10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
This module kindly provided by c0rs targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user.
The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive.
While you’re patching, why not take the time to test your backups too.
This vulnerability has been present in Hikvision products since 2014 and comes to us courtesy of h00die-gr3y.
The main culprit here is in Hikvisions authentication mechanism which allows you to login as any valid user using only their username and from that point this module allows you to set a new password for your chosen username so now you can log in "legitimately".
info
and generate
commands for adapted single (unstaged) payloads - such as cmd/windows/powershell/meterpreter/reverse_tcp
.rexec_login
/ rlogin_login
/ rsh_login
modules would die after module completion.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C