10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes.
Of particular note in this release is a new module from community contributors Erik Wynter and Shai rod
which adds a new exploit module for CVE-2020-35476, an unauthenticated command injection vulnerability in the yrange
parameter in OpenTSDB <= 2.4.0.
OpenTSDB is a monitoring software that runs on top of Hadoop and HBase to allow users to serve large amounts of time-series data without losing any granularity in the data itself. If you are wondering what that host mess of buzzwords means, it simply means that it is a database optimized to store events or measurements that are time-stamped. This also means that the target is likely to be storing a lot of metrics data, which may also include sensitive internal operations, making it a prime target for exploitation.
Successful exploitation of this vulnerability will result in remote code execution as the root
user, meaning that an attacker can go from being completely unauthenticated to having full control over affected OpenTSDB devices. This could then allow the attacker
to pivot further into the target network, using either the privileges they have gained on the OpenTSDB device, or details from the logs on the OpenTSDB device, which may provide insight into weaknesses of the network or give access to sensitive information.
1.00-06
and below in the No
and door
parameters of card_scan_decoder.php
. Successful exploitation results in RCE as the root
user.lib/rex/user_agent.rb
has been updated to reflect the latest user agents as of December 2022.modules/post/linux/gather/enum_commands
, including fixing a crash when attempting to search a path that doesnβt existjenkins_gather.rb
module has been updated to use .blank?
instead of .empty?
when handling SSH Key details to prevent crashes should the various elements of the SSH Key be empty or nil
.smtp_send_recv
when they did not import the required Exploit::Remote::SMTPDeliver
mixin. These modules have been updated to use the appropriate raw_send_recv
method instead.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C