The Bug Report - June 2023 Edition
Published July 05, 2023 · www.trellix.com

By Trellix · July 05, 2023
This story was also written by Jesse Chick.

Can I have a word with the developers who greenlit these vulns?

Why am I here?

“To our newcomers, welcome! To our old hands, welcome back!” (Iykyk.) Every month, we chronicle the disruptive news in the infosec business from the last 30ish days: the major vulnerability drops, the events that serve as important reminders that the platforms to which we entrust the security of our precious data are often the software equivalents of the MiG-25. This June, we are all in-the-wild, all the time, helping you secure your own oxygen mask and assist others, in the bite-sized morsels you’ve come to expect from this rag.

I sincerely hope I am not the first to bring you news of these vulnerabilities:

  • CVE-2023-20887: VMware Aria Operations for Networks
  • CVE-2023-27997: FortiNet SSL VPN
  • CVE-2023-34362: MOVEit Transfer/Cloud

CVE-2023-20887: The best product rebrand of all time

What is it?

As a vulnerability researcher myself, my first step when feeling out a new target is to search for the low-hanging fruit, the simple mistakes made on the part of developers. The locations of possible command injection vulnerabilities within software are relatively easy to spot. CVE-2023-20887 is just such a vulnerability. That’s right, folks; the basic OS command injection is still very much alive, is often high-severity, and is stop numero uno in this month’s Bug Report.

The affected product is the clunkily-named Aria Operations for Networks (“AOfN” for brevity), although you may know it by its old (and superior) name, vRealize Network Insight. In short, AOfN is a monitoring tool for cloud infrastructure and networking marketed by VMware. The application leverages nginx to serve web content and proxy all RPC communications to an Apache Thrift server on the backend; it is in this latter component that the vulnerability lies.

To exploit CVE-2023-20887, an attacker embeds the command to be injected in an RPC request body and takes advantage of a misconfiguration in the nginx web server to forward the malicious request to the vulnerable Thrift backend directly, behavior that the developers clearly intended to render impossible by forcing the Thrift server to accept internal connections (think 127.0.0.1) exclusively. The injected command is then dropped into the juicy format string sudo ls -tp %s/sb.%s.%s*.tar.gz | … and promptly executed via one of those scary process-spawning functions. For the curious (and unoffended by Java code) among you, all the nitty-gritties are available in the concise blog written by Sina Kheirkhah, the discovering researcher, which includes his root-cause analysis and proof-of-concept script.
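As an added example (not code from the post or from VMware), here is the shell-interpolation pattern the paragraph describes next to a hardened form; the three request-controlled fields, the allow-lists and the argv layout are assumptions for illustration. Neither function executes anything; each returns the command it would run, so the difference is visible without touching the system.

```python
import glob
import re

# Format string quoted in the post (the trailing "| ..." is left out).
FORMAT_STRING = "sudo ls -tp %s/sb.%s.%s*.tar.gz"

# Allow-lists assumed for this example: an absolute path of plain segments
# and short alphanumeric identifiers. Anything else is refused outright.
SAFE_DIR = re.compile(r"^/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*$")
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_vulnerable(directory: str, node: str, ts: str) -> str:
    """Vulnerable pattern: untrusted fields interpolated into a shell string.

    Whatever the request carries becomes part of the command line, so a
    field containing shell metacharacters changes what the shell executes.
    """
    return FORMAT_STRING % (directory, node, ts)


def fields_are_safe(directory: str, node: str, ts: str) -> bool:
    """Allow-list check; False means the request must be refused."""
    if not SAFE_DIR.fullmatch(directory):
        return False
    if any(seg in (".", "..") for seg in directory.split("/")):
        return False  # no traversal even from characters the regex allows
    return bool(SAFE_ID.fullmatch(node) and SAFE_ID.fullmatch(ts))


def archive_pattern(directory: str, node: str, ts: str) -> str:
    """Validated glob pattern, built without any shell involvement."""
    if not fields_are_safe(directory, node, ts):
        raise ValueError("request fields rejected by allow-list")
    return f"{directory}/sb.{node}.{ts}*.tar.gz"


def build_hardened(directory: str, node: str, ts: str) -> list:
    """Hardened pattern: validate, expand the glob in-process, return argv.

    The list is meant for subprocess.run(argv) with shell=False: no shell
    parses the values, and "--" stops ls from reading a match as an option.
    """
    matches = sorted(glob.glob(archive_pattern(directory, node, ts)))
    if not matches:
        raise FileNotFoundError("no matching archives")
    return ["sudo", "ls", "-tp", "--", *matches]
```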

Who cares?

If your organization is a VMware customer and uses AOfN for your cloud-monitoring needs, you should care a lot. The possible impact of a compromised AOfN instance is exposure of every host visible to the vulnerable application, giving attackers the opportunity to pivot to business-critical resources. Moreover, CVE-2023-20887 is trivially easy to exploit. Go see for yourself. The code is public, linked above, and, as I am sure you will agree, script-kiddy approved.

Actually, that last item is a matter of fact rather than one of opinion: in-the-wild exploitation of CVE-2023-20887 was confirmed internally by VMware no later than June 19th and acknowledged as such by CISA on the 23rd. Oh, and did I mention that exploiting this vulnerability grants the attacker persistence with zero prior authentication? Need I go on?

What can I do?

Update any and all AOfN instances under your jurisdiction running versions 6.10 or older immediately and berate your industry friends to follow suit. All the instructions and files necessary to do so can be found here. That is essential action item #1. If you’re a VMware customer and suspect that you may have been compromised or are simply seeking reassurance that everything will be ok, I have two pieces of information for you that may soften the blow. First, this software application runs within a Linux VM, and the fact that there is no public evidence, yet, to suggest that this vulnerability can allow an attacker to jump from guest to host is something of a saving grace. Second, any IT professional worth their six-figure salary will have hidden your AOfN instances behind a firewall, unexposed to the wider internet, which at least provides a layer of defense from remote attacks.

If this is not the case, we move to essential action item #2: give your system administrator a (purely symbolic) 2-by-4 to the back of the head and tell them to move all your remote management applications to within your organization’s secure intranet. As of this writing, concrete indicators of compromise have not been publicly forthcoming. However, I encourage you to continue to check, especially if you suspect prior intrusion into your network.

CVE-2023-27997: Another Fortinet RCE! Everyone take a drink!

What is it?

No, seriously, pour yourself two fingers of Johnnie Walker Black and bottoms up; you’ll thank me later.

CVE-2023-27997 refers to a heap-based buffer overflow in the SSL VPN component of FortiOS and FortiProxy, affecting a dizzying array of versions between the two Fortinet technologies. Via sophisticated orchestration of successive HTTP requests, an attacker can use this vulnerability to achieve remote code execution in (you guessed it) an entirely unauthenticated scenario. By sending the aforementioned requests to the VPN component’s web interface (which is internet-facing by design), an attacker can write arbitrary data past the end of a heap-allocated buffer. Since the component is not built as a Position Independent Executable (PIE), this primitive can be leveraged to achieve one of the oldest tricks in the book: overwriting the function pointer for a callback handler that the attacker can reliably execute, such as the one used for SSL handshakes. The absence of basic binary hardening is the real VIP in this comedy of errors, as the attacker can then use their newfound control of execution to ROP their way to a remote shell.
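The hardening gap the paragraph singles out (a native component not built as PIE) is something a defender can check on their own binaries. As an added example, not taken from the post or the researchers' write-up, this reads just the ELF header and reports whether the image is ET_DYN (position independent, so ASLR can move it) or ET_EXEC (fixed load address, so every function pointer sits at the same address on every run); the sample headers it builds are constructed for the test, not taken from any product.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def elf_type(header: bytes) -> int:
    """Return e_type from an ELF header; the first 18 bytes suffice."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    # EI_DATA (byte 5) selects the byte order of every later field.
    endian = {1: "<", 2: ">"}.get(header[5])
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return e_type


def is_pie(header: bytes) -> bool:
    """True for ET_DYN, False for ET_EXEC.

    An ET_EXEC main program is mapped at a fixed address, so code and data
    (callback function pointers included) land at known addresses, which is
    what makes an overwrite aimable without an information leak. ET_DYN is
    needed for ASLR to randomize the main image. Caveat: shared libraries
    are ET_DYN too, so apply this check to the main executable.
    """
    return elf_type(header) == ET_DYN


def check_file(path: str) -> bool:
    """Convenience wrapper for a binary on disk."""
    with open(path, "rb") as fh:
        return is_pie(fh.read(64))


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed minimal 64-bit ELF header for testing (not a real file)."""
    endian = "<" if little_endian else ">"
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA, EI_VERSION=1, padding
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HH", e_type, 0x3E)  # e_type, x86-64
```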

Exploiting CVE-2023-27997 may be easy in practice, but the theory behind it is anything but. For those who wish to understand the exploit in-depth, the researchers who disclosed CVE-2023-27997 have written a wonderfully technical blog detailing their methods with an elegance and aesthetic minimalism that I hereby salute. I’ll close this subsection by drawing your attention to the final line of the aforementioned blog. It reads: “We remain however doubtful [sic] they ever ran a proper security assessment on the appliance, considering the number and quality of vulnerabilities that were found from 2019 to today.” Grammatical faux pas notwithstanding, this is some of the most biting collegial trash talking I have seen this year and is almost certainly accurate.

Who cares?

Well, given that Fortinet products remain industry favorites, a hefty chunk of you will care enough about this to respond swiftly. To be more concrete, 6sense puts Fortinet third among networking hardware vendors in terms of market share at 6.8%, accounting for tens of thousands of Fortinet-reliant companies. And it appears that many of those companies are already being targeted; reports of active exploitation in the wild began to roll in on June 12th, and CVE-2023-27997 was added to CISA’s naughty list the following day.

Perhaps a better argument in favor of taking this one deathly seriously is the placement of these products within an enterprise environment. For example, the Fortigate VPN, an affected product, is inherently an edge device that acts as a first line of defense for your protected systems. In other words, CVE-2023-27997 could be the initial point of entry to your infrastructure for an attacker wishing to exfiltrate data, install ransomware, or cause chaos via miscellaneous means. In other, other words, the stakes are… very high.

What can I do?

Hilariously, Fortinet offered the following by way of a workaround: “Disable SSL-VPN.” I mean, yeah, that’ll do it, but, depending on your use case, that might defeat the whole point of using the affected device in the first place. A more pragmatic and obvious answer: Update! Update! Update! Fortinet tends to release security patches ahead of their own vulnerability disclosures, so if your system administrators have their finger on the critical-CVE pulse, you may already be covered. Nevertheless, trust but verify, and immediately refer to the bottom of the PSIRT advisory issued by the vendor for an exhaustive list of vulnerable and patched versions for cross-reference with your Fortinet products.

CVE-2023-34362: I like to MOVEit, MOVEit

What is it?

If you happen to be a child of the early aughts like I am, you cannot read, write, or speak about CVE-2023-34362 without hearing the singing voice of Sacha Baron Cohen emitting from an animated lemur on a cathode ray tube. Nostalgia aside, this vulnerability landed on May 31st—barely too late for our previous installment of the Bug Report—so we could not omit CVE-2023-34362 from our humble periodical this time around and have saved the best for last.

What we have here is a good ol’ fashioned SQL injection vulnerability in the web application behind MOVEit Transfer and MOVEit Cloud, enterprise file sharing software maintained by Progress, which can lead (and has led) to unauthenticated remote code execution. As mentioned, exploitation begins with SQL injection, which can be devastating in and of itself; attackers can glean information regarding the internal database’s schema and corrupt important records at will, short of issuing a DROP DATABASE … directive.

However, this tells merely a fraction of the CVE-2023-34362 story. The most impactful abuses of this vulnerability (yes, tons of in-the-wild activity; see below) involve leveraging the SQL injection to obtain a “valid” API token which grants administrator privileges, then using this elevated access to exploit a textbook .NET deserialization vulnerability. There is so much more to say about the purely technical aspect of CVE-2023-34362, far more than will fit within our meager margins. Extensive root cause analysis, exploit breakdown, and post-exploitation fun are available at your pleasure here, courtesy of the good people at Horizon3.ai.

Who cares?

If your organization uses MOVEit Transfer/Cloud in or outside of the cloud, the house is on fire and masked men are making off with the family jewels. Every sizeable company’s biggest security nightmare is a successful ransomware attack, and all the available evidence indicates that CVE-2023-34362 is being employed for just such purposes. Most significantly, it has been used to deliver derivatives of CL0P, a family of ransomware known to have affected an array of large companies and institutions across all major sectors and industries. Examples can be found here under the appropriate subheading.

As if to underscore the severity of this vulnerability, a June 8th report from Kroll suggests, based on their own forensic analysis, that the threat actors behind CL0P began feeling out this particular ingress as early as 2021. In short, criminal exploitation of this vulnerability has been occurring for quite some time, unidentified and without remedy until May of this year, and should be taken with commensurate seriousness.

What can I do?

To sound like a very broken record, update. You’ll find Progress’s instructions for doing so linked here. Do that, then continue reading—your work isn’t done. Although it’s always wise to check for prior indicators of compromise within your infrastructure associated with all vulnerabilities exploited in the wild, this measure is especially important in the case of CVE-2023-34362, given how frequently and for how long it has been weaponized.

In their security notice posted on May 31st, Progress advised its customers to comb system logs for evidence of access breaches anytime in the last 30 days. GreyNoise, your friends in the scanning business, recommend that this window be extended to 90 days prior to June 1st. CISA has released a compilation of detection methods, including YARA rules, and an extensive list of IOCs associated with known ransomware campaigns; we implore you to put them to use.

_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers._