By Trellix · August 02, 2023
This story was also written by John Dunlap.
A Storm is Brewing!
Summer is now in full swing, and our July Bug Report is similarly coming out swinging. This month comes with a red-hot list of software vulnerabilities being used in the wild in attack campaigns seeking to melt your secure environment like an ice cream cone sitting in direct sunlight.
Without further ado, our “fresh off the grill” vulnerabilities for this month are:
Another month and another serious Office bug. However, CVE-2023-36884 is especially dangerous as it is being widely exploited by APT group STORM-0978 to infect victim hosts with ransomware and to conduct extortion attacks. Stealthier installations of “RomCom”, a backdoor associated with Russian state sponsored attacks against Ukraine, have also been observed. As the attack was both widespread and dangerous, targeting companies for industrial espionage and ransomware across the world, Microsoft threat intelligence published a blog on the attacks. Attacks utilizing CVE-2023-36884 appear to originate from Russia, and unsurprisingly appear to target organizations with ties to Ukraine. This includes obvious targets such as the Ukrainian World Congress, but also organizations with ties to Ukraine that are less obvious, such as American financial institutions doing business in Ukraine. Telecommunications companies have also been targeted.
Considering the checklist of people who should care includes organizations that 1) use Microsoft’s Office Suite and 2) don’t enjoy being ransomed by cybercriminals—then a whole lot of people should care. For those companies that do any business in Ukraine or with Ukrainian partners whatsoever, they should take this vulnerability especially seriously.
Threat researcher Paul Rascagnères published a graphic (made by his colleague, senior threat intelligence analyst Charlie Gardner) demonstrating the observed routes of infection—which we’ve included below for ease of reference. As this vulnerability has been widely exploited in the wild, potentially impacted organizations should review this graphic closely, as well as Microsoft’s blog post for potential indicators of compromise.
Image showing the infection chain for this vulnerability, courtesy of Charlie Gardner.
This is the part where we would normally tell you to update Windows immediately, but as of 7/24/2023 Microsoft lists this vulnerability as “remediation unavailable.” With no effective remediation for the vulnerability right now, the situation is a little more hopes and prayers than we’d like.
However, there are several mitigation strategies available for potentially affected organizations. We’ve included a list below of those suggested by Microsoft:
Somehow, they got in!
We normally think of gateway devices as hardened barriers to entry for our network. Connoisseurs of edge device vulnerabilities will know that this is often not the case, but situations like CVE-2023-3519 are a whole new level of bad. The last thing we want from a Citrix gateway is unauthenticated remote code execution, but somehow that’s what we’re getting regardless.
Worse yet, the vulnerability has been exploited in the wild. While there are no public proof of concept exploits, scanners are on GitHub, which imply that less skilled attackers are attempting massive scans for vulnerable devices. Even more, threat intelligence researchers have reported PHP webshells being found on infected endpoint devices—further confirming that the vulnerability is easy to exploit.
According to Citrix, the vulnerability is only exploitable if you have the device configured as a Gateway. However, a quick search on Shodan reveals that this Gateway configuration is commonly used for thousands of Citrix devices.
Shodan results for title:”citrix gateway”
Any organization with any of the following Citrix (formally NetScaler) devices configured as Gateways should care a lot about this vulnerability:
In this case, the only thing you can do is apply the update distributed by Citrix here.
However, this vulnerability is known to drop common webshells that can be investigated for any potential compromise. A list of compromised files commonly associated with this vulnerability is shown below:
alfav3-encoded.php
alfav4.1-decoded.php
alfav4.1-encoded.php
andela.php
bloodsecv4.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
TwemlowsWebShell.php
wso2.8.5.php
insight-new-min.js
info.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
mini.php
prod.php
log.php
logout.php
vpn.php
config.php
shell.php
poc.php
rshell.php
php-reverse-shell.php
While Adobe has described ColdFusion as “battle-proven," ColdFusion has had just a small handful of vulnerabilities over the years.
Okay, maybe more than a small handful
The definitely not notoriously vulnerable web application programming framework was found to have what amounted to an authorization bypass in CVE-2023-29298, where attackers were able to gain access to administrative “CFM” endpoints. This in turn allowed them to gain remote code execution with CVE-2023-38203, a deserialization vulnerability in the handling of WDDX packets.
Anyone running ColdFusion should be aware of this vulnerability and the (very likely) possibility of further vulnerabilities in the future. The following specific versions are considered vulnerable to the exploit chaining together CVE-2023-29298 and CVE-2023-38203:
A Shodan search displays about 3,000 hosts (at the time of writing) that can be definitively marked as using ColdFusion. However, there may be more vulnerable hosts, as evidence of ColdFusion does not always show up in HTTP headers. ColdFusion is also often used in corporate intranets.
It should also be noted that while CVE-2023-38203 has been effectively remediated, it appears CVE-2023-29298 itself has only been partially mitigated with the available patches.
While Adobe was able to patch the remote code execution bug (CVE-2023-38203), as of this writing, the authorization issue is still being remediated. As there is little the attackers are able to do with CVE-2023-29298 without the presence of CVE-2023-38203, this seems pretty reassuring in solving the problem. But it’s not.
If attackers discover a way to bypass the remediation for CVE-2023-38203, which is in itself a bypass of the previously known vulnerability CVE-2023-29300, then the system will be vulnerable to remote code execution once again. As the deserialization of WDDX messages is a core component of ColdFusion, issues of this nature are highly likely to reoccur, as the core technology at the root of vulnerability is extremely difficult to remove from the product.
Can we suggest replacing Adobe ColdFusion with one of the many alternatives that are less vulnerable to RCE exploits?
_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _