Vulnerabilities New and Old

Particularly avid readers, or perhaps just readers with a magnifying glass, will note that there are six-and-a-half new vulnerabilities in Figure 3 compared with our November SIS. We say a half-new vulnerability because one of the new ones is indistinguishable from an existing signature. While tuning the pattern for CVE-2022-41040, a Microsoft Exchange Server zero-day vulnerability that emerged in late summer 2022, we discovered that our sensors are not able to fully differentiate between CVE-2022-41040 (which is known as ProxyNotShell), and the earlier, similar CVE-2021-34473 (aka ProxyShell). These two vary primarily on whether they require authentication—CVE-2022-41040 requires authentication, while CVE-2021-34473 does not, and our sensors do not offer that level of application simulation. As a result, CVE-2021-34473 has been added to the plot with CVE-2022-41040. (Either way, please patch those Exchange servers.)

Recently Added CVEs

These are the vulnerabilities that were only recently identified in our logs and added to our signatures.

CVE-2007-3010

A remote command execution vulnerability in the Alcatel-Lucent OmniPCX telephony server versions <=7.1. Attackers can use shell metacharacters in the user parameter to pass commands during a ping action. Our logs showed attackers attempting to download a shell to the /tmp/ folder, escalate privileges and run the shell. NVD

CVE-2017-1000226

A user enumeration vulnerability in a WordPress plugin ironically named Stop User Enumeration versions <= 1.3.9. While the plugin prevents REST API GET requests to endpoints containing ‘/users/’, the API will accept POST requests requesting user enumeration. However, we noted that all of the connections on our sensors were GET requests to an endpoint containing ‘/users/’ and therefore would probably have failed anyway. NVD

CVE-2021-21985

A critical remote code execution vulnerability in the vSphere Client in VMware vCenter Server versions 6.5, 6.7, and 7.0. NVD

CVE-2018-17246

A critical arbitrary file inclusion vulnerability in Kibana versions < 6.4.3 and 5.6.13. Attackers with access to the Kibana Console API could send a request that would execute arbitrary Javascript. Our logs showed attackers testing a path traversal technique to reach /etc/passwd to confirm local file inclusion. NVD

CVE-2008-2052

An open redirect vulnerability in Bitrix Site Manager 6.5, allowing attackers to redirect users to arbitrary sites and/or conduct phishing attacks. Roughly half of the exploit attempts against this vulnerability were benign testing and therefore probably researchers. The other half attempted to download a web shell. NVD

CVE-2015-3897

A directory traversal vulnerability in Bonita BPM portal versions <6.5.3. This vulnerability allows attackers to read arbitrary files. Some of the logged attack traffic attempted to locate a password file, the other attempted to find Windows system files. NVD

Conclusions

Since the purpose of this series is to document attacker interest in vulnerabilities to help defenders prioritize patching, our primary recommendation is straightforward: if your enterprise application footprint includes any of these vulnerabilities, all of which have demonstrable attacker intent behind them, you should consider patching as soon as possible.

As in the last several months, the ongoing interest in vulnerable IoT systems is probably a harbinger of future DDoS attacks. We recommend reviewing your DDoS playbook and engaging a mitigation service if availability is mission critical.

We also noted scan activity looking for several vulnerabilities or known vulnerable systems that do not have CVE numbers associated with them. These include three exploits against an Oracle FatWire vulnerability which does not appear to be exploitable in the wild, a Docker enumeration tool, Siemens operational technology port scanners, command and control instructions for a variant of the ZeuS banking trojan, and several Google dorks for easily exploitable systems. This also serves as a timely reminder that not all vulnerabilities are CVEs. While nobody likes having to drop everything and patch when a vulnerability is announced, it sure beats trying to mitigate when there is no patch or indicator of compromise information available.