(Un)official home of Team RunCMD

h0w1tzr’s Commentary: ZyXEL has released a patch for this vulnerability. If you have a model that is affected by this CVE you should patch it now.

Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.

The following table contains the affected models and firmware versions.

Affected Model / Affected Firmware Version
USG FLEX 100, 100W, 200, 500, 700 / ZLD5.00 thru ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN / ZLD5.10 thru ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800 / ZLD5.10 thru ZLD5.21 Patch 1

Links

• • Rapid7 CVE report: https://t.ly/vH2I
  • MITRE’s CVE: https://t.ly/wrsU
  • Exploit PoCs: https://t.ly/bkbP

h0w1tzr’s Commentary: This is yet another trivial vulnerability for attackers to use. It’s an API endpoint that allows attackers to run commands via bash on the F5 BIG-IP as root. If your company runs BIG-IP and you haven’t patched yet I highly recommend you apply their patch immediatly!

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products. Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity. Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of authentication check, potentially allowing an attacker to take control of an affected system.

Links

• • Hacker News: https://t.ly/8RzL
  • F5 Security Advisory: https://t.ly/Imfm
  • GitHub PoCs: https://t.ly/_tIm

Spring released emergency updates to fix the ‘Spring4Shell’ zero-day remote code execution vulnerability [CVE-2022-22965], which leaked prematurely online before a patch was released.

Yesterday, an exploit for a zero-day remote code execution vulnerability in the Spring Framework dubbed ‘Spring4Shell’ was briefly published on GitHub and then removed.

However, as nothing stays hidden on the Internet, the code was quickly shared in other repositories and tested by security researchers, who confirmed it was a legitimate exploit for a new vulnerability.

h0w1tzr’s Commentary: This only affects Java Enterprise Edition (Java EE) applications that are using the Spring framework. The Spring framework comprises several modules such as IOC, AOP, DAO, Context, ORM, WEB MVC etc. This is not nearly as scary as Log4Shell, but if you are using Spring in any of your applications, now would be a good time to upgrade.

Links

• • Bleeping Computer Article: https://t.ly/HQln
  • CVE-2022-22965: https://t.ly/2g1t
  • Exploit PoC: https://t.ly/1MdN
  • Spring Framework: https://t.ly/Fjet

h0w1tzr’s Commentary: In reality this type of exploit would be difficult to use without first compromising the host that the UPS was attached to which is usually connected via USB however there are some newer models of APC UPSes that are Smart-UPS product line that have the ability to connect the UPS directly to the network so that it can use “SmartConnect” feature that uses the Cloud to manage and report power, as well as send alerts. A quick look on GitHub shows a LOT of documentation in Russian.

A set of three critical zero-day vulnerabilities [CVE-2022-22805, CVE-2022-22806, and CVE-2022-0715] now tracked as TLStorm could let hackers take control of uninterruptible power supply (UPS) devices from APC, a subsidiary of Schneider Electric.

The flaws affect APC Smart-UPS systems that are popular in a variety of activity sectors, including governmental, healthcare, industrial, IT, and retail.

UPS devices act as emergency power backup solutions and are present in mission-critical environments such as data centers, industrial facilities, hospitals.

Links

• • Bleeping Computer: https://t.ly/p9SU
  • CVE-2022-22805
  • CVE-2022-22806
  • CVE-2022-0715

h0w1tzr’s Commentary: This bug is probably going to be even bigger than Dirty Cow was. This bug affects Linux kernels that are >= 5.8 should be patched immediately.

The name “Dirty Pipe”: is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability’s origins. “Pipe” refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one.

Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer’s Linux machine. After months of analysis, the researcher finally found that the customer’s corrupted files were the result of a bug in the Linux kernel.

Links

• • Ars Technica: https://t.ly/8YDe
  • CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
  • CM4All Exploitation Writeup: https://dirtypipe.cm4all.com/
  • Exploit PoC: https://haxx.in/files/dirtypipez.c

h0w1tzr’s Comments: This is another doozy of a vulnerability against modern day Linux systems, and I would HIGHLY recommend that you patch your systems IMMEDIATELY!

Samba has addressed a critical severity vulnerability that can let attackers gain remote code execution with root privileges on servers running vulnerable software.

Samba is an SMB networking protocol re-implementation that provides file sharing and printing services across many platforms, allowing Linux, Windows, and macOS users to share files over a network.

The vulnerability, tracked as CVE-2021-44142 and reported by Orange Tsai of DEVCORE, is an out-of-bounds heap read/write present in the vfs_fruit VFS module when parsing EA metadata when opening files in smbd.

“The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file,” Samba explained in a security advisory published today.

“If both options are set to different settings than the default values, the system is not affected by the security issue.”

The vulnerable vfs_fruit module is designed to provide enhanced compatibility with Apple SMB clients and Netatalk 3 AFP fileservers.

According to the CERT Coordination Center (CERT/CC), the list of platforms impacted by this vulnerability includes Red Hat, SUSE Linux, and Ubuntu.

Links

• • Bleeping Computer: https://t.ly/kNyO
  • Zero Day Initiative: https://t.ly/yyCe
  • MITRE CVE: https://t.ly/7o4d

h0w1tzr’s Comments: This is why Universal Plug n’ Play (UPnP) is dangerous!

QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain.

“DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement issued today.

“Your NAS is exposed to the Internet and at high risk if there shows ‘The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP’ on the dashboard.”

All QNAP users are urged to “immediately update QTS to the latest available version” to block incoming DeadBolt ransomware attacks.

Links

• • Bleeping Computer: https://t.ly/uXqi

Update 3/21/22: I found some PoC exploits on GitHub for this vulnerability: https://github.com/search?q=CVE-2022-21907

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.

The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.

Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.

Links

• • Bleeping Computer: https://t.ly/V740
  • MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21907