Over the last two weeks, FireCompass research identified a large number of high-severity CVEs, along with ransomware, botnets and threat actors creating havoc. Some of the CVEs affect popular commercial products used across a variety of industries, and some new and well-known malware families targeted industries this week. In this post we list the important CVEs discovered this week, as well as the malware, threat actors and botnets that were most active this week, along with the CVEs they used in their campaigns.
The Key Vulnerabilities that FireCompass has focused on are:
- CVE-2023-34635 – Wifi Soft Unibox Administrator SQL Injection
- Multiple WebMin Vulnerabilities
- CVE-2023-37580 – Zimbra Collaboration (ZCS) XSS
- CVE-2023-38750 – Zimbra Collaboration (ZCS) XML File Exposure
- CVE-2023-3983 – Advantech iView Blind SQLi
- CVE-2022-39986 – RaspAP Unauthenticated RCE
- CVE-2022-39987 – RaspAP Authenticated RCE
- CVE-2023-39108, CVE-2023-39109, CVE-2023-39110 – Multiple RConfig Vulnerabilities
- CVE-2023-38357 – RWS WorldServer Unauthorized Access
- CVE-2023-33493 – Prestashop Ajaxmanager File and Database Remote File Upload
- CVE-2023-39147 – UVDesk Arbitrary File Upload
The key malware and threat actors that FireCompass has focused on are:
- CVE-2023-2868 – Barracuda Email Security Gateway (appliance form factor only) product
- CVE-2022-0543 – Redis
- CVE-2023-3519 – Citrix ADC, Citrix Gateway
- CVE-2023-3466 – Citrix ADC, Citrix Gateway
- CVE-2023-3467 – Citrix ADC, Citrix Gateway
- CVE-2021-26855 – Microsoft Exchange Server
- CVE-2021-26857 – Microsoft Exchange Server
- CVE-2021-26858 – Microsoft Exchange Server
- CVE-2021-27065 – Microsoft Exchange Server
- CVE-2021-30116 – Kaseya VSA
To remain safe against these critical vulnerabilities, organizations must find them as early as possible and fix them. The FireCompass Research Team urges organizations to identify their exposed assets, then test and fix the vulnerabilities. The FireCompass CART/EASM platform finds and tests the above-mentioned vulnerabilities, and similar critical vulnerabilities, on our customers' networks as soon as they are discovered.
Brief descriptions of the CVEs from the lists above:
CVE-2023-34635 – Wifi Soft Unibox Administrator SQL Injection
Wifi Soft Unibox Administrator contains a SQL injection vulnerability that lets an attacker access sensitive data. The vulnerability occurs because user input in the username field of the login page is neither validated nor sanitized. Here is the PoC for the exploit – https://www.exploit-db.com/exploits/51610
Multiple Webmin Vulnerabilities
Webmin, a web-based server administration tool, had multiple vulnerabilities identified this week. All are cross-site scripting vulnerabilities that let an attacker gain arbitrary remote code execution or access to sensitive files. Here is the list of CVEs.
CVE-2023-37580 & CVE-2023-38750 – Zimbra Collaboration (ZCS)
Two vulnerabilities have been identified in Zimbra Collaboration (ZCS). The first, CVE-2023-37580, is an XSS in the Zimbra Web Client; this vulnerability was added to the CISA Known Exploited Vulnerabilities catalog last week. The second, CVE-2023-38750, is a sensitive file exposure that lets an attacker view internal XML and JSP files.
CVE-2023-3983 – Advantech iView
An authenticated SQL injection vulnerability exists in Advantech iView that lets an attacker perform blind SQL injection.
CVE-2022-39986 & CVE-2022-39987 – RaspAP RCE
Two vulnerabilities have been identified in RaspAP wireless routers. The first, CVE-2022-39986, is an unauthenticated remote code execution; the second, CVE-2022-39987, is an authenticated remote code execution.
Here is the PoC for both CVEs – https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2
Multiple RConfig Vulnerabilities
RConfig network configuration management contains multiple SSRF vulnerabilities. Here is the list of CVEs.
CVE-2023-38357 – RWS WorldServer Unauthorized Access
Session tokens in RWS WorldServer 11.7.3 and earlier have low entropy and can be enumerated, leading to unauthorized access to user sessions. PoC – https://packetstormsecurity.com/files/173609/RWS-WorldServer-11.7.3-Session-Token-Enumeration.html
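As an added illustration of the weakness class described above (not code from the original post or from RWS), the following Python check estimates the entropy of a sample of session tokens an application issues and flags tokens whose numeric tail simply increments. The token samples are constructed for illustration, and the 64-bit floor is an assumed minimum rather than a vendor figure.

```python
import math
import re
from collections import Counter

# Constructed samples (not real WorldServer tokens): the weak set has a fixed
# prefix and a counter, the strong set is 128-bit hex with an even digit mix.
WEAK_TOKENS = ["sess00000101", "sess00000102", "sess00000103",
               "sess00000104", "sess00000105", "sess00000106"]
STRONG_TOKENS = [
    "3f9a1c7e0b5d2846e6b1d0a94f73c285",
    "a0e4c8b2d6f195735d17b3e9a0f2c864",
    "9c2f6a0e8b4d1735b8d3f5a1c7e09246",
    "7e1b9f3d5a0c24680c4b8d135f7926ae",
    "d4a8e2c6b0f193571f5b93a7c0e2846d",
    "6b0d4f8a2e1c3579c3e7a1f5b9d02468",
]

def shannon_entropy_bits(tokens):
    """Empirical Shannon entropy (bits per character) over the whole sample."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def estimated_token_entropy_bits(tokens):
    """Rough upper bound on entropy per token: bits/char times shortest length.
    Correlations between positions (fixed prefixes, counters) only lower it."""
    return shannon_entropy_bits(tokens) * min(len(t) for t in tokens)

def is_sequential(tokens):
    """True when every token ends in a number and consecutive tokens differ by
    the same non-zero step, i.e. an attacker can simply count through them."""
    tails = []
    for t in tokens:
        m = re.search(r"(\d+)$", t)
        if not m:
            return False
        tails.append(int(m.group(1)))
    steps = {b - a for a, b in zip(tails, tails[1:])}
    return len(steps) == 1 and steps.pop() != 0

def assess(tokens, min_bits=64):
    """Return (ok, reason). min_bits is an assumed floor, not a vendor value."""
    if is_sequential(tokens):
        return False, "tokens increment sequentially and can be enumerated"
    bits = estimated_token_entropy_bits(tokens)
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits per token, below {min_bits}"
    return True, f"estimated {bits:.1f} bits per token"

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, assess(sample))
```

Feed it a few dozen tokens collected from fresh logins of your own application; a sample that fails either check is worth raising with the vendor before an attacker notices.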
CVE-2023-33493 – Prestashop Ajaxmanager File and Database Remote File Upload
An Unrestricted Upload of File with Dangerous Type vulnerability in the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop, through version 2.3.0, allows remote attackers to upload dangerous files without restriction. PoC – https://security.friendsofpresta.org/module/2023/07/28/ajaxmanager.html
CVE-2023-39147 – UVDesk Arbitrary File Upload
An arbitrary file upload vulnerability in UVDesk 1.1.3 allows attackers to execute arbitrary code by uploading a crafted image file. PoC – https://packetstormsecurity.com/files/173878/Uvdesk-1.1.3-Shell-Upload.html
CVE-2023-26316 – Xiaomi Cloud Service XSS
An XSS vulnerability exists in the Xiaomi Cloud Service application. It is caused by the WebView's whitelist-checking function allowing the javascript: protocol to be loaded, and can be exploited by attackers to steal the Xiaomi cloud service account's cookies.
CVE-2023-26317 – Xiaomi Router Command Injection
A vulnerability has been discovered in Xiaomi routers that could allow command injection through an external interface.
CVE-2023-1437 – Advantech WebAccess
Advantech WebAccess/SCADA is vulnerable to use of untrusted pointers. The RPC arguments sent by the client can contain raw memory pointers that the server uses as-is. This could allow an attacker to gain access to the remote file system, execute commands and overwrite files.
CVE-2023-38954 – ZKTeco BioAccess IVS SQL Injection
ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability.
CVE-2023-37679 – NextGen Mirth Connect Remote Code Execution
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
Multiple Suprema BioStar 2 Vulnerabilities
Suprema BioStar 2, a web-based, open and integrated security platform that provides comprehensive functionality for access control, time and attendance management and visitor management, has multiple vulnerabilities:
- CVE-2023-33363 – Authentication Bypass
- CVE-2023-33364 – OS Command Injection Vulnerability
- CVE-2023-33365 – Path Traversal Vulnerability
- CVE-2023-33366 – SQL Injection Vulnerability
CVE-2023-4145 & CVE-2023-38708 – Pimcore Vulnerabilities
Pimcore, a data and experience management tool, has two vulnerabilities:
- CVE-2023-4145 – Cross Site Scripting Vulnerability
- CVE-2023-38708 – Path Traversal Vulnerability
Asus RT-AX82U Vulnerabilities
The Asus RT-AX82U router has multiple vulnerabilities discovered by Talos:
- CVE-2022-38393 – Denial of service vulnerability
- CVE-2022-38105 – Information disclosure vulnerability
- CVE-2022-35401 – Authentication Bypass Vulnerability
Important Weekly Threat Actors
CVE-2023-2868 – Barracuda Email Security Gateway (appliance form factor only) product
Barracuda revealed that attackers, suspected to be the pro-China hacker group UNC4841, exploited the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware dubbed Saltwater and SeaSpy, and a malicious tool called SeaSide, to establish reverse shells for easy remote access.
CVE-2022-0543 – Redis
The Unit 42 researchers who spotted the Rust-based worm (named P2PInfect) on July 11 also found that it breaks into Redis servers that have been left vulnerable to the maximum-severity CVE-2022-0543 Lua sandbox escape vulnerability.
While over 307,000 Internet-exposed Redis servers have been discovered in the last two weeks, only 934 instances are potentially vulnerable to this malware's attacks, according to the researchers.
CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 – Citrix ADC, Citrix Gateway
Around two weeks ago, the count of Citrix appliances vulnerable to CVE-2023-3519 stood at around 15,000. Besides patching CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) and privilege escalation to root. Ransomware gangs, including REvil and DoppelPaymer, have taken advantage of similar Citrix NetScaler ADC and Gateway vulnerabilities to breach corporate networks in past attacks.
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – Microsoft Exchange Server
The widespread vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 in Microsoft Exchange have been held responsible for numerous exploits impacting thousands of organizations globally. Notably, Acer's ransomware attack emerged as the first high-profile incident directly linked to the exploitation of these Microsoft Exchange vulnerabilities. This marked a significant milestone for ransomware attacks in connection with the hack of the popular mail server software.
CVE-2021-30116 – Kaseya VSA
On July 2, 2021, the REvil ransomware attack leveraged multiple zero-day vulnerabilities in Kaseya's VSA (Virtual System/Server Administrator) product, which helps Kaseya customers monitor and manage their infrastructure. To deploy ransomware payloads on the systems of Kaseya customers and their clients, the REvil operators exploited the zero-day vulnerability CVE-2021-30116. It was also found to be exploited by the infamous IoT/Linux botnet Mirai.
By: Firecompass Research Team – Debdipta Halder, Soumyanil Biswas, Faran Siddiqui
- Firecompass Threat Intel Team
- NVD CVE Feed
FireCompass is a SaaS platform for Continuous Automated Red Teaming (CART) and Attack Surface Management (ASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.