Top Trending CVEs of June 2023
- Jun 30, 2023
- Shawn Evans
It’s finally summer! That means kids are out of school and vacations are in full swing, and that includes security researchers. Summer is always a bit slower, but we have some interesting vulnerabilities to report all the same. Leading this month’s advisories is a pair of pre-auth RCE vulnerabilities that affect Fortinet’s FortiGate SSL VPN and VMware’s vRealize Network Insight. Yikes. Researchers also found that Arcserve UDP backup software is vulnerable to RCE. It isn’t a pre-auth bug, but it comes with an admin authentication bypass, so from the attacker’s perspective it amounts to the same thing. In a surprise (sad?) twist, we have zero new critical issues to report for any Microsoft products. What a time to be alive.
VMware vRealize Network Insight, now called Aria Operations for Networks, is a network visibility and analytics platform for enterprise environments. Researchers found that the software is vulnerable to a pre-authentication RCE: end-user input is not validated and ends up injected directly into a system command. The flaw resides in the “resttosaasservlet” service, which exposes the createSupportBundle procedure. createSupportBundle takes a structure containing a customerId, nodeId, requestId, and evictionRequestIds and, by design, creates a support bundle. Inside createSupportBundle a call is made to the helper function evictPublishedSupportBundles, which builds a system command from unsanitized end-user input. This vulnerability was assigned CVE-2023-20887.
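The pattern described above, as an added illustration that is not VMware’s code: a request id pasted into a shell command line versus the same value validated against an allowlist and passed as a separate argv element so no shell ever interprets it. The request structure, the eviction command (`rm -rf` of a bundle directory) and the paths are assumptions made for the example; the real Thrift structure and script are not reproduced here. Nothing is executed; the functions only build what would be run.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request structure using the field names the advisory lists;
 * the real Thrift definition is not reproduced here. */
struct support_bundle_req {
    const char *customerId;
    const char *nodeId;
    const char *requestId;
};

/* VULNERABLE pattern: the caller-controlled requestId is interpolated into a
 * shell command line destined for system(). A requestId such as "abc; id"
 * makes the shell run "id" as well. Returns the command string only; it is
 * never executed in this example. */
int build_eviction_cmd_vulnerable(const struct support_bundle_req *r,
                                  char *cmd, size_t cap)
{
    int n = snprintf(cmd, cap, "rm -rf /tmp/support-bundles/%s", r->requestId);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Allowlist for identifiers: 1..64 characters from [A-Za-z0-9_-]. Rejecting
 * '/', '.', ';', '$', '`', whitespace and everything else blocks both shell
 * metacharacters and path traversal in one place. */
int is_safe_id(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* HARDENED pattern: validate first, then build an argv suitable for execv()
 * (hypothetical /bin/rm invocation). The path is written into 'path' and
 * referenced from argv[2]; argv is NULL-terminated. Returns 0 on success,
 * -1 if the id is rejected or does not fit. */
int build_eviction_argv_safe(const struct support_bundle_req *r,
                             char *path, size_t cap, const char *argv[4])
{
    if (!is_safe_id(r->requestId)) return -1;
    int n = snprintf(path, cap, "/tmp/support-bundles/%s", r->requestId);
    if (n < 0 || (size_t)n >= cap) return -1;
    argv[0] = "/bin/rm";
    argv[1] = "-rf";
    argv[2] = path;
    argv[3] = NULL;
    return 0;
}
```

The hardened version still deletes a directory the client named, so in a real service the validated id should additionally be looked up against the set of bundles this caller is allowed to evict; the allowlist only removes the injection and traversal vectors.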
As a protective measure against unauthorized access, VMware restricts this endpoint to local nodes only. However, researchers found that a misconfigured rewrite rule in the appliance’s nginx configuration lets a simply crafted request bypass that restriction. Chaining the two issues, an unauthenticated attacker can obtain root on the vulnerable server.
Polished proof-of-concept exploit code is readily available and exploitation has been observed in the wild. There are no known workarounds for this vulnerability. In most deployments Aria Operations for Networks is unlikely to be exposed to the Internet, but there are always outliers. As the saying goes: patch now (or yesterday).
Researchers have identified a critical pre-authentication vulnerability in Fortinet’s wildly popular FortiGate SSL VPN. Earlier vulnerabilities in Fortinet’s SSL VPN products prompted an internal code review of the whole SSL VPN code base, and through that review the Fortinet team found a heap-based buffer overflow in their flagship SSL VPN product. To address the risk, Fortinet quietly released a patch and reported that it had observed only limited exploitation in the wild. The Internet, being populated with evil geniuses, wasn’t far behind in recreating the exploit chain.
The vulnerability is reachable through the VPN authentication flow. As part of validation the client sends a request to the /remote/hostcheck_validate endpoint. A valid request carries a binary parameter, “enc”, structured as [ seed ][ size ][ cipher-text ]. The seed is combined with a salt and hashed with MD5 to produce the first block of an XOR key stream, so the key stream is at least partially attacker-controlled on its first iteration. The heap overflow comes from a faulty bounds check that compares the declared size against the length of the hex-encoded input rather than against the number of decoded bytes, so the declared size can exceed the buffer that is actually allocated. The exploit also relies on the fact that the pointer used for each iteration of the key stream never advances, which makes the generated key stream highly predictable. Since XOR is its own inverse, XORing a value with the same key stream twice yields the original value, so an attacker who can predict the key stream controls exactly which bytes land in memory.
Turning the overflow into a working exploit is complex. Ultimately it was found that sending a huge request allocates a buffer that sits immediately adjacent to the SSL structure on the heap that holds the connection’s encryption state. With the heap laid out that way, a second socket (request) is opened carrying the crafted enc payload. Processing it triggers the overflow, corrupts the neighbouring SSL structure, and a ROP chain executes. Game over.
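The enc parsing and bounds-check bug described above, modelled in an added example that is not Fortinet’s code. Field widths (4-byte seed, 2-byte size, both hex-encoded) are assumptions, and the key stream is a simple stand-in for the real MD5-derived one so the block runs without a hash library. `decode_enc` allocates a buffer sized to the decoded ciphertext and then XORs as many bytes as the declared size says; with the buggy check (size compared against hex characters) the declared size can be twice the allocation. To keep the example memory-safe, the bytes the real loop would write past the buffer are counted and reported instead of actually being written.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of the hex-encoded "enc" parameter: [seed][size][ciphertext]. */
#define SEED_HEX_LEN 8   /* 4-byte seed as hex  (assumption) */
#define SIZE_HEX_LEN 4   /* 2-byte size as hex  (assumption) */
#define KEYBLOCK     16  /* block size of the stand-in key stream */

enum enc_status { ENC_OK = 0, ENC_MALFORMED = -1, ENC_REJECTED = -2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int hex_decode(const char *hex, size_t hexlen, uint8_t *out)
{
    if (hexlen % 2) return -1;
    for (size_t i = 0; i < hexlen; i += 2) {
        int hi = hexval((unsigned char)hex[i]), lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)(hi << 4 | lo);
    }
    return 0;
}

/* Stand-in key stream derived only from the seed. The real one is MD5-based
 * (salt + seed); what matters here is that it is a deterministic function
 * of attacker-supplied input, so both sides can compute it. */
static void keystream(uint32_t seed, size_t n, uint8_t *ks)
{
    for (size_t i = 0; i < n; i++)
        ks[i] = (uint8_t)((seed >> ((i % 4) * 8)) ^ (0x5Au + i % KEYBLOCK));
}

/* BUGGY check: a byte count is compared against the number of hex characters,
 * which is twice the number of bytes that will be allocated. */
int vulnerable_size_check(size_t size, size_t ct_hexlen) { return size <= ct_hexlen; }
/* FIXED check: compare against the decoded length that is actually allocated. */
int fixed_size_check(size_t size, size_t ct_hexlen) { return size <= ct_hexlen / 2; }

/* Parses enc, decodes the ciphertext into a heap buffer of decoded length and
 * XORs 'size' bytes of key stream over it. *overflow receives the number of
 * bytes the XOR loop would have written past the allocation (0 when safe);
 * the plaintext buffer is returned in *out and must be free()d by the caller. */
int decode_enc(const char *enc, int (*check)(size_t, size_t),
               uint8_t **out, size_t *outlen, size_t *overflow)
{
    size_t len = strlen(enc);
    uint8_t seedb[4], sizeb[2];
    *out = NULL; *outlen = 0; *overflow = 0;
    if (len < SEED_HEX_LEN + SIZE_HEX_LEN) return ENC_MALFORMED;
    if (hex_decode(enc, SEED_HEX_LEN, seedb) != 0 ||
        hex_decode(enc + SEED_HEX_LEN, SIZE_HEX_LEN, sizeb) != 0) return ENC_MALFORMED;
    uint32_t seed = (uint32_t)seedb[0] << 24 | (uint32_t)seedb[1] << 16 |
                    (uint32_t)seedb[2] << 8 | seedb[3];
    size_t size = (size_t)sizeb[0] << 8 | sizeb[1];
    const char *ct = enc + SEED_HEX_LEN + SIZE_HEX_LEN;
    size_t ct_hexlen = len - SEED_HEX_LEN - SIZE_HEX_LEN;
    if (ct_hexlen % 2) return ENC_MALFORMED;
    if (!check(size, ct_hexlen)) return ENC_REJECTED;

    size_t declen = ct_hexlen / 2;              /* what really gets allocated */
    uint8_t *buf = malloc(declen ? declen : 1);
    uint8_t *ks = malloc(size ? size : 1);
    if (!buf || !ks || hex_decode(ct, ct_hexlen, buf) != 0) {
        free(buf); free(ks); return ENC_MALFORMED;
    }
    keystream(seed, size, ks);
    size_t inbounds = size < declen ? size : declen;
    for (size_t i = 0; i < inbounds; i++) buf[i] ^= ks[i];
    *overflow = size > declen ? size - declen : 0; /* would-be out-of-bounds writes */
    free(ks);
    *out = buf; *outlen = declen;
    return ENC_OK;
}

/* Client/attacker side: XOR the plaintext with the same key stream, hex-encode,
 * and prefix the seed plus a *declared* size that need not match the real length. */
int build_enc(uint32_t seed, const uint8_t *pt, size_t ptlen, size_t declared_size,
              char *out, size_t cap)
{
    static const char hx[] = "0123456789abcdef";
    size_t need = SEED_HEX_LEN + SIZE_HEX_LEN + 2 * ptlen + 1;
    if (declared_size > 0xFFFF || cap < need) return -1;
    uint8_t *ks = malloc(ptlen ? ptlen : 1);
    if (!ks) return -1;
    keystream(seed, ptlen, ks);
    char *p = out;
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(seed >> (24 - 8 * i));
        *p++ = hx[b >> 4]; *p++ = hx[b & 15];
    }
    for (int i = 0; i < 4; i++) *p++ = hx[(declared_size >> (12 - 4 * i)) & 15];
    for (size_t i = 0; i < ptlen; i++) {
        uint8_t c = pt[i] ^ ks[i];
        *p++ = hx[c >> 4]; *p++ = hx[c & 15];
    }
    *p = '\0';
    free(ks);
    return 0;
}
```

An honest request (declared size equal to the decoded length) round-trips through either check. Declaring a size equal to the hex length passes the buggy check and yields an overflow count equal to the decoded length, i.e. the XOR loop would run a full buffer’s worth past the allocation; the fixed check rejects the same request before anything is allocated.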
This is a very serious vulnerability that affects tens of thousands of Internet-exposed nodes. Public exploit code has not yet been released, but it is inevitable. The research is very well done and gives a clear explanation of how to trigger the overflow condition.
Bishop Fox has released a detection tool to determine whether your deployment is vulnerable. Any FortiGate deployment with the SSL VPN component disabled is not affected. Patch your product ASAP!
Arcserve Unified Data Protection (UDP) is an enterprise backup and recovery platform that was found vulnerable to an authentication bypass leading to RCE. The login request submitted by the application carries a serialized string of values as a POST parameter. Within that serialized string are a protocol definition, hostname, username, and password, which are passed to a validateUser function.
validateUser parses out those values and uses them to create a proxy that brokers requests between the client and the web service. Because the proxy is built from the hostname and protocol submitted at login, an attacker controls both, which sets the stage for a server-side request forgery (SSRF). By exploiting this weakness it’s possible to redirect subsequent application requests to an attacker-controlled system. Using that setup as a test harness it is ultimately possible to obtain the UUID of the application administrator.
The administrator’s UUID can then be used against the web service method “validateUserByUuid”. A crafted request to this method with the acquired admin UUID returns a session cookie. That cookie opens up a larger attack surface, including the web service method “getLocalHostAsTrust”, which returns the administrator’s encrypted password. Reverse engineering the code that encrypts this value revealed that a static key is used, making decryption of the password trivial. The recovered password almost certainly has local admin rights on the vulnerable host, which can be leveraged to attain remote command execution.
This was excellent research by the MDSec ActiveBreach red team. There are no known workarounds for this issue. As the adage goes, patch now.
To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.