Top Trending CVEs of May 2023
- May 31, 2023
- Shawn Evans
May was a rather quiet month for security research, but an excellent write-up filtered to the masses from the Pwn2Own Vancouver 2023 contest. In this post we cover a critical vulnerability identified in VMware Workstation that could allow a guest OS escape and RCE on your hypervisor. ManageEngine ADManager Plus was found vulnerable to yet another command injection vulnerability, and Barracuda released a patch to address a remote command execution vulnerability triggered by a crafted *.tar attachment. Finally, it wouldn't be a worthy blog post if we didn't include a nugget from Patch Tuesday.
We begin with a privilege escalation vulnerability that impacts Microsoft's Outlook email client. In March we covered CVE-2023-23397, a vulnerability that enabled an attacker to send a malicious email carrying a custom reminder sound path which, when processed by the client, caused the victim to send their Net-NTLMv2 hash to an attacker-controlled server. Microsoft released a patch to address this issue, but researchers confirmed it was half-baked (the bypass is tracked as CVE-2023-29324). Through careful analysis, it was found that the initial attack vector, injecting a custom sound defined by a UNC path, remained a risk.
When a custom sound file is specified in an email, two functions are called: MapUrlToZone and CreateFile. MapUrlToZone determines whether the security zone of a supplied URL is Local Machine, Intranet, or Internet, and the March patch relies on it to reject remote paths before CreateFile opens the file. By injecting a crafted UNC path it's possible to bypass that validation, so that MapUrlToZone does not classify the path as remote while CreateFile still resolves it to an attacker-defined resource, say a host running ntlmrelayx.py. Pentesters regularly leverage this technique on internal engagements to relay intercepted credentials to other systems in the domain, which can result in elevated access and potentially remote command execution. The good news here is that the sound file property (PidLidReminderFileParameter) is stripped from incoming messages by Exchange servers that received the March security update, so only Outlook clients behind unpatched Exchange servers are exploitable via email.
A secondary mitigating factor is that many privileged accounts are members of the Protected Users security group, which disables NTLM authentication for all member accounts. All these facts considered, I think the CVSS score on this one is a bit lower than it should be: the attack complexity is low, proof-of-concept code exists in the wild, and successful exploitation requires zero user interaction.
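A practical follow-up to the Outlook discussion is hunting for messages whose reminder sound points off-host. The following is an added example, not code from this post or from Microsoft: a conservative classifier for PidLidReminderFileParameter values, of the kind a mailbox-hunt or mail-flow script needs. It does not replicate MapUrlToZone; it deliberately treats every path form that could resolve to another host (plain UNC, extra leading separators, forward slashes, file: URLs, the \\?\UNC\ and \\.\UNC\ device-namespace forms) as remote. The sample message items and the 203.0.113.7 address are constructed for the demo.

```python
"""
Added example, not code from the NopSec post or from Microsoft: a conservative
classifier for Outlook reminder-sound paths. It does NOT replicate MapUrlToZone;
it treats every path form that could resolve off-host as remote.
The sample message items below are constructed for the demo.
"""
import re
from urllib.parse import unquote

REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# Device-namespace prefixes that can wrap a UNC path (\\?\UNC\host\share\x etc.)
_UNC_DEVICE_PREFIXES = ("\\\\?\\unc\\", "\\\\.\\unc\\")
_DRIVE = re.compile(r"[A-Za-z]:")


def normalize_path(value: str) -> str:
    r"""Collapse the variations that make a remote path look local to a naive
    'starts with \\' check: URL encoding, forward slashes, a file: scheme,
    and the \\?\UNC\ / \\.\UNC\ device-namespace forms."""
    v = unquote(value.strip()).replace("/", "\\")
    if v.lower().startswith("file:"):
        v = v[len("file:"):]            # file:\\host\share\x -> \\host\share\x
    lowered = v.lower()
    for prefix in _UNC_DEVICE_PREFIXES:
        if lowered.startswith(prefix):
            return "\\\\" + v[len(prefix):]
    return v


def is_remote_path(value: str) -> bool:
    """True if the normalized path names a host other than this machine."""
    v = normalize_path(value)
    m = re.match(r"^\\{2,}([^\\]+)", v)  # two or more leading separators -> server name
    if not m:
        return False                     # relative path or drive-letter path
    first = m.group(1)
    if first in ("?", "."):
        return False                     # \\?\C:\... and \\.\device are local namespaces
    if _DRIVE.fullmatch(first):
        return False                     # file:///C:/x normalizes to \\\C:\x, still local
    return True


def find_suspicious_reminders(items):
    """items: iterable of dicts of MAPI named properties (as a mailbox export
    would yield). Returns (subject, normalized path) for each remote reminder."""
    hits = []
    for item in items:
        value = item.get(REMINDER_FILE_PARAMETER)
        if value and is_remote_path(value):
            hits.append((item.get("subject", "<no subject>"), normalize_path(value)))
    return hits


# Constructed sample items; 203.0.113.7 is a documentation address, not a real host.
SAMPLE_ITEMS = [
    {"subject": "Team sync", REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"},
    {"subject": "Invoice overdue", REMINDER_FILE_PARAMETER: r"\\203.0.113.7\share\ping.wav"},
    {"subject": "Re: budget", REMINDER_FILE_PARAMETER: r"\\?\UNC\203.0.113.7\share\ping.wav"},
    {"subject": "Lunch", REMINDER_FILE_PARAMETER: "file:////203.0.113.7/share/ping.wav"},
    {"subject": "No reminder sound"},
]

if __name__ == "__main__":
    for subject, path in find_suspicious_reminders(SAMPLE_ITEMS):
        print(f"REMOTE reminder sound in '{subject}': {path}")
```

Feed it the named properties from whatever mailbox export you already have; anything it flags deserves a look at the sending address and the Exchange patch level of the server that accepted the message.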
CVE-2023-20869 and CVE-2023-20870 address vulnerabilities in the virtual Bluetooth USB device of VMware Workstation (and Fusion) that, chained together, result in a guest-to-host escape and RCE on the hypervisor. By default on VMware Workstation the option "Share Bluetooth devices with the virtual machine" is enabled, which allows a guest OS to access Bluetooth devices on the host. The Bluetooth bridge is implemented by the VBluetooth component, which executes inside the vmware-vmx.exe process on the host. Two of the sub-systems implemented in VBluetooth are USB Request Block (URB) handling and the Service Discovery Protocol (SDP). The host's Bluetooth devices are exposed to the guest through a virtualized USB device, and a URB is the data structure that carries a single USB request (transfer type, endpoint, buffer and length) from the guest's USB stack to that device.
A vulnerability in the URB handling allows an attacker in the guest to read uninitialized heap memory from the host process (CVE-2023-20870), the kind of leak that is typically paired with a memory corruption bug to defeat ASLR. The SDP sub-system allows Bluetooth devices on the host to discover the services offered by devices within range of the local radio. The guest OS sends SDP requests to the host as protocol data units (PDUs), and the host fails to properly validate the PDUs it receives from the guest, which leads to a stack-based buffer overflow (CVE-2023-20869). The two vulnerabilities were chained to achieve code execution on the host OS. Note that successful exploitation requires the attacker to already hold administrator or SYSTEM rights inside the guest in order to drive the virtual USB device from privileged code. To this point no exploit code has been released to the public, but I would expect that to change soon. Disable Bluetooth sharing (remove the virtual Bluetooth device from the VM) if applying the patch isn't an immediate option. Although RCE on the host is a critical risk, this one shouldn't have a significant impact on enterprise environments, which run vSphere/ESXi rather than VMware Workstation.
Barracuda released an advisory informing customers that the Barracuda Email Security Gateway (ESG) was vulnerable to remote command injection (CVE-2023-2868). The details of the vulnerability were not spelled out in full, but the root cause lay in a module dedicated to screening attachments on inbound emails.
Barracuda determined that a specially crafted *.tar file sent as an attachment could result in remote command execution. The behavior was attributed to a lack of validation of the names of the files contained within the archive: a crafted *.tar can carry file names that, when interpolated into a command string executed through the Perl qx() operator, cause the embedded shell commands to run on the appliance. Barracuda released a patch, which was automatically pushed to all Email Security Gateway appliances shortly after the vulnerability was identified. However, Barracuda's subsequent investigation established that the vulnerability had been exploited in the wild as early as October 2022. That's a significant attack window for a low-complexity, zero-interaction, critical RCE vulnerability that fires simply because an email was received. Verify that your appliance is configured to receive automatic updates, otherwise you could still be at risk, and contact Barracuda for the indicators of compromise you need to determine whether your environment was impacted at any point.
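The class of bug Barracuda describes is "archive member name reaches a shell". As an added example (not Barracuda's code, and not a reconstruction of the ESG module), here is the check a gateway should perform on a tar attachment before anything else touches it: enumerate member names from the headers alone and flag names containing shell metacharacters. It goes slightly beyond the post by also flagging absolute, traversal and link members, which matter for any gateway that writes archive members to disk. The archive and its member names are constructed in memory for the demo.

```python
"""
Added example, not Barracuda's code: enumerate the member names of a tar
attachment without extracting it and flag names that would be dangerous if a
screening module ever interpolated them into a shell command string (the post
says the ESG did this through Perl's qx()). Absolute, traversal and link
members are flagged too. The archive is constructed in memory for the demo.
"""
import io
import re
import tarfile

# Characters a POSIX shell (and therefore Perl qx()) interprets inside an
# unquoted or double-quoted command string.
SHELL_META = re.compile(r"[`$|;&<>()\n\r\"'\\*?\[\]{}]")


def scan_tar_names(data: bytes):
    """Return [(member name, [reasons])] for every member worth blocking.
    Only headers are read; no member content is written anywhere."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reasons = []
            name = member.name
            if SHELL_META.search(name):
                reasons.append("shell-metacharacters")
            if name.startswith(("/", "\\")):
                reasons.append("absolute-path")
            if ".." in name.replace("\\", "/").split("/"):
                reasons.append("path-traversal")
            if member.issym() or member.islnk():
                reasons.append("link-member")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_tar(names):
    """Build an uncompressed tar in memory with one small regular file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed member names: one benign, three that must never reach a shell or the filesystem.
SAMPLE_NAMES = [
    "invoice.pdf",
    "report;$(id > /tmp/pwned).pdf",   # command substitution hidden in the name
    "`whoami`.doc",                     # backtick substitution
    "../../etc/cron.d/job",             # escapes the extraction directory
]

if __name__ == "__main__":
    for name, reasons in scan_tar_names(build_sample_tar(SAMPLE_NAMES)):
        print(f"BLOCK {name!r}: {', '.join(reasons)}")
```

Treat the scanner as defence in depth, not the fix: the actual fix is to never hand a member name to a shell at all, passing it as a discrete argv element (subprocess.run([...]) in Python, the list form of system() in Perl) so that no interpolation happens regardless of what the name contains.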
ManageEngine is making yet another appearance in a trending CVEs post. The ADManager Plus platform was found to be vulnerable to trivial remote command injection (CVE-2023-29084), but only for authenticated users.
Researchers discovered that a lack of input validation in the ChangePasswordAction handler could result in trivial PowerShell command injection. ChangePasswordAction is responsible for saving a variety of account configuration settings, including the proxy server settings. To persist the proxy server credentials, the saveServerSettings function is called, and the credentials submitted in the request are concatenated, unvalidated, into a "reg add" command that writes them to the registry. Because of that missing validation it's possible to inject OS commands through the USERNAME or PASSWORD parameters when updating the proxy server settings: an attacker only needs to append '\r\n' followed by a command to either value, and the command executes on the server as its own line.
Although the attack complexity is low, the access requirements mitigate the risk of mass exploitation: in a standard ManageEngine deployment only a user with administrator privileges is assigned the right to update proxy server settings. Still, ADManager Plus runs with privileged Active Directory credentials by design, so an admin-level command injection is worth patching promptly.
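To make the CRLF trick concrete, here is an added example (not ManageEngine's code) that models the pattern the post describes in Python: a vulnerable builder concatenates the submitted proxy credentials into "reg add" lines of a script that a shell later executes line by line, so a CRLF inside a value starts a new command, while the hardened builder validates the values and returns argv lists that never pass through a shell. The registry key, value names and script shape are assumptions for illustration, and the injected payload is a harmless whoami.

```python
"""
Added example, not ManageEngine's code: the CRLF command-injection pattern
described in the post, modelled in Python. Registry key, value names and the
script shape are assumptions for illustration only.
"""
import re

PROXY_KEY = r"HKLM\SOFTWARE\Example\ADManagerPlus\Proxy"   # assumed key, illustration only


def build_proxy_script_vulnerable(username: str, password: str) -> str:
    """VULNERABLE: raw string concatenation, no validation. Each line is later
    handed to a command interpreter, so CR/LF in a value yields an extra command."""
    return (
        f'reg add "{PROXY_KEY}" /v ProxyUser /t REG_SZ /d "{username}" /f\r\n'
        f'reg add "{PROXY_KEY}" /v ProxyPass /t REG_SZ /d "{password}" /f\r\n'
    )


def script_commands(script: str):
    """Split a generated script the way a line-oriented interpreter would."""
    return [line for line in re.split(r"\r?\n", script) if line.strip()]


class InvalidCredential(ValueError):
    pass


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_proxy_value(value: str, max_len: int = 256) -> str:
    """Reject anything that could break out of a single registry value:
    empty or oversized input and any control character (CR, LF, NUL, ...)."""
    if not value or len(value) > max_len:
        raise InvalidCredential("empty or oversized value")
    if _CONTROL.search(value):
        raise InvalidCredential("control character in value")
    return value


def build_proxy_argv_hardened(username: str, password: str):
    """HARDENED: validated values passed as discrete argv elements
    (e.g. subprocess.run(argv) with no shell), never as a script line."""
    user, pw = validate_proxy_value(username), validate_proxy_value(password)
    base = ["reg", "add", PROXY_KEY, "/t", "REG_SZ", "/f"]
    return [
        base + ["/v", "ProxyUser", "/d", user],
        base + ["/v", "ProxyPass", "/d", pw],
    ]


# Constructed payload: the CRLF + command trick the post describes (harmless whoami).
INJECTED_USERNAME = "svc_proxy\r\nwhoami"

if __name__ == "__main__":
    script = build_proxy_script_vulnerable(INJECTED_USERNAME, "Passw0rd!")
    for i, cmd in enumerate(script_commands(script)):
        print(f"vulnerable line {i}: {cmd}")      # line 1 is the injected whoami
    try:
        build_proxy_argv_hardened(INJECTED_USERNAME, "Passw0rd!")
    except InvalidCredential as exc:
        print(f"hardened: rejected ({exc})")
```

The validation is a conservative allow-by-shape check rather than a metacharacter blacklist; combined with argv-style execution it leaves nothing for an injected line to latch onto, which is the property to look for when reviewing any "settings page builds a command" code path.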
To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.