
Top Trending CVEs of November 2023


The holiday season has officially arrived, but that hasn’t slowed down security research. November featured some seriously cool exploits and excellent research across a diverse cross-section of the IT landscape. This month we cover an interesting information disclosure vulnerability that impacts Citrix NetScaler devices. It is almost certainly more critical than the CVE would lead you to believe. We also investigate a critical remote command execution vuln that impacts Apache ActiveMQ. Finally, we save the best for last and detail the winding path to remote command execution on F5 BIG-IP load balancers. Wipe the gravy off your face, roll up your sleeves, and drop to a command line as we cover the trending CVEs for November 2023.


1. Citrix Bleed CVE-2023-4966

Citrix Bleed is an information disclosure vulnerability that impacts Citrix NetScaler ADC and NetScaler Gateway. NetScaler ADC and Gateway devices provide load balancing, traffic management, and VPN services for enterprise networks. Researchers at Assetnote conducted a diff analysis of a patch released by Citrix. In doing so they zeroed in on two functions that were changed, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config. The updated functions are mapped to endpoints that are reachable by unauthenticated threat actors via “/oauth/idp/.well-known/openid-configuration” and “/oauth/rp/.well-known/openid-configuration” respectively. Both functions are responsible for returning an OpenID JSON config.

The primary difference between the patched and unpatched functions was the introduction of a bounds check on the returned OpenID JSON config. The key here is that the OpenID config is a JSON string generated via a call to the C function “snprintf”. The “snprintf” function composes a formatted string, but rather than printing it to the screen (à la “printf”) it stores the result in a buffer. “snprintf” accepts a maximum buffer size as an argument to prevent a buffer overflow. However, rather than returning the number of bytes it actually wrote, it returns the length the string would have had if the maximum size had not applied. When the OpenID JSON config is ultimately sent in the server response, the length of the returned data is calculated from the return value of “snprintf” rather than from the bytes actually stored in the buffer. This means that the returned data could exceed the intended maximum size of 0x20000 bytes.

But attackers need control of the input that populates the format string. It turns out that the string ultimately generated by the vulnerable functions contained host name values derived from the “Host” HTTP request header, which an attacker controls.

By injecting an excessively long “Host” header value (say 24812 bytes) into a request for the /oauth/idp/.well-known/openid-configuration endpoint it was possible to generate an OpenID payload that exceeded the intended size, resulting in the leakage of the memory immediately following the OpenID JSON buffer.

An analysis of the data revealed that the leaked memory contained NAC_AAA session identifiers that could be injected into subsequent requests. This effectively results in authentication bypass. I love this exploit chain. It’s easy to understand and easy to exploit. This is similar in severity to the Heartbleed vulnerability that impacted OpenSSL from 2012 to 2014; however, Citrix NetScaler deployments will (obviously) be far less prevalent than OpenSSL servers. Citrix has released a patch. You know the routine, patch now!
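The snprintf pitfall described above, as an added example (not Citrix’s code or Assetnote’s): a constructed, simplified OpenID config template is formatted into a fixed buffer, and the vulnerable length calculation is shown next to the bounds-checked one. The buffer size, JSON template, and function names are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the NetScaler response buffer. The real device
 * used 0x20000 bytes; 128 keeps the demonstration small. */
#define CONFIG_BUF_SIZE 128

/* Constructed, simplified OpenID config template. In the vulnerable code
 * path the host name comes straight from the request's Host header. */
static int format_config(char *buf, size_t bufsize, const char *host)
{
    return snprintf(buf, bufsize,
        "{\"issuer\":\"https://%s\",\"token_endpoint\":\"https://%s/oauth/idp/token\"}",
        host, host);
}

/* Vulnerable pattern: report snprintf's return value as the response length.
 * snprintf returns the length the full string WOULD have had, so with an
 * oversized host this exceeds bufsize, and a sender trusting it would read
 * the memory that follows buf. */
size_t config_len_vulnerable(char *buf, size_t bufsize, const char *host)
{
    int n = format_config(buf, bufsize, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Patched pattern: bounds-check the result. Report only what was actually
 * stored (at most bufsize - 1; the last byte is the terminating NUL) and
 * flag truncation so the caller can reject the request instead of sending
 * a partial config. */
size_t config_len_fixed(char *buf, size_t bufsize, const char *host, int *truncated)
{
    int n = format_config(buf, bufsize, host);
    if (n < 0) { *truncated = 1; return 0; }
    *truncated = (size_t)n >= bufsize;
    return *truncated ? bufsize - 1 : (size_t)n;
}

int main(void)
{
    char buf[CONFIG_BUF_SIZE], longhost[201];
    int truncated;
    memset(longhost, 'a', 200); longhost[200] = '\0';   /* constructed oversized Host value */
    printf("vulnerable length: %zu (buffer is %d bytes)\n",
           config_len_vulnerable(buf, sizeof buf, longhost), CONFIG_BUF_SIZE);
    printf("fixed length: %zu, truncated=%d\n",
           config_len_fixed(buf, sizeof buf, longhost, &truncated), truncated);
    return 0;
}
```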

Severity: Critical
Complexity: Low
CVSS Score: 9.4


Systems Impacted: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300


2. Apache ActiveMQ RCE CVE-2023-46604

Apache recently released a patch to address a critical vulnerability in ActiveMQ. Apache ActiveMQ is an open-source message broker written in Java that implements the Java Message Service API. In a default deployment ActiveMQ listens on TCP port 61616 and messages are brokered to the endpoint via the OpenWire protocol. The protocol is well defined and facilitates the conversion of Java objects to byte arrays and back, aka serialization. The OpenWire specification defines various data types, which are identified in the packet header. This mechanism provides a means for server-side objects to be utilized by the client.

Researchers found that it was possible to craft an OpenWire packet that leveraged the Spring ClassPathXmlApplicationContext class and a custom XML file, ultimately resulting in the execution of attacker-defined code. The exact vulnerability was related to the way that ActiveMQ deserialized ExceptionResponse data types. When an ExceptionResponse packet (type 31) is encountered it is passed to the ExceptionResponseMarshaller class, which ultimately calls the vulnerable function looseUnmarsalThrowable. That function deserializes the attacker-defined class name and message and instantiates the named class. By crafting an XML payload and an OpenWire packet with the data type set to 0x1f (31) it’s possible to launch arbitrary code on the broker. This is a highly critical vulnerability, does not require credentials to exploit, and with thousands of targets exposed on the Internet, mass exploitation is likely. Apache has released a patch to address the issue.

Severity: Critical
Complexity: Low
CVSS Score: 8.8


Systems Impacted: 

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16


3. F5 BIG-IP RCE CVE-2023-46747

It was recently announced by F5 that a critical vulnerability had been identified in their BIG-IP platform. Specifically, researchers discovered that the BIG-IP Configuration utility was prone to an authentication bypass via request smuggling that, through a chain of exploits, could result in remote command execution. The research and analysis, conducted by Praetorian, is wonderfully detailed and provides an excellent foundation relating the current vulnerability to similar issues identified in 2020 and 2022. We’ll do our best to keep the summary brief, but I strongly encourage everyone to dive into the full write-up. It’s worth noting that authenticated access to the F5 BIG-IP Configuration utility includes an API endpoint that facilitates command execution at “/mgmt/tm/util/bash”. Basically, if you can reach this API endpoint without authorization, it’s game over. At a high level, the vulns identified in 2020 and 2022 were the result of differences in the way requests were parsed on the frontend and backend, ultimately opening avenues for authentication bypass.

The researchers deployed a default F5 instance and quickly found it was running a custom build of Apache 2.4.6, which is prone to numerous security issues, including an HTTP request smuggling vuln designated CVE-2022-26377. F5 acknowledged that this vulnerability was present in their Apache 2.4.6 deployment, but it was never formally fixed, for reasons unknown. One of the exploitation requirements of CVE-2022-26377 was that the vulnerable Apache deployment had to use the Apache JServ Protocol (AJP). AJP is a binary protocol that proxies inbound requests from a web server through to an application server that sits behind it. That was indeed the case here: the F5 instance used AJP and had TCP port 8009 defined as the entry point. A deeper analysis of various configuration files confirmed that requests on the frontend were mapped to “tmui” endpoints on the backend.

Having confirmed that AJP was in use, the research team confirmed that it was in fact vulnerable to CVE-2022-26377, which allowed arbitrary files to be injected into the server response via request smuggling, an attack known as local file include (LFI). So, the ability to smuggle arbitrary data via AJP packets means we can get instant RCE?? Nah, not really. The only direct path to RCE would be to hit the “/mgmt/tm/util/bash” endpoint, but the smuggled requests are limited to “/tmui” due to the configuration of Tomcat and AJP. So, the only viable option was to leverage “/tmui” to create a new admin user.

There were three primary hurdles the team had to overcome. Due to the nature of the vuln, it was only possible to send GET requests to the AJP endpoints, and the request itself had to be exactly 518 bytes. Creating a user requires a POST request; however, the frontend script happily accepts the POST data as URL query parameters. The catch was that the length of the full URL query string exceeded 518 bytes. Through trial and error the research team found it was possible to create a user with a limited subset of the parameters, totaling about 400 bytes. Finally, by following the execution flow of user creation, it was found that adding the HTTP request header “REMOTEROLE: O” bypassed the session verification checks and allowed the creation of an unauthorized admin user.

If you recall from earlier, F5 has Bash command execution as a built-in feature for administrators, and we just became admins. So there you have it: unauthenticated RCE via AJP request smuggling. This was such a beautiful exploit chain. It goes to show that history repeats itself and can provide hints at future exploitation potential, particularly as it relates to open source software included as part of another company’s product. Patch now!

Severity: Critical
Complexity: Low
CVSS Score: 9.8

Systems/Applications Impacted:

  • BIG-IP 17.x: 17.1.0 – 17.1.1
  • BIG-IP 16.x: 16.1.0 – 16.1.4
  • BIG-IP 15.x: 15.1.0 – 15.1.10
  • BIG-IP 14.x: 14.1.0 – 14.1.5

Mitigating Controls:

If patching is not immediately possible, F5 has released a mitigation script. For detailed instructions, please refer to the F5 advisory referenced below.
