CVE-2024-7593: Ivanti vTM Authentication Bypass

The team added an exploit, version scanner, pcap, signatures, and YARA for an authentication bypass in Ivanti's Virtual Traffic Manager (vTM). Additionally, the team provided a vulnerable docker image. The exploit creates an administrator account with user-supplied credentials. The team noted few instances online, though the software is a prime target for internal assessments.

CVE-2024-26331: ReCrystallize Server authentication bypass to RCE

An authentication bypass in all versions of ReCrystallize Server allows any unauthenticated attacker to upload ASP files, leading to remote code execution. The bypass is triggered by a non-default header and lets any user authenticate. The team landed an exploit that deploys a webshell; additionally, a version scanner, pcap, and network signatures were developed.

Currently, the developers of ReCrystallize do not have a patch or fix for the vulnerability. The team additionally identified that the public Proofpoint Emerging Threats Suricata/Snort rules are incorrect.

CVE-2024-20419: Cisco Smart Software Manager On-Prem Account Takeover

The team added an exploit, pcap, and network signatures for CVE-2024-20419, a vulnerability that allows an unauthenticated, remote attacker to reset any password on the Cisco SSM (admin being the default admin user). The team found that this attack gives the attacker access to the web interface but makes the CLI and SSH unusable for that user, which might be a feature depending on what you are doing.

The internet-facing target set for this was not wide, but seemed to be focused on higher education, which does seem like a somewhat desirable target. So far, however, our GreyNoise queries have only picked up ShadowServer scanning for the vulnerability.

Miscellaneous Updates

Asset detection for CVE-2024-32238 and CVE-2022-1026 was revamped to remove false positives. The migration of the entire repository to go-exploit 1.24.0 (and therefore coherent -details output) was completed. A vulnerable docker image was added for Magento CVE-2024-34102. Finally, dropped binaries are now compiled with CGO=0, as we ran into a problem dropping a payload on NixOS.

ip-intel update:

Tracking for Ermac 2.0, an Android-based banking trojan, was added. Additionally, tracking of the 63256 botnet, an offshoot of the 7777 botnet that primarily affects ASUS routers, was also added.