Happy Friday! Here are this week's release notes from the VulnCheck Initial Access team:

CVE-2024-9441: Linear eMerge e-Series (Unpatched)

Last week we covered CVE-2019-7256, a vulnerability in Linear eMerge e-Series that was being exploited by Flax Typhoon. This week we assigned and developed content for CVE-2024-9441. This vulnerability was disclosed last week without a CVE, and has no patch. Unlike CVE-2019-7256, we did find vulnerable systems online. The team developed network rules, pcap, Shodan/Censys queries, and an exploit. Unfortunately, we were not able to develop a GreyNoise query for this one, but assume exploitation will happen soon if it hasn't happened already.

CVE-2024-45519: Zimbra SMTP RCPT Injection RCE

While everyone was hot for the CUPS vulnerability last week, we identified this Zimbra vulnerability as being critical. And we were right! This vulnerability was added to CISA KEV yesterday (trailing our content release). The bug is in the postjournal service, which did not properly escape the recipient address before passing it to shell commands, leading to remote code execution.

This vulnerability has a few major caveats that might make it less exploitable than it seems at first glance. First, the postjournal service is not enabled in the default configuration and must be explicitly turned on. It is unclear how common this configuration is in the ecosystem, and we did not identify a way to validate whether it is enabled without sending malicious traffic. Second, the vulnerability requires the attacker's source address to be in an allow list of IP addresses that defaults to the routed subnets at the time of install, which the team thinks greatly reduces the risk of large-scale exploitation, although we do note approximately 25,000 potentially vulnerable systems online.
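To make the bug class and the two caveats concrete, here is an added illustration (not the page's content and not Zimbra's postjournal code): a recipient address interpolated into a shell string beside the no-shell and validated forms, a network-rule style check over a constructed SMTP session, and a model of the install-time subnet allow list. The `echo` stand-in for the journaling command, the sample session, the benign `$(echo INJECTED)` marker, and the subnets are all constructed for the example.

```python
"""Model of the bug class behind CVE-2024-45519: an SMTP recipient address
reaching a shell command string unescaped. Added illustration, not Zimbra's
postjournal code; the command, sample session and allow list are constructed."""
import ipaddress
import re
import subprocess

# Constructed attacker recipient. $(echo INJECTED) is benign on purpose:
# it only proves that a shell evaluated the address.
BENIGN_RCPT = "victim@example.com"
INJECTED_RCPT = "victim$(echo INJECTED)@example.com"

# Conservative shape for addresses we are willing to hand to a subprocess.
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")
# Shell metacharacters that have no business in a routed recipient.
SHELL_META = re.compile(r"[$`|;&(){}\n\\]")
RCPT_LINE = re.compile(r"^RCPT TO:\s*<?([^>]*)>?", re.IGNORECASE)


def deliver_vulnerable(rcpt: str) -> str:
    """Vulnerable pattern: the address is interpolated into a shell string.
    'echo' stands in for the hypothetical journaling command."""
    cmd = f"echo journal {rcpt}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def deliver_no_shell(rcpt: str) -> str:
    """Hardened: argv list and no shell, so metacharacters stay literal."""
    out = subprocess.run(["echo", "journal", rcpt], capture_output=True, text=True)
    return out.stdout.strip()


def deliver_hardened(rcpt: str) -> str:
    """Defense in depth: validate the address shape before spawning anything."""
    if not SAFE_ADDRESS.match(rcpt):
        raise ValueError(f"rejected recipient: {rcpt!r}")
    return deliver_no_shell(rcpt)


def hardened_rejects(rcpt: str) -> bool:
    """True when the validated path refuses the address."""
    try:
        deliver_hardened(rcpt)
        return False
    except ValueError:
        return True


def flag_rcpt_lines(session_lines):
    """Network-rule style check: RCPT addresses carrying shell metacharacters."""
    flagged = []
    for line in session_lines:
        m = RCPT_LINE.match(line.strip())
        if m and SHELL_META.search(m.group(1)):
            flagged.append(m.group(1))
    return flagged


def source_allowed(src_ip: str, allowed_networks) -> bool:
    """Model of the install-time allow list: only sources inside the listed
    subnets reach the service at all."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


# Constructed SMTP session as a sensor would see it on port 25.
SAMPLE_SESSION = [
    "EHLO mail.example.org",
    "MAIL FROM:<sender@example.org>",
    f"RCPT TO:<{BENIGN_RCPT}>",
    f"RCPT TO:<{INJECTED_RCPT}>",
    "DATA",
]
# Constructed default allow list: the subnets routed at install time.
INSTALL_TIME_SUBNETS = ["10.20.0.0/16", "192.0.2.0/24"]

if __name__ == "__main__":
    print(deliver_vulnerable(INJECTED_RCPT))  # the shell ran the substitution
    print(deliver_no_shell(INJECTED_RCPT))    # the address stays literal
    print(flag_rcpt_lines(SAMPLE_SESSION))
    print(source_allowed("10.20.5.9", INSTALL_TIME_SUBNETS),
          source_allowed("198.51.100.7", INSTALL_TIME_SUBNETS))
```

The metacharacter check is the kind of thing a network rule can match without needing to know whether postjournal is enabled on the target; the allow-list function shows why a scanner on a random internet address would normally never reach the vulnerable code path even where the service is on.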

CVE-2023-26469: Jorani Log Poisoning RCE

The team also developed an exploit, signatures, version scanners, and PCAPs for the Jorani Leave Management System, also part of the recently reported set of CVEs exploited by Flax Typhoon. The vulnerability chains a path traversal in the language parameter with the logging of unsanitized usernames: a username containing PHP code is written to a log file, and the traversal causes that file to be loaded, leading to remote code execution. This software does not appear to be widespread, with roughly 500 fingerprintable servers on the internet at the time of development.
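The poison-then-traverse chain, as an added model (not Jorani's code and not the page's own): a login handler that logs the raw username beside one that sanitizes it, and a language lookup that joins the parameter straight onto a directory beside one that allowlists the value and confines the canonical path. The directory layout, log format, file names and PHP payload string are constructed for the example; nothing here interprets PHP, it only shows that the traversal resolves to the poisoned log.

```python
"""Model of the bug class behind CVE-2023-26469: a traversable language
parameter reaching a file load, chained with a log that stores the raw
username. Added illustration, not Jorani's code; the directory layout,
log format and parameter handling are constructed."""
import os
import re
import tempfile

LANGUAGE_ALLOWLIST = {"en", "fr", "de"}
PHP_TAG = "<?php"


def build_app(root: str) -> None:
    """Constructed layout: language files beside a writable application log."""
    os.makedirs(os.path.join(root, "language"))
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "language", "en"), "w") as f:
        f.write("greeting=Hello\n")


def log_login_vulnerable(root: str, username: str) -> None:
    """Vulnerable: the submitted username lands in the log byte for byte."""
    with open(os.path.join(root, "logs", "app.log"), "a") as f:
        f.write(f"login failed for {username}\n")


def log_login_hardened(root: str, username: str) -> None:
    """Hardened: collapse anything outside a conservative character set
    before logging, so a log line can never carry an opening PHP tag."""
    cleaned = re.sub(r"[^\w.@-]", "_", username)[:64]
    with open(os.path.join(root, "logs", "app.log"), "a") as f:
        f.write(f"login failed for {cleaned}\n")


def language_path_vulnerable(root: str, lang: str) -> str:
    """Vulnerable: the parameter is joined onto the directory with no check,
    so '../logs/app.log' escapes the language directory."""
    return os.path.join(root, "language", lang)


def language_path_hardened(root: str, lang: str) -> str:
    """Hardened: allowlist the value, then confirm the canonical path is still
    inside the language directory (the second check survives a later edit
    that widens the allowlist)."""
    if lang not in LANGUAGE_ALLOWLIST:
        raise ValueError(f"unknown language {lang!r}")
    lang_dir = os.path.realpath(os.path.join(root, "language"))
    candidate = os.path.realpath(os.path.join(lang_dir, lang))
    if not candidate.startswith(lang_dir + os.sep):
        raise ValueError("path escapes language directory")
    return candidate


def demo() -> dict:
    """Run the chain against the vulnerable and hardened variants."""
    payload = "<?php system($_GET['c']); ?>"  # constructed poisoning username
    traversal = os.path.join("..", "logs", "app.log")
    results = {}

    vuln_root = tempfile.mkdtemp()
    build_app(vuln_root)
    log_login_vulnerable(vuln_root, payload)
    loaded = language_path_vulnerable(vuln_root, traversal)
    results["traversal_hits_log"] = os.path.realpath(loaded) == os.path.realpath(
        os.path.join(vuln_root, "logs", "app.log"))
    with open(loaded) as f:
        results["log_poisoned"] = PHP_TAG in f.read()

    safe_root = tempfile.mkdtemp()
    build_app(safe_root)
    log_login_hardened(safe_root, payload)
    try:
        language_path_hardened(safe_root, traversal)
        results["hardened_rejects_traversal"] = False
    except ValueError:
        results["hardened_rejects_traversal"] = True
    results["hardened_accepts_en"] = language_path_hardened(safe_root, "en").endswith(
        os.path.join("language", "en"))
    with open(os.path.join(safe_root, "logs", "app.log")) as f:
        results["hardened_log_poisoned"] = PHP_TAG in f.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Either fix alone breaks the chain, which is why the hardened variant applies both: the allowlist stops the traversal from ever reaching the log, and the sanitized log means there is nothing to execute even if some other include path is found later.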

CVE-2023-47218: QNAP QTS Command Injection

This is another Flax Typhoon vulnerability. It affects multiple QNAP products: QNAP QTS, QuTS hero, and QuTS. It is a command injection in a multipart request to the quick.cgi component, which is only intended to be exposed on uninitialized instances waiting to be set up via manual or cloud-based provisioning. The exploit payload must be under 128 bytes, so the team delivered an exploit with two payload options: a simple encrypted payload, or a small Unix payload that makes a web request for additional bash commands to run. The team also delivered a new pcap, network signatures, a version scanner, and Shodan/Censys/GreyNoise queries.

IP-Intel Update

The team started tracking some commercial VPNs that were privately reported to us as being used by attackers: Surfshark, AirVPN, and CyberGhost. We've started tracking Tor exit nodes. Finally, we noted we were tracking some VShell instances that were co-hosted with honeypots. A deep dive on why that was resulted in a new VShell honeypot detection and a refinement of the existing VShell C2 detection.