Happy Friday! The following are the release notes for the content the Initial Access Intelligence team delivered over this holiday-shortened week:
VulnCheck assigned this CVE in coordination with Horizon3.ai. The team notes there are likely fewer than 2,000 of these systems exposed to the internet. Nevertheless, the CVE was added to VulnCheck KEV on April 12 and to CISA KEV nearly a month later.
Affected versions do not authenticate requests made to the /api/v1/validate/code endpoint, allowing attackers to submit and execute arbitrary code. The team developed an exploit that executes a Python payload yielding a reverse shell over an encrypted SSL socket (or an unencrypted socket, if preferred). The team also published PCAPs, network rules, search engine queries, and a vulnerable Docker container.
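For defenders who want a quick log-side check to complement the network rules mentioned above, the following is an added example (not code from VulnCheck or from the affected product) that scans web-server access logs for requests hitting the unauthenticated /api/v1/validate/code endpoint and summarises them by source address. It assumes a combined-format access log (Apache/nginx style); the log lines, IPs and timestamps are constructed sample data, and the affected product is not named in this excerpt.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2024:10:01:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Apr/2024:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2024:10:01:09 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 500 128 "-" "curl/8.4.0"
192.0.2.5 - - [12/Apr/2024:10:02:00 +0000] "GET /api/v1/validate/status HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Endpoint named in the advisory text above; requests to it are unauthenticated on affected versions.
WATCHED_PATH = "/api/v1/validate/code"


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    user_agent: str


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def path_matches(path):
    """Compare the request path to the watched endpoint, ignoring any query string."""
    return path.split("?", 1)[0] == WATCHED_PATH


def find_hits(log_text):
    """Return every request to the watched endpoint as a Hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not path_matches(rec["path"]):
            continue
        hits.append(Hit(
            ip=rec["ip"],
            ts=rec["ts"],
            method=rec["method"],
            path=rec["path"],
            status=int(rec["status"]),
            user_agent=rec["ua"] or "-",
        ))
    return hits


def summarize_by_source(hits):
    """Count hits per source IP so repeat callers stand out for triage."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} ({h.user_agent})")
    print("per-source counts:", summarize_by_source(found))
```

Access logs do not record the request body, so a match tells you only that the endpoint was called, not what was submitted; treat each hit on an unpatched system as a candidate for review alongside the PCAP-level signatures, and pay particular attention to sources that are not known legitimate clients.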
Although it is an obscure product, ZKTeco BioTime played a central role in an incident report by Fortinet regarding Iranian intrusion into critical infrastructure. The vulnerabilities were added to VulnCheck-KEV on May 2 and to CISA KEV on May 19.
For each, the team developed an exploit (with one exception), PCAPs, search engine queries, and network rules. At the time of writing, the CVE-2023-38951 exploit is not quite finished and will be delivered next week. The team notes a suspiciously large number of internet-facing systems, with 53,000 currently listed in Saudi Arabia. They assume these are mostly honeypots, but have not yet confirmed it. It's worth noting that coverage for these CVEs was initiated by customer request.
At customer request, the team added content for CVE-2021-21985, a widely exploited vulnerability in VMware vCenter Server's vSphere Client. The vulnerability has been part of VulnCheck-KEV since inception and still regularly sees activity on Shadowserver. Additionally, the vulnerability has been known to be used by ransomware groups, including the Conti ransomware gang.
Arbitrary method invocation in the vSAN health check plugin (enabled by default) is chained with an internal SSRF to trigger code execution and ultimately run an arbitrary OS command. Our exploit offers several reverse shell options through this vector. The team also delivered PCAPs, Suricata and Snort rules, and a YARA rule. The queries we provided still show many possible targets online.
By request, the team added PCAPs, network signatures, and search engine queries for three historical vulnerabilities: CVE-2013-2134 (Apache Struts2), CVE-2013-4810 (JBoss), and CVE-2017-7455 (Moxa). Interestingly, scanning for CVE-2013-4810 remains active, and we suspect the same is true for CVE-2013-2134, as it is integrated into pocsuite3.