Author: Caitlin Condon

CVE-2023-22515: Zero-Day Privilege Escalation in Confluence Server and Data Center

On October 4, 2023, Atlassian published a security advisory on CVE-2023-22515, a critical privilege escalation vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center. Atlassian does not specify the root cause of the vulnerability or where exactly the flaw resides in Confluence implementations, though the indicators of compromise include mention of the /setup/* endpoints.

The advisory indicates that “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”

It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.

Since CVE-2023-22515 has been exploited in user environments, Atlassian recommends that on-premises Confluence Server and Data Center customers update to a fixed version immediately, or else implement mitigations. The advisory notes that “Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.” Indicators of compromise are included in the advisory and are reproduced in the Mitigation guidance section below.

Affected Products

The following versions of Confluence Server and Data Center are affected:

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Versions prior to 8.0.0 are not affected by this vulnerability. Atlassian Cloud sites are not affected by this vulnerability. Confluence sites accessed via an atlassian.net domain are hosted by Atlassian and are not vulnerable to this issue.

Fixed versions:

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long Term Support release) or later

For more information, refer to the Atlassian advisory and release notes.

Mitigation guidance

On-prem Confluence Server and Confluence Data Center customers should upgrade to a fixed version immediately, restricting external network access to vulnerable systems until they are able to do so. The Atlassian advisory says that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances. Directions on doing this are in the advisory.

Atlassian recommends checking all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-22515 with a remote version-based vulnerability check expected to be available in today’s (October 4) content release.

Critical Vulnerabilities in WS_FTP Server

On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting the Ad Hoc Transfer module in WS_FTP Server, a secure file transfer solution. There are a number of vulnerabilities in the advisory, two of which are critical (CVE-2023-40044 and CVE-2023-42657).

Rapid7 is not aware of any exploitation in the wild as of September 29, 2023. Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget.

The vulnerabilities in the advisory span a range of affected versions, and several affect only WS_FTP servers that have the Ad Hoc Transfer module enabled. Nevertheless, Progress Software’s advisory urges all customers to update to WS_FTP Server 8.8.2, which is the latest version of the software. Rapid7 echoes this recommendation.The vendor advisory has guidance on upgrading, along with info on disabling or removing the Ad Hoc Transfer module.

The critical vulnerabilities are below — notably, NVD scores CVE-2023-40044 as only being of “high” severity, not critical:

  • CVE-2023-40044: In WS_FTP Server versions prior to 8.7.4 and 8.8.2, the Ad Hoc Transfer module is vulnerable to a .NET deserialization vulnerability that allows an unauthenticated attacker to execute remote commands on the underlying WS_FTP Server operating system. The vulnerability affects all versions of the WS_FTP Server Ad Hoc module. Progress Software’s advisory indicates that WS_FTP Server installations without the Ad Hoc Transfer module installed are not vulnerable to CVE-2023-40044.
  • CVE-2023-42657: WS_FTP Server versions prior to 8.7.4 and 8.8.2 are vulnerable to a directory traversal vulnerability that allows an attacker to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path.  Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.

Additional (non-critical) vulnerabilities are listed below. See Progress Software’s advisory for full details:

  • CVE-2023-40045: In WS_FTP Server versions prior to 8.7.4 and 8.8.2, the Ad Hoc Transfer module is vulnerable to reflected cross-site scripting (XSS). Delivery of a specialized payload could allow an attacker to execute malicious JavaScript within the context of the victim's browser.
  • CVE-2023-40046: The WS_FTP Server manager interface in versions prior to 8.7.4 and 8.8.2 is vulnerable to  SQL injection, which could allow an attacker to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
  • CVE-2023-40047: The WS_FTP Server Management module in versions prior to 8.8.2 is vulnerable to stored cross-site scripting (XSS), which could allow an attacker with administrative privileges to import an SSL certificate with malicious attributes containing cross-site scripting payloads.  Once the cross-site scripting payload is successfully stored, an attacker could leverage this vulnerability to target WS_FTP Server admins with a specialized payload which results in the execution of malicious JavaScript within the context of the victim's browser.  
  • CVE-2023-40048: The Manager interface in WS_FTP Server version prior to 8.8.2 was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function.
  • CVE-2023-40049: In WS_FTP Server version prior to 8.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing.  
  • CVE-2022-27665: WS_FTP Server 8.6.0 is vulnerable to reflected XSS (via AngularJS sandbox escape expressions), which allows an attacker to execute client-side commands by inputting malicious payloads in the subdirectory search bar or Add folder filename boxes. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Mitigation guidance

Progress Software security advisories have borne increased scrutiny and garnered broader attention from media, users, and the security community since the Cl0p ransomware group’s May 2023 attack on MOVEit Transfer. Secure file transfer technologies more generally continue to be popular targets for researchers and attackers.

While these vulnerabilities are not known to be exploited by adversaries at this time, we would advise updating to a fixed version as soon as possible, without waiting for a typical patch cycle to occur. As noted in the advisory, "upgrading to a patched release using the full installer is the only way to remediate this issue. There will be an outage to the system while the upgrade is running."

The optimal course of action is to update to 8.8.2 as the vendor has advised. If you are using the Ad Hoc Transfer module in WS_FTP Server and are not able to update to a fixed version, consider disabling or removing the module.

See Progress Software's advisory for the latest information.

Rapid7 customers

InsightVM and Nexpose customers running WS_FTP will be able to assess their exposure to all eight of the CVEs in this blog with authenticated vulnerability checks expected to be available in today’s (September 29) content release.

CVE-2023-42793: Critical Authentication Bypass in JetBrains TeamCity CI/CD Servers

On September 20, 2023, JetBrains disclosed CVE-2023-42793, a critical authentication bypass vulnerability in on-premises instances of their TeamCity CI/CD server. Successful exploitation of CVE-2023-42793 allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution attack and gain administrative control of the server — making the vulnerability a potential supply chain attack vector.

As of September 25, 2023, Rapid7 is not aware of in-the-wild exploitation of CVE-2023-42793, and no public exploit code is available. We still recommend, however, that TeamCity customers upgrade to the fixed version (2023.05.4) immediately, or else apply one of the vulnerability-specific patches outlined in the JetBrains advisory. Customers who are unable to upgrade or apply a targeted fix for CVE-2023-42793 should consider taking the server offline until the vulnerability can be mitigated.

Affected Products

CVE-2023-42793 affects all on-prem versions of JetBrains TeamCity prior to 2023.05.4. TeamCity Cloud is not affected, and according to JetBrains, TeamCity Cloud servers have already been upgraded to the latest version.

Mitigation Guidance

JetBrains notes in their advisory that vulnerability-specific security patch plugins (i.e., hot fixes) are available as a temporary workaround for TeamCity customers who are not able to upgrade to 2023.05.4. The plugins are supported on TeamCity 8.0+ and will mitigate CVE-2023-42793 specifically, but will not address any other security issues or bugs that are included in the full 2023.05.4 upgrade.

Security patch plugins:

For TeamCity 2019.2 and later, the plugin can be enabled without restarting the TeamCity server. For versions older than 2019.2, a server restart is required after the plugin has been installed. TeamCity customers should refer to the JetBrains advisory on CVE-2023-42793 for the latest information.

Rapid7 strongly recommends upgrading to the fixed version of the software (2023.05.4) as soon as possible rather than relying solely on workarounds.

Rapid7 Customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-42793 with a remote vulnerability check targeted for today’s (September 25) content release.

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway

On Tuesday, July 18, Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Of the three vulnerabilities, CVE-2023-3519 is the most severe—successful exploitation allows unauthenticated attackers to execute code remotely on vulnerable target systems that are configured as a Gateway.  

  • CVE-2023-3466: Reflected XSS vulnerability—successful exploitation requires the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NetScaler IP (NSIP)
  • CVE-2023-3467: Allows for privilege escalation to root administrator (nsroot)
  • CVE-2023-3519: Unauthenticated remote code execution—NOTE that the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA  virtual server

CVE-2023-3519 is known to be exploited in the wild. This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.

Affected Products

According to Citrix, the following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

The advisory notes that NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL) and is vulnerable. Citrix recommends that customers who are using an EOL version upgrade their appliances to one of the supported fixed versions below.

All three CVEs are remediated in the following fixed product versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Mitigation guidance

Patches are available for vulnerable versions of NetScaler ADC and NetScaler Gateway and should be applied on an emergency basis. For more information, see Citrix’s advisory.

Rapid7 customers

Our engineering team is investigating vulnerability check implementation options for InsightVM and Nexpose customers. We will update this blog with further information by 2 PM ET.

Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities

Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments. The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability. The behavior our teams are observing appears to be consistent with a zero-day exploit published (and then subsequently taken down) by Project Discovery circa July 12.

Background

On Tuesday, July 11, Adobe released fixes for several vulnerabilities affecting ColdFusion, including a Rapid7-discovered access control bypass vulnerability (CVE-2023-29298) that we disclosed in coordination with the vendor. On July 13, Rapid7 managed services teams began observing exploitation of Adobe ColdFusion in multiple customer environments. Based on available evidence, threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability. The behavior our teams are observing appears to be consistent with CVE-2023-38203, which was published and then subsequently taken down by Project Discovery circa July 12.

It’s highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 in their July 12 blog post. Adobe published a fix for CVE-2023-29300, which is a deserialization vulnerability that allows for arbitrary code execution, on July 11. In actuality, what Project Discovery had detailed was a new zero-day exploit chain that Adobe fixed in an out-of-band update on July 14.

The patch for CVE-2023-29300 implements a denylist of classes that cannot be deserialized by the Web Distributed Data eXchange (WDDX) data that forms part of some requests to ColdFusion. Adobe is likely unable to remove this WDDX functionality completely, as that would break all the things that rely on it, so instead of prohibiting deserialization of WDDX data, they implement a denylist of Java class paths that cannot be deserialized (so an attacker cannot specify a deserialization gadget located in these class paths).

The Project Discovery authors evidently figured out a gadget that worked (i.e., a class that is not on Adobe’s denylist and can be used as a deserialization gadget to achieve remote code execution) based on the class com.sun.rowset.JdbcRowSetImpl. The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw. On Friday July 14, Adobe published an out-of-band patch for CVE-2023-38203 — a new deserialization vulnerability. The only thing this patch does is add the class path !com.sun.rowset.** to the denylist, breaking the exploit Project Discovery had published on July 12.

Incomplete fix for CVE-2023-29298

Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14). We have notified Adobe that their patch is incomplete. There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing.

Affected Products

The following versions of ColdFusion are vulnerable to both CVE-2023-29298 and CVE-2023-38203:

  • Adobe ColdFusion 2023 Update 1
  • Adobe ColdFusion 2021 Update 7 and below
  • Adobe ColdFusion 2018 Update 17 and below

The latest versions of ColdFusion are below, and contain the July 14 out-of-band patch for CVE-2023-38203. Note that these are still vulnerable to CVE-2023-29298:

  • Adobe ColdFusion 2023 Update 2
  • Adobe ColdFusion 2021 Update 8
  • Adobe ColdFusion 2018 Update 18

Observed attacker behavior

Rapid7 has observed POST requests (see example below) in IIS logs that were sent to file accessmanager.cfc in order to leverage this exploit.

Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities

The attackers then executed encoded PowerShell commands on an endpoint in order to create a webshell to gain access to the endpoint. The webshell is typically observed in \wwwroot\CFIDE directory: .\ColdFusion11\cfusion\wwwroot\CFIDE\ckeditr.cfm

Additionally, Rapid7 observed cURL commands to the following Burpsuite URL, along with nltest /domain_trusts related activity in order to query the domain controller. : hXXp://rlgt1hin2gdk2p3teyhuetitrkxblg95.oastify[.]com

IOCs

IP addresses:
62.233.50[.]13
5.182.36[.]4
195.58.48[.]155

Domains:

  • oastify[.]com
  • ckeditr[.]cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)

Mitigation guidance

Adobe ColdFusion customers should immediately update to the latest version of ColdFusion and block domain oastify[.]com. As of July 17, the latest versions of ColdFusion are in APSB23-41 here.

Adobe’s July 14 advisory also explicitly notes the following, which ColdFusion customers may want to consider implementing in addition to applying the latest updates:

Note: If you become aware of any package with a deserialization vulnerability in the future, use the serialfilter.txt file in <cfhome>/lib to denylist the package (eg: !org.jgroups.**;).*

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-29298 and CVE-2023-38203 with a vulnerability check available in the July 17 content release. Note that the previous vulnerability check for CVE-2023-29298 has been updated to reflect that the fix is incomplete.

InsightIDR and Managed Detection & Response customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on post-exploitation activity related to this vulnerability:

  • Webshell - Possible ColdFusion Webshell In Command Line (deployed: March, 2023)
  • Attacker Tool - PowerShell -noni -ep -nop Flags (deployed: August, 2019)
  • Attacker Technique - PowerShell Download Cradles (deployed: January, 2019)
  • PowerShell - Obfuscated Script (deployed: March, 2018)
  • Suspicious Process - Burpsuite Related Domain in Command Line (deployed: October 2020)

Managed Detection & Response customers please note: If the Rapid7 MDR team detects suspicious activity in your environment, your Customer Advisor will reach out to you directly.

SonicWall Recommends Urgent Patching for GMS and Analytics CVEs

On Wednesday, July 12, 2023, security firm SonicWall published an urgent security advisory warning customers of 15 new vulnerabilities affecting their Global Management System (GMS) and Analytics products. Four of the vulnerabilities carry critical severity ratings:

  • CVE-2023-34124: Web service authentication bypass
  • CVE-2023-34133: Multiple unauthenticated SQL injection issues and security filter bypass
  • CVE-2023-34134: Password hash read via web service
  • CVE-2023-34137: CAS authentication bypass

The rest of the vulnerabilities include a predictable password reset key issue and a hard-coded Tomcat credentials issue, in addition to command injection, file write, file upload, password hash read, and other issues. SonicWall took the unusual (but not unprecedented) step of issuing an urgent security notice for the new CVEs.

Per the company’s advisory, the various vulnerabilities could allow an attacker to view data that they would not normally be able to retrieve, including data belonging to other users or other data that the application itself is able to access. Attackers may be able to modify or delete this data, causing persistent changes to the application's content or behavior. At least on the surface, the potential for data exposure and theft as a result of these flaws sounds reminiscent of the recent MOVEit Transfer vulnerabilities — we expect these CVEs to be extremely attractive to adversaries, including those looking to extort victims after executing smash-and-grab attacks.

While the vulnerabilities are not known to be exploited in the wild as of July 13, 2023, SonicWall vulnerabilities, including Rapid7-discovered vulnerabilities, have been popular targets for adversaries in the past (including ransomware groups). The urgent nature of SonicWall’s warning reflects that history and should be heeded.

Mitigation guidance

The affected products are:

  • SonicWall GMS 9.3.2-SP1 and before
  • SonicWall Analytics 2.5.0.4-R7 and before

The vulnerabilities are fixed in SonicWall GMS 9.3.3 and SonicWall Analytics 2.5.2. We urge customers to update immediately, without waiting for a regular patch cycle to occur. See SonicWall’s advisory for full details.

Rapid7 customers

Our engineering team expects to ship remote vulnerability checks for the vulnerabilities affecting SonicWall GMS in today’s (July 13) content release. We are investigating the feasibility of adding checks for SonicWall Analytics.

CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances

Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances dating back to at least November 2022. As of June 6, 2023, as part of an ongoing product incident response, Barracuda is urging ESG customers to immediately decommission and replace ALL ESG physical appliances irrespective of patch level.

Background

On May 18 and 19, 2023, Barracuda discovered anomalous traffic originating from their Email Security Gateway (ESG) appliances. Barracuda ESG is a solution for filtering inbound and outbound email and protecting customer data. ESG can be deployed as a physical or virtual appliance, or in a public cloud environment on AWS or Microsoft Azure.

On May 30, Barracuda disclosed CVE-2023-2868, a remote command injection vulnerability that the firm said had been exploited in the wild by threat actors since at least October 2022 across a subset of devices running versions 5.1.3.001-9.2.0.006. According to the security bulletin, the vulnerability exists in a module that performs initial screens on attachments of incoming emails. Barracuda has indicated that, as of June 6, no other products, including SaaS email security services, are known to be affected.

The company indicated they had pushed patches to their global ESG customer base on May 20, 2023. On May 21, Barracuda deployed an additional script to “contain the incident and counter unauthorized access methods.” However, on June 6, the company updated their advisory to warn customers that physical devices should be completely replaced, irrespective of firmware version or patch level.

The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access.

Barracuda has a full description of the incident so far in their advisory, including extensive indicators of compromise, additional vulnerability details, and information on the backdoored module for Barracuda’s SMTP daemon (the trojanized module has been dubbed SALTWATER).

Baselining on a known ESG appliance, which runs the "Barracuda Networks Spam Firewall" SMTP daemon, there appear to be roughly 11,000 appliances on the internet (Barracuda Networks Spam Firewall smtpd). Notably, if other Barracuda appliances also run this service, that number may be inflated.

Observed attacker behavior

Rapid7 services teams have so far identified malicious activity that took place as far back as November 2022, with the most recent communication with threat actor infrastructure observed in May 2023. In at least one case, outbound network traffic indicated potential data exfiltration. We have not yet observed any lateral movement from a compromised appliance.

Note: Although sharing malware indicators like hashes and YARA hunting rules can be very useful, in this case they may not be as relevant unless teams have direct access to the operating system of the appliance or VMDK image. Network indicators like the IP addresses shared by Barracuda and also observed by Rapid services teams are a good start for reviewing network logs (e.g., firewall or IPS logs).

Mitigation guidance

Customers who use the physical Barracuda ESG appliance should take the device offline immediately and replace it. Barracuda’s advisory has instructions for contacting support. Users are also being advised to rotate any credentials connected to the ESG appliance, including:

  • Any connected LDAP/AD
  • Barracuda Cloud Control
  • FTP Server
  • SMB
  • Any private TLS certificates

ESG appliance users should check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators Barracuda has released publicly (where possible): https://www.barracuda.com/company/legal/esg-vulnerability

Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability

Rapid7 managed services teams are observing exploitation of a critical vulnerability in Progress Software’s MOVEit Transfer solution across multiple customer environments. We have observed an uptick in related cases since the vulnerability was disclosed publicly yesterday (May 31, 2023); file transfer solutions have been popular targets for attackers, including ransomware groups, in recent years. We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis.

Progress Software published an advisory on Wednesday, May 31, 2023 warning of a critical SQL injection vulnerability in their MOVEit Transfer solution. The vulnerability, which currently does not have a CVE, is a SQL injection flaw that allows for “escalated privileges and potential unauthorized access” on target systems. While the advisory does not explicitly confirm the vulnerability was exploited by threat actors as a zero-day, Progress Software is advising MOVEit customers to check for indicators of unauthorized access over “at least the past 30 days,” which implies that attacker activity was detected before the vulnerability was disclosed.

As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the United States. Rapid7 has previously analyzed similar SQLi-to-RCE flaws in network edge systems; these types of vulnerabilities can provide threat actors with initial access to corporate networks.

Observed attacker behavior

Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation. Rapid7 analyzed a sample webshell payload associated with successful exploitation. The webshell code would first determine if the inbound request contained a header named X-siLock-Comment, and would return a 404 "Not Found" error if the header was not populated with a specific password-like value. As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory.

We will update this section as our investigations progress.

Mitigation guidance

The MOVEit Transfer advisory has contradictory wording on patch availability, but as of June 1, it does appear that fixed versions of the software are available. Patches should be applied on an emergency basis. Per the MOVEit advisory published on May 31, 2023, organizations should look for indicators of compromise dating back at least a month.

Fixed Version Documentation
MOVEit Transfer 2023.0.1 MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.5 MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.4 MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2021.1.4 MOVEit 2021 Upgrade Documentation

The advisory also advises customers to modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.

Rapid7 customers

For InsightVM and Nexpose customers, an authenticated vulnerability check is expected to ship in the June 1, 2023 content release.

CVE-2023-27350: Ongoing Exploitation of PaperCut Remote Code Execution Vulnerability

CVE-2023-27350 is an unauthenticated remote code execution vulnerability in PaperCut MF/NG print management software that allows attackers to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets.

A patch is available for this vulnerability and should be applied on an emergency basis.

Overview

The vulnerability was published in March 2023 and is being broadly exploited in the wild by a wide range of threat actors, including multiple APTs and ransomware groups like Cl0p and LockBit. Several other security firms and news outlets have already published articles on threat actors’ use of CVE-2023-27350, including Microsoft’s threat intelligence team, who is tracking exploitation by multiple Iranian state-sponsored threat actors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint alert on May 11, 2023 warning that CVE-2023-27350 had been exploited since at least mid-April and was being used in ongoing Bl00dy ransomware attacks targeting “the Education Facilities Subsector.” Their alert includes indicators of compromise (IOCs) and reinforces the need for immediate patching.

Internet-exposed attack surface area for CVE-2023-27350 appears to be modest, with under 2,000 vulnerable instances of PaperCut identified as of April 2023. However, the company claims to have more than 100 million users, which is a strong motivator for a wide range of threat actors.

Affected Products

According to the vendor’s advisory, CVE-2023-27350 affects PaperCut MF or NG 8.0 and later across all platforms. This includes the following versions:

  • 8.0.0 to 19.2.7 (inclusive)
  • 20.0.0 to 20.1.6 (inclusive)
  • 21.0.0 to 21.2.10 (inclusive)
  • 22.0.0 to 22.0.8 (inclusive)

PaperCut has an FAQ available for customers at the end of their advisory. Note that updating to a fixed version of PaperCut resolves both CVE-2023-27350 and CVE-2023-27351.

Rapid7 Customers

The following product coverage is available to Rapid7 customers:

InsightVM and Nexpose

An authenticated check for CVE-2023-27350 on Windows and MacOS systems is available to Nexpose and InsightVM customers as of April 28, 2023.

A remote, unauthenticated check for PaperCut MF is expected to ship in the May 17 content-only release.  

InsightIDR and Managed Detection and Response

The following rule has been added for Rapid7 InsightIDR and Managed Detection and Response (MDR) customers and will fire on known malicious behavior stemming from PaperCut exploitation:

  • Suspicious Process - PaperCut Process Spawning Powershell or CMD
Active Exploitation of IBM Aspera Faspex CVE-2022-47986

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On January 26, 2023, IBM published an advisory for multiple security issues affecting its Aspera Faspex software. The most critical of these was CVE-2022-47986, which is a pre-authentication YAML deserialization vulnerability in Ruby on Rails code. The vulnerability carries a CVSS score of 9.8.

Vulnerability details and working proof-of-concept code have been available since February, and there have been multiple reports of exploitation since then, including the vulnerability’s use in the IceFire ransomware campaign. Rapid7 vulnerability researchers published a full analysis of CVE-2022-47986 in AttackerKB in February 2023.

Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986. In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.

According to IBM, affected products include Aspera Faspex 4.4.2 Patch Level 1 and below. CVE-2022-47986 is remediated in 4.4.2 Patch Level 2.

Logfiles can be found in the folder /opt/aspera/faspex/log by default. Entries related to PackageRelayController#relay_package should be considered suspicious. See AttackerKB for additional in-depth technical analysis.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-47986 with an authenticated vulnerability check available as of the February 17, 2023 content release. A remote vulnerability check was released on February 27, 2023. Accuracy improvements to both checks were released March 28, 2023.