Memory Security Weekly Report No. 129
Anxinsec Technology
AI-Empowered Cybersecurity Solution and Service Provider for Governments and Enterprises
1、CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability (2.28)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
Detailed Information
Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information by sending specially crafted POST requests to the framework's AuUploader component.
"The ZK Framework is an open-source Java framework," CISA said. "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager."
The vulnerability was patched in May 2022 in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2.
As demonstrated by Huntress in a proof-of-concept (PoC) in October 2022, the vulnerability can be weaponized to bypass authentication, upload a backdoored JDBC database driver to gain code execution, and deploy ransomware on susceptible endpoints.
Singapore-based Numen Cyber Labs, in addition to publishing a PoC of its own in December 2022, cautioned that it found more than 4,000 Server Backup Manager instances exposed on the internet.
The vulnerability has since come under mass exploitation, as evidenced by NCC Group's Fox-IT research team last week, to obtain initial access and deploy a web shell backdoor on 286 servers.
A majority of the infections are located in the U.S., South Korea, the U.K., Canada, Spain, Colombia, Malaysia, Italy, India, and Panama. A total of 146 R1Soft servers remain backdoored as of February 20, 2023.
"Over the course of the compromise, the adversary was able to exfiltrate VPN configuration files, IT administration information, and other sensitive documents," Fox-IT said.
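The exploitation chain described above leaves a footprint in the web server's access log before any JDBC driver or web shell lands. The following hunting script is an added example (not code from CISA, Huntress, Fox-IT or the ZK project) that parses combined-format access-log lines and flags requests to ZK's upload servlet that match the public PoC pattern. It assumes, beyond what the report states, that the vulnerable component is the AuUploader servlet served at /zkau/upload and that the PoCs abuse its nextURI request parameter to have the server forward the request to an internal page; the log lines are constructed for the example.

```python
"""Hunt web-server access logs for CVE-2022-36537 exploitation attempts.

Added example; not code from CISA, Huntress, Fox-IT or the ZK project.
Assumptions not stated in the report: the vulnerable component is ZK's
AuUploader servlet, served at /zkau/upload, and public PoCs abuse its
`nextURI` request parameter to make the server forward the request to an
internal page without re-authenticating. The log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" / Tomcat AccessLogValve common pattern:
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_PATH = "/zkau/upload"   # assumed path of the AuUploader servlet

def parse_line(line):
    """Split one access-log line into fields, or return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Return a reason string if the request looks like AuUploader abuse, else None."""
    if entry is None:
        return None
    url = urlsplit(entry["target"])
    if url.path != UPLOAD_PATH:
        return None
    params = parse_qs(url.query)
    if entry["method"] == "POST" and "nextURI" in params:
        # A normal upload from the UI has no reason to request a forward (assumption).
        return "POST to AuUploader with nextURI=" + params["nextURI"][0]
    if entry["method"] != "POST":
        # AuUploader only serves multipart POSTs; other methods are probing.
        return "non-POST request to AuUploader"
    return None

def hunt(lines):
    """Return (ip, timestamp, status, reason) for every suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["ts"], entry["status"], reason))
    return hits

def by_source(hits):
    """Count hits per source address, the usual pivot in a mass-exploitation campaign."""
    return Counter(ip for ip, _, _, _ in hits)

# Constructed sample; not taken from any real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2023:03:14:07 +0000] "POST /zkau/upload?uuid=x7&dtid=z_1&sid=0&maxsize=-1&nextURI=/zkau/web/ HTTP/1.1" 200 5120 "-" "python-requests/2.28.1"',
    '198.51.100.23 - - [18/Feb/2023:09:02:11 +0000] "POST /zkau/upload?uuid=k2&dtid=z_9&sid=3&maxsize=-1 HTTP/1.1" 200 142 "https://backup.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Feb/2023:03:13:58 +0000] "GET /zkau/upload HTTP/1.1" 405 0 "-" "python-requests/2.28.1"',
    '192.0.2.5 - - [18/Feb/2023:10:30:00 +0000] "GET /index.zul HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print(by_source(hunt(SAMPLE_LOG)))
```

Two caveats when running this against real logs: a parameter sent inside the multipart body is read by the servlet just like a query-string parameter but never appears in the access log, so no hits is not evidence of no compromise; and because the exploitation chain ends with a backdoored JDBC driver and a web shell, the log review should be paired with an inventory of recently added driver jars and web content on the server.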
Reference
https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html?&web_view=true
2、Aruba Networks fixes six critical vulnerabilities in ArubaOS (3.1)
Aruba Networks has patched six critical-severity vulnerabilities in ArubaOS that allow an unauthenticated, remote attacker to execute arbitrary code as a privileged user on affected devices.
Detailed Information
Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
The flaws impact Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.
Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.
The critical flaws addressed by Aruba this time can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol (Aruba Networks access point management protocol).
The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0.
An unauthenticated, remote attacker can exploit them by sending specially crafted packets to the PAPI service on UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752, and also have a CVSS v3 rating of 9.8.
The impacted versions are:
ArubaOS 8.6.0.19 and below
ArubaOS 8.10.0.4 and below
ArubaOS 10.3.1.0 and below
SD-WAN 8.7.0.0-2.3.0.8 and below
The target upgrade versions, according to Aruba, should be:
ArubaOS 8.10.0.5 and above
ArubaOS 8.11.0.0 and above
ArubaOS 10.3.1.1 and above
SD-WAN 8.7.0.0-2.3.0.9 and above
Unfortunately, several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These are:
ArubaOS 6.5.4.x
ArubaOS 8.7.x.x
ArubaOS 8.8.x.x
ArubaOS 8.9.x.x
SD-WAN 8.6.0.4-2.2.x.x
A workaround for system administrators who cannot apply the security updates or are using EoL devices is to enable the “Enhanced PAPI Security” mode using a non-default key.
However, applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba’s security advisory, which are fixed by the new versions.
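Sorting a fleet into "patched", "upgrade", "End of Life, apply workaround" buckets from the lists above is error-prone by hand because the SD-WAN builds carry two version numbers and the EoL branches sit between affected ones. The script below is an added example, not Aruba's code; its version boundaries are taken from the affected, fixed and EoL lists in this item, and the device inventory is constructed.

```python
"""Triage an ArubaOS / SD-WAN inventory against the advisory summarised above.

Added example, not Aruba's code. Version boundaries come from the affected,
fixed and End of Life lists in the report; the inventory is constructed.
"""

def parse_version(text):
    """'8.7.0.0-2.3.0.8' -> (8, 7, 0, 0, 2, 3, 0, 8); tuples then compare numerically."""
    return tuple(int(part) for part in text.replace("-", ".").split("."))

# Branches the advisory covers: (product, branch prefix, last affected, first fixed, advice)
RULES = [
    ("ArubaOS", (8, 6),       (8, 6, 0, 19),            None,                     "no fixed 8.6 build listed; move to 8.10.0.5 or 8.11.0.0"),
    ("ArubaOS", (8, 10),      (8, 10, 0, 4),            (8, 10, 0, 5),            "upgrade to 8.10.0.5 or later"),
    ("ArubaOS", (8, 11),      None,                     (8, 11, 0, 0),            "upgrade to 8.11.0.0 or later"),
    ("ArubaOS", (10, 3),      (10, 3, 1, 0),            (10, 3, 1, 1),            "upgrade to 10.3.1.1 or later"),
    ("SD-WAN",  (8, 7, 0, 0), (8, 7, 0, 0, 2, 3, 0, 8), (8, 7, 0, 0, 2, 3, 0, 9), "upgrade to 8.7.0.0-2.3.0.9 or later"),
]

# Branches that will not receive a fix.
EOL_PREFIXES = [
    ("ArubaOS", (6, 5, 4)),
    ("ArubaOS", (8, 7)),
    ("ArubaOS", (8, 8)),
    ("ArubaOS", (8, 9)),
    ("SD-WAN",  (8, 6, 0, 4, 2, 2)),
]

EOL_ADVICE = ("no fix will ship; enable Enhanced PAPI Security with a non-default key "
              "and plan a migration to a supported release")

def classify(product, version_text):
    """Return (status, advice); status is one of patched, vulnerable, eol, unknown."""
    v = parse_version(version_text)
    for prod, prefix in EOL_PREFIXES:
        if prod == product and v[:len(prefix)] == prefix:
            return ("eol", EOL_ADVICE)
    for prod, prefix, last_affected, first_fixed, advice in RULES:
        if prod != product or v[:len(prefix)] != prefix:
            continue
        if first_fixed is not None and v >= first_fixed:
            return ("patched", "no action for this advisory")
        if last_affected is None or v <= last_affected:
            return ("vulnerable", advice)
        # Newer than the last affected build, but the advisory lists no fixed build here.
        return ("unknown", "newer than the last affected build with no fix listed; check the advisory")
    return ("unknown", "branch not covered by the advisory summary; check the advisory")

def triage(inventory):
    """Classify every (name, product, version) triple in the inventory."""
    return [(name, *classify(product, version)) for name, product, version in inventory]

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    ("mc-dc1",  "ArubaOS", "8.10.0.4"),
    ("mc-dc2",  "ArubaOS", "8.10.0.5"),
    ("mm-core", "ArubaOS", "8.6.0.19"),
    ("gw-br7",  "ArubaOS", "8.7.1.9"),
    ("gw-old",  "ArubaOS", "6.5.4.24"),
    ("mc-lab",  "ArubaOS", "8.11.1.0"),
    ("ap-gw-1", "ArubaOS", "10.3.1.1"),
    ("sdwan-1", "SD-WAN",  "8.7.0.0-2.3.0.8"),
    ("sdwan-2", "SD-WAN",  "8.6.0.4-2.2.1.1"),
]

if __name__ == "__main__":
    for name, status, advice in triage(INVENTORY):
        print(f"{name:8} {status:10} {advice}")
```

Note that the workaround bucket is deliberately separate from the patched one: enabling Enhanced PAPI Security only hardens the PAPI path these six flaws use and, as the advisory notes, does nothing for the other high- and medium-severity issues that the fixed releases address, so EoL devices still need a migration date.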
Reference
https://www.bleepingcomputer.com/news/security/aruba-networks-fixes-six-critical-vulnerabilities-in-arubaos/