CVE-2024-27348 / CVE-2022-21445 / CVE-2019-1069 / CVE-2020-14644 / CVE-2020-0618
Vulnerability Overwatch
Simon Ganiere · 18th September 2024
The information provided is purely for your information. There is no guarantee of its content or its accuracy. The content is generated automatically using AI Agents based on the CISA KEV list. The content also represents a point-in-time view of each vulnerability, so some of the information can quickly become inaccurate.
CVE-2024-27348: Remote Command Execution (RCE) in Apache HugeGraph-Server
Description
CVE-2024-27348 is a critical Remote Command Execution (RCE) vulnerability in Apache HugeGraph-Server affecting versions from 1.0.0 before 1.3.0. HugeGraph exposes a Gremlin endpoint that accepts gremlin-groovy scripts; the sandbox that is supposed to confine those scripts can be bypassed, so a script submitted to the API can execute arbitrary operating-system commands on the server. The root cause is improper sandbox restrictions rather than any flaw in Gremlin itself.
Impact
The impact of CVE-2024-27348 is significant because it yields remote command execution. Successful exploitation can lead to unauthorized access to sensitive data, complete server compromise, and the ability to execute commands with the privileges of the HugeGraph-Server process. The CVSS score for this vulnerability is 9.8, indicating critical severity.
Affected Systems
Apache HugeGraph-Server versions from 1.0.0 before 1.3.0
Deployments running on Java 8 or Java 11 (the Apache advisory recommends upgrading to 1.3.0 on Java 11)
Known Exploits
A proof of concept (PoC) exploit for CVE-2024-27348 is publicly available. It shows how an unauthenticated attacker (the HugeGraph authentication system is disabled by default) can execute OS commands via Groovy injection: a crafted gremlin-groovy script is submitted through the Gremlin graph traversal API and escapes the sandbox restrictions.
Mitigation
To mitigate this vulnerability, upgrade to Apache HugeGraph-Server version 1.3.0 or later. In addition, enable the authentication system provided by Apache HugeGraph-Server so that the Gremlin endpoint is no longer reachable anonymously, and restrict network access to the REST API port to trusted clients. Review and apply security best practices to limit potential exposure.
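The two checks a defender wants for this entry are "is my server in the affected range" and "is anyone sending Groovy that spawns processes to the Gremlin endpoint". The script below is an added example written for this page; it is not code from the Apache HugeGraph project or the PoC. It assumes the documented request shape of the HugeGraph Gremlin API (a JSON body with a "gremlin" script and a "language" field) and uses an assumed, deliberately small token list for the suspicious-script check; the request bodies are constructed samples, not captured traffic.

```python
import json
import re
from typing import Dict, List, Tuple

# Affected range from the Apache advisory: from 1.0.0 before 1.3.0.
AFFECTED_MIN = (1, 0, 0)
FIXED_IN = (1, 3, 0)

# Tokens that do not belong in a graph traversal but do appear in Groovy
# scripts that spawn processes or reach for reflection to escape a sandbox.
# Assumed starting list for a request filter; it is not from the advisory.
SUSPICIOUS_PATTERNS = [
    r"Runtime\s*\.\s*getRuntime",
    r"ProcessBuilder",
    r"java\.lang\.reflect",
    r"Class\s*\.\s*forName",
    r"\.exec\s*\(",
    r"\.execute\s*\(",
]
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_PATTERNS))


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn "1.2.1" or "v1.2.1" into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in version.lstrip("v").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when a HugeGraph-Server version falls in [1.0.0, 1.3.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def scan_gremlin_request(body: str) -> Dict[str, object]:
    """Inspect a JSON body POSTed to /gremlin and list suspicious script tokens.

    The HugeGraph REST API accepts {"gremlin": "<script>", "language": "gremlin-groovy", ...};
    every match of SUSPICIOUS_RE inside the script is reported as a hit.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"valid_json": False, "language": None, "hits": []}
    if not isinstance(doc, dict):
        return {"valid_json": True, "language": None, "hits": []}
    script = str(doc.get("gremlin", ""))
    hits = sorted({m.group(0) for m in SUSPICIOUS_RE.finditer(script)})
    return {"valid_json": True, "language": doc.get("language", "gremlin-groovy"), "hits": hits}


def triage(server_version: str, bodies: List[str]) -> List[Tuple[int, str]]:
    """Rate each request: "high" when the script is suspicious and the server is in the
    affected range, "medium" when the script is suspicious on a patched server, else "low"."""
    vulnerable = is_affected(server_version)
    results = []
    for i, body in enumerate(bodies):
        hits = scan_gremlin_request(body)["hits"]
        if hits and vulnerable:
            results.append((i, "high"))
        elif hits:
            results.append((i, "medium"))
        else:
            results.append((i, "low"))
    return results


# Constructed sample request bodies (not captured traffic).
SAMPLES: List[str] = [
    '{"gremlin": "g.V().limit(3)", "language": "gremlin-groovy", '
    '"aliases": {"graph": "hugegraph", "g": "__g_hugegraph"}}',
    '{"gremlin": "Runtime.getRuntime().exec(\\"id\\")", "language": "gremlin-groovy"}',
    "not json at all",
]


if __name__ == "__main__":
    print("1.2.1 affected:", is_affected("1.2.1"), "| 1.3.0 affected:", is_affected("1.3.0"))
    for i, body in enumerate(SAMPLES):
        print(i, scan_gremlin_request(body))
    print(triage("1.2.1", SAMPLES))
```

Run it against the version string your server reports and against request bodies from a reverse proxy or WAF log; a "medium" hit on a patched 1.3.0 server is still worth a look, because it means someone is probing the endpoint, and it usually means authentication was never turned on.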
Threat Actor
No specific threat actor has been publicly tied to this vulnerability, but it is listed in CISA's Known Exploited Vulnerabilities catalog, so exploitation in the wild has been observed. Internet-exposed HugeGraph instances without authentication should be treated as targets for opportunistic attackers.
CVE-2022-21445: Oracle ADF Faces Deserialization Vulnerability
Description
CVE-2022-21445 is a critical (CVSS 9.8) deserialization vulnerability in the ADF Faces component of the Oracle Application Development Framework, part of Oracle Fusion Middleware, and is reachable in products that bundle ADF Faces, including WebLogic Server deployments. An unauthenticated attacker with network access via HTTP can send a crafted request carrying malicious serialized data to an ADF Faces endpoint; because that data is deserialized without adequate validation, the attacker can execute arbitrary code on the server.
Impact
Exploitation results in remote code execution and full control over the affected application server. Attackers can gain unauthorized access, manipulate data, disrupt services, and pivot to other parts of the network.
Affected Systems
Oracle JDeveloper / ADF Faces versions 12.2.1.3.0 and 12.2.1.4.0
Oracle Fusion Middleware installations, including WebLogic Server, that ship these ADF Faces versions
Known Exploits
CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, indicating exploitation in the wild. Exploitation involves sending crafted serialized data in an HTTP request to a vulnerable ADF Faces endpoint, which triggers the deserialization flaw and executes arbitrary code.
Mitigation
Apply the patches provided by Oracle immediately. Oracle addressed this vulnerability in the April 2022 Critical Patch Update.
Do not expose ADF-based applications to the internet unless required, and restrict network access to trusted sources.
Use a web application firewall or intrusion detection/prevention system to block requests that carry Java serialized objects (stream header AC ED 00 05, or "rO0AB" when base64-encoded) to endpoints that should never receive them.
Regularly monitor and review server logs for any suspicious activities.
Threat Actor
The actors exploiting this vulnerability have not been publicly identified. Because exploitation requires no authentication and yields code execution, unpatched, internet-facing instances are attractive to both opportunistic attackers and advanced persistent threat (APT) groups.
CVE-2019-1069: Windows Task Scheduler Elevation of Privilege Vulnerability
Description
CVE-2019-1069 is an elevation of privilege vulnerability in the Windows Task Scheduler service. The service, which runs as SYSTEM, fails to properly validate certain file operations when handling task files, so an attacker who can already run unprivileged code on the machine can abuse it to execute code with SYSTEM privileges.
Impact
Successful exploitation of this vulnerability allows an attacker to gain complete control over the affected system. This includes the ability to install programs, view, modify, or delete data, and create new accounts with full user rights.
Affected Systems
Windows 10 (releases 1703 through 1903)
Windows Server 2016 and Windows Server 2019
Known Exploits
Proof-of-concept code (known as BearLPE) was published by the security researcher SandboxEscaper in May 2019, before a patch existed, and has since been reused by other threat actors. It abuses the service's handling of legacy .job task files to change the access control list of an arbitrary file, which a low-privileged user can then overwrite to gain SYSTEM. CISA lists the vulnerability as known exploited in the wild.
Mitigation
Apply Microsoft's June 2019 security update (or any later cumulative update) for the affected Windows versions.
Keep systems and software regularly updated.
Apply least-privilege access so that a compromised user account gives an attacker as little to work with as possible.
Use antivirus and endpoint protection solutions to detect and block exploit attempts, including unexpected .job files appearing under the Windows tasks directory.
Threat Actor
The vulnerability was publicly disclosed by SandboxEscaper, an individual who has released multiple Windows zero-day vulnerabilities. Reports indicate that operators of the Ryuk ransomware have used it to escalate privileges during their attacks.
CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
Description
CVE-2020-0618 is a remote code execution vulnerability in Microsoft SQL Server Reporting Services (SSRS). SSRS incorrectly handles certain page requests: an authenticated attacker (any user who can reach the Report Server web application) can send a specially crafted request that causes the server to deserialize attacker-controlled data and execute arbitrary code in the context of the Report Server service account.
Impact
Exploitation could allow an attacker to take control of the affected Report Server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Affected Systems
Microsoft SQL Server 2012
Microsoft SQL Server 2014
Microsoft SQL Server 2016
Known Exploits
Public exploit details exist: exploitation is a single crafted HTTP request to the Report Server web application carrying a malicious serialized .NET object, and any account that can authenticate to SSRS is sufficient. CISA lists the vulnerability as known exploited in the wild.
Mitigation
Apply the security updates provided by Microsoft for the affected SQL Server versions.
Ensure that the Report Server web application is not reachable from the internet unless necessary, and that it sits behind a firewall.
Restrict access to SSRS to only trusted users and networks.
Regularly review and update security policies and configurations for SQL Server instances.
Threat Actor
No specific threat actor has been publicly attributed, but the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating exploitation in the wild.
CVE-2020-14644: Oracle WebLogic Server Remote Code Execution Vulnerability
Description
CVE-2020-14644 is a critical vulnerability in Oracle WebLogic Server, part of Oracle Fusion Middleware. It affects the Core component in versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. An unauthenticated attacker with network access via IIOP or T3 can compromise the server and execute arbitrary code.
Impact
The vulnerability has a CVSS score of 9.8, indicating its critical nature. Exploitation can result in a total takeover of the affected Oracle WebLogic Server, allowing attackers to perform any action on the compromised server, including data theft, system manipulation, and further propagation of malicious activities.
Affected Systems
Oracle WebLogic Server versions:
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0
Known Exploits
Known exploits for CVE-2020-14644 leverage a deserialization flaw: attackers send specially crafted serialized data to the server over T3 or IIOP, triggering the vulnerability and achieving remote code execution.
Mitigation
Oracle has released patches to address CVE-2020-14644 as part of its Critical Patch Update in July 2020. It is strongly recommended to apply these patches immediately. Additional measures include:
Restricting network access to the WebLogic T3/T3S and IIOP listeners to trusted hosts only, for example with a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl) whose rules deny t3 and t3s from untrusted addresses.
Implementing network-based intrusion detection and prevention systems to monitor and block suspicious activities.
Regularly updating and applying security patches to all systems and software.
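Both Oracle entries on this page come down to the same two questions for a defender: is a deserialization-capable listener (T3/IIOP for CVE-2020-14644, an ADF Faces HTTP endpoint for CVE-2022-21445) reachable, and is anything on the wire carrying a Java serialized object. The script below is an added example written for this page, not code from Oracle or from any exploit. It assumes the well-known T3 handshake ("t3 <version>" from the client, "HELO:<version>.<flag>" from the server), the GIOP header that opens every IIOP message, and the Java serialization stream header AC ED 00 05 (which becomes "rO0AB" once base64-encoded); the HTTP path in the sample is a placeholder and all sample bytes are constructed, not captured.

```python
import re
from typing import Dict, Optional

# Versions Oracle lists as affected by CVE-2020-14644 (WebLogic Core, T3/IIOP).
AFFECTED_WEBLOGIC = {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}

# Java ObjectOutputStream header; "rO0AB" is how it starts once base64-encoded.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64 = b"rO0AB"
# Every IIOP message begins with a GIOP header: magic, major, minor, flags, type, length.
GIOP_MAGIC = b"GIOP"
# A T3 client opens with "t3 <version>\n" (or "t3s"); the server answers "HELO:<version>.<bool>\n".
T3_CLIENT_RE = re.compile(rb"^(t3s?) (\d+(?:\.\d+)*)\n")
T3_SERVER_RE = re.compile(rb"^HELO:([\d.]+)\.(true|false)\n")


def fingerprint(first_bytes: bytes) -> Dict[str, Optional[str]]:
    """Classify the first bytes of a TCP stream as a T3 hello, a T3 HELO reply,
    a GIOP/IIOP message or unknown, extracting the advertised version when present."""
    m = T3_CLIENT_RE.match(first_bytes)
    if m:
        return {"protocol": m.group(1).decode(), "direction": "client", "version": m.group(2).decode()}
    m = T3_SERVER_RE.match(first_bytes)
    if m:
        return {"protocol": "t3", "direction": "server", "version": m.group(1).decode()}
    if first_bytes.startswith(GIOP_MAGIC) and len(first_bytes) >= 6:
        return {"protocol": "iiop", "direction": None, "version": f"GIOP {first_bytes[4]}.{first_bytes[5]}"}
    return {"protocol": "unknown", "direction": None, "version": None}


def carries_java_serialization(payload: bytes) -> bool:
    """True if a payload (T3 frame, IIOP body or HTTP request) contains a raw or
    base64-encoded Java serialization stream header."""
    return JAVA_SER_MAGIC in payload or JAVA_SER_B64 in payload


def exposed_affected_server(helo: bytes) -> bool:
    """True when a T3 HELO reply reveals a WebLogic version on the affected list,
    meaning the T3 listener answered from wherever the reply was captured."""
    fp = fingerprint(helo)
    return fp["direction"] == "server" and fp["version"] in AFFECTED_WEBLOGIC


# Constructed samples, not captured traffic. The HTTP path is a placeholder.
SAMPLES: Dict[str, bytes] = {
    "t3_client": b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n",
    "t3_server": b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n",
    "iiop": b"GIOP\x01\x02\x00\x00\x00\x00\x00\x10" + b"\x00" * 16,
    # body starts with the base64 form of AC ED 00 05; the rest is filler
    "http_ser": (b"POST /app/faces/page HTTP/1.1\r\nHost: wls\r\n\r\n"
                 b"data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"),
    "http_plain": b"GET /console/login/LoginForm.jsp HTTP/1.1\r\nHost: wls\r\n\r\n",
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} {fingerprint(data)} serialized={carries_java_serialization(data)}")
    print("affected T3 listener:", exposed_affected_server(SAMPLES["t3_server"]))
```

Feed `fingerprint` the first packet of each new flow to the WebLogic ports and `carries_java_serialization` the reassembled payload: a T3 HELO reply crossing a network boundary it should not cross is the CVE-2020-14644 exposure, and a serialized object arriving in an HTTP body is the shape of CVE-2022-21445 traffic regardless of which endpoint it targets. Note that the signature check only covers cleartext; for T3S or HTTPS it has to run after TLS termination.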
Threat Actor
Specific threat actors exploiting CVE-2020-14644 have not been widely publicized, but the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog. Unauthenticated WebLogic deserialization flaws are routinely targeted by advanced persistent threats (APTs), cybercriminals, and opportunistic attackers alike.