CVE-2022-39952 Fortinet Global Exposure

There appears to be a new RCE out for Fortinet devices as per this post (it’s against FortiNAC as far I am aware so this is probably a much smaller exposure footprint than all fortinet devices):

https://www.fortiguard.com/psirt/FG-IR-22-300

There’s also this in FortiWeb (and well they released 40 odd fixes to various bits)

https://www.fortiguard.com/psirt/FG-IR-21-186

When we consider security edge devices and the risks these may pose to organizations and society as a whole it’s important to understand that these are no trivial matter. These are “security” appliances that are there to protect your organizations, to provide remote access as well as protect network egress etc.

Fortinet are not the only vendor to suffer from these types of vulnerability (Remote Code Execution – RCE) however there do appear to have been quite a few of these when looking historically.

Threat Intel

CVE-2022-26134 – Confluence Zero Day RCE

We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.

THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged

https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/community

XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.

This is a fast publish

POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://github.com/jbaines-r7/through_the_wire

keep checking vendor guidance and keep checking this for updates… use at own risk etc.

Workaround/Hotfixes have been published by Atlassian:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://jira.atlassian.com/browse/CONFSERVER-79000

GreyNoise Tag is online: GreyNoise Trends

Also check this out for scanners: GreyNoise

Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!

IT MAY BE WISE TO ASSUME BREACH

The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar

Background

Velocity discovers a zero-day in confluence 03/06/2022 (GMT)

.@Volexity discovers zero-day exploit impacting all current versions of Atlassian Confluence Server and Data Center. Attackers deploy in-memory Java implant to evade detection. Read more in our latest blog post: https://t.co/aCSwnSUfj8 #DFIR #ThreatIntel #InfoSec
— Volexity (@Volexity) June 2, 2022

Defense

vSphere Unauthenticated Remote Code Execution Vulnerability – VMSA-2021-0002

For vendor guidance please see:

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

CVE Refs: CVE-2021-21972, CVE-2021-21973, CVE-2021-21974

Introduction

There’s a new unauthenticated remove code execution (RCE) in vSphere 6.5, 6.7 and 7.0 which has just dropped. There’s a vendor patch and currently there is no known public exploit however the hunt will now be on and I can imagine that it’s hours and days until this is in the wild rather than weeks or months.