• August 22, 2023
  • Ryan Cribelar

August 22: 2 New Vulns | CVE-2023-27532, CVE-2023-38035

In this CISA KEV Breakdown, an Ivanti Sentry authentication bypass vulnerability finds a home in the KEV after the vendor confirmed exploitation. Veeam enters the ring for the first time this year, with a vulnerability that has recently been attributed to a well-known ransomware group.

| CVE ID | Vendor/Project | Software | Exploitation Consequence | GreyNoise Traffic | EPSS Score | EPSS Percentile | Due Date | Category |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-27532 | Veeam | Backup & Replication Cloud | Exposed Credentials | | 0.00091 | 38.24% | 09/12/2023 | Backup |
| CVE-2023-38035 | Ivanti | Sentry | Security Bypass | | 0.00043 | 6.97% | 09/12/2023 | Security Tool |

Notable Vulnerability Additions

CVE-2023-38035 | Ivanti Sentry

In a security advisory published on August 21, 2023, Ivanti disclosed a vulnerability in Ivanti Sentry (formerly MobileIron Sentry) affecting all supported versions: 9.18, 9.17, and 9.16. According to the advisory, the vulnerability affects only Sentry and not other Ivanti products. Exploitation can allow an unauthenticated attacker to read and write files on the vulnerable server. Ivanti notes that the risk of exploitation is lowered if TCP 8443 is not exposed to the internet.

The vulnerability was credited to Mnemonic researchers, who point out in their advisory that it can be chained with CVE-2023-35081 or CVE-2023-35078 to achieve full remote code execution.

Organizations should ensure that configuration through the Ivanti Sentry API endpoints is restricted by access controls. Ivanti has also released RPM scripts to upgrade affected installations to non-vulnerable versions.

Security Advisory(s):

https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US

CVE-2023-27532 | Veeam Backup & Replication Cloud Unauthenticated Privilege Escalation

A vulnerability exists in all versions of Veeam Backup & Replication Cloud prior to V12 (build 12.0.0.1420 P20230223) and V11a (build 11.0.1.1261 P20230227) that allows an unauthenticated attacker with access to the Veeam backup service to retrieve the encrypted credentials it stores. An attacker could then leverage these credentials to move laterally and gain further access within the network. According to a Twitter thread from Code White on March 9, exploitation of the vulnerability presents the credentials in plaintext, so the encryption of the exposed credentials did not remain a hurdle for attackers for long.

The advisory was published March 7, and not three weeks later multiple PoCs had been released, as Horizon3.ai points out in their post. As Huntress notes in their post, this vulnerability was present in only a small percentage of their overall observations, and the immediate danger is to organizations hosting their Veeam solution publicly on the internet. For those with proper access controls around the backup tool, it is still a potential vector for an attacker to leverage, but one that would first require initial access.

WithSecure’s W/Labs posted a blog on April 28 of this year detailing activity they believe is attributable to FIN7 or to an actor utilizing FIN7 tradecraft. BlackBerry released a report on August 17 indicating that the Cuba Ransomware Group targeted a U.S.-based organization, and CISA itself released a joint advisory on this threat group last year. Given the recency of the BlackBerry report, one could assume the vulnerability was added to the KEV due to the behavior identified in that report attributing exploitation of CVE-2023-27532 to the ransomware group.

GreyNoise has launched a tag to track scanning and exploitation activity for this vulnerability, which can be found here.

Security Advisory(s):

https://www.veeam.com/kb4424


CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of it, or if the EPSS score reveals notable information about the vulnerability, this can warrant further analysis. It may also be the case that a particular vulnerability has implications for everyday users, in which case we highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time the Catalog is updated. See CISA’s full catalog here.
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to utilize the Catalog as an attribute in their vulnerability prioritization framework. Organizations looking to narrow their focus to known dangerous vulnerabilities and set a goal to remediate them can see where they currently stand against what CISA has confirmed as exploited in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the likelihood calculated by the model for the vulnerability itself. The percentile is a relative comparison against the rest of the CVEs in the given sample. While the probability only changes when the model’s results are refreshed, the percentile can change purely based on the CVE sample used. In the Breakdown, we use the percentile computed over the pool of all CVEs with EPSS data. Scores may change after this post is released as new information about the vulnerabilities and their perceived threat emerges. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed, for many reasons that GreyNoise explains well in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet
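
The probability-versus-percentile distinction from the EPSS FAQ above, as an added example that is not code from the original post or from FIRST: the two EPSS probabilities listed in this Breakdown are ranked against two constructed pools of scores, showing that the probability stays fixed while the percentile moves with the sample. The pool values are constructed, and the ranking rule (share of the pool at or below the score) is an assumption, not FIRST's published method.

```python
"""Added example, not from the original post or from FIRST: how an EPSS
probability maps to an EPSS percentile, and why the percentile depends on
the pool of CVEs it is compared against. Pool values are constructed
samples, and the "at or below" ranking rule is assumed, not FIRST's."""
from bisect import bisect_right

# EPSS probabilities exactly as listed in this Breakdown's table.
BREAKDOWN_SCORES = {
    "CVE-2023-27532": 0.00091,  # Veeam Backup & Replication
    "CVE-2023-38035": 0.00043,  # Ivanti Sentry
}

# Constructed pools standing in for "all CVEs with EPSS data" (not real data).
# POOL_A is spread across the whole range; POOL_B is clustered at the low end.
POOL_A = [0.00005, 0.0002, 0.0004, 0.0006, 0.0008, 0.001, 0.005, 0.02, 0.1, 0.4]
POOL_B = [0.00005, 0.0001, 0.00015, 0.0002, 0.0003, 0.00035, 0.0004, 0.0006, 0.0008, 0.001]


def epss_percentile(probability: float, pool: list[float]) -> float:
    """Percentage of `pool` whose EPSS probability is at or below `probability`.

    The pool is sorted and then bisected, so the count of scores at or
    below the target is found without a linear comparison per element."""
    if not pool:
        raise ValueError("pool must be non-empty")
    if not 0.0 <= probability <= 1.0:
        raise ValueError("EPSS probability must be in [0, 1]")
    ranked = sorted(pool)
    at_or_below = bisect_right(ranked, probability)
    return round(100.0 * at_or_below / len(ranked), 2)


def rank_breakdown(pool: list[float]) -> dict[str, tuple[float, float]]:
    """Map each Breakdown CVE to (probability, percentile within `pool`).

    The probability is identical for every pool; only the percentile
    changes, which is the FAQ's point about sample dependence."""
    return {cve: (p, epss_percentile(p, pool)) for cve, p in BREAKDOWN_SCORES.items()}


if __name__ == "__main__":
    for name, pool in (("pool A", POOL_A), ("pool B", POOL_B)):
        print(name)
        for cve, (prob, pct) in rank_breakdown(pool).items():
            print(f"  {cve}: probability {prob:.5f} -> percentile {pct:.2f}%")
```

Against the real FIRST pool the same 0.00091 lands at 38.24% and 0.00043 at 6.97%, as the table shows; against the two constructed pools here the percentiles differ by tens of points while the probabilities do not move.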