Accelerate vulnerability response. Find out how at RSAC 2024, May 6-9. Meet With Us →

WATCH DEMO

August 24, 2023 CISA KEV Breakdown | Openfire, RARLAB

Nucleus Security > CISA KEV > August 24, 2023 CISA KEV Breakdown | Openfire, RARLAB
  • August 25, 2023
  • Ryan Cribelar
  • CISA KEV

August 24: 2 New Vulns | CVE-2023-32315, CVE-2023-38831

In this CISA KEV Breakdown, a 0-day in WinRAR is used to target traders and yet another well-known exploited vulnerability finds its home.

CVE ID

Vendor/Project

Software

Exploitation Consequence

GreyNoise Traffic

EPSS Score

EPSS Percentile

Due Date

Category

CVE-2023-32315

Ignite Realtime

Openfire

Path Traversal

0.00677

77.32%

09/14/2023

Collaboration Platform

CVE-2023-38831

RARLAB

WinRAR

Code Execution

0.96325

99.34%

09/14/2023

File Transfer

Notable Vulnerability Additions

CVE-2023-32315 | Openfire Path Traversal

A vulnerability exists in Openfire beginning with version 3.10.0 and patched in 4.7.5 and 4.6.8 that can allow an unauthenticated attacker to use the Openfire setup environment to access pages in Openfire that are typically limited to administrators. This vulnerability specifically conveys the ability for the attacker to perform path traversal to admin-restricted pages. The GitHub advisory for the vulnerability suggests the attacker is able to access restricted log files, and existing publicly available exploitation details suggests the installation of a webshell.

Public information about how to exploit the vulnerability is readily available. As an interesting counter-post to the existing exploitation, Jacob Baines of VulnCheck discusses in their post an improved exploit that doesn’t even require the creation of an administrator account which minimizes the footprint left by the attacker, and it is written in Go to boot. Baines points out that the vulnerability allowing for access to plugin-admin.jsp allows just the same access to user-create.jsp which can be used in a POST to first create the plugin which can then be accessed via path traversal. The post also notes that exploit code likely began appearing mid-June once in-the-wild activity began to arise.

Path traversal vulnerabilities are tricky, and everything an attacker can accomplish upon exploiting the vulnerability is often difficult to fully scope. It is important to consider these possibilities when assessing vulnerabilities in this manner as where the vulnerability exists in your environment is key in scoping risk. While this may be noted as a common path traversal vulnerability, what an attacker can accomplish thanks to the surrounding mechanisms in the application arguably solidify the risk of this particular path traversal bug as muc higher. GreyNoise has launched a tag for this vulnerability which can be viewed here.

Security Advisory(s):

https://www.igniterealtime.org/downloads/#openfire

CVE-2023-38831 | WinRAR Arbitrary Code Execution

A vulnerability in WinRAR before version 6.23 can allow an attacker to embed malicious code within a ZIP file. Group-IB’s threat intelligence unit wrote an extensive writeup on initial discovery, observed actor behavior, and details behind the exploitation which you can view here. A malicious actor exploiting this vulnerability is able to embed malicious code in a ZIP file with a spoofed extension.

Existing exploitation code publicly available appears to utilize file extensions like .cmd or .bat but it does not appear that exploitation is limited to these two extensions. Attacks observed by Group-IB commonly utilized two files in the malicious .ZIP, one being a misconfigured JPG file and the second being the file containing the embedded command. Once WinRAR fails to open the first JPG, it then moves to the second file, thus executing the code within.

While it is reassuring that exploitation requires user-interaction, it is still a widely adopted software that is commonly used where it isn’t realized. Exploitation evidence is recent and organizations should take caution in ensuring their users update WinRAR to avoid being targeted.

Security Advisory(s):

http://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa

← August 22, 2023 CISA Kev Breakdown

Click here to expand our CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of the security community or if the EPSS score reveals notable information about the vulnerability, this can constitute further analysis. It may also be the case that a particular vulnerability shines a light on everyday users and we will highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to utilize the Catalog as an attribute in your vulnerability prioritization framework. Organizations looking to lessen the scope on known dangerous vulnerabilities and make a goal to remediate them can understand where they currently stand against what CISA has confirmed as exploited vulnerabilities in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the risk calculated by the model when determining the perceived threat of the vulnerability itself. Percentage is a relative comparison of the rest of the CVEs within the given sample. While the probability only changes upon refreshing the results from the model, the percentage can change purely based on the CVE sample given. In the case of the Breakdown, we use the percentage given by the pool of all CVEs with given EPSS data. Scores may vary post-release of the post given new information about the vulnerabilities and their perceived threat. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet