June 23 + June 29: 13 New Vulns | Zyxel, VMware, Apple, Samsung, D-Link

In this CISA KEV Breakdown, five vulnerabilities were added on June 23, predominately from Apple with three vulnerabilities total, one Zyxel vulnerability affecting NAS devices, and a VMware tools authentication bypass bug are the last to round it out.

This Breakdown post is also covering the additions for June 29, 2023. Eight more vulnerabilities were added, with a bundle of Samsung mobile device vulnerabilities being six of the eight, and the last two are D-link networking device vulnerabilities. Mirai botnets continue to be a large indicator of attempted exploitation of dated vulnerabilities for high gain by attackers.

CVE ID

Vendor/Project

Software

Exploitation Consequence

GreyNoise Traffic

EPSS Score

EPSS Percentile

Due Date

CVE-2023-32434

Apple

Multiple Products

Privilege Escalation


0.00157

51.15%

07/14/2023

CVE-2023-32439

Apple

Multiple Products

Code Execution

0.00164

51.98%

07/14/2023

CVE-2023-32435

Apple

iOS and macOS

Code Execution

0.00115

44.23%

07/14/2023

CVE-2019-20500

D-Link

DWL-2600AP Access Point

Command Injection

0

0.97508

99.97%

07/20/2023

CVE-2019-17621

D-Link

DIR-859 Router

Code Execution

0.0009

37.39%

07/20/2023

CVE-2021-25394

Samsung

Mobile Devices

Code Execution

0.00044

8.46%

07/20/2023

CVE-2021-25489

Samsung

Mobile Devices

Command Injection

0.00063

24.92%

07/20/2023

CVE-2021-25372

Samsung

Mobile Devices

Code Execution

0.0006

23.48%

07/20/2023

CVE-2021-25371

Samsung

Mobile Devices

Privilege Escalation

0.00063

24.92%

07/20/2023

CVE-2021-25487

Samsung

Mobile Devices

Code Execution

0.00063

24.92%

07/20/2023

CVE-2021-25395

Samsung

Mobile Devices

Privilege Escalation

0.00063

24.92%

07/20/2023

CVE-2023-20867

VMware

Tools

Authentication Bypass

0.009

80.49%

07/14/2023

CVE-2023-27992

Zyxel

Multiple Network-Attached Storage (NAS) Devices

Command Injection

0

0.00255

62.16%

07/14/2023

Notable Vulnerability Additions

CVE-2023-20867 | VMware Tools Remote Code Execution

In our June 22 Breakdown post, we included a footnote about the possible inclusion of CVE-2023-20867 to the KEV:

Nucleus Security is also aware of CVE-2023-20867 which is a VMware ESXi 0-day that has been confirmed as exploited by Mandiant. They report in their blog that a novel malware system developed by UNC3886 was used to backdoor VMware ESXi hosts, vCenter servers and Windows virtual machines. The exploitation of CVE-2023-20867 was sophisticated and executed under the noses of EDR for quite some time. As of recently, a fix has been available by the VMware team, as well as SUSE. Organizations are encouraged to assess impact from this vulnerability as we predict that is likely to be added to the KEV soon.

The vulnerability has been given a due date of July 14 according to the KEV, and the associated security advisory can be found below. This vulnerability is exploited upon a fully compromised ESXi host failing to provide proper authentication in host-to-guest operations, meaning the fully compromised host can be used to send malicious packets to any number of guest hosts without mitigation through authentication.

Security Advisory(s):

https://www.vmware.com/security/advisories/VMSA-2023-0013.html

CVE-2023-32434, CVE-2023-32435, CVE-2023-32439 | Apple in-the-wild zero-days

Apple released security updates for three CVEs they note as being exploited in the wild, according their security advisory. In historical Apple fashion, little information exists as to the exploitation observed by Apple.

Kaspersky posted to the Securelist blog a piece about Operation Triangulation, which they named as the campaign which identified numerous compromises to mobile devices they observed through the Kaspersky Unified Monitoring and Analysis Platform (KUMA). Exploitation activity dated as old as 2019 at the time of writing was observed through their blog, with most recent versions of the exploitation affecting iOS devices on 15.7.

All information Kaspersky has investigated and observed is hosted on their stand up page found here. For a detailed understanding in what Kaspersky uncovered within the exploitation itself, see their report here.

The TriangleDB exploits (as some in the community have called it) have been shared in samples across various sources in the community, and should be considered available at time of writing. Nucleus Security urges users to ensure their latest iOS, macOS, iPadOS, watchOS versions are not susceptible to bad actors looking to potentially exploit these vulnerabilities.

Security Advisory(s):

CVE-2023-32434: https://support.apple.com/en-us/HT213808, https://support.apple.com/en-us/HT213812, https://support.apple.com/en-us/HT213809, https://support.apple.com/en-us/HT213810, https://support.apple.com/en-us/HT213813, https://support.apple.com/en-us/HT213811, https://support.apple.com/en-us/HT213814

CVE-2023-32435: https://support.apple.com/en-us/HT213811

CVE-2023-32439: https://support.apple.com/en-us/HT213813, https://support.apple.com/en-us/HT213811, https://support.apple.com/en-us/HT213814, https://support.apple.com/en-us/HT213816

CVE-2023-20867 | Zyxel Firmware Command Injection

A vulnerability exists in Zyxel NAS326 firmware versions 5.21 and earlier, NAS540 firmware versions 5.21 and earlier, and Zyxel NAS542 firmware versions 5.21 and earlier that can allow an unauthenticated remote attacker to exploit to trigger OS command injection. Zyxel devices are commonly known to be popular candidates for popular malware and ransomware families.

In our May 31 Breakdown post, we included CVE-2023-28771 which was a command injection vulnerability affecting multpile Zyxel devices that was used by attackers to attempt to implant Mirai botnets en-masse, and on June 5, our Breakdown post included CVE-2023-33009 and CVE-2023-33010, which attackers were exploiting in similar capacity.

This is not meant to highlight ill will reflected at vendors such as Zyxel, but rather to highlight the increased need to consider how advantageous devices such as these are for attackers. They have a particular interest in Zyxel and other critical network devices to gain significant advantage and yield from attempted exploitation, and will continue to use them to their advantage when improperly configured or maintained.

GreyNoise has launched a tag to observe Zyxel exploitation and scanning activity, which can be viewed here.

Security Advisory(s):

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls

Samsung Vulnerabilities | Race Conditions, Improper Input Validation, Oh My!

A batch of Samsung vulnerabilities from 2021 that have lived for quite some time within Google TAG’s zero-day tracker sheet were suddenly added to the KEV. Aside from the possible implication that these vulnerabilities were exploited thanks to this sheet, the only publicly available confirmation Nucleus Security is aware of is the fact that CISA has confirmed they have observed the vulnerabilities exploited in the wild. While the vulnerabilities were privately disclosed to the vendor, it is still certainly possible that attackers found vulnerable devices even post-patch and exploited with success. Thinking about how long Google researchers noted that CVE-2023-21492 was a known vulnerability and likely being exploited, it comes with little surprise to see that this batch of Samsung vulnerabilities confirmed to have been exploited as well.

The apparent increase in interest in spyware and other malware families targeting mobile devices continues to see activity through the KEV. Mobile devices are often times difficult to observe and maintain within complex environments, but these vulnerabilities being added to the KEV after such long disclosure time amplifies the argument to keep a close eye on common attack vectors for every day users in your organization. It is a sobering reminder that exploitation predominately involves a vulnerability one year or older, so ensuring devices are not vulnerable to long-known issues such as this will continue to be important.

Security Advisory(s):

CVE-2021-25395, CVE-2021-25394: https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=5

CVE-2021-25371, CVE-2021-25372: https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=3

CVE-2021-25489, CVE-2021-25487: https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=10

CVE-2019-17621, CVE-2019-20500 | D-Link Command Execution & Command Injection

Two vulnerabilities in D-Link networking devices have historically been linked to exploitation activity also involving the attempted implantation of Mirai botnets on vulnerable hosts.

CVE-2019-17621 is a remote code execution bug which can allow an attacker to execute code as root by sending a specially crafted request to the UPnP endpoint /gena.cgi containing the vulnerability. This vulnerability has been wrapped in a metasploit module as of time of writing and should be considered widely available for exploitation. CVE-2019-20500 is also a vulnerability that can allow an attacker to send a malicious request to the /admin.cgi endpoint which does not properly sanitize user input, enabling remote code execution.

These two vulnerabilities were identified by Palo Alto’s Unit 42 in their blog post, which can be found here. In it, they detail how each vulnerability was used in attempts to implant Mirai botnets on vulnerable hosts. Below are snippets of malicious traffic exploiting both CVE-2019-17621 as well as CVE-2019-20500 provided by Unit 42’s report.

Image 5 is a screenshot of the D-Link DIR-859 remote command injection vulnerability. The host has been redacted. Image 6 is a screenshot of the D-Link DWL-2600AP remote command execution vulnerability. The host has been redacted. This exploit allows for remote command execution.

GreyNoise has had a tag available for over a month observing D-Link DWL-2600AP exploitation and scanning activity which can be observed here.

Security Advisory(s):

CVE-2019-17621: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147, https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10146

CVE-2019-20500: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10113

Footnote

The Samsung, D-Link and Zyxel vulnerabilities recently added to the KEV were specified in a request to review available evidence by Nucleus Security to CISA directly. We encourage readers to understand the criteria for what makes a vulnerability KEV-eligible, and to email CISA directly with evidence of exploitation and available mitigation at vulnerability@cisa.dhs.gov if you have reliable information that a vulnerability should be included in the KEV.

As long as the KEV remains driven by community effort as well as CISA, it amps up the value of using it as a means to prioritize action. All members of the security community with ample ability and access to research, especially data involving exploitation evidence are encouraged to reach out ot CISA to include vulnerabilities not yet in the KEV.

← June 22, 2023 CISA Kev Breakdown

Click here to expand our CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of the security community or if the EPSS score reveals notable information about the vulnerability, this can constitute further analysis. It may also be the case that a particular vulnerability shines a light on everyday users and we will highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to utilize the Catalog as an attribute in your vulnerability prioritization framework. Organizations looking to lessen the scope on known dangerous vulnerabilities and make a goal to remediate them can understand where they currently stand against what CISA has confirmed as exploited vulnerabilities in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the risk calculated by the model when determining the perceived threat of the vulnerability itself. Percentage is a relative comparison of the rest of the CVEs within the given sample. While the probability only changes upon refreshing the results from the model, the percentage can change purely based on the CVE sample given. In the case of the Breakdown, we use the percentage given by the pool of all CVEs with given EPSS data. Scores may vary post-release of the post given new information about the vulnerabilities and their perceived threat. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet