May 1: 3 New Vulns | CVE-2023-21839, CVE-2023-1389, CVE-2021-45046

In this CISA KEV Breakdown, three vulnerabilities were added: the incomplete-patch Log4j vulnerability CVE-2021-45046, a TP-Link Archer firmware command injection bug, and a trivial-to-exploit Oracle WebLogic RCE.

| CVE ID | Vendor/Project | Software | Exploitation Consequence | GreyNoise Traffic | EPSS Score | EPSS Percentile | Due Date |
|---|---|---|---|---|---|---|---|
| CVE-2023-21839 | Oracle | WebLogic Server | Code Execution | 0 | 0.07745 | 93.19% | 05/22/2023 |
| CVE-2023-1389 | TP-Link | Archer AX21 | Command Injection | 1 | 0.00233 | 59.89% | 05/22/2023 |
| CVE-2021-45046 | Apache | Log4j2 | Code Execution | 175 | 0.97354 | 99.8% | 05/22/2023 |

Notable Vulnerability Additions

CVE-2023-21839 | Oracle WebLogic RCE

A vulnerability in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 could allow an unauthenticated remote attacker with network access via T3 or IIOP to achieve code execution. The vulnerability exists because the weblogic.deployment.jms.ForeignOpaqueReference class can be used by an attacker to bind an object on the server via a remote JNDI name. For more information on exploitation using an available PoC, see this report from PingSafe.

The vulnerability has been confirmed to be trivial to exploit. Exploit code for the vulnerability exists in multiple places at time of writing. Oracle has released a patch for the vulnerability, which can be found in the security advisory link below. GreyNoise has launched a tag to track activity for the vulnerability, which can be found here. There do not appear to be any established mitigation techniques aside from applying the vendor patch. One recommendation is to disable IIOP; however, this should only be considered if the business impact would be minimal, or during a live incident where it would temporarily prevent further exploitation.

Security Advisory:

https://www.oracle.com/security-alerts/cpujan2023.html

CVE-2023-1389 | TP-Link Archer Firmware Command Injection

A vulnerability exists in the web management interface of TP-Link Archer AX21 firmware because user input passed to the popen() function in the /cgi-bin/luci;stok=/locale endpoint is not sanitized. To successfully exploit the vulnerability, an attacker would need to send two POST requests in the same format, embedding their command in the country field supplied to the endpoint, resulting in the command being executed with root privileges. It is important to note that an attacker requires initial adjacent network access to exploit this vulnerability. Exploit code exists for this vulnerability in multiple places at time of writing. GreyNoise has published a report on observed exploitation as well as a tag to track further activity.
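As an added detection example (not from the original post, GreyNoise or TP-Link), the check below runs over constructed request records for the endpoint and parameter named above: it decodes each POST body, flags `country` values that carry shell metacharacters, and counts flagged requests per client so the repeated-POST pattern stands out. The record format and sample IPs are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the breakdown.
TARGET_PATH = "/cgi-bin/luci;stok=/locale"
PARAM = "country"

# Characters a shell would interpret; a country value is expected to be a plain code such as "US".
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n]")

# Constructed sample request records: (method, request target, URL-encoded body, client IP).
# The second client repeats the same POST twice, the pattern described in the breakdown.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/luci;stok=/locale", "country=US", "192.0.2.10"),
    ("POST", "/cgi-bin/luci;stok=/locale", "country=%3Bid", "198.51.100.7"),
    ("POST", "/cgi-bin/luci;stok=/locale", "country=%3Bid", "198.51.100.7"),
    ("GET", "/cgi-bin/luci;stok=/locale", "", "192.0.2.10"),
    ("POST", "/cgi-bin/luci;stok=/admin", "country=%3Bid", "203.0.113.5"),
]


def country_values(body):
    """All decoded `country` values in a URL-encoded body.

    Decode before matching: an encoded %3B would otherwise hide a ';' from the regex."""
    return parse_qs(body, keep_blank_values=True).get(PARAM, [])


def analyze(requests):
    """Flag POSTs to the locale endpoint whose `country` value carries shell metacharacters.

    Returns (findings, hits_per_client): findings is a list of (client, decoded value);
    hits_per_client counts flagged requests per source so repeats are visible."""
    findings = []
    hits_per_client = Counter()
    for method, target, body, client in requests:
        # urlsplit keeps the ';stok=' segment inside .path, so the comparison is exact.
        if method != "POST" or urlsplit(target).path != TARGET_PATH:
            continue
        for value in country_values(body):
            if SHELL_META_RE.search(value):
                findings.append((client, value))
                hits_per_client[client] += 1
    return findings, hits_per_client


if __name__ == "__main__":
    found, per_client = analyze(SAMPLE_REQUESTS)
    for client, value in found:
        print(f"{client}: suspicious country value {value!r} ({per_client[client]} hits)")
```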

On April 24, 2023, the Zero Day Initiative released a report detailing how CVE-2023-1389 was utilized in Mirai botnet incidents. The vulnerability was initially disclosed to ZDI at the Pwn2Own Toronto event, where three separate teams exploited it. Both LAN and WAN interfaces were found to be exploitable; the WAN interface requires chaining a race condition weakness to achieve remote code execution via the same method. The report also includes indicators of compromise, network traffic analysis, and Mirai payload evidence.

Security Advisory:

https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware

CVE-2021-45046 | Log4j Incomplete Remediation RCE

A vulnerability exists in the patch applied to Log4j for the originally disclosed CVE-2021-44228, in which certain non-default configurations were still vulnerable to similar exploitation. Specifically, CVE-2021-45046 is a deserialization vulnerability in Apache Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 where the Thread Context Lookup pattern is vulnerable to remote code execution. Remediating CVE-2021-45046 requires upgrading to 2.16.0.
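As an added triage example (not from the original post or the Apache Log4j project), the script below checks a Log4j version against the two affected ranges stated above and inspects a configuration snippet for the non-default Thread Context lookup features (the %X / %mdc / %MDC converters and ${ctx:...} references) that CVE-2021-45046 concerns. The PatternLayout snippets are constructed samples and the verdict strings are assumptions.

```python
import re

# Affected ranges as stated in the breakdown (inclusive); 2.16.0 is the stated fix.
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]

# Non-default PatternLayout features that pull Thread Context (MDC) data through a
# lookup: the %X / %mdc / %MDC converters and ${ctx:...} / $${ctx:...} references.
CONTEXT_LOOKUP_RE = re.compile(r"%(?:X|mdc|MDC)\b|\$\$?\{ctx:")

# Constructed sample PatternLayout snippets (not from any real deployment).
DEFAULT_PATTERN = "<PatternLayout pattern='%d %p %c - %m%n'/>"
MDC_PATTERN = "<PatternLayout pattern='%d %p user=%X{loginId} - %m%n'/>"
CTX_PATTERN = "<PatternLayout pattern='%d ${ctx:loginId} %m%n'/>"


def parse_version(v):
    """Turn '2.0-beta9' or '2.12.1' into a comparable tuple.

    A release sorts after pre-releases of the same number: 2.0-beta9 -> (2,0,0,0,9),
    2.0 -> (2,0,0,1,0). Only the digits of a pre-release label are compared
    (enough for the ranges above; it does not order 'alpha' vs 'beta' vs 'rc').
    """
    base, _, pre = v.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    if pre:
        return (*nums, 0, int(re.sub(r"\D", "", pre) or 0))
    return (*nums, 1, 0)


def version_in_affected_range(v):
    pv = parse_version(v)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def uses_context_lookup(config_text):
    """True if a pattern in the config text routes Thread Context data through a lookup."""
    return CONTEXT_LOOKUP_RE.search(config_text) is not None


def assess(version, config_text):
    """Triage verdict for CVE-2021-45046 from the Log4j version and its config text."""
    if not version_in_affected_range(version):
        return "not_affected"
    if uses_context_lookup(config_text):
        return "exploitable_context_lookup"  # the non-default config the CVE describes
    return "affected_version_upgrade"  # in range; upgrade to 2.16.0 regardless
```

`assess("2.15.0", MDC_PATTERN)` yields the exploitable verdict while the default pattern on the same version only yields the upgrade verdict; anything at 2.16.0 or later is reported as not affected.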

Exploit code for the vulnerability is available at time of writing. A joint advisory released by CISA on September 14, 2022 indicated that the vulnerability had been exploited by Iranian-sponsored APTs in targeted attacks to deploy ransomware. GreyNoise has had a tag for tracking Log4j exploitation activity since December 9, 2021, which can be viewed here.

Security Advisory:

https://www.oracle.com/security-alerts/cpujan2023.html


CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of it, or if the EPSS score reveals notable information about the vulnerability, this can warrant further analysis. A particular vulnerability may also be especially relevant to everyday users, in which case we highlight important information and key takeaways so that users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to use the Catalog as an input to their vulnerability prioritization framework. Organizations that want to narrow their focus to known dangerous vulnerabilities and set a goal of remediating them can see where they currently stand against what CISA has confirmed as vulnerabilities exploited in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the likelihood of exploitation calculated by the model for the vulnerability itself. The percentile is a relative ranking against the rest of the CVEs in a given sample. While the probability only changes when the model's results are refreshed, the percentile can change purely because the CVE sample changes. In the Breakdown, we use the percentile over the pool of all CVEs that have EPSS data. Scores may change after this post is published as new information about the vulnerabilities and their perceived threat becomes available. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet