VULNERA Pulse

Fortra — GoAnywhere MFT

CVE-2023-0669 / Added: Feb. 10, 2023

CVSS Not Assigned

Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.

Headlines

• Feb. 10, 2023 - Clop ransomware claims to be behind GoAnywhere zero-day attacks
• Feb. 10, 2023 - GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

Back to top ↑

Intel — Ethernet Diagnostics Driver for Windows

CVE-2015-2291 / Added: Feb. 10, 2023

HIGH CVSS 7.20

Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service.

Headlines

• Feb. 10, 2023 - That dream crypto job offer is probably just malware
• Feb. 9, 2023 - Hackers use fake crypto job offers to push info-stealing malware
• Jan. 11, 2023 - Cybercriminals bypass Windows security with driver-vulnerability exploit
• Jan. 11, 2023 - Scattered Spider hackers use old Intel driver to bypass security

Back to top ↑

TerraMaster — TerraMaster OS

CVE-2022-24990 / Added: Feb. 10, 2023

CVSS Not Assigned

TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.

Headlines

• Feb. 10, 2023 - US Warns Critical Sectors Against North Korean Ransomware Attacks
• Feb. 10, 2023 - North Korean ransomware attacks on healthcare fund govt operations
• Feb. 10, 2023 - North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

Back to top ↑

CVE-2021-20038

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Dec. 8, 2021

A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

Vendor Impacted: Sonicwall

Products Impacted: Sma 400 Firmware, Sma 200 Firmware, Sma 500v Firmware, Sma 100 Appliances, Sma 210 Firmware, Sma 410 Firmware

Quotes

• Have also been observed using or possessing publicly available tools for encryption
• Cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks

Headlines

• Feb. 10, 2023 - US Warns Critical Sectors Against North Korean Ransomware Attacks
• Feb. 10, 2023 - North Korean ransomware attacks on healthcare fund govt operations
• Feb. 10, 2023 - North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

CVE-2021-21974

HIGH CVSS 8.80

Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 24, 2021

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

Vendor Impacted: Vmware

Product Impacted: Esxi

Quotes

• CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is [a] fit
• The victim count is likely higher due to Internet search engines being a point-in-time scan and devices being taken offline for remediation before a second scan
• End of General Support (EOGS) and/or significantly out-of-date products
• Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)
• We [previously] made the assumption the attack was linked to the Nevada ransomware which was a mistake
• Security alert! We hacked your company successfully ... Send money within 3 days, otherwise we will expose some data and raise the price
• CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed
• A malicious actor with local user privileges on the victim's machine may exploit this vulnerability to delete arbitrary files from the file system of the machine on which Workstation is installed
• These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021

Headlines

• Feb. 9, 2023 - A new variant of ESXiArgs ransomware makes recovery much harder
• Feb. 9, 2023 - VMware ESXi server ransomware evolves, after recovery script released
• Feb. 9, 2023 - It might be impossible now to recover data from VMware ransomware attacks
• Feb. 9, 2023 - ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware
• Feb. 8, 2023 - CISA Releases Recovery Script for Victims of ESXiArgs Ransomware
• Feb. 8, 2023 - Among ESXiArgs' ransomware victims? FBI, CISA here to help
• Feb. 8, 2023 - CISA Releases Recovery Tool for VMware Ransomware Victims
• Feb. 8, 2023 - US CISA releases a script to recover servers infected with ESXiArgs ransomware
• Feb. 7, 2023 - Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks
• Feb. 7, 2023 - VMware has no evidence of zero-day exploitation in ESXiArgs ransomware attacks
• Feb. 7, 2023 - VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree
• Feb. 6, 2023 - Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread
• Feb. 6, 2023 - Massive ransomware attack targets VMware ESXi servers worldwide
• Feb. 6, 2023 - Massive Ransomware Attack Targets VMware ESXi Servers
• Feb. 6, 2023 - Widespread cyberattack hits servers across Europe
• Feb. 6, 2023 - Legacy VMware Bug Exploited in Global Ransomware Campaign
• Feb. 6, 2023 - Ransomware scum attack old VMWare ESXi vulnerability
• Feb. 4, 2023 - CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers
• Feb. 4, 2023 - New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

CVE-2021-38003

HIGH CVSS 8.80

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Nov. 23, 2021

Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Vendor Impacted: Google

Product Impacted: Chromium V8 Engine

Quotes

• We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published

Headlines

• Feb. 10, 2023 - Malicious Game Mods Target Dota 2 Game Users
• Feb. 10, 2023 - This Week In Security: ImageMagick, VBulletin, And Dota 2

CVE-2023-0286

CVSS Not Assigned

Remote Code Execution

Published: Feb. 8, 2023

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Quotes

• Read memory contents or enact a denial-of-service

Headlines

• Feb. 10, 2023 - Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack
• Feb. 9, 2023 - OpenSSL Fixes Multiple New Security Flaws with Latest Update
• Feb. 8, 2023 - PAN-SA-2023-0001 Impact of OpenSSL Vulnerabilities Disclosed Feb 7, 2023
• Feb. 7, 2023 - OpenSSL Ships Patch for High-Severity Flaws

CVE-2022-24990

CVSS Not Assigned

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 7, 2023

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

Vendor Impacted: Terramaster

Product Impacted: Terramaster Os

Quotes

• Have also been observed using or possessing publicly available tools for encryption
• Cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks

Headlines

• Feb. 10, 2023 - US Warns Critical Sectors Against North Korean Ransomware Attacks
• Feb. 10, 2023 - North Korean ransomware attacks on healthcare fund govt operations
• Feb. 10, 2023 - North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations