VULNERA Pulse

CVE-2023-27350

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: April 20, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Vendor Impacted: Papercut

Product Impacted: Mf/ng

Quotes

• No user serviceable parts inside
• I cannot generate inappropriate content
• Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505)
• Lace Tempest (DEV-0950) is a Cl0p ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13
• In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service
• Urgent security message for all NG/MF customers
• The built-in 'Scripting' functionality for printers
• We have evidence to suggest that unpatched servers are being exploited in the wild
• The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. In addition to our email and in-app announcements to all customers, we’ve been using this list to proactively reach out to potentially exposed customers via multiple means
• Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix
• Evidence to suggest that unpatched servers are being exploited in the wild

Headlines

• April 27, 2023 - S3 Ep132: Proof-of-concept lets anyone hack at will
• April 27, 2023 - Increased exploitation of PaperCut drawing blood around the Internet
• April 27, 2023 - Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo
• April 27, 2023 - Microsoft says Clop, LockBit ransomware gangs behind PaperCut server attacks
• April 27, 2023 - Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware
• April 27, 2023 - Microsoft: Cl0p Ransomware Exploited PaperCut Vulnerabilities Since April 13
• April 27, 2023 - PaperCut vulnerabilities leveraged by Clop, LockBit ransomware affiliates
• April 27, 2023 - Microsoft Blames Clop Affiliate for PaperCut Attacks
• April 26, 2023 - Microsoft: Clop and LockBit ransomware behind PaperCut server hacks
• April 26, 2023 - Clop, LockBit ransomware gangs behind PaperCut server attacks
• April 25, 2023 - PaperCut security vulnerabilities under active attack – vendor urges customers to patch
• April 25, 2023 - Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers
• April 25, 2023 - Print Management Software PaperCut Actively Exploited In The Wild
• April 25, 2023 - PoC exploit for abused PaperCut flaw is now public (CVE-2023-27350)
• April 24, 2023 - Experts released PoC Exploit code for actively exploited PaperCut flaw
• April 24, 2023 - Exploit released for PaperCut flaw abused to hijack servers, patch now
• April 24, 2023 - Huntress: Most PaperCut Installations Not Patched Against Already-Exploited Security Flaw
• April 24, 2023 - Russian cybercrime group likely behind ongoing exploitation of PaperCut flaws
• April 24, 2023 - Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers

CVE-2023-27524

HIGH CVSS 8.90

Remote Code Execution Public Exploits Available

Published: April 24, 2023

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

Quotes

• The security of the web application depends critically on ensuring the SECRET_KEY is actually secret. If the SECRET_KEY is exposed, an attacker with no prior privileges could generate and sign their own cookies and access the application, masquerading as a legitimate user
• Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources
• By default, database connections are set up with read-only permissions but an attacker with admin access can enable writes and DML (data model language) statements. The powerful SQL Lab interface allows attackers to run arbitrary SQL statements against connected databases
• A dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data
• The web application signs the cookie with a SECRET_KEY, a value that is supposed to be randomly generated and typically stored in a local configuration file

Headlines

• April 26, 2023 - Common insecure configuration opens Apache Superset servers to compromise
• April 26, 2023 - Thousands of publicly-exposed Apache Superset installs exposed to RCE attacks
• April 26, 2023 - Organizations Warned of Security Risk in Default Apache Superset Configurations
• April 26, 2023 - Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks
• April 25, 2023 - Apache Superset: Insecure defaults leave systems vulnerable

CVE-2023-1389

HIGH CVSS 8.80

Actively Exploited Remote Code Execution

Published: March 15, 2023

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Vendor Impacted: Tp-Link

Products Impacted: Archer Ax21, Archer Ax21 Firmware

Quotes

• In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service
• Starting on April 11th, we began seeing notifications from our telemetry system that a threat actor had started to publicly exploit this vulnerability

Headlines

• April 27, 2023 - Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
• April 26, 2023 - Mirai malware targeting top TP-Link routers to hijack into DDoS attacks
• April 25, 2023 - A new Mirai botnet variant targets TP-Link Archer A21
• April 25, 2023 - TP-Link Archer WiFi router flaw exploited by Mirai malware

CVE-2023-27351

HIGH CVSS 8.20

Risk Context N/A

Published: April 20, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

Quotes

• Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505)
• Lace Tempest (DEV-0950) is a Cl0p ransomware affiliate that has been observed using GoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns. The threat actor incorporated the PaperCut exploits into their attacks as early as April 13
• In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service
• Urgent security message for all NG/MF customers
• The built-in 'Scripting' functionality for printers
• We have evidence to suggest that unpatched servers are being exploited in the wild
• The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. In addition to our email and in-app announcements to all customers, we’ve been using this list to proactively reach out to potentially exposed customers via multiple means
• Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix

Headlines

• April 27, 2023 - Microsoft says Clop, LockBit ransomware gangs behind PaperCut server attacks
• April 27, 2023 - Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware
• April 27, 2023 - Microsoft: Cl0p Ransomware Exploited PaperCut Vulnerabilities Since April 13
• April 27, 2023 - PaperCut vulnerabilities leveraged by Clop, LockBit ransomware affiliates
• April 27, 2023 - Microsoft Blames Clop Affiliate for PaperCut Attacks
• April 27, 2023 - Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
• April 26, 2023 - Microsoft: Clop and LockBit ransomware behind PaperCut server hacks
• April 26, 2023 - Clop, LockBit ransomware gangs behind PaperCut server attacks
• April 25, 2023 - PaperCut security vulnerabilities under active attack – vendor urges customers to patch
• April 25, 2023 - Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers
• April 25, 2023 - Print Management Software PaperCut Actively Exploited In The Wild
• April 25, 2023 - PoC exploit for abused PaperCut flaw is now public (CVE-2023-27350)
• April 24, 2023 - Experts released PoC Exploit code for actively exploited PaperCut flaw
• April 24, 2023 - Exploit released for PaperCut flaw abused to hijack servers, patch now

CVE-2023-27532

HIGH CVSS 7.50

Actively Exploited Remote Code Execution Public Exploits Available

Published: March 10, 2023

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

Vendor Impacted: Veeam

Product Impacted: Backup \& Replication

Quotes

• A proof-of-concept (POC) exploit was made publicly available a few days prior to the campaign, on 23rd March 2023
• In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service
• The exact method used by the threat actor to invoke the initial shell commands remains unknown but was likely achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532, which can provide unauthenticated access to a Veeam Backup & Replication instance

Headlines

• April 28, 2023 - Cybercrime group FIN7 targets Veeam backup servers
• April 27, 2023 - Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
• April 26, 2023 - FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability

CVE-2023-29552

CVSS Not Assigned

Actively Exploited Remote Code Execution

Published: April 25, 2023

The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services. This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor.

Quotes

• CVE-2023-29552 is a threat that can potentially impact business continuity and result in financial loss, even if an attacker has limited resources
• This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor
• Given the criticality of the vulnerability and the potential consequences resulting from exploitation, Bitsight coordinated public disclosure efforts with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and impacted organizations
• This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack
• SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet
• Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation
• Service Location provides a dynamic configuration mechanism for applications in local area networks. It is not a global resolution system for the entire Internet; rather, it is intended to serve enterprise networks with shared services
• Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported

Headlines

• April 26, 2023 - High-Severity SLP Flaw Can Amplify DDoS Attacks up to 2,200 Times
• April 26, 2023 - SLP Vulnerability Allows DoS Attacks With Amplification Factor of 2,200
• April 26, 2023 - New SLP Vulnerability Could Enable Massive DDoS Attacks
• April 26, 2023 - Old protocol has new DoS-amplification bug
• April 25, 2023 - New DDoS amplification vector could enable massive attacks
• April 25, 2023 - SLP flaw allows DDoS attacks with an amplification factor as high as 2200 times
• April 25, 2023 - New SLP bug can lead to massive 2,200x DDoS amplification attacks
• April 25, 2023 - New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks
• April 25, 2023 - Abuse of the Service Location Protocol May Lead to DoS Attacks | CISA

CVE-2023-20870

CVSS Not Assigned

Risk Context N/A

Published: April 25, 2023

VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.

Quotes

• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host
• Functionality for sharing host Bluetooth devices with the virtual machine
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• Exploit this issue to execute code as the virtual machine's VMX process running on the host
• Share Bluetooth devices with the virtual machine

Headlines

• April 26, 2023 - Critical Flaw Patched in VMware Workstation and Fusion
• April 26, 2023 - VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
• April 26, 2023 - VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest
• April 26, 2023 - VMware Releases Critical Patches for Workstation and Fusion Software
• April 26, 2023 - VMware patches critical vulnerability
• April 25, 2023 - VMware addressed two zero-day flaws demonstrated at Pwn2Own Vancouver 2023
• April 25, 2023 - VMware fixes critical zero-day exploit chain used at Pwn2Own

CVE-2023-20869

CVSS Not Assigned

Risk Context N/A

Published: April 25, 2023

VMware Workstation (17.x) and VMware Fusion (13.x) contain a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.

Quotes

• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host
• Functionality for sharing host Bluetooth devices with the virtual machine
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• Exploit this issue to execute code as the virtual machine's VMX process running on the host
• Share Bluetooth devices with the virtual machine

Headlines

• April 26, 2023 - Critical Flaw Patched in VMware Workstation and Fusion
• April 26, 2023 - VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
• April 26, 2023 - VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest
• April 26, 2023 - VMware Releases Critical Patches for Workstation and Fusion Software
• April 26, 2023 - VMware patches critical vulnerability
• April 25, 2023 - VMware addressed two zero-day flaws demonstrated at Pwn2Own Vancouver 2023
• April 25, 2023 - VMware fixes critical zero-day exploit chain used at Pwn2Own

CVE-2023-20872

CVSS Not Assigned

Risk Context N/A

Published: April 25, 2023

VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.

Quotes

• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host
• Functionality for sharing host Bluetooth devices with the virtual machine
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• Exploit this issue to execute code as the virtual machine's VMX process running on the host
• Share Bluetooth devices with the virtual machine

Headlines

• April 26, 2023 - Critical Flaw Patched in VMware Workstation and Fusion
• April 26, 2023 - VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
• April 26, 2023 - VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest
• April 26, 2023 - VMware Releases Critical Patches for Workstation and Fusion Software
• April 26, 2023 - VMware patches critical vulnerability
• April 25, 2023 - VMware fixes critical zero-day exploit chain used at Pwn2Own

CVE-2023-20871

CVSS Not Assigned

Risk Context N/A

Published: April 25, 2023

VMware Fusion contains a local privilege escalation vulnerability. A malicious actor with read/write access to the host operating system can elevate privileges to gain root access to the host operating system.

Quotes

• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host
• Functionality for sharing host Bluetooth devices with the virtual machine
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• Exploit this issue to execute code as the virtual machine's VMX process running on the host
• Share Bluetooth devices with the virtual machine

Headlines

• April 26, 2023 - Critical Flaw Patched in VMware Workstation and Fusion
• April 26, 2023 - VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
• April 26, 2023 - VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest
• April 26, 2023 - VMware Releases Critical Patches for Workstation and Fusion Software
• April 26, 2023 - VMware patches critical vulnerability
• April 25, 2023 - VMware fixes critical zero-day exploit chain used at Pwn2Own