In the past, I tended to focus only on vulnerabilities with a CVSS score of 9 or higher (Severity=Critical), or those capable of RCE (Remote Code Execution). Recent breaches show that even vulnerabilities with CVSS scores below 9 can have a critical impact when chained together. The following excerpts from the sources illustrate why we should make full use of the Known Exploited Vulnerabilities catalog.
Zimbra RCE Vulnerability Exploited Without Admin Privileges
A remote-code-execution (RCE) vulnerability affecting Zimbra Collaboration Suite (ZCS) email servers was exploited without valid administrative credentials, unlike previously believed.
The findings come from security researchers at Volexity, who detailed them in an advisory published on Wednesday.
While the RCE issue (tracked as CVE-2022-27925) was patched by Zimbra in March 2022, in July and early August 2022 Volexity investigated several instances of victim organizations experiencing serious breaches of their ZCS email servers.
“Subsequent testing by Volexity determined it was possible to bypass authentication when accessing the same endpoint [...] used by CVE-2022-27925,” Volexity said. “This meant that [the flaw] could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.”
After disclosing the authentication bypass vulnerability (tracked as CVE-2022-37042) to Zimbra, the company issued patches for it at the end of July.
Still, the Volexity investigation suggested the vulnerability was being mass exploited with the authentication bypass as early as the end of June 2022, with over 1,000 ZCS instances around the world backdoored and compromised.
“These ZCS instances belong to a variety of global organizations, including government departments and ministries; military branches; worldwide businesses with billions of dollars of revenue, etc.”
Volexity said that affected organizations also included a considerable number of small businesses unlikely to have dedicated IT staff to manage their mail servers, and therefore less prepared to effectively detect and remediate an incident.
In order to verify the presence of web shells on a ZCS instance, Volexity suggested companies compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations.
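One way to run the check Volexity suggests, as an added example that is not Volexity's or Zimbra's own tooling: list every .jsp under the web root and diff it against a baseline taken from a clean install of the same ZCS version. The baseline paths and the sample directory tree below are constructed, and the web root is an assumption to be replaced with the real one.

```python
"""Added example: flag JSP files under a Zimbra web root that a clean install
of the same ZCS version does not ship. The baseline must come from a
known-good install, never from the server being checked."""
import os
import tempfile
from pathlib import Path

# Constructed sample baseline (assumption): relative paths of shipped JSPs.
SAMPLE_BASELINE = {
    "webapps/zimbra/public/login.jsp",
    "webapps/zimbra/h/main.jsp",
}

def list_jsp_files(web_root):
    """All *.jsp files under web_root as forward-slashed relative paths."""
    found = set()
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(".jsp"):
                rel = Path(dirpath, name).relative_to(web_root)
                found.add(rel.as_posix())
    return found

def unexpected_jsp_files(web_root, baseline):
    """JSPs on disk but not in the baseline: candidate web shells to review."""
    return sorted(list_jsp_files(web_root) - set(baseline))

def missing_jsp_files(web_root, baseline):
    """Baseline JSPs absent from disk: usually a baseline for the wrong version."""
    return sorted(set(baseline) - list_jsp_files(web_root))

def build_sample_tree(root):
    """Constructed sample tree: the two baseline JSPs plus one extra file."""
    for rel in sorted(SAMPLE_BASELINE) + ["webapps/zimbra/public/extra.jsp"]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<%-- placeholder --%>\n")

def demo():
    """Run the check on the constructed tree; returns (unexpected, missing)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return (unexpected_jsp_files(tmp, SAMPLE_BASELINE),
                missing_jsp_files(tmp, SAMPLE_BASELINE))

if __name__ == "__main__":
    # Point unexpected_jsp_files at the real web root instead of the temp tree.
    print(demo())
```

Comparing names only catches added files; a shipped JSP that was modified in place needs a hash comparison against the same clean baseline.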
The company’s mail servers were also under the spotlight at the end of June when a flaw in RARlab’s UnRAR utility was discovered that could be exploited to steal emails from individual Zimbra mail user accounts.
Over 1,000 servers already compromised
After discovering evidence during multiple incident responses that Zimbra email servers were being breached using the CVE-2022-27925 RCE with the help of the CVE-2022-37042 auth bypass bug, Volexity scanned for instances of hacked servers exposed to Internet access.
Since the latest Zimbra versions (8.8.15 patch 33 and 9.0.0 patch 26) are patched against the actively exploited RCE and auth bypass bugs, admins should patch their servers immediately to block attacks.
However, as Volexity warns, if vulnerable servers haven't been patched against the RCE bug (CVE-2022-27925) before the end of May 2022, "you should consider your ZCS instance may be compromised (and thus all data on it, including email content, may be stolen) and perform a full analysis of the server."
Unfortunately, these two Zimbra bugs are likely not the only ones actively exploited, given that CISA has added another high severity Zimbra flaw (CVE-2022-27924), allowing unauthenticated attackers to steal plain text credentials, to its Known Exploited Vulnerabilities Catalog.
Newly added entries in the Known Exploited Vulnerabilities Catalog
CVE-2022-27924 Zimbra Collaboration
Zimbra Collaboration (ZCS) Command Injection Vulnerability
Published on 2022-08-04
Zimbra Collaboration (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries.
Apply updates per vendor instructions by 2022-08-25
NIST: NVD Base Score: 7.5 HIGH
CVE-2022-34713 Microsoft Windows
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Published on 2022-08-09
A remote code execution vulnerability exists when Microsoft Windows MSDT is called using the URL protocol from a calling application.
Apply updates per vendor instructions by 2022-08-30
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713
CNA: Microsoft Corporation Base Score: 7.8 HIGH
CVE-2022-30333 RARLAB UnRAR
RARLAB UnRAR Directory Traversal Vulnerability
Published on 2022-08-09
RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation.
Apply updates per vendor instructions by 2022-08-30
Vulnerability updated with version 6.12. Accessing the link will download the update: https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz
NIST: NVD Base Score: 7.5 HIGH
CVE-2022-27925 Zimbra Collaboration
Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
Published on 2022-08-11
Zimbra Collaboration (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
Apply updates per vendor instructions by 2022-09-01
https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
NIST: NVD Base Score: 7.2 HIGH
CVE-2022-37042 Zimbra Collaboration
Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability
Published on 2022-08-11
Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.
Apply updates per vendor instructions by 2022-09-01
https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
NIST: NVD Base Score: N/A (on 08/14)
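To turn the catalog into a triage rule rather than a reading list, here is an added example (not from CISA or the page's sources) that ranks constructed scanner findings by KEV membership and due date first, and by CVSS only afterwards, so CVE-2022-27925 at 7.2 outranks a placeholder non-KEV finding scored 9.1. The KEV records are built from the entries above using the field names of CISA's KEV JSON feed (cveID, dueDate, shortDescription); CVE-2099-00001 and the scores in FINDINGS are constructed input.

```python
"""Added example: rank findings by KEV membership and due date before CVSS.
KEV records are constructed from this page's entries, using the field names of
CISA's KEV JSON feed; CVE-2099-00001 is a placeholder non-KEV finding."""
import json
import re
from datetime import date
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-27924", "dueDate": "2022-08-25",
     "shortDescription": "ZCS memcache command injection."},
    {"cveID": "CVE-2022-30333", "dueDate": "2022-08-30",
     "shortDescription": "UnRAR directory traversal on extract."},
    {"cveID": "CVE-2022-27925", "dueDate": "2022-09-01",
     "shortDescription": "ZCS file upload, chained with CVE-2022-37042."},
    {"cveID": "CVE-2022-37042", "dueDate": "2022-09-01",
     "shortDescription": "ZCS auth bypass, chained with CVE-2022-27925."},
]})

# Constructed scanner output: CVE -> CVSS base score (None = not yet scored).
FINDINGS = {"CVE-2022-27925": 7.2, "CVE-2022-37042": None,
            "CVE-2022-27924": 7.5, "CVE-2022-30333": 7.5,
            "CVE-2099-00001": 9.1}
CHAIN_RE = re.compile(r"chained with (CVE-\d{4}-\d{4,})", re.IGNORECASE)

def load_kev(raw):
    """Index the catalog feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def chain_partners(kev, cve):
    """CVEs the catalog text says this entry was chained with."""
    entry = kev.get(cve)
    return set(CHAIN_RE.findall(entry["shortDescription"])) if entry else set()

def prioritize(findings, kev, cvss_threshold=9.0, today=date(2022, 8, 14)):
    """KEV entries first (fewest days to due date), then CVSS >= threshold,
    then the rest by score. Returns (cve, reason) pairs in that order."""
    ranked = []
    for cve, score in findings.items():
        entry = kev.get(cve)
        if entry:
            days = (date.fromisoformat(entry["dueDate"]) - today).days
            chain = ",".join(sorted(chain_partners(kev, cve)))
            reason = f"KEV, due in {days}d" + (f", chained with {chain}" if chain else "")
            key = (0, days)
        elif score is not None and score >= cvss_threshold:
            key, reason = (1, -score), f"CVSS {score}"
        else:
            key, reason = (2, -(score or 0)), f"CVSS {score}"
        ranked.append((key, cve, reason))
    return [(cve, reason) for _key, cve, reason in sorted(ranked)]
```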
Sources
Zimbra RCE Vulnerability Exploited Without Admin Privileges (infosecurity 08/11)
Zimbra auth bypass bug exploited to breach over 1,000 servers (BleepingComputer 08/11)