
CVE-2024-23119: Critical SQL Injection Vulnerability in Centreon

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-23119, assessed its impact and developed mitigation measures for this vulnerability.

CVE-2024-23119 is a high-severity SQL injection vulnerability in Centreon Web, a widely used network, system and application monitoring tool. The flaw resides in the insertGraphTemplate function, which fails to validate user input before incorporating it into SQL queries. As a result, an authenticated attacker can execute arbitrary SQL statements, potentially taking control of the database and executing code in the context of the service account. The vulnerability carries a CVSS base score of 8.8, reflecting high impact on confidentiality, integrity and availability. The Exploit Prediction Scoring System (EPSS) estimates a 0.07% probability of exploitation in the next 30 days, so exploitation is considered unlikely but still notable. The issue was reported through the Zero Day Initiative (ZDI) as ZDI-CAN-22339 and is fixed in Centreon Web 22.10.15, 23.04.10 and 23.10.1; earlier releases are affected. For further details and mitigation, refer to the ZDI advisory and the Centreon GitHub repository.

Technical Overview

CVE-2024-23119 stems from an SQL injection issue in the creation of graph templates. Centreon's web interface is served over HTTP/HTTPS, and the vulnerable code path runs through main.get.php (see Figure 1), which loads the formGraphTemplate.php script; that script in turn calls insertGraphTemplateInDB(). The core issue is inadequate validation and sanitization of specific request parameters that are concatenated into SQL queries.

Figure 1: Code Snippet from ‘main.get.php’

When a graph template is created, an HTTP POST request is sent to main.get.php with parameters including p, o and submitA. The formGraphTemplate.php script processes these parameters and invokes the insertGraphTemplateInDB() function (see Figure 2), which then calls insertGraphTemplate().

Figure 2: Code Snippet from ‘formGraphTemplate.php’

In this function, an SQL query is constructed to insert data into the giv_graphs_template table. While some parameters are sanitized, others like lower_limit, upper_limit, size_to_max, default_tpl1, and scaled are directly incorporated into the SQL query without proper sanitization (see Figure 3). This lack of sanitization permits attackers to inject arbitrary SQL commands.

Figure 3: Code snippet from insertGraphTemplate() in DB-Func.php

Exploiting this SQL Injection vulnerability allows a remote, authenticated attacker to craft malicious requests to the server, leading to potential data leakage, data corruption or full control over the database. This vulnerability highlights the importance of rigorous input validation and the use of parameterized queries to prevent such critical security issues in web applications.
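As an added illustration (not Centreon's code and not from the original post), the following Python script models the pattern described above against an in-memory SQLite database: a reduced giv_graphs_template table with five assumed columns, an INSERT built by string concatenation the way the vulnerable function does, and the parameterized form that fixes it. The payload mirrors the structure of the one shown later in the Exploitation section, adapted to the smaller column count and to SQLite's `--` comment syntax (MySQL uses `#`); executescript() stands in for a database driver that permits stacked statements, which the stacked CREATE TABLE relies on.

```python
import sqlite3

# Constructed, reduced model of the giv_graphs_template table: a handful of
# columns is enough to show the injection. This is not Centreon's schema.
SCHEMA = (
    "CREATE TABLE giv_graphs_template ("
    "name TEXT, lower_limit TEXT, upper_limit TEXT, size_to_max TEXT, scaled TEXT)"
)
COLUMNS = "name, lower_limit, upper_limit, size_to_max, scaled"


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_insert_vulnerable(name, lower_limit, upper_limit, size_to_max, scaled) -> str:
    """Unsafe pattern: 'name' is quote-escaped, but the numeric-looking fields are
    pasted into the statement verbatim, the mix the page describes."""
    escaped_name = name.replace("'", "''")
    return (
        f"INSERT INTO giv_graphs_template ({COLUMNS}) VALUES "
        f"('{escaped_name}', '{lower_limit}', '{upper_limit}', '{size_to_max}', '{scaled}')"
    )


def insert_vulnerable(conn: sqlite3.Connection, **fields) -> None:
    # executescript() runs every statement in the string, emulating a driver
    # configured to allow stacked queries.
    conn.executescript(build_insert_vulnerable(**fields))


def insert_safe(conn: sqlite3.Connection, name, lower_limit, upper_limit, size_to_max, scaled) -> None:
    """Parameterized form: values travel separately from the SQL text, so the
    driver never interprets them as SQL."""
    conn.execute(
        f"INSERT INTO giv_graphs_template ({COLUMNS}) VALUES (?, ?, ?, ?, ?)",
        (name, lower_limit, upper_limit, size_to_max, scaled),
    )


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


# Same shape as the page's payload: close the quoted value, supply the remaining
# columns, terminate the INSERT, stack a CREATE TABLE and comment out the tail.
PAYLOAD = "1', NULL, NULL, NULL); CREATE TABLE poc (id int); -- "


def run_demo() -> dict:
    fields = dict(name="cpu", lower_limit=PAYLOAD, upper_limit="100", size_to_max="0", scaled="0")

    vuln = new_db()
    insert_vulnerable(vuln, **fields)

    safe = new_db()
    insert_safe(safe, **fields)
    stored = safe.execute("SELECT lower_limit FROM giv_graphs_template").fetchone()[0]

    return {
        "vulnerable_created_poc_table": table_exists(vuln, "poc"),
        "safe_created_poc_table": table_exists(safe, "poc"),
        "safe_stored_payload_literally": stored == PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable path ends up executing two statements (the INSERT, then CREATE TABLE poc) with the original tail of the query commented away; the parameterized path stores the whole payload as an ordinary string value and creates nothing.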

Triggering the Vulnerability

  • Send Malicious POST Requests: An attacker can trigger the vulnerability by sending a specially crafted HTTP POST request to the Centreon web interface. This request must include malicious SQL payloads in parameters that are not properly sanitized.
  • Exploit Unsanitized Parameters: The vulnerability arises from insufficient input validation of the lower_limit, upper_limit, size_to_max, default_tpl1 and scaled parameters. An attacker triggers it by injecting SQL into these parameters when creating or modifying graph templates.
  • Access via Graph Template Interface: The attack must be executed through the graph template creation or modification interface, specifically by setting the request parameter p to “20404” and other relevant parameters to trigger the vulnerable code path.
  • Authenticated Access Required: The attacker must have authenticated access to the Centreon web interface. This means the attacker needs to log in and have the appropriate permissions to create or modify graph templates to exploit this vulnerability effectively.

Exploitation

Exploiting CVE-2024-23119 involves a series of steps against the Centreon web management interface. The attacker first authenticates by sending a POST request to the /api/latest/authentication/providers/configurations/local endpoint with a JSON payload containing valid credentials, which establishes an authenticated session.

Figure 4: CSRF Token

Next, the attacker retrieves a CSRF token from /main.get.php?p=20404&o=a (see Figure 4); Centreon requires this token on form submissions, so it is extracted from the HTML response with a regular expression and carried into the next request. With the token in hand, the attacker builds a payload for one of the unsanitized fields (lower_limit, upper_limit, size_to_max, default_tpl1 or scaled) in a graph template creation request. For example, the value 1', NULL, 0, NULL, NULL, '0', NULL, NULL); CREATE TABLE poc (id int); # closes the quoted value, supplies the remaining columns of the INSERT, appends a stacked CREATE TABLE statement and comments out the rest of the original query, creating a new table named poc in the database. Stacked statements like this only execute when the database driver permits multiple statements per call.

Figure 5: Exploitation using SQL injection

Finally, the attacker sends the malicious request to /main.get.php?p=20404 with the payload, the CSRF token and the other required parameters. After the request is processed, the attacker verifies the impact by checking the database for the newly created table. This foothold can be leveraged further, potentially leading to data theft or unauthorized access.
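The request shape described in the steps above is something a WAF or proxy log review can check for. The following Python function is an added example (not SonicWall's signature logic and not from the original post) that inspects one HTTP request, keys on POSTs to main.get.php with p=20404, and flags the five parameters named on this page when they contain SQL metacharacters instead of the small integers those fields legitimately hold. The sample requests are constructed, not captured traffic; the centreon_token parameter name is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the page identifies as reaching the SQL statement unsanitized.
VULNERABLE_PARAMS = {"lower_limit", "upper_limit", "size_to_max", "default_tpl1", "scaled"}
GRAPH_TEMPLATE_PAGE = "20404"

# What these fields legitimately hold: an optional sign and digits, or blank.
LEGIT_VALUE = re.compile(r"^-?\d*$")
# Quote/comment characters and statement keywords that have no business in a numeric field.
SQL_MARKERS = re.compile(
    r"""['";#]|--|/\*|\b(select|insert|update|delete|create|drop|union)\b""", re.IGNORECASE
)


def inspect_request(method: str, target: str, body: str) -> dict:
    """Verdict for one HTTP request: (method, request-target, urlencoded form body)."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    form = parse_qs(body, keep_blank_values=True)
    result = {"graph_template_path": False, "suspicious_params": {}}

    if method.upper() != "POST" or not url.path.endswith("/main.get.php"):
        return result
    # p may arrive in the query string (as in the page's PoC) or in the form body.
    p = (query.get("p") or form.get("p") or [""])[0]
    if p != GRAPH_TEMPLATE_PAGE:
        return result
    result["graph_template_path"] = True

    for name in VULNERABLE_PARAMS.intersection(form):
        for value in form[name]:
            if LEGIT_VALUE.match(value):
                continue
            if SQL_MARKERS.search(value):
                result["suspicious_params"][name] = value
    return result


def is_injection_attempt(method: str, target: str, body: str) -> bool:
    return bool(inspect_request(method, target, body)["suspicious_params"])


# Constructed sample requests (not captured traffic).
BENIGN = (
    "POST", "/centreon/main.get.php?p=20404",
    "o=a&submitA=Save&name=cpu&lower_limit=0&upper_limit=100&size_to_max=0&scaled=1&centreon_token=abc",
)
ATTACK = (
    "POST", "/centreon/main.get.php?p=20404",
    "o=a&submitA=Save&name=cpu"
    "&lower_limit=1%27%2C+NULL%2C+0%29%3B+CREATE+TABLE+poc+%28id+int%29%3B+%23"
    "&upper_limit=100&scaled=1&centreon_token=abc",
)
OTHER_PAGE = ("POST", "/centreon/main.get.php?p=60101", "lower_limit=1%27+OR+1%3D1")

if __name__ == "__main__":
    for req in (BENIGN, ATTACK, OTHER_PAGE):
        print(req[1], inspect_request(*req))
```

The check is deliberately narrow: it only fires on the vulnerable page and the five fields, so a legitimate administrator saving a template with numeric limits is never flagged, while the PoC-style payload is caught on the quote character alone.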

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20295 Centreon main.get.php SQL Injection 9

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Upgrade to Centreon Web versions 22.10.15, 23.04.10, or 23.10.1
  • Monitor and review system logs for suspicious activity.
  • Utilize up-to-date IPS signatures to filter network traffic.
  • Restrict user privileges and sanitize user inputs.


CVE-2024-7928: FastAdmin Unauthenticated Path Traversal Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of an unauthenticated directory traversal vulnerability affecting FastAdmin installations. Identified as CVE-2024-7928 and carrying a moderate CVSSv3 score of 5.3, the vulnerability is more severe than the score suggests. It is a path traversal weakness (CWE-22) that allows unauthenticated attackers to read files outside the intended directory.

A proof of concept is publicly available on GitHub. The issue affects FastAdmin versions up to 1.3.3.20220121; an attacker can use the traversal to retrieve database configuration details and expose other sensitive information. Users are strongly encouraged to update to version 1.3.4.20220530.

Technical Overview

FastAdmin is an open-source backend framework built on ThinkPHP and Bootstrap. It offers features such as a complete permission-management system and one-click CRUD generation. The CVE-2024-7928 PoC attempts to retrieve database credentials from FastAdmin instances. The issue is exploitable remotely with low complexity and no privileges, and can lead to unauthorized access to sensitive data.

Figure 1 shows the path traversal being exercised with a crafted GET request to the /index/ajax/lang URI that manipulates the lang parameter.

Figure 1: CVE-2024-7928 attack request

Exploiting the vulnerability

A crafted GET request to a vulnerable FastAdmin instance is necessary and sufficient to exploit the issue; the attacker only needs network access to the instance, whether over the Internet or a local network. Figure 2 demonstrates exploitation using the publicly available PoC.

Figure 2: CVE-2024-7928 Exploitation

Once the exploit succeeds, an attacker can use the stolen credentials with a MySQL client to access, manipulate and expose sensitive information, as shown in Figure 3.

Figure 3: CVE-2024-7928 post exploitation
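To make the traversal concrete, here is an added Python model (not FastAdmin's code and not from the original post) of a language-file loader in the vulnerable style beside a hardened one. It assumes the framework resolves the lang parameter to application/index/lang/<lang>.php and that the database configuration lives in application/database.php, a standard ThinkPHP 5 layout; the files it creates under a temporary directory are constructed stand-ins. The hardened version allowlists the value and then verifies the canonical path still lies inside the language directory.

```python
import os
import re
import tempfile

LANG_CODE = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")   # e.g. "en", "zh-cn"


def lang_path_vulnerable(lang_dir: str, lang: str) -> str:
    """Unsafe pattern: the request parameter is joined straight into the path."""
    return os.path.join(lang_dir, lang + ".php")


def read_lang_vulnerable(lang_dir: str, lang: str) -> str:
    with open(lang_path_vulnerable(lang_dir, lang), encoding="utf-8") as fh:
        return fh.read()


def read_lang_safe(lang_dir: str, lang: str) -> str:
    """Hardened: allowlist the value, then verify the canonical path stays inside lang_dir."""
    if not LANG_CODE.match(lang):
        raise PermissionError(f"language code rejected: {lang!r}")
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, lang + ".php"))
    # Defence in depth: catches symlink tricks or a later loosening of the regex.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}: {candidate}")
    with open(candidate, encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree() -> str:
    """Constructed mini install: application/index/lang/zh-cn.php plus application/database.php."""
    root = tempfile.mkdtemp(prefix="fastadmin-demo-")
    lang_dir = os.path.join(root, "application", "index", "lang")
    os.makedirs(lang_dir)
    with open(os.path.join(lang_dir, "zh-cn.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php return ['Hello' => 'Ni hao'];")
    with open(os.path.join(root, "application", "database.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php return ['username' => 'root', 'password' => 'demo-only-secret'];")
    return root


def run_demo() -> dict:
    root = make_demo_tree()
    lang_dir = os.path.join(root, "application", "index", "lang")
    traversal = "../../database"      # lang/../../database.php -> application/database.php
    out = {"vulnerable_leaks_db_config": "demo-only-secret" in read_lang_vulnerable(lang_dir, traversal)}
    try:
        read_lang_safe(lang_dir, traversal)
        out["safe_blocks_traversal"] = False
    except PermissionError:
        out["safe_blocks_traversal"] = True
    out["safe_serves_legit_lang"] = "Hello" in read_lang_safe(lang_dir, "zh-cn")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two independent checks are used on purpose: the allowlist stops the traversal before any path is built, and the realpath comparison guarantees the outcome even if the first check is weakened later.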

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:20259 – FastAdmin Path Traversal

Remediation Recommendations

According to the advisory, given the severity of this vulnerability and attempts by threat actors to leverage the exploit in the wild, users are strongly encouraged to upgrade their FastAdmin instances to version 1.3.4.20220530 to address the vulnerability.


AutoIT Bot Targets Gmail Accounts First

Summary

This week, the SonicWall Capture Labs threat research team observed an AutoIT-compiled executable that attempts to open Gmail login pages via MS Edge, Google Chrome and Mozilla Firefox. It has functionality to read clipboard data, capture keystrokes, run as different users, and restart or shut down the system. The sample can also detect debuggers and block user input if one is found, and can take control of keyboard and mouse events. It is imperative to be cautious when running files of unknown origin or with vague names such as "File.exe". SonicWall customers are protected in the daily update feed via the "MalAgent.AutoITBot" signature.

Technical Analysis

Using the Detect-It-Easy (DIE) tool to review a sample shows the malware as an AutoIT executable. Note the original name was “File.exe”.

Figure 1: DIE Sample detection

The import table references several libraries whose functions are imported by ordinal only, with no names, along with four separate networking libraries. Importing by ordinal hides which functions are used and is a common obfuscation technique; the imports can be seen in the DIE tool in Figure 2.

Figure 2: Obfuscated libraries

Using the AutoITExtractor tool we can extract the script shown in Figure 3. This reveals cleartext commands to find and launch each browser on a Google sign-in page (accounts.google.com).

Figure 3: Extracted script contents

Static analysis of the binary in a disassembler shows no hardcoded addresses known to be malicious. Although the script drives each browser to the Google accounts page, it also contains generic login links for Facebook, Reddit and other major social media sites. While the browsers launch and run, a separate function sets up a listening socket once the environment checks pass and connectivity has been established, as shown in Figure 4.

Figure 4: Socket option setup

If socket setup fails, the malware calls the standard Windows API WSAGetLastError, as observed during dynamic analysis (Figure 5).

Figure 5: Socket bind operation (failed)

When the browsers are run, they create multiple processes using the following command line structure:

Figure 6: Browser command line commands

The first process creates a hidden, separate page in Firefox, while the second attempts to open the socket.

Once a connection is made, the keylogging, screen-capture and file-enumeration functions are invoked. This behavior was not observed during testing, however, as no C2 server ever connected.

SonicWall Protections

To ensure SonicWall customers are protected against this threat, the following signature has been released:

  • MalAgent.AutoITBot

IOCs

File.exe

6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0

Cisco Smart Software Manager On-Prem Account Takeover

Overview

The SonicWall Capture Labs threat research team became aware of an account takeover vulnerability in Cisco's Smart Software Manager (SSM) On-Prem, assessed its impact and developed mitigation measures for the vulnerability. Identified as CVE-2024-20419 and assigned the maximum CVSS score of 10.0, this remotely exploitable vulnerability allows an unauthenticated attacker to change the password of any user account on the device, including the administrator. While it is uncertain whether the vulnerability is being actively exploited, publicly available proof-of-concept (PoC) code makes exploitation more likely. The vulnerability affects Cisco SSM On-Prem version 8-202206 and earlier. Cisco advises upgrading to version 8-202212; there are no known workarounds.

Technical Overview

CVE-2024-20419 is a flaw in the OTP (one-time password) generation process of Cisco Smart Software Manager On-Prem. The vulnerable endpoint is /backend/reset_password/generate_code, which is meant to let a user prove their identity before a reset can proceed; however, the application returns the password-reset authorization token in the response to this request, before the OTP has been verified. An attacker can therefore use that token without ever completing the OTP step, bypassing the identity check and resetting any user's password, including those of administrators.

Triggering the Vulnerability

Using the publicly available PoC code, we can see that triggering the vulnerability requires two web requests to the SSM: a GET request followed by a POST request. The GET request, as seen in Figure 1, obtains the tokens required for the next request, an XSRF token and a session token.

Figure 1: Obtaining required tokens using GET request

With the tokens obtained, the vulnerability is triggered by sending a POST request to the vulnerable endpoint `/backend/reset_password/generate_code`, as seen in Figure 2. A vulnerable SSM returns the authentication token in the response, from which it can be parsed out.

Figure 2: Constructing the POST request that triggers the vulnerability

Exploitation

To exploit the information obtained, the attacker sends a request to the `/backend/reset_password` endpoint, supplying the username, the authentication token and a new password of the attacker's choosing. Figure 3 demonstrates exploitation by chaining all three requests using the public PoC.
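The root cause is an ordering bug: the proof-of-identity token is released by the first request instead of after the OTP has been checked. The following Python model is an added example (not Cisco's code and not from the original post) of a password-reset backend with a switch that reproduces that ordering, plus the attacker's chain from the steps above and the legitimate flow for comparison. The endpoint paths for generate_code and reset_password are the ones named on this page; the verify_code path, the JSON field names and the simulated e-mail outbox are assumptions, and the XSRF/session token step is omitted because it is not what breaks here.

```python
import hmac
import secrets
from dataclasses import dataclass, field

GENERATE_CODE = "/backend/reset_password/generate_code"
VERIFY_CODE = "/backend/reset_password/verify_code"   # assumed name for the verification step
RESET_PASSWORD = "/backend/reset_password"


@dataclass
class ResetService:
    """Constructed model of a password-reset backend. leak_token=True reproduces the
    flawed ordering: the reset token is handed out by generate_code before any OTP check."""
    leak_token: bool
    users: dict = field(default_factory=lambda: {"admin": "old-password"})
    outbox: list = field(default_factory=list)   # (username, otp) "e-mails" the real user reads
    _otps: dict = field(default_factory=dict)
    _tokens: dict = field(default_factory=dict)

    def handle(self, path: str, body: dict) -> dict:
        if path == GENERATE_CODE:
            return self._generate_code(body["username"])
        if path == VERIFY_CODE:
            return self._verify_code(body["username"], body["code"])
        if path == RESET_PASSWORD:
            return self._reset_password(body["username"], body["auth_token"], body["new_password"])
        return {"status": 404}

    def _generate_code(self, username: str) -> dict:
        resp = {"status": 200, "message": "if the account exists, a code was sent"}  # no enumeration
        if username not in self.users:
            return resp
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[username] = otp
        self.outbox.append((username, otp))
        if self.leak_token:
            resp["auth_token"] = self._issue_token(username)   # the bug: nothing verified yet
        return resp

    def _verify_code(self, username: str, code: str) -> dict:
        expected = self._otps.pop(username, None)              # single use
        if expected is None or not hmac.compare_digest(expected, code):
            return {"status": 401}
        return {"status": 200, "auth_token": self._issue_token(username)}

    def _reset_password(self, username: str, auth_token: str, new_password: str) -> dict:
        expected = self._tokens.get(username)
        if expected is None or not hmac.compare_digest(expected, auth_token):
            return {"status": 401}
        del self._tokens[username]                             # single use
        self.users[username] = new_password
        return {"status": 200}

    def _issue_token(self, username: str) -> str:
        token = secrets.token_hex(16)
        self._tokens[username] = token
        return token


def attacker_flow(svc: ResetService, username: str = "admin", new_password: str = "pwned") -> bool:
    """The PoC's chain: call generate_code, reuse whatever token came back, reset the
    password. The attacker never sees the OTP."""
    first = svc.handle(GENERATE_CODE, {"username": username})
    token = first.get("auth_token", "")
    second = svc.handle(RESET_PASSWORD, {"username": username, "auth_token": token,
                                         "new_password": new_password})
    return second["status"] == 200 and svc.users[username] == new_password


def legitimate_flow(svc: ResetService, username: str = "admin", new_password: str = "fresh") -> bool:
    svc.handle(GENERATE_CODE, {"username": username})
    _, otp = svc.outbox[-1]                                    # the real user reads the OTP
    verified = svc.handle(VERIFY_CODE, {"username": username, "code": otp})
    done = svc.handle(RESET_PASSWORD, {"username": username, "auth_token": verified["auth_token"],
                                       "new_password": new_password})
    return done["status"] == 200 and svc.users[username] == new_password


if __name__ == "__main__":
    print("vulnerable ordering, attacker succeeds:", attacker_flow(ResetService(leak_token=True)))
    print("fixed ordering, attacker succeeds:", attacker_flow(ResetService(leak_token=False)))
    print("fixed ordering, real user succeeds:", legitimate_flow(ResetService(leak_token=False)))
```

The fix is structural rather than a filter: the token simply does not exist until verify_code has seen the correct OTP, so there is nothing for the first response to leak.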

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20223 Cisco SSM Admin Password Reset

Remediation Recommendations

Per the Cisco advisory, customers should upgrade to Cisco SSM On-Prem version 8-202212. Cisco has reported no other known workarounds, so an upgrade is required. Additional industry best practices, such as IP allowlisting, network segmentation and removing Internet-facing access, reduce overall risk but do not mitigate the issue itself.


Understanding CVE-2024-38063: How SonicWall Prevents Exploitation

Contributing Researchers: Soumy Das and Hasib Vhora

Overview

CVE-2024-38063 is a critical remote code execution vulnerability in the Windows IPv6 stack, with a CVSS score of 9.8. This zero-click, wormable flaw allows an attacker to execute arbitrary code remotely by sending specially crafted IPv6 packets, potentially leading to full system compromise. It affects Windows 10, Windows 11 and Windows Server. Microsoft has released patches, and it is essential to apply them promptly. Given the critical nature of the vulnerability and the likelihood of exploitation in the wild, SonicWall has proactively added mitigations to its firewall and RTDMI products that cover systems where the patch has not yet been applied.

The vulnerability was discovered by a researcher at Cyber KunLun and disclosed by Microsoft in its August 2024 Patch Tuesday release. Because an exploit can be crafted with relative ease, Microsoft has urged users to apply the patches immediately. Some security experts have advised disabling IPv6; Microsoft clarifies that this does mitigate the vulnerability but does not recommend it, since Windows functionality depends on IPv6, and advises patching instead.

SonicWall Protections

The SonicWall firewall protects against CVE-2024-38063 by dropping the malicious IPv6 fragmented packets by default. This happens regardless of how additional security services are configured: whether deep packet inspection (DPI) is enabled or disabled, and whether the firewall is configured to allow smaller IPv6 packets. The firewall's fragment reassembly logic drops the critical packet involved in the exploit, so it never reaches the victim machine. Depending on the firewall's logging configuration, an exploitation attempt may produce a log entry reading "IPv6 fragment was dropped".

Given the wormable nature of this vulnerability, there is a risk that the exploit could be embedded in binaries sent over the network for later use. SonicWall has strengthened its RTDMI sandboxing solution to detect and block Windows or Linux binaries carrying this exploit. This added layer is crucial for identifying and preventing lateral movement and post-exploitation activity, maintaining protection even where some systems remain unpatched.

The Patch

By doing basic patch diffing with the help of Diaphora on the old and new versions of the tcpip.sys driver within Microsoft Windows, it is possible to determine the patch was added to the Ipv6pProcessOptions function.

The updated version adds conditional logic before IppSendErrorList is executed. The vulnerability is an out-of-bounds (OOB) write reached by sending malformed IPv6 packets: the attacker forces packets onto an error list, IppSendErrorList, to set up the conditions for the write. With the patch, packets are added to the list only after their data has been validated; otherwise the code sends an error without adding the packet to the list structure. By ensuring that `IppSendError` and `IppSendErrorList` are only called under appropriate conditions, the patch reduces the risk of incorrect or malicious data being processed. The underlying code path therefore still exists, but the added checks make it far harder, if not impossible, to reach with malicious input.
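Both the firewall behaviour described under SonicWall Protections (fragments dropped during reassembly) and the patch location (option processing in Ipv6pProcessOptions) come down to how the IPv6 extension-header chain is walked. The following Python parser is an added example, not SonicWall's implementation and not from the original post: it walks the chain with every length field bounds-checked, reports fragment fields and any options headers, and applies a conservative edge policy of my own (drop truncated packets and fragments that also carry an options header). The sample packets are constructed inline with the ICMPv6 checksum left at zero; nothing here reproduces the exploit's trigger.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
OPTIONS_HEADERS = {HOP_BY_HOP, DEST_OPTS}


@dataclass
class IPv6Summary:
    chain: List[int] = field(default_factory=list)   # extension headers, in order
    upper_protocol: Optional[int] = None
    fragment_offset: Optional[int] = None             # in 8-octet units
    more_fragments: bool = False
    fragment_id: Optional[int] = None
    malformed: bool = False


def parse_ipv6(pkt: bytes) -> IPv6Summary:
    """Walk the extension-header chain, bounds-checking every length field."""
    s = IPv6Summary()
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        s.malformed = True
        return s
    payload_len, next_hdr = struct.unpack_from("!HB", pkt, 4)
    end = 40 + payload_len
    if end > len(pkt):                 # declared payload longer than the bytes present
        s.malformed = True
        end = len(pkt)
    off = 40
    while next_hdr in EXTENSION_HEADERS:
        if off + 8 > end:              # every extension header is at least 8 octets
            s.malformed = True
            return s
        s.chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            nh, _rsv, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            s.fragment_offset, s.more_fragments, s.fragment_id = off_flags >> 3, bool(off_flags & 1), ident
            hdr_len = 8
        else:
            nh, ext_len = struct.unpack_from("!BB", pkt, off)
            hdr_len = (ext_len + 1) * 8
        if off + hdr_len > end:
            s.malformed = True
            return s
        off += hdr_len
        next_hdr = nh
        if s.fragment_offset:          # non-first fragment: what follows is data, not headers
            break
    s.upper_protocol = next_hdr
    return s


def should_drop(s: IPv6Summary) -> bool:
    """Edge policy of my own (not SonicWall's published logic): drop anything truncated
    or malformed, and fragments that also carry an options header."""
    return s.malformed or (FRAGMENT in s.chain and bool(OPTIONS_HEADERS & set(s.chain)))


# --- constructed sample packets ---------------------------------------------
SRC = bytes.fromhex("fe80" + "00" * 13 + "01")    # fe80::1
DST = bytes.fromhex("fe80" + "00" * 13 + "02")    # fe80::2
ECHO_REQUEST = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # ICMPv6 echo request, checksum left at 0


def ipv6(first_next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), first_next_header, 64) + SRC + DST + payload


def dest_opts(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # 8-octet header holding one PadN option


def fragment(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


PLAIN_ECHO = ipv6(ICMPV6, ECHO_REQUEST)
FIRST_FRAGMENT = ipv6(FRAGMENT, fragment(ICMPV6, 0, True, 0x1234) + ECHO_REQUEST)
OPTS_THEN_FRAGMENT = ipv6(DEST_OPTS, dest_opts(FRAGMENT) + fragment(ICMPV6, 0, True, 0x1234) + ECHO_REQUEST)
TRUNCATED = ipv6(DEST_OPTS, dest_opts(ICMPV6))[:44]   # header promises 8 octets, wire has 4

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_ECHO), ("fragment", FIRST_FRAGMENT),
                      ("opts+fragment", OPTS_THEN_FRAGMENT), ("truncated", TRUNCATED)]:
        s = parse_ipv6(pkt)
        print(f"{name:14} chain={s.chain} malformed={s.malformed} drop={should_drop(s)}")
```

The parser never trusts a length field without checking it against the bytes actually present, which is the discipline the patched driver code now applies before queueing packets onto its error list; the drop policy is intentionally blunt and would need tuning against real traffic before deployment.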

Microsoft Security Bulletin Coverage For August 2024

Overview

Microsoft's August 2024 Patch Tuesday addresses 87 vulnerabilities, 36 of which are elevation of privilege vulnerabilities. The SonicWall Capture Labs threat research team has analyzed Microsoft's security advisories for August 2024 and produced coverage for the vulnerabilities listed below.

Vulnerabilities with Detections

CVE | CVE Title | Signature
CVE-2024-38106 | Windows Kernel Elevation of Privilege Vulnerability | ASPY 6995 Exploit-exe exe.MP_399
CVE-2024-38125 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | ASPY 6996 Exploit-exe exe.MP_400
CVE-2024-38141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | ASPY 6997 Exploit-exe exe.MP_401
CVE-2024-38144 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | ASPY 6998 Exploit-exe exe.MP_402
CVE-2024-38147 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | ASPY 6999 Exploit-exe exe.MP_403
CVE-2024-38148 | Windows Secure Channel Denial of Service Vulnerability | ASPY 593 Exploit-exe exe.MP_404
CVE-2024-38150 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 594 Exploit-exe exe.MP_405
CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability | IPS 4483 Scripting Engine Memory Corruption (CVE-2024-38178)
CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | ASPY 595 Exploit-exe exe.MP_406
CVE-2024-38196 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 596 Exploit-exe exe.MP_407
CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability | RTDMI

Release Breakdown

The vulnerabilities can be classified into the following categories. For August there are seven critical, 79 important and one moderate vulnerability.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that were being actively exploited at the time of disclosure and those that were publicly disclosed before each month's Patch Tuesday release. The chart above displays these metrics for each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE CVE Title
CVE-2024-38126 Windows Network Address Translation (NAT) Denial of Service Vulnerability
CVE-2024-38132 Windows Network Address Translation (NAT) Denial of Service Vulnerability
CVE-2024-38145 Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability
CVE-2024-38146 Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability
CVE-2024-38148 Windows Secure Channel Denial of Service Vulnerability
CVE-2024-38168 .NET and Visual Studio Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE CVE Title
CVE-2024-21302 Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2024-29995 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2024-38084 Microsoft OfficePlus Elevation of Privilege Vulnerability
CVE-2024-38098 Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2024-38106 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38107 Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
CVE-2024-38109 Azure Health Bot Elevation of Privilege Vulnerability
CVE-2024-38117 NTFS Elevation of Privilege Vulnerability
CVE-2024-38125 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38127 Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2024-38133 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38134 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38135 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2024-38136 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2024-38137 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2024-38141 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2024-38142 Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2024-38143 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
CVE-2024-38144 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38147 Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-38150 Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-38153 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38162 Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2024-38163 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-38184 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38185 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38186 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38187 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-38191 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38193 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2024-38196 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-38198 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-38201 Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2024-38202 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-38215 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2024-38223 Windows Initial Machine Configuration Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE CVE Title
CVE-2024-38118 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
CVE-2024-38122 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
CVE-2024-38123 Windows Bluetooth Driver Information Disclosure Vulnerability
CVE-2024-38151 Windows Kernel Information Disclosure Vulnerability
CVE-2024-38155 Security Center Broker Information Disclosure Vulnerability
CVE-2024-38167 .NET and Visual Studio Information Disclosure Vulnerability
CVE-2024-38206 Microsoft Copilot Studio Information Disclosure Vulnerability
CVE-2024-38214 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE CVE Title
CVE-2024-38063 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-38114 Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-38115 Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-38116 Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-38120 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38121 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38128 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38130 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38131 Clipboard Virtual Channel Extension Remote Code Execution Vulnerability
CVE-2024-38138 Windows Deployment Services Remote Code Execution Vulnerability
CVE-2024-38140 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
CVE-2024-38152 Windows OLE Remote Code Execution Vulnerability
CVE-2024-38154 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-38157 Azure IoT SDK Remote Code Execution Vulnerability
CVE-2024-38158 Azure IoT SDK Remote Code Execution Vulnerability
CVE-2024-38159 Windows Network Virtualization Remote Code Execution Vulnerability
CVE-2024-38160 Windows Network Virtualization Remote Code Execution Vulnerability
CVE-2024-38161 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-38169 Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2024-38170 Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-38171 Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2024-38172 Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-38173 Microsoft Outlook Remote Code Execution Vulnerability
CVE-2024-38178 Scripting Engine Memory Corruption Vulnerability
CVE-2024-38180 SmartScreen Prompt Remote Code Execution Vulnerability
CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
CVE-2024-38195 Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-38199 Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

Security Feature Bypass Vulnerability

CVE CVE Title
CVE-2024-38213 Windows Mark of the Web Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE CVE Title
CVE-2024-37968 Windows DNS Spoofing Vulnerability
CVE-2024-38108 Azure Stack Hub Spoofing Vulnerability
CVE-2024-38166 Microsoft Dynamics 365 Cross-site Scripting Vulnerability
CVE-2024-38177 Windows App Installer Spoofing Vulnerability
CVE-2024-38197 Microsoft Teams for iOS Spoofing Vulnerability
CVE-2024-38200 Microsoft Office Spoofing Vulnerability
CVE-2024-38211 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Tampering Vulnerability

CVE CVE Title
CVE-2024-38165 Windows Compressed Folder Tampering Vulnerability

Protect Your Network: Mitigating the Latest Vulnerability (CVE-2024-5008) in Progress WhatsUp Gold

Overview 

The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in Progress WhatsUp Gold, assessed its impact and developed mitigation measures. WhatsUp Gold is network monitoring software that tracks every connected device in the network, providing visibility into the IT infrastructure, with workflows and system integrations for quickly pinpointing and resolving issues.

Identified as CVE-2024-5008, WhatsUp Gold versions prior to 2023.1.3 allow an authenticated threat actor with the Application Monitoring (APM) privilege to upload an arbitrary file, which can further lead to remote code execution, earning a high CVSS score of 8.8. This vulnerability was originally discovered by Le Ngoc Anh (@L3ng0c4nh) and Nguy Minh Tuan (@minhtuanact) of the Sun* Cyber Security Research Team. WhatsUp Gold users are encouraged to upgrade their instances to the latest fixed version, as mentioned by the vendor in the advisory. 

Technical Overview 

This vulnerability arises due to a flaw in the input validation mechanism in the function that handles importing the application profile definition file. WhatsUp Gold allows an authenticated user with Application Monitoring (APM) privilege to import an XML file that defines the application profile to be monitored. The file contains information such as which port is to be monitored and the frequency of polling. This function is accessible at Settings > Application monitoring > Application and profile setup > Application Profiles > Import, as seen in Figure 1. 

Figure 1: Window to import application profile definition 

A diff of AppProfileImportController.cs from Apm.UI.dll between the vulnerable and patched versions shows that the import function now accepts definition files with the .xml extension only, as seen in Figure 2. This implies that the previous version accepted files with dangerous extensions such as .aspx, which can lead to remote code execution.

Figure 2: Diff of affected function 

Triggering the Vulnerability 

Leveraging the vulnerability mentioned above requires the attacker to meet the below prerequisites. 

  • The attacker must have network access to the target vulnerable system
  • The attacker must have the privilege of APM functionality
  • The crafted application profile definition file containing malicious ASP code must be imported with the forged .aspx extension
  • The uploaded file must be requested from the browser to execute the specified code in the previous step

Exploitation 

Exploiting this vulnerability gives the remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and requires no user interaction.

To achieve remote code execution, a crafted application profile definition file containing an ASP.NET payload is uploaded, producing the request seen in Figure 3. Note the file extension changed to .aspx, which is what allows the embedded C# code to execute. This creates a file named poc.aspx in the directory \NM.UI\Content\Apm\Import.

Figure 3: Arbitrary File Creation 

Thereafter, the request to URL http(s)://vuln-whatsup.com/NmConsole/Content/Apm/Import/poc.aspx needs to be made to execute the payload, as seen in the top portion of Figure 4. This request will generate a file ‘C:\POC\poc’ in the affected system, as mentioned in the payload. It will contain the result of the specified command whoami, as seen in the bottom portion of Figure 4. 

Figure 4: Remote Code Execution 

SonicWall Protections 

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released: 

  • IPS: 4482 Progress WhatsUp Arbitrary File Upload 

Remediation Recommendations 

WhatsUp Gold users are strongly encouraged to upgrade their instances to the latest version, as mentioned in the vendor advisory.

Relevant Links 

Beware of Fake WinRar Websites: Malware Hosted on GitHub

Overview

A fake website seemingly distributing WinRar, a data compression, encryption and archiving tool for Windows, has been seen hosting malware. The fake website closely resembles the official one, uses typosquatting, and capitalizes on users who mistype the URL of this well-known archiving application. The initial malware then leads to a slew of malicious components hosted on GitHub, including ransomware, a cryptominer and an infostealer.

Infection Cycle

The malicious website URL is win-rar.co, which is very close to the official website win-rar.com. Mistyping the URL and dropping the “m” in “.com” leads an unsuspecting user to this fake website.

Figure 1: Fake website Win-rar.co mimicking the official Win-rar.com website.

This fake website has been seen to host a malicious shell script named zx.ps1.

Figure 2: Shell script zx.ps1 hosted on the fake WinRar website

This initial file leads to the download of more malicious files hosted on GitHub. Upon visiting the main GitHub project page, “encrypthub,” we found what we presume are all the component files used in this malware attack.

Figure 3: Main malware project page hosted on GitHub

Notice that all of these files were uploaded just last week. Each directory contains malware files used for the following purposes:

  • Exclusions – adds Windows Defender exclusions
  • HVNC – installs a VNC server with ngrok
  • Locker – ransomware
  • Miner – cryptominer
  • Stealer – Kematian Stealer, a known information-stealing trojan that has been actively distributed on GitHub
  • Tgreport – sends a Telegram message
  • Worm – injects shellcode into PE files
  • Zakrep – the initial script that ties all of these together
  • Shellcode.ps1 – a copy of the zx.ps1 hosted on win-rar.co

Interestingly, all the shell scripts on this project page start by sending a message to a Telegram account with the system’s computer name, username and geolocation.

Figure 4: All ps1 files begin with the shell script of sending a Telegram message

At the time of analysis, we have not observed all components seen on GitHub from this project page being used in one attack. However, this certainly demonstrates how cybercriminals have multiple tools under their belts that can be used in multi-staged malware attacks.

As always, we urge our users to only use official and reputable websites as their source of software downloads. Always be vigilant and cautious when installing software programs, particularly if you are not certain of the source.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Malagent.ZXPS(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and Capture Client endpoint solutions.

Protecting SmartPLC Devices from Critical Hardcoded Credential Vulnerability CVE-2024-28747

Overview 

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-28747, a vulnerability in SmartPLC devices, assessed its impact and developed mitigation measures for this vulnerability. 

This hard-coded credential vulnerability affects SmartPLC devices, specifically the AC14xx and AC4xxS models, with firmware versions up to and including 4.3.17. It allows unauthenticated remote attackers to gain high-privilege access using the hard-coded username “target” and password “target” embedded in the firmware. An attacker can exploit this flaw to access the device configuration and execute various commands, significantly compromising the security of the affected systems. The vulnerability has a CVSS base score of 9.8, indicating a critical level of severity due to its easy exploitability and severe impact on confidentiality, integrity and availability. Classified under CWE-798, it highlights the dangers of using hard-coded credentials in firmware. The exploit prediction scoring system (EPSS) gives it a 0.09% probability of exploitation within the next 30 days, placing it in the 39th percentile of vulnerabilities most likely to be exploited. We anticipate the EPSS score may increase in the next 30 days as a result of this publication. It is recommended to update to firmware version 6.1.8 or later. For more details and mitigation steps, refer to the advisory on CERT VDE and the National Vulnerability Database (NVD).

Technical Overview 

In the affected versions listed above, the presence of hard-coded credentials in the firmware allows an attacker to log in to the device over the telnet service. The telnet server, as configured in xinetd.d, transmits username/password pairs without encryption, which magnifies the risk. Once logged in, the attacker can use these credentials to obtain high-level privileges on the SmartPLC device.

PASSWD Information 

The passwd file in the etc directory provides critical information on the user accounts (see Figure 1). The ‘target’ user account has a hashed password that was successfully cracked (see Figure 2), revealing the credentials for remote access.

Figure 1: PASSWD Entry Hash 

In Figure 1, the entry in the passwd file can be broken down into individual components: 

  • Username: The user’s login name 
  • Password: Encrypted or hashed password 
  • User ID (UID): Numerical ID of the user 
  • Group ID (GID): Numerical ID of the user’s primary group 
  • User Info: A comment field 
  • Home Directory: Path to the user’s home directory 
  • Shell: Path to the user’s login shell

Figure 2: John the Ripper cracked password 

User Groups 

Each user belongs to specific groups, as defined in the /etc/group file (see Figure 3), which dictates their permissions and access levels within the system. 

Figure 3: User group 
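As an added example (not the device's own tooling), a small Python audit that parses passwd and group content into the fields listed above and flags accounts that can still log in; the sample entries are constructed, not the SmartPLC firmware's real ones:

```python
from collections import namedtuple

# Constructed sample passwd/group data; the real entries are only in the post's figures.
PASSWD = """\
root:$1$CONSTRUCT$AAAAAAAAAAAAAAAAAAAAAA:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
target:$1$CONSTRUCT$BBBBBBBBBBBBBBBBBBBBBB:1000:1000:target:/home/target:/bin/sh
nobody:!:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = "root:x:0:\nwheel:x:10:target\ntarget:x:1000:\n"
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm"}
Account = namedtuple("Account", "name password uid gid gecos home shell")

def parse_passwd(text):
    """Parse passwd lines into Account tuples, rejecting malformed lines."""
    accounts = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts.append(Account(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return accounts

def parse_groups(text):
    """Map each user to the supplementary groups that list it as a member."""
    membership = {}
    for line in filter(None, text.splitlines()):
        name, _pw, _gid, members = line.split(":")
        for user in filter(None, members.split(",")):
            membership.setdefault(user, set()).add(name)
    return membership

def can_login(acct):
    # '*', '!' or '!!' lock the account; an EMPTY password field means no
    # password at all, so only a real lock marker counts as "cannot log in".
    locked = acct.password.startswith(("*", "!"))
    return not locked and acct.shell not in NOLOGIN_SHELLS

def audit(passwd_text, group_text):
    """Return {name: notes} for accounts able to log in, with why each is risky."""
    groups = parse_groups(group_text)
    findings = {}
    for acct in filter(can_login, parse_passwd(passwd_text)):
        notes = ["uid 0"] if acct.uid == 0 else []
        priv = groups.get(acct.name, set()) & PRIVILEGED_GROUPS
        if priv:
            notes.append("member of " + ",".join(sorted(priv)))
        findings[acct.name] = notes
    return findings
```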

Telnet Service Configuration 

The telnet service is configured to run as root (see Figure 4), granting high-level access upon successful login. The configuration does not disable the service, and log_on_failure includes USERID for tracking.

Figure 4: Telnet service configuration 

Explanation of Parameters

  • flags = REUSE: This flag indicates that the server should reuse the socket for multiple connections. It allows the same socket to be used for new incoming connections without closing and reopening it. 
  • socket_type = stream: This specifies the type of socket used. “stream” indicates a stream socket, typically used for TCP connections, which provides reliable, ordered, and error-checked delivery of a stream of bytes. 
  • wait = no: This setting specifies whether the server should wait for the process handling the connection to complete before accepting new connections. “no” means that the server can handle multiple connections simultaneously. 
  • user = root: This specifies the user account under which the telnet daemon (telnetd) will run. “root” means that the telnetd will run with root privileges, which can pose a security risk if not properly secured. 
  • server = /usr/sbin/telnetd: This specifies the path to the telnet server daemon that will handle the incoming telnet connections. 
  • server_args = -i: This provides additional arguments to the server daemon. The “-i” option typically indicates that the server should operate in “inetd” mode, meaning it is controlled by the inetd super-server. 
  • log_on_failure += USERID: This directive specifies logging options. “USERID” indicates that the server should log the user ID of the failed connection attempts. 
  • disable = no: This indicates whether the service is enabled or disabled. “no” means that the telnet service is enabled and can accept connections.
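An added Python example (not from the post or the vendor) that parses a stanza of this shape and reports the two settings that matter most, beside the corrected value; the stanza is constructed to match the parameters listed above:

```python
import re

# Constructed xinetd.d/telnet stanza reproducing the parameters listed above
TELNET_STANZA = """\
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/telnetd
    server_args     = -i
    log_on_failure  += USERID
    disable         = no
}
"""

_PARAM = re.compile(r"^\s*(\w+)\s*(\+=|=)\s*(.*?)\s*$")

def parse_stanza(text):
    """Parse one xinetd service block into {key: value}; '+=' appends."""
    params = {}
    for line in text.splitlines():
        m = _PARAM.match(line)
        if not m:
            continue                      # 'service telnet', braces, blanks
        key, op, value = m.groups()
        if op == "+=":
            params[key] = (params.get(key, "") + " " + value).strip()
        else:
            params[key] = value
    return params

def audit_telnet(params):
    """Return the findings a reviewer would raise against this stanza."""
    findings = []
    if params.get("disable", "no").lower() != "yes":
        findings.append("telnet enabled: credentials and session travel in cleartext")
    if params.get("user", "root") == "root":      # xinetd defaults to root
        findings.append("telnetd runs as root: a successful login lands in a root context")
    return findings

def harden(params):
    """Return a copy with the service disabled, the only safe value for
    telnet; interactive access should move to SSH."""
    fixed = dict(params)
    fixed["disable"] = "yes"
    return fixed
```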

Exploitation 

An attacker can remotely gain unauthorized access with high privileges by following these steps: 

  • Identify the Target Device: The attacker first identifies an ifm Smart PLC device running the vulnerable firmware. This can be achieved by scanning networks for devices using the specific model signatures or known IP ranges. 
  • Initiate a Telnet Session: Using a telnet client, the attacker connects to the device’s telnet service. The telnet configuration on the device is set to allow root access without encryption, making it susceptible to interception and exploitation. 
  • Utilize Hard-Coded Credentials: The attacker inputs the hard-coded credentials (target:target) during the login prompt. These credentials are known to be hard-coded within the firmware and have been successfully cracked using tools like John the Ripper. 
  • Gain Root Access: Upon successful login, the attacker gains root privileges on the device due to the telnet service running under the root user context. This allows full control over the device, enabling the attacker to modify configurations, access sensitive data, or disrupt operations. 
  • Leverage Access for Further Exploitation: With root access, the attacker can potentially exploit other vulnerabilities within the network, establish persistent backdoors, or pivot to other systems connected to the same network.

This vulnerability poses a significant risk as it allows for a complete takeover of industrial control systems, potentially leading to severe operational disruptions.  

SonicWall Protections 

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released: 

  • IPS: 20183 ifm SmartSPS Default Account Login

Remediation Recommendations 

The risks posed by this vulnerability can be mitigated or eliminated by: 

  • Removing or replacing hard-coded credentials.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Ensuring that users do not have unnecessary high privileges.
  • Updating to firmware version 6.1.8 or later.

Relevant Links 

VDE-2024-012 ifm: Vulnerabilities in ifm AC14 firmware 

National Vulnerability Database (NVD) 

Common Vulnerability Scoring System Calculation 

CWE-798: Use of Hard-coded Credentials 

CVE Numbering Authority (CNA) Partner Information 

ifm electronic GmbH 

GeoServer RCE Vulnerability (CVE-2024-36401) Being Exploited In the Wild

Overview

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in GeoServer, assessed its impact and developed mitigation measures. GeoServer is a community-driven project that allows users to share and edit geospatial data. It supports industry-standard OGC protocols, including Web Feature Service (WFS), Web Map Service (WMS) and Web Coverage Service (WCS). Identified as CVE-2024-36401, GeoServer versions before 2.24.4, 2.25.2 and 2.23.6 allow an unauthenticated threat actor to execute arbitrary code remotely, earning a critical CVSS score of 9.8. Since this vulnerability has made its way into CISA’s Known Exploited Vulnerabilities (KEV) Catalog, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability is caused by a flaw in the GeoTools library API used by GeoServer to process attribute names. The API passes the names in an unsafe way to the commons-jxpath library, which poses a risk of executing arbitrary code when evaluating XPath expressions. According to the advisory, the XPath evaluation is meant to be used only by complex feature types such as Application Schema data stores. However, it is also mistakenly applied to simple feature types, making the vulnerability applicable to all GeoServer instances.

Triggering the Vulnerability

The vulnerability can be leveraged through Open Geospatial Consortium (OGC) request parameters such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute. For instance, the sample request with a malicious payload could be crafted as seen in Figure 1. Notice the Linux “touch” command in the ValueReference attribute of the GetPropertyValue tag.

Figure 1: Sample attack request
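A defender-side check, added here as a Python example (not GeoServer or GeoTools code), that pulls the ValueReference/PropertyName values out of a WFS request and flags any that are not plain property paths; both sample requests are constructed, and the 'call(...)' shape is a placeholder, not the real syntax:

```python
import re
import xml.etree.ElementTree as ET

# A legitimate value reference is a property name or a simple path of names,
# optionally namespace-prefixed, e.g. "the_geom" or "topp:states/topp:NAME".
# Quotes, parentheses and whitespace never belong in one, so anything that
# fails this grammar should be refused before it reaches an XPath evaluator.
_STEP = r"@?(?:[A-Za-z_][\w.-]*:)?[A-Za-z_][\w.-]*"
SAFE_REFERENCE = re.compile(rf"^{_STEP}(?:/{_STEP})*$")
REFERENCE_NAMES = {"valueReference", "ValueReference", "PropertyName"}

def _local(name):
    """Strip an XML namespace in Clark notation: '{ns}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]

def extract_references(xml_text):
    """Collect every value reference carried as an attribute or element text."""
    root = ET.fromstring(xml_text)
    refs = []
    for el in root.iter():
        for attr, value in el.attrib.items():
            if _local(attr) in REFERENCE_NAMES:
                refs.append(value.strip())
        if _local(el.tag) in REFERENCE_NAMES and el.text:
            refs.append(el.text.strip())
    return refs

def suspicious_references(xml_text):
    """Return the references that are not plain property paths."""
    try:
        refs = extract_references(xml_text)
    except ET.ParseError:
        return ["<unparseable request body>"]
    return [r for r in refs if not SAFE_REFERENCE.match(r)]

# Constructed requests: the first uses a plain property path; the second puts a
# command string inside a function-call shape where only a name belongs.
BENIGN = """<wfs:GetPropertyValue service="WFS" version="2.0.0"
  xmlns:wfs="http://www.opengis.net/wfs/2.0" valueReference="topp:the_geom">
  <wfs:Query typeNames="topp:states"/>
</wfs:GetPropertyValue>"""

SUSPECT = """<wfs:GetPropertyValue service="WFS" version="2.0.0"
  xmlns:wfs="http://www.opengis.net/wfs/2.0"
  valueReference='call("touch /tmp/poc2")'>
  <wfs:Query typeNames="topp:states"/>
</wfs:GetPropertyValue>"""
```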

The flaw was addressed by a patch that improves the handling of XPath expressions in GeoTools. For instance, the improved XmlXpathUtilites class used to evaluate XPath values can be seen in Figure 2.

Figure 2: Patched XmlXpathUtilites Class

Leveraging the vulnerability described above requires the attacker to have network access to the vulnerable target system and to send a maliciously crafted request, as seen in Figure 1. Successful exploitation results in the creation of a file named ‘poc2’ in the /tmp/ directory, as seen in Figure 3.

Figure 3: Execution of POC

Exploitation

To exploit this vulnerability, an attacker must send a request with a system command in any of the following fields: WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic or WPS Execute. Exploiting this vulnerability allows a remote threat actor to execute arbitrary code on the server, with a high impact on the confidentiality, integrity and availability of the system and without requiring user interaction. Exploitation of the affected system using the WFS GetFeature field and ncat commands is demonstrated in Figure 4.

Figure 4: Exploit in action

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20144 GeoServer OGC Remote Code Execution
  • IPS: 20145 GeoServer OGC Remote Code Execution 2
  • IPS: 20182 GeoServer OGC Remote Code Execution 3

Remediation Recommendations

Considering that the vulnerability is being exploited in the wild and that a public POC is available, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Users who cannot upgrade their instances right away can remove the file gt-complex-x.y.jar (where x.y is the GeoTools version) from their GeoServer instance; GeoTools versions prior to 30.4, 31.2 and 29.6 are vulnerable. Although this removes the vulnerable code, it may break certain legitimate GeoServer functionality. The path of the gt-complex module is WEB-INF/lib/gt-complex-x.y.jar for WAR-based deployments and webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar for binary-based deployments.
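An added Python example (not GeoServer tooling) that applies the version thresholds above to the jar names found in a lib directory; the jar names used for checking are constructed:

```python
import os
import re

# Fixed GeoTools versions per maintained branch, from the remediation text:
# 29.x fixed in 29.6, 30.x in 30.4, 31.x in 31.2. Branches older than 29 are
# assumed never to have received a fix; newer branches ship with it.
FIXED = {29: (29, 6), 30: (30, 4), 31: (31, 2)}

_JAR = re.compile(r"^gt-complex-(\d+)\.(\d+)(?:\.\d+)?\.jar$")

def parse_gt_complex(filename):
    """Return (major, minor) for a gt-complex jar name, else None."""
    m = _JAR.match(os.path.basename(filename))
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_vulnerable(version):
    """True when the GeoTools version is below its branch's fixed release."""
    major, _minor = version
    fixed = FIXED.get(major)
    if fixed is None:
        return major < min(FIXED)         # unfixed old branch vs. newer branch
    return version < fixed

def find_vulnerable_jars(filenames):
    """Filter jar names down to those carrying a vulnerable gt-complex."""
    hits = []
    for name in filenames:
        version = parse_gt_complex(name)
        if version is not None and is_vulnerable(version):
            hits.append(name)
    return hits

def scan_lib_dir(lib_dir):
    """Scan a GeoServer WEB-INF/lib directory (path supplied by the caller)."""
    return find_vulnerable_jars(sorted(os.listdir(lib_dir)))
```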

Relevant Links