MICROSOFT SECURITY BULLETIN COVERAGE FOR MAY 2024

Overview

Microsoft’s May 2024 Patch Tuesday has 59 vulnerabilities, 25 of which are Remote Code Execution vulnerabilities. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2024 and has produced coverage for 9 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE | CVE Title | Signature
CVE-2024-29996 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 568 Exploit-exe exe.MP_383
CVE-2024-30025 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 569 Exploit-exe exe.MP_384
CVE-2024-30032 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 570 Exploit-exe exe.MP_385
CVE-2024-30034 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | ASPY 571 Exploit-exe exe.MP_386
CVE-2024-30035 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 572 Exploit-exe exe.MP_387
CVE-2024-30037 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 567 Exploit-exe exe.MP_382
CVE-2024-30044 | Microsoft SharePoint Server Remote Code Execution Vulnerability | IPS 15674 Microsoft SharePoint Server Remote Code Execution (CVE-2024-30044)
CVE-2024-30050 | Windows Mark of the Web Security Feature Bypass Vulnerability | IPS 15666 Windows Mark of the Web Security Feature Bypass (CVE-2024-30050)
CVE-2024-30051 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 566 Malformed-docx docx.MP_11

Release Breakdown

The vulnerabilities can be classified into the following categories:

For May, there are 57 critical, 1 important and 1 moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE-2024-30011 Windows Hyper-V Denial of Service Vulnerability
CVE-2024-30019 DHCP Server Service Denial of Service Vulnerability
CVE-2024-30046 ASP.NET Core Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2024-26238 Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability
CVE-2024-29994 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-29996 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-30007 Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2024-30018 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30025 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-30027 NTFS Elevation of Privilege Vulnerability
CVE-2024-30028 Win32k Elevation of Privilege Vulnerability
CVE-2024-30030 Win32k Elevation of Privilege Vulnerability
CVE-2024-30031 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2024-30032 Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30033 Windows Search Service Elevation of Privilege Vulnerability
CVE-2024-30035 Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30037 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-30038 Win32k Elevation of Privilege Vulnerability
CVE-2024-30049 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-30051 Windows DWM Core Library Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE-2024-30008 Windows DWM Core Library Information Disclosure Vulnerability
CVE-2024-30016 Windows Cryptographic Services Information Disclosure Vulnerability
CVE-2024-30034 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-30036 Windows Deployment Services Information Disclosure Vulnerability
CVE-2024-30039 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-30043 Microsoft SharePoint Server Information Disclosure Vulnerability
CVE-2024-30054 Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE-2024-29997 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-29998 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-29999 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30000 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30001 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30002 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30003 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30004 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30005 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-30009 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30010 Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-30012 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30014 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30015 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30017 Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-30020 Windows Cryptographic Services Remote Code Execution Vulnerability
CVE-2024-30021 Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30022 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30023 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30024 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30029 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30042 Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-30044 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-30045 .NET and Visual Studio Remote Code Execution Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2024-30040 Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-30050 Windows Mark of the Web Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2024-30041 Microsoft Bing Search Spoofing Vulnerability
CVE-2024-30047 Dynamics 365 Customer Insights Spoofing Vulnerability
CVE-2024-30048 Dynamics 365 Customer Insights Spoofing Vulnerability
CVE-2024-30053 Azure Migrate Cross-Site Scripting Vulnerability

Tampering Vulnerabilities

CVE-2024-30059 Microsoft Intune for Android Mobile Application Management Tampering Vulnerability

RSAC 2024: Don’t Call It a Comeback, We’ve Been Here for Years

A New Chapter

RSAC 2024 is officially in the books, and it was incredible! Seeing the cybersecurity community gather to showcase new products and capabilities while networking and sharing ideas was invaluable. We’ve recently adopted a new tagline here at SonicWall – “Never Alone. Relentless Security.” And we were certainly never alone at RSAC 2024, as we set a new all-time record for booth visitors! That’s quite the achievement for a company that’s been at it for over 32 years. But this new motto has much greater meaning to us and our values as a company. It highlights our dedication to our partner community and reminds us that we are never alone when we work together, and it keeps our pursuit of relentless security and in-house expertise top of mind. We had a lot of “new” at RSAC this year – new motto, new products, new faces, new strategies and more. Let’s dive into some of the highlights for SonicWall this year.

Upping Our Game

This year, we wanted our booth to stand out from the crowd, opting for a clear, white background with a pop of vibrant SonicWall orange. These bright, inviting colors made our booth shine in a sea of the more typical colors found at security conferences.

Figure 1: Our amazing team gathered at the SonicWall booth.

We kept our “drip” cohesive and unified with matching shirts and SonicWall-branded custom Nikes. Wherever we went, people knew we were with SonicWall – and they were definitely jealous when they saw the shoes.

Figure 2: Our custom SonicWall Nikes

We kept visitors engaged at our booth with a challenging lockpicking exercise, handing out prizes to anyone who could successfully pick the lock. We also provided prizes to anyone who engaged with a demo or presentation. And yes, we did give away a pair of our stunning custom Nikes as a prize.

As a company that’s made two acquisitions in the past five months, it was important for us to show up as one company, and I think we knocked it out of the park. Not only did we show up as a unified whole repping SonicWall and our firewalls, but we also covered cloud security and our new Managed Detection and Response (MDR) services in our live talks. We’ve grown a lot in the past year, and we wanted our visitors to experience the new SonicWall.

SonicWall Brings the Heat

This conference wasn’t just about us dropping a hot new shoe into the world of sneaker-heads – that was an added bonus. We also used RSAC to debut our latest, innovative cybersecurity platform, SonicPlatform. SonicPlatform is designed to unify all SonicWall products into a single integrated interface, and it was met with rave reviews, being named one of the 20 coolest cybersecurity products at RSAC this year by CRN.

CRN was impressed by SonicPlatform’s enablement of our MSP and MSSP partners to efficiently manage multiple client environments, automate key tasks, reduce operational costs, enhance service delivery and garner valuable insights—all through a single, user-friendly interface. You can read more about SonicPlatform in our press release.

And SonicPlatform wasn’t the only attention-grabber for us – SecureIQLab honored us with their Advanced Cloud Firewall Contender Award as well.

Riding the Wave of Momentum

We weren’t the only ones who thought what we brought to the table was cool. Several media members came by the booth to meet with executives and get a first-hand experience with the new SonicPlatform. As a result, we’ve seen several stories published in addition to the announcement by CRN listed above:

Figure 3: CNBC filming a demo of the new SonicPlatform

We Came, We Saw, We Conquered

We had several goals in mind for RSAC this year. We came in to stand out from the crowd, show off our unification and cohesion as a company, and showcase some of our most exciting new products. I think it’s fair to say we accomplished all of that and much more. It wouldn’t have been possible without our SonicWall team working tirelessly to make this happen – especially those on the ground at the event who showed up with ambition, pride and wonderful smiles each day. Let’s make breaking records and raising the bar a SonicWall tradition, not just at RSAC, but in all things we do. For now, that’s a wrap on RSAC 2024.

Experience Seamless Onboarding with SonicExpress 2.4.0

“In 2024, worldwide smartphone shipments are expected to grow 4.2%, totaling 1.2 billion units year over year” -Gartner® [1]

Global sales of smartphones are increasing every year, and with that, the number of users accessing applications is increasing along with the use of the web for office-related tasks. Network admins are also using mobile devices to get work done: these devices allow them to extend their presence, enabling faster responses and easier network configuration and setup.

As part of our commitment to anytime, anywhere cybersecurity, users can use the SonicExpress mobile app to manage their SonicWall devices. The SonicExpress mobile app simplifies firewall onboarding with device registration, initial setup, basic configuration and monitoring for Gen 7 SonicWall next-generation firewalls (NGFWs). The application also simplifies the onboarding process for SonicWall Access Points and Switches. Designed for Apple and Android platforms, the SonicExpress app is now available for download from the Apple App Store and the Google Play Store.

Onboarding As Easy As 1, 2, 3

The typical onboarding process involves device registration and several other steps that must be completed to get new SonicWall devices ready for configuration and use. With SonicExpress, onboarding of SonicWall devices can be completed with three simple steps.

  1. Launch the SonicExpress App on a mobile device
  2. Connect a mobile device via USB cable or HTTPS to a new SonicWall device
  3. Complete the setup

Designed with intuitive interfaces, the SonicExpress app guides the user through device registration and initial setup in less than a minute.

Simplified Initial Firewall Setup

Zero-touch deployments require firewalls to connect to the internet using a DHCP address on the WAN interface. However, in specific deployments, WAN interfaces are assigned static IP addresses or configured over a PPPoE interface. There is typically no internet connectivity for firewalls being set up for closed network deployments. SonicExpress helps with these deployments and other initial setup configurations by connecting the firewall using the USB interface.

The SonicExpress Setup Guide walks users through registering their firewalls and setting up specific deployment use cases. Alternatively, users can register the firewall without going through the entire setup process by simply scanning a QR code.

Monitoring your SonicWall Devices and Wireless Network Manager (WNM)

The SonicExpress app allows users to monitor SonicWall devices and Wireless Network Manager (WNM) for threat alerts, resource utilization and system status via an intuitive dashboard. It offers the flexibility of being able to check the health of your network from anywhere and the convenience of making easy, quick changes to ensure the security posture of your network.

For a firsthand look at the new SonicExpress App, you can download the mobile application directly from the Apple App Store or Google Play Store today.

[1] Gartner Press Release, “Gartner Predicts Worldwide Shipments of AI PCs and GenAI Smartphones to Total 295 Million Units in 2024,” February 7, 2024. https://www.gartner.com/en/newsroom/press-releases/2024-02-07-gartner-predicts-worldwide-shipments-of-ai-pcs-and-genai-smartphones-to-total-295-million-units-in-2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Remcos Is Pairing with PrivateLoader to Extend Its Capabilities

Overview

This week, the SonicWall Capture Labs threat research team investigated a sample of the RemcosRAT that uses a PrivateLoader module to provide additional data and persistence on the victim’s machine. By installing VB scripts, altering the registry and setting up services to restart the malware at variable times or by control, this malware is able to infiltrate a system completely and remain undetected.

Infection Cycle

The sample is detected as a 32-bit PE file with no packer or protector.

Figure 1: Initial detection

When looking into the sections and API calls of the file, different tools give different reports. Detect It Easy shows API calls that have been cleared (to obfuscate what they’re doing), and TLS (Thread Local Storage) functionality, meaning that malicious code can be prepared or run before the main file has started at its entry point. PEStudio, however, shows all available API calls but no TLS functionality.

Figure 2: Every call from ws2_32.dll has been obfuscated

Figure 3: A separate tool shows all hidden calls

Once functions are properly labeled, the file is shown to have the following capabilities:

  • Anti-analysis/ Anti-VM
    • GetSystemTimeAsFileTime
    • GetTickCount
    • IsDebuggerPresent
    • IsProcessorFeaturePresent
    • QueryPerformanceCounter
    • QueryPerformanceFrequency
  • System Enumeration
    • CreateToolhelp32Snapshot
    • EnumDisplaySettingsW
    • EnumServicesStatusW
    • EnumSystemLocalesW
    • EnumWindows
    • FindFirstFileA/Ex/W
    • FindNextFileA/Ex/W
    • GetClipboardData
    • GetCurrentProcessId
    • GetCurrentThreadId
    • GetEnvironmentStrings
    • GetLogicalDriveStringsA
    • GetLocalTime
    • GetLocaleInfoA/W
    • GetNativeSystemInfo
    • GetStartupInfo
    • GetTimeZoneInformation
    • GetUserDefaultLCID
    • GetWindowThreadProcessId
    • IsLocaleValid
    • OpenClipboard
    • RegEnumKeyA/W
    • RegEnumValueA/W
    • SystemParametersInfoW
  • Monitoring
    • GetCursorPos
    • GetForegroundWindow
    • GetKeyState
    • GetKeyboardLayout
    • GetKeyboardState
    • Mouse_event
    • ReadProcessMemory
    • SetWindowsHookExA
    • waveInAddBuffer
    • waveInStart
  • Process Injection
    • GetProcessId
    • GetModuleHandleA/Ex/W
    • CreateProcessA/W
    • Process32FirstW
    • ProcessNextW
    • VirtualAlloc
    • VirtualFree
    • VirtualProtect
    • WriteProcessMemory
  • Persistence
    • AdjustTokenPrivilege
    • ControlService
    • GetTempFileNameW
    • LookupPrivilegeValueA
    • OpenProcess
    • OpenProcessToken
    • RegCreateKeyA/Ex/W
    • RegDeleteKeyA/Ex/W
    • RegDeleteValueA/Ex/W
    • RegSetValueA/Ex/W
    • ShellExecuteExA/W
    • WriteFile
  • Communication
    • InternetOpenUrlW
    • InternetReadFile
    • URLDownloadToFileW
    • URLOpenBlockingStreamW
    • Inet_addr
    • Gethostbyaddr
    • Gethostbyvalue
    • getservbyvalue
    • Connect
    • Send
    • socket
    • Recv

Runtime shows that if security checks are not initially cleared by modules within ntdll.dll, the main portion of the executable will not be touched before it exits. No files are dropped, and nothing is injected into memory.

Figure 4: Beginning of the security check function

Once security has been passed, which consists of VM, locale, timezone and analysis tool enumeration, two files are dropped.

  • C:\Users\user\AppData\Local\Temp\install.vbs
  • C:\Users\user\AppData\Roaming\data\notepads.exe

Notepads.exe is a copy of the parent executable placed for persistence. The script contains the following four lines and is deleted once executed – there is no check on whether or not this action is successful. The script will simply delete itself if it is run before ‘notepads.exe’ is dropped.

Figure 5: Install.vbs contents

User security access is then checked. If applicable, Windows User Account Control (UAC) is disabled with the following command to allow for privileged access:

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Figure 6: UAC is disabled

At this point, the system is enumerated fully and hooks are implemented to track keystrokes, mouse actions, audio and screen grabs. Browsers are targeted by searching the following locations for login and cookie data; clipboard contents are also pulled:

  • \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • \AppData\Local\Google\Chrome\User Data\Default\Cookies
  • \AppData\Roaming\Mozilla\Firefox\Profiles\
  • \Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • \AppData\Local\Microsoft\Edge\
  • \Opera Software\Opera Stable\
  • \User Data\Default\Network\Cookies

This information is stored in ‘logins.json’ and ‘key3.db’, also seen in the screenshot below.

Figure 7: Browser paths and storage files

Once complete, ‘notepads.exe’ will open a socket on the system and reach out to two URLs. The first is a GET request to geoplugin(dot)net/json.gp, which returns geographic information pertaining to the victim’s IP address. The second is to nuevosremcs.duckdns.org. Once a connection is made, a config file is created and sent to the server. Here is the configuration observed during runtime:

{
  "Host:Port:Password": "nuevosremcs.duckdns.org:9090:1",
  "Assigned name": "Nuevos",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\Run": "Enable",
  "Setup HKLM\Run": "Enable",
  "Install path": "AppData",
  "Copy file": "notepads.exe",
  "Startup value": "system32",
  "Hide file": "Disable",
  "Mutex": "Rmc-WRNU47",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}

At this point the C2 has assumed control and can remotely stop, start and engage further monitoring or file downloads for other functionality.
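As an added defensive example (not part of the original analysis and not SonicWall’s signature logic), the following Python matches the host and network indicators described above against constructed sample telemetry. The simplified key=value record format, the generalization of the mutex name to the Rmc- prefix, and the severity levels are assumptions made here.

```python
import re

# Constructed sample telemetry (simplified key=value records, not real logs).
# The command line, paths, mutex and domains are the ones reported in the analysis above.
SAMPLE_EVENTS = [
    'type=process cmdline="/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"',
    'type=file path="C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"',
    'type=file path="C:\\Users\\user\\AppData\\Roaming\\data\\notepads.exe"',
    'type=mutex name="\\Sessions\\1\\BaseNamedObjects\\Rmc-WRNU47"',
    'type=dns query="nuevosremcs.duckdns.org"',
    'type=dns query="geoplugin.net"',
    'type=process cmdline="notepad.exe C:\\Users\\user\\readme.txt"',
    'type=file path="C:\\Users\\user\\AppData\\Local\\Temp\\setup.log"',
]

# UAC tampering: reg.exe writing EnableLUA=0 under the System policy key.
UAC_DISABLE_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+.*policies\\system.*?/v\s+enablelua\b.*?/d\s+0\b',
    re.IGNORECASE,
)
# Dropped artifacts named in the analysis, matched on the path suffix so any profile matches.
DROPPED_FILE_SUFFIXES = (
    r'\appdata\local\temp\install.vbs',
    r'\appdata\roaming\data\notepads.exe',
)
# The sample's mutex was Rmc-WRNU47. Matching the "Rmc-" prefix plus six characters is an
# assumption made in this example, not something the analysis above states.
MUTEX_RE = re.compile(r'\\Rmc-[A-Z0-9]{6}$', re.IGNORECASE)
C2_DOMAIN = 'nuevosremcs.duckdns.org'
GEOIP_DOMAIN = 'geoplugin.net'


def parse_event(line):
    """Turn 'key=value key="quoted value"' into a dict with quotes stripped."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def evaluate_event(event):
    """Return (severity, rule, evidence) for one event, or None if no rule fires."""
    kind = event.get('type')
    if kind == 'process':
        cmd = event.get('cmdline', '')
        if UAC_DISABLE_RE.search(cmd):
            return ('high', 'uac_disabled_via_reg', cmd)
    elif kind == 'file':
        path = event.get('path', '').lower()
        if any(path.endswith(suffix) for suffix in DROPPED_FILE_SUFFIXES):
            return ('high', 'remcos_dropped_file', event['path'])
    elif kind == 'mutex':
        name = event.get('name', '')
        if MUTEX_RE.search(name):
            return ('high', 'remcos_mutex', name)
    elif kind == 'dns':
        query = event.get('query', '').lower()
        if query == C2_DOMAIN:
            return ('high', 'remcos_c2_domain', query)
        if query == GEOIP_DOMAIN:
            # Used by the RAT to geolocate the victim, but also by benign software:
            # informational only, useful for correlation with the other hits.
            return ('low', 'geoip_lookup', query)
    return None


def scan(lines):
    """Run every rule over the telemetry lines; returns the hits in input order."""
    hits = []
    for line in lines:
        hit = evaluate_event(parse_event(line))
        if hit:
            hits.append(hit)
    return hits


def summarize(hits):
    """Count hits per severity so an analyst can triage quickly."""
    counts = {'high': 0, 'low': 0}
    for severity, _, _ in hits:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == '__main__':
    for severity, rule, evidence in scan(SAMPLE_EVENTS):
        print(f'[{severity}] {rule}: {evidence}')
    print(summarize(scan(SAMPLE_EVENTS)))
```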

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

  • PrivateLoader

IOCs

Parent sample / Notepads.exe: 27bb3968cc18fb0df5b14e6d1b805552

Install.vbs: a7fe45cc57afb3dba91ab77483fffa0a

Mutex Created

  • \Sessions\1\BaseNamedObjects\Rmc-WRNU47

IP Addresses

  • 246.82.10
  • 237.33.50

URLs

  • http://geoplugin.net/json.gp
  • duckdns.org

CRN Recognizes Five SonicWall Standouts on the 2024 Women of the Channel List

SonicWall announced today that CRN®, a brand of The Channel Company, has named Michelle Ragusa-McBain, Global Channel Chief, to the 2024 Women of the Channel Power 100, an elite subset of prominent leaders selected from the CRN® 2024 Women of the Channel list, which included four more SonicWall employees – Christine Bartlett, CMO; Katie Ralph, Director of Solutions Engineering (EMEA); Alice Strange, Senior Territory Account Manager; and Trisha O’Rourke, Senior Sales Manager.

Every year, CRN highlights women from vendor, distributor and solution provider organizations whose vision and leadership have a beneficial influence on the technology industry. The CRN 2024 Women of the Channel honorees are creative, strategic leaders who show ongoing commitment to using their skills to innovate and drive success for their partners and customers.

From within this impressive group, the annual Power 100 recognizes some of the most influential women leaders from technology vendors and distributors who consistently contribute their advocacy and expertise to advancing the channel.

Every woman on the Power 100 is an inspiration to industry peers and shows deep dedication to improving outcomes and opportunities for their own organizations and the full IT channel ecosystem.

Michelle has made an immediate impact at SonicWall. She has keynoted the largest and most influential technology conferences including Channel Partners, CRN, CompTIA, IT Nation and Kaseya. She is a passionate advocate for Women, Diversity and Inclusion in Technology, and serves as Chair Emeritus of Advancing Women in Technology for CompTIA. Previously she sat on the board of CRN’s Women of the Channel – she’s also a Co-Founder of Tech Worlds Half non-profit, a longstanding member of the National Women in Technology Group and, most recently, serves as Florida Leader for the Alliance of Channel Women.

“It is a great privilege to honor the remarkable achievements of these women leaders in the IT channel,” said Jennifer Follett, VP, U.S. Content and Executive Editor, CRN, at The Channel Company. “Each woman on the list has demonstrated a deep commitment to innovation and leadership that advances their organizations and drives transformation and success across the IT channel.”

Christine Bartlett, CMO

In a short amount of time, Christine has helped reignite SonicWall’s marketing strategy to align with its commitment to be a 100% channel company. She has been pivotal in developing key messaging for two critical growth acquisitions: Solutions Granted, Inc. (security services/MSP) and Banyan Security (cloud security) and has been responsible for the development and implementation of business marketing strategies.

Katie Ralph, Director of Solutions Engineering (EMEA)

Katie is an industry-recognized thought-leader and event speaker, and a people-focused and passionate cyber evangelist with a strong technical foundation. Previously named a ‘Top 10 Women in Cyber’ winner, she has held positions as a dedicated specialist in cyber, in addition to life as both a vendor and customer. Katie is the face of SonicWall EMEA for partners and will continue to engage with them in 2024.

Alice Strange, Senior Territory Account Manager

As a Sr. Territory Account Manager for SonicWall, Alice acts as a trusted advisor to Florida customers across multiple verticals. Over the course of the last year, Alice has worked closely with SonicWall customers and partners to drive adoption of SonicWall’s security platform, with specific focus on vital solutions outside of the firewall, necessary for true edge-to-endpoint protection.

Trisha O’Rourke, Senior Sales Manager

Trisha is the Senior Channel Sales Manager at SonicWall. A self-motivated leader and relationship builder, Trisha is focused on creating lasting professional connections with partners and customers. She guided SonicWall’s West Channel team while continuing to lead the largest accounts in generating year-over-year growth.

The 2024 Women of the Channel list will be featured in the June issue of CRN Magazine, with online coverage starting May 13 at www.CRN.com/WOTC.


XWiki Remote Code Execution Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of CVE-2024-31984, which is a code injection vulnerability in XWiki’s management of space titles and has a critical CVSS score of 9.9. After assessing the impact, we developed mitigation measures to address the vulnerability. This vulnerability, originating from insufficient input validation, allows remote, authenticated attackers to execute arbitrary code on the target server by creating documents with maliciously crafted titles. The team’s efforts have focused on understanding the severity of the risk and ensuring that users can securely manage and operate their XWiki platforms without compromise.

The versions of XWiki Platform impacted by the remote code execution vulnerability encompass a broad range of releases. Specifically, the vulnerability affects all versions starting from 7.2-rc-1 up to, but not including, the patched versions 14.10.20, 15.5.4 and 15.10-rc-1. This wide span of versions includes any builds prior to 14.10.20, making it imperative for users operating on these versions to update their systems. The vulnerability has been effectively addressed in the newer versions 14.10.20, 15.5.4 and 15.10-rc-1. For those unable to immediately upgrade, a manual patch is available for the Main.SolrSpaceFacet page (Figure 1) to mitigate the risk temporarily until an upgrade can be implemented. This patch is crucial as it prevents the execution of arbitrary Groovy code, which could compromise the confidentiality, integrity and availability of the XWiki installation.

Figure 1: Patch

Technical Overview

XWiki’s scripting capabilities form a core component of its architecture, allowing users to craft both simple and complex web applications directly within the XWiki interface without the conventional requisites of compiling code or deploying software components. This functionality is facilitated through an advanced scripting feature set that is embedded in the content of an XWiki page, alongside traditional wiki markup. XWiki supports a variety of scripting languages such as Velocity, Groovy and Python, which are enabled by default, thus offering versatility and power to developers. The platform utilizes the JSR-223 scripting framework to evaluate script code seamlessly. This is executed via the script macro, which follows the syntax {{script language="<script engine name>"}}<some code>{{/script}}, allowing for direct embedding of code in pages. Specific languages can be declared directly; for example, Groovy code is written within {{groovy}}<some code>{{/groovy}} blocks, enabling immediate and accessible scripting without leaving the XWiki page environment.

Regarding its content organization, XWiki uses a hierarchical structure termed “Wiki”, “Space” and “Page”, or alternatively, “Page” and “Child Page”. Historically, spaces functioned similarly to folders in a file system, designed to house a collection of pages. However, in more recent updates, XWiki has eliminated the distinction between a page and a space, streamlining its structure. Despite these advancements, a significant vulnerability has been identified within this framework. The issue arises from inadequate input validation of the title fields in XWiki Spaces. Specifically, when a user attempts to create or update a page using actions like “save” or “saveandcontinue”, the user-supplied title is stored without neutralizing special characters, potentially leading to code injection risks. This vulnerability extends to the rendering process of the space’s title in the “Main.SolrSpaceFacet” on the “Main.SolrSearchConfig” page, where script elements within space titles are executed due to the lack of special character neutralization, posing a critical security risk to the integrity and security of the XWiki installation.

Triggering the Vulnerability

The four main triggers of the vulnerability in XWiki, allowing remote code execution via the Solr-based search mechanism, can be detailed as follows:

  • Crafted Document Titles: The vulnerability is triggered by creating a document with a specially crafted title. For instance, the title structure {{/html}}{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}, which contains embedded Groovy code, allows arbitrary code execution when the document is processed or indexed by the Solr search engine.
  • User Rights and Permissions: Any user with the ability to edit titles of a space, which by default is every user, can exploit this vulnerability. This broad default permission setting significantly widens the potential for exploitation.
  • Search UI Interaction: The crafted code in the document title is executed when interacting with the XWiki search interface. Specifically, after the maliciously titled document is indexed, searching for this document and engaging with facets such as deploying the Location facet can lead to the execution of the embedded Groovy script.
  • Insufficient Input Sanitization: The underlying issue of inadequate input validation and neutralization of special characters in the XWiki Spaces’ title field is a critical trigger. This allows embedded scripts in document titles to be executed without any filtering, directly compromising the application’s security.

Exploitation

The exploitation process targets the XWiki system by leveraging the ability to execute arbitrary code remotely. This process involves an automated script that uses five specific HTTP requests to interact with the XWiki installation:

  • Login Page Request: Fetches the CSRF token necessary for session authenticity.
    • URL: loginPageURL = baseURL + "xwiki/bin/login/XWiki/XWikiLogin?loginLink=1"

Figure 2: Login Request

  • Login Submission Request: Submits login credentials and the CSRF token.
    • URL: loginURL = baseURL + "xwiki/bin/loginsubmit/XWiki/XWikiLogin"

Figure 3: CSRF Token Post Request

  • Document Edit Page Request: Accesses the document edit page to fetch another CSRF token and check document availability.
    • URL (initial attempt):
      • baseDocURL = baseURL + "xwiki/bin/edit/"
      • newDocURL = baseDocURL + targetDoc
  • Document Save/Preview Request: Submits a malicious script embedded in the document’s title for preview and execution.
    • URL: saveDocURL = baseURL + "xwiki/bin/preview/" + targetDoc

Figure 4: Malicious Script, Document Upload

  • Document Search Request: Searches for the modified document to trigger execution of the embedded script.
    • URL: searchURL = baseURL + "xwiki/bin/view/Main/Search?text=test"

The attacker configures a client with the server’s URL, username and password, and begins the exploitation by requesting the XWiki login page to obtain a CSRF token (Figure 5). This token is extracted from the HTML content and used alongside the login credentials to authenticate successfully.

Figure 5: CSRF Form Token

After authentication, the attacker searches for an editable document. If unavailable, the document name is modified iteratively until one is found. Another CSRF token is then retrieved from the document editing page. The attack vector is a script embedded in the document’s title, using XWiki’s syntax to embed Groovy code that executes shell commands. The payload — containing the CSRF token, malicious title, and shell command—is submitted to the document’s preview URL for processing (Figure 4).

Finally, the attacker initiates a search query to ensure the Solr search engine processes the modified document, confirming the execution of the embedded command. The script concludes by reporting the success of the exploit, demonstrating how the XWiki system can be compromised by using crafted document titles to execute code remotely.
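
As an added example (not the script from this write-up and not XWiki’s own code), the following Python scans the request chain described above and flags the one request that writes a document title containing wiki macro syntax, which is the signal a defender can look for in proxy or web-server logs. The sample requests are constructed here to mirror the five steps; the host name and the form field names (title, content, form_token, j_username, j_password) are assumptions, not taken from the page.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Macros whose presence in a title means code, not a name. "html" is listed
# because the crafted title opens with {{/html}} to break out of the
# surrounding markup before the script macro begins.
DANGEROUS_MACROS = {"groovy", "velocity", "python", "async", "html"}

# XWiki 2.x macro syntax: {{name ...}} or {{/name}}.
MACRO_RE = re.compile(r"\{\{/?([A-Za-z][\w-]*)")

# Edit actions that persist or render a title. Assumed paths, matching the
# URLs quoted in the write-up.
TITLE_WRITE_PATHS = ("/xwiki/bin/preview/", "/xwiki/bin/save/")


def title_macros(title):
    """Return the lowercased macro names found in a title string."""
    return {m.lower() for m in MACRO_RE.findall(title)}


def inspect_request(method, url, body):
    """Return a finding for a POST that writes a macro-laden title, else None.

    body is the raw application/x-www-form-urlencoded request body; parse_qs
    percent-decodes it, so {{ submitted as %7B%7B is still matched.
    """
    path = urlsplit(url).path
    if method.upper() != "POST" or not path.startswith(TITLE_WRITE_PATHS):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    title = fields.get("title", [""])[0]          # assumed field name
    macros = title_macros(title)
    if not macros:
        return None
    dangerous = macros & DANGEROUS_MACROS
    return {
        "document": path.split("/bin/", 1)[1].split("/", 1)[1],
        "macros": sorted(macros),
        "dangerous": sorted(dangerous),
        "severity": "high" if dangerous else "medium",
    }


# Constructed requests mirroring the five-step chain (host is made up).
CRAFTED_TITLE = ('{{/html}}{{async}}{{groovy}}println("Hello from Groovy Title!")'
                 '{{/groovy}}{{/async}}')
SAMPLE_REQUESTS = [
    ("GET", "http://wiki.example/xwiki/bin/login/XWiki/XWikiLogin?loginLink=1", ""),
    ("POST", "http://wiki.example/xwiki/bin/loginsubmit/XWiki/XWikiLogin",
     "form_token=tok1&j_username=alice&j_password=secret"),
    ("GET", "http://wiki.example/xwiki/bin/edit/Main/Target", ""),
    ("POST", "http://wiki.example/xwiki/bin/preview/Main/Target",
     "form_token=tok2&content=hello&title=" + quote_plus(CRAFTED_TITLE)),
    ("GET", "http://wiki.example/xwiki/bin/view/Main/Search?text=test", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Run inspect_request over a request list and return the findings."""
    findings = []
    for method, url, body in requests:
        finding = inspect_request(method, url, body)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f)
```

Only the preview request is reported: the login and search requests carry nothing unusual, which is why detection of this bug belongs on the title-writing step rather than on the search query that merely triggers it. A title containing a harmless macro such as {{toc/}} is still reported at medium severity, since any macro in a title is out of place.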

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4408 XWiki Platform SolrSpaceFacet Remote Code Execution

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Configuring the vulnerable product to allow access from trusted clients only.

Relevant Links

JIRA Ticket

Security Advisory

Commit Macro Changes

Patch

NVD

CWE-95

Anti-Ransomware Day 2024: It’s Time to Eat Your Broccoli

Too Much Ice Cream

May 12th, 2017 – a day that lives in infamy for all cybersecurity professionals. It was on this day that the WannaCry ransomware attack was unleashed, devastating hundreds of thousands around the globe. In 2020, Interpol deemed May 12th Anti-Ransomware Day as a way to spread awareness and help prevent another attack like WannaCry.

Despite many ransomware attacks being completely preventable, they still continue to happen at an alarming rate. While ransomware numbers were down last year, the number of attacks was still up 70% from pre-pandemic levels. And 2023 had its own infamous ransomware attacks with the likes of the GoAnywhere MFT zero-day and the MOVEit File Transfer Tool attacks – both carried out by the increasingly dangerous Cl0p ransomware gang.

Anti-Ransomware Day exists to encourage organizations to be proactive about ransomware attacks instead of being reactive when they happen. Spending the budget and time upfront on strong cybersecurity, even if it’s not at the top of your list of wants, will be very beneficial in the long term. Fortunately, there are some simple steps you can take to prevent a ransomware attack at your organization, or, at the very least, make the fallout from an attack much more manageable. It just requires… eating your broccoli.

Do I Have to Eat Actual Broccoli?

No, in fact – you don’t actually have to eat any vegetables at all, although I would recommend you do. This blog isn’t about your diet. Growing up, my mom would tell me I had to eat my broccoli before I could eat my dessert. I had to do something that I didn’t think was very fun or pleasant because it was good for me and my health. Much like a kid eating broccoli, all organizations need to be spending time and budget on good cyber hygiene before moving on to something they may think is more valuable or want to do more…for their own good.

Broccoli provides excellent nutritional value and even strengthens the immune system. Good cyber hygiene will do the same thing for your organization. So what steps can you take to strengthen your organization’s defenses against ransomware?

  • Update: Whenever possible, enable automatic updates on applications and devices on your network — both for operating systems and for any other apps in your ecosystem.
  • Upgrade: The older an operating system gets, the more malware and other threats are created to target them. Retire any software or hardware that is obsolete or no longer supported by the vendor.
  • Duplicate: All important data should be backed up to a place inaccessible by attackers. Having adequate and up-to-date backups on hand significantly eases recovery in the event of a ransomware attack.
  • Educate: A staggering 91% of all cyberattacks start with someone opening a phishing email. Teach employees to be wary any time they receive an email, particularly one with an attachment or link.
  • Invest in MDR: SonicWall’s Managed Detection and Response (MDR) provides round-the-clock protection against ransomware, blending advanced cybersecurity solutions with a dedicated Security Operations Center (SOC) that monitors alerts, investigates incidents, and mitigates threats, enhancing existing defenses.
  • Safeguard: By taking the above steps, most attacks can be prevented, but not all. They’re called “best practices” and not “ironclad guarantees” for a reason: If any are allowed to lapse — or new methods are found to circumvent them — organizations will need a strong last line of defense. An advanced, multi-layer platform that includes endpoint security, next-gen firewall services, email security and secure mobile access can work to eliminate blind spots and eradicate both known and unknown threats.

If you are the victim of a ransomware attack, remember that it doesn’t pay to pay – when you pay threat actors after an attack, you can never guarantee that the threat actors will actually do as they promise. Once they have your data, it’s impossible to know what will or won’t be done with it, regardless of payments. The best way to handle a ransomware attack is to prepare for it before it happens. With the right security measures and a defensive-minded approach, you can make one of the scariest threats not so threatening to you and your organization. If you make the choice to eat your broccoli before you eat your ice cream, you’ll be in a much better position to fend off and recover from a ransomware attack. So to recognize the importance of Anti-Ransomware Day this year, remember to #EatYourCyberBroccoli

If you want to start strengthening your organization’s cybersecurity posture, contact a SonicWall representative today.

Esports in Education: Why Security Should Come In First

In the days of Super Mario, the relationship between video games and school was anything but super. Shortly after early electronics allowed video games to jump from the TV into your hands, schools everywhere handed down an edict—if a student took their Game Boy to school, the only available quest would be scheming to liberate it from the inside of the teacher’s desk.

But as video games — and the internet itself — have leveled up, so has their relationship with education. Esports have found a home within the same hallowed halls they were once banned from, and today approximately 8,600 high schools and 170 higher-education campuses support an esports program.

The Emergence of Esports

“Esports,” which stands for “electronic sports,” has existed in some form since the dawn of gaming. Video game competitions and tournaments started gaining popularity as early as the 1970s, with one event — the Space Invaders Championship, held by Atari in 1980 —  attracting more than 10,000 participants.

But the real transition from “competitive gaming” to “esports” didn’t begin until the late 1990s. With the release of games like “Quake” and “StarCraft,” players began competing against one another in organized events, and companies began sponsoring tournaments.

The 2000s brought the establishment of major esports organizations, such as the Electronic Sports League (ESL) and Major League Gaming (MLG), which helped formalize and popularize competitive gaming. Soon after, the introduction of platforms such as YouTube and Twitch took gaming to an even higher level, delivering global audiences of tens and even hundreds of thousands of viewers eager to watch their favorite players and teams compete live.

Today, esports is a global phenomenon. Professional players earn substantial incomes, and prize pools in the millions of dollars for tournaments such as the Call of Duty Championship and the League of Legends World Championship are not unheard of. With sponsorships from brands like Nike, Red Bull and Tiffany & Co., today’s esports parallels traditional sports in just about every way.

Esports and Education: A Natural Evolution

And these similarities extend to their presence in schools. Many early gamers are now teachers (or librarians, or administrators) themselves, and their comfort with and enjoyment of games has made them open to the benefits of incorporating gaming into an educational environment.

These benefits, as it turns out, are numerous: Students who participate in esports display increased academic engagement and build problem-solving and STEM (Science, Technology, Engineering and Math) skills. Esports offer greater inclusivity than traditional sports, and foster creativity among participants. They also help build social skills, offering both an avenue for community and opportunities to become better at working collaboratively as part of a team.

And they can open doors to the future: Some colleges and universities offer scholarships for K-12 esports participants, and esports participants in higher education can find themselves better prepared for careers such as information technology, business, management, education and more.

ESSER, HERF & the Economics of Esports in Education

But to realize the benefits brought by esports, cash-strapped schools need to find a way to support such programs. Fortunately, there are a number of available avenues for funding the fun.

State grants are available for K-12 and higher education institutions aiming to start or improve an esports program. Federal funding programs, such as ESSER (Elementary and Secondary School Emergency Relief Fund) and HEERF (Higher Education Emergency Relief Fund), are also available — for now.

Designed to provide emergency pandemic funding to enhance school IT infrastructure, the first two rounds of ESSER funding have expired. But schools have until Sept. 30, 2024, to use their portion of the $121.97 billion in funding associated with ESSER III, also known as ARP (American Rescue Plan) ESSER. While most school districts are on pace to leverage their ESSER allocations, some have used less than a tenth of their funds. And according to the Center on Budget and Policy Priorities, 50 percent or more of ESSER III funding remained unspent in 13 states and the District of Columbia as of January 2024.

Combining ESSER III funding with existing E-rate funds can help schools build a solid esports program, but don’t wait: This program is a “use it or lose it” funding mechanism.

The final round of HEERF (Higher Education Emergency Relief Funding) was also established through the ARP. The deadline for submitting a plan has passed, but purchases can still be completed into 2024 — meaning that colleges and universities may still be able to apply this funding to esports programs.

To be eligible for most of these funding sources, educational institutions will need to show how esports programs benefit students, align with educational goals and meet the specific needs of a given school district. If your planned esports program includes a curriculum, this will help tremendously in securing federal funding.

In addition to HEERF and ESSER funding, schools can also apply for a number of STEM grants, such as:

Safeguarding the Sport

One of the most important considerations for any school esports program is also among the most easily overlooked. Schools that would never dream of sending their football team out without pads or their swim team to a meet sans lifeguard should extend this same safety mindset to their esports programs.

While these programs can have a positive impact, they’re not without their risks, both to the players themselves, and to entire districts. For any esports program to be successful, schools must secure campus networks and access — all while preventing PII theft and blocking ransomware, DDoS attacks, intrusion attempts and other disruptive (and potentially destructive) cyberattacks.

SonicWall is an expert in securing educational institutions, with over 7,300 current global deployments. Our solutions offer the network performance, availability and reliability that esports organizations and schools need to maintain their competitive edge.

Find out more about why securing esports is necessary — and how SonicWall can help.

What’s a Hybrid Mesh Firewall?

The days of a defined network perimeter, secured by a network firewall, have been disrupted by modern hybrid workforces and multi-cloud environments. This has led to a firewall market evolution, with new form factors and deployment methods for emerging use cases. More importantly, a consistent policy model and management experience, unified reporting and analytics, shared context, and flexible consumption models are now required.

According to the 2024 Gartner Market Guide for Hybrid Mesh Firewall Platforms, “By 2025, over 50% of network firewall deployments will involve more than two deployment factors from the same vendor — up from less than 10% in 2023.”[1]

Managing multiple form factors for different use cases in an enterprise can be difficult, but a hybrid mesh firewall platform addresses these complex challenges directly.

So … What is a Hybrid Mesh Firewall?

A hybrid mesh firewall is a security platform that offers flexible deployment options in multiple form factors, as well as an as-a-service delivery model with unified, cloud-delivered management, reporting and analytics. Imagine a security platform that seamlessly protects everything, everywhere in your organization, without slowing you down. That’s the power of a hybrid mesh firewall. It’s like an advanced security shield that combines the best of traditional firewalls with cutting-edge features. This translates to:

  • Complete Network Protection: Your entire network is safeguarded, from your offices to remote workers and cloud applications.
  • Stronger Defenses: Modern threats are stopped before they can harm your business.
  • Simplified Access Control: This ensures only authorized users and devices can access your data (zero trust).
  • Flexibility for Your Business: It works seamlessly, regardless of how distributed your workforce or applications are.

In short, a hybrid mesh firewall gives you the peace of mind you need to run your business securely in today’s dynamic world.

[1] Gartner, Market Guide for Hybrid Mesh Firewall Platforms, 16 January 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

What Are the Key Capabilities and Features of a Hybrid Mesh Firewall?

Mesh Architecture
The term “mesh” refers to how various network security enforcement points and form factors are interconnected. In an enterprise IT landscape of any size, these enforcement points are strategically deployed across different network segments to create layers of purpose-built defense with a common policy. This practice protects against modern cyber threats and secures an expanded threat landscape that now includes a perimeter-less corporate network, encrypted traffic and SaaS adoption.

Cloud-delivered Centralized Management, Reporting and Analytics
To streamline the management of multiple security devices within the hybrid mesh firewall, many enterprises use cloud-delivered (SaaS) centralized management and orchestration tools. These tools simplify tasks such as deployment, configuration, monitoring, auditing, reporting and analytics. By providing a unified view of the entire network security posture, these tools enable real-time monitoring and reporting. They also facilitate automated responses to security incidents across the entire IT landscape. This includes securing corporate locations, private and public cloud assets, sanctioned and unsanctioned SaaS applications, BYOD, guest services, and remote workers. With these tools, enterprises can effectively manage their security infrastructure more efficiently and comprehensively.

Firewall Features
A hybrid mesh firewall should be capable of packet filtering, access control and stateful inspection capabilities to monitor and control incoming and outgoing network, user and application traffic based on predefined rules and policies. This helps prevent unauthorized access and protects against common threats like malware, phishing and denial-of-service (DoS) attacks.

Advanced Security Services
Besides firewall functionalities, a hybrid mesh firewall can incorporate advanced security features. These include deep packet inspection (DPI), application visibility and control, intrusion prevention, antivirus, and signature-based threat detection. Additionally, it may feature SSL/TLS decryption and inspection, sandboxing, and threat intelligence integration. These advanced capabilities enable the firewall to identify and mitigate sophisticated threats, such as zero-day exploits, advanced persistent threats (APTs) and targeted attacks that basic firewall rules alone would not recognize.

Scalability and Flexibility
One of the advantages of a hybrid mesh firewall is its scalability and flexibility. Organizations can easily expand their network infrastructures and adapt to evolving security requirements. This can be done by adding or upgrading individual security devices within the mesh architecture. The deployment can also evolve with modern cloud-native or client-based enforcement points for emerging use cases. Scaling up and down depending on changing requirements can be done without disrupting the policy and management experience. Additionally, the hybrid mesh firewall supports Network Operations Center (NOC) and Security Operations Center (SOC) automation/playbooks and access control rules.

How Can SonicWall Help?

SonicWall enables you to adopt a hybrid mesh firewall approach with:

Unified Platform for Management and Orchestration with SonicPlatform
SonicPlatform is our latest innovative cybersecurity platform, unifying all SonicWall products under one interface. This platform represents a significant stride toward a more integrated, efficient and secure management ecosystem for SonicWall’s diverse product suite. It not only streamlines management tasks, it also fosters deep integration — enabling the sharing of contextual information across all enforcement points within the product family and with third-party vendors.

Ease of Use and Zero-Touch Deployment with SaaS Management
Along with a unified experience, cloud-delivered management offers the ability to onboard and manage dozens or hundreds of firewalls of all types and for all use cases. Managing any number of firewalls is easy with zero-touch deployment, simple configuration wizards, built-in and audit-ready reporting, federated security policies, fleet management, custom templates, auto-upgrade, and more.

Flexible Deployment Options
SonicWall has provided network security solutions to MSPs/MSSPs, distributed enterprises, governments and SMBs worldwide for over 30 years. In that time, the company has shipped more than three million of its firewalls, including:

  • SOHO and TZ Series firewalls for SMBs and branch/internet edge use cases
  • NSa Series for midsize enterprises and campus deployments
  • NSsp Series for large enterprises and data center deployments
  • NSv Series virtual firewalls for hybrid and multi-cloud environments.

Customers have the flexibility to deploy NSv firewalls on AWS and Azure public/government clouds and protect private cloud workloads on VMware ESXi, Microsoft Hyper-V, Nutanix, and KVM. And our recent acquisition of Banyan Security, a proven cloud platform specializing in identity-centric Secure Service Edge (SSE) and Zero Trust Network Access, has expanded our cloud protection capabilities even further.

Superior Threat Protection with Advanced Security Services and Global Threat Intelligence
SonicWall’s hybrid mesh firewall delivers a much deeper level of security across wired and wireless networks. It inspects every byte of every packet while maintaining high performance and low latency. This is achieved through TLS decryption and inspection capabilities, as well as IPS capabilities with advanced anti-evasion technology. Additionally, it provides a network-based malware protection solution with the power of cloud sandboxing. The firewall also features our patented Real-Time Deep Memory Inspection (RTDMI™) and patented single-pass, low latency, Reassembly-Free Deep Packet Inspection (RFDPI) engines.

Lower TCO, Investment Protection and Flexible Consumption Model
SonicWall offers best-in-class threat prevention performance with all security services enabled, and is one of the select vendors in this space offering the ability to deploy platforms in highly available environments without additional licenses needed. SonicWall also offers flexible consumption models with license portability, a pay-as-you-go (PAYG) licensing model in cloud marketplaces, a credit-based consumption model with FlexSpend, a customer loyalty program that allows customers to refresh to our latest offerings and migrate existing licenses, and monthly billing options for MSPs and MSSPs.

A hybrid mesh firewall offers a balanced approach to network security by combining the strengths of network firewalls with advanced security technologies — creating policy enforcement points in a mesh architecture using a cloud-delivered platform approach. This robust and flexible solution safeguards an organization’s networks against a wide range of cyber threats, reducing the impact of the cybersecurity skills gap, inconsistent policies, and variable levels of management experience. If you’d like to explore the possibilities of hybrid mesh firewall protection, get in touch with your SonicWall partner or contact us here.

CrushFTP Server-Side Template Injection (SSTI)

Overview

SonicWall Capture Labs threat research team became aware of a fully unauthenticated server-side template injection vulnerability within CrushFTP, assessed its impact, and developed mitigation measures. CrushFTP is an enterprise file transfer tool, and such tools have seen increased attention from attackers over the last several years. This vulnerability, CVE-2024-4040, has a CVSS score of 10.0, and CISA has reported it as exploited in the wild. A PoC and a vulnerability scanner script have been released on GitHub, making it relatively easy for attackers to leverage. Shodan indicated around 5,200 instances exposed on the internet at the time of writing. CrushFTP has released an update to fix this vulnerability, and anyone using this software should update to version 11.1 or newer.

Technical Overview

CrushFTP is designed to hand out an anonymous, unprivileged session token for any unauthenticated request to any page under the “/WebInterface” prefix. That token can then be used against other API endpoints. The vulnerability exists because one such endpoint, ServerSessionAJAX, accepts these tokens and exposes its API features to them. The ServerSessionAJAX API functions as a server-side templating engine by performing variable replacements, and it is susceptible to server-side template injection within its writeResponse function. If an attacker manages to insert data enclosed within %% or {} symbols in an argument, the server will evaluate and render the attacker-specified template. This yields arbitrary file read with the privileges of the CrushFTP process (root, when the service runs as root), authentication bypass to the administrator account, and ultimately theft of every file stored on the instance. To perform our analysis, we installed CrushFTP version 10.6 using a Docker container hosted on Docker Hub.

Triggering the Vulnerability

In order to leverage and trigger this vulnerability, an attacker must first obtain an unprivileged session token by sending a basic GET request to any endpoint in “/WebInterface,” as seen in Figure 1.

Figure 1: Obtaining a session token

Using a session token, the attacker can attempt to access resources that should require a fully authenticated account, such as the API implemented by ServerSessionAJAX. In Figure 2, we try to call an API feature we should not have permission to use, the zip function. Instead of the expected “access denied” message, the server returns an error from the function itself, showing that the request was actually processed.

Figure 2: Indication of unauthenticated access to API

Through this unauthenticated API, we can send legitimate template commands to obtain information about the server, which is returned in the response. The code accepts an extensive list of such commands in the request. Figure 3 shows a small subset of that list from the code, including one that returns the working directory the application is running from, which is crucial for exploitation.

Figure 3: change_vars_to_values_static function

Attempting to access this command via an unauthenticated request, as seen in Figure 4, proves an attacker can effectively leverage the SSTI. Notice that the working directory is returned in the server’s response when the “working_dir” template is provided.

Figure 4: Successful template injection

Exploitation

To exploit this vulnerability, an attacker can use this access to obtain an administrator login or session token. By examining the possible templates that can be leveraged within the “change_vars_to_values” function, we run across “INCLUDE” tags among many others, as seen in Figure 5.

Figure 5: Injectable Tags

As demonstrated in Figure 4, it is easy to obtain the application’s working directory. Within that directory, a file named sessions.obj contains all of the session data for the instance, including session tokens. If an administrator is logged into the application, their token will be in this file. An attacker can exploit the SSTI vulnerability using <INCLUDE>, as seen in Figure 6, to have the file’s contents returned in the response.

Figure 6: SSTI using <INCLUDE>

Within the response, it is easy to locate the list of assigned session tokens. In Figure 7, the administrator token is highlighted in yellow. An attacker may not know in advance which token belongs to the administrator, but trying each one in turn will quickly reveal the one that grants administrative access.

Figure 7: Output of SSTI including the sessions.obj file
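
As an added example (not CrushFTP’s code, which is Java and is not reproduced in this write-up), the Python below models the flaw in miniature: an anonymous token is accepted by a ServerSessionAJAX-style handler, and the caller’s argument passes through a variable-replacement step that understands {name} and <INCLUDE>path</INCLUDE>, so the two requests from Figures 4 and 6 (a working_dir probe, then an include of sessions.obj) leak the session file. A hardened handler beside it shows the two changes that matter: require an authenticated session before the API is reachable, and never feed caller data to the renderer. The file tree, session store, token values and error text are constructed in memory for this example; only working_dir, sessions.obj and the INCLUDE tag come from the write-up, and the %% delimiter form the write-up also mentions is not modelled.

```python
import re

# Constructed stand-ins for the server's working directory and sessions.obj.
FILES = {
    "/opt/crushftp/sessions.obj":
        "CrushAuth=ANONTOKEN-0001 user=anonymous\n"
        "CrushAuth=ADMINTOKEN-9f2c user=crushadmin\n",
}
SESSIONS = {
    "ANONTOKEN-0001": {"user": "anonymous", "authenticated": False},
    "ADMINTOKEN-9f2c": {"user": "crushadmin", "authenticated": True},
}
SERVER_VARS = {"working_dir": "/opt/crushftp", "version": "10.6"}

VAR_RE = re.compile(r"\{([A-Za-z_]\w*)\}")
INCLUDE_RE = re.compile(r"<INCLUDE>(.*?)</INCLUDE>", re.S)


def render_template(text, files=FILES, server_vars=SERVER_VARS):
    """Variable replacement in the style described for change_vars_to_values:
    first substitute {name} from server state, then splice in the contents of
    every <INCLUDE>path</INCLUDE>. Unknown names are left untouched."""
    text = VAR_RE.sub(lambda m: server_vars.get(m.group(1), m.group(0)), text)
    return INCLUDE_RE.sub(lambda m: files.get(m.group(1), ""), text)


def write_response_vulnerable(token, path_arg):
    """Flawed flow: any known token (including the anonymous one handed out
    for /WebInterface) reaches the handler, and the caller-controlled
    argument is rendered as a template before being echoed in the error."""
    if token not in SESSIONS:
        return 401, "no session"
    return 200, "error: cannot zip " + render_template(path_arg)


def write_response_fixed(token, path_arg):
    """Hardened flow: demand an authenticated session, and render only the
    server-owned message; the caller's argument is appended as literal text."""
    session = SESSIONS.get(token)
    if session is None or not session["authenticated"]:
        return 403, "access denied"
    message = render_template("error: cannot zip in {working_dir}: ")
    return 200, message + path_arg


TOKEN_RE = re.compile(r"CrushAuth=(\S+)")


def tokens_from(response_body):
    """Pull session tokens out of a leaked sessions.obj, as in Figure 7."""
    return TOKEN_RE.findall(response_body)


def demo():
    """Replay the probe and the include against both handlers."""
    probe = "{working_dir}"
    steal = "<INCLUDE>{working_dir}/sessions.obj</INCLUDE>"
    anon = "ANONTOKEN-0001"
    return {
        "probe_vuln": write_response_vulnerable(anon, probe),
        "steal_vuln": write_response_vulnerable(anon, steal),
        "probe_fixed": write_response_fixed(anon, probe),
        "steal_fixed": write_response_fixed("ADMINTOKEN-9f2c", steal),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body.strip())
```

Note the order of substitution in render_template: the {working_dir} inside the INCLUDE path is expanded first, which is exactly why the working-directory probe is the useful first step. Even in the fixed handler an administrator’s argument is never rendered; that is the property to check when reviewing any template engine that echoes request data into its responses.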

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4396 CrushFTP Server-Side Template Injection
  • IPS:4400 CrushFTP Server-Side Template Injection 2
  • IPS:4402 CrushFTP Server-Side Template Injection 3

Remediation Recommendations

CrushFTP has released an update to fix this vulnerability, and anyone using this software is advised to update to version 11.1 or newer (10.7.1 or newer on the 10.x branch). Because successful exploitation discloses session tokens and stored files, an exposed instance should be treated as potentially compromised: after patching, invalidate active sessions, rotate administrator credentials, and review logs for unauthenticated requests to the ServerSessionAJAX API that carry <INCLUDE> tags or {} template variables.

Relevant Links