OpenSecurity.global

Tim Corless

WebMin backdoor being exploited in wild


There are a few of these 😄; already seen exploit traffic in the honeypot, btw.


CVE-2019-15107 is being exploited in the wild. It's a pre-auth exploit which allows an admin password change, a.k.a. RCE, introduced by an attacker via a backdoor in the application.

Via BinaryEdge.io:


Timeline

April 2018 - an attacker backdoored WebMin's Sourceforge repo via the build process.

17th August 2019 - 0day exploit available to exploit the vulnerability.

17th August 2019 - WebMin issues advisory.

20th August 2019 - mass exploitation seen in wild.

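One defender-side check for the pre-auth password-change path described above, as an added example that is not part of the original thread: it parses Common Log Format access-log lines (assumed to be what miniserv or a fronting reverse proxy writes) and flags unauthenticated POSTs to Webmin's password_change.cgi, the endpoint through which CVE-2019-15107 is reached, from outside an assumed trusted management range. The log lines and the trusted network are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2019:03:12:41 +0000] "POST /password_change.cgi HTTP/1.1" 200 512
203.0.113.7 - - [20/Aug/2019:03:12:42 +0000] "POST /password_change.cgi HTTP/1.1" 200 512
198.51.100.23 - - [20/Aug/2019:03:15:02 +0000] "GET /session_login.cgi HTTP/1.1" 200 2048
192.0.2.9 - - [20/Aug/2019:04:01:10 +0000] "POST /password_change.cgi HTTP/1.1" 200 512
10.0.0.5 - - [20/Aug/2019:04:05:00 +0000] "POST /password_change.cgi HTTP/1.1" 200 512
"""

# Assumed trusted management range; adjust for your own environment.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def suspicious_password_change_posts(log_text: str) -> list[dict]:
    """Return parsed entries for unauthenticated POSTs to password_change.cgi
    from outside the trusted ranges. The backdoored code runs before any
    login, so such requests should not occur in normal use and are worth
    alerting on; a hit is a sign of an attempt, not proof of compromise."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        e = m.groupdict()
        if (e["method"] == "POST"
                and e["path"].split("?")[0].endswith("/password_change.cgi")
                and e["user"] == "-"          # no authenticated user
                and not is_trusted(e["ip"])):
            hits.append(e)
    return hits

def sources_by_count(hits: list[dict]) -> list[tuple[str, int]]:
    """Rank sources so the noisiest scanners surface first."""
    return Counter(h["ip"] for h in hits).most_common()

if __name__ == "__main__":
    found = suspicious_password_change_posts(SAMPLE_LOG)
    for ip, n in sources_by_count(found):
        print(f"{ip}: {n} unauthenticated POST(s) to password_change.cgi")
```

Versions published on Sourceforge were the affected ones per the advisory referenced in the thread, so this check is only a triage aid; confirm the installed build against the vendor advisory before drawing conclusions.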



  • Similar Content

    • By Kevin Beaumont
      The boilerplate description
      "A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution."
      What it means in practice
      Unauthenticated remote code execution on internet connected Citrix Gateway devices = bad.
      Are attackers actually exploiting this vulnerability?
      Yes, at scale, against targeted and untargeted assets.
      Impact
      Lame stuff like coin miners, but also devices getting backdoored, and people trying to use this to deploy ransomware inside Windows orgs behind the Citrix boxes.
      Vendor advisory and patches
      Here: https://support.citrix.com/article/CTX267027
      Checking if your device has already been exploited
      Check out this tool, which is getting frequent updates: https://github.com/fireeye/ioc-scanner-CVE-2019-19781/tree/v1.2
      Scale of the issue
      Somewhere in the region of ~100k devices were exploitable with this back in December. After a huge awareness campaign via all sorts of orgs, this one is down to about ~10k unpatched devices at present. Those orgs are still in serious danger of exploitation.
      If you patched late
      You want to run the FireEye tool linked above to look for exploitation, as attackers may have backdoored your device.
      I just applied the mitigations
      You should also apply the patch, as it hardens the setup - just the mitigations alone present some issues.
    • By Kevin Beaumont
      CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls.  These exist as a perimeter security control, so it's a bad vulnerability.
      Using BinaryEdge.io I can see scanning activity from last night, for the first time, for this vulnerability:
      The scanning traffic is taking place across the whole internet it appears, spray and pray style.
      The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials:
      Timeline
      May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384
      June 4th 2019 - Vendor updates advisory to correct impacted versions
      August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.
      August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.
      August 17th 2019 - Another exploit, checks if vulnerable before exploit.
      August 21st 2019 - Exploitation seen in wild.
    • By Kevin Beaumont
      CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild.
      I've seen it being exploited today, a few hours ago, for the first time, via BinaryEdge.
      Timeline
      24th April 2019 - Vendor advisory.
      14th August 2019 - TLP Rainbow post.
      20th August 2019 - exploit posted publicly.
      22nd August 2019 - exploitation in wild.
      Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.
