Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474

Published: 2024-04-30

Last Updated: 2024-04-30 15:19:40 UTC

by Johannes Ullrich (Version: 1)

Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS.

The sample request ...

The exploit is simple: attempt to download the "amanas2" binary and execute it. Sadly, I was not able to retrieve the file. VirusTotal does show the URL as malicious for a couple of anti-malware tools.

Oddly, I am seeing this pattern only in the last couple of days, even though the vulnerability and the PoC were disclosed last year ...

Read the full entry:

https://isc.sans.edu/diary/Another+Day+Another+NAS+Attacks+against+Zyxel+NAS326+devices+CVE20234473+CVE20234474/30884/

D-Link NAS Device Backdoor Abused

Published: 2024-04-29

Last Updated: 2024-04-29 13:48:03 UTC

by Johannes Ullrich (Version: 1)

At the end of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices. The vulnerability allows access to the device using the user "messagebus" without credentials. The sample URL used by the PoC was ...

In addition to not requiring a password, the URL also accepts arbitrary system commands, which must be base64 encoded. Initial exploit attempts were detected as early as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by D-Link, and no patch is expected to be released. D-Link instead advised replacing affected devices. I have not been able to find an associated CVE number.

[Graph of hits for URLs that include "user=messagebus" with two distinct peaks. One early in April and one late in April]

After the initial exploit attempts at the beginning of the month, we now see a new distinct set of exploit attempts, some of which use different URLs to attack vulnerable systems. It appears that nas_sharing<dot>cgi is not the only endpoint that can be used to take advantage of the passwordless "messagebus" account.

Read the full entry:

https://isc.sans.edu/diary/DLink+NAS+Device+Backdoor+Abused/30878/

Internet Storm Center Entries


Linux Trojan - Xorddos with Filename eyshcjdmzg (2024.04.29)

https://isc.sans.edu/diary/Linux+Trojan+Xorddos+with+Filename+eyshcjdmzg/30880/

Does it matter if iptables isn't running on my honeypot? (2024.04.25)

https://isc.sans.edu/diary/Does+it+matter+if+iptables+isnt+running+on+my+honeypot/30862/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-38028 - Windows Print Spooler Elevation of Privilege Vulnerability

Product: Microsoft Windows Server 2022

CVSS Score: 0

** KEV since 2024-04-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38028

ISC Podcast: https://isc.sans.edu/podcastdetail/8952

CVE-2023-4473 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 are susceptible to command injection, enabling unauthorized execution of operating system commands via a manipulated URL.

Product: Zyxel Nas542_Firmware

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4473

ISC Diary: https://isc.sans.edu/diary/30884

ISC Podcast: https://isc.sans.edu/podcastdetail/8962

CVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.

Product: Zyxel Nas542_Firmware

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474

ISC Diary: https://isc.sans.edu/diary/30884

ISC Podcast: https://isc.sans.edu/podcastdetail/8962

CVE-2024-20353 - Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software are vulnerable to an unauthenticated remote attacker causing denial of service by triggering an unexpected device reload through a crafted HTTP request.

Product: Cisco Adaptive Security Appliance Software

CVSS Score: 8.6

** KEV since 2024-04-24 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20353

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2

CVE-2024-20359 - Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software are vulnerable to an authenticated, local attacker being able to execute arbitrary code with root-level privileges by exploiting improper file validation in system flash memory.

Product: Cisco Adaptive Security Appliance Software

CVSS Score: 6.0

** KEV since 2024-04-24 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20359

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

CVE-2024-2389 - Flowmon is vulnerable to an operating system command injection flaw, allowing unauthenticated users to execute arbitrary commands via the management interface.

Product: Flowmon

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2389

ISC Podcast: https://isc.sans.edu/podcastdetail/8952

CVE-2024-32658 & CVE-2024-32659 - FreeRDP prior to version 3.5.1 has out-of-bounds read vulnerabilities

Product: FreeRDP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32658

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32659

NVD References:

- https://github.com/FreeRDP/FreeRDP/commit/1a755d898ddc028cc818d0dd9d49d5acff4c44bf

- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vpv3-m3m9-4c2v

- https://oss-fuzz.com/testcase-detail/4852534033317888

- https://oss-fuzz.com/testcase-detail/6196819496337408

- https://github.com/FreeRDP/FreeRDP/commit/6430945ce003a5e24d454d8566f54aae1b6b617b

- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jgr-7r33-x87w

- https://oss-fuzz.com/testcase-detail/6156779722440704

CVE-2024-32948 - Missing Authorization vulnerability in Repute Infosystems ARMember. This issue affects ARMember: from n/a through 4.0.28.

Product: Repute Infosystems ARMember

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32948

NVD References: https://patchstack.com/database/vulnerability/armember-membership/wordpress-armember-membership-plugin-plugin-4-0-28-broken-access-control-vulnerability?_s_id=cve

CVE-2024-32709 - Plechev Andrey WP-Recall is vulnerable to SQL Injection from versions n/a through 16.26.5.

Product: Plechev Andrey WP-Recall

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32709

NVD References: https://patchstack.com/database/vulnerability/wp-recall/wordpress-wp-recall-plugin-16-26-5-sql-injection-vulnerability?_s_id=cve

CVE-2024-32836 - WP-Lister Lite for eBay allows unrestricted upload of files with dangerous types, posing a security risk from versions n/a through 3.5.11.

Product: WP Lab WP-Lister Lite for eBay

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32836

NVD References: https://patchstack.com/database/vulnerability/wp-lister-for-ebay/wordpress-wp-lister-lite-for-ebay-plugin-3-5-11-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-32954 - Unrestricted Upload of File with Dangerous Type vulnerability in Tribulant Newsletters. This issue affects Newsletters: from n/a through 4.9.5.

Product: Tribulant Newsletters

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32954

NVD References: https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-9-5-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2023-31090 - Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows unrestricted upload of dangerous file types, enabling attackers to upload a web shell to a web server.

Product: Unlimited Elements Unlimited Elements For Elementor

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-31090

NVD References: https://patchstack.com/database/vulnerability/unlimited-elements-for-elementor/wordpress-unlimited-elements-for-elementor-plugin-1-5-60-unrestricted-zip-extraction-vulnerability?_s_id=cve

CVE-2023-51425 - Rencontre – Dating Site is vulnerable to Privilege Escalation due to Improper Privilege Management from version n/a through 3.10.1.

Product: Jacques Malgrange Rencontre – Dating Site

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51425

NVD References: https://patchstack.com/database/vulnerability/rencontre/wordpress-rencontre-plugin-3-10-1-unauthenticated-account-takeover-vulnerability?_s_id=cve

CVE-2023-51472 - Mestres do WP Checkout Mestres WP is vulnerable to Privilege Escalation due to Improper Authentication in versions n/a through 7.1.9.7.

Product: Mestres do WP Checkout Mestres WP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51472

NVD References: https://patchstack.com/database/vulnerability/checkout-mestres-wp/wordpress-checkout-mestres-wp-plugin-7-1-9-6-unauthenticated-account-takeover-vulnerability?_s_id=cve

CVE-2023-51477 - BuddyBoss Theme allows unauthorized access to functionality not properly constrained by ACLs, affecting versions from n/a through 2.4.60.

Product: BuddyBoss Theme

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51477

NVD References: https://patchstack.com/database/vulnerability/buddyboss-theme/wordpress-buddyboss-theme-theme-2-4-60-unauthenticated-arbitrary-wordpress-settings-change-vulnerability?_s_id=cve

CVE-2023-51478 - Abdul Hakeem Build App Online is vulnerable to improper authentication, enabling privilege escalation from version n/a through 1.0.19.

Product: Abdul Hakeem Build App Online

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51478

NVD References: https://patchstack.com/database/vulnerability/build-app-online/wordpress-build-app-online-plugin-1-0-19-unauthenticated-account-takeover-vulnerability?_s_id=cve

CVE-2023-51482 - EazyPlugins Eazy Plugin Manager is vulnerable to improper authentication, allowing unauthorized access to functionalities not properly restricted by ACLs.

Product: EazyPlugins Eazy Plugin Manager

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51482

NVD References: https://patchstack.com/database/vulnerability/plugins-on-steroids/wordpress-eazy-plugin-manager-plugin-4-1-2-subscriber-arbitrary-options-update-lead-to-rce-vulnerability?_s_id=cve

CVE-2023-51484 - WP Login as User or Customer (User Switching) versions up to 3.8 allow unauthorized users to elevate their privileges through improper authentication.

Product: WP Login as User or Customer (User Switching)

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51484

NVD References: https://patchstack.com/database/vulnerability/login-as-customer-or-user/wordpress-login-as-user-or-customer-plugin-3-8-unauthenticated-account-takeover-vulnerability?_s_id=cve

CVE-2024-22144 - Eli Scheetz Anti-Malware Security and Brute-Force Firewall has a Code Injection vulnerability allowing attackers to inject malicious code.

Product: Eli Scheetz Anti-Malware Security and Brute-Force Firewall

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22144

NVD References:

- https://patchstack.com/articles/critical-vulnerability-found-in-gotmls-plugin?_s_id=cve

- https://patchstack.com/database/vulnerability/gotmls/wordpress-anti-malware-security-and-brute-force-firewall-plugin-4-21-96-unauthenticated-predictable-nonce-brute-force-leading-to-rce-vulnerability?_s_id=cve

- https://sec.stealthcopter.com/cve-2024-22144/

CVE-2024-30560 - Cross-Site Request Forgery (CSRF) vulnerability in WP DX-Watermark. This issue affects DX-Watermark: from n/a through 1.0.4.

Product: WP DX-Watermark

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30560

NVD References: https://patchstack.com/database/vulnerability/dx-watermark/wordpress-dx-watermark-plugin-1-0-4-csrf-to-arbitrary-file-upload-and-xss-vulnerability?_s_id=cve

CVE-2024-31266 - AlgolPlus Advanced Order Export For WooCommerce is vulnerable to Code Injection from version n/a through 3.4.4.

Product: AlgolPlus Advanced Order Export For WooCommerce

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-31266

NVD References: https://patchstack.com/database/vulnerability/woo-order-export-lite/wordpress-advanced-order-export-for-woocommerce-plugin-3-4-4-remote-code-execution-vulnerability?_s_id=cve

CVE-2022-36028 & CVE-2022-36029 - Greenlight has open redirect vulnerabilities in versions prior to 2.13.0 within the Login page.

Product: BigBlueButton Greenlight

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-36028

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-36029

NVD References:

- https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623

- https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403ba

CVE-2024-0916 - Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3.

Product: UvDesk Community

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0916

NVD References:

- https://github.com/uvdesk/core-framework/pull/706

- https://pentraze.com/vulnerability-reports/

CVE-2024-32651 - Changedetection.io is vulnerable to Server Side Template Injection (SSTI) in Jinja2, allowing attackers to execute remote commands and potentially takeover the server machine.

Product: Changedetection.io

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32651

NVD References:

- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21

- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3

- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2

CVE-2024-3962 - The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.

Product: Product Addons & Fields for WooCommerce

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3962

NVD References:

- https://plugins.trac.wordpress.org/changeset/3075669/woocommerce-product-addon

- https://themeisle.com/plugins/ppom-pro/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/4f95bcc3-354e-4016-9a17-945569b076b6?source=cve

CVE-2024-0740 - Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 allows remote code execution without authentication, fixed in Eclipse IDE 2024-03.

Product: Eclipse Foundation Eclipse Target Management

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0740

NVD References:

- https://git.eclipse.org/r/c/tm/org.eclipse.tm/+/202145

- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/171

CVE-2023-47222 - Media Streaming add-on has an exposure of sensitive information vulnerability that could compromise system security via network exploitation, now fixed in version 500.1.1.5.

Product: Media Streaming add-on

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47222

NVD References: https://www.qnap.com/en/security-advisory/qsa-24-15

CVE-2024-32764 - myQNAPcloud Link is vulnerable to missing authentication for critical function allowing unauthorized users to access certain features.

Product: QNAP myQNAPcloud Link

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32764

NVD References: https://www.qnap.com/en/security-advisory/qsa-24-09

CVE-2024-32766 - QNAP operating systems versions are vulnerable to OS command injection, allowing users to execute commands via a network, but the issue has been fixed in the latest releases.

Product: QNAP QTS

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32766

NVD References: https://www.qnap.com/en/security-advisory/qsa-24-09

CVE-2024-32880 - Pyload allows authenticated users to leverage a folder change vulnerability to upload a malicious template and achieve remote code execution, with no current fix in place.

Product: pyLoad Download Manager

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32880

NVD References: https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f

CVE-2024-32881 - Danswer is vulnerable to unauthorized access to slack bot tokens, potentially leading to full compromise of the customer's slack bot.

Product: Danswer

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32881

NVD References:

- https://github.com/danswer-ai/danswer/commit/89ff07a96b41be9e05256bd252105be233f4d28a

- https://github.com/danswer-ai/danswer/commit/bd7e21a6388775e850d6f716675a893c72881e56

- https://github.com/danswer-ai/danswer/security/advisories/GHSA-xr9w-3ggr-hr6j

CVE-2024-3342 - The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection through the 'events' attribute of the 'mp-timetable' shortcode in versions up to 2.4.11, allowing authenticated attackers with contributor-level access to extract sensitive database information.

Product: MotoPress Timetable and Event Schedule

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3342

NVD References:

- https://plugins.trac.wordpress.org/changeset/3077596/mp-timetable/trunk/classes/models/class-events.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/9670bd32-34ce-48b1-82d9-62ab8869a89b?source=cve

CVE-2024-1874 - PHP versions 8.1.*, 8.2.*, and 8.3.* are vulnerable to arbitrary command execution in Windows shell when using proc_open() with array syntax.

Product: PHP

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1874

NVD References: https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7

CVE-2024-4300 - E-WEBInformationCo. FS-EZViewer(Web) allows remote attackers to access database credentials and host IP address by revealing sensitive information in the service.

Product: E-WEBInformationCo. FS-EZViewer(Web)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4300

NVD References: https://www.twcert.org.tw/tw/cp-132-7774-fbd01-1.html

CVE-2024-33551 - XStore Core versions up to 5.3.5 suffer from an SQL Injection vulnerability due to improper neutralization of special elements in SQL commands.

Product: 8theme XStore Core

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33551

NVD References: https://patchstack.com/database/vulnerability/et-core-plugin/wordpress-xstore-core-plugin-5-3-5-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-33553 - Deserialization of Untrusted Data vulnerability in 8theme XStore Core. This issue affects XStore Core: from n/a through 5.3.5.

Product: 8theme XStore Core

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33553

NVD References: https://patchstack.com/database/vulnerability/et-core-plugin/wordpress-xstore-core-plugin-5-3-5-unauthenticated-php-object-injection-vulnerability?_s_id=cve

CVE-2024-33559 - XStore is vulnerable to SQL Injection from versions n/a through 9.3.5.

Product: 8theme XStore

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33559

NVD References: https://patchstack.com/database/vulnerability/xstore/wordpress-xstore-theme-9-3-5-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-33544 & CVE-2024-33546 - AA-Team WZone through 14.0.10 has SQL Injection vulnerabilities

Product: AA-Team WZone

CVSS Scores: 9.3 - 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33544

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33546

NVD References: https://patchstack.com/database/vulnerability/woozone/wordpress-wzone-plugin-14-0-10-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-3191 - MailCleaner up to 2023.03.14 is vulnerable to a critical issue in its Email Handler component, leading to remote OS command injection.

Product: MailCleaner

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3191

NVD References:

- https://github.com/MailCleaner/MailCleaner/pull/601

- https://modzero.com/en/advisories/mz-24-01-mailcleaner/

- https://modzero.com/static/MZ-24-01_modzero_MailCleaner.pdf

- https://vuldb.com/?ctiid.262307

- https://vuldb.com/?id.262307

CVE-2024-33566 - Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection. This issue affects OrderConvo: from n/a through 12.4.

Product: N-Media OrderConvo

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33566

NVD References: https://patchstack.com/database/vulnerability/admin-and-client-message-after-order-for-woocommerce/wordpress-orderconvo-plugin-12-4-unauthenticated-api-access-to-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-3375 - Dialogue in Havelsan Inc. allows unauthorized access to critical resources due to improper permission assignment.

Product: Havelsan Inc. Dialogue

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3375

NVD References: https://www.usom.gov.tr/bildirim/tr-24-0363

CVE-2024-4306 - HubBank version 1.0.2 is vulnerable to a critical unrestricted file upload bug, enabling registered users to upload malicious PHP files through document upload fields and execute webshells.

Product: HubBank

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4306

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank