A Week of RCE (Remote Code Execution)

‍CVE-2024-36971

Affecting the Android Kernel (we don’t hear that often), a use-after-free vulnerability was discovered. CVE-2024-36971 allows an attacker to possibly execute code remotely on affected devices although relevant system privileges are required before this can be abused successfully. Given a CVSS score of 7.8, the requirement of pre-existing conditions might indicate a decrease in criticality.

Even though it has a low EPSS score of 0.00172, CISA has reported that this exploit was seen being exploited in the wild and consequently, added to the Known Exploited Vulnerability catalog^[1].

CVE-2024-32113

Seems like Apache can’t catch a break, with a critical path traversal vulnerability being disclosed in their ERP offering OFBiz. With a high CVSS score of 9.1, CVE-2024-32113 can potentially lead to remote code execution due to access to directories which are by default restricted. The improper limitation affects versions before 18.12.13 of OFBiz and users are recommended to upgrade to 18.12.13.

With reports of exploitation by attackers, CISA also added this flaw to their KEV catalog and the CVE has an EPSS score of 0.06264^[1].

CVE-2024-4885

Continuing the critical bugs conversation, Progress’s network monitoring software Whatsup Gold is exposed to a remote code execution flaw resulting in a critical CVSS score of 9.8. The flaw exists in the GetFileWithoutZip function which lacks proper implementation of paths inputted by users.

It was reported this flaw is under active attack since 1st August with multiple public exploits available, although it has a low EPSS score of 0.00072^[2].

CVE-2024-7029

A pre-authentication command injection vulnerability was discovered in Avtech Security’s IP Camera. Affecting the AVM1203 firmware version FullImg-1023-1007-1011-1009 and earlier, this flaw allows attackers to inject and execute commands over the network without any sort of authentication. With a high CVSS score of 8.7 and relatively low EPSS score of 0.00043, the vulnerability has been reportedly being exploited since March and attackers have been using the flaw to spread malware, possibly a Mirai variant^[3].

CVE-2018-0824

Another trend we have been seeing for the past few weeks is resurgence of years old Windows exploits being seen in the wild. A six year old remote code execution vulnerability, CVE-2018-0824 was recently added to the CISA’s Known Exploited Vulnerability catalog recently as it is actively exploited towards unpatched systems.

A high severity bug with a CVSS score of 7.5, and due to the recent exploits in the wild a high EPSS score of 0.96256^[4].

‍CVE-2023-4966

Mass scanning and exploitation is still ongoing for CVE-2023-4966, aptly named “Citrix Bleed” due to the flaw leaking the session token, affecting Citrix NetScaler ADC and NetScaler Gateway. The underlying issue for this vulnerability is a buffer overflow flaw in one of the sprintf() function which handles OpenID authorization^[5]. 

The exploit has been seen as being  exploited as a zero-day previously and is, expectedly, critical in nature. Consequently, this CVE was added to CISA’s KEV.

CVE-2022-25168

Critical flaw in Apache Hadoop, CVE-2022-25168 allows attackers to execute code remotely. The issue arises due to how Hadoop parses uploaded file archives: no sufficient checks are made on the zipped/tarred file before it is passed to the shell which can lead to unintended parsing of command injected in the file name, resulting in code execution.

‍

Cytellite sensors also experienced significant exploit activity and mass scanning. The remote code execution vulnerabilities CVE-2024-3273 and CVE-2024-27348 are actively being exploited. Additionally, there has been a noticeable increase in exploitation attempts of older CVEs and exploits targeting IoT devices. For further details, please refer to our previous report.

‍CVE-2023-26801

The infamous Mirai botnet has a variant that has been seen exploiting CVE-2023-26801. A common injection vulnerability in LB-LINK routers, where attackers can execute code remotely through injecting malicious keywords in the parameters of the HTTP request towards /goform/set_LimitClient_cfg.

The variant, known as IZ1H9, is using this vulnerability combined with other CVEs affecting routers. A total compromise of the target device can lead to using them as part of large scale DDoS attacks^[7].

CVE-2014-8361

Multiple different families of malware have been seen exploiting CVE-2014-8361, a remote code execution flaw in Realtek SDK’s miniigd SOAP service. The flaw can be exploited through a crafted NewInternalClient request and has been actively exploited in the wild. 

Targeting IoT devices, Gadget aka Bashlite botnet malware, a Linux based malware, was seen using this CVE for malware delivery^[8]. A botnet worm that propagates through GitHub and Pastebin called Gitpaste-12^[9] exploited multiple device exploits, along with CVE-2014-8361. Go-based HinataBot^[10] was also seen exploiting this, alongside Yowai^[11], ZHTrap^[12] and Zerobot^[13].

‍

Critical Apache HTTP exploit CVE-2021-41773^[14] and older vulnerability CVE-2017-17215^[15] affecting Huawei routers are still under active exploitation. For further details, please refer to our previous report.

‍CVE-2024-32113

The OFBiz vulnerability we discussed in the first section, saw scanning activity in order to take advantage of it originating from Mirai malware variants. Although patched back in May, the exploitation is very simple, which might provide an increase in exploitation attempts in order to deliver the Mirai variants^[16].

CVE-2024-7029

Another trending vulnerability being exploited by Mirai variants, CVE-2024-7029 is pre-authentication command injection vulnerability in Avtech IP cameras. With reportedly no patches available, attackers are exploiting this in the wild for the purpose of malware delivery, which looks like another Mirai botnet. CISA has warned against active attacks towards this, and as mentioned earlier, has added the CVE to their Known Exploited Vulnerabilities catalog^[2].

The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chance of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.

1. https://www.cisa.gov/news-events/alerts/2024/08/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
2. https://thehackernews.com/2024/08/critical-security-flaw-in-whatsup-gold.html
3. https://www.securityweek.com/cisa-warns-of-avtech-camera-vulnerability-exploited-in-wild/
4. https://www.cisa.gov/news-events/alerts/2024/08/05/cisa-adds-one-known-exploited-vulnerability-catalog
5. https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
6. https://cujo.com/blog/the-zerobot-botnet-vulnerabilities-targeted-and-exploits-used-in-detail/
7. https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/
8. https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/
9. https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpaste-12-spreads-via-github-and-pastebin/
10. https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
11. https://cyware.com/news/cybercriminals-exploit-thinkphp-vulnerability-via-hakai-and-yowai-botnets-a8bc3d86
12. https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/
13. https://cujo.com/blog/the-zerobot-botnet-vulnerabilities-targeted-and-exploits-used-in-detail/
14. https://cujo.com/blog/the-zerobot-botnet-vulnerabilities-targeted-and-exploits-used-in-detail/
15. https://cujo.com/blog/the-sysrv-botnet-and-how-it-evolved/
16. https://isc.sans.edu/diary/rss/31132