Severity
High
Analysis Summary
The following five vulnerabilities are being actively exploited by threat actors. They pose a serious risk to organizations that have not patched and mitigated them. The Zoho vulnerabilities are being actively exploited by state-sponsored threat groups (APTs). Cisco and cybersecurity agencies have warned of exploitation of the Apache HTTP Server vulnerability. Google has also warned that the Qualcomm vulnerability is being used by threat actors in targeted, limited attacks.
CVE-2021-44077
Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in the /RestAPI URLs of a servlet and in ImportTechnicians in the Struts configuration. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2018-14847
MikroTik RouterOS could allow a remote attacker to bypass security restrictions, caused by improper validation of the Session ID in Winbox. By sending a specially crafted Session ID, an attacker could exploit this vulnerability to read arbitrary files on the system.
CVE-2021-40438
Apache HTTP Server is vulnerable to server-side request forgery, caused by an error in mod_proxy. By sending a specially crafted request URI path, a remote attacker could exploit this vulnerability to have the request forwarded to an origin server of the attacker's choosing.
CVE-2020-11261
Multiple Qualcomm chipsets could allow a local attacker to gain elevated privileges on the system, caused by improper input validation in the Graphics component. By executing a specially crafted program, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
CVE-2021-37415
Zoho ManageEngine ServiceDesk Plus could allow a remote attacker to bypass security restrictions, caused by a few REST API URLs being accessible without authentication. An attacker could exploit this vulnerability to reach those URLs without authenticating.
Impact
- Access Gain
- Security Bypass
- Privilege Escalation
Affected Vendors
- Apache
- Zoho
- Qualcomm
- MikroTik
Affected Products
- Zoho ManageEngine ServiceDesk Plus 11301
- Zoho ManageEngine ServiceDesk Plus 11305
- Zoho ManageEngine ServiceDesk Plus MSP 10527
- Zoho ManageEngine ServiceDesk Plus MSP 10529
- Zoho ManageEngine SupportCenter Plus 11012
- MikroTik RouterOS 6.29
- MikroTik RouterOS 6.42
- Apache HTTP Server 2.4.48 and older
- Qualcomm kernel/msm 4.18 and older
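A quick way to turn the affected-product list above into an inventory check, as an added example (not Rewterz's code): products the alert names by exact build are matched on equality, products described as "and older" are matched by version comparison. Hostnames and version strings in INVENTORY are constructed sample data; the affected builds and version ceilings are the ones listed in this alert.

```python
import re
from typing import Iterable

# Products the alert lists with specific affected builds: match on equality.
EXACT_BUILDS = {
    "zoho manageengine servicedesk plus": {"11305", "11301"},
    "zoho manageengine servicedesk plus msp": {"10527", "10529"},
    "zoho manageengine supportcenter plus": {"11012"},
    "mikrotik routeros": {"6.29", "6.42"},
}
# Products the alert describes as "<version> and older": match on <=.
MAX_AFFECTED = {
    "apache http server": "2.4.48",
    "qualcomm kernel/msm": "4.18",
}

def parse_version(text: str) -> tuple:
    """Turn '2.4.48', 'Apache/2.4.51 (Ubuntu)' or '6.42' into a comparable tuple."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(product: str, version: str) -> bool:
    """True when the alert lists this product/version as affected."""
    key = product.strip().lower()
    if key in EXACT_BUILDS:
        return version.strip() in EXACT_BUILDS[key]
    if key in MAX_AFFECTED:
        return parse_version(version) <= parse_version(MAX_AFFECTED[key])
    return False  # product not covered by this alert

def triage(inventory: Iterable[tuple]) -> list:
    """Return sorted hostnames whose (product, version) the alert lists as affected."""
    return sorted({host for host, prod, ver in inventory if is_affected(prod, ver)})

# Constructed sample inventory, not real hosts: (hostname, product, version)
INVENTORY = [
    ("web-01", "Apache HTTP Server", "Apache/2.4.46 (Ubuntu)"),
    ("web-02", "Apache HTTP Server", "2.4.51"),
    ("sd-01", "Zoho ManageEngine ServiceDesk Plus", "11305"),
    ("sd-02", "Zoho ManageEngine ServiceDesk Plus", "11306"),
    ("edge-01", "MikroTik RouterOS", "6.42"),
    ("edge-02", "MikroTik RouterOS", "6.49"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("REVIEW:", host)
```

A hit means the build or version is one the alert lists, nothing more: distribution packages that backport the Apache fix keep an old version banner and need to be checked against the vendor's changelog instead.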
Remediation
- Upgrade to the latest version of Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus, available from the Zoho Web site.
- Upgrade to the latest version of MikroTik RouterOS, available from the MikroTik Web site.
- Upgrade to the latest version of Apache HTTP Server, available from the Apache Web site.
- Apply the latest Qualcomm updates for the affected chipsets, available from the Qualcomm Web site.