Rewterz Threat Advisory – Cisco Small Business RV Series Routers Command Injection Vulnerabilities
August 4, 2020
Severity
High
Analysis Summary
This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. Exploitation may result in complete system compromise. BIG-IP systems in Appliance mode are also vulnerable. The issue is not exposed on the data plane; only the control plane is affected.
The bug is a remote code execution (RCE) vulnerability in the BIG-IP management interface, the Traffic Management User Interface (TMUI). The mitigation rule F5 published for Apache httpd indicates that one way to exploit it is an HTTP GET request whose URI contains a semicolon: the semicolon is a character the exploit depends on, which is why the httpd rule rejects any TMUI request URI containing one. Subsequent analysis shows that an IoT botnet author has added a scanner for this vulnerability to existing and/or new malware variants; the samples are listed below, and the Yara rule the advisory refers to is not reproduced on this page.
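As an added example (not code from the advisory, from F5 or from the botnet analysis), the following Python script applies the detection idea above to web-server access logs: it flags requests to the TMUI whose URI path contains a semicolon, including the percent-encoded form %3B. The log format (Apache common/combined) and the restriction to the /tmui/ path are assumptions made here, and SAMPLE_LOG is constructed rather than captured traffic.

```python
"""Flag TMUI requests whose URI path contains a semicolon, the pattern the
httpd mitigation above keys on. Added example; the log format (Apache
common/combined) and the /tmui/ scoping are assumptions, and SAMPLE_LOG is
constructed, not real traffic."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    uri: str
    status: int


def is_suspicious_tmui_uri(uri: str) -> bool:
    """True when the request path targets /tmui/ and contains ';'.

    Only the path (before '?') is checked, after one round of percent-decoding
    so that %3B cannot be used to slip past the check. Restricting to /tmui/ is
    a choice made here to reduce noise; F5's httpd rule rejects ';' anywhere.
    """
    path = unquote(uri.split("?", 1)[0])
    return path.lower().startswith("/tmui/") and ";" in path


def parse_access_log_line(line: str):
    """Return the parsed fields, or None for a line not in the expected format."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text: str):
    """Return a Hit for every log line matching the exploitation pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_access_log_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the scan
        if is_suspicious_tmui_uri(rec["uri"]):
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"],
                            rec["uri"], int(rec["status"])))
    return hits


# Constructed sample log (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Aug/2020:10:15:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4512
203.0.113.10 - - [04/Aug/2020:10:15:02 +0000] "GET /tmui/login.jsp;x=1 HTTP/1.1" 200 1024
198.51.100.7 - - [04/Aug/2020:10:16:30 +0000] "GET /tmui/login.jsp%3Bx=1?a=b HTTP/1.1" 404 215
198.51.100.7 - - [04/Aug/2020:10:16:31 +0000] "GET /static/app.js;v=2 HTTP/1.1" 200 9000
198.51.100.7 - - [04/Aug/2020:10:16:32 +0000] "GET /tmui/login.jsp?next=a;b HTTP/1.1" 200 4512
not a well-formed access log line
"""

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h.ts} {h.ip} {h.method} {h.uri} -> {h.status}")
```

Only the second and third sample lines are reported: the semicolon in the fourth line is outside /tmui/, and in the fifth it sits in the query string rather than the path. A 404 on a flagged request is consistent with the httpd mitigation having been applied; a 200 is the line to investigate first.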
Impact
- Remote code execution
Indicators of Compromise
SHA-256
- acb930a41abdc4b055e2e3806aad85068be8d85e0e0610be35e784bfd7cf5b0e
- 037859323285e0bbbc054f43b642c48f2826924149cb1c494cbbf1fc8707f942
- 55c4675a84c1ee40e67209dfde25a5d1c1979454ec2120047026d94f64d57744
- 03254e6240c35f7d787ca5175ffc36818185e62bdfc4d88d5b342451a747156d
- 204cbad52dde24ab3df41c58021d8039910bf7ea07645e70780c2dbd66f7e90b
- 3f8e65988b8e2909f0ea5605f655348efb87565566808c29d136001239b7dfa9
- 15b2ee07246684f93b996b41578ff32332f4f2a60ef3626df9dc740405e45751
- 0ca27c002e3f905dddf9083c9b2f8b3c0ba8fb0976c6a06180f623c6acc6d8ca
- ecc1e3f8332de94d830ed97cd07867b90a405bc9cc1b8deccec51badb4a2707c
- e71aca778ea1753973b23e6aa29d1445f93dc15e531c706b6165502d6cf0bfa4
URL
- hxxp[:]//78[.]142[.]18[.]20
- hxxp[:]//79[.]124[.]8[.]24/bins/
Remediation
- Block all threat indicators at your respective controls.
- Ensure that IoT device firmware is running the latest version.
- Search for IOCs in your environment.
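To make the indicators above actionable, the following Python script (an added example, not tooling from the advisory) refangs the defanged URLs to obtain hosts for a perimeter blocklist and hashes files on disk against the SHA-256 list. The hash and URL lists are copied from the advisory; the temporary file used in self_check() is constructed so the scanner can be exercised without a malware sample, and the handling of a doubled scheme prefix ("http[:]//hxxp[:]//...") covers a defanging artifact some feeds produce.

```python
"""Turn the advisory's indicators into something searchable: refang the
defanged URLs to get hosts for a blocklist, and hash files on disk against
the SHA-256 list. Added example, not the advisory's own tooling; the hash and
URL lists are copied from the advisory, the file in self_check() is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# SHA-256 indicators exactly as listed in the advisory.
IOC_SHA256 = {
    "acb930a41abdc4b055e2e3806aad85068be8d85e0e0610be35e784bfd7cf5b0e",
    "037859323285e0bbbc054f43b642c48f2826924149cb1c494cbbf1fc8707f942",
    "55c4675a84c1ee40e67209dfde25a5d1c1979454ec2120047026d94f64d57744",
    "03254e6240c35f7d787ca5175ffc36818185e62bdfc4d88d5b342451a747156d",
    "204cbad52dde24ab3df41c58021d8039910bf7ea07645e70780c2dbd66f7e90b",
    "3f8e65988b8e2909f0ea5605f655348efb87565566808c29d136001239b7dfa9",
    "15b2ee07246684f93b996b41578ff32332f4f2a60ef3626df9dc740405e45751",
    "0ca27c002e3f905dddf9083c9b2f8b3c0ba8fb0976c6a06180f623c6acc6d8ca",
    "ecc1e3f8332de94d830ed97cd07867b90a405bc9cc1b8deccec51badb4a2707c",
    "e71aca778ea1753973b23e6aa29d1445f93dc15e531c706b6165502d6cf0bfa4",
}

# URL indicators as listed in the advisory, in defanged form.
DEFANGED_URLS = [
    "hxxp[:]//78[.]142[.]18[.]20",
    "hxxp[:]//79[.]124[.]8[.]24/bins/",
]

_SCHEME = r"(?:https?|hxxps?)(?:\[:\]|:)//"


def refang(indicator: str) -> str:
    """Reverse the usual defanging (hxxp, [:], [.]).

    Some feeds prepend a second scheme when defanging ("http[:]//hxxp[:]//..."),
    so any leading duplicate schemes are dropped before the rest is restored.
    """
    s = indicator.strip()
    s = re.sub(rf"^(?:{_SCHEME})+(?={_SCHEME})", "", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[.]", ".")


def blocklist_hosts(defanged_urls):
    """Hostnames/IPs for a perimeter blocklist, derived from the URL IOCs."""
    hosts = set()
    for u in defanged_urls:
        host = urlsplit(refang(u)).hostname
        if host:
            hosts.add(host)
    return hosts


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, iocs):
    """Return (path, digest) for every regular file under root whose SHA-256 is in iocs."""
    matches = []
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            digest = sha256_of(p)
            if digest in iocs:
                matches.append((p, digest))
    return matches


def self_check() -> bool:
    """Exercise the scanner without a malware sample: hash a constructed file,
    scan with its own digest as the IOC set, and confirm it is the only match
    while the advisory's real hashes match nothing."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = root / "constructed.bin"
        sample.write_bytes(b"constructed test content, not a malware sample")
        digest = sha256_of(sample)
        found = scan_tree(root, {digest})
        real = scan_tree(root, IOC_SHA256)
        return [m[1] for m in found] == [digest] and real == []


if __name__ == "__main__":
    print("block:", sorted(blocklist_hosts(DEFANGED_URLS)))
    print("self-check:", self_check())
```

In practice scan_tree would be pointed at download caches, temp directories and the filesystems of the IoT devices themselves, and blocklist_hosts feeds the firewall or DNS sinkhole; hash matching only catches these exact samples, so a variant rebuilt by the botnet author will need the referenced Yara rule or the log-based detection rather than this list.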