Last updated at Thu, 21 Dec 2023 22:23:15 GMT
Back from a quiet holiday season
Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes.
Make sure that your OpenTSDB isn’t too open
Of particular note in this release is a new module from community contributors Erik Wynter and Shai rod, which adds a new exploit module for CVE-2020-35476, an unauthenticated command injection vulnerability in the `yrange` parameter in OpenTSDB <= 2.4.0.
OpenTSDB is monitoring software that runs on top of Hadoop and HBase to let users serve large amounts of time-series data without losing any granularity in the data itself. If you are wondering what that mess of buzzwords means, it is simply a database optimized to store time-stamped events or measurements. This also means that the target is likely to be storing a lot of metrics data, which may include sensitive internal operations, making it a prime target for exploitation.
Successful exploitation of this vulnerability will result in remote code execution as the `root` user, meaning that an attacker can go from being completely unauthenticated to having full control over affected OpenTSDB devices. This could then allow the attacker to pivot further into the target network, using either the privileges they have gained on the OpenTSDB device, or details from the logs on the OpenTSDB device, which may provide insight into weaknesses of the network or give access to sensitive information.
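One defensive check worth running against the access logs of an exposed OpenTSDB instance is to flag requests whose `yrange` parameter does not look like a plain numeric range, since anything else has no business in that field. This is an added example, not code from the Metasploit module or from OpenTSDB; the `/q` query endpoint, the Combined Log Format input and the accepted range grammar are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for a gnuplot-style range such as "[0:100]", "[:50]" or "[*:*]".
# Assumption for this example: OpenTSDB only ever needs numbers, "*" or an
# empty bound on either side of the colon, so anything else is flagged.
_BOUND = r"(?:\*|[-+]?\d*(?:\.\d+)?(?:[eE][-+]?\d+)?)?"
RANGE_RE = re.compile(r"^\[" + _BOUND + ":" + _BOUND + r"\]$")

# Constructed sample log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2022:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu&yrange=%5B0:100%5D&png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Dec/2022:10:00:07 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu HTTP/1.1" 200 2048',
    '198.51.100.7 - - [21/Dec/2022:10:00:12 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu&yrange=%5B0:abc%5D&png HTTP/1.1" 200 5120',
]


def yrange_is_well_formed(value: str) -> bool:
    """True if the decoded yrange value fits the numeric-range allowlist."""
    return bool(RANGE_RE.match(value))


def suspicious_yrange_requests(log_lines):
    """Return (client_ip, yrange_value) for every GET whose yrange fails the allowlist."""
    findings = []
    for line in log_lines:
        parts = line.split()
        # Fields: ip, ident, user, [date, zone], "METHOD, path, protocol", status, size
        if len(parts) < 7 or parts[5] != '"GET':
            continue
        query = parse_qs(urlsplit(parts[6]).query, keep_blank_values=True)
        for value in query.get("yrange", []):  # parse_qs already URL-decodes %5B/%5D
            if not yrange_is_well_formed(value):
                findings.append((parts[0], value))
    return findings


if __name__ == "__main__":
    for ip, value in suspicious_yrange_requests(SAMPLE_LOG):
        print(f"suspicious yrange from {ip}: {value!r}")
```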
New module content (3)
- Linear eMerge E3-Series Access Controller Command Injection by Gjoko Krstic (gjoko[at]applied-risk.com) and h00die-gr3y, which exploits CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions 1.00-06 and below in the `No` and `door` parameters of `card_scan_decoder.php`. Successful exploitation results in RCE as the `root` user.
- OpenTSDB 2.4.0 unauthenticated command injection by ErikWynter and Shai rod, which exploits CVE-2020-35476, an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0.
- SolarWinds Orion Secrets Dump by Rob Fuller and npm-cesium137-io - This adds a post module for extracting encrypted credentials from SolarWinds Orion NPM.
Enhancements and features (2)
- #17258 from h00die - This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with Bloodhound 4. This includes both the .ps1 and binary from the original repository.
- #17380 from smashery - The list of user agent strings inside `lib/rex/user_agent.rb` has been updated to reflect the latest user agents as of December 2022.
Bugs fixed (5)
- #17334 from bcoles - Multiple improvements to `modules/post/linux/gather/enum_commands`, including fixing a crash when attempting to search a path that doesn't exist.
- #17389 from ErikWynter - log4shell_header_injection bugfix to prevent NoMethodError for nil:NilClass.
- #17409 from adfoster-r7 - Update rhost walker to handle interrupt signal
- #17416 from MegaManSec - The `jenkins_gather.rb` module has been updated to use `.blank?` instead of `.empty?` when handling SSH key details, to prevent crashes should the various elements of the SSH key be empty or `nil`.
- #17435 from jmartin-r7 - A bug has been fixed whereby some modules were accidentally updated to use `smtp_send_recv` when they did not import the required `Exploit::Remote::SMTPDeliver` mixin. These modules have been updated to use the appropriate `raw_send_recv` method instead.
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).