Rewterz Threat Update – 2021 CVEs Being Exploited in the Wild

Severity

High

Analysis Summary

The following CVEs are being actively exploited in the wild by threat actors. Immediate action is suggested: confirm whether any of the affected products below are deployed, apply the vendor patches, and review the listed systems for signs of prior compromise, since patching alone does not evict an attacker who has already exploited them.

CVE-2021-26855:

A server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. A remote, unauthenticated attacker can send arbitrary HTTP requests to the server and authenticate as the Exchange server itself, which is why this vulnerability is typically the entry point for chaining the three below.

CVE-2021-26857:

An insecure deserialization vulnerability in the Exchange Unified Messaging service. Exploitation requires administrator permission or another vulnerability (such as CVE-2021-26855) to reach the vulnerable code, and results in code execution as SYSTEM on the Exchange server.

CVE-2021-26858:

A post-authentication arbitrary file write vulnerability in Exchange. An attacker who has authenticated, for example by abusing CVE-2021-26855 or by compromising a legitimate administrator's credentials, can write a file to any path on the server.

CVE-2021-27065:

A post-authentication arbitrary file write vulnerability in Exchange, with the same preconditions and impact as CVE-2021-26858.

CVE-2021-22893: 

An authentication bypass vulnerability in Pulse Connect Secure that was exploited as a zero-day and allows an attacker to run arbitrary code on the Pulse Connect Secure gateway. A remote, unauthenticated attacker can send a specially crafted HTTP request to the vulnerable gateway to exploit the vulnerability and gain access to the target system.

CVE-2021-22894:

Pulse Connect Secure is vulnerable to a buffer overflow, caused by improper bounds checking. By persuading a victim to connect to a maliciously-crafted meeting room, a remote authenticated attacker could overflow a buffer and execute arbitrary code with root privileges on the system.

CVE-2021-22899:

Pulse Connect Secure could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the Windows Resource Profiles feature. By supplying crafted input through that feature, an attacker could exploit this vulnerability to execute arbitrary commands on the underlying system.

CVE-2021-22900:

Pulse Connect Secure could allow a remote authenticated attacker to upload arbitrary files, caused by improper validation of file extensions in the administrator web interface. By sending a specially crafted HTTP request, an attacker with access to that interface could upload a malicious script and execute arbitrary code on the vulnerable system.

CVE-2021-27101:

Accellion File Transfer Appliance is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the document_root.html script using a specially crafted Host header, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2021-27102:

Accellion File Transfer Appliance could allow a remote attacker to execute arbitrary commands on the system. By using a local web service call, an attacker could exploit this vulnerability to execute arbitrary OS commands on the system.

CVE-2021-27103:

Accellion File Transfer Appliance is vulnerable to server-side request forgery. By sending a specially crafted POST request to wmProgressstat.html, an attacker could exploit this vulnerability to conduct an SSRF attack.

CVE-2021-27104:

Accellion File Transfer Appliance could allow a remote attacker to execute arbitrary commands on the system. By sending a specially crafted POST request, an attacker could exploit this vulnerability to execute arbitrary OS commands on the system.

CVE-2021-21985:

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server whether or not vSAN is in use. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Impact

  • Data Manipulation
  • Remote Code Execution
  • Data Breach
  • Unauthorized Access

Affected Vendors

Microsoft
Pulse Secure
VMware
Accellion

Affected Products

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
  • Pulse Secure Pulse Connect Secure 9.0RX (including 9.0R3)
  • Pulse Secure Pulse Connect Secure 9.1RX (including 9.1R1)
  • VMware vCenter Server
  • VMware Cloud Foundation
  • Accellion File Transfer Appliance 9_12_370

Remediation

Refer to the CISA advisory below for the current list of affected products and their respective patches.

https://us-cert.cisa.gov/ncas/alerts/aa21-209a