CISA Alert AA23-250A: Nation-State APT Actors Exploit CVE-2022-47966 and CVE-2022-42475
On September 7th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a security alert on two critical remote code execution vulnerabilities found in ManageEngine products and FortiOS SSL VPN [1]. Both CVE-2022-47966 and CVE-2022-42475 have a CVSS score of 9.8 (Critical) and have been exploited by different APT groups in cyber espionage campaigns against a US aviation organization.
In this blog, we explain how nation-state threat actors exploit ManageEngine CVE-2022-47966 and FortiOS CVE-2022-42475.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of the Picus Platform
What is ManageEngine CVE-2022-47966 Remote Code Execution Vulnerability?
On January 10th, 2023, ManageEngine released a security advisory for a remote code execution vulnerability affecting multiple ManageEngine products. CVE-2022-47966 allows an unauthenticated attacker to execute arbitrary commands on on-premises ManageEngine products. The vulnerability has a CVSS score of 9.8 (Critical). Although it was disclosed nearly eight months ago, adversaries still target vulnerable ManageEngine products to gain access to their victims' environments.
The vulnerability stems from the xmlsec library from Apache Santuario: xmlsec version 1.4.1 has a flaw in the XML Signature validation step that was discovered back in 2008, and vulnerable ManageEngine products still ship this library. Adversaries abuse this flaw to craft a malicious SAML payload and use it in an XSLT injection attack. ManageEngine addressed the issue by updating xmlsec to version 2.2.3, and organizations are advised to update their ManageEngine products.
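To show what the XML Signature abuse behind this CVE looks like in a SAMLResponse, here is an added detection check (example code written for this post, not code from ManageEngine or Apache Santuario): it decodes the base64 SAMLResponse parameter and flags any ds:Transform that requests the XSLT algorithm or embeds xsl: elements, which a legitimate IdP signature never carries. Both sample responses are constructed, and the suspicious one carries a harmless stylesheet body.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XSL = "http://www.w3.org/1999/XSL/Transform"
XSLT_ALGORITHM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

def find_xslt_transforms(saml_xml: str) -> list:
    """Flag every ds:Transform that requests the XSLT algorithm or embeds an
    xsl: element. A normal SAML signature uses only enveloped-signature and
    canonicalisation transforms, so any XSLT here is worth an alert."""
    findings = []
    for transform in ET.fromstring(saml_xml).iter(f"{{{DS}}}Transform"):
        algorithm = transform.get("Algorithm", "")
        if algorithm == XSLT_ALGORITHM:
            findings.append(f"XSLT transform algorithm: {algorithm}")
        for child in transform:
            if child.tag.startswith(f"{{{XSL}}}"):
                findings.append(f"xsl element inside ds:Transform: {child.tag}")
    return findings

def inspect_saml_response(b64_response: str) -> list:
    """Decode the base64 SAMLResponse form parameter and inspect it."""
    return find_xslt_transforms(base64.b64decode(b64_response).decode("utf-8"))

# Constructed sample: the transforms a legitimate IdP response carries.
BENIGN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#_a1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"""

# Constructed sample: an XSLT transform smuggled into the signature, with a
# harmless stylesheet body; the shape, not the body, is what the check keys on.
SUSPICIOUS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#_a1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
      <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
        <xsl:template match="/"><xsl:value-of select="'x'"/></xsl:template>
      </xsl:stylesheet>
    </ds:Transform>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"""

def scan_samples() -> dict:
    """Run both constructed samples through the base64 entry point, as a WAF hook would."""
    return {label: inspect_saml_response(base64.b64encode(doc.encode()).decode())
            for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS))}
```

scan_samples() returns no findings for the benign response and two for the suspicious one (the XSLT algorithm and the embedded xsl:stylesheet).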
| Affected Products | Affected Versions | Fixed Version |
|---|---|---|
| Access Manager Plus | 4307 and below | 4308 | 
| Active Directory 360 | 4309 and below | 4310 | 
| ADAudit Plus | 7080 and below | 7081 | 
| ADManager Plus | 7161 and below | 7162 | 
| ADSelfService Plus | 6210 and below | 6211 | 
| Analytics Plus | 5140 and below | 5150 | 
| Application Control Plus | 10.1.2220.17 and below | 10.1.2220.18 | 
| Asset Explorer | 6982 and below | 6983 | 
| Browser Security Plus | 11.1.2238.5 and below | 11.1.2238.6 | 
| Device Control Plus | 10.1.2220.17 and below | 10.1.2220.18 | 
| Endpoint Central | 10.1.2228.10 and below | 10.1.2228.11 | 
| Endpoint Central MSP | 10.1.2228.10 and below | 10.1.2228.11 | 
| Endpoint DLP | 10.1.2137.5 and below | 10.1.2137.6 | 
| Key Manager Plus | 6400 and below | 6401 | 
| OS Deployer | 1.1.2243.0 and below | 1.1.2243.1 | 
| PAM 360 | 5712 and below | 5713 | 
| Password Manager Pro | 12123 and below | 12124 | 
| Patch Manager Plus | 10.1.2220.17 and below | 10.1.2220.18 | 
| Remote Access Plus | 10.1.2228.10 and below | 10.1.2228.11 | 
| Remote Monitoring and Management (RMM) | 10.1.40 and below | 14986 | 
| ServiceDesk Plus | 14003 and below | 14004 | 
| ServiceDesk Plus MSP | 13000 and below | 13001 | 
| SupportCenter Plus | 11017 to 11025 | 11026 | 
| Vulnerability Manager Plus | 10.1.2220.17 and below | 10.1.2220.18 | 
What is FortiGate CVE-2022-42475 Remote Code Execution Vulnerability?
On December 12th, 2022, Fortinet released a security advisory for a zero-day vulnerability affecting FortiOS. CVE-2022-42475 is a heap-based buffer overflow vulnerability in the sslvpnd component of FortiOS SSL-VPN. Adversaries may abuse it to execute arbitrary code on remote systems. The vulnerability has a CVSS score of 9.8 (Critical). Adversaries often use this vulnerability to gain initial access and establish persistence in their victims' environments.
Fortinet patched CVE-2022-42475 back in December 2022; however, there are still vulnerable versions in use. Organizations are advised to fix their vulnerable Fortinet products as soon as possible.
| Affected Products | Affected Versions | Fixed Version |
|---|---|---|
| FortiOS | 7.2.0 through 7.2.2 | 7.2.3 or above |
| FortiOS | 7.0.0 through 7.0.8 | 7.0.9 or above |
| FortiOS | 6.4.0 through 6.4.10 | 6.4.11 or above |
| FortiOS | 6.2.0 through 6.2.11 | 6.2.12 or above |
| FortiOS | 6.0.0 through 6.0.15 | 6.0.16 or above |
| FortiOS | 5.6.0 through 5.6.14 | - |
| FortiOS | 5.4.0 through 5.4.13 | - |
| FortiOS | 5.2.0 through 5.2.15 | - |
| FortiOS | 5.0.0 through 5.0.14 | - |
| FortiOS-6K7K | 7.0.0 through 7.0.7 | 7.0.8 or above |
| FortiOS-6K7K | 6.4.0 through 6.4.9 | 6.4.10 or above |
| FortiOS-6K7K | 6.2.0 through 6.2.11 | 6.2.12 or above |
| FortiOS-6K7K | 6.0.0 through 6.0.14 | 6.0.15 or above |
| FortiProxy | 7.2.0 through 7.2.1 | 7.2.2 or above |
| FortiProxy | 7.0.0 through 7.0.7 | 7.0.8 or above |
| FortiProxy | 2.0.0 through 2.0.11 | 2.0.12 or above |
| FortiProxy | 1.2.0 through 1.2.13 | - |
| FortiProxy | 1.1.0 through 1.1.6 | - |
| FortiProxy | 1.0.0 through 1.0.7 | - |
Cyber Espionage Against a US Aeronautical Organization
Multiple nation-state threat actors compromised a US-based aeronautical organization using the ManageEngine CVE-2022-47966 and FortiOS CVE-2022-42475 vulnerabilities. The aim of the campaign appears to be cyber espionage, and CISA estimates the date of the initial compromise as early January 2023. The campaign had two initial access vectors.
In early January 2023, Iranian APT actors gained initial access to the victim's infrastructure by abusing the ManageEngine CVE-2022-47966 vulnerability. This gave the adversaries root-level access to the public-facing application, Zoho ManageEngine ServiceDesk Plus, and they created a privileged local user account named Azure. Using this privileged account, the APT actors enumerated the network, downloaded malware, collected administrative user credentials, and moved laterally through the organization's network.
In February 2023, additional APT actors compromised the victim's firewall using the FortiOS CVE-2022-42475 vulnerability. After gaining initial access, the adversaries re-activated a previously disabled administrator account and deleted log data from the victim's servers to cover the traces of the compromise. The APT actors then moved laterally in the victim's network using compromised credentials and deployed multiple webshells in different file locations to establish persistence.
How Does Picus Help Simulate ManageEngine CVE-2022-47966 and FortiOS CVE-2022-42475 RCE Attacks?
We strongly suggest simulating the ManageEngine CVE-2022-47966 and FortiOS CVE-2022-42475 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using Picus, The Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, ProxyNotShell, and Follina, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for ManageEngine CVE-2022-47966 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 63009 | ManageEngine Web Attack Campaign | Web Application | 
The Picus Threat Library includes the following threats for FortiOS CVE-2022-42475 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 31317 | FortiProxy Web Attack Campaign | Web Application | 
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address CVE-2022-47966 vulnerability exploitation attacks and related malware attacks in preventive security controls. Picus Labs has validated the following signatures for CVE-2022-47966 vulnerability exploitation attacks:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| CheckPoint | asm_dynamic_prop_AMSN20190425_06 | Zoho ManageEngine Applications Manager SQL Injection (CVE-2019-11469) | 
| CheckPoint | asm_dynamic_prop_MENGINE_ADS_CMD_INJ | ManageEngine ADSelfService Plus Command Injection | 
| CheckPoint | 0A6191292 | Malicious Binary.TC.c80buXKH | 
| CheckPoint | asm_dynamic_prop_CVE_2022_47966 | Zoho ManageEngine Remote Code Execution (CVE-2022-47966) | 
| Cisco FirePower | 1.58201.2 | SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus RestAPI authentication bypass attempt | 
| Cisco FirePower | 1.61452.1 | SERVER-WEBAPP Zoho ManageEngine multiple products remote code execution attempt | 
| Citrix | - | Invalid Multipart syntax in request | 
| Citrix | - | Blocked by 'HTML SQL Injection' Security Check | 
| F5 BIG-IP | 200002142 | SQL-INJ insert into | 
| F5 BIG-IP | 200003903 | CSV Injection Attempt (1) | 
| F5 BIG-IP | 200004162 | PHP injection attempt (require) | 
| F5 BIG-IP | 200001362 | .send (Parameter) | 
| F5 BIG-IP | 200004028 | PHP injection attempt ( popen ) | 
| F5 BIG-IP | 200002466 | SQL-INJ insert into (2) | 
| F5 BIG-IP | 200004185 | POpen injection attempt (Parameter) | 
| F5 BIG-IP | 200104762 | PHP injection attempt (assert) (Parameter) | 
| F5 BIG-IP | 200103295 | Zoho ManageEngine SAMLResponse RCE | 
| F5 BIG-IP | 200004208 | JavaScript Code Injection - require(); (Parameter) | 
| Forcepoint NGFW | - | File_Malware-Blocked | 
| Forcepoint NGFW | - | HTTP_CRL-Zoho-Manageengine-Applications-Manager-Resourceid-SQL-Injection | 
| Forcepoint NGFW | - | HTTP_CRL-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass | 
| Forcepoint NGFW | - | HTTP_CSU-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass | 
| Fortigate IPS | 26560 | applications3: ManageEngine.Applications.Manager.Code.Execution | 
| Fortigate IPS | 50773 | applications3: ManageEngine.ADSelfService.Plus.RestAPI.Authentication.Bypass | 
| Fortigate IPS | 52571 | applications3: ManageEngine.xmlsec.SAML.SSO.Remote.Code.Execution | 
| FortiWeb | 30000085 | SQL Injection | 
| FortiWeb | 50050041 | Generic Attacks | 
| FortiWeb | 90501371 | Known Exploits | 
| FortiWeb | 60140003 | Generic Attacks(Extended) | 
| Imperva SecureSphere | - | sql-injection | 
| Imperva SecureSphere | - | CVE-2021-40539: ManageEngine ADSelfService P | 
| McAfee | 0x40216400 | HTTP: SQL Injection - Exploit | 
| McAfee | 0x4529eb00 | HTTP: Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | 
| McAfee | 0x452c8100 | HTTP: Zoho ManageEngine Code Execu | 
| ModSecurity | 942440 | SQL Comment Sequence Detected | 
| ModSecurity | 942360 | Detects concatenated basic SQL injection and SQLLFI attempts | 
| ModSecurity | 921150 | HTTP Header Injection Attack via payload (CR/LF detected) | 
| ModSecurity | 942210 | Detects chained SQL injection attempts 1/2 | 
| ModSecurity | 942350 | Detects MySQL UDF injection and other data/stru | 
| ModSecurity | 942410 | SQL Injection Attack | 
| ModSecurity | 942150 | SQL Injection Attack | 
| ModSecurity | 942100 | SQL Injection Attack Detected via libinjection | 
| ModSecurity | 942480 | SQL Injection Attack | 
| PaloAlto | 35826 | HTTP SQL Injection Attempt | 
| PaloAlto | 91676 | ZOHOcorp ManageEngine Improper Authentication Vulnerability | 
| Snort | 1.58201.2 | SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus RestAPI authentication bypass attempt | 
| Snort | 1.61452.1 | SERVER-WEBAPP Zoho ManageEngine multiple products remote code execution attempt | 
| TrendMicro Tipping Point | 35284 | HTTP: Zoho ManageEngine Applications Manager FaultTemplateOptions.jsp resourceid SQL Injection | 
| TrendMicro Tipping Point | 42204 | HTTP: Multiple Zoho ManageEngine Products Code | 
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus, The Complete Security Validation Platform.
References
[1] "Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a. [Accessed: Sep. 08, 2023]