CVE-2016-7089
Published 2016-08-24
CVE-2016-7089: WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifconfig command, aka ESCALATEPLOWMAN.
Priority: P2 77 · Severity: high · CVSS 3.0 base score: 7.8
CVSS 3.0 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.24% (65.4th percentile)
Detection & IOCs (extracted from sources)
- Monitor for crafted or anomalous ifconfig command execution on WatchGuard RapidStream appliances, particularly when invoked by non-root local users, as this is the exploitation vector for ESCALATEPLOWMAN privilege escalation.
- The exploit is attributed to the Shadow Brokers group; presence of the exploit binary (40270.zip) or its contents on a WatchGuard appliance filesystem should be treated as a strong indicator of compromise.
- This vulnerability is specific to WatchGuard RapidStream appliances; exploitation requires local user access, limiting the attack surface to authenticated local sessions.
CVSS provenance
- NVD, CVSS v3.0: 7.8 HIGH (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 7.8 HIGH
GHSA
GHSA-39jg-jjh7-v68p (ghsa_unreviewed · 2022-05-17): WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifconfig command, aka ESCALATEPLOW
VulnCheck
WatchGuard RapidStream Appliances Command Execution (vulncheck · 2016 · CVSS 7.8)
Affected: WatchGuard rapidstream
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.cisa.gov/ncas/alerts/TA16-250A
- https://cisa.gov/news-events/alerts/2015/08/01/recent-email-phishing-campaigns-mitigation-and-response
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/138393/ESCALATEPLOWMAN-WatchGuard-Privilege-Escalation.html
- http://www.securityfocus.com/bid/92638
- https://www.exploit-db.com/exploits/40270/
- https://www.secplicity.org/2016/08/16/nsa-equation-group-exploit-leak-mean/