cbcvebase.
CVE-2018-17431
published 2019-01-30

CVE-2018-17431: Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.

Priority: P1 93 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 83.91% (99.7th percentile)

Affected

1 range
Vendor    Product                              Version range    Fixed in
comodo    unified_threat_management_firewall   < 2.7.0          2.7.0

Detection & IOCs (extracted from sources)

url: /manage/webshell/u?s=5&w=218&h=15&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=62&_=5621298674064
url: /manage/webshell/u?s=5&w=218&h=15&k=%0a&l=62&_=5621298674064
path: /manage/webshell/u
command: %73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a
  • Detect exploitation attempts by monitoring HTTP GET requests to the path /manage/webshell/u with query parameters 's', 'w', 'h', 'k', 'l', and '_'. The 'k' parameter carries URL-encoded shell commands.
  • A successful exploitation response contains the string 'Configuration has been altered' in the HTTP response body. Alert on this string appearing in responses to /manage/webshell/u requests.
  • The exploit is unauthenticated and requires no session cookie or prior login. Any unauthenticated request to /manage/webshell/u should be treated as suspicious.
  • The numeric parameters 's', 'w', 'h', 'l', and '_' in the exploit URL are randomized per request, so detection rules should not rely on their specific values and should instead focus on the path /manage/webshell/u and the presence of the 'k' parameter.
  • The vulnerability affects Comodo UTM Firewall releases before 2.7.0 and Central Manager releases before 1.5.0. Detections should be scoped to hosts running these product versions.
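The detection guidance above (match on the path and the presence of 'k', ignore the randomized numeric parameters, decode the command for the analyst) as a small log scanner. This is an added example, not code from the database entry or from the vendor; it assumes combined-log-format access lines, and the sample lines are constructed for the demonstration (the first two request targets are the IoC URLs listed above).

```python
"""Flag CVE-2018-17431 exploitation attempts in HTTP access logs.

Added example: matches requests to /manage/webshell/u that carry a 'k'
query parameter, ignores the per-request numeric parameters, and
percent-decodes 'k' so an analyst can read the attempted command.
"""
import re
from urllib.parse import parse_qs, urlsplit

SUSPICIOUS_PATH = "/manage/webshell/u"
SUCCESS_MARKER = "Configuration has been altered"  # response string from the entry above

# Assumed combined-log-format request section: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (hosts and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jan/2019:10:00:01 +0000] "GET /manage/webshell/u?s=5&w=218&h=15'
    '&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=62&_=5621298674064 HTTP/1.1" 200 512',
    '10.0.0.5 - - [30/Jan/2019:10:00:02 +0000] "GET /manage/webshell/u?s=5&w=218&h=15&k=%0a&l=62&_=5621298674064 HTTP/1.1" 200 128',
    '10.0.0.9 - - [30/Jan/2019:10:00:03 +0000] "GET /manage/webshell/u?s=7&w=100&h=20&l=10&_=1 HTTP/1.1" 200 64',
    '10.0.0.7 - - [30/Jan/2019:10:00:04 +0000] "GET /manage/login HTTP/1.1" 200 1024',
]


def analyze_request(target):
    """Return a finding dict when the request target matches the pattern, else None.

    Only the path and the presence of 'k' are checked; s, w, h, l and _ are
    randomized per request and deliberately not used for matching.
    """
    parts = urlsplit(target)
    if parts.path != SUSPICIOUS_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "k" not in params:
        return None
    decoded_k = params["k"][0]  # parse_qs percent-decodes for us
    # The command is sent as newline-separated words; split them for readability.
    command_lines = [line for line in decoded_k.split("\n") if line]
    return {"path": parts.path, "command": decoded_k, "command_lines": command_lines}


def scan_log(lines):
    """Scan access-log lines and return one finding per matching request."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand
        finding = analyze_request(match.group("target"))
        if finding is not None:
            finding["src"] = line.split()[0]
            finding["status"] = int(match.group("status"))
            findings.append(finding)
    return findings


def response_indicates_success(body):
    """True when a response body carries the marker the entry associates with success."""
    return SUCCESS_MARKER in body


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['path']} status={f['status']} command={f['command_lines']!r}")
```

Requests to the path without 'k' are not flagged here, since the entry ties the command to that parameter; a stricter deployment following the third bullet could flag every unauthenticated hit on the path by dropping the `"k" not in params` check, and pair this request-side rule with `response_indicates_success` on captured response bodies.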

CVSS provenance

nvd         v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck          9.8   CRITICAL