CVE-2019-5645
Published: 2020-09-01
Priority: P2 · 64 · high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
Exploit: available
EPSS: 41.69% (98.5th percentile)
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server.
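The bug class in the description above, as an added example in Ruby (the framework's language) that is not Metasploit's own code: a simplified HTTP resource dispatcher that registers a per-session resource keyed by the request path, then routes later requests by matching them against the registered entries. The class names, the SAFE_PATH allow-list and the sample paths are assumptions for illustration; the real handler and its fix in metasploit-framework differ in detail. The vulnerable table interpolates the request path into a Regexp, so a path of /.* hijacks dispatch for every later session (no new session is ever established), a nested-quantifier path such as /(a+)+$ becomes a catastrophic-backtracking pattern evaluated against every later request, and an unbalanced path like /( raises RegexpError inside the handler. The hardened table never compiles a Regexp from the request at all.

```ruby
# Added example, not code from metasploit-framework. Names, allow-list and
# sample paths are hypothetical; the point is the bug class behind CVE-2019-5645.

# Vulnerable: the attacker-controlled request path is interpolated, unescaped,
# into a Regexp that every later request is matched against.
class VulnerableResourceTable
  def initialize
    @resources = {} # Regexp => handler (Ruby hashes keep insertion order)
  end

  # `path` comes straight from the inbound GET request.
  def register(path, handler)
    @resources[Regexp.new("^#{path}")] = handler
  end

  # First matching pattern wins, as in a prefix-match dispatcher.
  def dispatch(path)
    @resources.each { |re, handler| return handler if re.match?(path) }
    nil
  end
end

# Hardened: the path is validated against a tight allow-list and stored as a
# literal string; dispatch uses String#start_with?, so no Regexp is ever built
# from attacker input.
class HardenedResourceTable
  # Hypothetical allow-list: a leading slash, then URL-safe characters only.
  SAFE_PATH = %r{\A/[A-Za-z0-9_\-/]{1,512}\z}.freeze

  def initialize
    @resources = {} # literal prefix => handler
  end

  def register(path, handler)
    raise ArgumentError, "rejected resource path: #{path.inspect}" unless SAFE_PATH.match?(path)
    @resources[path] = handler
  end

  def dispatch(path)
    @resources.each { |prefix, handler| return handler if path.start_with?(prefix) }
    nil
  end
end

# Registers an attacker path, then a legitimate session path, in both tables
# and reports where a request for the legitimate session ends up.
def compare_tables
  legit  = "/4Ab9cX2"   # constructed stand-in for a stager's session URI
  hijack = "/.*"        # matches every later path once compiled as a regex
  redos  = "/(a+)+$"    # nested quantifier: catastrophic backtracking on "/aaaa...!"

  vuln = VulnerableResourceTable.new
  vuln.register(hijack, :attacker)
  vuln.register(legit, :session)

  hard = HardenedResourceTable.new
  rejected = [hijack, redos].map do |p|
    hard.register(p, :attacker)
    false
  rescue ArgumentError
    true
  end
  hard.register(legit, :session)

  # An unbalanced path is a crash rather than a DoS, but it is the same root cause.
  crashes = begin
    VulnerableResourceTable.new.register("/(", :x)
    false
  rescue RegexpError
    true
  end

  {
    vulnerable_routes_session_to: vuln.dispatch(legit),   # :attacker
    hardened_routes_session_to:   hard.dispatch(legit),   # :session
    hardened_rejects_attacker:    rejected.all?,          # true
    vulnerable_crashes_on_unbalanced: crashes             # true
  }
end

if __FILE__ == $PROGRAM_NAME
  # Defense in depth on Ruby >= 3.2: cap any remaining Regexp evaluation time.
  Regexp.timeout = 2.0 if Regexp.respond_to?(:timeout=)
  compare_tables.each { |k, v| puts "#{k}: #{v}" }
end
```

The fix is to stop treating the request as a pattern: if a pattern is genuinely needed, build it from `Regexp.escape(path)`; if only a prefix match is needed, compare strings. A global `Regexp.timeout` (Ruby 3.2 and later) limits the damage from any pattern that still gets compiled but does not remove the hijack.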
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rapid7 | metasploit | <= 5.0.27 | — |
| rapid7 | metasploit_framework | 5.0.27 – 5.0.27 | — |
Detection & IOCs (extracted from sources)
- Monitor for specially crafted HTTP GET requests to Metasploit HTTP/HTTPS handler listeners whose request path or parameters contain regex-like patterns; these may be attempts to register a malicious resource handler.
- Alert on resource exhaustion or CPU spikes on Metasploit servers that coincide with inbound HTTP connections, which may indicate a ReDoS (regular expression denial of service) attack via the HTTP handler.
- Classify DoS impact tiers ('Gentle', 'Soft' and 'Hard' DoS) and monitor for progressive degradation of Metasploit HTTP handler session acceptance as an indicator of exploitation.
- The exploit module targets the Metasploit HTTP(S) handler directly; only Metasploit instances with an active HTTP/HTTPS listener (e.g., multi/handler with an HTTP/HTTPS stager) are exposed to this attack vector.
- The confirmed affected version is Metasploit 5.0.20; the scope of affected versions beyond this test target should be verified against Rapid7 advisories.
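The first two detection items above, as added example logic rather than anything from the page's sources: a scanner over constructed access-log lines from a reverse proxy or IDS placed in front of a Metasploit HTTP listener (Metasploit itself does not emit logs in this format; the format, field names and sample lines are assumptions). It flags request paths that contain regex metacharacters or a nested quantifier, which is what a registration attempt for a hijacking or ReDoS pattern looks like on the wire, while a stager's normal alphanumeric URI and ordinary noise such as /favicon.ico are left alone.

```ruby
# Added example, not from the page's sources. Log format and sample lines are
# constructed; tune REGEX_META for your own URI scheme before deploying.

# Any regex metacharacter in a path is suspicious for a handler whose real
# resources are alphanumeric. '.' is deliberately excluded to avoid noise.
REGEX_META = /[()\[\]{}*+?|^$\\]/
# A quantified group followed by another quantifier, e.g. (a+)+ or (a|aa)*{
NESTED_QUANT = /\([^)]*[*+][^)]*\)[*+{]/
# Hypothetical proxy log line: <timestamp> <src-ip> "<method> <path> HTTP/x.y" <status>
LOG_RE = /\A(?<ts>\S+) (?<src>\S+) "(?<method>[A-Z]+) (?<path>\S+) HTTP\/[\d.]+"/

# Returns the list of reasons a request path is suspicious (empty if clean).
def classify_request(path)
  reasons = []
  reasons << :nested_quantifier if NESTED_QUANT.match?(path)
  reasons << :regex_metachars if REGEX_META.match?(path)
  reasons << :oversized if path.length > 512
  reasons
end

# Parses each log line and keeps only the requests with at least one reason.
def scan_log(lines)
  lines.filter_map do |line|
    m = LOG_RE.match(line) or next
    reasons = classify_request(m[:path])
    next if reasons.empty?
    { ts: m[:ts], src: m[:src], path: m[:path], reasons: reasons }
  end
end

# Constructed sample: one normal stager request, two registration attempts
# from the same source, and unrelated browser noise.
SAMPLE_LOG = <<~LOG
  2020-09-01T10:00:01Z 203.0.113.5 "GET /kaRv2Xw HTTP/1.1" 200
  2020-09-01T10:00:02Z 198.51.100.9 "GET /(a+)+$ HTTP/1.1" 200
  2020-09-01T10:00:03Z 198.51.100.9 "GET /.* HTTP/1.1" 200
  2020-09-01T10:00:04Z 203.0.113.7 "GET /favicon.ico HTTP/1.1" 404
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG.lines).each do |hit|
    puts "#{hit[:ts]} #{hit[:src]} #{hit[:path]} -> #{hit[:reasons].join(',')}"
  end
end
```

Pair the path check with the second item above: a hit from this scanner followed by a CPU spike on the Metasploit host, or by the listener no longer accepting new sessions, is the combination worth paging on.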
CVSS provenance
- NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
- vendor_redhat: 9.8 CRITICAL. This is Red Hat's score for the log4j advisories listed below (CVE-2019-17571 and CVE-2017-5645), not a rating of CVE-2019-5645; the only scores for this CVE are the NVD ones.
GHSA
Regular expression denial of service in Rapid7 Metasploit
ghsa_unreviewed · 2021-05-05
CVE-2019-5645 [HIGH] CWE-400
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server.
Red Hat
log4j: deserialization of untrusted data in SocketServer
vendor_redhat · 2019-12-20 · CVSS 9.8
CVE-2019-17571 [CRITICAL] CWE-502
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to and including 1.2.17.
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
Statement: This is the same issue as CVE-2017-5645. MITRE has assigned CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has b
Red Hat
log4j: Socket receiver deserialization vulnerability
vendor_redhat · 2017-04-02 · CVSS 9.8
CVE-2017-5645 [CRITICAL] CWE-502
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
It was found that when using remote logging with the log4j socket server, the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
Statement: The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x.
Package: hawtio-osgi (Red Hat
No detection rules found.