CVE-2020-29238
Published: 2021-03-10
Priority: P2 · 62 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 16.65% (96.6th percentile)
An integer buffer overflow in the Nginx web server of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information, via a specially crafted request, when the server is running as a reverse proxy.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| expressvpn | expressvpn | — | — |
Detection & IOCs (extracted from sources)
```http
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Host: 127.0.0.1:8181
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758999
Connection: close
```
- Detect exploitation attempts by inspecting HTTP Range headers containing two negative byte ranges, particularly where the second value is a large negative integer consistent with integer overflow (e.g., -9223372036854758999), targeting the Nginx range filter module.
- A successful exploit response will return HTTP 206 Partial Content with a multipart/byteranges body and a negative Content-Range value, indicating a memory leak via integer overflow in the Nginx range filter.
- Monitor for HTTP 206 responses from Nginx servers where the Content-Range header contains a negative start byte, which is a strong indicator of successful CVE-2020-29238 exploitation.
- The vulnerable service runs on Nginx version 1.9.15; identify exposed instances of this specific version on port 8181 as high-priority targets for patching and monitoring.
- The vulnerability is only exploitable if the router control panel is exposed to the Internet; it is normally restricted to the local network. Exposure to the Internet significantly increases risk.
- Only ExpressVPN Router version 1.x firmware is affected. Devices upgraded to the latest firmware version are not vulnerable.
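The first three indicators above translate directly into log inspection logic. The following Python is an added example written for this page (it is not code from the CVE sources, from nginx, or from ExpressVPN): it parses the request-side `Range` header, flags multiple suffix ranges and suffix lengths sized for a signed 64-bit overflow, and flags a `206` response whose `Content-Range` start or end is negative. The log lines are constructed for the example, and the threshold `OVERFLOW_SIZED` (half of the signed 64-bit range) is an assumption chosen to be far above any legitimate suffix length while still catching the value in the captured request.

```python
"""Detection helpers for the CVE-2020-29238 indicators: suspicious Range
requests and negative Content-Range responses (example code, not from the page)."""
import re
from typing import List, Optional, Tuple

INT64_MAX = 2**63 - 1
# Assumption: no legitimate suffix range is anywhere near the upper half of the
# signed 64-bit space; the captured request uses 9223372036854758999, a few KiB
# short of 2**63, which this threshold catches.
OVERFLOW_SIZED = INT64_MAX // 2

_RANGE_HDR = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.I)
_SUFFIX = re.compile(r"^-(\d+)$")
_CONTENT_RANGE = re.compile(r"^\s*bytes\s+(-?\d+)-(-?\d+)/(\d+|\*)\s*$", re.I)


def parse_range_specs(value: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Split a Range header value into (start, end) tuples.

    Suffix ranges such as '-500' become (None, 500); open ranges such as '100-'
    become (100, None). Malformed specs are skipped rather than raising, because
    this field is attacker-controlled and a detector must not crash on it.
    """
    m = _RANGE_HDR.match(value)
    if not m:
        return []
    specs = []
    for part in m.group(1).split(","):
        part = part.strip()
        sm = _SUFFIX.match(part)
        if sm:
            specs.append((None, int(sm.group(1))))
            continue
        if "-" in part:
            a, b = part.split("-", 1)
            if a.isdigit() and (b.isdigit() or b == ""):
                specs.append((int(a), int(b) if b else None))
    return specs


def inspect_range_header(value: str, content_length: Optional[int] = None) -> List[str]:
    """Return indicator strings for a suspicious Range header; empty list means clean."""
    findings = []
    suffix_lengths = [n for start, n in parse_range_specs(value) if start is None]
    if len(suffix_lengths) >= 2:
        findings.append("multiple suffix byte ranges")
    for n in suffix_lengths:
        if n > OVERFLOW_SIZED:
            findings.append(f"overflow-sized suffix length {n}")
        elif content_length is not None and n > content_length:
            findings.append(f"suffix length {n} exceeds content length {content_length}")
    return findings


def inspect_content_range(value: str) -> Optional[str]:
    """Flag a Content-Range whose start or end is negative, as described for a
    successful 206 response; returns None when the header looks normal."""
    m = _CONTENT_RANGE.match(value)
    if not m:
        return None
    start, end = int(m.group(1)), int(m.group(2))
    if start < 0 or end < 0:
        return f"negative Content-Range bytes {start}-{end}"
    return None


# Constructed sample log (not from the page), tab-separated:
# client, response status, request Range header, response Content-Range ('-' if absent).
SAMPLE_LOG = """\
10.0.0.5\t206\tbytes=0-1023\tbytes 0-1023/17208
10.0.0.9\t206\tbytes=-17208,-9223372036854758999\tbytes -16809-16809/17208
10.0.0.7\t206\tbytes=-500\tbytes 16708-17207/17208
10.0.0.8\t416\tbytes=-100,-99999999\t-
"""


def scan_log(text: str) -> List[dict]:
    """Run both checks over the log; Content-Range is only meaningful on 206 responses."""
    alerts = []
    for line in text.splitlines():
        client, status, range_hdr, content_range = line.split("\t")
        reasons = inspect_range_header(range_hdr)
        if status == "206":
            cr = inspect_content_range(content_range)
            if cr:
                reasons.append(cr)
        if reasons:
            alerts.append({"client": client, "status": status, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The request-side check fires before any response is sent, so it can drive blocking at a reverse proxy or WAF; the `Content-Range` check only confirms after the fact and belongs in response logging or IDS. Passing the known `content_length` of the proxied resource tightens the first check further, since a suffix longer than the object is never a valid request.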
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Unit42
Personal VPN and Its Evasions: Risk Factors and How to Maintain Network Visibility
blogs_unit42 · 2021-08-17
Authors: Saeed Abbasi, Kirti Parekh
Published: August 16, 2021
Tags: Cybercrime, Threat Research, Data exfiltration, Insider threats, VPN
## Executive Summary
Organizations are facing an increase in obfuscation behavior from on-site and remote employees attempting to bypass proxy servers to hide their online activities or exfiltrate data without detection. For example, an employee might use the “incognito” mode, download a personal virtual private network (VPN) or the Tor browser, or bypass the corporate VPN. In those cases, the information security team (InfoSec) needs complete network visibility to determine if that employee is solely guarding their own privacy, masking behavior that breaks organization policies or attempting to cover an attack.
Personal VPN services promise to enable secure, encrypted tunnels for user traffic. They provide services that prevent others from seeing through these tunnels by encrypting the
References
- http://expressvpn.com
- http://ja1sharma.com/blog/2021/CVE-2020-29238/
- http://packetstormsecurity.com/files/162152/ExpressVPN-VPN-Router-1.0-Integer-Overflow.html
- https://bugcrowd.com/disclosures/4e8d5325-8e49-4ea3-962a-a088bbb73a3f/expressvpn-router-integer-buffer-overflow-server-info-disclosure-when-router-s-nginx-server-used-as-reverse-proxy-server