CVE-2020-4000
Published: 2020-11-24
Priority: P2 65 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 43.02% (98.6th percentile)
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 allows for executing files through directory traversal. An authenticated SD-WAN Orchestrator user is able to traverse directories, which may lead to execution of files.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | big-ip_aam | — | — |
| f5 | big-ip_advanced_waf | — | — |
| f5 | big-ip_afm | — | — |
| f5 | big-ip_analytics | — | — |
| f5 | big-ip_apm | — | — |
| f5 | big-ip_asm | — | — |
| f5 | big-ip_dhd | — | — |
| f5 | big-ip_dns | — | — |
| f5 | big-ip_fps | — | — |
| f5 | big-ip_gtm | — | — |
| f5 | big-ip_link_controller | — | — |
| f5 | big-ip_ltm | — | — |
| f5 | big-ip_pem | — | — |
| f5 | ssl_orchestrator | — | — |
| vmware | sd-wan_orchestrator | — | — |
| vmware | sd-wan_orchestrator | >= 3.4.0 < 3.4.4 | 3.4.4 |
| vmware | sd-wan_orchestrator | >= 4.0.0 < 4.0.1 | 4.0.1 |
Detection & IOCs (extracted from sources)
URL: portal/rest/meta/
Bytes: |2e 2e 2f| (Snort hex content match for `../`)
Snort/Suricata rule (SID 2035103):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Path Traversal (CVE-2020-4000)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"portal/rest/meta/"; fast_pattern; content:"?"; content:"|2e 2e 2f|"; reference:cve,2020-4000; classtype:attempted-admin; sid:2035103; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_4000, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_04, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```
- Exploit traffic is an authenticated HTTP GET request to the `portal/rest/meta/` endpoint containing a `?` query parameter followed by a path traversal sequence (|2e 2e 2f| = `../`). Monitor inbound HTTP GET requests to SD-WAN Orchestrator for this URI pattern.
- Exploitation requires an authenticated session — correlate path traversal attempts with prior successful logins to the SD-WAN Orchestrator portal to identify compromised accounts.
- MITRE mapping is TA0007 (Discovery) / T1083 (File and Directory Discovery), suggesting attackers use this traversal to enumerate the filesystem before executing files.
- Vulnerable versions are SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1. Ensure detection rules are scoped to hosts running these versions.
- The Snort/Suricata rule (SID 2035103) is recommended for both Perimeter and Internal deployment zones, reflecting that exploitation can originate from external attackers or malicious insiders with valid credentials.
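The detection logic of SID 2035103 applied to web-server access logs, as an added example that is not part of this page or of the Emerging Threats rule: it flags GET requests to `portal/rest/meta/` whose query string carries `../`, and, going one step beyond the byte-level rule, percent-decodes the query first so encoded variants are caught too. The log format and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page); format assumed as
# "<client-ip> <user> \"<METHOD> <uri> HTTP/1.1\" <status>".
SAMPLE_LOG = """\
10.0.0.5 alice "GET /portal/rest/meta/foo?file=../../../../etc/passwd HTTP/1.1" 200
10.0.0.6 bob "GET /portal/rest/meta/foo?file=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200
10.0.0.7 carol "GET /portal/rest/meta/foo?file=report.json HTTP/1.1" 200
10.0.0.8 dave "POST /portal/rest/meta/foo?file=../x HTTP/1.1" 200
10.0.0.9 erin "GET /portal/login?next=../ HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL = "../"  # the |2e 2e 2f| byte sequence of the Snort rule


def is_traversal_attempt(method, uri, decode=True):
    """Mirror the rule: GET + 'portal/rest/meta/' in the URI + '?' followed by '../'.
    With decode=True the query string is percent-decoded (twice, to cover double
    encoding) before matching, so %2e%2e%2f is flagged as well as a literal ../."""
    if method != "GET" or "portal/rest/meta/" not in uri or "?" not in uri:
        return False
    query = uri.split("?", 1)[1]
    if decode:
        query = unquote(unquote(query))
    return TRAVERSAL in query


def scan_log(text, decode=True):
    """Return one record per matching request; ip and user are kept so hits can be
    correlated with prior portal logins, as the notes above recommend."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, user, method, uri, status = m.groups()
        if is_traversal_attempt(method, uri, decode):
            hits.append({"ip": ip, "user": user, "uri": uri, "status": status})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"traversal attempt by {hit['user']} from {hit['ip']}: {hit['uri']}")
```

With `decode=False` the scan behaves like a literal byte match and misses the percent-encoded request; `decode=True` reports both.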
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_oracle | — | 9.8 | CRITICAL | — |
| vendor_cisco | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
F5
CVE-2020-5947 [MEDIUM] · vendor_f5 · 2020-11-19 · CVSS 4.3
In versions 16.0.0-16.0.0.1 and 15.1.0-15.1.1, on specific BIG-IP platforms, attackers may be able to obtain TCP sequence numbers from the BIG-IP system that can be reused in future connections with the same source and destination port and IP numbers. Only these platforms are affected: BIG-IP 2000 series (C112), BIG-IP 4000 series (C113), BIG-IP i2000 series (C117), BIG-IP i4000 series (C115), BIG-IP Virtual Edition (VE).
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP DHD, BIG-IP DNS, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, Ssl Orchestrator
Affected Versions: 15.0.0 - 15.1.2; 16.0.0 - 16.0.1
F5 Advisory Articles: K64571774
F5 References: https://support.f5.com/c
VMware
VMSA-2020-0025: VMware SD-WAN Orchestrator updates address multiple security vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002, CVE-2020-4003)
CVE-2020-3984 [MEDIUM] · vendor_vmware · 2020-11-18 · CVSS 6.5
The SD-WAN Orchestrator does not apply correct input validation which allows for SQL-injection. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
CVEs: CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002, CVE-2020-4003
Affected products: VMware SD-WAN, VMware VeloCloud
Cisco
Cisco IOS XE ROM Monitor Software Vulnerability
CVE-2020-3524 [MEDIUM] · CWE-284 · vendor_cisco · 2020-09-24 · CVSS 6.4
A vulnerability in the Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco 4000 Series Integrated Services Routers, Cisco ASR 920 Series Aggregation Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to break the chain of trust and load a compromised software image on an affected device.
The vulnerability is due to the presence of a debugging configuration option in the affected software. An attacker could exploit this vulnerability by connecting to an affected device through the console, forcing the device into ROMMON mode, and writing a malicious pattern using that specific option on the device. A successful exploit could allo
Citrix
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update
CVE-2020-8245 [MEDIUM] · CWE-269 · vendor_citrix · 2020-09-18 · CVSS 6.1
Description of Problem: Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE References: CVE-2020-8245, CVE-2020-8246, CVE-2020-8247
Affected Products: Citrix ADC, Citrix Application Delivery Controller, Citrix Gateway, Citrix SD-WAN WANOP, NetScaler ADC, NetScaler Gateway, XenServer, sd-wan
Severity: Medium
Remediation:
Fixed builds have been released for supported versions of Citrix ADC, Citrix Ga
Oracle
Oracle Supply Chain Risk Matrix: Middle Tier (jython) vulnerability
CVE-2016-4000 [CRITICAL] · vendor_oracle · 2020-07-15 · CVSS 9.8
CVE: CVE-2016-4000
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2020 (JUL 2020)
Red Hat
macaron: open redirect in the static handler
CVE-2020-12666 [MEDIUM] · CWE-601 · vendor_redhat · 2020-05-06 · CVSS 6.1
macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.
A flaw was found in macaron. Path URLs aren't cleaned before being redirected creating an open redirect in the static handler.
Statement: This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither components make use of the Static handler the impact is Low. A future version of Grafana may use the Macaron Static handler so we may fix this in a future release.
Red Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana where the affected version of the macaron package is delivered. However the Static handler is not used by Ceph hence the impact by this vulne
Oracle
Oracle Communications Applications Risk Matrix: IDIH Visualization (Jython) vulnerability
CVE-2016-4000 [CRITICAL] · vendor_oracle · 2020-04-15 · CVSS 9.8
CVE: CVE-2016-4000
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2020 (APR 2020)
Oracle
Oracle Enterprise Manager Risk Matrix: Oracle Flow Builder (Jython) vulnerability
CVE-2016-4000 [CRITICAL] · vendor_oracle · 2020-01-15 · CVSS 9.8
CVE: CVE-2016-4000
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2020 (JAN 2020)
Cisco
CVE-2020-3524: Cisco IOS XE ROM Monitor Software Vulnerability
vendor_cisco · CVSS 3.0
A vulnerability in the Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco 4000 Series Integrated Services Routers, Cisco ASR 920 Series Aggregation Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, and Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, physical attacker to break the chain of trust and load a compromised software image on an affected device. The vulnerability is due to the presence of a debugging configuration option in the affected software. An attacker could exploit this vulnerability by connecting to an affected device through the console, forcing the device into ROMMON mode, and writing a malicious pattern using that specific option on the device. A successful explo
GHSA
GHSA-hqcj-mm82-w3pc
CVE-2020-4000 [HIGH] · CWE-22 · ghsa_unreviewed · 2022-05-24
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 allows for executing files through directory traversal. An authenticated SD-WAN Orchestrator user is able to traverse directories, which may lead to execution of files.
Suricata
ET EXPLOIT VMware SD-WAN Orchestrator Path Traversal (CVE-2020-4000)
CVE-2020-4000 [HIGH] · suricata · 2022-02-04 · CVSS 8.8
Rule: SID 2035103, quoted in full under Detection & IOCs above.