CVE-2020-9020
Published: 2020-02-17
Priority: P278 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV
Exploited in the wild
EPSS: 2.47% (82.5th percentile)
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iteris | vantage_velocity_firmware | — | — |
| iteris | vantage_velocity_firmware | — | — |
| iteris | vantage_velocity_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Vantage Velocity Field Unit RCE Inbound (CVE-2020-9020)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/timeconfig.py?"; fast_pattern; content:"|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/; reference:cve,2020-9020; classtype:attempted-admin; sid:2032314; rev:1; metadata:created_at 2021_03_24, cve CVE_2020_9020, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_24;)
- Exploit arrives as an HTTP POST to /cgi-bin/timeconfig.py? containing a semicolon (0x3b) shell metacharacter in the NTP Server field (htmlNtpServer parameter); the ET rule keys on content:"/cgi-bin/timeconfig.py?" followed by content:"|3b|".
- Post-exploitation payload is fetched via wget from 198.23.238.203 over HTTP port 80; monitor for outbound wget/curl requests to that IP from IoT/embedded devices.
- C2 communications use encrypted SSL traffic to 198.23.238.203 on port 5684; alert on SSL/TLS sessions to that IP:port from internal hosts.
- Satori scans TCP port 23 (Telnet) on random hosts and attempts credential brute-force; high-rate outbound Telnet scanning from a compromised device is a strong post-compromise indicator.
- Embedded passwords in the Satori sample are XOR-encrypted with the single-byte key 0x07; use this to decode credential strings during malware analysis or memory forensics.
- Palo Alto Networks Threat Prevention signature 90769 blocks the exploit traffic; verify this signature is active on NGFWs protecting Vantage Velocity devices.
- Nine distinct Satori binaries are hosted on the C2 server, each compiled for a different CPU architecture (arm, arm7, mips, mipsel, powerpc, sh4, sparc, m68k, x86_64, x86_32); hash-based detections must cover all variants to avoid gaps.
- The C2 server 198.23.238.203 was still accessible at time of publication; block/null-route this IP but treat it as potentially shared infrastructure that may be reused against other targets.
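The first bullet above describes what the ET rule actually keys on. As an added illustration for defenders (example code written for this page, not part of the Emerging Threats ruleset, the Unit 42 report or any vendor tooling), the following Python replays that logic over HTTP request lines such as those found in a web-server access log or a proxy capture, and pairs it with a broader check that percent-decodes the query string and flags any shell metacharacter in the NTP Server value. The request lines, the TEST_MARKER token and the hostnames are constructed; /cgi-bin/timeconfig.py, the htmlNtpServer parameter and sid 2032314 come from the page. Whether an IDS normalizes the URI before matching depends on its HTTP parser configuration, which is why the second check decodes the query itself rather than relying on the raw byte.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request-line matcher: "METHOD URI HTTP/x.y" as found in access logs or proxy captures.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")

# Values taken from the page: the vulnerable CGI script and the NTP Server parameter name.
TARGET_PATH = "/cgi-bin/timeconfig.py"
NTP_PARAM = "htmlNtpServer"

# Shell metacharacters worth flagging in a hostname field (a legitimate NTP
# server name never contains any of these).
SHELL_METACHARS = set(";|&`$\n")

# Constructed sample request lines (not captured traffic). Line 1 carries a raw
# ';' in the NTP Server parameter, the shape ET sid:2032314 keys on; line 2
# carries the same byte percent-encoded; the others are benign or off-target.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/timeconfig.py?htmlNtpServer=0.pool.ntp.org HTTP/1.1",
    "POST /cgi-bin/timeconfig.py?htmlNtpServer=0.pool.ntp.org;TEST_MARKER HTTP/1.1",
    "POST /cgi-bin/timeconfig.py?htmlNtpServer=0.pool.ntp.org%3BTEST_MARKER HTTP/1.1",
    "POST /cgi-bin/timeconfig.py?htmlNtpServer=time.example.net HTTP/1.1",
    "POST /cgi-bin/status.py?x=a;b HTTP/1.1",
]


def parse_request_line(line):
    """Return (method, uri) or None if the line is not an HTTP request line."""
    m = REQUEST_LINE.match(line)
    return (m["method"], m["uri"]) if m else None


def query_params(query):
    """Split a raw query string on '&' only and percent-decode keys and values.
    Done by hand rather than with urllib.parse.parse_qs, whose treatment of ';'
    as a separator changed across Python versions and would hide the very byte
    this check looks for."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def et_rule_match(line):
    """Mirror the literal logic of ET sid:2032314: method POST, the URI contains
    '/cgi-bin/timeconfig.py?', and a raw ';' (0x3b) appears after that string."""
    parsed = parse_request_line(line)
    if parsed is None or parsed[0] != "POST":
        return False
    uri = parsed[1]
    idx = uri.find(TARGET_PATH + "?")
    if idx == -1:
        return False
    return ";" in uri[idx + len(TARGET_PATH) + 1:]


def ntp_param_match(line):
    """Broader check: decode the query string and flag any shell metacharacter in
    the htmlNtpServer value, independent of HTTP method or percent-encoding."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    parts = urlsplit(parsed[1])
    if parts.path != TARGET_PATH:
        return False
    values = query_params(parts.query).get(NTP_PARAM, [])
    return any(ch in SHELL_METACHARS for value in values for ch in value)


def scan(lines):
    """Return [(line_index, [reasons])] for every line that trips either check."""
    findings = []
    for i, line in enumerate(lines):
        reasons = []
        if et_rule_match(line):
            reasons.append("et-sid-2032314")
        if ntp_param_match(line):
            reasons.append("ntp-server-metachar")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS):
        print(f"line {idx}: {', '.join(reasons)}: {SAMPLE_REQUESTS[idx]}")
```

Run against the constructed lines, only line 1 trips the literal ET logic, while lines 1 and 2 trip the decoding check; the GET request with a clean hostname, the benign POST and the request to a different CGI path are not flagged. Feed real request lines to `scan()` to triage historical logs for attempts against this endpoint.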
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-3cc2-9qw3-rg33: Iteris Vantage Velocity Field Unit 2
ghsa_unreviewed · 2022-05-24 · CVE-2020-9020 [HIGH]
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.
VulnCheck
iteris vantage_velocity_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVSS 9.8 · CVE-2020-9020 [CRITICAL]
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.
Affected: iteris vantage_velocity_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/; https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/
Suricata
ET EXPLOIT Possible Vantage Velocity Field Unit RCE Inbound (CVE-2020-9020)
suricata · 2021-03-24 · CVSS 9.8 · CVE-2020-9020 [CRITICAL]
Rule: sid 2032314, rev 1; the full rule text is reproduced in the Detection & IOCs section above.
No public exploits indexed.
Unit42
Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability
blogs_unit42 · 2021-03-17 · CVSS 9.8 · CVE-2020-9020 [CRITICAL]
Authors: Haozhe Zhang, Vaibhav Singhal, Zhibin Zhang, Jun Du
Published: March 17, 2021
Tags: Threat Research, Vulnerabilities, Botnet, CVE-2020-9020, IoT, Mirai variant
## Executive Summary
On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris’ Vantage Velocity field unit version 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data with a large number of vehicles. If a device is compromised, it will be under control of attackers, who can then leak sensitive data or conduct further attacks, such as Distributed Denial-of-Service (DDoS) attacks. The vulnerability has a critical rating (i.e., CVSS 3.1 score of 9.8) due to its low attack complexity, but critical security impact. The exploit captured by Unit 42 researchers utilized the vulnerability to spread Satori, a Mirai botnet variant.
Palo Alto Networks Next-Generatio