CVE-2021-22502
published 2021-02-08CVE-2021-22502: Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to…
PriorityP197critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2021-11-17
Exploited in the wild
EPSS
96.74%
99.9th percentile
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microfocus | operation_bridge_reporter | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for POST requests to /AdminService/urest/v1/LogonResource with backtick-enclosed shell commands embedded in the 'userName' JSON field — this is the injection point and requires no authentication. ↗
- →The server returns HTTP 401 with body containing 'An error occurred' and 'AUTHENTICATION_FAILED' even on a successful injection attempt — a 401 response does NOT rule out exploitation. ↗
- →The injection occurs at the login endpoint before authentication; monitor for shell metacharacters (backticks, $(), pipes) inside the 'userName' field of JSON bodies sent to the LogonResource endpoint. ↗
- →Response Content-Type header will be 'application/json' — use this alongside the 401 status and error body strings to fingerprint exploitation attempts. ↗
- ·Vulnerability affects OBR version 10.40 and below; older versions may also be affected — confirm exact version scope before scoping detection. ↗
- ·The Metasploit module and Nuclei template were tested specifically on the Linux 10.40 version; Windows deployments may behave differently. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-22502 [CRITICAL] CWE-20 Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability
Vulnerability: Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability
Affected: Micro Focus Operation Bridge Reporter (OBR)
Micro Focus Operation Bridge Report (OBR) contains an unspecified vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-22502
Remediation Due Date: 2021-11-17
GHSA
GHSA-9f78-r2f6-597q: Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10
ghsa_unreviewed·2022-05-24
CVE-2021-22502 [CRITICAL] CWE-78 GHSA-9f78-r2f6-597q: Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.
VulnCheck
Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-22502 [CRITICAL] CWE-20 Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability
Micro Focus Operation Bridge Report (OBR) Remote Code Execution Vulnerability
Micro Focus Operation Bridge Report (OBR) contains an unspecified vulnerability that allows for remote code execution.
Affected: Micro Focus Operation Bridge Reporter (OBR)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild; https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx; https://www.cisa.gov/sites/default/files
No detection rules found.
Metasploit
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
metasploit
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
This module exploits a command injection vulnerability on *login* (yes, you read that right) that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It's a straight up command injection, with little escaping required and it works before authentication. This module has been tested on the Linux 10.40 version. Older versions might be affected, check the advisory for details.
Nuclei
Micro Focus Operations Bridge Reporter - Remote Code Execution
nuclei·CVSS 9.8
CVE-2021-22502 [CRITICAL] Micro Focus Operations Bridge Reporter - Remote Code Execution
Micro Focus Operations Bridge Reporter - Remote Code Execution
Micro Focus Operations Bridge Reporter 10.40 is susceptible to remote code execution. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
Template:
id: CVE-2021-22502
info:
name: Micro Focus Operations Bridge Reporter - Remote Code Execution
author: pikpikcu
severity: critical
description: |
Micro Focus Operations Bridge Reporter 10.40 is susceptible to remote code execution. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
impact: |
Unauthenticated attackers can execute arbitrary commands on th
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
Network Attack Trends: February-April 2021
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
Network Attack Trends: February-April 2021
Threat Research Center
Trend Reports
Vulnerabilities
## Network Attack Trends: February-April 2021
Yue Guan
Lei Xu
Vaibhav Singhal
Brock Mammen
Published: July 1, 2021
Trend Reports
Vulnerabilities
Network security trends
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls . We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of
Fortinet
The Ghosts of Mirai | FortiGuard Labs
blogs_fortinet·2021-06-24
The Ghosts of Mirai | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Ghosts of Mirai
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2019-19356 [HIGH] New Mirai Variant Targeting Network Security Devices
Threat Research Center
Threat Research
Vulnerabilities
## New Mirai Variant Targeting Network Security Devices
Vaibhav Singhal
Ruchna Nigam
Zhibin Zhang
Asher Davila
Published: March 15, 2021
Threat Research
Vulnerabilities
CVE-2019-19356
CVE-2020-25506
CVE-2020-26919
CVE-2021-22502
CVE-2021-27561
CVE-2021-27562
IoT
Mirai
VisualDoor
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
VisualDoor (a SonicWall SSL-VPN exploit).
CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2020-25506 [HIGH] New Mirai Variant Targeting Network Security Devices
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, mere hours after vulnerability details were published. On March 3, 2021, the same samples were served from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. Furthermore, on March 13, an exploit targeting CVE-2020-26919 was also
Greynoiseio
Malicious Tag Roundup (October 2021)
blogs_greynoiseio·CVSS 10.0
[CRITICAL] Malicious Tag Roundup (October 2021)
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
http://packetstormsecurity.com/files/162408/Micro-Focus-Operations-Bridge-Reporter-Unauthenticated-Command-Injection.htmlhttps://softwaresupport.softwaregrp.com/doc/KM03775947https://www.zerodayinitiative.com/advisories/ZDI-21-153/https://www.zerodayinitiative.com/advisories/ZDI-21-154/http://packetstormsecurity.com/files/162408/Micro-Focus-Operations-Bridge-Reporter-Unauthenticated-Command-Injection.htmlhttps://softwaresupport.softwaregrp.com/doc/KM03775947https://www.zerodayinitiative.com/advisories/ZDI-21-153/https://www.zerodayinitiative.com/advisories/ZDI-21-154/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22502
2021-02-08
Published
2021-11-03
Added to CISA KEV
Exploited in the wild