CVE-2021-3122
Published: 2021-02-07
Priority: P190 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 87.38% (99.7th percentile)
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ncr | command_center_agent | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for inbound TCP connections to port 8089 on Aloha BOH/POS servers, particularly from external/untrusted IP addresses connecting to cmcAgent.exe
- Alert on cmcAgent.exe spawning child processes such as cmd.exe or powershell.exe, which indicates successful RCE via the runCommand XML parameter
- Hunt for the CMCAgent banner response containing 'mynodename' / 'myNodeName' in Shodan/FOFA to identify publicly exposed vulnerable instances
- Monitor for network traffic from Aloha BOH servers to C2 domain support-ncr-aloha[.]net or support[.]nesinoder[.]com, used by the threat actor's ScreenConnect RMM tool
- Detect malware exfiltrating scraped credit card data over port 1888 from POS terminals to the BOH server
- Look for suspicious file writes to c:\windows\temp by cmcAgent.exe, which may indicate post-exploitation staging activity
- Nuclei detection: match TCP responses on port 8089 containing both '<cmcsys' and 'myNodeName' to confirm a vulnerable CMCAgent instance
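As an added example (not from this page or any of the sources it aggregates), a small Python checker that applies the first two detection ideas above to constructed Sysmon-style process-creation and network-connection events. The agent install path, the JSON field names and the trusted RFC 1918 ranges are assumptions to be adjusted for a real environment.

```python
import ipaddress
import json

# Constructed sample telemetry (not real logs): Sysmon-like JSON, one line per event.
# The NCR install path and field names are assumptions for this example.
SAMPLE_EVENTS = [
    json.dumps({"type": "process", "parent_image": r"C:\Program Files\NCR\cmcAgent.exe",
                "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"}),
    json.dumps({"type": "process", "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"}),
    json.dumps({"type": "network", "image": r"C:\Program Files\NCR\cmcAgent.exe",
                "src_ip": "203.0.113.7", "dst_port": 8089, "direction": "inbound"}),
    json.dumps({"type": "network", "image": r"C:\Program Files\NCR\cmcAgent.exe",
                "src_ip": "10.20.0.5", "dst_port": 8089, "direction": "inbound"}),
]

SHELLS = {"cmd.exe", "powershell.exe"}   # child images that should never hang off the agent
AGENT_PORT = 8089                         # CMCAgent listener named in the advisory
# Assumed trusted management ranges; anything else reaching port 8089 is suspicious.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return an alert label for one parsed event, or None if it looks benign."""
    if event.get("type") == "process":
        if (_basename(event.get("parent_image", "")) == "cmcagent.exe"
                and _basename(event.get("image", "")) in SHELLS):
            return "cmcagent_spawned_shell"
    elif event.get("type") == "network":
        if event.get("direction") == "inbound" and event.get("dst_port") == AGENT_PORT:
            src = ipaddress.ip_address(event["src_ip"])
            if not any(src in net for net in TRUSTED_NETS):
                return "untrusted_client_on_8089"
    return None


def scan(lines):
    """Parse JSON event lines and return a list of (label, event) alerts."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            alerts.append((label, event))
    return alerts


if __name__ == "__main__":
    for label, ev in scan(SAMPLE_EVENTS):
        print(label, ev.get("image"), ev.get("src_ip", ""))
```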
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-xcf5-m6c7-75hg: CMCAgent in NCR Command Center Agent 16
ghsa_unreviewed · 2022-05-24 · CVE-2021-3122 [CRITICAL] · CWE-78
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
VulnCheck
ncr command_center_agent Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVSS 9.8 · CVE-2021-3122 [CRITICAL]
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Affected: ncr command_center_agent
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2021-3122; https://www.sentin
No detection rules found.
Nuclei
NCR Command Center Agent 16.3 - Remote Command Execution
nuclei · CVSS 9.8 · CVE-2021-3122 [CRITICAL]
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Template (as shown on the page, truncated):

```yaml
id: CVE-2021-3122
info:
  name: NCR Command Center Agent 16.3 - Remote Command Execution
  severity: critical
  author: daffainfo,jjcho
  description: |
    CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, un
```
Metasploit
NCR Command Center Agent Remote Code Execution
metasploit
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. The vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Sentinelone
CVE-2021-3122 | How We Caught a Threat Actor Exploiting NCR POS Zero Day
blogs_sentinelone · 2021-07-22 · CVSS 9.8 · CVE-2021-3122 [CRITICAL]
A guest post by Kyle Pagelow from Tetra Defense
In this post, we describe how our Incident Response team discovered and thwarted a threat actor stealing credit card data by exploiting a zero day RCE (remote code execution) vulnerability in NCR’s Aloha Point of Sale software, widely used in the catering and restaurant industries.
Our investigation led us to discover and report CVE-2021-3122. While Tetra Defense successfully defended the client’s business, removing the threat actor’s access from the client’s network and mitigating the entire infection chain, a large number of other potential victims are readily discoverable, many of whom could be actively exploited today.
According to the vendor, CVE-2021-3122 is a client misconfiguration, and it appears that it is up to each client usi
Sentinelone
PrintNightmare Vulnerability: Analysis and Mitigation
blogs_sentinelone · 2021-07-14 · CVSS 7.8 · CVE-2021-34527 [HIGH]
## Executive Summary
A remote code execution vulnerability is being dubbed ‘PrintNightmare’ (CVE-2021-34527 and CVE-2021-1675).
The vulnerabilities are present in the Windows Spooler Service present on all Windows versions.
Microsoft has released two patches to address these vulnerabilities (an Out-of-Band update on July 1 as well as the July 13th monthly update).
Exploit code is readily available and has already been folded into popular hacking tools like Mimikatz and the Metasploit framework.
SentinelOne has provided DeepVisibility queries to detect attempts to exploit PrintNightmare in customer environments.
## What Happened?
On June 29, 2021, details emerged of a remotely exploitable vulnerability in the Microsoft Windows Print Spooler service affecting all versions of Windows t
References
- https://github.com/roughb8722/CVE-2021-3122-Details/blob/main/CVE-2021-3122
- https://rdf2.alohaenterprise.com/client/CMCInst.zip
- https://www.tetradefense.com/incident-response-services/active-exploit-a-remote-code-execution-rce-vulnerability-for-ncr-aloha-point-of-sale/