This issue can be exploited over Telnet, SSH, or through an insecure web interface. In most cases, this type of attack is done through the help desk application. Due to the missing authentication, anyone can send the attacker any document over the network. Due to this weakness, any unauthenticated attacker can do the following: - Send a crafted request to the help desk application; - This can be done via the insecure web interface; - End users can send any document over the network. Due to the missing authentication, an attacker can do any of the following. - Change the help desk settings; - Change the help desk settings and completely block a certain user; - Send a crafted request to the help desk application; - This can be done via the insecure web interface; - End users can send any document over the network. Due To the missing authentication, any unauthenticated attacker can do any of the following. - Change the help desk settings; - Change the help desk settings and completely block a certain user; - Send a crafted request to the help desk application; - This can be done via the insecure web interface; - End users can send any document over the network.
Vulnerability Finding Tips
If you’re having a hard time finding the vulnerability that corresponds to your CVE, try using the search bar at https://cve.mitre.org/. If you still can’t find it, use your favorite search engine and type in “CVE-2022-28771.”
How do I know if my environment is vulnerable?
If your environment is vulnerable, you should be aware of the following: - You have unauthenticated access to the help desk application on your server; - Your environment has more than one server and you are able to get the information from one of them.
If your environment is vulnerable, you should be aware of the following: - You have unauthenticated access to the help desk application on your server; - Your environment has more than one server and you are able to get the information from one of them.
How to Check Help Desk Settings
Unauthenticated attackers can change the help desk settings on the help desk application and completely block a certain user. To check this, we need to use the following steps:
1) Set up a listener on port 8080 of your local IP address (e.g. 192.168.1.2).
2) If you are located behind NAT/firewall, then use your public IP address instead of your local IP address (e.g. 10.0.0.18).
3) You should see the following in your listening log:
Cisco Systems Inc., Catalyst 6000 series, IOS 12.4(4)T7
- UDP src 10.0.0.18:23 - UDP dst 10.0.0 - Source port 23 - Destination port 8080 UDP packets: sent 1, received 0
- Success rate 0%
5) Enter "show run" at the command prompt and press enter to show all commands in running configuration, then enter "show run user access list" and press enter to view all users that have access to show run commands in running configuration:
6) You should see a line for "bob". This is who has access to show run commands in running configuration:
7) Enter "show run user account" and press enter to view all accounts that have access to show run commands in running configuration:
8) A username list will
FAQ
Q: What can the attacker do?
A: The attacker can send a crafted request to the help desk application and this can be done via the insecure web interface.
Timeline
Published on: 07/12/2022 21:15:00 UTC
Last modified on: 07/22/2022 16:46:00 UTC