Malicious cyber actors, including nation-states, use a vast range of tactics, techniques, and procedures to deliver effects and extort organizations withing the maritime environment for financial gain or economic disruption. Below, we will provide a brief overview of 10 known exploited vulnerabilities (KEVs) that have targeted the maritime environment within the last year, as well as a few case study / examples throughout.
Key Terms:
CVE = Common Vulnerabilities and Exposures – A list of publicly known cybersecurity vulnerabilities. Format is as follows:
CVSS = Common Vulnerability Scoring System – An industry standard for assessing the severity of the computer system security vulnerabilities. 10 being most severe.
CWE = Common Weakness Enumeration – A list of common software and hardware weaknesses that exist in a computer system. They are categorized to help describe weaknesses using a common language. A single record can contain and provide information about multiple vulnerabilities.
Example: 4 out of the 10 KEVs below are categorized in CWE-20: Improper Input Validation
10 Known Exploited Vulnerabilities in the Maritime Environment:
1. Microsoft WinVerifyTrust function Remote Code Execution
CVE-2013-3900 | CVSS: 7.6 | CWE-20 |
Description: Microsoft WinVerifyTrust function Remote Code Execution vulnerability, identified as CVE-2013-3900, is a significant security flaw that allows attackers to execute arbitrary code on affected systems. This vulnerability arises from improper handling of Authenticode signature verification within the WinVerifyTrust function. An attacker can exploit this flaw by crafting a malicious executable or DLL file with a specially formatted digital signature, which, when executed or loaded by a vulnerable system, bypasses security checks and runs the malicious code. This can lead to unauthorized control over the system, data theft, or disruption of services. Microsoft addressed this vulnerability with a security update, urging users to apply the patch to mitigate potential risks. |
2. “BlueKeep” Microsoft Windows Remote Desktop Remote Code Execution Vulnerability
CVE-2019-0708 | CVSS: 9.8 | CWE-416 |
Description: BlueKeep, identified as CVE-2019-0708, is a critical security flaw in Microsoft's Remote Desktop Services (RDS) that allows for remote code execution. This vulnerability exists in older versions of Windows, such as Windows 7, Windows Server 2008 R2, and Windows Server 2008. BlueKeep is particularly dangerous because it is "wormable," meaning that malware exploiting this vulnerability can propagate from one vulnerable computer to another without user interaction. An attacker who successfully exploits BlueKeep can execute arbitrary code on the target system, gaining full control, installing programs, viewing, changing, or deleting data, and creating new accounts with full user rights. Microsoft issued a security patch to address this vulnerability, and it is crucial for users and organizations to apply this update to prevent potential widespread exploitation. | ||
Example: An attacker scans the internet for systems with Remote Desktop Protocol (RDP) enabled and identifies a Windows 7 machine that has not been updated with the security patch for CVE-2019-0708. The attacker crafts a malicious RDP request designed to exploit the BlueKeep vulnerability. Upon sending this malicious RDP request to the target machine, the attacker leverages the flaw in the RDS to execute arbitrary code on the victim's system. This code opens a backdoor, giving the attacker remote access and control over the machine. With this access, the attacker can perform various malicious activities, such as:
By exploiting the BlueKeep vulnerability, the attacker can quickly compromise multiple systems, leading to significant security breaches, data loss, and potential financial damage. Applying the security patch from Microsoft is essential to mitigate this risk and protect systems from such remote code execution attacks. |
3. Microsoft SMBv1 Remote Code Execution/Information Disclosure Vulnerability (multiple CVEs)
CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148 | CVSS: 8.1 | CWE-20 CWE-200 |
Description: These vulnerabilities affect the Server Message Block version 1 (SMBv1) protocol, which is used for file sharing in Windows environments. Exploitation of these vulnerabilities can allow attackers to execute arbitrary code or disclose sensitive information without user interaction. The remote code execution vulnerabilities enable attackers to gain control of affected systems, potentially leading to the deployment of malware, data theft, or system disruption. Information disclosure vulnerabilities can expose sensitive data to unauthorized users. Microsoft released patches to address these vulnerabilities, and it is crucial for organizations to disable SMBv1 and apply these updates to mitigate potential attacks. | ||
Example: An attacker identifies a Windows system running SMBv1 that has not been updated with the latest security patches. The attacker crafts a malicious packet designed to exploit one of the SMBv1 remote code execution vulnerabilities, such as CVE-2017-0144. By sending this malicious packet to the vulnerable system, the attacker successfully exploits the flaw, gaining the ability to execute arbitrary code on the target machine. The attacker installs a ransomware program that encrypts the victim's files and displays a ransom note demanding payment for decryption. Simultaneously, the attacker exploits an SMBv1 information disclosure vulnerability to obtain sensitive information, such as user credentials and network configuration details, which can be used for further attacks within the victim's network. |
4. Apache HTTP Server-Side Request Forgery (SSRF)
CVE-2021-40438 | CVSS: 9.0 | CWE-918 |
Description: The Apache HTTP Server-Side Request Forgery (SSRF) vulnerability allows attackers to manipulate a server into making unauthorized requests to internal or external systems. SSRF vulnerabilities occur when an application accepts untrusted user input and uses it to construct requests to other servers without proper validation. Exploiting this flaw, attackers can bypass network controls, access sensitive data, and interact with internal services that are otherwise inaccessible. Apache has released patches to address SSRF vulnerabilities, and administrators are advised to apply these updates and implement input validation and proper request handling to mitigate the risks. | ||
Example: An attacker discovers an Apache web application that accepts URLs as input for fetching data from other sites. The attacker inputs a specially crafted URL pointing to an internal server address, exploiting the SSRF vulnerability. The Apache server, processing the malicious request, unknowingly sends a request to the internal server, retrieving sensitive information such as internal IP addresses, server configurations, or even confidential data stored on the internal server. By leveraging this SSRF vulnerability, the attacker can further map the internal network, identify potential targets, and exploit additional vulnerabilities, leading to a significant security breach. |
5. Apache Tomcat Improper Privilege Management “GhostCat” Vulnerability
CVE-2020-1938 | CVSS: 9.8 | N/A |
Description: The Apache Tomcat Improper Privilege Management "GhostCat" vulnerability, identified as CVE-2020-1938, is a critical flaw that allows attackers to read or write arbitrary files on the Tomcat server. This vulnerability exists in the Apache JServ Protocol (AJP) connector, which is enabled by default and listens on all interfaces. By exploiting this vulnerability, an attacker with network access to the AJP port can access sensitive files, such as configuration files and source code, or upload malicious files, potentially leading to remote code execution. Apache has released patches to address GhostCat, and it is crucial for administrators to update their Tomcat installations and restrict AJP port access to trusted sources. | ||
Example: An attacker identifies an Apache Tomcat server with the AJP connector enabled and accessible over the network. The attacker crafts a malicious request to exploit the GhostCat vulnerability, targeting the AJP port. By sending this request, the attacker successfully reads the Tomcat configuration files, gaining valuable information such as database credentials and server configurations. Taking the exploitation further, the attacker uploads a malicious JSP file to the server, using the same AJP connector. This file allows the attacker to execute arbitrary code on the Tomcat server, effectively gaining full control over the system. The attacker can now manipulate the server, steal sensitive data, and potentially launch further attacks within the network. |
6. Apache Tomcat Remote Code Execution Vulnerability
CVE-2017-12617 | CVSS: 8.1 | CWE-434 |
Description: The Apache Tomcat Remote Code Execution (RCE) vulnerability allows attackers to execute arbitrary code on a Tomcat server by exploiting flaws in the server's configuration or software. This type of vulnerability can occur due to various issues, such as insecure deserialization, inadequate input validation, or flaws in the server's authentication mechanisms. When exploited, an attacker can gain full control over the affected server, enabling them to install malware, manipulate data, and disrupt services. These vulnerabilities are critical, as they can lead to complete system compromise and significant security breaches. | ||
Example: An attacker discovers an Apache Tomcat server with an insecure deserialization vulnerability. The attacker crafts a malicious serialized object designed to exploit this vulnerability and sends it to the server. When the Tomcat server processes this object, the deserialization flaw is triggered, allowing the attacker to execute arbitrary code. With this code execution capability, the attacker uploads a web shell to the server, providing remote access to the server's filesystem and enabling command execution. The attacker now has full control over the Tomcat server, allowing them to manipulate data, exfiltrate sensitive information, and further compromise the network. |
7. Apache Log4j2 Remote Code Execution Vulnerability
CVE-2021-44228 | CVSS: 10 | CWE-917 CWE-400 CWE-20 CWE-502 |
Description: The Apache Log4j2 Remote Code Execution (RCE) vulnerability, also known as "Log4Shell" and identified as CVE-2021-44228, is a critical security flaw in the widely used Java-based logging library, Log4j2. This vulnerability allows attackers to execute arbitrary code on systems running vulnerable versions of Log4j2 by crafting and sending malicious log messages. When these messages are logged by an application using Log4j2, the malicious code is executed, granting the attacker full control over the affected system. This vulnerability is highly severe because Log4j2 is extensively used in numerous applications, making many systems potentially exploitable. | ||
Example: An attacker identifies a web application using Apache Log4j2 for logging. The attacker crafts a malicious payload containing a specially formatted string and injects it into a log entry, such as a user agent string or a form input field. When the web application logs this payload using Log4j2, the vulnerability is triggered. The malicious string instructs the Log4j2 library to download and execute a remote code from a server controlled by the attacker. As a result, the attacker gains the ability to execute arbitrary code on the web server. This access allows the attacker to install malware, steal sensitive data, and take complete control of the compromised system, potentially impacting all applications and services running on it. |
8. Apache HTTP Server Privilege Escalation Vulnerability
CVE-2019-0211 | CVSS: 7.8 | CWE-416 |
Description: The Apache HTTP Server Privilege Escalation Vulnerability allows attackers to gain elevated privileges on the affected server by exploiting flaws in the server's configuration or code. This type of vulnerability can occur due to improper handling of user permissions, insecure configurations, or bugs in the server software. When exploited, an attacker can escalate their access from a lower privilege level to a higher one, such as from a regular user to an administrator, enabling them to perform actions that would normally be restricted. This can lead to unauthorized access to sensitive data, the ability to modify system settings, and potential control over the entire server. |
9. Apache HTTP Server-Side Request Forgery (SSRF)
CVE-2012-1823 | CVSS: 7.5 | CWE-20 |
Description: The Apache HTTP Server-Side Request Forgery (SSRF) vulnerability allows attackers to manipulate the server into making unauthorized requests to internal or external systems. This vulnerability occurs when an application using the Apache HTTP server accepts untrusted user input to construct requests without proper validation. Exploiting this flaw, attackers can bypass network controls, access sensitive data, and interact with internal services that are otherwise inaccessible. This can lead to data breaches, unauthorized actions on internal systems, and potential further exploitation of internal network resources. |
10. PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability
CVE-2019-11043 | CVSS: 9.8 | CWE-120 CWE-787 |
Description: The PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability allows attackers to execute arbitrary code or cause a denial of service (DoS) on servers running vulnerable versions of PHP-FPM. This vulnerability occurs due to improper handling of input data, leading to a buffer overflow condition. By exploiting this flaw, attackers can overwrite memory and potentially control the execution flow of the application. This can result in unauthorized access, data corruption, and the ability to run malicious code on the affected server, posing significant security risks. |
The critical vulnerabilities discussed, including Microsoft WinVerifyTrust, BlueKeep, SMBv1, Apache Tomcat, Apache Log4j2, and Apache HTTP Server, highlight the persistent and evolving threats to cybersecurity. These vulnerabilities enable attackers to execute arbitrary code, escalate privileges, and manipulate servers, leading to unauthorized access, data breaches, and system disruptions. In the maritime environment, where operational continuity and data integrity are paramount, the exploitation of such vulnerabilities can have catastrophic consequences, affecting navigation, communication, and cargo management systems.
Given the interconnected nature of maritime systems and their reliance on robust IT infrastructure, it is crucial to be aware of these vulnerabilities and deploy effective mitigation strategies. Failure to address these security gaps can result in significant financial losses, operational downtime, and damage to reputation. Staying informed about the latest threats and implementing timely updates and security measures are essential steps to safeguard maritime operations from cyber threats.
For detailed guidance on how to mitigate these vulnerabilities, please read our latest blog post: Top 10 Essential Cybersecurity Strategies for Maritime Operations