
2024.09

Tripwires General Availability

  • Tripwires Launch: The NodeZero Tripwires™ feature has been officially launched to General Availability.
  • Tripwire Types: Three types of tripwires are now available: AWS credential file, MySQL Dump file, and Windows Suspicious Process Monitor.
  • Core Capabilities:
    • Opt-in to drop tripwires during pentests (configurable on the pentest configuration page).
    • View and manage dropped tripwires in pentest results and the new Tripwires Management page.
    • Test triggering a tripwire, view alert details (real or test), and receive email alerts.
    • Integrate with Splunk Cloud via webhooks, test webhook connections, and receive tripwire alerts as webhook events.
    • Grant additional team members access to the Tripwires feature through User Management.

Features/Enhancements

  • 1CV Badge: Introduced a new "1CV" badge along with a tooltip for easy identification of 1-Click Verify ("1CV") pentests directly from the main pentest page.
  • 1CV Summary Table: Added a summary table on the main pentest summary page to display the status and associated tests of 1CV pentests.
  • Tagging and Filtering: Introduced enhanced tagging and filtering options for Rapid Response tests, allowing users to find relevant tests more quickly and efficiently.

New Attack Content

  • CVE-2017-9805 [CISA KEV]: Apache Struts2 vulnerability allowing attackers to achieve remote code execution and full system control.
  • CVE-2020-0618 [CISA KEV]: Microsoft SQL Server Reporting Services vulnerability allowing unauthenticated attackers to execute code via the Report Server service account.
  • CVE-2020-7247 [CISA KEV]: OpenSMTPD vulnerability allowing remote attackers to execute arbitrary commands as root.
  • CVE-2022-29499 [CISA KEV]: Mitel MiVoice Connect vulnerability allowing remote code execution due to improper data validation.
  • CVE-2023-35813: Sitecore Experience Manager vulnerability that enables remote attackers to execute arbitrary code on the affected server.
  • CVE-2024-6670 [CISA KEV]: This vulnerability allows an attacker to bypass authentication and reset the admin password. Because the full attack is intrusive, the proof of concept (PoC) was modified to run a sleep command against the MSSQL database, which still demonstrates that the SQL injection and the authentication bypass are present.
  • CVE-2024-7593 [CISA KEV]: Ivanti Virtual Traffic Manager vulnerability allowing remote, unauthenticated attackers to bypass admin panel authentication.
  • CVE-2024-23692 [CISA KEV]: Rejetto HTTP File Server vulnerability allowing remote, unauthenticated attackers to execute commands on the affected system.
  • CVE-2024-45195: Apache OFBiz vulnerability allowing remote code execution by bypassing patches for previously disclosed vulnerabilities (CVE-2024-32113, CVE-2024-36104, CVE-2024-38856). This patch bypass vulnerability affects large organizations using Apache OFBiz, which is widely used for enterprise resource planning (ERP) and customer relationship management (CRM).

Azure to On-Prem Pivot Attack Capability

  • Hybrid-Joined Intune Device Exploitation: A new capability that allows attackers to pivot from Azure to on-premises, gaining remote code execution (RCE) on all hybrid-joined, Intune-managed devices within a tenant. This attack uses interactsh for out-of-band RCE validation, targeting Windows, macOS, and Linux devices. Windows hosts in internal tests will leak NTLM credentials to NodeZero for additional attack opportunities.

Kubernetes Service Account Token Discovery

NodeZero can now find potential Kubernetes Service Account tokens in file shares (SMB and NFS) and S3 buckets. Any exposed tokens it discovers appear in the Credentials tab of the portal.
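Defenders can run the same kind of sweep over their own shares before a pentest does. The scanner below is an added example (not NodeZero's code): it walks a mounted share, extracts anything shaped like a JWT, decodes the payload without verifying the signature, and reports tokens whose claims identify a Kubernetes service account (the `system:serviceaccount:<namespace>:<name>` subject, or the legacy `kubernetes.io/serviceaccount/*` claims). The sample files and tokens it scans are constructed inside `demo()`, with a placeholder signature, so nothing here is valid against a real cluster.

```python
import base64
import json
import os
import re
import tempfile
from typing import Optional

# A JWT is three base64url segments; Kubernetes SA tokens carry a JSON header,
# so the first segment always starts with "eyJ".
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def classify_sa_token(token: bytes) -> Optional[dict]:
    """Return the service account identity a token asserts, or None if it is
    not a Kubernetes SA JWT.  The signature is deliberately not verified: the
    goal is to locate exposed tokens so they can be rotated, not to use them."""
    try:
        _header, payload, _sig = token.split(b".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad padding, bad JSON, wrong segment count
        return None
    if not isinstance(claims, dict):
        return None
    # Bound (projected) tokens and legacy secret-based tokens both carry a
    # "system:serviceaccount:<namespace>:<name>" subject.
    sub = claims.get("sub", "")
    parts = sub.split(":") if isinstance(sub, str) else []
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"namespace": parts[2], "service_account": parts[3],
                "issuer": claims.get("iss"), "bound": "kubernetes.io" in claims}
    # Legacy tokens also spell the identity out in dedicated claims.
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns and name:
        return {"namespace": ns, "service_account": name,
                "issuer": claims.get("iss"), "bound": False}
    return None


def scan_file(path: str) -> list:
    """Extract every JWT-looking string in a file and keep the SA tokens."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    for match in JWT_RE.finditer(data):
        info = classify_sa_token(match.group(0))
        if info:
            findings.append({"path": path, **info})
    return findings


def scan_tree(root: str) -> list:
    """Walk a mount point (SMB/NFS mount, or a locally synced S3 prefix)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def make_constructed_token(namespace: str, name: str, bound: bool) -> bytes:
    """Build a constructed sample token for the demo.  The signature segment
    is a placeholder, so the token is not valid against any cluster."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    if bound:
        claims = {"iss": "https://kubernetes.default.svc.cluster.local",
                  "sub": f"system:serviceaccount:{namespace}:{name}",
                  "kubernetes.io": {"namespace": namespace,
                                    "serviceaccount": {"name": name}}}
    else:
        claims = {"iss": "kubernetes/serviceaccount",
                  "kubernetes.io/serviceaccount/namespace": namespace,
                  "kubernetes.io/serviceaccount/service-account.name": name,
                  "sub": f"system:serviceaccount:{namespace}:{name}"}
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + b"." + payload + b"." + _b64url_encode(b"placeholder-signature")


def demo() -> list:
    """Populate a temporary 'share' with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "backups"))
        with open(os.path.join(share, "backups", "deploy.env"), "wb") as fh:
            fh.write(b"K8S_TOKEN=" + make_constructed_token("prod", "deployer", True) + b"\n")
        with open(os.path.join(share, "notes.txt"), "wb") as fh:
            fh.write(b"legacy: " + make_constructed_token("kube-system", "default", False))
        with open(os.path.join(share, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        return sorted(scan_tree(share), key=lambda f: f["namespace"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_tree()` at a real mount point to sweep a share; every hit should be followed by revoking the token (deleting the backing Secret for legacy tokens, or restarting the pod for bound tokens) rather than just deleting the file, since copies may exist elsewhere.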

AWS Cognito Misconfiguration Exploit

NodeZero has expanded its attack content for AWS by targeting misconfigurations in AWS Cognito where the unauthenticated (guest) role is assigned IAM permissions. NodeZero can now obtain the unauthenticated role for AWS Cognito identity pool IDs discovered during enumeration.
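The misconfiguration boils down to two settings an owner can audit: whether the identity pool allows unauthenticated identities at all, and what the unauthenticated role's policies permit. The audit below is an added example, not NodeZero's or AWS's code. It works on plain dictionaries whose shape mirrors the boto3 `cognito-identity` responses for `describe_identity_pool()` and `get_identity_pool_roles()` (an assumption; fetching them and the role's IAM policy documents is left to the caller), and treats the two actions AWS grants in the default unauthenticated role as the baseline, flagging anything beyond it. The pool, role ARNs, account ID and policy documents are constructed for the example.

```python
import fnmatch

# Actions AWS grants in the default unauthenticated role it creates alongside a
# new identity pool; anything beyond this set is worth a second look.
# (Assumption: this baseline is the example's own choice.)
BASELINE_UNAUTH_ACTIONS = ("mobileanalytics:PutEvents", "cognito-sync:*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_doc: dict) -> set:
    """Collect every action an IAM policy document allows.  Deny statements
    are ignored, so the result is an upper bound on what the role can do."""
    actions = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def excess_actions(actions) -> set:
    """Actions not covered by any baseline pattern (e.g. "s3:GetObject", "*")."""
    return {a for a in actions
            if not any(fnmatch.fnmatchcase(a, pat) for pat in BASELINE_UNAUTH_ACTIONS)}


def audit_identity_pool(pool: dict, roles: dict, policies: dict) -> list:
    """pool and roles mirror describe_identity_pool() / get_identity_pool_roles()
    responses; policies maps a role ARN to the policy documents attached to it."""
    findings = []
    if not pool.get("AllowUnauthenticatedIdentities"):
        return findings  # no guest identities can be issued, nothing to assume
    unauth_arn = roles.get("Roles", {}).get("unauthenticated")
    findings.append({"pool": pool["IdentityPoolId"],
                     "issue": "unauthenticated identities enabled",
                     "role": unauth_arn})
    if not unauth_arn:
        return findings
    actions = set()
    for doc in policies.get(unauth_arn, []):
        actions |= allowed_actions(doc)
    excess = excess_actions(actions)
    if excess:
        findings.append({"pool": pool["IdentityPoolId"],
                         "issue": "unauthenticated role grants permissions beyond baseline",
                         "role": unauth_arn,
                         "actions": sorted(excess)})
    return findings


# Constructed sample data: a pool with guest access on, and an unauthenticated
# role that was given S3 read access on top of the default analytics/sync grants.
SAMPLE_POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
               "IdentityPoolName": "mobile_app_pool",
               "AllowUnauthenticatedIdentities": True}
SAMPLE_ROLES = {"IdentityPoolId": SAMPLE_POOL["IdentityPoolId"],
                "Roles": {"authenticated": "arn:aws:iam::123456789012:role/Cognito_app_Auth_Role",
                          "unauthenticated": "arn:aws:iam::123456789012:role/Cognito_app_Unauth_Role"}}
SAMPLE_POLICIES = {
    SAMPLE_ROLES["Roles"]["unauthenticated"]: [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"},
        ]}]}
# The hardened variant simply turns guest identities off; scoping the role's
# policy back down to the baseline is the alternative fix.
HARDENED_POOL = dict(SAMPLE_POOL, AllowUnauthenticatedIdentities=False)


def demo() -> list:
    return audit_identity_pool(SAMPLE_POOL, SAMPLE_ROLES, SAMPLE_POLICIES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("hardened:", audit_identity_pool(HARDENED_POOL, SAMPLE_ROLES, SAMPLE_POLICIES))
```

Against the constructed data the audit reports two findings (guest access enabled, and `s3:GetObject`/`s3:ListBucket` beyond the baseline); with `AllowUnauthenticatedIdentities` set to false it reports nothing, because no guest can obtain the role in the first place.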