DIVD-2022-00058 - ZK Framework - ZK AuUploader Servlet Upload Vulnerability
| Our reference | DIVD-2022-00058 |
| Case lead | Ralph Horn & Lennaert Oudshoorn |
| Author | Axel Boesenach |
| Researcher(s) |
|
| CVE(s) | |
| Product | ZK Framework |
| Versions | ZK 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 |
| Recommendation | Apply the security patch provided by ZK (9.6.2) https://www.zkoss.org/product/zk/releasenote/9.6.2 |
| Workaround | Add custom classes in their declared package as described by ZK in https://tracker.zkoss.org/browse/ZK-5150 |
| Status | Open |
| Last modified | 10 May 2023 21:16 |
Summary
In may 2022 a file upload vulnerability was found by Markus Wulftange in the ZK AuUploader servlets for which a security patch was released by ZK. At the time of this release there was no public exploitation script available to abuse the vulnerability. It wasn’t until the October 2022 blogpost of Huntress that demonstrated the exploitation of the R1Soft Server Backup Manager which uses the ZK framework. At the time of the Huntress blogpost there were no indications of this vulnerability being exploited in the wild until March of 2023 when Fox-IT encountered active exploitation of this software during an incident response engagement.
Because ZK is a framework which can be incorporated in other software applications we can identify whether a service is vulnerable, but we’re unable to identify the exact part that is vulnerable within this software application.
What you can do
When you receive an e-mail notifying a device within your network being vulnerable to this attack it is advised to check which software is running on this device.
If the device is indeed running an instance of the R1Soft Server Backup Manager software it is important to patch this device as soon as possible due to the active exploitation of the vulnerable instance running this software. Please refer to the ConnectWise security advisory.
If the device is not running the R1Soft Server Backup manager software we’d like to know which software is running on the device so we can provide the necessary steps needed to patch the device if the vendor has created a patch for the involved software, or report it to said vendor if there’s no patch available yet.
What we are doing
We are actively scanning the internet for vulnerable ZK instances that do not have the mitigations applied and will notify system owners via the listed abuse contacts.
Timeline
| Date | Description |
|---|---|
| 30 Oct 2022 | DIVD takes notice of ConnectWise vulnerability |
| 31 Oct 2022 | Huntress discloses CVE-2022-36537 |
| 01 Nov 2022 | DIVD merges ConnectWise efforts with ZK Upload case |
| 01 Nov 2022 | Huntress involved in case |
| 07 Nov 2022 | DIVD starts researching non-intrusive fingerprint |
| 21 Jan 2022 | DIVD finds out versions are backported |
| 22 Feb 2023 | Fox-IT encounters active exploitation of R1Soft Server Backup Manager |
| 27 Mar 2023 | DIVD identifies vulnerable parties |
| 10 Apr 2023 | DIVD notifies vulnerable parties |
| 07 May 2023 | DIVD conducts new scan |
| 07 May 2023 | DIVD notifies vulnerable parties |
More information
- ZK Security Tracker
- NIST Vulnerability Database
- Huntess CVE-2022-36537 Vulnerability Disclosure
- Fox-IT Blog Active Exploitation of ConnectWise
- ConnectWise Security Advisory