Potential Information Disclosure CVE-2023-43261 Exploitation - Web

 1title: Potential Information Disclosure CVE-2023-43261 Exploitation - Web
 2id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
 3related:
 4    - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
 5      type: similar
 6status: experimental
 7description: |
 8        Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
 9references:
10    - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
11    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
12    - https://github.com/win3zz/CVE-2023-43261
13    - https://vulncheck.com/blog/real-world-cve-2023-43261
14author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
15date: 2023/10/20
16modified: 2023/10/30
17tags:
18    - attack.initial_access
19    - attack.t1190
20    - cve.2023.43621
21    - detection.emerging_threats
22logsource:
23    category: webserver
24    definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.'
25detection:
26    selection:
27        cs-method: 'GET'
28        # Note: In theory the path can also be for other files. But since the logs can contains password and interesting information. Its most likely going to be targeted during a real attack
29        cs-uri-stem|contains: '/lang/log/httpd.log' # Als covered .old
30        sc-status: 200
31    condition: selection
32falsepositives:
33    - Unknown
34level: high

References

• Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers

  

  Milesight's industrial routers risk unauthorized web interface access, while Titan MFT and Titan SFTP servers face remote

  
  Read More

• Inside the Router: How I Accessed Industrial Routers and Reported the Flaws

  

  Router Vulnerability Hunt, From Google Dorks to Firmware Emulation — The Full Story

  
  Read More

• GitHub - win3zz/CVE-2023-43261: CVE-2023-43261 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption

  

  CVE-2023-43261 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption - win3zz/CVE-2023-43261

  
  Read More

• Looking for CVE-2023-43261 in the Real World - Blog - VulnCheck

  

  VulnCheck was excited to breach ICS networks when CVE-2023-43261 was first disclosed. However, there is more to this than the CVE description would lead you to believe. Follow VulnCheck’s journey from CVE description to exploitation in the wild

  
  Read More

Related rules

• Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)