A (cautionary) tale of two patched bugs, both exploited in the wild

One affects VMware's monitoring tool and the other TP-Link routers


Miscreants are right now exploiting two security bugs for which patches exist, one in a VMware network and applications monitoring tool and the other in some TP-Link routers.

VMware two weeks ago issued a fix for CVE-2023-20887, a critical command-injection vulnerability in Aria Operations for Networks that can be abused to achieve remote code execution.

Meanwhile, TP-Link patched CVE-2023-1389 in mid-March. This is another command-injection vulnerability that can lead to remote code execution. Yesterday, Fortinet researchers warned that a DDoS-as-a-service botnet called Condi is spreading by exploiting still-vulnerable TP-Link Archer AX21 routers.
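Both bugs belong to the same class, command injection, which the article names but does not unpack. The block below is an added illustration, not code from VMware, TP-Link or Fortinet and not the actual vulnerable code path of either CVE: a generic embedded-style request handler that splices an untrusted request parameter into a shell command, beside a hardened version that allowlists the value and runs the helper without a shell. The helper path /usr/sbin/apply_setting.sh, the hostile sample value "US;id" and the use of /bin/echo as a stand-in for the real helper are assumptions made for the example.

```c
/* Added example: generic command-injection pattern and a hardened handler.
 * Not the TP-Link or VMware code; all names and values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* VULNERABLE pattern: the untrusted value is spliced into a command line
 * that will be handed to /bin/sh. Everything after ';' becomes a second
 * command. The helper script name is hypothetical. Returns bytes written
 * or -1 on truncation. */
int build_command_vulnerable(char *out, size_t outlen, const char *param)
{
    int n = snprintf(out, outlen, "/usr/sbin/apply_setting.sh %s", param);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* The vulnerable handler as a router's CGI code might write it. It is
 * defined here to show the sink, but is never called by the test below. */
int run_setting_vulnerable(const char *param)
{
    char cmd[CMD_MAX];
    if (build_command_vulnerable(cmd, sizeof cmd, param) < 0)
        return -1;
    return system(cmd);   /* the shell parses ';', '|', '`', '$(...)' ... */
}

/* HARDENED step 1: allowlist the value (letters and underscore, bounded
 * length). Reject anything else instead of trying to escape it. */
int param_is_safe(const char *p)
{
    size_t len = strlen(p);
    if (len == 0 || len > 16)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!(isalpha(c) || c == '_'))
            return 0;
    }
    return 1;
}

/* HARDENED step 2: execute the helper directly with an argv array, so no
 * shell ever tokenises attacker input. /bin/echo stands in for the helper
 * (assumption) so the example runs anywhere. Returns the child's exit
 * status, or -1 if the value was rejected or the child could not run. */
int run_setting_hardened(const char *param)
{
    if (!param_is_safe(param))
        return -1;

    char *const argv[] = { "/bin/echo", "apply_setting", (char *)param, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *hostile = "US;id";   /* constructed sample, not a real payload */
    build_command_vulnerable(cmd, sizeof cmd, hostile);
    printf("vulnerable handler would hand the shell: %s\n", cmd);
    printf("hardened handler on \"%s\" -> %d (rejected)\n", hostile,
           run_setting_hardened(hostile));
    printf("hardened handler on \"US\" -> %d\n", run_setting_hardened("US"));
    return 0;
}
```

Compile with cc -std=c99 -Wall example.c. The point of the hardened version is that it never builds a string a shell will parse: validation is a strict allowlist that rejects rather than escapes, and the helper is invoked through execv with the value as a single argv entry. For devices already in the field, none of this substitutes for installing the vendor's fixed firmware; it is the pattern the fixes have to restore.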

So if this sounds like a cautionary tale about bad things happening to unpatched products…it is.

The 9.8-out-of-10-severity rated VMware bug, CVE-2023-20887, was disclosed and patched by the virtualization giant on June 7 alongside two other vulnerabilities in Aria Operations for Networks: CVE-2023-20888, an authenticated deserialization vulnerability that received a 9.1 severity score, and CVE-2023-20889, an 8.8-rated information disclosure vulnerability.

Researcher Sina Kheirkhah, working with Trend Micro's Zero Day Initiative, found and reported all three security issues to VMware, and last week Kheirkhah uploaded a proof-of-concept exploit for CVE-2023-20887 to GitHub.

Yesterday GreyNoise CEO Andrew Morris sounded the alarm that the VMware bug had been exploited in the wild. These attacks began June 13 and originated from two IP addresses, according to the company's analysis platform.

Also yesterday, VMware updated its security advisory: "VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild."

Condi botnet on the loose

The second bug under active exploit, CVE-2023-1389, affects TP-Link Archer AX21 firmware versions before 1.1.4. TP-Link disclosed the flaw in April, after releasing firmware updates the month before.

In its April 27 security advisory for the buggy routers, the vendor included the following disclaimer in all-red letters:

The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.

But apparently not everyone took this warning to heart, because on May 1 the US government's Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-1389 to its known exploited vulnerabilities catalog.

And now, according to FortiGuard Labs researchers Joie Salvio and Roy Tay, a new Mirai-based botnet called Condi is spreading via TP-Link's CVE-2023-1389.

The botnet is sold through a Telegram channel called Condi Network, which offers distributed denial of service (DDoS) as a service that other criminals can rent and also sells the malware's source code.

DDoS attacks, which flood organizations' networks with junk traffic to overwhelm systems and prevent legit users from accessing services, don't require an awful lot of technical know-how in the first place. And these types of DDoS-for-hire services and botnets, of course, further lower the barrier for entry into cybercrime.

Since the end of May, the security shop has seen an "increasing number" of Condi samples, which means that miscreants are actively working to expand the botnet army.

While the sample that the two researchers analyzed only scanned for CVE-2023-1389, "other Condi botnet samples were also seen exploiting other vulnerabilities to propagate," Salvio and Tay warned. "The publicly available source code for older versions also includes scanners for known vulnerabilities exploited by other Mirai variants." ®
