Remote Code Execution – Bitrix (CVE-2022-29268) and Jet CSIRT deface case.
🔻 The vulnerability is in the “Rejected” status in NVD, although its exploitability has been confirmed. 🤷‍♂️ What is it about? CMS Bitrix can be deployed from the “1C-Bitrix: Virtual Machine” image. Then it is configured in the web setup interface (without authentication). At a certain step there is an option “Upload backup”. Instead of a backup, you can upload a web shell there and it will be installed. 🫠
🔻 What is the risk? Surely no one will expose the initial setup interface to the Internet? 🤔 But people do it, and a Google dork is available.
🔻 This happened in the Jet CSIRT website deface case as well. In November 2023, the setup interface was exposed for 3 days. The attackers found it and installed the web shell. 🤷‍♂️
Jet states that Bitrix does not consider this to be a vulnerability in the setup interface. So the recommendation: don’t make it accessible from the Internet. 😅🤡
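As an added example (not code from this post, from Jet or from Bitrix), here is a detection pass a defender can run over web server access logs to surface requests to the setup wizard that come from outside trusted admin networks, which is what those 3 days of exposure would have looked like in the logs. The setup path prefix, the trusted networks and the sample log lines are assumptions or constructed data, not values from the post.

```python
import ipaddress
import re

# Assumption: the unauthenticated setup wizard is served under this path prefix.
# It is a hypothetical placeholder; set it to what your deployment actually exposes.
SETUP_PATH_PREFIX = "/setup/"

# Networks from which setup access is expected (admins only); anything else is external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# nginx/Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_trusted(ip_text):
    """True only for addresses inside TRUSTED_NETS; unparseable sources are untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def find_external_setup_access(lines, prefix=SETUP_PATH_PREFIX):
    """One finding per setup-wizard request from a non-trusted address.
    Uploads (POST/PUT) are rated high: that is the step where a 'backup' gets installed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(prefix) or is_trusted(m.group("ip")):
            continue
        method = m.group("method")
        findings.append({
            "ip": m.group("ip"), "time": m.group("ts"), "method": method,
            "path": m.group("path"), "status": int(m.group("status")),
            "severity": "high" if method in ("POST", "PUT") else "medium",
        })
    return findings

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2023:09:00:00 +0300] "GET /setup/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Nov/2023:03:14:05 +0300] "GET /setup/ HTTP/1.1" 200 1532 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Nov/2023:03:14:20 +0300] "POST /setup/restore HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [02/Nov/2023:03:20:00 +0300] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_external_setup_access(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time']} {f['ip']} {f['method']} {f['path']} {f['status']}")
```

Any finding at all means the wizard was reachable from outside; a "high" one is the upload step and should trigger an integrity check of the web root.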
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.