Time to start patching… again…
CVE-2022-36537 has now been seen exploited in the wild. Currently the attackers seem to be targeting Connectwise R1Soft Server Backup Manager, but it's only a matter of time before they start finding other targets. The problem with ZK Framework, like Spring Framework, Log4j, etc., is that it is hard for organizations to know whether they are running these frameworks unless they are also the ones developing the software they use.
On top of that, the vulnerabilities themselves are often hard to detect without exploitation, so vulnerability management platforms may take a while to build detection engines for them (and even then those engines are often prone to false positives). That's why I'm releasing ZK Searcher (built off my SpringSearcher platform).
This is a free-to-use platform that can help you search your Windows, Mac, and Linux devices for the likely presence of ZK Framework. It is important to note that a hit on this platform does not automatically mean the application is vulnerable. Instead, use these findings to start a dialogue with your vendors. Something like: "Hey, we found what we think is ZK Framework in your XYZ application; can you confirm whether that is the case, and if so, whether the version you are using in XYZ version 123 is vulnerable to CVE-2022-36537? If it is, can you send us instructions on upgrading, or let us know the timeline until a fix is available? If there isn't a fix available yet, what temporary mitigations do you suggest we take to reduce our risk?"
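To show the kind of check such a script performs, here is an added example of my own (not the ZK Searcher script, and not code from the post) that looks inside WAR/JAR/EAR archives for evidence of ZK Framework and reports a version where one can be found. It assumes ZK's Maven groupId org.zkoss.zk, artifact names like zk-9.6.0.jar, and the org/zkoss/ package root; the sample WAR it scans is constructed inline.

```python
import io
import os
import re
import zipfile

# Assumed (not from the post): ZK Framework ships as Maven artifacts under groupId org.zkoss.zk,
# named like zk-9.6.0.jar or zul-9.6.0.jar, with its classes under the org/zkoss/ package root.
ZK_JAR_RE = re.compile(r"^(zk|zul|zweb|zcommon|zkbind|zkplus|zhtml|zel|zkex|zkmax)-(\d[\w.\-]*)\.jar$", re.I)
POM_RE = re.compile(r"^META-INF/maven/org\.zkoss\.zk/([^/]+)/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def inspect_archive(name, data, depth=0):
    """Return (artifact, version) hits for one archive given as bytes, recursing into nested jars."""
    m = ZK_JAR_RE.match(os.path.basename(name))
    hits = [(m.group(1).lower(), m.group(2))] if m else []   # strongest evidence: a ZK-named jar
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    has_classes = False
    with zf:
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVE_EXT) and depth < 3:   # WEB-INF/lib/*.jar; depth cap limits nesting
                hits += inspect_archive(entry, zf.read(entry), depth + 1)
            elif (pm := POM_RE.match(entry)):   # Maven metadata gives artifact and version
                props = dict(ln.split("=", 1) for ln in zf.read(entry).decode("utf-8", "replace").splitlines() if "=" in ln)
                hits.append((pm.group(1), props.get("version", "unknown").strip()))
            elif entry.startswith("org/zkoss/"):   # weakest evidence: ZK classes, e.g. in a shaded jar
                has_classes = True
    if has_classes and not hits:
        hits.append((os.path.basename(name), "unknown"))   # presence confirmed, version not
    return hits


def sample_war_bytes():
    """Constructed sample (not real ZK code): a WAR bundling a ZK-named jar, a shaded jar and an unrelated jar."""
    def zip_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, d in entries.items():
                z.writestr(n, d)
        return buf.getvalue()
    named = zip_bytes({"org/zkoss/zk/Version.class": b"\xca\xfe\xba\xbe"})
    shaded = zip_bytes({"org/zkoss/zul/Window.class": b"\xca\xfe\xba\xbe",
                        "META-INF/maven/org.zkoss.zk/zul/pom.properties": b"artifactId=zul\nversion=9.5.1\n"})
    other = zip_bytes({"org/apache/commons/io/IOUtils.class": b"\xca\xfe\xba\xbe"})
    return zip_bytes({"WEB-INF/lib/zk-9.6.0.jar": named, "WEB-INF/lib/app-all.jar": shaded,
                      "WEB-INF/lib/commons-io-2.11.0.jar": other})
```

Against a deployed application, call `inspect_archive(path, open(path, "rb").read())` on each .war/.jar/.ear under the install directory; as the post says, a reported version still has to be confirmed against the vendor's advisory before calling it vulnerable.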
To get started with ZK Searcher, sign up at https://zksearcher.infosecchicago.com. It is multi-tenant, so MSPs or companies with subsidiaries can easily separate their environments in the results, and multiple users can be assigned to one or more companies. Once the account is confirmed and the companies are set up, simply download the relevant script for the device(s) you want to check, then push it to your devices or run it manually. Once the scripts finish checking, they will check in with the dashboard.
Email notifications for new findings aren't available yet, but I'll probably add them soon. In the meantime, keep checking the dashboard for results until all devices have run the script(s).