CERT Recently Published Vulnerability Notes
https://kb.cert.org/vuls/
Feed updated: 2024-03-26T19:09:03.692810+00:00
CERT, cert@cert.org, https://www.sei.cmu.edu
CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.

VU#417980: Implementations of UDP-based application protocols are vulnerable to network loops
Published: 2024-03-19T19:49:45.063322+00:00
Updated: 2024-03-26T19:09:03.692810+00:00
https://kb.cert.org/vuls/id/417980
<h3 id="overview">Overview</h3>
<p>A novel traffic-loop vulnerability has been identified in certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable UDP-based implementation of an application protocol (e.g., DNS, NTP, TFTP), which can lead to denial of service (DoS) and/or abuse of resources.</p>
<h3 id="description">Description</h3>
<p>The User Datagram Protocol (<a href="https://datatracker.ietf.org/doc/html/rfc768">UDP</a>) is a simple, connectionless protocol that is still commonly used in many internet-based applications. UDP has only limited packet-verification capability and is susceptible to IP spoofing. Security researchers have identified that certain application-level implementations built on UDP can be triggered to create a network loop of seemingly never-ending packets. Software implementations of the UDP-based application protocols DNS, NTP, TFTP, Echo (RFC862), Chargen (RFC864), and QOTD (RFC865) were specifically found to be vulnerable to such network loops.</p>
<p>As an example, if two application servers run a vulnerable implementation of such a protocol, an attacker can initiate communication with the first server while spoofing the network address of the second server (the victim). In many cases, the first server responds with an error message to the victim, which in turn triggers the same behavior: the victim sends an error message back to the first server, and the two servers continue to exchange error messages. This behavior has been demonstrated to exhaust resources and can cause services to become unresponsive or unstable.</p>
<h3 id="impact">Impact</h3>
<p>Successful exploitation of this vulnerability could result in the following scenarios:</p>
<ol>
<li>Overload of a vulnerable service, causing it to become unstable or unusable.</li>
<li>DoS attack on the network backbone, causing a network outage for other services.</li>
<li>Amplification attacks that involve network loops, causing amplified DoS or DDoS attacks.</li>
</ol>
<h3 id="solution">Solution</h3>
<h4 id="apply-updates">Apply updates</h4>
<p>CERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this vulnerability in the vendor-specific implementations. Review the vendor-specific information below. If the product is end-of-life/unsupported, vendors will be unlikely to release a patch; thus, we recommend replacing the device.</p>
<h4 id="protect-or-replace-udp-applications">Protect or replace UDP applications</h4>
<p>When possible, protect UDP-based applications using network firewall rules and/or other access-control lists to prevent unauthorized access. If the same service can be offered over TCP, or if the UDP-based application protocol provides a request-validation capability (e.g., <a href="https://freeradius.org/rfc/rfc2869.html#Message-Authenticator">Message-Authenticator</a>), implement such protection to reject unknown or spoofed requests. It is also recommended that you disable unnecessary and unused UDP services that may be enabled as part of your operating system, to prevent exposure of these services to abuse.</p>
<h4 id="deploy-anti-spoofing">Deploy anti-spoofing</h4>
<p>Network providers should deploy available anti-spoofing techniques (<a href="https://www.rfc-editor.org/info/bcp38">BCP38</a>), such as Unicast Reverse Path Forwarding (<a href="https://datatracker.ietf.org/doc/html/rfc3704">uRPF</a>), to prevent IP spoofing and to protect their internet-facing resources against spoofing and abuse.</p>
<h4 id="enforce-network-rate-limiting">Enforce network rate-limiting</h4>
<p>Service providers should employ network rate-limiting capabilities, such as Quality-of-Service (QoS), to protect their network from abuse by network loops and amplification and to ensure that their critical resources and services are protected.</p>
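The error-message loop described in the Description section, and why the mitigations in this Solution section break it, as an added simulation that is not part of the CERT note or any vendor's code: two in-process servers exchange datagrams through a simulated network, a vulnerable handler answers every unrecognized datagram with an error, and a hardened handler either refuses to answer error messages or rate-limits its replies per peer. The toy PING/PONG protocol, the server names A and B, and the per-peer reply counter are assumptions standing in for the real protocols and for a time-based rate limiter.

```python
"""Simulation of the UDP error-message loop from VU#417980 (added example, not CERT code).

Two in-process "servers" exchange datagrams through a simulated network; no real
sockets are used, so the run is offline and deterministic.  The toy PING/PONG
protocol is an assumption standing in for DNS, NTP, TFTP, Echo, Chargen or QOTD.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ERROR_PREFIX = b"ERR:"


@dataclass(frozen=True)
class Datagram:
    src: str        # claimed source address; UDP never verifies it, so it can be spoofed
    dst: str
    payload: bytes


Handler = Callable[[Datagram], Optional[Datagram]]


def vulnerable_handler(dg: Datagram) -> Optional[Datagram]:
    """Answers every datagram; anything it does not understand gets an error reply.

    An error reply is itself something the peer does not understand, so two such
    servers answer each other forever once a single spoofed packet seeds the loop.
    """
    if dg.payload == b"PING":
        return Datagram(dg.dst, dg.src, b"PONG")
    return Datagram(dg.dst, dg.src, ERROR_PREFIX + b"bad request")


def make_hardened_handler(drop_errors: bool, limit_per_peer: Optional[int]) -> Handler:
    """Builds a handler with one or both loop-breaking mitigations.

    drop_errors:     never answer an error message with another error (cuts the loop
                     at the first hop).
    limit_per_peer:  answer at most this many datagrams per source address; a simplified
                     stand-in (assumption) for a token-bucket rate limit that refills over time.
    """
    replies_sent: Dict[str, int] = {}

    def handler(dg: Datagram) -> Optional[Datagram]:
        if drop_errors and dg.payload.startswith(ERROR_PREFIX):
            return None
        if limit_per_peer is not None:
            replies_sent[dg.src] = replies_sent.get(dg.src, 0) + 1
            if replies_sent[dg.src] > limit_per_peer:
                return None
        if dg.payload == b"PING":
            return Datagram(dg.dst, dg.src, b"PONG")
        return Datagram(dg.dst, dg.src, ERROR_PREFIX + b"bad request")

    return handler


def simulate(handlers: Dict[str, Handler], seed: Datagram, max_steps: int) -> Tuple[int, bool]:
    """Delivers datagrams until the network is quiet or max_steps packets have flowed.

    Returns (packets delivered, True if the loop was still running when the budget ran out).
    """
    in_flight = deque([seed])
    delivered = 0
    while in_flight and delivered < max_steps:
        dg = in_flight.popleft()
        delivered += 1
        reply = handlers[dg.dst](dg)
        if reply is not None:
            in_flight.append(reply)
    return delivered, bool(in_flight)


# Constructed seed packet: sent to server A with server B's address as the spoofed
# source, so A's reply goes to B rather than back to the sender.
SPOOFED_SEED = Datagram(src="B", dst="A", payload=b"garbage")


def run_scenarios(max_steps: int = 1000) -> Dict[str, Tuple[int, bool]]:
    """Runs the configurations discussed in the note and returns each outcome."""
    return {
        # Both servers vulnerable: the loop never ends; one packet became max_steps packets.
        "both_vulnerable": simulate(
            {"A": vulnerable_handler, "B": vulnerable_handler}, SPOOFED_SEED, max_steps),
        # Fixing only B so it refuses to answer errors stops the loop after two packets.
        "b_drops_errors": simulate(
            {"A": vulnerable_handler, "B": make_hardened_handler(True, None)}, SPOOFED_SEED, max_steps),
        # B only rate-limits: the loop runs a few rounds, then dies when B goes quiet.
        "b_rate_limited": simulate(
            {"A": vulnerable_handler, "B": make_hardened_handler(False, 5)}, SPOOFED_SEED, max_steps),
        # Both mitigations on both sides.
        "both_hardened": simulate(
            {"A": make_hardened_handler(True, 5), "B": make_hardened_handler(True, 5)}, SPOOFED_SEED, max_steps),
    }


if __name__ == "__main__":
    for name, (packets, looping) in run_scenarios().items():
        print(f"{name:16s} packets={packets:5d} still_looping={looping}")
```

Note that hardening either one of the two servers is enough to end the exchange, which is why patching your own service helps even when the peer remains vulnerable.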
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporters Yepeng Pan and Christian Rossow from the CISPA Helmholtz Center for Information Security, Germany. This document was written by Elke Drennan and Vijay Sarvepalli.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07" class="vulreflink safereflink" target="_blank" rel="noopener">https://docs.google.com/document/d/1KByZzrdwQhrXGPPCf9tUzERZyRzg0xOpGbWoDURZxTI/edit#heading=h.edovh0fxvs07</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc768" class="vulreflink safereflink" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc768</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc862/" class="vulreflink safereflink" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc862/</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc864/" class="vulreflink safereflink" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc864/</a></li>
<li><a href="https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks</a></li>
<li><a href="https://manrs.org/netops/guide/antispoofing/" class="vulreflink safereflink" target="_blank" rel="noopener">https://manrs.org/netops/guide/antispoofing/</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc7873" class="vulreflink safereflink" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc7873</a></li>
<li><a href="https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting</a></li>
<li><a href="https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.dotmagazine.online/issues/digital-responsibility-and-sustainability/dns-cookies-transaction-mechanism</a></li>
<li><a href="https://www.kb.cert.org/vuls/id/568372" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.kb.cert.org/vuls/id/568372</a></li>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2009-3563" class="vulreflink safereflink" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2009-3563</a></li>
<li><a href="https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack" class="vulreflink safereflink" target="_blank" rel="noopener">https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2024-2169">CVE-2024-2169 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2024-1309">CVE-2024-1309 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2009-3563">CVE-2009-3563 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2024-03-19</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2024-03-19</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-03-26 19:09 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>4 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions
Published: 2024-03-14T15:22:28.382418+00:00
Updated: 2024-03-19T21:48:13.839143+00:00
https://kb.cert.org/vuls/id/488902
<h3 id="overview">Overview</h3>
<p>A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware that uses speculative execution and is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU by using race conditions to reach speculatively executed code paths. Security researchers have labeled this variant of the Spectre v1 vulnerability "GhostRace", for ease of communication.</p>
<h3 id="description">Description</h3>
<p>Speculative execution is an optimization technique in which a computer system performs some task preemptively to improve performance and provide additional concurrency as and when extra resources are available. However, such speculative execution leaves traces of memory accesses or computations in the CPU's caches, buffers, and branch predictors. Attackers can take advantage of these traces and, in some cases, also influence speculative execution paths via malicious software to infer privileged data belonging to a different execution context. Attackers exploiting Spectre v1 take advantage of the speculative execution of conditional branch instructions used for memory-access bounds checks. These are discussed in some detail in the article <a href="https://docs.kernel.org/admin-guide/hw-vuln/spectre.html">Spectre Side Channels</a> found at kernel.org. Earlier research did not cover speculative execution attacks that use race conditions. Race conditions, generally considered a class of concurrency bug, occur when two or more threads access the same shared resource without proper synchronization, which can give an attacker an opportunity to trick a system into carrying out unauthorized actions in addition to its normal processing. This recent research explores a speculative race condition attack against the speculative execution facility of modern CPUs.</p>
<p>In its characteristics and exploitation strategy, an SRC vulnerability is similar to a classic race condition. It differs in that the attacker exploits the race condition on a transiently executed path originating from a mis-speculated branch (similar to Spectre v1), targeting a racy code snippet or gadget that ultimately discloses information to the attacker. Another major difference is that while classic race conditions are relatively infrequent in production code bases, speculative race conditions can be pervasive: common synchronization primitives all behave like no-ops on a transiently executed path, essentially causing every critical region in victim software to become vulnerable. In practice, whether a particular critical region is actually exploitable depends on the characteristics of the resulting race condition, similar in some ways to the exploitation of a classic race condition.</p>
<h3 id="impact">Impact</h3>
<p>An attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by exploiting this race condition, termed a speculative race condition.</p>
<h3 id="solution">Solution</h3>
<p>Please update your software according to the recommendations from the respective vendors, applying the latest mitigations available to address this vulnerability and its variants.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to Hany Ragab and Cristiano Giuffrida from the VUSec group at VU Amsterdam and Andrea Mambretti and Anil Kurmus from IBM Research Europe, Zurich for discovering and reporting this vulnerability, as well as supporting coordinated disclosure. This document was written by Dr. Elke Drennan, CISSP.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://kb.cert.org/vuls/id/180049" class="vulreflink safereflink" target="_blank" rel="noopener">https://kb.cert.org/vuls/id/180049</a></li>
<li><a href="https://vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution" class="vulreflink safereflink" target="_blank" rel="noopener">https://vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution</a></li>
<li><a href="https://www.commerce.senate.gov/2018/7/complex-cybersecurity-vulnerabilities-lessons-learned-from-spectre-and-meltdown" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.commerce.senate.gov/2018/7/complex-cybersecurity-vulnerabilities-lessons-learned-from-spectre-and-meltdown</a></li>
<li><a href="https://www.economist.com/business/2018/01/11/spectre-and-meltdown-prompt-tech-industry-soul-searching" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.economist.com/business/2018/01/11/spectre-and-meltdown-prompt-tech-industry-soul-searching</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2024-2193">CVE-2024-2193 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2024-03-14</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2024-03-14</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-03-19 21:48 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>3 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#949046: Sciener firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks
Published: 2024-03-07T14:49:15.807869+00:00
Updated: 2024-03-18T16:40:29.962460+00:00
https://kb.cert.org/vuls/id/949046
<h3 id="overview">Overview</h3>
<p>Sciener is a company that develops software and hardware for electronic locks that are marketed under many different brands. Their hardware works in tandem with an app, called the TTLock app, which is also produced by Sciener. The TTLock app uses Bluetooth connections to connect to locks that run the Sciener firmware and allows manipulation of the lock. Sciener firmware locks also support peripherals. The GatewayG2, also produced by Sciener, allows connection to an appropriate lock through the TTLock app over WiFi. Sciener firmware also allows wireless keypad connection to supported devices.</p>
<p>Analysis has revealed that various locks are vulnerable through the Sciener firmware. Additional vulnerabilities within the TTLock App and GatewayG2 can be further utilized to compromise the associated electronic lock integrity, and affect any locks that utilize them.</p>
<p>A number of these vulnerabilities are facilitated through the unlockKey character. The unlockKey character, when provided to the appropriate lock, can be used to unlock or lock the device. </p>
<h3 id="description">Description</h3>
<p>The vulnerabilities are as follows:</p>
<p>• CVE-2023-7006</p>
<p>The unlockKey character in a lock using Sciener firmware can be brute forced through repeated challenge requests, compromising the lock's integrity. Challenge requests take place during the unlocking process and contain a random integer between 0 and 65535. Challenge requests can be repeatedly prompted and responded to without any limitation, until the correct integer is discovered. Successfully completing the challenge request provides the unlockKey character.</p>
<p>• CVE-2023-7005</p>
<p>A specially crafted message can be sent to the TTLock App that downgrades the encryption protocol used for communication and can be utilized to compromise the lock, such as by providing the unlockKey character. During the challenge request process, if a message is sent to the lock unencrypted, and with a specific set of information, the corresponding message that contains the unlockKey character will be provided unencrypted. </p>
<p>• CVE-2023-7003</p>
<p>The AES key used in the pairing process between a lock using Sciener firmware and a wireless keypad is not unique, and can be reused to compromise other locks using the Sciener firmware. This AES key can be used to connect to any other Sciener lock that supports wireless keypads, without user knowledge or interaction.</p>
<p>• CVE-2023-6960</p>
<p>The TTLock App supports the creation of virtual keys and settings. These virtual keys are intended to be distributed to other individuals through the TTLock app, for unlocking and locking the lock. They can also be set to be valid only for a certain period of time. Deletion of these keys occurs only client-side in the TTLock app, with the corresponding key information persisting within the associated lock. If an attacker acquires one of these keys, they can use it to unlock the lock after its intended deletion or invalidation.</p>
<p>• CVE-2023-7004</p>
<p>The TTLock App does not employ proper verification procedures to ensure that it is communicating with the expected device. This can be utilized by a threat actor who introduces a device that spoofs the MAC address of the lock, allowing for compromise of the unlockKey value.</p>
<p>• CVE-2023-7007</p>
<p>The Sciener server does not validate connection requests from the GatewayG2, allowing an impersonation attack. An attacker can impersonate the MAC address of a GatewayG2 that has established a connection with a lock, then connect to Sciener servers and receive messages instead of the legitimate GatewayG2. This can facilitate access to the unlockKey character.</p>
<p>• CVE-2023-7009</p>
<p>Some Sciener-based locks support plaintext message processing over Bluetooth Low Energy, allowing unencrypted malicious commands to be passed to the lock. These malicious commands, less than 16 bytes in length, will be processed by the lock as if they were encrypted communications. This can be further exploited by an attacker to compromise the lock's integrity.</p>
<p>• CVE-2023-7017</p>
<p>Some Sciener locks' firmware update mechanism does not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. A challenge request can be sent to the lock with a command to prepare for an update, rather than an unlock request. This allows an attacker within Bluetooth range to pass an arbitrary malicious firmware to the lock, compromising its integrity.</p>
<h3 id="impact">Impact</h3>
<p>These vulnerabilities allow an attacker with physical, adjacent, or Bluetooth proximity to the lock to compromise the lock's integrity in various ways, without the victim's knowledge or interaction. This renders the lock's functionality null.</p>
<p>Affected versions:</p>
<ul>
<li>Kontrol Lux lock, firmware versions 6.5.x to 6.5.07</li>
<li>Gateway G2, firmware version 6.0.0</li>
<li>TTLock App, version 6.4.5</li>
</ul>
<h3 id="solution">Solution</h3>
<p>There is no software fix for these vulnerabilities, only a potential workaround. By disabling various functions related to the Bluetooth capability of locks using Sciener firmware, several of the attacks can be prevented. However, as the locks are designed to be used with the TTLock App, this may not be a practical solution for most users.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to Lev Aronsky, Idan Strovinsky, and Tomer Telem of Aleph Research by HCL Software for providing the report and information. This document was written by Christopher Cullen.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
<h3 id="overview">Overview</h3>
<p>Sciener is a company that develops software and hardware for electronic locks that are marketed under many different brands. Their hardware works in tandem with an app, called the TTLock app, which is also produced by Sciener. The TTLock app utilizes Bluetooth connections to connect to locks that utilize the Sciener firmware, and allows for manipulation of the lock. Sceiner firmware locks also supports peripherals. The GatewayG2, also produced by Sciener, allows for connection to an appropriate lock through the TTLock app through WiFi. Sciener firmware also allows wireless keypad connection to supported devices. </p>
<p>Analysis has revealed that various locks are vulnerable through the Sciener firmware. Additional vulnerabilities within the TTLock App and GatewayG2 can be further utilized to compromise the associated electronic lock integrity, and affect any locks that utilize them.</p>
<p>A number of these vulnerabilities are facilitated through the unlockKey character. The unlockKey character, when provided to the appropriate lock, can be used to unlock or lock the device. </p>
<h3 id="description">Description</h3>
<p>The vulnerabilities are as follows:</p>
<p>• CVE-2023-7006</p>
<p>The unlockKey character in a lock using Sciener firmware can be brute forced through repeated challenge requests, compromising the locks integrity. Challenge requests take place during the unlocking process, and contain a random integer between 0 and 65535. Challenge requests can be repeatedly prompted and responded to without any limitations, until the correct integer is discovered. Successfully completing the challenge request provides the unlockKey character.</p>
<p>• CVE-2023-7005</p>
<p>A specially crafted message can be sent to the TTLock App that downgrades the encryption protocol used for communication and can be utilized to compromise the lock, such as by providing the unlockKey character. During the challenge request process, if a message is sent to the lock unencrypted, and with a specific set of information, the corresponding message that contains the unlockKey character will be provided unencrypted. </p>
<p>• CVE-2023-7003</p>
<p>The AES key used in the pairing process between a lock using Sciener firmware and a wireless keypad is not unique and can be reused to compromise other locks using the Sciener firmware. This AES key can be used to connect to any other Sciener lock that supports wireless keypads, without user knowledge or interaction. </p>
<p>• CVE-2023-6960</p>
<p>The TTLock app supports the creation of virtual keys and settings. Virtual keys are intended to be distributed to other individuals through the TTLock app for unlocking and locking the lock, and can be set to be valid only for a certain period of time. Deletion of these keys occurs only client side in the TTLock app; the corresponding key information persists within the associated lock. If an attacker acquires one of these keys, they can use it to unlock the lock after its intended deletion or invalidation. </p>
<p>• CVE-2023-7004</p>
<p>The TTLock app does not properly verify that it is communicating with the expected device. A threat actor can introduce a device that spoofs the MAC address of the lock, allowing the unlockKey value to be compromised.</p>
<p>• CVE-2023-7007</p>
<p>The Sciener server does not validate connection requests from the Gateway G2, allowing an impersonation attack. An attacker can impersonate the MAC address of a Gateway G2 that has established a connection with a lock, then connect to the Sciener servers and receive messages intended for the legitimate Gateway G2. This can give the attacker access to the unlockKey. </p>
<p>• CVE-2023-7009</p>
<p>Some Sciener-based locks process plaintext messages over Bluetooth Low Energy, allowing unencrypted malicious commands to be passed to the lock. Such commands, less than 16 bytes in length, are processed by the lock as if they were encrypted communications. An attacker can exploit this to compromise the lock's integrity.</p>
<p>• CVE-2023-7017</p>
<p>The firmware update mechanism of some Sciener locks does not authenticate or validate firmware updates passed to the lock through the Bluetooth Low Energy service. A challenge request can be sent to the lock with a command to prepare for an update instead of an unlock request. This allows an attacker within Bluetooth range to load arbitrary malicious firmware onto the lock, compromising its integrity.</p>
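<p>To make the weakness behind CVE-2023-7006 concrete, the following added example (written for this note; it is not code from Sciener, the TTLock app, or the researchers) models a lock that hands over its unlockKey when a 16-bit challenge value is answered correctly and places no limit on attempts, beside a hardened variant that counts failures, draws a fresh challenge after every failure, and locks out after a small number of tries. The class names, the session model (one challenge value per unlock session), the placeholder key, and the failure threshold are assumptions made for the model; the advisory does not describe the real protocol at that level.</p>

```python
import secrets

CHALLENGE_SPACE = 1 << 16        # the challenge is an integer in 0..65535 (from the note)
UNLOCK_KEY = b"unlockKey-demo"   # constructed placeholder, not a real key


class VulnerableLock:
    """Model of the behaviour described for CVE-2023-7006.
    Assumption: one challenge value per unlock session, unlimited answers accepted."""

    def __init__(self, unlock_key: bytes, rng=None):
        self._unlock_key = unlock_key
        self._rng = rng or secrets.SystemRandom()
        self._challenge = None

    def start_session(self) -> None:
        """Begin an unlock session: the lock draws a random 16-bit challenge."""
        self._challenge = self._rng.randrange(CHALLENGE_SPACE)

    def answer(self, guess: int):
        """Return the unlockKey if the guess matches, otherwise None.
        Nothing stops the caller from calling this 65536 times."""
        return self._unlock_key if guess == self._challenge else None


class HardenedLock(VulnerableLock):
    """Same interface with the two controls the vulnerable model lacks: a failure
    budget with lockout, and a fresh challenge after every failure so that
    sequential enumeration gains nothing."""

    MAX_FAILURES = 5   # assumed threshold for the model

    def __init__(self, unlock_key: bytes, rng=None):
        super().__init__(unlock_key, rng)
        self.failures = 0
        self.locked_out = False

    def answer(self, guess: int):
        if self.locked_out:
            raise PermissionError("challenge interface locked out")
        key = super().answer(guess)
        if key is None:
            self.failures += 1
            self.start_session()               # new challenge after each failure
            if self.failures >= self.MAX_FAILURES:
                self.locked_out = True
        return key


def brute_force(lock: VulnerableLock, budget: int = CHALLENGE_SPACE):
    """Attacker loop: answer the challenge with 0, 1, 2, ... until the lock hands
    over the unlockKey or refuses. Returns (key_or_None, attempts_made)."""
    lock.start_session()
    for guess in range(budget):
        try:
            key = lock.answer(guess)
        except PermissionError:
            return None, guess
        if key is not None:
            return key, guess + 1
    return None, budget


if __name__ == "__main__":
    key, attempts = brute_force(VulnerableLock(UNLOCK_KEY))
    print("vulnerable lock:", key, "after", attempts, "attempts")
    hardened = HardenedLock(UNLOCK_KEY)
    key, attempts = brute_force(hardened)
    print("hardened lock:", key, "after", attempts, "attempts; locked out:", hardened.locked_out)
```

<p>Against the vulnerable model the sequential search is guaranteed to recover the key within 65536 requests, which is the whole point of the CVE; against the hardened model the same loop is cut off after MAX_FAILURES answers, and because the challenge changes after every failure the attacker cannot carry any information from one failed answer into the next.</p>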
<h3 id="impact">Impact</h3>
<p>These vulnerabilities allow attackers with physical, adjacent, or Bluetooth-range access to the lock to compromise the lock's integrity in various ways, without victim knowledge or interaction. The result is that the lock no longer provides any protective function. </p>
<p>Affected versions:</p>
<ul>
<li>Kontrol Lux lock, firmware versions 6.5.x to 6.5.07</li>
<li>Gateway G2, firmware version 6.0.0</li>
<li>TTLock App, version 6.4.5</li>
</ul>
<h3 id="solution">Solution</h3>
<p>There is no software fix for these vulnerabilities at the time of writing, only a partial workaround. Disabling various functions related to the Bluetooth capability of locks using Sciener firmware prevents several of the attacks. However, because the locks are designed to be used with the TTLock app, this may not be a practical solution for most users.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to Lev Aronsky, Idan Strovinsky, and Tomer Telem of Aleph Research by HCL Software for providing the report and information. This document was written by Christopher Cullen.</p>
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://alephsecurity.com/2024/02/20/kontrol-lux-lock-1/" class="vulreflink safereflink" target="_blank" rel="noopener">https://alephsecurity.com/2024/02/20/kontrol-lux-lock-1/</a></li>
<li><a href="https://alephsecurity.com/2024/03/07/kontrol-lux-lock-2/" class="vulreflink safereflink" target="_blank" rel="noopener">https://alephsecurity.com/2024/03/07/kontrol-lux-lock-2/</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7004">CVE-2023-7004 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7005">CVE-2023-7005 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7006">CVE-2023-7006 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7017">CVE-2023-7017 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7009">CVE-2023-7009 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7007">CVE-2023-7007 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-7003">CVE-2023-7003 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-6960">CVE-2023-6960 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2024-03-07</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2024-03-07</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-03-18 16:40 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>3 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="large-3 medium-3 columns" data-sticky-container>
<div class="sticky" data-sticky data-anchor="content">
<div class="sidebar-links">
<ul class="menu vertical">
<li><a href="https://vuls.cert.org/confluence/display/VIN/Vulnerability+Note+Help" target="_blank" rel="noopener">About vulnerability notes</a></li>
<li><a href="mailto:cert@cert.org?Subject=VU%23949046 Feedback">Contact us about this vulnerability</a></li>
<li><a href="https://vuls.cert.org/confluence/display/VIN/Case+Handling#CaseHandling-Givingavendorstatusandstatement" target="_blank" >Provide a vendor statement</a></li>
</ul>
</div>
</div>
</div>
</div>
VU#446598: GPU kernel implementations susceptible to memory leak2024-01-16T16:59:24.294805+00:002024-01-17T15:27:17.567461+00:00https://kb.cert.org/vuls/id/446598
<h3 id="overview">Overview</h3>
<p>General-purpose graphics processing unit (GPGPU) platforms from AMD, Apple, and Qualcomm fail to adequately isolate process memory, thereby enabling a local attacker to read memory from other processes. An attacker with access to GPU capabilities using a vulnerable GPU's programmable interface can access memory that is expected to be isolated from other users and processes. </p>
<h3 id="description">Description</h3>
<p>Graphics processing units (GPUs), originally used to accelerate computer graphics, have today become the standard hardware accelerators for scientific computing and artificial intelligence / machine learning (AI/ML) applications due to their massive parallelism and high memory bandwidth. A GPGPU platform provides the ability to copy CPU memory to the GPU in order to perform these high-end computing tasks. The GPU kernel, essentially a user-provided C-like program that executes on the GPU, performs such intense numerical computations on the copied data. Afterwards, the CPU can copy the data back to present to the user or perform other tasks. This GPU-enabled high-performance computing is beneficial in many domains, including the training of artificial neural networks, doing inference on neural networks, and scientific computing. GPGPU platforms are useful in accelerating any task where operations such as matrix multiplication dominate the computation time. While GPGPUs are an essential part of large-scale ML implementations, such as Large Language Models (LLMs), they also serve a role as accelerators in client computing from applications to middleware. Standards such as <a href="https://www.khronos.org/opencl/">OpenCL</a> (Open Computing Language) and Apple’s <a href="https://developer.apple.com/metal/">Metal</a> are frameworks that provide specifications for enabling such "close-to-metal" programming by giving applications direct access to these rich GPU computing capabilities on mobile devices and in high-performance computing datacenters.</p>
<p>Researchers at Trail of Bits have uncovered a vulnerability in which a GPU kernel can observe memory values left behind by a different GPU kernel, even when the two kernels belong to different applications, processes, or users. The region of memory in which this behavior was observed is referred to as <code>local memory</code>: essentially a software-managed cache, similar to the L1 cache in CPUs, whose contents are not cleared between kernel invocations. The size of this memory region varies across GPUs from tens of KB to several MB. Trail of Bits has shown that this vulnerability can be observed through various programming interfaces, including Metal, Vulkan, and OpenCL, on various combinations of operating systems and drivers. Trail of Bits' research and testing, using open-source software libraries, identified platforms from AMD, Apple, and Qualcomm that exhibit this behavior. During testing, the issue was not observed on NVIDIA devices. For further information, review the information provided by Apple, AMD and Google in the <em>Vendor Information</em> section.</p>
<p>Researcher Tyler Sorensen of Trail of Bits states: </p>
<blockquote>
<p>Due to the fact that most DNN computations (matrix multiplication and convolutions) make heavy use of local memory, the researchers also believe many ML implementations, both in the embedded domain as well as datacenter domain, may be impacted by this vulnerability.</p>
</blockquote>
<p>The security researchers at Trail of Bits have named this vulnerability <code>LeftoverLocals</code> so that it can be referred to consistently across the affected GPU platforms. </p>
<p>The GPU marketplace contains a wide and complex software supply chain to facilitate the adoption of the advanced capabilities of GPUs. We expect that resolving these issues will require hardware manufacturers, software library providers, programmers, system integrators and standards bodies to cooperate. <a href="https://dl.acm.org/doi/10.1145/2801153">Prior research work in this area</a> has shown that resolving these issues may require a multi-pronged, ongoing approach.</p>
<h3 id="impact">Impact</h3>
<p>An attacker with access to a GPU programmable interface, like OpenCL or Metal, can craft and install a malicious application capable of recording a dump of uninitialized local memory (leftover from an earlier application) that may contain sensitive data. Additionally, the attacker can read data from another GPU kernel that is currently processing data, leading to the leakage of sensitive information considered private to an application, process, or user.</p>
<h3 id="solution">Solution</h3>
<h4 id="gpu-software-developers">GPU Software Developers</h4>
<p>GPU software developers are advised to review their vendor-provided updates and use the latest available libraries and security capabilities to protect sensitive data in their applications. They are also urged to review their applications for data privacy when leveraging such high-performance computing capabilities; where the platform does not clear local memory between kernels, a kernel that handles sensitive data should not leave that data behind in local memory when it exits. </p>
<h4 id="gpu-users">GPU users</h4>
<p>Review the <em>Vendor Information</em> section for software updates and additional information provided by the vendors; ensure your devices are up to date and have the security protections provided by your vendors. </p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Tyler Sorensen, along with the ML safety team, of <a href="https://www.trailofbits.com">Trail of Bits</a> researched and reported these vulnerabilities. Vendors and the Khronos Group worked closely with us and other stakeholders to enable coordinated disclosure of these vulnerabilities. This document was written by Ben Koo and Vijay Sarvepalli.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://registry.khronos.org/OpenCL/specs/3.0-unified/html/OpenCL_API.html#_fundamental_memory_regions" class="vulreflink safereflink" target="_blank" rel="noopener">https://registry.khronos.org/OpenCL/specs/3.0-unified/html/OpenCL_API.html#_fundamental_memory_regions</a></li>
<li><a href="https://www.vulkan.org" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.vulkan.org</a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/API/WebGPU_API" class="vulreflink safereflink" target="_blank" rel="noopener">https://developer.mozilla.org/en-US/docs/Web/API/WebGPU_API</a></li>
<li><a href="https://researchcomputing.princeton.edu/support/knowledge-base/gpu-computing" class="vulreflink safereflink" target="_blank" rel="noopener">https://researchcomputing.princeton.edu/support/knowledge-base/gpu-computing</a></li>
<li><a href="https://developer.apple.com/documentation/metal/performing_calculations_on_a_gpu" class="vulreflink safereflink" target="_blank" rel="noopener">https://developer.apple.com/documentation/metal/performing_calculations_on_a_gpu</a></li>
<li><a href="https://devblogs.microsoft.com/directx/announcing-the-opencl-and-opengl-compatibility-pack-for-windows-10-on-arm/ " class="vulreflink safereflink" target="_blank" rel="noopener">https://devblogs.microsoft.com/directx/announcing-the-opencl-and-opengl-compatibility-pack-for-windows-10-on-arm/ </a></li>
<li><a href="https://source.android.com/docs/core/graphics/arch-vulkan" class="vulreflink safereflink" target="_blank" rel="noopener">https://source.android.com/docs/core/graphics/arch-vulkan</a></li>
<li><a href="https://developer.nvidia.com/cuda-toolkit" class="vulreflink safereflink" target="_blank" rel="noopener">https://developer.nvidia.com/cuda-toolkit</a></li>
<li><a href="https://www.amd.com/en/technologies/vulkan" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.amd.com/en/technologies/vulkan</a></li>
<li><a href="https://developer.arm.com/Processors/Mali-G78" class="vulreflink safereflink" target="_blank" rel="noopener">https://developer.arm.com/Processors/Mali-G78</a></li>
<li><a href="https://www.imaginationtech.com/product/ge8320/" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.imaginationtech.com/product/ge8320/</a></li>
<li><a href="https://github.com/Mesa3D/mesa/blob/957009978ef6d7121fc0d710d03bc20097d4d46b/src/amd/vulkan/radv_shader.c#L709 " class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/Mesa3D/mesa/blob/957009978ef6d7121fc0d710d03bc20097d4d46b/src/amd/vulkan/radv_shader.c#L709 </a></li>
<li><a href="https://dl.acm.org/doi/10.1145/2801153" class="vulreflink safereflink" target="_blank" rel="noopener">https://dl.acm.org/doi/10.1145/2801153</a></li>
<li><a href="https://arxiv.org/pdf/1605.06610.pdf" class="vulreflink safereflink" target="_blank" rel="noopener">https://arxiv.org/pdf/1605.06610.pdf</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-4969">CVE-2023-4969 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2024-01-16</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2024-01-16</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-01-17 15:27 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>2 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="large-3 medium-3 columns" data-sticky-container>
<div class="sticky" data-sticky data-anchor="content">
<div class="sidebar-links">
<ul class="menu vertical">
<li><a href="https://vuls.cert.org/confluence/display/VIN/Vulnerability+Note+Help" target="_blank" rel="noopener">About vulnerability notes</a></li>
<li><a href="mailto:cert@cert.org?Subject=VU%23446598 Feedback">Contact us about this vulnerability</a></li>
<li><a href="https://vuls.cert.org/confluence/display/VIN/Case+Handling#CaseHandling-Givingavendorstatusandstatement" target="_blank" >Provide a vendor statement</a></li>
</ul>
</div>
</div>
</div>
</div>
VU#302671: SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies2024-01-16T15:53:57.114750+00:002024-01-31T18:07:52.095478+00:00https://kb.cert.org/vuls/id/302671
<h3 id="overview">Overview</h3>
<p>A vulnerability has been found in the way that SMTP servers and software handle the end-of-data sequences (essentially the end of a single email message) in mail messages. An attacker can use this inconsistency to craft an email message that can bypass SMTP security policies.</p>
<h3 id="description">Description</h3>
<p>The Simple Mail Transfer Protocol (SMTP; see <a href="https://www.rfc-editor.org/rfc/rfc5321">RFC 5321</a> and <a href="https://www.rfc-editor.org/rfc/rfc5322">RFC 5322</a>) is an Internet protocol for e-mail transmission and exchange. Multiple servers use SMTP to relay an email as it is exchanged between a sender and a recipient, so a message can pass through a number of next-hop servers before delivery to the intended recipient. A priority-based Mail eXchange (MX) record also allows emails to be delivered to alternate servers or partner gateways that spool and deliver them in case of outages. In SMTP, the message content is sent after the DATA command and is terminated by a line containing only a single period, i.e. the byte sequence <code>&lt;CRLF&gt;.&lt;CRLF&gt;</code>. To prevent fraudulent emails, email software and services authenticate the submitting user and employ security policies such as DMARC, which builds on SPF and DKIM, to verify an email's origin as it traverses these various services.</p>
<p>Security researcher Timo Longin at SEC Consult discovered that the email software deployed across numerous SMTP servers treats the end-of-data sequence inconsistently, for example in how a period surrounded by a bare LF or bare CR rather than CRLF is handled. An attacker can exploit this inconsistency by crafting an email message that deviates from the standard end-of-data sequence, so that one server accepts the data as a single message while its next hop treats the deviant sequence as the end of one message followed by further SMTP commands. Any email server within the route of SMTP gateways processing this manipulated message may interpret the submitted data as multiple messages, then process and relay them forward. Postfix software developer Wietse Venema explained:</p>
<blockquote>
<p>The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than CR LF</p>
</blockquote>
<p>SEC Consult researchers have named this vulnerability "SMTP Smuggling" to discuss a problem that involves multiple stakeholders, such as email service providers, email software vendors, email security product vendors, and others that process and handle email. </p>
<p><strong>VU#302671</strong>
An improper end-of-data sequence handling vulnerability in email software, services, or appliances allows attackers to inject arbitrary email messages that can bypass security policies.</p>
<p>An <a href="https://www.openwall.com/lists/oss-security/2023/12/24/1">Openwall</a> community discussion also led to the reservation of the following CVE numbers:
</p><table>
<tbody><tr><td>Exim</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-51766">CVE-2023-51766</a></td></tr>
<tr><td>Postfix</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-51764">CVE-2023-51764</a></td></tr>
<tr><td>Sendmail</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-51765">CVE-2023-51765</a></td></tr>
</tbody></table><p></p>
<h3 id="impact">Impact</h3>
<p>An attacker with access to an SMTP service can craft an email with improper end-of-data sequencing to submit two or more email messages inside what the originating server accepts as a single message, bypassing security policy. When the attack is successful, the attacker can impersonate any sender in any domain that is hosted at the originating mail service; because the smuggled message leaves that service's own outbound servers, sender checks such as SPF at the receiving side can pass. The attacker is then able to evade in-place email handling policies, since email security scanners and gateways that analyze the message are misled by the improper sequencing of the message.</p>
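<p>The composition of two mail services that Venema describes, as an added example that is not part of this advisory and not code from any of the mail servers named above: a minimal SMTP receiver in Python whose end-of-data rule is a parameter, an outbound relay that applies the RFC 5321 rule and forwards the accepted body verbatim, and a constructed attacker payload. The domain names, the payload text, the lenient end-of-data pattern, and the relay's forwarding behaviour are assumptions made for the model; a defensive bare-newline check that a relay or receiver can apply is included at the end.</p>

```python
import re

# RFC 5321 section 4.1.1.4: the DATA phase ends with the sequence CRLF '.' CRLF.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")

# Lenient receivers (the other half of the composition the note describes)
# also accept a bare LF or bare CR around the dot. This pattern is the model's
# assumption about such a receiver, not a specific product's parser.
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# A bare LF (not preceded by CR) or bare CR (not followed by LF).
BARE_NEWLINE = re.compile(rb"(?<!\r)\n|\r(?!\n)")


def parse_session(stream: bytes, eod) -> list[dict]:
    """Minimal SMTP receiver: walk a byte stream of commands and DATA payloads,
    returning one dict per accepted message. `eod` is the compiled end-of-data
    pattern that decides where a DATA payload stops."""
    messages, cur, pos = [], {"rcpt_to": []}, 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            break                                   # trailing junk without CRLF
        line, pos = stream[pos:nl], nl + 2
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            cur = {"mail_from": line[10:].strip(b"<> ").decode(), "rcpt_to": []}
        elif upper.startswith(b"RCPT TO:"):
            cur["rcpt_to"].append(line[8:].strip(b"<> ").decode())
        elif upper == b"DATA":
            # Search from pos-2 so that a body starting with ".\r\n" still sees
            # the CRLF that terminated the DATA command itself.
            m = eod.search(stream, pos - 2)
            if m is None:
                break
            cur["body"] = stream[pos:m.start()]
            messages.append(cur)
            cur, pos = {"rcpt_to": []}, m.end()
        # HELO/QUIT and anything else are irrelevant to the model
    return messages


def outbound_relay(auth_user: str, rcpt: str, data: bytes) -> bytes:
    """Outbound server of the victim domain (assumed behaviour): the submitter is
    authenticated, DATA is accepted under the strict rule, and the body is then
    forwarded to the recipient's inbound server byte for byte, with no line-ending
    normalization. Returns the SMTP stream as the inbound server will see it."""
    submission = (b"MAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n%s\r\n.\r\n"
                  % (auth_user.encode(), rcpt.encode(), data))
    accepted = parse_session(submission, STRICT_EOD)
    assert len(accepted) == 1            # the outbound server saw one message
    msg = accepted[0]
    return (b"MAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n%s\r\n.\r\n"
            % (msg["mail_from"].encode(), rcpt.encode(), msg["body"]))


def inbound_receiver(stream: bytes, strict: bool) -> list[dict]:
    """Inbound server of the target domain, strict or lenient about end-of-data."""
    return parse_session(stream, STRICT_EOD if strict else LENIENT_EOD)


def has_bare_newline(body: bytes) -> bool:
    """Defensive check a relay or receiver can apply: a body containing a bare LF
    or bare CR is ambiguous to other hops and should be rejected or normalized
    rather than relayed verbatim."""
    return BARE_NEWLINE.search(body) is not None


# Constructed attacker payload (not from the advisory): one message the attacker
# is allowed to send, a non-standard end-of-data sequence, then a forged
# SMTP transaction claiming another sender in the same victim domain.
SMUGGLED_PAYLOAD = (
    b"Subject: hello\r\n\r\nThis is the message the attacker is allowed to send."
    b"\n.\r\n"                                 # LF '.' CRLF: not RFC 5321 end-of-data
    b"MAIL FROM:<ceo@victim.example>\r\n"      # forged sender in the victim's domain
    b"RCPT TO:<cfo@target.example>\r\n"
    b"DATA\r\n"
    b"Subject: Urgent wire transfer\r\n\r\nPlease pay the attached invoice today."
)


def demo(strict_inbound: bool) -> list[dict]:
    """Run the payload through the outbound relay and into the inbound server."""
    stream = outbound_relay("attacker@victim.example", "cfo@target.example", SMUGGLED_PAYLOAD)
    return inbound_receiver(stream, strict_inbound)


if __name__ == "__main__":
    for strict in (True, False):
        msgs = demo(strict)
        print("strict inbound" if strict else "lenient inbound",
              "->", len(msgs), "message(s):", [m["mail_from"] for m in msgs])
    print("payload contains bare newline:", has_bare_newline(SMUGGLED_PAYLOAD))
```

<p>The strict inbound server sees one message from attacker@victim.example whose body happens to contain SMTP-looking text; the lenient one sees two messages, the second apparently from ceo@victim.example and arriving from the victim domain's own relay. Neither server is wrong on its own, which is why the fix has to stop the ambiguity from crossing hops: the outbound server should refuse or normalize a body that fails the bare-newline check instead of forwarding it, and receivers should accept only the RFC 5321 terminator. Vendor patches listed under <em>Vendor Information</em> take this form.</p>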
<h3 id="solution">Solution</h3>
<h4 id="email-service-providers-and-administrators">Email Service Providers and Administrators</h4>
<p>Ensure your email software is up to date and that you have applied the workarounds and/or patches provided by your software vendor. Check the <em>Vendor Information</em> section for instructions and links to the respective advisories. If you use email security appliances or managed email gateways, ensure their software is up to date and configured to mitigate these attacks and reduce the risk of improper message relay to other SMTP servers. Ensure any backup MX records and services that may be hosted by partners are also protected from misuse or abuse. Email service providers are also urged to perform sender verification and header verification on every email, so that the identity of the authenticated sender is properly represented in the submitted message. </p>
<h4 id="email-end-users">Email end users</h4>
<p>As email sender verification continues to be a challenge on the Internet, email users are urged to remain cautious when replying to emails with sensitive information or when clicking links that can download or install malicious software. </p>
<h4 id="additionational-resources">Additional Resources</h4>
<p>SEC Consult has provided both <a href="https://github.com/The-Login/SMTP-Smuggling-Tools">software</a> and a <a href="https://www.smtpsmuggling.com">website</a> to support analysis by service providers and software vendors, so that their software and services can be verified against these attacks. </p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporter Timo Longin from SEC Consult. This document was written by Timur Snoke and Vijay Sarvepalli.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
<h3 id="overview">Overview</h3>
<p>A vulnerability has been found in the way that SMTP servers and software handle the end-of-data sequences (essentially the end of a single email message) in mail messages. An attacker can use this inconsistency to craft an email message that can bypass SMTP security policies.</p>
<h3 id="description">Description</h3>
<p>SMTP protocol (refer <a href="https://www.rfc-editor.org/rfc/rfc5321">RFC 5321</a> and <a href="https://www.rfc-editor.org/rfc/rfc5322">5322</a>), is an Internet based protocol for e-mail transmission and exchange. The SMTP protocol is used by multiple servers to relay emails as the email is exchanged between a sender and a recipient. This handover of emails allows for a complex number of next-hop servers to interact and exchange emails before its delivery to the intended recipient. A priority based Mail eXchange (MX) record also allows for emails to delivered to alternate servers or partner gateways to spool and deliver in cases of outages. In order prevent fraudulent emails, email software and services authenticate a user and employ security policies such DMARC, essentially a combination of SPF and DKIM, to certify an email's origination as it traverse these various services.</p>
<p>Security researcher Timo Longin at SEC Consult discovered that the email software deployed across numerous SMTP servers treats the end-of-data sequence inconsistently. An attacker can exploit this inconsistency by crafting an email message that deviates from the standard end-of-data sequence, causing confusion as the message is transferred to its next hop. Any email server within the route of SMTP Gateways processing this manipulated message may interpret the submitted data as multiple messages, then process and relay them forward. Postfix software developer Wietse Venema explained:</p>
<blockquote>
<p>The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than CR LF</p>
</blockquote>
<p>SEC-Consult researchers have labeled this vulnerability as "SMTP Smuggling" to discuss this problem that involves multiple stakeholders such as email service providers, email software vendors, email security product vendors and others that process and handle emails. </p>
<p><strong>VU#302671</strong>
An improper end-of-data sequence handling vulnerability in email software or services or appliances allow attackers to inject arbitrary email message that can bypass security policies.</p>
<p>An <a href="https://www.openwall.com/lists/oss-security/2023/12/24/1">Openwall</a> community discussion also lead to the reservation of the following CVE numbers
</p><table>
<tbody><tr><td>Exim</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-51766">CVE-2023-51766</a></td></tr>
<tr><td>Postfix </td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-51766">CVE-2023-51764</a> </td></tr>
<tr><td>Sendmail</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-51766">CVE-2023-51765</a></td></tr>
</tbody></table><p></p>
<h3 id="impact">Impact</h3>
<p>An attacker with access to an SMTP service can craft an email with improper end-of-data sequencing to submit two or more email messages that can be used to bypass security policy. When the attack is successful, the attacker can impersonate any sender in any domain that is hosted at the originating mail service. The attacker is then capable of avoiding In-place email handling policies, since email security scanners and gateways that analyze the message will fall prey to the improper sequencing of the message. A successful attack enables the attacker to impersonate any sender in any domain that is hosted at the originating mail service.</p>
<h3 id="solution">Solution</h3>
<h4 id="email-service-providers-and-administrators">Email Service Providers and Administrators</h4>
<p>Please ensure your email software is up to date and that you have applied the workarounds and/or patches provided by your software vendor. Check the <em>Vendor Information</em> section for instructions and links to the respective advisories. If you use email security appliances or managed email gateways, ensure their software is both up to date and configured to best mitigate these attacks and reduce the risk of improper message relay to other SMTP servers. Ensure any backup MX records and email services that may be hosted by partners are also protected from misuse or abuse. Email service providers are also urged to perform sender verification and header verification on every email, so that the identity of the authenticated sender is properly represented in the submitted emails.</p>
<h4 id="email-end-users">Email end users</h4>
<p>As email sender verification continues to be a challenge on the Internet, email users are urged to continue to exercise caution when replying to emails that request sensitive information or when clicking on links that can download or install malicious software.</p>
<h4 id="additionational-resources">Additional Resources</h4>
<p>SEC Consult has provided both <a href="https://github.com/The-Login/SMTP-Smuggling-Tools">software</a> and a <a href="https://www.smtpsmuggling.com">website</a> to support service providers and software vendors in analyzing and verifying that their software and services are protected against these attacks.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporter Timo Longin from SEC Consult. This document was written by Timur Snoke and Vijay Sarvepalli.</p>
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/" class="vulreflink safereflink" target="_blank" rel="noopener">https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/</a></li>
<li><a href="https://www.postfix.org/smtp-smuggling.html" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.postfix.org/smtp-smuggling.html</a></li>
<li><a href="https://github.com/The-Login/SMTP-Smuggling-Tools" class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/The-Login/SMTP-Smuggling-Tools</a></li>
<li><a href="https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email" class="vulreflink safereflink" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email</a></li>
<li><a href="https://www.smtpsmuggling.com" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.smtpsmuggling.com</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2024-01-16</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2024-01-16</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-01-31 18:07 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>6 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation. Published 2024-01-16T14:26:59.071069+00:00, updated 2024-03-04T19:06:16.417508+00:00. https://kb.cert.org/vuls/id/132380
<h3 id="overview">Overview</h3>
<p>Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at Quarkslab have identified a total of 9 vulnerabilities that, if exploited over the network, can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or leakage of sensitive information. Quarkslab has labeled this set of related vulnerabilities PixieFail.</p>
<h3 id="description">Description</h3>
<p><a href="https://uefi.org">UEFI</a> represents a contemporary firmware standard pivotal in initiating the operating system on modern computers and in facilitating communication between the hardware and OS. <a href="https://www.tianocore.org">TianoCore</a>'s EDKII stands as an open-source implementation adhering to UEFI and UEFI Platform Initialization (PI) specifications, offering an essential firmware development environment across platforms. Within EDKII, the NetworkPkg software encompasses a TCP/IP stack, enabling crucial network functionalities available during the initial Preboot eXecution Environment (PXE) stages. The PXE environment, when enabled, allows machines to boot via network connectivity, eliminating the need for physical interaction or keyboard access. Typically employed in larger data centers, PXE is vital for automating early boot phases, particularly in high-performance computing (HPC) environments.</p>
<p>Quarkslab researchers have discovered several vulnerabilities within EDKII's NetworkPkg IP stack, introduced by classic issues such as buffer overflows, predictable randomization, and improper parsing. These vulnerabilities allow unauthenticated local attackers (and, in certain scenarios, remote attackers) to carry out various attacks. Successful exploits can result in denial of service, leakage of sensitive data, remote code execution, DNS cache poisoning, and network session hijacking. To exploit this vulnerable NetworkPkg implementation, the attacker requires the PXE boot option to be enabled.</p>
<p>Tianocore's EDKII is used as reference code, or adopted as-is, by many vendors for their UEFI implementations and is distributed via the supply chain to other vendors in the PC market. Due to the widespread use of these libraries, these vulnerabilities may be present in a large number of implementations. We recommend that users consult vendor-specific advisories and details that will help resolve these issues.</p>
<h3 id="impact">Impact</h3>
<p>The impact and exploitability of these vulnerabilities depend on the specific firmware build and the default PXE boot configuration. An attacker within the local network (and, in certain scenarios, remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.</p>
<h3 id="solution">Solution</h3>
<h4 id="apply-updates">Apply updates</h4>
<p>Update to the latest stable version of UEFI firmware that includes fixes for these vulnerabilities, following the advisory and any details provided by your vendor. Downstream users of Tianocore EDKII that incorporate NetworkPkg should update to the latest version provided by the <a href="https://github.com/tianocore/edk2">Tianocore project</a>. Please follow any vendor-recommended configurations that can limit the exposure of these vulnerabilities, as suitable for your environment.</p>
<h4 id="enforce-network-security">Enforce network security</h4>
<p>In operational environments, you may consider the following workarounds to prevent exposure and potential exploitation of these vulnerabilities:</p>
<ul>
<li>Disable PXE boot if it is not used or supported in your computing environment.</li>
<li>Enforce network isolation so that the UEFI preboot environment is reachable only from a specific network that is protected from unauthorized access.</li>
<li>Deploy available protection against rogue DHCP services in your computing environment, using capabilities such as <a href="https://en.wikipedia.org/wiki/DHCP_snooping">Dynamic ARP inspection and DHCP snooping</a>.</li>
</ul>
<h4 id="employ-secure-os-deployments">Employ secure OS deployments</h4>
<p>Follow <a href="https://learn.microsoft.com/en-us/mem/configmgr/osd/plan-design/security-and-privacy-for-operating-system-deployment">security best practices</a> in the design of the preboot environment that provides OS deployment capabilities to your organization. UEFI supply-chain vendors should also consider migrating to modern network boot environments that employ <a href="https://www.intel.com/content/www/us/en/developer/articles/technical/network-boot-in-a-zero-trust-environment.html">secure protocols</a> such as <a href="https://tianocore-docs.github.io/EDKIIHttpsBootGettingStartedGuide/draft/">UEFI HTTPS Boot</a>, which can limit abuse of the legacy PXE boot related security issues.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to Quarkslab for researching and reporting these vulnerabilities and for supporting coordinated disclosure.</p>
<p>This document was written by Vijay Sarvepalli.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h" class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h</a></li>
<li><a href="https://github.com/tianocore/edk2/security" class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/tianocore/edk2/security</a></li>
<li><a href="https://github.com/tianocore/tianocore.github.io/wiki/NetworkPkg" class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/tianocore/tianocore.github.io/wiki/NetworkPkg</a></li>
<li><a href="https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html" class="vulreflink safereflink" target="_blank" rel="noopener">https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45237">CVE-2023-45237 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45236">CVE-2023-45236 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45235">CVE-2023-45235 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45234">CVE-2023-45234 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45233">CVE-2023-45233 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45231">CVE-2023-45231 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45230">CVE-2023-45230 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45229">CVE-2023-45229 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-45232">CVE-2023-45232 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2024-01-16</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2024-01-16</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-03-04 19:06 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>7 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#811862: Image files in UEFI can be abused to modify boot behavior. Published 2023-12-06T18:59:53.288178+00:00, updated 2024-03-04T19:06:26.226083+00:00. https://kb.cert.org/vuls/id/811862
<h3 id="overview">Overview</h3>
<p>Vendor implementations of the Unified Extensible Firmware Interface (UEFI) provide a way to customize the logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerabilities to modify UEFI settings.</p>
<h3 id="description">Description</h3>
<p>UEFI firmware provides an extensible interface between an operating system and the hardware platform. UEFI software stores a number of settings and files in a customized Extensible Firmware Interface (EFI) partition known as the EFI system partition (ESP). The ESP is a special privileged file system that is independent of the OS and essentially acts as the storage place for the UEFI boot loaders, applications, hardware drivers and customizable settings to be launched by the UEFI firmware. The ESP partition is mandatory for UEFI boot and is protected from unprivileged access. The information stored in the ESP is probed and processed during <a href="https://insights.sei.cmu.edu/media/images/figure3_08012022.max-1280x720.format-webp.webp">the early phases of a UEFI-based OS</a>. One such item stored in the ESP is a personalizable boot logo.</p>
<p>Binarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. As these files are processed by executables that run with high privilege, it is possible to exploit these vulnerabilities in order to access and modify high-privileged UEFI settings of a device. The UEFI supply chain allows many of these shared libraries to be integrated in various ways, including compiled from source, licensed for modification and reuse, and finally as a dynamically or statically linked executable. Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities. This can also allow an attacker to exploit the vulnerability while flashing the PCI with a firmware update. Due to the complex nature of these vulnerabilities and their potentially wide impact, Binarly uses the label <code>LogoFAIL</code> to track and support coordination and mitigation of these vulnerabilities.</p>
<p>Note: Major Independent BIOS Vendors (IBVs) have obtained CVEs to track this set of vulnerabilities for their supply-chain partners and their customers.</p>
<table><tbody><tr><td><strong>Binarly Advisory</strong></td><td><strong>CVE</strong></td><td><strong>Primary Vendor</strong></td></tr>
<tr><td>BRLY-2023-018</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-39539">CVE-2023-39539</a></td><td>AMI</td></tr>
<tr><td>BRLY-2023-006 (1)</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-40238">CVE-2023-40238</a></td><td>Insyde</td></tr>
<tr><td>BRLY-2023-006 (2)</td><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-5058">CVE-2023-5058</a></td><td>Phoenix</td></tr>
</tbody></table>
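<p>The two notes above (VU#132380 on the NetworkPkg IP stack and VU#811862 on boot-logo image parsers) name the same bug classes: a length or size field taken from untrusted input and trusted by firmware code that copies into a fixed buffer or sizes an allocation from it. The following C block is an added example, not EDK2's, Binarly's or any IBV's code; the option layout, buffer size and allocation cap are constructed for it. It shows the checks a DHCP-style option parser and a bitmap-size computation need before touching memory, and the test inputs are constructed as well.</p>

```c
/* Added example (not EDK2's, an IBV's or Binarly's code): the two input
 * checks that firmware parsers of the kinds named in VU#132380 and
 * VU#811862 need.  Option layout, buffer size and allocation cap are
 * constructed for the example, not taken from any real firmware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Length field from a network option (DHCP-style TLV) --- */
#define OPT_HDR      4     /* 2-byte code + 2-byte length (constructed layout) */
#define OPT_DATA_MAX 64    /* fixed buffer a PXE client might copy into */

struct opt_copy {
    uint16_t code;
    uint16_t len;
    uint8_t  data[OPT_DATA_MAX];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy the first option with code `want` into *out.
 * 1 = found, 0 = not present, -1 = option list malformed (caller drops the packet). */
int find_option_checked(const uint8_t *pkt, size_t pkt_len, uint16_t want, struct opt_copy *out)
{
    size_t off = 0;
    while (off < pkt_len) {
        if (pkt_len - off < OPT_HDR)
            return -1;                       /* header truncated */
        uint16_t code = rd16(pkt + off);
        uint16_t len  = rd16(pkt + off + 2);
        if (len > pkt_len - off - OPT_HDR)
            return -1;                       /* declared length runs past the packet */
        if (code == want) {
            if (len > OPT_DATA_MAX)
                return -1;                   /* would overflow the fixed destination buffer */
            out->code = code;
            out->len  = len;
            memcpy(out->data, pkt + off + OPT_HDR, len);
            return 1;
        }
        off += (size_t)OPT_HDR + len;        /* both terms bounded above, so no wrap */
    }
    return 0;
}

/* --- 2. Size arithmetic from an image header (boot-logo parser) --- */
#define IMAGE_MAX_BYTES ((size_t)16 * 1024 * 1024)   /* constructed allocation cap */

/* width * height * bytes_per_pixel, refusing any header whose product would
 * wrap or exceed the cap.  1 = *out set, 0 = header rejected. */
int image_buffer_size_checked(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0 || bytes_per_pixel > 4)
        return 0;
    if (height > IMAGE_MAX_BYTES / width)    /* width*height alone would exceed the cap */
        return 0;
    size_t pixels = (size_t)width * height;  /* safe: at most IMAGE_MAX_BYTES */
    if (bytes_per_pixel > IMAGE_MAX_BYTES / pixels)
        return 0;
    *out = pixels * bytes_per_pixel;
    return 1;
}

int main(void)
{
    /* constructed packet: option 1 ("AB") followed by option 2 ("xyz") */
    static const uint8_t pkt[] = { 0x00,0x01,0x00,0x02,'A','B', 0x00,0x02,0x00,0x03,'x','y','z' };
    struct opt_copy c;
    int rc = find_option_checked(pkt, sizeof pkt, 2, &c);
    printf("option 2: rc=%d len=%u\n", rc, (unsigned)c.len);
    size_t n = 0;
    rc = image_buffer_size_checked(1024, 768, 4, &n);
    printf("1024x768x4: rc=%d bytes=%zu\n", rc, n);
    rc = image_buffer_size_checked(0xFFFFFFFFu, 0xFFFFFFFFu, 4, &n);
    printf("oversized header: rc=%d\n", rc);
    return 0;
}
```

<p>Both functions fail closed: a packet whose option length overruns the datagram is dropped before any copy, and an image header whose dimensions would wrap the size computation is rejected before any allocation, which is the behaviour the vendor fixes referenced below aim for.</p>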
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://uefi.org/specs/UEFI/2.10/33_Human_Interface_Infrastructure.html" class="vulreflink safereflink" target="_blank" rel="noopener">https://uefi.org/specs/UEFI/2.10/33_Human_Interface_Infrastructure.html</a></li>
<li><a href="https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html" class="vulreflink safereflink" target="_blank" rel="noopener">https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html</a></li>
<li><a href="http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf#page=536" class="vulreflink safereflink" target="_blank" rel="noopener">http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf#page=536</a></li>
<li><a href="https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi?view=windows-11" class="vulreflink safereflink" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi?view=windows-11</a></li>
<li><a href="https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html" class="vulreflink safereflink" target="_blank" rel="noopener">https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html</a></li>
<li><a href="https://www.insyde.com/security-pledge/SA-2023053" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.insyde.com/security-pledge/SA-2023053</a></li>
<li><a href="https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023009.pdf" class="vulreflink safereflink" target="_blank" rel="noopener">https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023009.pdf</a></li>
<li><a href="https://www.phoenix.com/security-notifications/cve-2023-5058/" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.phoenix.com/security-notifications/cve-2023-5058/</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-40238">CVE-2023-40238 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-5058">CVE-2023-5058 </a>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-39539">CVE-2023-39539 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-12-06</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-12-06</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2024-03-04 19:06 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>6 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#347067: Multiple BGP implementations are vulnerable to improperly formatted BGP updates. Published 2023-09-12T16:36:11.380361+00:00, updated 2023-11-16T14:03:14.733128+00:00. https://kb.cert.org/vuls/id/347067
<h3 id="overview">Overview</h3>
<p>Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes in a BGP UPDATE. Instead of ignoring invalid updates, they reset the underlying TCP connection for the BGP session and de-peer the router.</p>
<blockquote>
<p>This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. <a href="https://datatracker.ietf.org/doc/html/rfc7606#section-1">RFC 7606 Introduction</a> </p>
</blockquote>
<h3 id="description">Description</h3>
<p>The Border Gateway Protocol (BGP, <a href="http://tools.ietf.org/html/rfc4271">RFC 4271</a>) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in <a href="http://tools.ietf.org/html/rfc7606">RFC 7606</a> <em>Revised Error Handling for BGP UPDATE Messages</em> in 2015. </p>
<p>Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).</p>
<p>This vulnerability was first announced as affecting <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig">OpenBSD</a> based routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the <a href="#systems">Systems Affected</a> section below.
Here are the CVE IDs that were reserved by the reporter for different vendors that were tested:</p>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481">CVE-2023-4481</a> (Juniper)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802">CVE-2023-38802</a> (FRR)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283">CVE-2023-38283</a> (OpenBGPd)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457">CVE-2023-40457</a> (EXOS)</li>
</ul>
<h3 id="impact">Impact</h3>
<p>A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link on which such an update was received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources and causing multiple links to fail.</p>
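<p>As an added example (not the code of any vendor named in this note), the following C function parses the Path Attributes of a BGP UPDATE body and shows the two error-handling policies the note contrasts: the legacy RFC 4271 behaviour, where an attribute with an inconsistent length resets the session, and the RFC 7606 treat-as-withdraw behaviour, where the session stays up and only the routes carried by that one UPDATE are withdrawn. The decision table is simplified to message-level versus attribute-level length errors; RFC 7606 Section 3 is more detailed. The names, the <code>rfc7606</code> policy switch and the sample UPDATE bytes (using the 192.0.2.0/24 documentation prefix) are this example's own.</p>

```c
/* Added example, not any vendor's code: react to a malformed Path Attribute
 * in a BGP UPDATE either by resetting the session (pre-RFC 7606) or by
 * treating the UPDATE as a withdraw of its own routes (RFC 7606).
 * The case split is simplified; RFC 7606 Section 3 has the full table. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bgp_action {
    BGP_ACCEPT = 0,
    BGP_TREAT_AS_WITHDRAW,   /* keep the session, withdraw this UPDATE's NLRI */
    BGP_SESSION_RESET        /* send NOTIFICATION and close the session */
};

#define BGP_ATTR_FLAG_EXT_LEN 0x10   /* Extended Length bit: 2-byte length field */

/* upd/len: the UPDATE body after the 19-byte BGP header, laid out as
 *   Withdrawn Routes Length (2) | Withdrawn Routes | Total Path Attribute
 *   Length (2) | Path Attributes | NLRI                     (RFC 4271 4.3)
 * rfc7606: 0 = legacy policy (any attribute error resets the session),
 *          1 = treat-as-withdraw for attribute-level errors.
 * On ACCEPT and TREAT_AS_WITHDRAW, *nlri_off/*nlri_len locate the NLRI. */
enum bgp_action check_update(const uint8_t *upd, size_t len, int rfc7606,
                             size_t *nlri_off, size_t *nlri_len)
{
    if (len < 4)
        return BGP_SESSION_RESET;                 /* not even the two length fields */
    size_t wlen = ((size_t)upd[0] << 8) | upd[1];
    if (wlen > len - 4)
        return BGP_SESSION_RESET;                 /* withdrawn routes overrun the message */
    size_t attrs = 2 + wlen + 2;
    size_t alen  = ((size_t)upd[2 + wlen] << 8) | upd[3 + wlen];
    if (alen > len - attrs)
        return BGP_SESSION_RESET;                 /* Malformed Attribute List: message-level error */

    /* The attribute list is well delimited, so the NLRI can be located even
     * if an attribute inside the list turns out to be malformed. */
    *nlri_off = attrs + alen;
    *nlri_len = len - *nlri_off;

    enum bgp_action on_attr_error = rfc7606 ? BGP_TREAT_AS_WITHDRAW : BGP_SESSION_RESET;
    size_t off = attrs, end = attrs + alen;
    while (off < end) {
        size_t rem = end - off;
        if (rem < 2)
            return on_attr_error;                 /* truncated flags/type */
        uint8_t flags = upd[off];
        size_t hdr = (flags & BGP_ATTR_FLAG_EXT_LEN) ? 4 : 3;
        if (rem < hdr)
            return on_attr_error;                 /* truncated length field */
        size_t vlen = (flags & BGP_ATTR_FLAG_EXT_LEN)
                    ? (((size_t)upd[off + 2] << 8) | upd[off + 3])
                    : upd[off + 2];
        if (vlen > rem - hdr)
            return on_attr_error;                 /* value runs past the attribute list */
        off += hdr + vlen;
    }
    return BGP_ACCEPT;
}

int main(void)
{
    /* constructed UPDATE body: no withdrawals, ORIGIN + empty AS_PATH, NLRI 192.0.2.0/24 */
    static const uint8_t good[] = { 0x00,0x00, 0x00,0x07, 0x40,0x01,0x01,0x00, 0x40,0x02,0x00, 0x18,0xC0,0x00,0x02 };
    /* same bytes, but AS_PATH claims 5 value bytes that are not there */
    static const uint8_t bad[]  = { 0x00,0x00, 0x00,0x07, 0x40,0x01,0x01,0x00, 0x40,0x02,0x05, 0x18,0xC0,0x00,0x02 };
    size_t off = 0, n = 0;
    printf("good:              %d\n", (int)check_update(good, sizeof good, 1, &off, &n));
    printf("bad, legacy:       %d\n", (int)check_update(bad, sizeof bad, 0, &off, &n));
    printf("bad, RFC 7606:     %d\n", (int)check_update(bad, sizeof bad, 1, &off, &n));
    return 0;
}
```

<p>With the legacy policy the single malformed UPDATE takes down every route exchanged over the session, which is the de-peering behaviour this note describes; with treat-as-withdraw the damage is confined to the prefixes in that UPDATE. The vendor knobs in the Solution section switch implementations toward the second behaviour.</p>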
<h3 id="solution">Solution</h3>
<p>The CERT/CC is currently unaware of a practical solution for every vendor, but some vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:</p>
<p><strong>(Juniper)</strong><br>
set protocols bgp bgp-error-tolerance</p>
<p><strong>(Nokia)</strong><br>
[router bgp group]<br>
error-handling update-fault-tolerance</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
<h3 id="overview">Overview</h3>
<p>Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router. </p>
<blockquote>
<p>This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. <a href="https://datatracker.ietf.org/doc/html/rfc7606#section-1">RFC 7606 Introduction</a> </p>
</blockquote>
<h3 id="description">Description</h3>
<p>The Border Gateway Protocol (BGP, <a href="http://tools.ietf.org/html/rfc4271">RFC 4271</a>) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in <a href="http://tools.ietf.org/html/rfc7606">RFC 7606</a> <em>Revised Error Handling for BGP UPDATE Messages</em> in 2015. </p>
<p>Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).</p>
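As an added illustration of the revised error handling the advisory refers to (example code written for this note, not any vendor's implementation; the classification is a simplified reading of RFC 7606 section 3: only length fields that make the NLRI impossible to locate reset the session, while any malformation confined to one UPDATE is handled as treat-as-withdraw; the helper names and the sample message are constructed):

```python
import struct
from dataclasses import dataclass, field

# Attribute flag bits (RFC 4271 section 4.3).
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3          # well-known mandatory type codes
WELL_KNOWN_MANDATORY = {ORIGIN, AS_PATH, NEXT_HOP}
FIXED_LENGTH = {ORIGIN: 1, NEXT_HOP: 4}      # attributes with a single legal length

# The three outcomes this simplified handler chooses between.
ACCEPT, TREAT_AS_WITHDRAW, SESSION_RESET = "accept", "treat-as-withdraw", "session-reset"


@dataclass
class Verdict:
    action: str
    reason: str = ""
    attrs: dict = field(default_factory=dict)   # type code -> raw attribute value
    nlri: bytes = b""                           # prefixes the UPDATE announces


def parse_path_attributes(buf: bytes) -> Verdict:
    """Walk the Path Attributes field.  Every malformation found here is
    confined to this one UPDATE, so the worst verdict is treat-as-withdraw:
    the routes it carries are withdrawn and the session stays up."""
    attrs = {}
    i = 0
    while i < len(buf):
        if i + 3 > len(buf):
            return Verdict(TREAT_AS_WITHDRAW, "truncated attribute header")
        flags, code = buf[i], buf[i + 1]
        if flags & FLAG_EXT_LEN:
            if i + 4 > len(buf):
                return Verdict(TREAT_AS_WITHDRAW, "truncated extended length")
            length = struct.unpack_from("!H", buf, i + 2)[0]
            i += 4
        else:
            length = buf[i + 2]
            i += 3
        if i + length > len(buf):
            return Verdict(TREAT_AS_WITHDRAW, f"attribute {code} overruns Path Attributes")
        value = buf[i:i + length]
        i += length
        if code in attrs:
            return Verdict(TREAT_AS_WITHDRAW, f"attribute {code} repeated")
        if code in WELL_KNOWN_MANDATORY and flags & FLAG_OPTIONAL:
            return Verdict(TREAT_AS_WITHDRAW, f"well-known attribute {code} flagged optional")
        if code in FIXED_LENGTH and length != FIXED_LENGTH[code]:
            return Verdict(TREAT_AS_WITHDRAW, f"attribute {code} has length {length}")
        attrs[code] = value
    missing = WELL_KNOWN_MANDATORY - attrs.keys()
    if missing:
        return Verdict(TREAT_AS_WITHDRAW, f"missing mandatory attributes {sorted(missing)}")
    return Verdict(ACCEPT, "", attrs)


def handle_update(body: bytes) -> Verdict:
    """body is an UPDATE message minus the 19-byte BGP header.  Only when the
    two length fields make the NLRI impossible to locate do we fall back to
    resetting the session (RFC 7606 section 3); otherwise the NLRI is known
    and a bad attribute can be handled by withdrawing those prefixes."""
    if len(body) < 4:
        return Verdict(SESSION_RESET, "UPDATE shorter than its fixed fields")
    wlen = struct.unpack_from("!H", body, 0)[0]
    if 2 + wlen + 2 > len(body):
        return Verdict(SESSION_RESET, "Withdrawn Routes Length exceeds message")
    talen = struct.unpack_from("!H", body, 2 + wlen)[0]
    start = 4 + wlen
    if start + talen > len(body):
        return Verdict(SESSION_RESET, "Total Attribute Length exceeds message")
    verdict = parse_path_attributes(body[start:start + talen])
    verdict.nlri = body[start + talen:]   # locatable even when an attribute is bad
    return verdict


# Helpers to build constructed test messages (hypothetical, for this example only).
def encode_attr(code: int, value: bytes, flags: int = FLAG_TRANSITIVE, length=None) -> bytes:
    length = len(value) if length is None else length   # length may be forged on purpose
    if flags & FLAG_EXT_LEN:
        return bytes([flags, code]) + struct.pack("!H", length) + value
    return bytes([flags, code, length]) + value


def build_update(path_attrs: bytes, nlri: bytes, total_attr_len=None) -> bytes:
    talen = len(path_attrs) if total_attr_len is None else total_attr_len
    return struct.pack("!HH", 0, talen) + path_attrs + nlri   # no withdrawn routes


# Constructed sample: ORIGIN=IGP, AS_PATH=AS_SEQUENCE [65000], NEXT_HOP 192.0.2.1,
# NLRI 192.0.2.0/24 (documentation addresses, 2-byte AS numbers).
GOOD_ATTRS = (encode_attr(ORIGIN, b"\x00")
              + encode_attr(AS_PATH, b"\x02\x01\xfd\xe8")
              + encode_attr(NEXT_HOP, bytes([192, 0, 2, 1])))
SAMPLE_NLRI = bytes([24, 192, 0, 2])
```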
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="http://tools.ietf.org/html/rfc4271" class="vulreflink safereflink" target="_blank" rel="noopener">http://tools.ietf.org/html/rfc4271</a></li>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig" class="vulreflink safereflink" target="_blank" rel="noopener">https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802" class="vulreflink safereflink" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283" class="vulreflink safereflink" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457" class="vulreflink safereflink" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481" class="vulreflink safereflink" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481</a></li>
<li><a href="http://tools.ietf.org/html/rfc7606" class="vulreflink safereflink" target="_blank" rel="noopener">http://tools.ietf.org/html/rfc7606</a></li>
<li><a href="https://github.com/FRRouting/frr/pull/14290" class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/FRRouting/frr/pull/14290</a></li>
<li><a href="https://kb.juniper.net/JSA72510" class="vulreflink safereflink" target="_blank" rel="noopener">https://kb.juniper.net/JSA72510</a></li>
<li><a href="https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling" class="vulreflink safereflink" target="_blank" rel="noopener">https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-09-12</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-09-12</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-11-16 14:03 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>3 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router | published 2023-09-06T12:05:21.316250+00:00 | updated 2023-09-06T20:09:14.652628+00:00 | https://kb.cert.org/vuls/id/304455
<h3 id="overview">Overview</h3>
<p>An authentication bypass vulnerability exists in the N300 Wireless N VDSL2 Modem Router manufactured by Tenda. This vulnerability allows a remote, unauthenticated user to access sensitive information.</p>
<h3 id="description">Description</h3>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4498">CVE-2023-4498</a> is an authentication bypass vulnerability that enables an unauthenticated attacker who has access to the web console, either locally or remotely, to access resources that would normally be protected. The attacker can construct a web request that includes a white-listed keyword in the path, causing the URL to be served directly (rather than blocked or challenged with an authentication prompt).</p>
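An added example, written for this note rather than taken from Tenda's firmware, contrasting the keyword-style exemption the advisory describes with an exact allowlist applied to a canonicalised path. The public keywords, public paths and function names are constructed.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed sample of resources a router web UI might serve without a login.
# Hypothetical names, not the Tenda firmware's own.
PUBLIC_KEYWORDS = ("login", "css", "js", "img")
PUBLIC_PATHS = ("/login.html", "/static/css/", "/static/js/", "/static/img/")


def keyword_exemption(request_target: str) -> bool:
    """The pattern the advisory describes: the request is served without
    authentication whenever an allow-listed keyword appears anywhere in the
    raw request target.  Kept only to contrast with the hardened check."""
    return any(keyword in request_target for keyword in PUBLIC_KEYWORDS)


def canonical_path(request_target: str) -> str:
    """Reduce a request target to the one path string the check will see:
    drop query and fragment, decode percent-escapes, collapse ./ and ../,
    and anchor the result at the site root."""
    path = unquote(urlsplit(request_target).path)
    path = normpath(path)
    return path if path.startswith("/") else "/" + path


def exact_exemption(request_target: str) -> bool:
    """Serve without authentication only if the canonical path is exactly a
    public file or lies under a public directory; anything else goes through
    the normal login check."""
    path = canonical_path(request_target)
    for public in PUBLIC_PATHS:
        if public.endswith("/"):
            if path.startswith(public):
                return True
        elif path == public:
            return True
    return False
```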
<h3 id="impact">Impact</h3>
<p>Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication. An unauthenticated attacker could thereby gain access to sensitive information, such as the Administrative password, which could be used to launch additional attacks.</p>
<h3 id="solution">Solution</h3>
<p>There is no known solution to the vulnerability. Always update your router to the latest available firmware version. Disabling both the remote (WAN-side) administration services and the web interface on the WAN of any SOHO router is also recommended.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporter from the Spike Reply Cybersecurity Team. This document was written by Timur Snoke.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4498" class="vulreflink safereflink" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4498</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-4498">CVE-2023-4498 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-09-06</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-09-06</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-09-06 20:09 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>2 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account | published 2023-08-28T15:15:33.809507+00:00 | updated 2023-08-28T15:15:33.499639+00:00 | https://kb.cert.org/vuls/id/757109
<h3 id="overview">Overview</h3>
<p>The Groupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows arbitrary file writes. A low-privileged attacker can escalate privileges to root on affected systems.</p>
<h3 id="description">Description</h3>
<p>Every five hours the Videostream LaunchDaemon runs with root privileges to check for updates. During the download, any local user can replace the update file with a crafted tar archive. The LaunchDaemon process will extract the archive and replace any requested file on the system.</p>
<h3 id="impact">Impact</h3>
<p>An attacker with low privilege access can overwrite arbitrary files on the affected system. This can be leveraged to escalate privileges to control the root account.</p>
<h3 id="solution">Solution</h3>
<p>The CERT/CC is currently unaware of a practical solution to this problem.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thank you to Dan Revah for reporting this issue.</p>
<p>This document was written by Kevin Stephens.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-25394">CVE-2023-25394 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-08-28</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-08-28</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-08-28 15:15 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>1 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#287122: Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process | published 2023-08-16T16:18:56.828124+00:00 | updated 2023-08-16T16:18:56.594223+00:00 | https://kb.cert.org/vuls/id/287122
<h3 id="overview">Overview</h3>
<p>The Parsec updater for Windows was prone to a local privilege escalation vulnerability that allowed a local user with Parsec access to gain NT AUTHORITY\SYSTEM privileges.</p>
<h3 id="description">Description</h3>
<p>The vulnerability is a time-of-check to time-of-use (TOCTOU) race condition. A small window existed between verifying the signature and integrity of the update DLL and the execution of its DllMain entry point.</p>
<p>By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250.</p>
<p><strong>CVE-2023-37250</strong><br>
The application launches DLLs from a user-owned directory. Because the user owns both the DLL file and the directory, it is possible to trick Parsec into loading an unsigned, arbitrary DLL file and executing its DllMain() method with SYSTEM privileges, creating a local privilege escalation vulnerability.</p>
<h3 id="impact">Impact</h3>
<p>By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.</p>
<h3 id="solution">Solution</h3>
<p>The vulnerability applies to a "Per User" installation as opposed to a "Shared User" installation. An update has been made available. To force an update, either completely quit and re-open the application several times until the loader is updated (confirm this in the logs), or download a special installer that updates only the files inside the program files directory from <a href="https://builds.parsec.app/package/parsec-update-executables.exe">https://builds.parsec.app/package/parsec-update-executables.exe</a>.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporter, Julian Horoszkiewicz. This document was written by Timur Snoke.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://atos.net/en/lp/securitydive/roaming-and-racing-to-get-system-cve-2023-37250" class="vulreflink safereflink" target="_blank" rel="noopener">https://atos.net/en/lp/securitydive/roaming-and-racing-to-get-system-cve-2023-37250</a></li>
<li><a href="https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250" class="vulreflink safereflink" target="_blank" rel="noopener">https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-37250">CVE-2023-37250 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-08-16</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-08-16</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-08-16 16:18 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>1 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329 | published 2023-08-11T22:22:46.010644+00:00 | updated 2023-08-11T22:22:45.866246+00:00 | https://kb.cert.org/vuls/id/127587
<h3 id="overview">Overview</h3>
<p>urllib.parse is a basic and widely used URL parsing module, relied on by many applications.</p>
<h3 id="description">Description</h3>
<p>An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.</p>
<p>urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.</p>
<p><strong>URL Parsing Security</strong> *</p>
<p>The <a href="https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit" title="urllib.parse.urlsplit"><code>urlsplit()</code></a> and <a href="https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse" title="urllib.parse.urlparse"><code>urlparse()</code></a> APIs do not perform <strong>validation</strong> of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity.</p>
<p>Instead of raising an exception on unusual input, they may instead return some component parts as empty strings. Or components may contain more than perhaps they should.</p>
<p>We recommend that users of these APIs, where the values may be used anywhere with security implications, code defensively. Do some verification within your code before trusting a returned component part. Does that <code>scheme</code> make sense? Is that a sensible <code>path</code>? Is there anything strange about that <code>hostname</code>? etc.</p>
<p>What constitutes a URL is not universally well defined. Different applications have different needs and desired constraints. For instance, the living <a href="https://url.spec.whatwg.org/#concept-basic-url-parser">WHATWG spec</a> describes what user-facing web clients such as a web browser require, while <a href="https://datatracker.ietf.org/doc/html/rfc3986.html"><strong>RFC 3986</strong></a> is more general. These functions incorporate some aspects of both, but cannot be claimed compliant with either. The APIs and existing user code with expectations on specific behaviors predate both standards, leading us to be very cautious about making API behavior changes.</p>
<p>*Note: This was added as part of the documentation update in https://github.com/python/cpython/pull/102508</p>
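An added example, not from the advisory or CPython, of the defensive parsing the documentation text above recommends: the WHATWG-style pre-parse cleanup is applied before <code>urlsplit()</code> so the check behaves the same on fixed and unfixed interpreters, and the scheme is allowlisted rather than blocklisted. <code>BLOCKED_HOSTS</code> and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# The WHATWG parser strips leading/trailing C0 controls (U+0000-U+001F) and
# U+0020 before parsing and removes ASCII tab/newline anywhere.  The unfixed
# urlsplit() did neither, so a URL with a leading blank parsed with an empty
# scheme and no hostname, and a blocklist keyed on either never matched.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = str.maketrans("", "", "\t\n\r")

ALLOWED_SCHEMES = {"http", "https"}
# Constructed sample blocklist (hypothetical hosts, not from the advisory).
BLOCKED_HOSTS = {"localhost", "169.254.169.254", "metadata.internal"}


def naive_is_blocked(url: str) -> bool:
    """Blocklist in the style the advisory describes.  It trusts urlsplit()
    to find the scheme and host; on an affected interpreter a leading blank
    makes both come back empty and the URL slips through.  Shown only for
    contrast with is_url_allowed() below."""
    parts = urlsplit(url)
    return parts.scheme.lower() in {"file", "ftp", "gopher"} or parts.hostname in BLOCKED_HOSTS


def normalize_url(url: str) -> str:
    """Apply the pre-parse cleanup ourselves so the result is the same on
    every Python version, fixed or not."""
    return url.strip(_C0_AND_SPACE).translate(_TAB_NEWLINE)


def is_url_allowed(url: str) -> bool:
    """Allowlist-first check: the scheme must be explicitly permitted and the
    host must be present and not blocklisted.  Anything odd is rejected."""
    try:
        parts = urlsplit(normalize_url(url))
    except ValueError:          # e.g. unbalanced IPv6 brackets in the netloc
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False            # also rejects '' (no scheme at all)
    host = parts.hostname       # already lowercased by urlsplit()
    if not host or host in BLOCKED_HOSTS:
        return False
    return True
```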
<h3 id="impact">Impact</h3>
<p>Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may lead to re-access of blocked bad or dangerous websites or to failure of CSRF referer type defense, etc.</p>
<p>Because this vulnerability exists in the most basic parsing library, more advanced issues are possible.</p>
<h3 id="solution">Solution</h3>
<p>The fixes are in the following releases:</p>
<ul>
<li>fixed in >= 3.12</li>
<li>fixed in 3.11.x >= 3.11.4</li>
<li>fixed in 3.10.x >= 3.10.12</li>
<li>fixed in 3.9.x >= 3.9.17</li>
<li>fixed in 3.8.x >= 3.8.17</li>
<li>fixed in 3.7.x >= 3.7.17</li>
</ul>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to the reporter, Yebo Cao for researching and reporting this vulnerability.</p>
<p>This document was written by Ben Koo.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329" class="vulreflink safereflink" target="_blank" rel="noopener">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329</a></li>
<li><a href="https://github.com/python/cpython/issues/102153" class="vulreflink safereflink" target="_blank" rel="noopener">https://github.com/python/cpython/issues/102153</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-24329">CVE-2023-24329 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-02-17</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-08-11</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-08-11 22:22 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>1 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution | published 2023-08-07T15:57:00.716872+00:00 | updated 2023-08-07T15:57:00.515270+00:00 | https://kb.cert.org/vuls/id/947701
<h3 id="overview">Overview</h3>
<p>Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host.</p>
<h3 id="description">Description</h3>
<p>The Freewill Solutions IFIS new trading web application passes a user-controlled variable directly to a <code>shell_exec</code> function call on a specific report page. To exploit the vulnerability, an attacker can add shell metacharacters to the user-controlled variable so that the application executes attacker-specified commands.</p>
<h3 id="impact">Impact</h3>
<p>An attacker with access to the application's web interface can execute code on the remote host. This level of access allows for complete compromise of the affected machine.</p>
<h3 id="solution">Solution</h3>
<p>The CERT/CC is currently unaware of a practical solution to this problem.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to Sameer Mohite (Mandiant) for reporting the vulnerability.</p>
<p>This document was written by Kevin Stephens.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-08-07</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-08-07</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-08-07 15:57 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>1 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation
2023-07-27T15:17:19.559471+00:00 2023-08-03T16:30:23.779963+00:00
https://kb.cert.org/vuls/id/813349
<h3 id="overview">Overview</h3>
<p>The software driver for the D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains an unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.</p>
<h3 id="description">Description</h3>
<p>The D-Link DWA-117 AC600 MU-MIMO is a Wi-Fi USB Adapter that provides Wi-Fi network access over USB. D-Link provides a software driver for the Microsoft Windows operating system that enables proper operation of the device with the operating system. The latest software driver (as of April 19, 2023) was found susceptible to an unquoted service path vulnerability. Given that certain conditions are met, there is potential for a local privilege escalation allowing an attacker to escalate privileges to a local administrative user.</p>
<p>The following conditions are required to trigger this bug:</p>
<ul>
<li>The software is installed in a directory with a space in its name. (The default installation directory satisfies this.)</li>
<li>An unprivileged user has write access to the directory above the folder whose name contains the space. (Typical default Windows user permissions are sufficient.)</li>
</ul>
<h3 id="impact">Impact</h3>
<p>An attacker with low-level access can execute code as the system account. The increased privileges allow for access to sensitive files and malicious modifications to the system.</p>
<h3 id="solution">Solution</h3>
<p>D-Link has provided a patch that addresses the issue. Customers should update their driver to the latest version.</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to @L1v1ng0ffTh3L4n for reporting the vulnerability.</p>
<p>This document was written by Kevin Stephens.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-07-27</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-07-27</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-08-03 16:30 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>2 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities
2023-07-20T18:25:22.445705+00:00 2023-07-31T18:27:14.776411+00:00
https://kb.cert.org/vuls/id/653767
<h3 id="overview">Overview</h3>
<p>A command injection vulnerability can be used in the Perimeter81 macOS application to run arbitrary commands with administrative privileges.</p>
<h3 id="description">Description</h3>
<p>At the time of writing, the latest Perimeter81 macOS application (10.0.0.19) suffers from a local privilege escalation vulnerability in its com.perimeter81.osx.HelperTool. This HelperTool allows the main application to set up things that require administrative privileges, such as establishing a VPN connection or changing the routing table.</p>
<p>Because the HelperTool performs insufficient checks on the XPC connection, a caller can supply a dictionary with the key "usingCAPath" whose value has a command appended to it; that command is then run with administrative privileges.</p>
<h3 id="impact">Impact</h3>
<p>By exploiting the vulnerability, attackers can run arbitrary commands with administrative privileges.</p>
<h3 id="solution">Solution</h3>
<p>Perimeter81 has released a fix in version 10.1.2.318 (<a href="https://support.perimeter81.com/docs/macos-agent-release-notes">https://support.perimeter81.com/docs/macos-agent-release-notes</a>).</p>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>Thanks to Erhad Husovic, who also published vulnerability details at <a href="https://www.ns-echo.com/posts/cve_2023_33298.html">https://www.ns-echo.com/posts/cve_2023_33298.html</a>.</p>
<p>This document was written by Ben Koo.</p>
<div class="row" id="content">
<div class="large-9 medium-9 columns">
<div class="blog-post">
<div class="row">
<div class="large-12 columns">
</div>
</div>
<div class="row">
<div class="large-12 columns">
<h3> Vendor Information </h3>
<div id="vendorinfo">
One or more vendors are listed for this advisory. Please reference the full report for more information.
</div>
</div>
</div>
<br/>
<div class="row">
<div class="large-12 columns">
<h3> References </h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-33298" class="vulreflink safereflink" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2023-33298</a></li>
<li><a href="https://www.ns-echo.com/posts/cve_2023_33298.html" class="vulreflink safereflink" target="_blank" rel="noopener">https://www.ns-echo.com/posts/cve_2023_33298.html</a></li>
</ul>
</div>
</div>
<h3>Other Information</h3>
<div class="vulcontent">
<table class="unstriped">
<tbody>
<tr>
<td width="200"><b>CVE IDs:</b></td>
<td>
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=2023-33298">CVE-2023-33298 </a>
</td>
</tr>
<tr>
<td>
<b>Date Public:</b>
</td>
<td>2023-07-20</td>
</tr>
<tr>
<td><b>Date First Published:</b></td>
<td id="datefirstpublished">2023-07-20</td>
</tr>
<tr>
<td><b>Date Last Updated: </b></td>
<td>2023-07-31 18:27 UTC</td>
</tr>
<tr>
<td><b>Document Revision: </b></td>
<td>2 </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>