
Microsoft Security Bulletin Coverage for January 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability
ASPY 392: Malicious-exe exe.MP_294

CVE-2023-21674 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
ASPY 393: Malicious-exe exe.MP_295

CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 396: Malicious-exe exe.MP_296

Adobe Coverage:
CVE-2023-21604 Acrobat Reader Buffer Overflow
ASPY 397: Malformed-File pdf.MP_563

CVE-2023-21605 Acrobat Reader Buffer Overflow
ASPY 398: Malformed-File pdf.MP_564

CVE-2023-21581 Acrobat Reader Out-of-bounds Read
ASPY 399: Malformed-File pdf.MP_565

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21524 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21525 Windows Encrypting File System (EFS) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21527 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21531 Azure Service Fabric Container Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21535 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21536 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21537 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21538 .NET Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21539 Windows Authentication Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21540 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21542 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21543 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21546 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21547 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21548 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21549 Windows Workstation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21550 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21551 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21555 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21556 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21557 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21558 Windows Error Reporting Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21559 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21560 Windows Boot Manager Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21561 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21563 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21675 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21676 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21677 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21678 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21679 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21680 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21681 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21682 Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21683 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21724 Microsoft DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21725 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21727 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21728 Windows Netlogon Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21729 Remote Procedure Call Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21730 Windows Cryptographic Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21732 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21733 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21734 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21735 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21736 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21737 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21738 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21739 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21741 Microsoft Office Visio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21742 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21743 Microsoft SharePoint Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21744 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21745 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21746 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21747 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21748 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21749 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21750 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21752 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21753 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21754 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21755 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21757 Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21758 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21759 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21760 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21761 Microsoft Exchange Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21762 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21763 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21764 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21765 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21766 Windows Overlay Filter Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21767 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21771 Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21772 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21773 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21774 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21776 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21779 Visual Studio Code Remote Code Execution
There are no known exploits in the wild.
CVE-2023-21780 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21781 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21782 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21783 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21784 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21785 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21786 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21787 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21788 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21789 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21790 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21791 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21792 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21793 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.

daloRADIUS Web Management RCE

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting and a billing engine, and integrates with Google Maps for geolocation.

  A remote code execution vulnerability has been reported in daloRADIUS. The vulnerability is due to improper sanitization of user-controlled input during the update configuration process.

  A remote, authenticated attacker can exploit this vulnerability by initiating a POST request to the target server. Successful exploitation could result in the execution of arbitrary commands in the security context of the daloRADIUS service on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0048.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A sanitization vulnerability exists in daloRADIUS due to insufficient validation of the POST request parameter “config_mail_smtp_fromemail”. An HTTP POST request is sent to /config_mail.php with a custom value assigned to “config_mail_smtp_fromemail”. The variables in $_REQUEST are provided to the script via the POST input mechanism and can therefore be modified by the remote user; they cannot be trusted:

  

  fwrite() writes the contents of $var to the file stream pointed to by $fp:

  

  Injected Data:

  

  Executed Code For “config_mail.php”:

  

  The attacker attains RCE, modifies the server configuration, and elevates permissions (read, modify, delete, and add files).

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.
  • The attacker must have access to the “config_mail_smtp_fromemail” parameter.

Triggering Conditions:

  The attacker sends an HTTP POST request with a malicious “config_mail_smtp_fromemail” parameter. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Example POST Request:

  Example POST Response:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 18863 daloRADIUS Mail Settings RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory

TOTOLINK A3000RU Command Injection

Zioncom (Hong Kong) Technology Limited, also known as TOTOLINK, is a professional manufacturer of network communication products, including wireless routers/APs (indoor and outdoor), wireless USB adapters, wireless modules, switches and wired routers. ZIONCOM (HK) was established in 1999.

The A3000RU is a wireless router that complies with the IEEE 802.11ac Wave 2 Wi-Fi standard, with MU-MIMO technology offering continuous high-speed data transmission to multiple devices at the same time.

A command injection vulnerability exists in the TOTOLINK A3000RU router.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely because of insufficient input validation.

TOTOLINK A3000RU Command Injection | CVE-2022-25075
TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the “Main” function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

In the following exploit the attacker passes commands such as ‘wget’ via the query string. This command is used to download the toto.sh script from an attacker-controlled website. The attacker then changes the permissions of the script and executes the malicious script on the device.

 

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15515: TOTOLINK A3000RU Command Injection

IoCs
179.43.142.11
36db973e85684633846a2cd9c46ca48896b5703b9aeb174b1f741633428f68c1

Threat Graph

Raspberry Robin Malware Is An Obfuscated Onion

This week, the SonicWall Capture Labs Threat Research Team analyzed a new sample of Raspberry Robin. First observed in May 2022 by Red Canary, Raspberry Robin is a worm that has evolved into a delivery system for a host of threat actors and malware platforms (currently including EvilCorp, LockBit, BumbleBee, IcedID and DEV-0950). It is unique in that the authors use a custom obfuscation method that virtualizes the code and has 15+ layers to prevent detection and/or analysis, as well as deploying a custom Tor client for C2 communications.

Infection Chain

Raspberry Robin is known to spread via infected USB devices, utilizing the ‘AutoRun’ feature when the device is plugged in. The malware runs via a .LNK file on the USB drive that executes ‘MSIExec.exe’ to download a first-stage payload. Once the system is found to be a valid target, the second-stage payload is dropped and connects to a Tor address. Initial analysis of the dropper program shows that it begins as a small .zip file (950kb-1250kb) which unpacks another .zip file of roughly the same size. This second archive unpacks into a ~700MB setup file with a .cpl (Control Panel Item) extension, and a text file with instructions to run the installation (Figure 1). Successful execution creates persistence with a RunOnce key in the registry (HKEY_CURRENT_USER/ and the next stage is downloaded.

Analysis


Figure 1: First stage that creates a .LNK file on any attached USB

The first item to note is the size of the dropper: a 700MB file once unpacked. Most of this is garbage data located within the final section (Figure 2). The massively inflated size is an attempt to bypass scanning by some AV/EDR products, as well as to prevent the file from being uploaded to public sandboxes.

Figure 2: Note the bottom section ‘.rxy’ has a massive size; it is nothing but the character ‘[’ repeated
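As an added example (not code from the original post or from the Raspberry Robin sample), a small Python check that walks a PE section table and flags any section dominated by one repeated byte, which is the pattern Figure 2 describes for ‘.rxy’. The PE it inspects is constructed inline and scaled down from the 700MB original; the section names, sizes and threshold values are assumptions.

```python
"""Flag PE sections that are mostly one repeated byte (padding used to inflate
a file, as in Raspberry Robin's '.rxy' section). Added example; the sample PE
is constructed below and is not the real dropper."""
import math
import struct
from collections import Counter
from typing import Dict, List

COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(data: bytes) -> List[Dict]:
    """Return name, virtual size, raw offset and raw size of every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff)
    pos = coff + COFF_HDR.size + opt_size   # section table follows the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(data, pos)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_offset": rawptr,
            "raw_size": rawsize,
        })
        pos += SECTION_HDR.size
    return sections


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 0.0 for a single repeated byte, up to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def find_padding_sections(data: bytes, min_size: int = 1024,
                          dominant_ratio: float = 0.9) -> List[Dict]:
    """Sections of at least min_size bytes where one byte value makes up
    dominant_ratio or more of the raw data. Thresholds are assumptions."""
    flagged = []
    for sec in pe_sections(data):
        buf = data[sec["raw_offset"]:sec["raw_offset"] + sec["raw_size"]]
        if len(buf) < min_size:
            continue
        byte, count = Counter(buf).most_common(1)[0]
        ratio = count / len(buf)
        if ratio >= dominant_ratio:
            flagged.append({**sec, "dominant_byte": bytes([byte]),
                            "dominant_ratio": ratio, "entropy": shannon_entropy(buf)})
    return flagged


def build_sample_pe(sections: List[tuple]) -> bytes:
    """Constructed minimal PE: DOS header, COFF header with no optional header,
    section table, then the raw section data back to back."""
    e_lfanew = 64
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_start = e_lfanew + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)
    table, payload = b"", b""
    for name, body in sections:
        table += SECTION_HDR.pack(name, len(body), 0x1000, len(body),
                                  data_start + len(payload), 0, 0, 0, 0, 0x40000040)
        payload += body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + table + payload


# Constructed sample: a varied .text section and a 4 KB '.rxy' made only of '['.
SAMPLE_PE = build_sample_pe([(b".text", bytes(range(256)) * 4),
                             (b".rxy", b"[" * 4096)])

if __name__ == "__main__":
    for sec in find_padding_sections(SAMPLE_PE):
        print(f"{sec['name']}: {sec['raw_size']} bytes, {sec['dominant_ratio']:.0%} "
              f"{sec['dominant_byte']!r}, entropy {sec['entropy']:.2f}")
```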

Figure 3: PeStudio results of the secondary layer showing no libraries, imports, exports

Both the dropper and the payload are built with multiple layers of anti-analysis techniques; each behaves more like a virtualization-protected binary than a merely obfuscated file. There are no strings or imports, and thus no API calls to use for context (or to set breakpoints on) in a debugger.

Figure 4: Obfuscation through instruction

Every instruction is a series of mathematical operations (add, sub, mul, etc.) used to change flags and memory offsets and to dynamically call imports. Though no packer is identified by any static analysis tool, this behavior closely resembles how VMProtect virtualizes the runtime to prevent or hinder analysis. Attempting to run the malware in multiple virtual environments failed to produce malicious activity, but several tools were immediately shut down when the sample was loaded for analysis. The DLL file will also unload itself when one attempts to use a debugger.

This sample is known to drop a fake payload to distract an analyst or AV/EDR tool, located in ‘C:\User\AppData\Local\Temp’. The real payload will use a custom Tor client and reach out to a random hard-coded address for additional payloads or C2 activities. While targets have mostly been government and telecom agencies, there is no reason why other industries couldn’t be affected in the future. Given the sophistication of Raspberry Robin, care should be taken with USB drives and Windows policies on auto-running content.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV:RaspberryRobin.A (Dropper)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cryptonite Ransomware leaves files unrecoverable

This week, the SonicWall Capture Labs Research team analyzed a ransomware called Cryptonite. It is an open-source ransomware that was once available on GitHub but has since been taken down. It exhibited behavior consistent with most ransomware, but later versions were found to malfunction, leaving encrypted data unrecoverable.

Infection Cycle:

The ransomware installer arrives as a fake Windows update and can use the following filename:

  • WindowsUpdate.exe

This ransomware is written in Python, so a Python interpreter must be present on the victim’s machine for it to run. Upon execution, all the necessary files and modules are therefore dropped in the temp directory under a randomly named folder.

A window then pops up showing the status of the supposed software update download, complete with a progress bar.

Meanwhile, encryption of the files is happening in the background. Encrypted files have the extension “.cryptn8” appended to them.

This ransomware uses the Python cryptography module and, more specifically, its implementation of Fernet to perform encryption.

In our static analysis, we found that the unique key generated by this Fernet implementation appears to be sent out to a remote server hosted at the following domain: hxxps://e4c0660414bf.eu.ngrok.io

Upon successful encryption, a standard warning message is presented to the victim, which allows the victim to enter a decryption key if they decide to contact the ransomware operator.

However, later samples have been found not to complete the entire infection cycle. During encryption the ransomware application abruptly crashes with an error. Encryption completes, but the key never gets sent to the remote server, leaving the files unrecoverable. Subsequent executions of the ransomware simply encrypt the already encrypted files, so the ransomware has essentially wiped out the data on the victim’s machine.
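As an added example (not code from the original post or from Cryptonite), a standard-library-only triage helper for files in this state: it parses the Fernet token layout that a “.cryptn8” file consists of, recovers the encryption timestamp from the token header (the time of the last encryption run when files were re-encrypted), and, if a candidate key is ever recovered, checks the token’s HMAC against it. The key and token below are constructed; the ciphertext is a placeholder, not real AES output.

```python
"""Triage helper for files produced by a Fernet-based encryptor. Added example,
not the ransomware's code. Fernet token layout before urlsafe-base64 encoding:
  version 0x80 (1) | timestamp, big-endian seconds (8) | IV (16) |
  AES-128-CBC ciphertext (multiple of 16) | HMAC-SHA256 (32)
The HMAC covers everything before it, keyed with the first 16 bytes of the
decoded 32-byte Fernet key."""
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone
from typing import Optional

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16                      # version + timestamp + IV
TAG_LEN = 32                                 # HMAC-SHA256
MIN_TOKEN_LEN = HEADER_LEN + 16 + TAG_LEN    # at least one cipher block


def parse_fernet_token(data: bytes) -> Optional[dict]:
    """Split a token into its fields; return None if the layout does not match."""
    try:
        raw = base64.urlsafe_b64decode(data)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[HEADER_LEN:-TAG_LEN]
    if len(ciphertext) % 16:
        return None
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:HEADER_LEN],
        "ciphertext_len": len(ciphertext),
        "hmac": raw[-TAG_LEN:],
        "signed": raw[:-TAG_LEN],
    }


def encrypted_at(parsed: dict) -> str:
    """Token timestamp as ISO-8601 UTC. Re-encrypting an already encrypted file
    wraps it in a new token, so this is the time of the most recent run."""
    return datetime.fromtimestamp(parsed["timestamp"], tz=timezone.utc).isoformat()


def verify_with_key(parsed: dict, fernet_key: bytes) -> bool:
    """Check the token's HMAC against a candidate Fernet key, e.g. one recovered
    from a capture of the key being sent to the remote server."""
    key = base64.urlsafe_b64decode(fernet_key)
    if len(key) != 32:
        return False
    expected = hmac.new(key[:16], parsed["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["hmac"])


def build_sample_token(fernet_key: bytes, timestamp: int, iv: bytes,
                       ciphertext: bytes) -> bytes:
    """Assemble a structurally valid token for testing. The ciphertext is a
    placeholder, not AES output, so this does not encrypt anything."""
    key = base64.urlsafe_b64decode(fernet_key)
    signed = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(key[:16], signed, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(signed + tag)


def triage(file_bytes: bytes, candidate_key: Optional[bytes] = None) -> dict:
    """Summarise one suspected .cryptn8 file for an incident report."""
    parsed = parse_fernet_token(file_bytes)
    if parsed is None:
        return {"fernet_token": False}
    report = {
        "fernet_token": True,
        "encrypted_at": encrypted_at(parsed),
        "ciphertext_bytes": parsed["ciphertext_len"],
        # PKCS#7 padding: the plaintext is 1 to 16 bytes shorter than the ciphertext
        "plaintext_bytes_max": parsed["ciphertext_len"] - 1,
    }
    if candidate_key is not None:
        report["key_matches"] = verify_with_key(parsed, candidate_key)
    return report


# Constructed sample: a 32-byte key and a two-block "file" with a 2023-01-01 timestamp.
SAMPLE_KEY = base64.urlsafe_b64encode(b"\x01" * 16 + b"\x02" * 16)
WRONG_KEY = base64.urlsafe_b64encode(b"\x03" * 32)
SAMPLE_TOKEN = build_sample_token(SAMPLE_KEY, 1672531200, bytes(range(16)), b"\xaa" * 32)

if __name__ == "__main__":
    print(triage(SAMPLE_TOKEN, SAMPLE_KEY))
```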

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cryptonite.RSM  (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

Microsoft Security Bulletin Coverage for December 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-44673 Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability
ASPY 387: Malicious-exe exe.MP_291

CVE-2022-44675 Windows Bluetooth Driver Elevation of Privilege Vulnerability
ASPY 389: Malicious-exe exe.MP_293

CVE-2022-44683 Windows Kernel Elevation of Privilege Vulnerability
ASPY 388: Malicious-exe exe.MP_292

CVE-2022-44698 Windows SmartScreen Security Feature Bypass Vulnerability
ASPY 390: Malformed-File js.MP_27

The following vulnerabilities do not have exploits in the wild:
CVE-2022-24480 Outlook for Android Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41074 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-41076 PowerShell Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41077 Windows Fax Compose Form Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41089 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-41094 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41121 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-41127 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44666 Windows Contacts Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44667 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44668 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44669 Windows Error Reporting Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44670 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44671 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44674 Windows Bluetooth Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-44676 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44677 Windows Projected File System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44678 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44679 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-44680 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44681 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44682 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-44687 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44689 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44690 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44691 Microsoft Office OneNote Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44692 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44693 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44694 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44695 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44696 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44697 Windows Graphics Component Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44699 Azure Network Watcher Agent Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-44702 Windows Terminal Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-44704 Microsoft Windows Sysmon Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44707 Windows Kernel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-44710 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-44713 Microsoft Outlook for Mac Spoofing Vulnerability
There are no known exploits in the wild.

Centreon SQL Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.

  A SQL Injection vulnerability has been reported in the Centreon Web Poller Resource module. The vulnerability is due to insufficient input validation.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-41142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  An SQL injection vulnerability exists in Centreon Web due to insufficient validation of the resource_activate request parameter when adding a new poller resource. An HTTP POST request is sent to /centreon/main.get.php with parameter p set to “60904”; main.get.php then loads the script www/include/configuration/configResources/resources.php, which reads the value of parameter o.

  When adding poller resources, parameter o is set to “a”, and resources.php loads the script www/include/configuration/configResources/formResources.php. formResources.php reads the submitA request parameter and, if it is present, calls the function insertResourceInDB() in the script www/include/configuration/configResources/DBFunc.php.

  insertResourceInDB() calls insertResource() in the same script; insertResource() then assembles an SQL query from the request parameters and executes it. insertResource() sanitizes some of the request parameters, but it fails to sanitize resource_activate. See “Attack Delivery” below for an example of the HTTP POST request that injects an SQL statement against the Centreon database.

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.
  • The attacker must have access to the Configuration > Pollers > Resources page.

Triggering Conditions:

  The attacker authenticates to the server and receives a valid token. Next, the attacker sends an HTTP request with a malicious resource_activate[resource_activate] parameter. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4098 Web Application SQL Injection (CREATE TABLE) 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory

Apache Airflow DAG Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Apache Airflow is an open-source workflow management platform. Apache Airflow is a flexible, scalable workflow automation and scheduling system for authoring and managing Big Data processing pipelines. Written in Python, the project is highly extensible and able to run tasks written in other languages, allowing integration with commonly used architectures and projects such as AWS S3, Docker, Apache Hadoop HDFS, Apache Hive, Kubernetes, MySQL, Postgres, Apache Zeppelin, and more.

  Airflow originated at Airbnb in 2014 and was submitted to the Apache Incubator March 2016. The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced Apache® Airflow™ as a Top-Level Project (TLP).

  An OS command injection vulnerability has been reported in Apache Airflow. This vulnerability is due to improper input validation of parameters passed to directed acyclic graphs (DAGs).

  A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in OS command injection.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-24288.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Airflow is designed under the principle of “configuration as code”. While other “configuration as code” workflow platforms exist using markup languages like XML, using Python allows developers to import libraries and classes to help them create their workflows. Apache Airflow utilizes the Django web application framework that implements a model-template-views (MTV) architectural pattern.

  Directed Acyclic Graphs (DAGs) are collections of tasks that users are able to execute, organized in a way that reflects their relationships and dependencies. Airflow uses DAGs to manage workflows. A number of operations can be performed, including triggering a DAG task, selecting a graph, viewing trees, deleting DAGs, and viewing code. The base Airflow install includes example DAGs that demonstrate various features inside its package installer.

  The example DAG (example_passing_params_via_test_command) shows a templated command with arguments that uses echo to print a string. The raw arguments “foo” and “miff” are added to a flat command string and passed to the BashOperator class to execute a Bash command.
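  The following is an added example, not Airflow's code or the example DAG itself: a constructed Python model of the flat-command pattern described above, beside a hardened rendering that shell-quotes each value, a check that a parameter survives shell tokenization as exactly one word, and an allowlist validation a DAG author could apply before templating. The parameter names, the allowlist pattern and the sample dag_run.conf values are assumptions of mine.

```python
import re
import shlex

PARAM_ORDER = ("foo", "miff")
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # assumed allowlist

# Constructed dag_run.conf payloads (not taken from Airflow or the page).
BENIGN_CONF = {"foo": "foo", "miff": "miff"}
HOSTILE_CONF = {"foo": 'x"; echo INJECTED; echo "', "miff": "miff"}


def render_flat_command(conf):
    """Vulnerable pattern: conf values are templated straight into a flat bash
    command string, so quotes and ';' inside a value become shell syntax."""
    values = {k: str(conf.get(k, "")) for k in PARAM_ORDER}
    return 'echo "{foo}" "{miff}"'.format(**values)


def render_quoted_command(conf):
    """Hardened pattern: every value is shell-quoted before it is placed in the
    command, so bash sees each one as a single literal word."""
    words = [shlex.quote(str(conf.get(k, ""))) for k in PARAM_ORDER]
    return "echo " + " ".join(words)


def parameters_survive_intact(command, conf):
    """Check: tokenizing the command the way a shell would must yield 'echo'
    followed by the original values, one word each, with nothing extra."""
    expected = ["echo"] + [str(conf.get(k, "")) for k in PARAM_ORDER]
    return shlex.split(command) == expected


def reject_unsafe_conf(conf):
    """Input validation to run before templating: return the keys whose values
    fall outside the allowlist (an empty list means the conf is accepted)."""
    return [k for k in PARAM_ORDER
            if not SAFE_PARAM.match(str(conf.get(k, "")))]
```

The flat rendering keeps the benign conf intact but splits the hostile one into extra shell words, while the quoted rendering keeps both intact.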

Triggering the Problem:

  • The target host must have the affected version of the product installed and running.
  • The attacker must have network access to the target system.
  • The vulnerable DAG must be un-paused.
  • The attacker must have access to an account with the RESOURCE_DAG_RUN permission.

Triggering Conditions:

  A malicious POST request is sent to the target server to run the vulnerable DAG.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2606 Apache Airflow DAG Command Injection 1
  • IPS: 2607 Apache Airflow DAG Command Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering traffic based on the signatures above.
    • Deleting the vulnerable DAG.
    • Minimizing the number of users with the RESOURCE_DAG_RUN permission.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Delta Electronics Deserialization Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Delta Electronics InfraSuite Device Master is a tool for centralized monitoring and control of a large number of devices. Users create a human-machine interface (HMI) to manage the devices. Users can observe the status of all devices and query event logs or history data, and the system assists them in taking appropriate action. InfraSuite Device Master implements a 3-tiered architecture consisting of the Data Collection layer, the Gateway layer and the Presentation layer.

  An insecure deserialization vulnerability exists in Delta Electronics InfraSuite Device Master. The vulnerability is due to missing input validation when processing messages sent to the Device-DataCollect service.

  A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation allows arbitrary code execution with the privileges of the user running the vulnerable software.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-38142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to a combination of two weaknesses: no authentication is required to access the exposed Device-DataCollect service, and the service performs insecure deserialization when processing messages sent to it. When a BinaryFormatter-serialized request is sent to DeviceDataCollect, the InfraSuiteManager.Common.PacketHeader object is deserialized by calling the vulnerable method DeSerializeBinary() in the .NET class InfraSuiteManger.Common.Serialization from the method CheckPacket() in the .NET class InfraSuiteManager.Common.PacketOperation.

  Next, the method DoUpperLayerNWPacket() in InfraSuiteManager.DataCollectionLayer.DataCollectionLayerMngt is called from the MainLoop() method in the same class to process the packet payload object, which is expected to be one of the following types:

  InfraSuiteManager.Common.DCLayerNWCommand_DeviceObject,
  InfraSuiteManager.Common.DCLayerNWCommand_Protocol,
  InfraSuiteManager.Common.DCLayerNWCommand_Polling,
  InfraSuiteManager.Common.DCLayerNWCommand_Server,
  InfraSuiteManager.Common.DCLayerNWCommand_DCServerSand,
  InfraSuiteManager.Common.DCLayerNWCommand_LogPollingRawData

  This method calls one of the methods DCLayerNWCommand_DeviceObject(), DCLayerNWCommand_Protocol(), DCLayerNWCommand_Polling(), DCLayerNWCommand_Server(), DCLayerNWCommand_DCServerStatus() or DCLayerNWCommand_LogPollingRawData(), depending on the value of the i32PayloadType field in the InfraSuiteManager.Common.PacketHeader object. Each of these methods calls the vulnerable method DeSerializeBinary() in the .NET class InfraSuiteManger.Common.Serialization.

  The vulnerable method DeSerializeBinary() invokes the method System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(), where the insecure deserialization occurs. The code does not perform any checks on the contents of the serialized object. An attacker can therefore use the ysoserial.net gadget generator to craft a malicious payload in place of the PacketHeaderObject or PacketPayloadObject, leading to arbitrary code execution.

  ysoserial

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a malicious serialized payload to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Device-DataCollect Protocol

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2063 Delta Electronics InfraSuite Device Master Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  ICS-CERT Advisory

Tenda AC1200 Cross-Site Scripting

Tenda products include home networking, business networking, switches, broadband CPE, gateways, powerline adapters, mobile broadband and IP cameras. Tenda offers AC1200 routers as well. AC means that the router supports the 802.11ac (or Wi-Fi 5) wireless networking standard, which offers fast WiFi connections on the 5GHz band. The number that follows AC represents the maximum theoretical bandwidth of the router, with 1200 representing 1200 Mbps.

Cross-Site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection attack in which malicious scripts are injected into otherwise benign and trusted websites. An attacker uses a web application to send malicious code, generally in the form of a browser-side script, to the end user.

Reflected XSS attacks abuse the dynamic way websites interact with browsers. These attacks make it possible for an attacker to control the victim’s browser and their interaction with a given vulnerable website. Injection attacks display back content provided or controlled by a user, like a URL parameter or an input field. This opens the door to manipulation of the content.

Stored XSS occurs when the injected script is permanently stored on the target server via a database, message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when requesting the stored information.

Tenda Cross-Site Scripting Vulnerability | CVE-2022-40846
Tenda is vulnerable to both Reflected and Stored XSS attacks.
The Tenda AC1200 router does not perform proper validation of user-supplied input and is vulnerable to cross-site scripting attacks via the homepage’s connected application hostname field. This vulnerability exists in the remote web management console.

As seen above, the XSS successfully triggers and returns information about session cookies.
Tenda is also vulnerable to stored XSS in the website filtering functionality (CVE-2022-40844). The URL management panel of the website filtering feature accepts and stores any input without proper validation. Anything injected within the URL body is stored and is reflected back once its associated group name is clicked in the panel.
A quick check on Shodan reveals vulnerable devices:


SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 18814: Tenda AC1200 Cross-Site Scripting