Posts

mySCADA Command Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  mySCADA professional tools are for developing and managing HMI (Human-Machine Interface)/SCADA (Supervisory Control and Data Acquisition) industrial processes. myPRO is one tool in mySCADA that is used to allow remote access to HMIs created in mySCADA projects. Users can develop mySCADA projects through myDESIGNER, and upload them to myPRO to allow remote users the ability to access the HMI over the network.

  A command injection vulnerability has been reported in mySCADA myPRO. The vulnerability is due to insufficient sanitization of user data used in commands.

  A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in command execution in the security context of the root user.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-2234.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  By default, mySCADA ships with an HMI project used to administer the server it runs on; it is located in “/opt/myscada/prj2”. mySCADA projects can use server-side Node.js scripts to read or write data from various sources such as the server database or PLCs (Programmable Logic Controllers). The server-side scripts can be interacted with by sending an HTTP POST request to the endpoint “/sss2”, with parameters passed in the HTTP body within a JSON object.

  When myPRO starts, it creates an Nginx reverse proxy with the configuration file “hmi.conf”. The configuration file includes the file “hmi.auth” containing the configuration for endpoints on the server. Requests made to the endpoint “/sss2” will be forwarded to “hxxp://127.0.0.1:8889” to a Node.js server. myPRO will start Node.js and run the file “/opt/mypro/prj2/Scripts/main.js”.

  The main.js file then calls myscada.init(), which calls listen() to start the server on port 8889. When the Node.js server receives a user request, the body of the HTTP request is passed to JSON.parse(). The decoded body is then passed to the function dataFromViewScripts() for processing. In dataFromViewScripts(), the value of the JSON key “type” is compared against several strings to determine how the request should be processed. If the “type” value is “deleteBackup”, the function first calls require() with the parameter “child_process” to obtain the exec() function.

  Next, exec() is called with the string “/opt/myscada/bin/Backup -d” concatenated with the value of the “filename” key from the request JSON. The value of “filename” is not sanitized, so an attacker can inject arbitrary commands into the command line before it is executed. If the “type” value is “createBackup” or “restoreBackup”, the values of the “manualType” or “filename” keys are added to a command line and executed in the same way.

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The attacker must be able to authenticate to the server.

Triggering Conditions:

  The attacker sends a crafted request to the target server. The vulnerability is triggered when the server attempts to process the crafted request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3278 mySCADA myPRO Command Injection 1
  • IPS: 3280 mySCADA myPRO Command Injection 2
  • IPS: 3287 mySCADA myPRO Command Injection 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating the product to a non-vulnerable version.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Clipboard Hijacker Dropped By STOP Ransomware

Recently we have seen multiple droppers delivering infostealers or banking trojans along with ransomware. A few weeks ago our researchers at SonicWall Labs observed a clipbanker, i.e. a Clipboard Hijacker, being dropped by the djvu (STOP) ransomware.

Behaviour:
The Clipboard Hijacker malware was downloaded from the URL hxxp://acacaca[.]org/files/1/build3[.]exe to the path <Appdata>\Local\<UuId>\build3.exe. The dropped malware first uses dynamic API resolution to load the APIs needed for its further operations. It also ensures that no other instance is running by creating the mutex “M5/610HP/STAGE2”; the name may indicate that this is the next stage of the attack after ransomware execution.
It creates a copy of itself at the path <AppData>\Roaming\Microsoft\Network\mstsca[.]exe. This copy is later executed by a scheduled task, “Azure-Update-Task”, which runs every minute. The malware terminates itself after setting up the scheduled task.

Fig 1. Scheduled Task

mstsca[.]exe performs the main clipboard hijacking activity. It again checks for the mutex “M5/610HP/STAGE2” to confirm that only a single instance is running at a time. The clipboard data is retrieved using the GetClipboardData API and then scanned for string terminators to split it into separate strings.

Fig 2. String Check

Once a string is found, its length is calculated and cross-checked against the lengths of the targeted wallet address formats.
After confirming the length, it checks the starting characters expected for each wallet address type. Some wallets share the same address length, and these are differentiated by their initial characters. Below is the code snippet checking for a Bitcoin wallet address (Native SegWit addresses start with bc1q).

Fig 3. Bitcoin Wallet Check

The address found in the clipboard is replaced by the malware’s own address for the same cryptocurrency, which is hard-coded in the binary. It continues to check for other addresses until the clipboard data ends.
The data with the replaced wallet addresses is then written back to the clipboard: the clipboard is cleared using EmptyClipboard and the new data containing the malware’s wallet addresses is placed there using SetClipboardData.

Fig 4. Clipboard Data Replace

After this it sleeps for a very short time and then continues checking the clipboard data.

The malware carries multiple wallet addresses for different cryptocurrencies. One of the Binance wallets from the list was mentioned in a magazine’s tweet (hxxps://twitter[.]com/westafricaweek/status/1471631329829834753). For this address, the amount received over the last month is included in the table below.

Wallets:

  Address | Wallet | Amount Received ($)
  1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z | Bitcoin | 1,224.97
  3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP | Bitcoin | 0
  bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v | Bitcoin | 0
  bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23 | Binance | 63,337,185
  DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc | Dogecoin | 0
  0xa6360e294DfCe4fE4Edf61b170c76770691aA111 | ETH | 918.67
  LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis | Litecoin | 0
  MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk | Litecoin | 0.23
  ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym | Litecoin | 0
  t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN | Zcash | 0
  Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE | Cardano | 482.80
  addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl | Cardano | 6,683.23
  42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2 | Monero |
  89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ | Monero |


Although the malware has limited functionality, it may cause huge financial losses to victims. SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


IOCs:
Stop Ransomware (parent file):
327224ab99915741b54b4e5b836ea8248cf2fe90d2113271422095cea8211d96

Clipboard Hijacker (dropped):
hxxp://acacaca[.]org/files/1/build3[.]exe
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 (build3.exe)

Microsoft Exchange Server zero day vulnerabilities

SonicWall Capture Labs Threat Research team is investigating the following vulnerabilities in Microsoft Exchange Server, which are being exploited in the wild. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second, CVE-2022-41082, allows remote code execution (RCE).

Microsoft Exchange Server 2013, 2016, and 2019 are vulnerable to these attacks. CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.

Microsoft has outlined some mitigations here

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15499: Microsoft Exchange Server SSRF (CVE-2022-41040)
  • IPS 15660: autodiscover.json Access

To detect exploitation of this vulnerability over HTTPS, Server DPI-SSL needs to be enabled.
Please check back for updates as we continue to monitor this threat.

PDF File is being used to spread AgentTesla

SonicWall Capture Labs Threat Research team has observed a PDF file, arriving as an e-mail attachment, being detected by SonicWall Real Time Deep Memory Inspection (RTDMI). The PDF file contains a link which downloads a malicious PowerPoint file, which then executes AgentTesla as the final payload on the victim’s machine. The threat actors are now more focused on the delivery mechanism and infection chain, keeping a low profile and exposing very little malicious code to traditional security products.

PDF File:

The PDF file contains a link to download a PPAM (PowerPoint add-in with macro) file hosted on the Mediafire file hosting service. The PPAM file is downloaded with the genuine-looking name “invoice_4_812937_pdf.ppam”.

Fig: screenshot of PDF file

PPAM (PowerPoint) File:

The PowerPoint file has an embedded macro. The macro has an “Auto_Open” function which creates an instance of the WScript.Shell object using CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8}, and then uses this Shell object to run Mshta against a remote HTML file.

Fig: screenshot of macro

HTML File:

The HTML file contains obfuscated JavaScript which tries to kill the “WinWord.exe” process and creates a scheduled task named ‘micsrssowfwWorsald’ that opens “http[:]//www[.]4kfgjfkg[.]blogspot[.]com/atom.xml” using Mshta. It also loads a remotely hosted PowerShell script using IRM (Invoke-RestMethod) and runs it using IEX (Invoke-Expression).

Fig: Deobfuscated HTML code

PowerShell Script:

The PowerShell script creates a folder ‘MEMEMAN’ in ‘C:\ProgramData\’ and drops five files into it:

  • helloitsindian.vbs: the first file to be executed; it runs ‘JIGIJIGI.vbs’ and ‘JIGIJIGI.bat’ and also copies itself to the same location.
  • JIGIJIGI.vbs: creates two scheduled tasks, ‘Appligation’, which executes helloitsindian.vbs every 120 minutes, and ‘ChromiumPluginupdate’, which executes ‘ChromeExtentionUpdate.vbs’ every 45 minutes, and then deletes itself.
  • ChromeExtentionUpdate.vbs: checks whether it is running with admin privileges and, if not, re-executes itself with admin privileges. It then runs ‘JIGIJIGI.bat’, sets the registry value ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA’ to ‘0’ to disable User Account Control notifications, deletes the ‘ChromiumPluginupdate’ scheduled task and deletes itself.
  • JIGIJIGI.bat: simply executes ‘GOLGAPORA.PS1’ with PowerShell using the ‘-NoProfile -ExecutionPolicy Bypass -Command’ arguments.
  • GOLGAPORA.PS1: the PowerShell script responsible for handing execution over to AgentTesla.

GOLGAPORA.PS1:

This PowerShell script first tries to kill “msbuild”, “CasPol”, “jsc”, “cmstp” and “mshta” processes. It has two hex encoded PE files, one is the test.exe(Loader File) and other one is the AgentTesla malware file.

It loads the test.exe ($YIV4Z) hex bytes as an assembly using ‘System.Reflection.Assembly’, finds the TypeDef ‘CALC.PAYSIAS’ and then a method named ‘Execute’ in that TypeDef. It invokes this method three times with two arguments: the first is the path of a genuine executable (one of jsc.exe, caspol.exe or Msbuild.exe) and the second is the byte array of the AgentTesla PE file ($WULC4). This method in test.exe creates a process from the path given as the first argument and, using process hollowing, replaces its code with the AgentTesla code passed as the second argument.

The PowerShell script then runs two more PowerShell commands held in the variables $OASI4 and $DEF, which try to bypass AMSI, disable script logging, disable AV protection, add exclusions and so on.

The AgentTesla binary has the File Description ‘Web Browser Pass View’ and the Company Name ‘NirSoft’ to disguise itself as a NirSoft password recovery tool.

AgentTesla:

AgentTesla steals sensitive system information such as keystrokes and the login credentials saved in browsers, and collects various other data such as cookies, clipboard contents, system information and the email clients used on infected machines. In our case it connects to an FTP server hosted at the IP address ‘107[.]182[.]129[.]168’ and uploads an HTML file containing the information gathered from the infected machine; the HTML file name format is PW_[UserName]-[DeivceName]_[Date&Time].html.

We obtained the credentials of the FTP server where the stolen information is kept. Below is a screenshot of the files present on that server at the time of analysis.

The absence of the PDF file and the AgentTesla PE file from popular threat intelligence sharing portals such as VirusTotal indicates their uniqueness and limited distribution:

Fig: Screenshot showing no presence of the PDF file on VT

Fig: Screenshot showing no presence of the AgentTesla file on VT

The PowerPoint file is on VT with very few AV detections.

Fig: Few AVs detecting the PowerPoint file

SonicWall Real Time Deep Memory Inspection (RTDMI) is detecting the malicious PDF file, PowerPoint file, test.exe and the AgentTesla too.

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:

IOCs:


Wavlink WN533A8 Cross-Site Scripting

Wavlink is a wireless networking and IT peripherals brand that serves countries around the world. Its product offerings include the Wavlink WN533A8, a wireless router with tri-band Wi-Fi technology that adds another independent stream of communication on 5 GHz to increase network bandwidth.

Cross-Site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection attack in which malicious scripts are injected into otherwise benign and trusted websites. The attacker uses a web application to send malicious code, generally in the form of a browser-side script, to the end user.

XSS attacks abuse the dynamic way websites interact with browsers. They make it possible for an attacker to control the victim’s browser and its interaction with a given vulnerable website. Injection attacks display back content provided or controlled by a user, such as a URL parameter or an input field, which opens the door to manipulation of that content.
When the website or application simply reflects back content maliciously manipulated by a user, it is called a reflected XSS attack. This reflection affects the way browsers display the page, how they behave and how they process it.

Wavlink WN533A8 Cross-Site Scripting | CVE-2022-34048
Wavlink WN533A8 M33A8.V5030.190716 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login_page parameter.
The application fails to validate and sanitize input, leading to XSS. When malicious code is passed in the vulnerable login_page parameter, it is reflected back to the victim’s browser. Since the code comes from a “trusted” server, the browser executes it. This could lead to disclosure of a user’s session cookie, which in turn could allow the attacker to hijack the user’s session and take over the account.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 1326: Wavlink WN533A8 Cross-Site Scripting

Threat Graph

Malicious Android applications impersonate antimalware to send high cost SMS

SonicWall Capture Labs Threat Research team regularly shares information about malware threats targeting Android devices. SonicWall has tracked down some active trojan SMS applications.

This Android SMS app purports to be a well-known antimalware application to ease initial access; after installation it behaves as a completely different application, silently sending SMS without the user’s knowledge.

Infection Cycle :

The application uses icons resembling DrWeb’s, which easily escape users’ attention.

Figure 1: DrWeb icon used by the malware author

Permissions used by the application are:

  • BATTERY_STATS
  • BLUETOOTH
  • CAMERA
  • SEND_SMS
  • FLASHLIGHT
  • INTERNET
  • READ_PHONE_STATE
  • VIBRATE
  • RECEIVE_SMS
  • READ_SMS
  • RECEIVE_BOOT_COMPLETED
  • WAKE_LOCK

After installation the application shows an agreement page.

Figure 2: Agreement page

The assets folder contains agree.txt, which holds the agreement text written in Russian, and three .res files whose content (numbers and text) is double base64 encoded.

Figure 3: Asset folder

Content in the agreement states that it is open access to a paid closed archive of erotic downloads.

Figure 4: Agreement content

At the time of analysis the URL mentioned, “hxxp://topfiless[.]com”, was not accessible.

Figure 5: Inactive URL

To decrypt the data containing the text and numbers, it applies base64 decoding twice; the result is stored in JSON format.

Figure 6: Information decryption and message sending

Figure 7: Decrypted number and text used to send high-cost SMS

It checks incoming messages, matches their content against the desired data, and then sends SMS accordingly.

Figure 8: Checks for incoming messages

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicators of Compromise (IOC):


Microsoft Security Bulletin Coverage for September 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-34718 Windows TCP/IP Remote Code Execution Vulnerability
IPS 15794: Windows TCP/IP Stack RCE (CVE-2022-34718)

CVE-2022-34721 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
IPS 15795: Windows IKE Remote Code Execution (CVE-2022-34721)

CVE-2022-34725 Windows ALPC Elevation of Privilege Vulnerability
ASPY 106: Malformed-File exe.MP_271

CVE-2022-34729 Windows GDI Elevation of Privilege Vulnerability
ASPY 361: Malformed-File exe.MP_272

CVE-2022-35803 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 104: Malformed-File exe.MP_270

CVE-2022-37954 DirectX Graphics Kernel Elevation of Privilege Vulnerability
ASPY 362: Malformed-File exe.MP_273

CVE-2022-37957 Windows Kernel Elevation of Privilege Vulnerability
ASPY 363: Malformed-File exe.MP_274

To prevent CVE-2022-34721 and CVE-2022-34722 attacks, SonicWall recommends blocking IKEv1 by enabling the IKEv1 signatures in App Control.

For CVE-2022-34718, Microsoft lists the following mitigating factors:

  • Only systems with the IPSec service running are vulnerable to this attack.
  • Systems are not affected if IPv6 is disabled on the target machine.

The following vulnerabilities do not have exploits in the wild:
CVE-2022-26928 Windows Photo Import API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26929 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30170 Windows Credential Roaming Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30196 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-30200 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-33647 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-33679 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-34700 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34719 Windows Distributed File System (DFS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-34720 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-34723 Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-34724 Windows DNS Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-34726 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34727 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34728 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-34730 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34731 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34732 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34733 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-34734 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35805 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35823 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35828 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-35830 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35831 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-35832 Windows Event Tracing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-35833 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-35834 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35835 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35836 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35837 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-35838 HTTP V3 Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-35840 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-35841 Windows Enterprise App Management Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-37955 Windows Group Policy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37956 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37958 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-37959 Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-37961 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-37962 Microsoft PowerPoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-37963 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-37964 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-37969 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38004 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38005 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38006 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-38007 Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-38008 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38009 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38010 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38011 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38013 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-38019 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-38020 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.

WWBN AVideo Command Injection Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  AVideo is a powerful base platform for uploading, curating, organizing, indexing, and distributing audio and video content. The plugin design allows you to get exactly the solution that addresses your needs today, while ensuring that your Media Broadcast Network implementation can grow and expand with you as your needs evolve.

  A command injection vulnerability has been reported in WWBN AVideo. The vulnerability is due to improper input validation when executing a command.

  A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in execution of arbitrary commands.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-30534.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.9 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The management life cycle of media in AVideo consists of uploading media to temporary storage for encoding and then storing the media for distribution to other users. A user with upload privileges on an instance of AVideo can upload videos by providing a URL where the video can be accessed or uploading a video file for encoding. When a video is uploaded the functionality of AVideo/objects/aVideoEncoder.json.php is used to process the request and encode the video. The encoding step expects a POST request containing the chunkFile parameter that contains the provided file name as well as a ZIP file containing the video to be uploaded and encoded. If the chunkFile parameter is not empty the function decideMoveUploadedToVideos is called in AVideo/objects/functions.php with the value of the chunkFile parameter. The function decideMoveUploadedToVideos then calls the function unzipDirectory. The unzipDirectory function builds a command string to unzip the provided file for further processing.

  However, the unzip command string is built with the value of the chunkFile parameter inserted directly, without any sanitization or quoting. An attacker can therefore supply a chunkFile value containing shell metacharacters (for example ";" or "|") so that the shell executes additional commands of the attacker's choosing on the target server. An example of a malicious request is shown below:

Triggering the Problem:

  • The target system must have the vulnerable product installed and enabled.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must be able to authenticate with the vulnerable server with upload permissions.

Triggering Conditions:

  The attacker authenticates with the vulnerable AVideo server. Then the attacker sends a crafted HTTP request to the target server. The vulnerability is triggered when the target server processes the request.
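  The following is an added example, not AVideo's own code and not the request capture from the original advisory. It reconstructs the vulnerable pattern described above in Python: a chunkFile value interpolated into an unzip command string, tokenised the way /bin/sh would see it so the injected command is visible without executing anything, next to the two fixes a maintainer would apply (quote the argument, or allow-list the file name and pass an argv list so no shell is involved). The exact unzip command format, the function names and the sample chunkFile values are assumptions made for the illustration.

```python
"""Added example (not AVideo's code): unsanitized chunkFile -> shell command chain,
and two ways to close the hole. Command shape and names are assumptions."""
import re
import shlex

# Constructed sample chunkFile values, as they would appear in the multipart POST
# to objects/aVideoEncoder.json.php (benign upload vs. injected command chain).
CONSTRUCTED_BENIGN_CHUNKFILE = "upload_1234.zip"
CONSTRUCTED_MALICIOUS_CHUNKFILE = "upload_1234.zip; id > /tmp/pwned; #"
ASSUMED_DEST_DIR = "/var/www/videos"  # hypothetical extraction directory


def build_unzip_cmd_vulnerable(chunkfile: str, dest_dir: str) -> str:
    """Vulnerable pattern: the request parameter is dropped straight into a shell
    command string (assumed shape) with no validation and no quoting."""
    return f"unzip -o {chunkfile} -d {dest_dir}"


def build_unzip_cmd_quoted(chunkfile: str, dest_dir: str) -> str:
    """Minimal fix: single-quote each argument, the equivalent of PHP's
    escapeshellarg(), so metacharacters in the value are inert."""
    return f"unzip -o {shlex.quote(chunkfile)} -d {shlex.quote(dest_dir)}"


def shell_words(cmd: str) -> list[str]:
    """Tokenise like a POSIX shell, returning ; | & < > ( ) as separate operator
    tokens and honouring quotes and '#' comments, without running anything."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_commands(cmd: str) -> list[list[str]]:
    """Split the token stream on command separators and return every command
    after the first one; for a safe command string this list is empty."""
    separators = {";", "|", "||", "&&", "&"}
    commands, current = [], []
    for tok in shell_words(cmd):
        if tok in separators:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands[1:]


# Allow-list: a bare .zip file name, no path separators, no metacharacters.
SAFE_CHUNKFILE = re.compile(r"[A-Za-z0-9_.-]{1,128}\.zip")


def chunkfile_is_valid(chunkfile: str) -> bool:
    """Structural fix, step 1: reject anything that is not a plain zip file name
    before it gets anywhere near a command."""
    return bool(SAFE_CHUNKFILE.fullmatch(chunkfile)) and ".." not in chunkfile


def build_unzip_argv(chunkfile: str, dest_dir: str) -> list[str]:
    """Structural fix, step 2: hand the validated value to the program as one
    argv element (subprocess.run(argv) without shell=True), so no shell parses it."""
    if not chunkfile_is_valid(chunkfile):
        raise ValueError("rejected chunkFile value: %r" % chunkfile)
    return ["unzip", "-o", chunkfile, "-d", dest_dir]


if __name__ == "__main__":
    cmd = build_unzip_cmd_vulnerable(CONSTRUCTED_MALICIOUS_CHUNKFILE, ASSUMED_DEST_DIR)
    print("vulnerable string :", cmd)
    print("injected commands :", injected_commands(cmd))
    print("quoted string     :", build_unzip_cmd_quoted(CONSTRUCTED_MALICIOUS_CHUNKFILE, ASSUMED_DEST_DIR))
    print("injected (quoted) :", injected_commands(build_unzip_cmd_quoted(CONSTRUCTED_MALICIOUS_CHUNKFILE, ASSUMED_DEST_DIR)))
    print("argv (benign)     :", build_unzip_argv(CONSTRUCTED_BENIGN_CHUNKFILE, ASSUMED_DEST_DIR))
```

  Note that the trailing "#" in the constructed value comments out the rest of the original command line, so the attacker's command runs even though the application appended its own -d argument after the injected text; quoting alone stops this, but the allow-list plus argv form is the one that also keeps path tricks out of the unzip invocation.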

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2142 WWBN AVideo chunkfile Command Injection

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Zimbra Collaboration RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Zimbra Collaboration is a collection of tools designed for collaboration. Tools within the suite include an email server, a chat server, a file sharing server, a shared calendar, and an email client. The application’s web mail client and the admin console can be accessed through HTTP.

  A directory traversal vulnerability has been reported in Zimbra Collaboration. The vulnerability is due to improper validation of zip files uploaded to the mboximport endpoint.

  A remote, unauthenticated attacker could exploit this vulnerability by uploading a crafted zip file to the target server. Successful exploitation could result in the attacker writing files outside of the expected document root, in the worst case, leading to arbitrary code execution under the security context of the server process.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-27925.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  This vulnerability is due to improper validation of zip files uploaded to the mboximport endpoint. POST requests to the mboximport endpoint are processed by the target server via the doPost() method of MailboxImportServlet. This method looks up the account name supplied in the request and checks whether a mailbox already exists for it. If all checks pass, the importFrom() method is called, which creates a ZipBackupTarget object from the ZIP file provided in the POST body. The restore() method of this object is then called, which eventually calls unzipToTempFiles() to extract the ZIP file’s contents. This method iterates over the files contained in the ZIP by calling getNextEntry() of java.util.zip.ZipInputStream. For each entry, a java.io.File object is created from a temporary directory and the file name taken from the ZIP entry. However, no validation is performed on that file name, so an entry name containing directory traversal sequences such as "../" causes the file to be created outside the intended temporary directory.

  A remote, unauthenticated attacker could exploit this vulnerability by uploading a crafted zip file to the target server. Successful exploitation could result in the attacker writing files outside of the expected document root, in the worst case, leading to arbitrary code execution under the security context of the server process.
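  As an added example (not Zimbra's code), the following Python builds a ZIP archive with the kind of entry name a crafted mboximport upload would carry and shows the check that unzipToTempFiles() lacks: resolve each entry name under the extraction directory and refuse any entry that lands outside it. The extraction directory and the entry names are constructed for the illustration; nothing is written to disk.

```python
"""Added example (not Zimbra's code): a zip-slip entry and the path check that
rejects it. The extraction directory and entry names are constructed samples."""
import io
import os
import zipfile

ASSUMED_TEMP_DIR = "/var/tmp/mboximport"  # hypothetical extraction directory


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed upload body. zipfile stores arcnames verbatim, so a name
    such as '../../x' survives into the central directory exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def resolved_target(temp_dir: str, entry_name: str) -> str:
    """Where 'new File(tempDir, entryName)' ends up once the OS normalises it."""
    return os.path.normpath(os.path.join(temp_dir, entry_name))


def entry_escapes(temp_dir: str, entry_name: str) -> bool:
    """The missing check: True when the entry would be created outside temp_dir.
    Catches '..' climbs at any depth and absolute entry names alike, because the
    comparison is done on the normalised result rather than on the raw string."""
    base = os.path.normpath(os.path.abspath(temp_dir))
    target = os.path.normpath(os.path.join(base, entry_name))
    return os.path.commonpath([base, target]) != base


def classify_upload(zip_bytes: bytes, temp_dir: str) -> dict[str, str]:
    """Walk the archive the way the getNextEntry() loop does and report each
    entry's disposition, without extracting anything."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            where = resolved_target(temp_dir, info.filename)
            if entry_escapes(temp_dir, info.filename):
                verdicts[info.filename] = "REJECT -> " + where
            else:
                verdicts[info.filename] = "ok -> " + where
    return verdicts


# Constructed sample: one legitimate mailbox file and one traversal entry.
CONSTRUCTED_UPLOAD = build_zip({
    "Inbox/message-1.eml": b"From: a@example.test\r\n\r\nhello\r\n",
    "../../../outside.txt": b"written outside the temp directory\n",
})

if __name__ == "__main__":
    for name, verdict in classify_upload(CONSTRUCTED_UPLOAD, ASSUMED_TEMP_DIR).items():
        print(f"{name!r:28} {verdict}")
```

  The check compares normalised absolute paths rather than searching the raw name for "..", which is what makes it robust against entries such as "a/../../b" that look harmless until they are joined to the base directory.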

Triggering the Problem:

  • The target host is running a vulnerable version of the product.
  • The attacker has network connectivity to the target host.

Triggering Conditions:

  The attacker sends a malicious request to the mboximport endpoint on the target server containing a crafted ZIP file in the POST body. The vulnerability is triggered when the affected program processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3214 Zimbra Collaboration mboximport Directory Traversal 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisories regarding this vulnerability:
  Vendor Advisory 1
  Vendor Advisory 2

TightVNC Heap Buffer Overflow Vulnerability

Overview:

  TightVNC is a remote desktop software application. It lets you connect to another computer and display its live remote desktop or control the remote computer with your mouse and keyboard, just as you would sitting in front of that computer. Since it is designed to work out of the box, TightVNC can be very handy not only for system administrators and support staff, but for all users who want to benefit from remote desktop access. Like other VNC systems, it consists of two parts: the Server, which shares the screen of the machine it’s running on, and the Viewer, which shows the remote screen received from the server.

  A heap buffer overflow vulnerability has been reported in TightVNC vncviewer. This vulnerability is due to missing integer value validation in InitialiseRFBConnection in rfbproto.c.

  A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a target user using TightVNC vncviewer.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-23967.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is unavailable.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  VNC uses the Remote Framebuffer (RFB) protocol, a simple protocol for remote access to graphical user interfaces that allows a client to view and control a window system on another computer.

  A heap buffer overflow exists in TightVNC. The problem occurs while reading the desktop name from a ServerInit message in InitialiseRFBConnection(). The function calls ReadFromRFBServer() to read the fixed-size ServerInit fields, excluding the variable-length name-string field. It then calls malloc() with the name-length field, stored in si.nameLength, plus one additional byte for the NUL terminator. Because si.nameLength is a 32-bit unsigned value, sending the maximum name-length of 0xFFFFFFFF makes nameLength + 1 wrap to 0, so malloc() is called with a size of 0. The resulting minimal allocation is then used as the destination for a read of up to 0xFFFFFFFF bytes from the server, overflowing the heap.

  A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a target user using TightVNC vncviewer. Successful exploitation could lead to remote code execution under the security context of the client process, while an unsuccessful attack could lead to a denial-of-service condition.

  View RFB Protocol
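  As an added example (not TightVNC's code), the following Python shows both sides of the exchange described above: the ServerInit message as a server builds it, the client-side arithmetic that wraps when the name-length is 0xFFFFFFFF, and the bound a hardened viewer applies before allocating. The 32-bit wraparound of the C expression si.nameLength + 1 is emulated explicitly with a mask, and the desktop-name cap is an assumption (RFB itself gives no upper bound, so the viewer has to pick one).

```python
"""Added example (not TightVNC's code): RFB ServerInit from both sides, the
wrapping length arithmetic, and a bounded parser. The cap is an assumption."""
import struct

# ServerInit fixed part: U16 width, U16 height, 16-byte PIXEL_FORMAT, U32 name-length.
SERVERINIT_FIXED = struct.Struct(">HH16sI")
UINT32_MAX = 0xFFFFFFFF
MAX_DESKTOP_NAME = 4096  # assumed cap; chosen by the viewer, not by the protocol


def build_server_init(width: int, height: int, name_length: int, name: bytes = b"") -> bytes:
    """Server side. A conforming server sends name_length == len(name); the
    attacker's server sends 0xFFFFFFFF and then as many bytes as it likes."""
    pixel_format = bytes(16)  # constructed; its contents play no part in the bug
    return SERVERINIT_FIXED.pack(width, height, pixel_format, name_length) + name


def vulnerable_alloc_size(name_length: int) -> int:
    """si.nameLength is a CARD32, so 'si.nameLength + 1' is evaluated in 32-bit
    unsigned arithmetic; the mask reproduces that wraparound in Python."""
    return (name_length + 1) & UINT32_MAX


def parse_server_init_vulnerable(msg: bytes) -> dict:
    """Client side as the vulnerable viewer does it: allocate nameLength + 1,
    then read nameLength bytes into it. Returns the numbers rather than a
    buffer, so the mismatch is visible without corrupting anything."""
    width, height, _pixel_format, name_length = SERVERINIT_FIXED.unpack_from(msg)
    alloc = vulnerable_alloc_size(name_length)
    return {
        "width": width,
        "height": height,
        "name_length": name_length,
        "alloc": alloc,
        "copy_len": name_length,
        "overflow": name_length >= alloc,  # copying copy_len bytes into alloc bytes
    }


def parse_server_init_hardened(msg: bytes) -> dict:
    """Bounded parser: check the length against a cap before any allocation,
    and insist that the advertised bytes are actually present."""
    width, height, _pixel_format, name_length = SERVERINIT_FIXED.unpack_from(msg)
    if name_length > MAX_DESKTOP_NAME:
        raise ValueError(f"ServerInit name-length {name_length:#x} exceeds cap {MAX_DESKTOP_NAME}")
    start = SERVERINIT_FIXED.size
    name = msg[start:start + name_length]
    if len(name) != name_length:
        raise ValueError("ServerInit truncated: fewer name bytes than advertised")
    return {"width": width, "height": height, "name": name.decode("latin-1")}


def hardened_rejects(msg: bytes) -> bool:
    """Convenience predicate: does the bounded parser refuse this message?"""
    try:
        parse_server_init_hardened(msg)
        return False
    except ValueError:
        return True


# Constructed messages: a normal ServerInit and the malicious one.
CONSTRUCTED_BENIGN_SERVERINIT = build_server_init(1024, 768, 7, b"desktop")
CONSTRUCTED_MALICIOUS_SERVERINIT = build_server_init(1024, 768, UINT32_MAX)

if __name__ == "__main__":
    print("benign   :", parse_server_init_vulnerable(CONSTRUCTED_BENIGN_SERVERINIT))
    print("malicious:", parse_server_init_vulnerable(CONSTRUCTED_MALICIOUS_SERVERINIT))
    print("hardened rejects malicious:", hardened_rejects(CONSTRUCTED_MALICIOUS_SERVERINIT))
```

  The cap is the important design choice: checking name_length + 1 for overflow alone would still let a server demand a multi-gigabyte allocation, so a hardened viewer bounds the advertised length first and only then allocates.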

Triggering the Problem:

  • The target system must have the vulnerable product installed.
  • The target must have network connectivity to the attacker-controlled server.

Triggering Conditions:

  The target connects to the attacker server, performs the protocol and security handshakes, sends the ClientInit message, and receives the malicious ServerInit message. The vulnerability is triggered when the affected product processes the ServerInit message.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • RFB

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 18698 TightVNC Client Heap Buffer Overflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering attack traffic using the signature above.
    • Blocking VNC connections to untrusted hosts.
    • Avoiding use of the TightVNC client (vncviewer) on Linux systems.
  At the time of writing, the vendor has not released a patch for this vulnerability.
  Bug Report