OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Thursday, March 30, 2023 12:03

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in the OpenImageIO image-parsing library that many popular pieces of 3-D rendering software use.

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Two of the vulnerabilities — TALOS-2023-1707 (CVE-2023-24473) and TALOS-2023-1708 (CVE-2023-22845) — could lead to the disclosure of sensitive information. An adversary could exploit these vulnerabilities by sending the target a specially crafted, malicious Targa (.tga) file.

TALOS-2023-1709 (CVE-2023-24472) is a denial-of-service vulnerability that is a continuation of TALOS-2022-1653 (CVE-2022-43594 and CVE-2022-43595). Talos first discovered CVE-2022-43595 in December, though it was not fixed in the most recent version of OpenImageIO.

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: OpenImageIO Project, version 2.4.7.1. Talos tested and confirmed this version of the library could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability: 61271, 61272, 61384 and 61385. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser

An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Thursday, March 30, 2023 10:03

_Keane O’Kelley of Cisco ASIG discovered this vulnerability._

Cisco ASIG recently discovered a remote code execution vulnerability in the SNIProxy open-source tool that occurs when the user utilizes wildcard backend hosts.

SNIProxy proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This open-source tool allows for users to carry out name-based proxying of HTTPS without decrypting traffic or needing a key or certificate.

Talos discovered a remote code execution vulnerability (TALOS-2023-1731/CVE-2023-25076) that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: SNIProxy version 0.6.0-2 and SNIProxy Master, version 822bb80df9b7b345cc9eba55df74a07b498819ba. Talos tested and confirmed these versions of the open-source tool could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability:  
61474\. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability

Whether it be threat hunting, an active defense posture or just improving security instrumentation alerts and logs an organization keeps, it’s best for every user — no matter the size — to be prepared for when a cybersecurity incident or breach occurs.

Wednesday, March 29, 2023 08:03

We’ve written before about the importance of taking a proactive approach to cybersecurity.

Whether it be threat hunting, an active defense posture or just improving security instrumentation alerts and logs an organization keeps, it’s best for every user — no matter the size — to be prepared for when a cybersecurity incident or breach occurs.

We saw this recently with a customer in the education industry vertical. The customer leveraged their Cisco Talos Incident Response retainer after conducting some proactive threat hunting to notify us that they identified some suspicious activity on their network. Talos IR responders quickly noticed that just a single box on the customer’s network alerted, and we isolated the intrusion to a single endpoint within the network. Talos IR concluded with high confidence that the adversary had compromised just a single endpoint with a single, compromised credential. This strong collaborative approach from the customer and Talos allowed us to quickly contain and eradicate the adversary from the environment.

Our Talos IR 2022 Q3 Quarterly Trends reflect pre-ransomware and ransomware activity being the top threat and this continues a trend that we’ve seen across the threat landscape where adversaries are increasingly carrying out pre-ransomware activities to establish a foothold on a network rather than diving in head-first with a full-blown ransomware attack. Regulation and small-medium business targets may be factors for adversaries evolving extortion tactics versus deploying ransomware within a compromised environment. Potential attack targets may just see smaller, potentially innocuous activities from an adversary that doesn’t have to include the encryption of files on a network and request for a ransom payment.

As outlined in Talos’ 2022 Year in Review, education is a particularly vulnerable sector and we expect adversaries to increase the targeting of schools and universities over the summer when students start to return to classes after break.

If you want to detect, quickly respond and eradicate an adversary like this customer, you need to have incident response expertise in place. Cisco Secure’s Security Outcomes Report recently found that there was 11 percent difference in average resilience scores between organizations that have an external incident response retainer versus those that don’t.

A foundational component of this proactive plan is a Cisco Talos Incident Response Retainer. If a Talos IR retainer customer sees something suspicious, we’re there immediately to respond and determine what containment actions are appropriate and if a further forensic investigation is required. Just because you are not experiencing file encryption in your environment does not mean that an adversary doesn’t have the capability to deploy ransomware leading to a business-impacting cybersecurity incident. It is common for an adversary to gain initial access to a target organization and maintain access.

With an incident response retainer, an organization doesn’t have to conglomerate a plan or response together. Instead, it’s a one-size-fits-all package that includes tabletop exercises, cyber range training, purple teaming, intelligence on-demand, and much more. Then, if (more likely when) your worst career day occurs and your organization is the target of a cyber-attack, Talos IR stands at the ready to help the team respond immediately to detect and eradicate an advanced or determined adversary.

We’ll be covering more about Incident Response retainers in our upcoming Talos IR On Air live stream on April 27 at noon Eastern, which you can watch on our LinkedIn and Twitter pages live.

With a retainer from Talos IR, organizations and users will have peace of mind that they have a trusted digital forensic and incident response team ready at any time. There’s no need to purchase emergency incident response services from one vendor, training exercises from another and a third vendor to assist in the creation of an incident response plan to prepare for the next time there’s an incident. Talos IR offers all these services in one package with a retainer.

If a customer doesn’t have a breach or an incident, there are many ways to leverage Talos IR proactively by enlisting us to lead your team through a hypothetical tabletop exercise or conducting a compromise assessment to identify potential gaps in your network before the adversaries can.

Even if your organization doesn’t already have Cisco products in place, Talos IR can work with you — we’re completely vendor-agnostic. Whatever tools and software you have, we’re here to help.

No matter what tools you must detect or scan for the next threat, our responders can start their work immediately to remediate the threat. If you require new hardware or software solutions, our team can always help with that, too.

If you are already a Cisco customer, a Talos IR retainer is the perfect way to continue your security journey with us and become more resilient. We’ll find the full capabilities of your security team and then develop a prescriptive plan for how your security team can best work with us over the lifetime of the retainer. The team that starts working with you from the first day you sign onto a retainer will be there with you.

If you’d like to learn more about a Talos IR retainer, please reach out to us through our website, and tune into the next Talos IR On Air to hear more about this service.

How an incident response retainer can drive proactive security

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 17 and March 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 17 to March 24

Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.

Thursday, March 23, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

After asking ChatGPT to write the newsletter for me two weeks ago, I was tempted to have Google’s Bard do the same, but I resisted making this the newsletter’s new gimmick.

Instead, I wanted to write about another tech giant — Meta.

The company recently doubled down on a threat to remove news links and sharing from its Facebook and Instagram platforms if Canada passes its proposed Online News Act, or bill C-18. The proposed legislation would compel companies like Meta and Google to sign agreements with Canadian news organizations that would pay them each time a user clicks on a news link through one of their platforms (i.e., via a shared link on Facebook or a Google search result).

But as the great Tobey Maguire once said in the cinematic classic “Spider-Man:” “I fail to see how that’s my problem.”

If Facebook stops users from sharing news links on their pages, it could be a net positive. Facebook users are notoriously the biggest offenders for sharing fake news and misinformation. A May 2020 study published in Nature Human Behavior found that Facebook pointed users to fake news websites during the 2016 presidential election at a higher rate than any other social media platform.

A separate study from Harvard found that during the first few months of 2020, the rate of user engagement with fake news to mainstream news stories was 1:3.5, and the International Communications Association found via a study of social media users that, “sharing countermedia content on Facebook is positively associated with ideological extremity and negatively associated with trust in the mainstream news media.”

If Instagram, Facebook and other social media sites were to follow along with this with Canada (Google already started quietly removing news links from its search engine last month in protest of the Online News Act), I think it could go a long way toward fighting disinformation. If users can’t get their news through social media, they may be forced to seek out information independently rather than blindly clicking “share” on Great Aunt Betty’s post, which is just a bad parody from the Babylon Bee.

I also would be remiss to not discuss the benefits this legislation would possibly have on newsrooms in Canada. As a former journalist, and someone who was worried about being laid off 24/7 in my previous jobs, it’s a financial struggle out there right now for legitimate news organizations. Online advertising isn’t what it once was, so many outlets are being forced to pivot to hard paywalls or rely on clickbait articles that don’t deliver any news. If this presents a new way to fund legitimate journalism, especially if the only financial burden falls on the richest companies in the world, it could go a long way to sustaining newsrooms.

Just because something becomes legal in Canada doesn’t mean other countries are going to be adopting the same rules any time soon. But if news sharing does suddenly go away on Facebook in Canada, maybe it will force all of us to think about where we’re really consuming our news from and how we consumed news even just 15 years ago.

**The one big thing**

We’re still reminding people to update their Microsoft Outlook clients as soon as possible after the disclosure of CVE-2023-23397. Attackers have reportedly been exploiting this vulnerability since last year, though a fix is available now through Microsoft. Adversaries could manipulate a targeted system into supplying the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Why do I care?**

Multiple sources, including Microsoft itself, have confirmed that this vulnerability is being used in the wild. Plus, users don’t even have to open the email or any malicious attachments to trigger this vulnerability, the specially crafted email just has to hit the target’s Outlook inbox. This is a high-severity, low-complexity vulnerability everyone should be patching for if they haven’t already.

**So now what?**

Microsoft has released a patch that should be applied, but Talos also has several layers of detection and protection available. If, for some reason, your organization cannot apply this patch, Microsoft also provided a few mitigation options, including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network.

**Top security headlines of the week**

The **popular dark web site BreachForums shut down this week** after the FBI arrested its main admin. This is the latest in a string of law enforcement wins against cybercrime groups, who also brought down the Hive ransomware gang in January and RaidForums, BreachForums’ predecessor, last year. The site’s administrator, who goes by the username “Pompompurin,” also claimed responsibility for a data breach of the FBI’s email system in November 2021. Cyber criminals commonly used BreachForums to buy and sell stolen databases of information and had been at the center of recent high-profile data breaches, including this month's attack on DC Health Link that led to the theft of sensitive information belonging to several Congressional representatives. (Krebs on Security, Axios)

Google’s security research team **discovered several zero-day vulnerabilities in certain Samsung chips** that leave many Google smartphones and other wearable devices vulnerable. There are four critical flaws that could compromise affected devices “silently and remotely” over the cellular network, according to Google Project Zero’s blog post on the matter. An attacker could exploit those vulnerabilities to “remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number.” Google says it was forced to disclose the vulnerabilities without a patch for many of the affected devices because Samsung did not adhere to its 90-day deadline to issue a fix. (TechCrunch, Google Project Zero)

TikTok’s CEO was scheduled to **appear before a U.S. Congressional committee Thursday** to discuss the popular app’s data security and privacy policies as there are renewed calls among the federal government to block the app. Prepared statements from CEO Shou Zi Chew showed that he would tout TikTok’s $1.5 billion investment in storing U.S. users’ information on Oracle servers and allow outside monitors to inspect the company’s source code. U.S. regulators have reportedly threatened to ban TikTok unless the company’s Chinese owners sell their stake, though the actual mechanics of blocking and de-listing the app are more complicated than they seem on the surface. (ABC News, New York Times)

**Can’t get enough Talos?**

*   New threat actor wages espionage campaigns across Central Asia and Eastern Europe
*   Threat Roundup for March 10 - 17
*   Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution
*   Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities
*   Talos Takes Ep. #131: Why does the Prometei botnet keep growing?

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 280c8c4f08700f0fea08f0e3ca6e96eadccf49c414c56b6a855c945769678e66  
**MD5:** cd1f364e46c6367dd96f8469eb226981  
**Typical Filename:** cd1f364e46c6367dd96f8469eb226981.scr  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Upatre::dk

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 23, 2023) — Meta is threatening to ban news sharing in Canada. Good.

In the months leading up to Russia’s invasion of Ukraine, Cisco and Talos did everything we could to support our friends, partners and colleagues, who were facing a reality unlike anything that can be found in any technical training manual, SOP or SLA.

Thursday, March 23, 2023 08:03

As we spoke about in the new ThreatWise TV documentary, “People Matter: A look back on how Cisco Talos has been supporting Ukraine,” war isn’t something that often appears in an organization’s business continuity or disaster recovery plans.

In the months leading up to Russia’s invasion of Ukraine, Cisco and Talos did everything we could to support our friends, partners and colleagues, who were facing a reality unlike anything that can be found in any technical training manual, SOP or SLA.

Once the invasion began, there was an influx of people across Cisco and Talos who wanted to help. That led to the development of an internal Ukraine task unit, which has become a prototype for how we can respond to future global events that are likely to have significant, ongoing cyber implications.

We also deployed and managed Cisco Secure products within a variety of Ukrainian organizations, and refocused parts of our workforce to monitor and detect threats against critical infrastructure. Much of this work continues today as part of an ongoing, comprehensive wartime effort to protect the people of Ukraine and enhance the resilience of Ukrainian organizations.

Many people have asked about our task unit, and what we do on a day-to-day basis to help organizations in Ukraine detect and respond to attacks against their critical infrastructure.

As you can probably imagine, there isn’t a typical day.

One of the key outcomes of the task unit, which has been wonderful to witness, is that people without a technical threat hunting background can add a great deal to our efforts. The power in diversity of thought and experience is explicit in our efforts to support Ukraine.

We decided to encapsulate this difficult, but important, work in the form of a graphic novel, which explores some of the themes we touched on in the documentary. Read it below or click here.

**Further resources**

*   Learn about the trends and threats Cisco Talos observed from monitoring Ukraine critical infrastructure.
*   For the latest on the cybersecurity situation in Ukraine, visit the Talos hub page.

Fighting the Good Fight: Life inside the Talos Ukraine Task Unit

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Thursday, March 23, 2023 07:03

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Talos Intelligence’s website (TalosIntelligence.com) has served as the replacement for SenderBase.org for many years, with TalosIntelligence.com providing the same information as SenderBase.org once did. Since that time, visitors to SenderBase.org have been automatically redirected to TalosIntelligence.com, and the redirect from SenderBase.org is finally being removed on \[date\]. After that, attempts to visit SenderBase.org will fail.

Any users still utilizing bookmarks or links pointing to Senderbase.org should update these to ensure they still work appropriately.

Thank you for assisting us in this process.

Senderbase.org redirects to end in April

Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus.
Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16.
Since returning, Emotet has leveraged several distinct infection chains, indicating that

Wednesday, March 22, 2023 15:03

*   Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus.
*   Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16.
*   Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.
*   The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

**Initial campaign**

Following its initial return to spamming operations, Emotet was leveraging heavily padded Microsoft Word documents in an attempt to evade detection. By leveraging a large number of inconsequential bytes in their documents, they could increase the size of the documents to surpass the maximum file size restrictions that automated analysis platforms like sandboxes and anti-virus scanning engines enforce.

The initial emails were consistent with what has been commonly observed from Emotet in recent years. They typically contained an attached ZIP archive containing a Microsoft Word document. An example of one such email is shown below.

While the ZIP archives are often small, in some cases only ~646KB, the Microsoft Word document when fully extracted was ~500MB in size.

The document included a large number of 0x00 bytes, a technique commonly referred to as “padding.”

Some of the documents also featured excerpts from the classic novel “Moby Dick,” another attempt to increase the size of the documents for evasion purposes.

The Office documents featured templates consistent with those used by Emotet in the past, as shown below.

The Word documents in this campaign contained malicious VBA macros that, when executed, functioned as a malware downloader, retrieving the Emotet payload from attacker-controlled distribution servers and infecting systems, thus adding them to the Emotet botnets.

**Emotet shifts to OneNote**

Microsoft recently deployed new security mechanisms around protecting endpoints from macro-based malware infections, which resulted in various threat actors moving away from Office document-based malspam campaigns. In many cases, these malware distribution campaigns switched to distributing OneNote documents instead, likely as a result of decreased infections and lower success rates. Emotet is no different — shortly after their return to spamming operations on March 16, 2023, they began distributing OneNote files, as well.

In one example, the sender purported to be from the U.S. Internal Revenue Service (IRS) and requested that the recipient complete the attached form.

The attached OneNote document featured templates similar to what has been observed in other Office document formats over the past several years, prompting the user to click inside the document to view the file.

When clicked, an embedded WSF script linked behind the view button containing malicious VBScript code is executed.

This VBScript downloader is responsible for retrieving the Emotet malware payload from an attacker-controlled server and infecting the system.

Hovering over the next button indicates that an object called “Object1.js” will execute when the button is clicked. This is because the attacker has embedded a clickable object behind the lure image as shown below.

This object is a heavily obfuscated JavaScript downloader responsible for retrieving and executing the Emotet payload on the system. A snippet from the obfuscated downloader is shown below.

In a relatively short period, Emotet has modified its infection chain several times to maximize the likelihood of successfully infecting victims.

**Indicators of Compromise**

Indicators of compromise (IOCs) associated with ongoing Emotet campaigns can be found here.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Talos created the following coverage for this threat.  

**Snort SIDs:**

51967-51971, 43890-43892, 44559, 44560, 47327, 47616, 47617, 48402, 49888, 49889, 52029, 53108, 53353-53360, 53770, 53771, 54804, 54805, 54900, 54901, 54924, 54925, 55253, 55254, 55591, 55592, 55781, 55782, 55787, 55788, 55869, 55870, 55873, 55874, 55929-55931, 56003, 56046, 56047, 56170, 56171, 56528, 56529, 56535, 56536, 56620, 56621, 56656, 56657, 56713, 56714, 56906, 56907, 56924, 56925, 56969, 56970, 56983, 56984, 57901, 58943  

**ClamAV Rules:**

Onenote.Dropper.Emotet-9993911-1

Onenote.Dropper.CodPhish-Emotet-9993220-1

Onenote.Trojan.Agent-9987935-0

Emotet Resumes Spam Operations, Switches to OneNote

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

Tuesday, March 21, 2023 13:03

_Christopher McBee and Dave McDaniel of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

A mesh system allows users to set up multiple access points to the Wi-Fi in their homes using various access points. Netgear’s Orbi system connects to the user’s modem or gateway and uses “satellites” to extend the Wi-Fi signal to different places throughout the home.

Talos discovered a vulnerability in the Orbi Satellite — TALOS-2022-1596 (CVE-2022-37337) — that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they’d need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.

Two other issues, TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429), exist in the main Orbi router that could also lead to arbitrary command execution if the adversary sends a specially crafted network request or JSON object, respectively.

TALOS-2022-1598 (CVE-2022-38458) also exists in the router. In this case, though, an adversary can carry out a man-in-the-middle attack to trick the service’s Web Services Management tool into disclosing sensitive information.

Cisco Talos worked with Netgear to ensure that TALOS-2022-1596, TALOS-2022-1597 and TALOS-2022-1598 are resolved and an update is available for affected customers. However, the company is still developing a patch for TALOS-2022-1595, though we are disclosing this vulnerability according to our 90-day timeline outlined in Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60474 – 60477 and 60499. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

Tuesday, March 21, 2023 09:03

_Carl Hurd of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in WellinTech’s KingHistorian industrial control systems data manager.

KingHistorian is a time-series database that allows users to ingest and process large amounts of data from ICS, including built-in statistical analysis.

Talos discovered an information disclosure vulnerability (TALOS-2022-1683/CVE-2022-45124) in the software’s user authentication function. If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

Another vulnerability, TALOS-2022-1674 (CVE-2022-43663) exists in a DLL in the software that could allow an adversary to cause a buffer overflow by sending a malicious packet to the targeted machine.

Cisco Talos worked with WellinTech to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: WellinTech KingHistorian, version 35.01.00.05. Talos tested and confirmed these versions of KingHistorian could be exploited by these vulnerabilities.

The following Snort rule will detect exploitation attempts against this vulnerability: 61093. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.