
ASUS RT-AC86U AiProtection security- related function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services.





:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202309003

CVE ID

CVE-2023-38032

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AC86U: 3.0.0.4.386.51529

問題描述

ASUS RT-AC86U 之AiProtection之資安相關功能未對特殊參數作過濾，遠端攻擊者以一般使用者權限登入後，即可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新至3.0.0.4.386\_51915

漏洞通報者

資安人員

公開日期

2023-09-04

CVE-2023-38032: ASUS RT-AC86U - Command injection vulnerability - 2


ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services.





:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202309002

CVE ID

CVE-2023-38031

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AC86U: 3.0.0.4.386.51529

問題描述

ASUS RT-AC86U 之Adaptive QoS 之網頁瀏覽歷史功能未對特殊參數作過濾，遠端攻擊者以一般使用者權限登入後，即可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新至3.0.0.4.386\_51915

漏洞通報者

資安人員

公開日期

2023-09-04

CVE-2023-38031: ASUS RT-AC86U - Command injection vulnerability - 1

An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.


CVE-2023-4475

An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.


CVE-2023-3699

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.


CVE-2023-2910

An issue was discovered in attach parameter in GNOME Gmail version 2.5.4, allows remote attackers to gain sensitive information via crafted "mailto" link.

Following the email conversation with David I am raising this security issue as agreed (or some might say a feature/expected behavior)

**Summary**  
By using the "mailto?attach=..." parameter, a website can make GNOME Gmail attach local files to an email message without showing a warning to the user, additionally when user writes an email they can't see that there is an attachment on some systems. Please see test.gif for a demonstration.

To summarize it is an analog of CVE-2020-11879 in GNOME Evolution KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089), and Pegasus Mail. https://twitter.com/jensvoid/status/1295357952480751616 Jens originally found this type of issue in email clients. As Jens wrote in the bugzilla report 613425 I quote: "_This is arguable a dangerous feature because it allows an attacker to exfiltrate arbitrary files on disk (and also email from the victim's IMAP account), if the victim sends an email based on attacker controlled mailto input and misses the attachment being added._"

**How to reproduce**

1.  Have GNOME Gmail client installed on Ubuntu and choose GNOME GMail and Chrome as default browsers (I tested on Ubuntu 20.04 and 18.04.4 with latest stable Chrome)
2.  Copy Tux.png to /tmp directory
3.  Open test.html
4.  Click "Send email"
5.  In the GNOME Gmail fill the "To" and "Subject" fields
6.  Click send

  
test.html

    <html>
    <body>
    <p>POC test</p>
    <p><a href="mailto:alikhan@uzakov.io?attach=/tmp/Tux.png">Send email</a></p>
    </body>
    </html>
    

Tux.png https://en.wikipedia.org/wiki/File:Tux.png  
**Additional information**  
On Ubuntu 18.04.4 with Chrome version 83.0.4103.116 attachment isn't shown, as you can see in demo above  
On Ubuntu 20.04 with the latest stable Chrome attachment is shown

CVE-2020-24904: Security issue · Issue #84 · davesteele/gnome-gmail

As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target.

Wednesday, August 9, 2023 08:08

We’ve talked quite a bit about spyware recently, with very good reason. Recently, concerns have grown regarding the rapid growth of commercial spyware tools, and the way in which they are being used against their intended victims.

This Need to Know article talk about the broader effects of spyware becoming more commercialized, how it is being used, and the differences between commercial spyware and digital extortion.

**What is commercial spyware, and why is it a growing trend?**

In general terms, spyware is software that can be installed on a device and used to monitor activity and/or capture potentially sensitive data. The term has been around since the 1990s, and the first spyware to be identified was developed by criminals to steal passwords or financial information from devices.  Spyware can even be used to track the device's physical location and record from the camera or microphone.

The opportunities for governments and law enforcement to use spyware as part of legal investigations led to the development of commercial spyware.  Attackers have long used commercial products developed by legitimate companies to compromise targeted devices.

These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware.

Commercial spyware can be seen as having legitimate reasons to exist, especially in instances of crime and terrorism (as long as it is highly regulated). The problem is that there isn’t a universal or global way in which these companies are being regulated.

As such, we’ve seen a growing number of reports of victims who are targeted with commercial spyware. These victims are not criminals or terrorists, but instead, they are associated with activism. For example, there have been reports of journalists who report on human rights abuses, and activists shining a light on oppressive regimes, who have been targeted and compromised with this tooling.

Problems also arise when organizations turn a blind eye to the usage of commercial spyware.

A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights how the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” The United States government also threatened to step in when it looked like a U.S. company was going to purchase NSO Group, an infamous Israeli maker of the Pegasus spyware.

**What ways can you protect yourself if you might be a target of commercial spyware?**

As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target. It is therefore likely that they will try many things to compromise your mobile phone, including using zero-day attacks or unknown vulnerabilities.

That is very concerning to us, however, there are a couple of things that end users can look out for:

Although zero-click exploits do exist, they're not very common. Most of the time, unsolicited messages from various people are the first entry point. So, if you get a bunch of messages from strangers, don't click on the links, and don’t click on any attachments.

Additionally, something as simple as rebooting your phone can help clear the spyware from your device. This is because commercial spyware companies typically do not build persistence into their spyware.

If you are talking to someone who may be a target of commercial spyware (i.e., human rights journalists, activists, dissidents and lawyers) it’s a good idea to reboot your phone before you talk to them. It is entirely possible that these threat actors will go as far as compromising close contacts of their targets.

**Notable example of commercial spyware**

Talos provided a highly informative article on the PREDATOR commercial spyware, which has been around since 2019.

PREDATOR is intended to work with another spyware component called “ALIEN” (it’s not “Alien vs. Predator” this time; they’re working together). They work to bypass traditional security barriers on the Android operating system and provide a variety of information stealing, surveillance and remote access capabilities.

**The differences between commercial spyware and digital extortion attacks**

You may have received an email something like, “We know you’ve visited this adult website. We filmed you watching some videos. Now we’re going to send all your friends and family that footage unless you pay us in bitcoins.”

These are typically digital extortion attacks, not actual spyware. Attackers send these emails to multiple accounts, hoping that someone will believe the story, and pay up.

As we’ve talked about, commercial spyware is highly targeted. The customers of these commercial spyware organizations know who their victim(s) are. In digital extortion attacks, cyber criminals generally don’t know who their victims are, but they’re hoping as many people as possible believe the story, and pay up.

They will usually have found your email address via a data breach of a third party. If you receive such an email, just delete it and don’t give it a second thought. The email you received will be one of many thousands.

**What is Cisco doing to take action against the growth of commercial spyware?**

Cisco, Microsoft, and other tech companies have joined in supporting Meta's lawsuit against the NSO Group referenced above through court filings. Cisco was also a key drafter of the Cyber Mercenary Principles document adopted by the Cyber Tech Accord. The document acknowledges the threat realized by these commercial offerings and outlines the steps that organizations are taking to help limit the impacts of commercial spyware.

**Learn more**

Researchers at Cisco Talos recently wrote an ‘On the Radar’ article about the growth of spyware-based intelligence providers, without legal or ethical supervision. The article also looks to the untethered future of commercial spyware and contains advice about what to do if you feel you have been targeted with spyware - especially if you have a higher risk profile (i.e., journalists and dissidents).

Also check out this episode of the Talos Takes podcast, where Asheer Malhotra talks to Jon Munshaw about the dangers of spyware and mercenary groups.

What is commercial spyware?

Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet.
The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections.
"The Android Security Model assumes that all networks are hostile to keep users safe from

Mobile Security / Network Attack

Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet.

The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections.

"The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic," Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle said.

"Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE)."

2G networks, in particular, employ weak encryption and lack mutual authentication, rendering them susceptible to over-the-air interception and traffic decryption attacks by impersonating a real 2G tower.

The threat posed by rogue cellular base stations means that it could be weaponized by malicious actors to intercept communication traffic, distribute malware, as well as launch denial-of-service (DoS) and adversary-in-the-middle (AitM) attacks, posing surveillance concerns.

In June 2020, Amnesty International disclosed how a Moroccan journalist was targeted with network injection attacks, likely using a fake cell tower to deliver the Pegasus spyware.

To make matters worse, an adversary could launch a stealthy downgrade attack using advanced cell-site simulators (aka Stingrays) that force the handsets to connect to a 2G network by taking advantage of the fact that all existing mobile devices still feature support for 2G bands.

Google, in an attempt to address some of these concerns, added an option to disable 2G at the modem level with Android 12 in early 2022. As a next logical step, the company is now putting in place a new restriction that prevents a device's ability to downgrade to 2G connectivity.

Also tackled in the upcoming release of the mobile operating system is the risk of null ciphers (non-encrypted mode or GEA0) in commercial networks, which exposes user voice and SMS traffic, including one-time passwords (OTPs) to trivial on-the-fly interception attacks.

The disclosure comes as Google said that it's enabling E2EE for RCS conversations in its Messages app for Android by default for new and existing users, although the company notes that some users may be asked to agree to Terms of Service provided by their carrier network.

It also follows its plans to add support for Message Layer Security (MLS) to the Messages app for interoperability across other messaging services.

While Google has attempted to publicly pressurize Apple into adopting RCS, the iPhone maker appears to be content with iMessage for encrypted messaging. Nor has it expressed any interest in releasing a version of iMessage for Android, forcing users texting between the two operating systems to switch to a third-party messaging alternative.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android 14 Security Feature: IT Admins Can Now Disable 2G Networks

ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit sensitive information in cleartext.

**\[CVE ID\]**

CVE-2023-39086

**\[PRODUCT\]**

ASUS RT-AC66U B1 – 3.0.0.4.286\_51665

**\[VERSION\]**

ASUS RT-AC66U B1  firmware=3.0.0.4.286\_51665

**\[PROBLEMTYPE\]**

CWE-319: Cleartext Transmission of Sensitive Information

**\[Attack Vectors\]**  
**http://121.41.98.87/2023/07/20/889/  
 \[DESCRIPTION\]**  
\> The latest firmware version of ASUS RT-AC66U B1 is 3.0.0.4.286\_ 51665,  
\> when logging into the management page, the username and password were  
\> not encrypted and only transmitted through Base64 encoding,  
\> transmitting sensitive information in almost plaintext.

CVE-2023-39086: INFO – 当年万里觅封侯

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Tag

#asus