An alleged teen hacker claims to have gained deep access to the company’s systems, but the full picture of the breach is still coming into focus.

On Thursday evening, ride-share giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity that claims to be an individual 18-year-old hacker took responsibility for the attack, bragging to multiple security researchers about the steps they took to breach the company. The attacker reportedly posted, “Hi @here I announce I am a hacker and Uber has suffered a data breach,” in a channel on Uber's Slack on Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off, “uberunderpaisdrives.”

The company temporarily took down access on Thursday evening to Slack and some other internal services, according to _The New York Times_, which first reported the breach. In a midday update on Friday, the company said that “internal software tools that we took down as a precaution yesterday are coming back online.” Invoking time-honored breach-notification language, Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).” Screenshots leaked by the attacker, though, indicate that Uber's systems may have been deeply and thoroughly compromised and that anything the attacker didn't access may have been the result of limited time rather than limited opportunity.

“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.”

The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login. 

Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. MFA-prompt phishes have become more and more popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies deploy it. The recent Twilio breach, for example, illustrated how dire the consequences can be when a company that provides multifactor authentication services is itself compromised. Organizations that require physical authentication keys for logins have had success defending themselves against such remote social engineering attacks.

 The phrase "zero trust" has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access inside the company, they claim they were able to access resources shared on the network that included scripts for Microsoft's automation and management program PowerShell. The attackers said that one of the scripts contained hard-coded credentials for an administrator account of the access management system Thycotic. With control of this account, the attacker claimed, they were able to gain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.

Screenshots leaked by the attacker support the claims of this deep access, including to OneLogin. In an analysis on Friday, researchers from the cybersecurity firm Group IB suggested that the attacker may have first breached Uber earlier this week and only made their presence known on Thursday.

One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as “the golden ticket jackpot.”

“That’s God—they own that there’s nothing they can’t access," the security engineer added. "It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.” 

The situation at Uber comes on the heels of congressional testimony on Wednesday from Twitter’s former security chief Peiter “Mudge” Zatko, who has invoked whistleblower protections as part of accusations alleging deplorable security practices within the social media giant. Zatko's testimony this week got senators fired up about the importance of security within Big Tech. But in the past, even the direst and rattling hacks have led only to incremental progress on the most basic best practices. Zatko's testimony did not seem to impact Twitter's stock price at all on Wednesday. Uber's stock had a small dip Friday morning, but it had partly recovered by the closing bell.

For now, the full scope of the situation inside the ride-sharing giant remains unknown.

"I think there are a lot of opportunities to work on detections and preventions proactively," offensive security engineer Owens says. “This can be difficult to execute in practice, though, when you have lots of other fires to put out, political challenges inside of an organization, et cetera. Maybe I’m slowly becoming jaded since I’ve been around in this space for a while.”

The Uber Hack’s Devastation Is Just Starting to Reveal Itself

Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use of Hard-coded Credentials. Version 1.8.0 and prior have this vulnerability. Executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution.

CVE-2022-3214

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

2022-09-07 12:56 (CEST) VDE-2022-039  

**Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual**  
Share: Email | Twitter  

**

Published

**

2022-09-07 12:56 (CEST)

**

Last update

**

2022-09-07 12:56 (CEST)

**Vendor(s)**

Helmholz GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

myREX24

<= 2.11.2

myREX24.virtual

<= 2.11.2

**

Summary

**

Multiple vulnerabilities have been found in myREX24 and myREX24.virtual. 

**

Vulnerabilities

**

**Weakness**

Improper Restriction of Excessive Authentication Attempts (CWE-307)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the ..._

**Summary**

_An unauthenticated user can enumerate valid users by checking what kind of response the server sends._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in thein the MySQL access check, allowing an attacker to scan for open ..._

**Weakness**

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2. Inproper use of access validation allows a logged in user to see devices ..._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page._

**Weakness**

URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unauthenticated open redirect in the redirect.php._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2_ 

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports._

**Weakness**

Direct Request ('Forced Browsing') (CWE-425)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing._

**Weakness**

Use of Incorrectly-Resolved Name or Reference (CWE-706)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion._

**Weakness**

Incorrect Resource Transfer Between Spheres (CWE-669)

**Summary**

_An authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the ..._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of ..._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about ..._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**

Impact

**

please see cve id entries

**

Solution

**

****CVE-2020-35557, CVE-2020-35570, CVE-2020-35558,  
CVE-2020-35566, CVE-2020-12527, **CVE-2020-35568**:**** Update to version 2.12.1

**CVE-2020-12528,** **CVE-2020-12529,** **CVE-2020-35560,  
CVE-2020-12530, CVE-2020-35563,** **CVE-2020-35564,  
CVE-2020-35569,** **CVE-2020-35559,**  Update to version >= 2.7.1

**CVE-2020-10384**: Update to version 2.6.2 to close any known way to get to www-data.  
Note: This issue only exists up until version 2.6.1 and has already been addressed in >= 2.6.2

**CVE-2020-35567**: None  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

**CVE-2020-35565**: None  
Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update. To further increase the security level of your account enable MFA.

**CVE-2020-35561**: Update to version 2.12.1

**

Reported by

**

OTORIO reported the vulnerabilities to MB connect line.

MB connect line reported the vulnerabilities to Helmholz.

CERT@VDE coordinated.

CVE-2022-22520: VDE-2022-039 | CERT@VDE

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in verisons of DIAEnergie, an industrial energy management system.

Delta Industrial Automation DIAEnergie

Use of hard-coded credentials for the telnet server of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote unauthenticated attacker to execute an arbitrary OS command.

**CentreCOM AR260S V2 �ɂ����镡���̐Ǝ㐫�ɂ���**

�A���C�h�e���V�X�������  
���J 2022.08.29  

���Ў�舵�����i�̂����A�ȉ��̐��i���Ǝ㐫�ɊY���v���܂��B

1) �Ǝ㐫�̊T�v

    �EGUI�ݒ��ʂɂ�����OS�R�}���h�C���W�F�N�V�����̖�� (CWE-78)
    �ETelnet�ڑ��p�̔F�؏�񂪃n�\[�h�R�\[�h����Ă����� (CWE-798)
    �ETelnet�@�\\������s�ł���h�L�������g�ɋL�ڂ���Ă��Ȃ��B���R�}���h�����݂�����
      (CWE-912)
    �ETelnet�@�\\�ɂ�����OS�R�}���h�C���W�F�N�V�����̖�� (CWE-78)


2) �Ώې��i

    CentreCOM AR260S V2 �� Ver.3.3.7 ���O�̃t�@�\[���E�F�A�o�\[�W����


3) �e��

    ���u�̑�O�҂ɂ���āA�C�ӂ�OS�R�}���h�����s�����\\��������܂��B


4) �΍�

    CentreCOM AR260S V2 �� Ver.3.3.7�ȍ~�Ƀo�\[�W�����A�b�v���ĉ������B
    �A�b�v�f�\[�g��͂��ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h��ύX���Ă��������B


5) �����

    �ȉ��̉��������{���邱�ƂŁA�{�Ǝ㐫�̉e�����y�����邱�Ƃ��\\�ł��B

    �E���ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h���f�t�H���g����ύX����
      ��O�҂Ƀ��O�C������Ȃ��悤�A���ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h��ύX����
      ���������B

    �ETelnet��L���ɂ��Ȃ�
      ���Y���i�ł�Telnet�@�\\�̗L��/�����̐ݒ肪�\\�ł����A���T�|�\[�g�̂��߃f�t�H���g��
      �����ɂȂ��Ă��܂��BTelnet�̓����e�i���X��p�̋@�\\�ł���A��ʂ̂��q�l�͂����p��
      �Ȃ�܂���̂ŁA�L�������Ȃ��ł��������B

    �E�t�@�C�A�E�H�\[���@�\\���g�p����
      ���Y���i�ɂ̓t�@�C�A�E�H�\[���@�\\����������Ă���A�f�t�H���g�ŗL���ɂȂ��Ă��܂��B
      �O������̈Ӑ}���Ȃ��A�N�Z�X��h�����߁A�t�@�C�A�E�H�\[���@�\\���g�p���Ă��������B


�ȏ�

CVE-2022-38394: �T�|�[�g�b�Z�L�����e�B�E�Ǝ㐫�ɂ���

This advisory contains mitigations for Improper Access Control, Uncontrolled Resource Consumption, Use of Hard-Coded Credentials, Active Debug Code vulnerabilities in Contec Health CMS8000, a ICU CCU Vital Signs Patient Monitor.

Contec Health CMS8000

Researchers found that mobile applications contain keys that could provide access to both user information and private files from unconnected apps.

As with any piece of software, mobile apps can create an array of security issues and exposures, from rogue programs that are intentionally malicious to apps that contain an obscure but significant flaw. Now, new research is shedding light on systemic oversights in mobile app cloud infrastructure that are all too common and create the risk that users' data could leak where it shouldn't or be compromised.

Researchers from Broadcom's Symantec Threat Hunter team published findings on Thursday about the prevalence of hard-coded authentication credentials lurking in the cloud services that underlie hundreds of mainstream apps. These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company's website or run text through a translation service at a user's request. But in practice, the researchers found, these same credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components. And when multiple apps have been created by the same third-party development firm or incorporate the same publicly available software development kits (SDKs), these static authentication tokens may even grant access to the infrastructure and user data of multiple, unconnected apps.

All of this means that if an attacker discovered these access tokens, they could potentially unlock massive and disparate troves of sensitive data all by finding one key under one doormat.

“The cloud is still kind of a new frontier. And sometimes when you hear about the practices being used, you realize that a lot of organizations may not be where they are with security on other fronts,” says Symantec's Dick O’Brien. “It’s hard to say whether it’s people cutting corners or whether it’s just an ignorance of what you’re exposing by putting those credentials out there, but it’s certainly obvious that data isn’t being ring-fenced anywhere near the way it should be."

The researchers found 1,859 publicly available apps on both Android and iOS that contained hard-coded Amazon Web Services credentials. The vast majority were iOS apps, a discrepancy Symantec says it has tracked for years but hasn't fully explained. The credentials present in more than three-quarters of the apps granted access to private cloud services, and nearly half of those additionally gave access to private files. Fifty-three percent of the apps contained access tokens that were also found in other, often totally unrelated, apps.

“Initially it was very surprising, but this is a systemic thing,” O’Brien says. “People need to do a complete audit of what they’re using and realize that there are multiple layers there. The practice of implementing hard coded access keys is not great. Temporary credentials that expire after a short period of time are probably the way to go, and also there needs to be greater awareness that you need to silo information.” 

Symantec says it has notified the developers of the apps where it sees the most pressing issues and hopes to raise awareness about how insecure development practices and shared resources can create exposures without careful consideration and segmentation. 

In one case, the researchers realized that several mainstream iOS banking apps were all using the same third-party AI digital identity software development kit that exposed cloud credentials of the shared service. While none of the banking apps themselves created the SDK, the credentials exposed its server structure and infrastructure blueprints, source code, and the AI models underlying the identity service. And more than 300,000 biometric fingerprint files from users of five of the mobile banking apps were leaking and potentially exposed.

In another case, the researchers noticed what it calls a large hospitality and entertainment company working with a technology company on sports betting apps. In total, hard-coded credentials gave infrastructure access to 16 online gambling apps, exposing their cloud services and even granting root access to take control of this backend platform. 

Symantec's O’Brien emphasizes that while the company isn't naming the impacted apps, it hopes the findings will raise awareness about these common pitfalls and their potentially outsize impact on users. “The things we found—it illustrates the significance of what we’re dealing with here,” he says.

Careless Errors in Hundreds of Apps Could Expose Troves of Data

Hardcoded JWT Secret in AgileConfig <1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access.

**Use of Hard-coded Credentials in AgileConfig.Client**

Critical severity GitHub Reviewed Published Aug 19, 2022 • Updated Aug 30, 2022

GHSA-mj5w-w588-j6xg: Use of Hard-coded Credentials in AgileConfig.Client

An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans: - Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. - Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch - All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems - Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

**23\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 08/02/2022

**Risk Rating** High for Gateways.

**Description** Gateway APIs contain functions that are inappropriately authenticated and would allow an authenticated VPN user to inject arbitrary commands.

**Impact** A successful attack would allow an authenticated VPN user to execute arbitrary comments against Aviatrix gateways.

**Affected Products** Aviatrix Gateways

**Solution** Upgrade your Aviatrix Controller and gateway software to:

*   6.6.5712 or later
*   6.7.1376 or later

**Acknowledgement** Aviatrix would like to thank Thomas Wallin from Splunk for the responsible disclosure of this issue.

**22\. Remote Code Execution¶**

**Date** 05/27/2022

**Risk Rating** AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

**Description** Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism that would allow arbitrary remote code execution. This vulnerability is not known to be exploited.

**Impact** An unauthenticated attacker to run arbitrary commands against Aviatrix gateways.

**Affected Products** Aviatrix Controller and Gateways.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3057
*   6.5.3233
*   6.6.5612
*   6.7.1185

**21\. Post-Auth Remote Code Execution¶**

**Date** 04/11/2022

**Risk Rating** High

**Description** TLDAP APIs contain functions that are inappropriately sanitized, and would allow an authenticated malicious user to inject arbitrary commands.

**Impact** A local user to the controller UI could execute arbitrary code.

**Affected Products** Aviatrix Controller.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3049
*   6.5.3166
*   6.6.5545

**20\. Aviatrix Controller and Gateways - Privilege Escalation¶**

**Date** 02/03/2022

**Risk Rating** Medium

**Description** The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities can cause a local privilege escalation giving unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems and no vulnerability known to us today would allow such attack.

**Impact** A local user to our appliances can escalate his privileges to root.

**Affected Products** Aviatrix Controller and Gateways.

**Solution**

*   Upgrade Copilot to Release 1.6.3.
*   Apply security patch \[AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches\] to controllers.

**19\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 01/11/2022

**Risk Rating** High for Gateways, medium for Controller.

**Description** On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway’s VPC) access to its API.

**Impact** Access to configuration information and disruption of service.

**Affected Products** Aviatrix Controller, Gateways and Copilot.

**Solution** Upgrade your controller and gateway software to:

*   6.4.2995 or later.
*   6.5.2898 or later.

**18\. Aviatrix Controller - Remote file execution¶**

**Date** 10/04/2021

**Risk Rating** Critical

**Description** The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

**Impact** Remote file execution

**Affected Product** Aviatrix Controller prior to the fixed versions.

**Solution** The vulnerability has been fixed in:

> *   UserConnect-6.2-1804.2043 or later
> *   UserConnect-6.3-1804.2490 or later
> *   UserConnect-6.4-1804.2838 or later
> *   UserConnect-6.5-1804.1922 or later

**CVE-ID** CVE-2021-40870

**Acknowledgement** Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.

**17\. OpenVPN - Abitrary File Write¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** The VPN service write logs to a location that is writable

**Impact** Unauthorized file permission

**Affected Product** Aviatrix OpenVPN R2.8.2 or earlier

**Solution** Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**16\. Bypass htaccess security control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to a cert directory can be bypassed to download files.

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**15\. Insecure File Permissions¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** Several world writable files and directories were found

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**14\. Bypass Htaccess Security Control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to directories can be bypassed for file downloading.

**Impact** Unauthorized file download

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26549

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**13\. Insecure sudo rule¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** A user account has permission to execute all commands access as any user on the system.

**Impact** Excessive permission

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26548

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**12\. Cleartext Ecryption Key Storage¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Encrypted key values are stored in cleartext in a readable file

**Impact** Access to read key in encrypted format

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later Migration required to the latest AMI Software Version 050120 (Aug 13, 2020)

**CVE-ID** CVE-2020-26551

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**11\. Pre-Auth Account Takeover¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session and allows for updates of account email addresses.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26552

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**10\. Post-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**9\. Pre-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**8\. Insufficiently Protected Credentials¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An encrypted file containing credentials to unrelated systems is protected by a weak key.

**Impact** Encryption key may not meet the latest security standard

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later

**CVE-ID** CVE-2020-26550

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**7\. Observable Response Discrepancy from API¶**

**Date** 5/19/2020

**Risk Rating** Medium

**Description** The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability.

**Impact** A valid username could be used for brute force attack.

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13413

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**6\. OpenVPN Client - Elevation of Privilege¶**

**Date** 5/19/2020

**Risk Rating** High

**Description** The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete.

**Impact** This would impact dangerous OpenSSL parameters code execution that are not authorized. Impacts macOS, Linux and Windows clients.

**Affected Product** Client VPN 2.8.2 or earlier Controller & Gateway 5.2 or earlier

**Solution** Client VPN upgrade to 2.10.7 Controller & Gateway upgrade to 5.3 or later In Controller, customer must configure OpenVPN minimum client version to 2.10.7

**CVE-ID** CVE-2020-13417

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**5\. Cross Site Request Forgery (CSRF)¶**

**Date** 5/12/2020

**Risk Rating** Critical

**Description** An API call on Aviatrix Controller web interface was found missing session token check to control access.

**Impact** Application may be vulnerable to Cross Site Request Forgery (CSRF)

**Affected Product** Aviatrix Controller with software release 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13412

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**4\. Hard Coded Credentials¶**

**Date** 1/16/2020

**Risk Rating** Low

**Description** The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance.

**Impact** This would impact operation and maintenance complexity.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later Recommended: AWS Security Group settings grants only authorized Controller Access in your environment

**CVE-ID** CVE-2020-13414

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**3\. CSRF on Password Reset¶**

**Date** 1/16/2020

**Risk Rating** Medium

**Description** Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability.

**Impact** Vulnerability could lead to the unintended reset of a user’s password.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Upgrade 5.4.1066 (must be on version is 5.0 or above) Make sure your AWS Security Group settings limit authorized Controller Access only

**CVE-ID** CVE-2020-13416

**2\. XML Signature Wrapping in SAML¶**

**Date** 2/26/2020

**Risk Rating** High

**Description** An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).

**Impact** Aviatrix customer using SAML

**Affected Product** Aviatrix Controller 5.1 or lower

**Solution** Aviatrix Controller 5.2 or later Plus Security Patch “SAML XML signature wrapping vulnerability”

**CVE-ID** CVE-2020-13415

**Acknowledgement** Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure.

**1\. OpenVPN Client Arbitrary File Write¶**

**Date** 1/16/2020

**Risk Rating** High

**Description** Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.

**Impact** OpenVPN client on Linux, MacOS, and Windows

**Affected Product** OpenVPN Client 2.5.7

**Solution** Upgrade to VPN client v2.6 or later

**CVE-ID** CVE-2020-7224

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

CVE-2022-38368: PSIRT Advisories — aviatrix_docs documentation

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in versions of SICAM TOOLBOX II, a control and monitoring system.

Tag

#hard_coded_credentials