IT service management software platform ConnectWise has released Software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM).
The issue, characterized as a "neutralization of Special Elements in Output Used by a Downstream Component," could be abused to result in the execution of remote code or disclosure of sensitive information.
ConnectWise's

IT service management software platform ConnectWise has released Software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM).

The issue, characterized as a "neutralization of Special Elements in Output Used by a Downstream Component," could be abused to result in the execution of remote code or disclosure of sensitive information.

ConnectWise's advisory notes that the flaw affects Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier, are impacted by the critical flaw.

At its core, the issue is tied to an upstream authentication bypass vulnerability in the ZK open source Ajax web application framework (CVE-2022-36537), which was initially patched in May 2022.

"Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9)," the company said, urging customers to upgrade to SBM v6.16.4 shipped on October 28, 2022.

Cybersecurity firm Huntress said it identified "upwards of 5,000 exposed server manager backup instances," potentially exposing companies to supply chain risks.

While there is no evidence of active exploitation of the vulnerability in the wild, a proof-of-concept devised by Huntress researchers John Hammond and Caleb Stewart shows that it can be abused to bypass authentication, gain remote code execution on SBM, and push LockBit 3.0 ransomware to all downstream endpoints.

"It is important to note that the upstream ZK vulnerability not only affects R1Soft, but also any application utilizing an unpatched version of the ZK framework," the researchers said.

"The access an attacker can gain by using this authentication bypass vulnerability is specific to the application being exploited, however there is serious potential for other applications to be affected in a similar way to R1Soft Server Backup Manager."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

A critical security vulnerability gives attackers a way to compromise thousands of systems at ConnectWise's managed service provider (MSP) customer locations and their downstream clients.

ConnectWise has patched a critical remote code execution (RCE) vulnerability in its ConnectWise Recover and R1Soft server backup manager technologies that could give attackers a way to compromise thousands of the company's managed service provider (MSP) customers — and, in turn, their downstream clients.

In an alert Friday, ConnectWise said it had pushed out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and it urged customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4 it released on Friday.

**Severe Bug**

"We have informed our \[customers\] of the fix and encouraged those with on-premises instances of the impacted product to install the patch as soon as possible," Patrick Beggs, CISO of ConnectWise, says in comments sent to Dark Reading. For most organizations using ConnectWise Recover, no further action is required at this point to protect against the vulnerability, but "R1Soft is self-managed; we encourage these \[customers\] to apply the patch quickly," he says.

ConnectWise said it discovered the bug after security vendor Huntress informed the company about the issue and showed proof-of-concept code demonstrating how attackers could exploit the vulnerability to take complete control of affected systems. The company described the bug as one involving "improper neutralization of special elements in output used by a downstream component." The vulnerability exists in ConnectWise Recover v2.9.7 and earlier versions and R1Sof SBM v6.16.3 and earlier versions.

In an Oct. 31 blog post, researchers from Huntress described the issue as tied to an authentication bypass vulnerability (CVE-2022-36537) in a previous version of the ZK Java library, bundled with ConnectWise's server backup manager technology. A researcher from Germany-based security vendor Code White GmbH was the first to discover the vulnerability in the ZK library and report it to the maintainers of the framework in May 2022. Another researcher from the same company discovered that ConnectWise's R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to ConnectWise, Huntress said in its blog post. When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited, on Twitter.

Huntress' researchers used the information in the tweet to replicate the vulnerability and refine the proof-of-concept. They found they could leverage the vulnerability to leak server private keys, software license information, system configuration files and eventually gain remote code execution in the context of a system superuser. 

Huntresses' researchers found they would gain code execution not just on vulnerable ConnectWise systems at MSP locations but all on all downstream registered endpoints. A Shodan scan showed more than 5,000 exposed ConnectWise server backup manager instances that were vulnerable to exploits. Considering that most of these systems were at MSP locations, the actual number of affected organizations is likely significantly higher, Huntress said.

**Classic Software Supply Chain Threat**

Caleb Stewart, security researcher at Huntress, says that the exploit chain that he and a trio of other researchers developed and reported to ConnectWise involved three main components: the original authentication bypass in the ZK library, RCE on the SBM, and RCE on connected clients. 

According to Stewart, the researchers spent about three days on replicating the original vulnerability, and then reverse engineering the R1Soft application so it could be abused for a malicious purpose. Exploiting the vulnerability was complicated, Stewart says. "But \[it was\] feasible for someone to find and exploit in a matter of days if they knew what they were looking for."

The vulnerability is another example of why developers and end customers need to be aware of security advisories for all software in their environment, Stewart says. "This is fundamentally a supply chain vulnerability — customer buys R1Soft SBM, which bundles ZK, which is vulnerable," he says. "Once the severity was evident, I think ConnectWise did a great job at getting a patch out quickly."

John Hammond, senior security researcher at Huntress and part of the team that analyzed the flaw, says the weaponized attack chain they developed could have a wide impact. "From an authentication bypass to full compromise, across not just one endpoint but a mass multiple, this is truly a 'point-and-shoot' exploit with the potential for widespread effects," he says.

Beggs from ConnectWise did not directly respond to a Dark Reading question about why the company did not respond to the original disclosure of the flaw by the researcher at Code White. But one issue could have been the fact that the researcher did not disclose it via the company's usual channel for submitting bug disclosures and security concerns.

"We have long vouched for our Trust Center as the most effective channel to submit security concerns," he says, Queries submitted through other channels do not always get the attention they deserve, Beggs notes.

"In this case," he adds, "Huntress did an admirable job of demonstrating just how dangerous this potential vulnerability could have been, treated the issue responsibly by showing it to us directly, and gave us time to update our products."

Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize network packets without proper verification. If the device connects to an attacker-controlled server, the attacker could send maliciously crafted packets that would be deserialized and executed, leading to remote code execution.

CVE-2022-41779

Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php

Submitted by oretnom23 on Thursday, June 30, 2022 - 13:09.

****Introduction****

This simple project is a **Clinic Patient Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. This project's main purpose is to provide an **online and automated** platform for managing data for certain **Medical clinics**. This system helps the clinic to easily store, retrieve, and manage their **patients visiting and prescription records**. It has a pleasant user interface with the help of the **Bootstrap Framework and AdminLTE Template** that provides a better experience to the end-users. It also consists of multiple user-friendly features and functionalities.

****About the Clinic Patient Management System****

The project was developed with the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Clinic Patient Management System** is only accessible to the **clinic's management**. It requires the system users to log in with their valid credentials in order to gain access to the features and functionalities of the system. System users can manage the list of **Medicines**, **Medicine Details**, **Patients**, and **Patient Prescriptions**. Here the management can store the patients' visit information with some relevant data such as the blood pressure, weight, disease, and more. The management can create a prescription for the patient for its specific illness or based on her diagnosis. Using the system, the clinic's management can easily retrieve the patient history with the clinic. It also generates a printable and downloadable PDF Report for **Patients Visits Records** and **Diseases Records**.

****Features****

*   **Dashboard Page**
    *   Display the summary.
*   **Medicine Management**
    *   Add New Medicine
    *   List All Medicines
    *   Edit/Update Medicine Details
*   **Medicine Details Management**
    *   Add New Medicine Details
    *   List All Medicine Details
    *   Edit/Update Medicine Details Details
*   **Patient Management**
    *   Add New Patient
    *   List All Patients
    *   Edit/Update Patient Details
    *   Add New Patient's Prescription
    *   Patient's History List
*   **Report**
    *   Generating Printable and Downloadable Reports
        *   Patient Visits
        *   Disease Records
*   **User Management**
    *   Add New User
    *   List All Users
    *   Edit User Details
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Login****

****Dashboard****

****Medicine Details List Page****

****Patient List Page****

****Patient Visits Report****

****Disease Record Report****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** naming ****pms\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****pms\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Clinic Patient Management System** in a **browser**. i.e. ****http://localhost/pms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Clinic Patient Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   6445 views

CVE-2022-40471: Clinic's Patient Management System in PHP/PDO Free Source Code

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function.

CVE-2022-3360

Dormant 32 bit-era coding flaw causes problems for 64-bit systems

Dormant 32 bit-era coding flaw causes problems for 64-bit systems

The maintainers of the SQLite database engine have patched a high severity vulnerability that attackers could exploit to crash or control programs that rely on the software.

Developers of the software have offered The Daily Swig a convincing argument that the flaw would be difficult to exploit in practice. Even so, they have revised the software with a patch to defend against the flaw – rather than dismissing the issue as something that can be safely ignored.

SQLite is a popular open source C-language library that underpins many enterprise apps and services. Notable users of SQLite include Apple, Adobe, Google, Facebook, and Microsoft. There are billions of copies of SQLite deployed worldwide.

The SQLite team is quick to fix emerging vulnerabilities in the software due to their potentially wide-reaching impact. However, a vulnerability disclosed this month by Trail of Bits was introduced 22 years ago and highlighted how initially secure functionality could have unintended consequences much further down the line.

Catch up with the latest database-related security news and analysis

In a blog post dated October 25, Trail of Bits researcher Andreas Kellas said the vulnerability was introduced in SQLite version 1.0.12, a 2000 release that landed when the software was primarily based on 32-bit architectures. According to Kellas, the bug “may not have seemed like an error” at the time.

The high severity vulnerability is tracked as CVE-2022-35737, scoring a CVSS severity score of 7.5.

Trail of Bits said the bug impacts any app that relies on the SQLite library API.

The vulnerability is exploitable on 64-bit systems when large string inputs contain %Q, %q, or %w format substitution types that – in this scenario – might cause programs to crash or worse.

In the most severe cases – when the ! special character exists in the format string – it may be “possible to achieve arbitrary code execution, in the worst case, or to cause the program to hang and loop (nearly) indefinitely,” according to the researchers.

**Root cause analysis**

Speaking to The Daily Swig, the creator of SQLite, D. Richard Hipp, said the root cause of the problem was the use of signed 32-bit integers as a byte index into the input string and to compute the size of the output string. When an input string was large enough, the integer would overflow, and “all kinds of problems” ensued.

However, the potential impact of the flaw appears to be limited.

Hipp told us that it is not possible to reach the vulnerability for malicious purposes via SQL inputs or by passing SQLite a malformed database file. Instead, an attacker would have to abuse the use the sqlite3\_mprintf() function – or “similar C-level interfaces with a format string that includes one of the non-standard \[;...\] conversion symbols, and then pass in a string that is over 2GB in size”.

The software developer added:

“Lots of applications use SQLite, but only a small percentage of those use the sqlite3\_mprintf() API, and an even smaller percentage make use of %Q, %q, or %w. Of those that do, most do not provide a way for an attacker to arrange for a 2GB+ string to be passed into the argument to %Q, %q, or %w.”

**Unearthing Fossil**

In addition, while the project uses the Fossil control system and this software uses printf, the team couldn’t find a way to inject a 2GB string.

CVE-2022-35737 was reported to the Computer Emergency Response Team (CERT) Coordination Center by Trail of Bits on July 14. CERT confirmed the issue, reached out to SQLite maintainers, and the team fixed the bug in the software’s source code only three days later – a task accomplished by converting to the use of 64-bit integers.

The patched SQLite version, v3.39.2, was released on July 21.

“We are grateful for the responsible disclosure from the researchers who found it,” Hipp said. “It doesn’t hurt to upgrade to a newer release of SQLite. But very few if any real-world applications should be affected by this.”

The Daily Swig has reached out to Trail of Bits with additional queries and we will update this story as and when we hear back.

RELATED HyperSQL DataBase flaw leaves library vulnerable to RCE

SQLite patches 22-year-old code execution, denial of service vulnerability

Gentoo Linux Security Advisory 202210-32 - An integer overflow has been found in hiredis which could result in arbitrary code execution. Versions less than 1.0.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: hiredis, hiredis-py: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873079, #816318  
       ID: 202210-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

An integer overflow has been found in hiredis which could result in  
arbitrary code execution.

Background  
==========

hiredis is a minimalistic C client library for the Redis database.

hiredis-py is a Python extension that wraps hiredis.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/hiredis           < 1.0.1                      >= 1.0.1  
  2  dev-python/hiredis         < 2.0.0                      >= 2.0.0

Description  
===========

Hiredis is vulnerable to integer overflow if provided maliciously  
crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing  
`multi-bulk` (array-like) replies, hiredis fails to check if `count *  
sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not,  
and the `calloc()` call doesn't itself make this check, it would result  
in a short allocation and subsequent buffer overflow.

Impact  
======

Malicious Redis commands could result in remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All hiredis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1"

All hiredis-py users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0"

References  
==========

[ 1 ] CVE-2021-32765  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32765

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-32

Gentoo Linux Security Advisory 202210-30 - Multiple vulnerabilities have been discovered in the Xorg Server and XWayland, the worst of which can result in remote code execution. Versions less than 21.1.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: X.Org X server, XWayland: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #857780  
       ID: 202210-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in the Xorg Server and  
XWayland, the worst of which can result in remote code execution.

Background  
==========

The X Window System is a graphical windowing system based on a  
client/server model.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-base/xorg-server       < 21.1.4                    >= 21.1.4  
  2  x11-base/xwayland          < 22.1.3                    >= 22.1.3

Description  
===========

Multiple vulnerabilities have been discovered in X.Org X server and  
XWayland. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All X.Org X server users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.4"

All XWayland users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xwayland-22.1.3"

References  
==========

[ 1 ] CVE-2022-2319  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2319  
[ 2 ] CVE-2022-2320  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2320

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-30

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-30

In wolfSSL versions prior to 5.5.1, malicious clients can cause a buffer overflow during a resumed TLS 1.3 handshake. If an attacker resumes a previous TLS session by sending a maliciously crafted Client Hello, followed by another maliciously crafted Client Hello. In total 2 Client Hellos have to be sent. One which pretends to resume a previous session and a second one as a response to a Hello Retry Request message.

# wolfssl before 5.5.1: CVE-2022-39173 Buffer overflow when refining  
cipher suites  
==================================================================================

## INFO  
=======

The CVE project has assigned the id CVE-2022-39173 to this issue.

Severity: high 7.5  
Affected version: before 5.5.1  
End of embargo: The embargo for this vulnerability ended 29th of September, 2022

## SUMMARY  
==========

In wolfSSL before 5.5.1 malicious clients can cause a buffer-overflow  
during a resumed TLS 1.3 handshake. If an attacker resumes a previous  
TLS session by sending a maliciously crafted Client Hello, followed by  
another maliciously crafted Client Hello. In total 2 Client Hellos  
have to be sent. One which pretends to resume a previous session and a  
second one as a response to a Hello Retry Request message.

The malicious Client Hellos contain a list of supported cipher suites,  
which contain at least `⌊sqrt(150)⌋ + 1 = 13` duplicates and less than  
150 ciphers in total. The buffer-overflow occurs in the `RefineSuites`  
function. An overflow of 44700 bytes has been confirmed. Therefore,  
large portions of the stack can get overwritten, including return  
addresses.

We confirmed the vulnerability by sending packets over TCP to a  
Wolfssl server, freshly built from the sources with the  
`--enable-session-ticket` flags (or simply `--enable-all`). We can  
provide sources for our software (tlspuffin) that produce those  
packets (and that automatically found the attack trace). The command  
given at the end of this document triggers the buffer overflow.

It is very likely that there is a way to craft an exploit which can  
cause a RCE. We have not yet created such an exploit as it would  
likely depend on the memory layout of the binary which uses wolfSSL.

Moreover, the size of the overflow can be fine-tuned in order to not  
smash the stack and continue the execution with a too large length of  
suites buffer and that will cause other routines that iterate over  
thus buffer (e.g., `FindSuiteSSL`) to misbehave. Hypothetically, this  
might be exploited to make the server use a cipher it should not  
accept such as `nullcipher` that would open up new attack vectors such  
as downgrade attacks.  
While this has not been confirmed yet, the buffer overflow itself has  
been confirmed.

## DETAILS  
==========

Line numbers below are valid for the wolfSSL Git tag  
[v5.4.0-stable](https://github.com/wolfSSL/wolfssl/tree/v5.4.0-stable).

The bug we found is in the `RefineSuites` function. In the following  
we want to explain why the function is able to overflow the `suites`  
array.  
```c  
/* Refine list of supported cipher suites to those common to server and client.  
 *  
 * ssl         SSL/TLS object.  
 * peerSuites  The peer's advertised list of supported cipher suites.  
 */  
static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)  
{  
    byte   suites[WOLFSSL_MAX_SUITE_SZ];  
    word16 suiteSz = 0;  
    word16 i, j;

    XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ);

    for (i = 0; i < ssl->suites->suiteSz; i += 2) {  
        for (j = 0; j < peerSuites->suiteSz; j += 2) {  
            if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] &&  
                ssl->suites->suites[i+1] == peerSuites->suites[j+1]) {  
                suites[suiteSz++] = peerSuites->suites[j+0];  
                suites[suiteSz++] = peerSuites->suites[j+1];  
            }  
        }  
    }

    ssl->suites->suiteSz = suiteSz;  
    XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));  
#ifdef WOLFSSL_DEBUG_TLS  
    [...]  
#endif  
}  
```  
tls13.c:4355

The `RefineSuites` function expects a `WOLFSSL` struct which contains  
a list of acceptable ciphers suites (`ssl->suites->suites`), as well  
as an array of peer cipher suites (`peerSuites`). Both inputs are  
bounded by `WOLFSSL_MAX_SUITE_SZ`, which is equal to 300 bytes or 150  
cipher suites.

Let us assume that `ssl->suites` consists of a single cipher suite  
like `TLS_AES_256_GCM_SHA384` and the `peerSuites` list contains the  
same cipher repeated thirteen times. The `RefineSuites` function will  
iterate for each element in `ssl->suites` over `peerSuites` and append  
the suite to `suites` if it is a match. The `suites` array has a  
maximum length of `WOLFSSL_MAX_SUITE_SZ == 300 bytes == 150 suites`.

With the just mentioned example input, the length of `suites` will now  
equal thirteen. The `suites` array is now copied to the `WOLFSSL`  
struct in the last line of the listing above. Therefore, `ssl->suites`  
contains now thirteen times the `TLS_AES_256_GCM_SHA384` cipher suite.

Let us now call the same `RefineSuites` function again on the modified  
`WOLFSSL` struct and the same `peerSuites` list. The `RefineSuites`  
function will iterate for each element in `ssl->suites` over  
`peerSuites` and append the suite to `suites` if it is a match.  
Because `ssl->suites` contains already 13 times the  
`TLS_AES_256_GCM_SHA384` cipher suite, in total 13 x 13 = 169 cipher  
suites are written to `suites`. 169 cipher suites require 338 bytes,  
which is more than what's available on the stack. The `suites` buffer  
overflows.

The maximum size of `peerSuites` is 150 cipher suites. Therefore, an  
overflow of 44700 bytes is possible and has been confirmed.

The buffer `ssl->suites->suites` is supposed to be reset to only  
contain the acceptable ciphers at each session start, and thus  
initially contains no duplicate. However, by provoking a `HELLO CLIENT  
RETRY REQUEST`, it is possible to make the server call `RefineSuites`  
twice as explained next.

## TRIGGERING THE BUFFER OVERFLOW  
=================================

In order to cause the above buffer-overflow, it is required to call  
`RefineSuites` twice. Malicious clients need to perform the handshake  
in a certain way to reach this situation.  
The buffer overflow at the attacked server can be obtained at least in  
the following situation:

1. Resume the previous session by sending a second Client Hello  
(`CH2`) with the following criteria:  
   - Exclude the `support_group_extension`, to cause a Hello Retry Request  
   - Include a binder which cryptographically binds this session to  
the previous one.  
   - Include a list of cipher suites that contains a repetition of `n`  
times the same cipher `c` with `13 <= n < 150`, deemed acceptable by  
the server.

   The server will parse this message, enters the state  
`SERVER_HELLO_RETRY_REQUEST_COMPLETE` and stores at least `n` times  
the cipher `c` in `ssl->suites->suites` by calling `RefineSuites`.

2. Sending a third Client Hello (`CH3`) with the same criteria as in step 2.  
   The server will parse this message and because  
`ssl->suites->suites` already contains `n` times the cipher `c`,  
`RefineSuites` will write in `suites` at least until `suites[nˆ2]`  
which overflows since `nˆ2 > 300`.

## DETAILS ABOUT STEP 1.  
========================

During step 2., we want to cause the server to perform a Hello Retry Request.

This is possible by not sending a supported group in the `CH2`. By not  
sending a support group extension, the function  
`TLSX_SupportedGroups_Find` will return false.

```c  
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)  
{  
    ...  
        /* Check consistency now - extensions in any order. */  
        if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))  
            continue;  
    ...  
```  
tls.c:8374

This will cause clientKSE to be `NULL` and `doHelloRetry` will be set to 1.

```c  
int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)  
{  
    ...  
    /* No supported group found - send HelloRetryRequest. */  
    if (clientKSE == NULL) {  
        /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. */  
        *doHelloRetry = 1;  
        return TLSX_KeyShare_SetSupported(ssl);  
    }  
    ...  
```  
tls.c:9273

Finally, the server enters the state  
`SERVER_HELLO_RETRY_REQUEST_COMPLETE` in the function  
`VerifyServerSuite` while verifying the server suite when processing  
`CH2`.

```c  
    /* Make sure server cert/key are valid for this suite, true on success  
     * Returns 1 for valid server suite or 0 if not found  
     * For asynchronous this can return WC_PENDING_E  
     */  
    static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)  
    {  
        ...  
        if (IsAtLeastTLSv1_3(ssl->version) &&  
                                      ssl->options.side == WOLFSSL_SERVER_END) {  
            int doHelloRetry = 0;  
            /* Try to establish a key share. */  
            int ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);  
            if (doHelloRetry) {  
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;  
            }

            ...  
        }  
        ...  
```  
tls.c:30688

## DETAILS ABOUT STEP 2.  
====================

The server is now in a state in which it expects another Client Hello  
(`CH3`) from the client.

The server is now in the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE`  
and will process the third ClientHello (`CH3`) with the call of  
`ProcessReply` before reaching the `TLS13_ACCEPT_SECOND_REPLY_DONE`  
state.

```c  
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)  
{  
    ...  
        case TLS13_ACCEPT_FIRST_REPLY_DONE :  
            if (ssl->options.serverState ==  
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {  
                ssl->options.clientState = CLIENT_HELLO_RETRY;  
                while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {  
                    if ((ssl->error = ProcessReply(ssl)) < 0) {  
                        WOLFSSL_ERROR(ssl->error);  
                        return WOLFSSL_FATAL_ERROR;  
                    }  
                }  
            }

            ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;  
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");  
            FALL_THROUGH;  
    ...  
```  
tls13.c:10909

## VULNERABILITY VARIANTS  
=========================

### Adjusting the overflow  
Note that the length of the list of ciphers in `CH2` does not  
necessarily have to be the same as the one of `CH1` and can be  
adjusted to fine-tune the size of the overflow.

### Make the server parse `CH2`  
Note also that, on the contrary to `CH1`, `CH2` does not necessarily  
have to put the server in the `SERVER_HELLO_RETRY_REQUEST_COMPLETE`  
state (which should be forbidden by the TLS 1.3 RFC) or make it return  
an error, and can thus contain a supported group, which could be  
included to possibly make the server continue the processing of `CH2`  
without returning an error.  
We have confirmed that we can make the server parses `CH2` until the  
end and starts computing a Server Hello with `ssl->suites->suiteSz`  
that exceeds 300.

### Resuming an existent session  
It is also possible to trigger the vulnerability by trying to resume  
an existent and genuine session established through a full initial  
handshake (step 0.):  
0. Sending an initial genuine Client Hello (`CH1`) to the server and  
then completing a full handshake, thus establishing a PSK.

## EXPLOITATION  
===============

We suspect that it is possible to craft an exploit which could lead to  
RCE if any of the above bytes coincides with the memory address of  
executable code. Depending on the memory layout of the binary it could  
be possible to gain RCE.  
More bytes could be used to overflow `suites` if more ciphers were  
configured to be accepted with the server, e.g., with options like  
`--enable-blake2`.

We confirmed that this could also be exploited to smash the stack and  
cause the server to crash with a segmentation fault by using a large  
list of ciphers.

Finally, by fine-tuning the length of the overflow and by including  
the supported group in `CH3`, it could be possible to make the server  
process `CH3` with a `ssl->suites->suites->suiteSz` value that exceeds  
300. This way, routines like `FindSuiteSSL` that will iterate over  
`ssl->suites->suites` (allocated on 300 bytes) until  
`ssl->suites->suiteSz` (>300) will also iterate over bytes that  
contain other fields such as `ssl->suites->hashSigAlgo`. It is likely  
that this could be exploited to make such routines return arbitrary  
values. For example, it might be exploited to make the server use a  
cipher it should not accept such as `nullcipher`; thus breaking  
confidentiality.

## FURTHER CONCERNS  
==================

We observed that the server is accepting the `CH2` Client Hello  
message and issues a Hello Retry Request, even though `CH2` does not  
contain supported groups. Clients are not allowed to add the supported  
groups extension in the retry Client Hello (`CH3`) according to the  
RFC 8446 in section  
[4.1.2](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2). The  
addition of supported groups is not allowed when retrying the Client  
Hello.  
We suggest aborting the handshake when receiving `CH2` instead of  
offering the client a retry.

wolfSSL Buffer Overflow

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

Tag

#rce