Researchers discover a dozen serious vulnerabilities in Akuvox smart intercom, but the vendor has not released any patches.
The post Unpatched Akuvox Smart Intercom Vulnerabilities Can Be Exploited for Spying appeared first on SecurityWeek.
A serious vulnerability in Veeam Backup & Replication may allow attackers to obtain encrypted credentials from the configuration database.
The post Serious Vulnerability Patched in Veeam Data Backup Solution appeared first on SecurityWeek.
Booking.com recently patched several vulnerabilities that could have been exploited to take control of a user’s account.
The post Critical Vulnerabilities Allowed Booking.com Account Takeover appeared first on SecurityWeek.
Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).
The post Top 10 Security, Operational Risks From Open Source Code appeared first on SecurityWeek.
Fortinet provides clarifications following ‘sensationalized reports’ related to exploitation attempts targeting the FortiNAC vulnerability CVE-2022-39952
The post Fortinet Shares Clarifications on Exploitation of FortiNAC Vulnerability appeared first on SecurityWeek.
A severe vulnerability in the web portal of Toyota’s global supplier management network allowed a security researcher to gain access to sensitive information.
The issue was identified by US-based researcher Eaton Zveare in Toyota’s Global Supplier Preparation Information Management System (GSPIMS), a web portal that provides Toyota employees and suppliers with access to ongoing projects, surveys, information on purchases, and more.
The issue, Zveare says, was related to the implementation of JWT (JSON Web Token) authentication and could allow access to any account to anyone using a valid email address.
Essentially, JWT is a session token that is typically generated when logging in to a website, and which is then used to authenticate the user to secure sections of the website or APIs.
What the researcher discovered was that Toyota’s GSPIMS contained a function that would allow users to generate a JWT based on the provided email address, without requiring a password.
With corporate Toyota email addresses easy to guess – as they are using the format firstname.lastname@toyota.com – the researcher was able to guess an email address by searching the internet for Toyota employees that might be involved in the supply chain.
Next, Zveare used that email address to generate a valid JWT and used it to access the GSPIMS. After some reconnaissance on the portal, he discovered an account with system administrator privileges and used the same method to access it.
The system admin account, the researcher says, provided access to everything on the portal, including information on over 14,000 user accounts, control over roles each account could have, details on all available projects, surveys, and various classified documents.
According to the researcher, the GSPIMS also provides the system admin with the option to log in as any of the available 14,000 users, to supervise their activities. The function that generates the JWT based on email address was apparently implemented to enable this option, but it also created a backdoor into the network.
An attacker with system admin access to GSPIMS could have created a rogue account for persistence, exfiltrated all available data, tampered with or deleted the data, and fetched the corporate email and roles of all 14,000 user accounts to target them in phishing attacks.
The researcher reported the vulnerability to Toyota on November 3, 2022. The car maker patched the issue shortly after.
Related: Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses
Related: Toyota’s Japan Production Halted Over Suspected Cyberattack
Related: Vulnerabilities Expose Lexus, Toyota Cars to Hacker Attacks
The post Vulnerability Provided Access to Toyota Supplier Management Network appeared first on SecurityWeek.
Vulnerabilities in the OpenEMR healthcare software could allow remote attackers to steal sensitive patient data or execute arbitrary commands and take over systems.
OpenEMR is an open source software used for the management of health records. It also allows patients to schedule appointments, get in touch with physicians, and pay invoices.
Security researchers at Sonar Source identified and reported three vulnerabilities in OpenEMR, including two that can be chained to achieve remote code execution (RCE).
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure,” Sonar warns.
The first of the identified issues is described as an unauthenticated arbitrary file read and exists because the OpenEMR installer does not delete itself after the installation is completed.
Because the installation process is divided into several steps, an unauthenticated attacker could abuse a user-controlled parameter to perform some of these steps (but not a complete setup).
The attacker can invoke a function to read the current theme from the database, which results in a database connection being established using attacker-controlled properties.
A MySQL statement can be used to load the contents of a file to the database table, and a modifier can be supplied so that the file is read from the client instead of the server.
“A malicious server can request the content of another file, even in response to a totally different query from the client,” Sonar notes.
This allows an unauthenticated attacker to use a rogue MySQL server to read OpenEMR files such as backups, certificates, passwords, and tokens.
Sonar also discovered that an attacker could abuse a cross-site scripting (XSS) flaw to execute JavaScript code in the victim’s browser. The attacker can upload a PHP file and exploit a local file inclusion (LFI) to achieve RCE.
The XSS exists because, when requesting a PHP file, the browser first renders the HTML code, and only then the JavaScript context, which allows the attacker to use HTML entities within an event handler.
The LFI, Sonar explains, exists because a user-controlled variable is concatenated to a path and not sanitized, which allows an attacker to upload a PHP file and use a path traversal via the LFI to execute the file.
Sonar reported the security defects in October 2022. One month later, the vendor patched all bugs by adding sessions and CSRF checks and restricting the installation process, by encoding the character ‘&’ for an HTML entity to prevent the XSS, and by sanitizing the user-controlled parameter to prevent the LFI.
OpenEMR version 7.0.0 resolves all vulnerabilities. Users are advised to update their installations as soon as possible.
Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services
Related: Most Cacti Installations Unpatched Against Exploited Vulnerability
Related: Exploitation of Control Web Panel Vulnerability Starts After PoC Publication
The post Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data appeared first on SecurityWeek.
The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.
The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.
The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.
According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.
For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.
Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.
The third vulnerability, CVE-2022-3924, impacts the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion. If the number of clients waiting for recursion to complete is high enough, a race may occur between providing a stale answer to the longest waiting client and sending an early timeout SERVFAIL, causing named to crash.
All three vulnerabilities were resolved with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9. ISC says it is not aware of any of these vulnerabilities being exploited, but encourages all users to update their BIND installations as soon as possible.
ISC also warns of CVE-2022-3488, a bug impacting all supported BIND preview edition versions (a special feature preview branch provided to eligible customers).
The issue can be triggered by sending two responses in quick succession from the same nameserver, both ECS pseudo-options, but with the first response broken, causing the resolver to reject the query response. When processing the second response, named crashes.
BIND preview edition version 9.16.37-S1 resolves all four security defects. Additional information on the addressed vulnerabilities can be found in the BIND 9 security vulnerability matrix.
Related: BIND Updates Patch High-Severity Vulnerabilities
Related: High-Severity Vulnerabilities Patched in BIND Server
Related: High-Severity DoS Vulnerability Patched in BIND DNS Software
The post BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws appeared first on SecurityWeek.
A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.
Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).
The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU, but which also supports jobs implemented in the kernel, which run on the CPU instead (and which are called software jobs or softjobs).
“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.
Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed without freeing the pointer.
What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.
As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.
Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.
Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch will be released and redirected the report to the Arm team.
After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.
Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates
Related: Google Migrating Android to Memory-Safe Programming Languages
Related: Vulnerabilities in Popular Keyboard and Mouse Android Apps Expose User Data
The post Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones appeared first on SecurityWeek.
Palo Alto Networks warns of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.
Disclosed in August 2021, the vulnerability impacts hundreds of device types that rely on Realtek’s RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.
The bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them.
The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.
In a new report, Palo Alto Networks warns of an increase in attacks attempting to exploit the security defect.
“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” Palo Alto Networks says.
The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected.
A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open.
Looking at mid-to-large sized deployments, the researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each).
According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices.
To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition.
Most of the observed malicious payloads are Mirai, Gafgyt and Mozi malware variants. A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting early September 2022.
An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam with 17.8% and Russia at 14.6%.
“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited,” Palo Alto Networks concludes.
Related: Most Cacti Installations Unpatched Against Exploited Vulnerability
Related: Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers
Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day
The post Attacks Targeting Realtek SDK Vulnerability Ramping Up appeared first on SecurityWeek.
