- Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Summary: SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote attacker to delete arbitrary files from the underlying Operating System. This vulnerability exists in the sonicfiles RAC_DOWNLOAD_TAR method, which allows users to download a tar file from a…
- Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Summary: SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability arises due to lack of sufficient output encoding when displaying postscript file names within the management interface. Due to CVE-2021-20040, this issue can be exploited by a remote,…
- Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Summary: SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below, are vulnerable to multiple stack-based and heap-based buffer overflows in the fileexplorer component, which can be reached by an unauthenticated attacker, calling the sonicfiles RAC_COPY_TO method. These vulnerabilities arise due to the unchecked use of strcpy with a fixed size buffer. Impact:…
- Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Summary: SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv suffer from a post-authenticated command injection vulnerability, which can be exploited to execute arbitrary commands with root privileges. The vulnerability exists in the Python management API, which is exposed remotely via HTTP, and is accessible to authenticated administrative users. When restoring system settings, an…
- Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Summary: SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a heap-based buffer overflow vulnerability in the sonicfiles RAC_GET_BOOKMARKS_HTML5 API. This vulnerability arises due to the unchecked use of the strcat function on a fixed size buffer, when displaying user bookmarks. This vulnerability requires authentication as a low privileged user.…
- Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Summary: SonicWall SMA 100-series appliances running versions 10.2.0.8-37sv, 10.2.1.1-19sv and earlier, suffer from an unauthenticated file upload vulnerability. This could allow an unauthenticated remote attacker to use path traversal to upload files outside of the intended directory. Impact: An unauthenticated attacker may be able to write files with controlled content to arbitrary locations on disk,…
- Why IoT Security Matters
Introduction: Internet of Things security can mean any number of things for your product and its users. This will depend largely on the context of the product and its deployment, and can include specific requirements, such as integrity, confidentiality, availability, safety, privacy, consent, authenticity, and more. Understanding how security fits into the product’s threat modelling…
- Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Summary: The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP requests. The Flash request was…
- Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
tl;dr: An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted. The prevalence of encrypted traffic: As a company that provides Managed Network…
- Tracking a P2P network related to TA505
For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them. During our research, we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace), a remote administration tool (RAT) used exclusively by TA505
- Conference Talks – December 2021
This month, members of NCC Group will be presenting their work at the following conferences: Matt Lewis (NCC Group) & Mark McFadden, “Show me the numbers: Workshop on Analyzing IETF Data (AID)”, to be presented at the IETF Internet Architecture Board Workshop on Analyzing IETF Data 2021 (November 29 – December 1 2021); Michael Gough,…
- Public Report – Zendoo Proof Verifier Cryptography Review
During the summer of 2021, Horizen Labs engaged NCC Group to conduct a cryptography review of Zendoo protocol’s proof verifier. This system generates and verifies modified Marlin proofs with a polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups. The system also provides optimized batch verification of accumulated proofs.…
- An Illustrated Guide to Elliptic Curve Cryptography Validation
Elliptic Curve Cryptography (ECC) has become the de facto standard for protecting modern communications. ECC is widely used to perform asymmetric cryptography operations, such as to establish shared secrets or for digital signatures. However, insufficient validation of public keys and parameters is still a frequent cause of confusion, leading to serious vulnerabilities, such as leakage…
- Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
Following on from our previous blog post ‘The Challenges of Fuzzing 5G Protocols’, in this post we demonstrate how an attacker could use the results from the fuzz testing to produce an exploit and potentially gain access to a 5G core network. In this blog post we will be using the PFCP bug (CVE-2021-41794) we’d…
- POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Slides: Alex Plaskett presented “Pwning the Windows 10 Kernel with NTFS and WNF” at Power Of Community (POC) on the 11th of November 2021.
