Technical Advisory

Summary U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB…

The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. Two vulnerabilities were uncovered with the…

Summary NXP System-on-a-Chip (SoC) fuse configurations with the SDP READ_REGISTER operation disabled (SDP_READ_DISABLE=1) but other serial download functionality still enabled (SDP_DISABLE=0) can be abused to read memory contents in warm and cold boot attack scenarios. In lieu of an enabled SDP READ_REGISTER operation, an attacker can use a series of…

Vendor: OpenJDK Project Vendor URL: https://openjdk.java.net Versions affected: 8-17+ (and likely earlier versions) Systems Affected: All supported systems Author: Jeff Dileo <jeff.dileo[at]nccgroup[dot]com> Advisory URL / CVE Identifier: TBD Risk: Low (implicit data validation bypass) Summary The private static InetAddress::getAllByName(String,InetAddress) method is used internally and by the public static InetAddress::getAllByName(String) to…

Juplink’s RX4-1800 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. An attacker can remotely take over a device after using a targeted or phishing attack to change the router’s administrative password, effectively locking…

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it’s been…

The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect to the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven…

Summary ExpressLRS is a high-performance open source radio control link. It aims to provide a low latency radio control link while also achieving maximum range. It runs on a wide variety of hardware in both 900 Mhz and 2.4 GHz frequencies. ExpressLRS is very popular in FPV drone racing and…

By Nicolas Bidron, and Nicolas Guigo. [Editor’s note: This is an updated/expanded version of these advisories which we originally published on June 3 2022.] U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most linux based embedded systems such…

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: Technical Advisory: Stored XSS in Web Interface…

By Nicolas Bidron, and Nicolas Guigo. U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with…

On the 6th of April 2022, NCC Group's Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allows an attacker to gain remote code execution on the appliance without prior authentication or authorization.

Current Vendor: SerComm Vendor URL: https://www.sercomm.com Systems Affected: SerComm h500s Versions affected: lowi-h500s-v3.4.22 Authors: Diego Gómez Marañón @rsrdesarrollo CVE Identifier: CVE-2021-44080 Risk: 6.6(Medium)- AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The h500s is a router device manufactured by SerComm and packaged by a few telecoms providers in Spain (and possibly other regions) to provide CPE…

Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and…

Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the…

Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops…

Summary Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the…

This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021 when targeting the Western Digital PR4100.

Summary In October 2021, Apple released a fix for CVE-2021-30833. This was an arbitrary file-write vulnerability in the xar utility and was due to improper handling of path separation (forward-slash) characters when processing files contained within directory symlinks. Whilst analysing the patch for CVE-2021-30833, an additional vulnerability was identified which…

Summary The ImController service comes installed on certain Lenovo devices, for example NCC found the service installed on a ThinkPad workstation. The service runs as the SYSTEM user and periodically executes child processes which perform system configuration and maintenance tasks. Impact Elevation of privilege. An attacker can elevate their privileges…

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote attacker to delete arbitrary files from the underlying Operating System. This vulnerability exists in the sonicfiles RAC_DOWNLOAD_TAR method, which allows users to download…

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability arises due to lack of sufficient output encoding when displaying postscript file names within the management interface. Due to CVE-2021-20040, this issue can…

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below, are vulnerable to multiple stack-based and heap-based buffer overflows in the fileexplorer component, which can be reached by an unauthenticated attacker, calling the sonicfiles RAC_COPY_TO method. These vulnerabilities arise due to the unchecked use of strcpy with…

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv suffer from a post-authenticated command injection vulnerability, which can be exploited to execute arbitrary commands with root privileges. The vulnerability exists in the Python management API, which is exposed remotely via HTTP, and is accessible to authenticated administrative users.…

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a heap-based buffer overflow vulnerability in the sonicfiles RAC_GET_BOOKMARKS_HTML5 API. This vulnerability arises due to the unchecked use of the strcat function on a fixed size buffer, when displaying user bookmarks. This vulnerability requires authentication…

Summary SonicWall SMA 100-series appliances running versions 10.2.0.8-37sv, 10.2.1.1-19sv and earlier, suffer from an unauthenticated file upload vulnerability. This could allow an unauthenticated remote attacker to use path traversal to upload files outside of the intended directory. Impact An unauthenticated attacker may be able to write files with controlled content…

Summary The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP…

Victure’s WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. Three vulnerabilities were uncovered, with links to the associated technical advisories below: Technical Advisory – Default WiFi…

Summary Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to…

Summary XAR is a file archive format used in macOS, and is part of various file formats, including .xar, .pkg, .safariextz, and .xip files. XAR archives are extracted using the xar command-line utility. XAR was initially developed under open source, however, the original project appears to be no longer maintained.…

Summary When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set to ‘internet’, it causes a stack corruption to occur. Impact Exploitation of this vulnerability would lead to denial of service…

Summary McAfee’s Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt the drive contents. The versions prior to 7.3.0 HF1 had a vulnerability in the kernel driver MfeEpePC.sys that could be exploited on certain Windows systems for privilege escalation or DoS. Impact…

Summary Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons.  Garuda Linux performs an insecure user creation and authentication, that allows a local attacker  to impersonate a user account while it is being created.  The user is created in two steps:  First the user is created without…

Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker could steal a victim’s session tokens, log their keystrokes, steal private data, or perform privileged actions in the context of a victim’s…

Summary The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior wallet app to verify that an individual has either a negative COVID-19 test or their vaccination status. We have found that some data about the…

Summary New York State developed an application called NYS Excelsior Pass Wallet that allows users to acquire and store a COVID-19 vaccine credential. During some research it was discovered that this application does not validate vaccine credentials added to it, allowing forged credentials to be stored by users. Impact This…

Summary The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. This vulnerability is a bypass of the patch for CVE-2020-8260. Impact Successful exploitation of this issue results in Remote Code Execution on…

Summary Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed for a threat actor to establish an interactive channel, effectively taking control…

Summary ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators.  Impact Successful exploitation…

Summary Nagios Log Server is a Centralized Log Management, Monitoring, and Analysis software that allows organizations to monitor, manage, visualize, archive, analyse, and alert on all of their log data. Version 2.1.8 of the application was found to be vulnerable to Stored and Reflected XSS. This occurs when malicious JavaScript…

Summary Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management Suite (WMS) acts a central hub for Dell’s thin client hardware, providing centralised provisioning and configuration. The Wyse Management Suite web interface and the configuration services used by the Thin Clients…

Summary In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to Shopify’s servers. Impact Sensitive PII such as credit card numbers and passwords can…

Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard…

Summary When running PC-Doctor modules, the Dell SupportAssist service attempted to load DLLs from a world-writable directory. Furthermore, it did not validate the signature of libraries loaded from this directory, leading to a “DLL Hijacking” vulnerability. Impact Successful exploitation of this issue would allow a low privileged user to execute…

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919) NSDP…

Current Vendor: Gigaset Vendor URL: https://www.gigaset.com/es_es/gigaset-dx600a-isdn/ Versions affected: V41.00-175.00.00-SATURN-175.00 Systems Affected: DX600A Authors: Manuel Ginés - manuel.gines[at]nccgroup[dot]com Admin Service Weak Authentication CVE Identifier: CVE-2021-25309 Risk: 8.8 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H AT Command Buffer Overflow CVE Identifier: CVE-2021-25306 Risk: 4.5 (Medium) - AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Summary According to the oficial documentation, the Gigaset DX600A…

Current Vendor: Belkin (Linksys) Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2021-25310 Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the…

Summary Silver Peak’s Unity EdgeConnect offering enables customers to easily setup and manage virtual networks using SD-WAN (Software Defined Wide Area Networking). At a high level it consists of physical or virtual EdgeConnect appliances and the Orchestrator management platform. The EdgeConnect appliances are essentially network devices that are installed at…

Summary Based on the Oracle product documentation page, “Oracle Communications Diameter Signaling Router is a market-leading cloud-ready Diameter signaling controller solution that centralizes routing, traffic management and load balancing, creating an architecture that enables IMS and LTE networks to be truly elastic and adapt to increasing service and traffic demands…

Summary Pulse Connect Secure suffers from an arbitrary file read vulnerability in the pre/post logon message component. An authenticated administrative user could exploit this issue to read arbitrary files from the underlying Operating System. Impact Successful exploitation of this issue could facilitate the attacker in extracting source code, credentials, or…

Summary The Pulse Connect Secure appliance suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. Impact Successful exploitation by an authenticated administrator results in Remote Code Execution on the underlying Operating System with root privileges. An attacker…

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27162 Risk: 8.3 (High) – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Summary Jitsi is an open source online communication suite. It includes a variety of audio, video, text and screen sharing capabilities. Both server, client,…

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27161 Risk: 5.3 (Medium) AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Summary Impact Jitsi Meet Electron includes apparent debugging code which ignores certificate validation errors, and therefore allows for man-in-the-middle attacks against limited, specially named Jitsi…

Current Vendor: Belkin Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL (maybe others) Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2020-26561 Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after…

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an…

Vendor: Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below Systems Affected: Pulse Connect Secure (PCS) Appliances Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash – david.cash[at]nccgroup[dot]com CVE Identifier: CVE-2020-8243 Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588 Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary Pulse…

Summary: Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes. The application also encompasses a ticket based help desk system and capabilities for software updates on target devices. Location: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx Impact: An attacker…

wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. wolfSSL incorrectly implements the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers and read or modify potentially sensitive information between clients using the wolfSSL library…

Multiple HTML injection vulnerabilities were found in several KaiOS mobile applications that are pre-installed on KaiOS mobile devices. The following vulnerabilities affected multiple KaiOS mobile devices: KaiOS Email Application HTML Injection (CVE-2019-14756) KaiOS Contacts Application HTML Injection (CVE-2019-14757) KaiOS File Manager Application HTML Injection (CVE-2019-14758) KaiOS Recorder Application HTML Injection…

Summary: The User Control Panel (UCP) application is vulnerable to multiple authenticated SQL Injection vulnerabilities which can result in the compromise of administrative accounts as well as the PBX appliance itself. FreePBX has a sizable install base, with Shodan showing over 32 thousand public results for the Sangoma Apache server…

Vendor: TP-Link Vendor URL: https://www.tp-link.com/uk/ Versions affected: 1.7.0 Systems Affected: Tapo C200 Author: Dale Pavey Risk: High Summary: The device is vulnerable to the heartbleed vulnerability and a Pass-the-Hash attack. Impact: Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and…

Summary: KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials. Location: ~/ktadmin/Default.aspx Impact: An attacker can gain administrative access to KwikTag Web Admin by logging…

A local macOS user or process may be able to modify or replace files executed by Installer. This could allow a low-privileged user or process to gain arbitrary code execution with root privileges, effectively leading to a full system compromise.

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory…

Summary: PlaySMS is an open source SMS gateway, which has a web management portal written in PHP. PlaySMS supports a custom PHP templating system, called tpl (https://github.com/antonraharja/tpl). PlaySMS double processes a server-side template, resulting in unauthenticated user control of input to the PlaySMS template engine. The template engine’s implementation then…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: ThoughtSpot - Authorization Bypass Allows for Pinboard Corruption Release Date: 2019-06-10 Application: ThoughtSpot Versions: 5.x before 5.1.2 4.4.1.x onwards Severity: Medium Author: Will Enright Vendor Status: Update Released [2] CVE Candidate: CVE-2019-12782 Reference: https://www.vsecurity.com/resources/advisory/201912782-1.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Product Description ~-----------------~ From ThoughtSpot's…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Deltek Vision - Arbitrary SQL Execution Release Date: 2019-04-09 Application: Deltek Vision Versions: 7.x before 7.6 March 2019 CU (Cumulative Update) Severity: High Author: Robert Wessen Vendor Status: Updates available, see vendor for information. CVE Candidate: CVE-2018-18251 Reference: https://www.vsecurity.com/download/advisories/2018-18251.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Bomgar Remote Support - Local Privilege Escalation Release Date: 2017-10-26 Application: Bomgar Remote Support Versions: 15.2.x before 15.2.3 16.1.x before 16.1.5 16.2.x before 16.2.4 Severity: High/Medium Author: Robert Wessen Author: Mitch Kucia Vendor Status: Update Released [2] CVE Candidate: CVE-2017-5996…

Summary Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user’s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query…

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Shellshock Advisory 25 Sep 2014 – iSEC Partners Executive Summary Immediate patches are required to fix a vulnerability in bash that allows arbitrary code execution from unauthenticated users. The…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw Release Date: 2014-09-17 Application: Apple iOS Foundation Framework Apple OS X Foundation Framework Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4 Severity: High Author: George D. Gal Vendor Status: Fix Available…

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Heartbleed (CVE-2014-0160) Advisory 10 Apr 2014 – Andy Grant, Justin Engler, Aaron Grattafiori News of a major widespread vulnerability discovered by Neel Mehta came out Monday, April 7 2014.…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks Release Date: 2013-06-19 Application: IBM WebSphere Commerce Versions: 5.6.X, 6.0.X, 7.0.X, possibly others Credit: Timothy D. Morgan George D. Gal Vendor Status: Patch Available by Request [5] CVE Candidate: CVE-2013-0523 Reference: http://www.vsecurity.com/resources/advisory/20130619-1/…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: HTC IQRD Android Permission Leakage Release Date: 2012-04-20 Application: IQRD on HTC Android Phones Author: Dan Rosenberg Vendor Status: Patch Released CVE Candidate: CVE-2012-2217 Reference: http://www.vsecurity.com/resources/advisory/20120420-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- The IQRD service is HTC's implementation of a Carrier IQ…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: libraptor - XXE in RDF/XML File Interpretation Release Date: 2012-03-24 Applications: libraptor / librdf (versions 1.x and 2.x) Also Affected: OpenOffice 3.x, LibreOffice 3.x, AbiWord, KOffice Author: tmorgan {a} vsecurity * com Vendor Status: Patches available; major downstream vendors and…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: VMware Tools Multiple Vulnerabilities Release Date: 2011-06-03 Application: VMware Guest Tools Severity: High Author: Dan Rosenberg Vendor Status: Patch Released [2] CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146 Reference: http://www.vsecurity.com/resources/advisory/20110603-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- From [1]: "VMware Tools is a suite of…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Apple HFS+ Information Disclosure Vulnerability Release Date: 2011-03-22 Application: Apple OS X kernel (XNU) Versions: All versions fbt_offset + user_bootstrapp->fbt_length > 1024) return EINVAL; If a user provides values for the fbt_offset and fbt_length members such that their sum overflows…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities Release Date: 2011-01-26 Application: Oracle OpenOffice.org Versions: 3.2 and earlier Severity: High Author: Dan Rosenberg Vendor Status: Patch Released CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454 Reference: http://www.vsecurity.com/resources/advisory/20110126-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- From [1]: "OpenOffice.org 3…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Citrix Access Gateway Command Injection Vulnerability Release Date: 2010-12-21 Application: Citrix Access Gateway Versions: Access Gateway Enterprise Edition (up to 9.2-49.8) Access Gateway Standard & Advanced Edition (prior to 5.0) Severity: High Author: George D. Gal Vendor Status: Updated Software…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Linux RDS Protocol Local Privilege Escalation Release Date: 2010-10-19 Application: Linux Kernel Versions: 2.6.30 - 2.6.36-rc8 Severity: High Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com > Vendor Status: Patch Released [3] CVE Candidate: CVE-2010-3904 Reference: http://www.vsecurity.com/resources/advisory/20101019-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Coda Filesystem Kernel Memory Disclosure Release Date: 2010-08-16 Application: Coda kernel module for NetBSD and FreeBSD Versions: All known versions Severity: Medium Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com > Vendor Status: Patch Released [2][3] CVE Candidate: CVE-2010-3014…

VSR Security Advisory http://www.vsecurity.com/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: WebLogic Plugin HTTP Injection via Encoded URLs Release Date: 2010-07-13 Application: WebLogic Plugin Versions: All known versions Severity: High Discovered by: Timothy D. Morgan < tmorgan (at) vsecurity {dot} com > Contributors: George D. Gal < ggal {at} vsecurity (dot) com > Vendor…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities Release Date: 2010-07-02 Application: Cisco Content Services Switch (CSS) / ACE Products Versions: Cisco CSS 11500 - 08.20.1.01 Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5) (Other versions…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Authentication Bypass Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.2.1 and possibly earlier Severity: Critical Discovered by: Jon Hart and Timothy D. Morgan Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.3.0, x4.2.1, and possibly earlier Severity: High Discovered by: Jon Hart Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor Status:…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.3.0, x4.2.1, and possibly earlier Severity: Medium Discovered by: Jon Hart Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor Status: Firmware…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Chrome Password Manager Cross Origin Weakness Release Date: 2010-02-15 Application: Google Chrome Web Browser Versions: 4.0.249.78, 3.0.195.38, and likely earlier Severity: Medium/Low Author: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor Status: Update Released [2] CVE Candidate: CVE-2010-0556 Reference:…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Java Web Start File Inclusion via System Properties Override Release Date: 2008-12-03 Application: Sun Java Runtime Environment / Java Web Start Versions: See below Severity: High Author: Timothy D. Morgan <tmorgan {a} vsecurity.com> Vendor Status: Patch Released [3] CVE Candidate:…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Format String Injections in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0-2.2.5 and likely earlier. 2.2.6-2.2.8 contain a subset of these vulnerabilities. Severity: Low Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified, Limited Fixes…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Shell Metacharacter Injections in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0-2.2.8 and likely earlier versions Severity: Low to Medium Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified CVE Candidate: CVE-2007-2055 Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Buffer Overflows Discovered in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0 and likely earlier Severity: High Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2007-2053 Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-overflows.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow Release Date: 2006-05-23 Application: PDF Tools AG - PDF Form Filling and Flattening Tool Version: 3.0 (Windows) (other versions and platforms untested) Severity: High Author: George D. Gal <ggal_at_vsecurity.com> Vendor Status: Vendor…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices Release Date: 2006-05-08 Application: Websense in Conjunction with Cisco PIX Version: Websense 5.5.2 Cisco PIX OS / ASA < 7.0.4.12 Cisco PIX OS < 6.3.5(112) FWSM 2.3.x FWSM…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Remote Directory Traversal and File Retrieval Release Date: 2006-02-03 Application: IBM Tivoli Access Manager Version: 5.1.0.10 (other versions untested) Severity: High Author: Timothy D. Morgan <tmorgan (at) vsecurity (dot) com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2006-0513 Reference:…

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Remote Directory Traversal and File Retrieval Release Date: 2006-02-03 Application: IBM Tivoli Access Manager Version: 5.1.0.10 (other versions untested) Severity: High Author: Timothy D. Morgan <tmorgan (at) vsecurity (dot) com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2006-0513 Reference:…