Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Vendor: Kwikset/Weiser (Spectrum Brands) Vendor URLs: https://www.kwikset.com/kevo/smart-lock, https://www.weiserlock.com/en/kevo/default Versions Affected: All versions. Attack tested on Kevo Generation 2 hardware with firmware v1.9.49 and Android application version Kevo 2.9.1.21765p. Systems Affected: Kevo smart locks, including Kevo Contemporary Author: Sultan Qasim Khan Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> - An attacker within BLE signal range of a smartphone … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Vendor: Tesla, Inc. Vendor URL: https://www.tesla.com Versions affected: Attack tested with vehicle software v11.0 (2022.8.2 383989fadeea) and iOS app 4.6.1-891 (3784ebe63). Systems Affected: Attack tested on Model 3. Model Y is likely also affected. Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com> Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> An attacker within Bluetooth signal range of a mobile device configured … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Vendor: Bluetooth SIG, Inc. Vendor URL: https://www.bluetooth.com Versions Affected: Specification versions 4.0 to 5.3 Systems Affected: Any systems relying on the presence of a Bluetooth LE connection as confirmation of physical proximity, regardless of whether link layer encryption is used Author: <Sultan Qasim Khan> <sultan.qasimkhan[at]nccgroup[dot]com> Risk: An attacker can falsely indicate the proximity of Bluetooth … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Vendor: Ruby on Rails Vendor URL: https://rubyonrails.org Versions affected: versions prior to 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 Operating Systems Affected: ALL Author: Álvaro Martín Fraguas <alvaro.martin[at]nccgroup[dot]com> Advisory URLs: - https://groups.google.com/g/rubyonrails-security/c/Yg2tEh2UUqc - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777 Accepted commit for the fix in the official master branch: - https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85 Risk: Medium (XSS vulnerability in some cases for some Rails methods). Summary … Continue reading Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)

This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021 when targeting the Western Digital PR4100.

Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)

Vendor: Apple Vendor URL: https://www.apple.com/ Systems Affected: macOS Monterey before 12.3, macOS Big Sur before 11.6.5 and macOS 10.15 Catalina before Security Update 2022-003 Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URLs: https://support.apple.com/en-us/HT213183, https://support.apple.com/en-us/HT213185, https://support.apple.com/en-gw/HT213185 CVE Identifier: CVE-2022-22582 Risk: 5.0 Medium CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Summary In October 2021, Apple released a fix for CVE-2021-30833. This was an arbitrary file-write … Continue reading Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)

Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

Vendor: Lenovo Vendor URL: https://www.lenovo.com/ Versions affected: 1.1.20.2 Systems Affected: Windows Author: rick.veldhoven@fox-it.com Advisory URL: https://support.lenovo.com/us/en/product_security/LEN-75210 CVE Identifier: CVE-2021-3922, CVE-2021-3969 Risk: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R CVSSv3.1: 7.1 Summary The ImController service comes installed on certain Lenovo devices, for example NCC found the service installed on a ThinkPad workstation. The service runs as the SYSTEM user and periodically executes … Continue reading Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion

Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Risk: CVSS 9.1 (Critical) Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote … Continue reading Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion

Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS

Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Risk: CVSS 8.2 (High) Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability … Continue reading Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS

Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)

Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026 CVE Identifier: CVE-2021-20045 Risk: CVSS 9.4 (Critical) Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below, are vulnerable to multiple stack-based and heap-based buffer … Continue reading Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)