Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Vendor: Open5GS Vendor URL: https://github.com/open5gs/open5gs Versions affected: 1.0.0 to 2.3.3 Systems Affected: Linux Author: mark.tedman[at]nccgroup[dot]com Advisory URL / CVE Identifier: CVE-2021-41794 Risk: CVSSv3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) Summary When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set … Continue reading Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)

Vendor: McAfee Vendor URL: https://kc.mcafee.com/corporate/index?page=content&id=sb10361 Versions affected: Prior to 7.3.0 HF1 Systems Affected: Windows OSs without NULL page protection Author: Balazs Bucsay <balazs.bucsay[ at ]nccgroup[.dot.]com> @xoreipeip CVE Identifier: CVE-2021-23893 Risk: 8.8 - CWE-269: Improper Privilege Management Summary McAfee's Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt … Continue reading Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)

Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Vendor: Garuda Linux Vendor URL: https://garudalinux.org/ Versions affected: previous commit 29b03856 Systems Affected: Garuda Linux user creation panel Author: Jesus Olmos <jesus.olmos[at]fox-it[dot]com> CVE Identifier: CVE-2021-3784 Risk: 4.4 - Local user impersonation in the moment of the user creation Summary Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons.  Garuda Linux performs an … Continue reading Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Vendor: PDFTron Vendor URL: https://www.pdftron.com/ Versions affected: WebViewer UI 8.0 or below Systems Affected: Web applications hosting the affected software Author: Liyun Li <liyun.li[at]nccgroup[dot]com> CVE Identifier: CVE-2021-39307 Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker … Continue reading Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Vendor: New York State Vendor URL: https://covid19vaccine.health.ny.gov/excelsior-pass Versions affected: iOS 1.4.1, Android 1.4.1 Systems Affected: iOS, Android Author: Dan Hastings dan.hastings[at]nccgroup[dot]trust Advisory URL / CVE Identifier: Risk: Information Leakage Summary The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior … Continue reading Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery

Vendor: New York State Vendor URL: https://play.google.com/store/apps/details?id=gov.ny.its.healthpassport.wallet Versions affected: 1.2.0 Systems Affected: Android Google Play Store Author: Siddarth Adukia sid.adukia[at]nccgroup[dot]com Summary New York State developed an application called NYS Excelsior Pass Wallet that allows users to acquire and store a COVID-19 vaccine credential. During some research it was discovered that this application does not validate … Continue reading Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery

Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Vendor: Ivanti Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.11R11.5 or below Systems Affected: Pulse Connect Secure (PCS) Appliances Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858 CVE Identifier: CVE-2021-22937 Risk: 7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite … Continue reading Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)

Vendor: Sunhillo Vendor URL: https://www.sunhillo.com/ Versions affected: SureLine <= 8.7.0 Systems Affected: Any using SureLine Author: Liam Glanfield <liam.glanfield@nccgroup.com> Advisory URL / CVE Identifier: CVE-2021-36380 Risk: Critical - complete compromise of the host Summary Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection … Continue reading Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)

Technical Advisory – ICTFAX 7-4 – Indirect Object Reference

Vendor: ICTFAX Vendor URL: https://www.ictfax.org Versions affected: ICTFax Version 4.0.2 Author: Derek Stoeckenius Summary ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within … Continue reading Technical Advisory – ICTFAX 7-4 – Indirect Object Reference

Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)

Vendor: Nagios Vendor URL: https://www.nagios.com/ Versions affected: >= 2.1.8 Systems Affected: Nagios Log Server Author: Liew Hock Lai <hocklai.liew@nccgroup.com> Advisory URL: https://www.nagios.com/downloads/nagios-log-server/change-log/ CVE Identifier: CVE-2021-35478 (Reflected XSS), CVE-2021-35478 (Stored XSS) Risk: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) (client-side script execution) Summary Nagios Log Server is a Centralized Log Management, Monitoring, and Analysis software that allows organizations to monitor, manage, … Continue reading Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)