Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Vendor: Garuda Linux Vendor URL: https://garudalinux.org/ Versions affected: previous commit 29b03856 Systems Affected: Garuda Linux user creation panel Author: Jesus Olmos <jesus.olmos[at]fox-it[dot]com> CVE Identifier: CVE-2021-3784 Risk: 4.4 - Local user impersonation in the moment of the user creation Summary Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons.  Garuda Linux performs an … Continue reading Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Vendor: PDFTron Vendor URL: https://www.pdftron.com/ Versions affected: WebViewer UI 8.0 or below Systems Affected: Web applications hosting the affected software Author: Liyun Li <liyun.li[at]nccgroup[dot]com> CVE Identifier: CVE-2021-39307 Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker … Continue reading Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Vendor: Ivanti Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.11R11.5 or below Systems Affected: Pulse Connect Secure (PCS) Appliances Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858 CVE Identifier: CVE-2021-22937 Risk: 7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite … Continue reading Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Technical Advisory – ICTFAX 7-4 – Indirect Object Reference

Vendor: ICTFAX Vendor URL: https://www.ictfax.org Versions affected: ICTFax Version 4.0.2 Author: Derek Stoeckenius Summary ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within … Continue reading Technical Advisory – ICTFAX 7-4 – Indirect Object Reference

Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)

Vendor: Dell Vendor URL: https://www.dell.com/support/home/en-us/product-support/product/wyse-wms/drivers Versions affected: Prior to version 3.3 Systems Affected: Any Author: Stephen Tomkinson stephen.tomkinson@nccgroup.com Advisory URL / CVE Identifier: https://www.dell.com/support/kbdoc/en-us/000189363/dsa-2021-137-dell-wyse-management-suite-wms-security-update-for-multiple-vulnerabilities CVE-2021-21586, CVE-2021-21587 Risk: High – can lead to compromise of administrative sessions Summary Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management … Continue reading Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)

Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Vendor: Shopify Vendor URL: https://shop.app/ Versions affected: Shop Android 2.19.0-release+307, Shop iOS 2.20.0 Authors: Dan Hastings – dan.hastings[at]nccgroup[dot]com Summary In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to … Continue reading Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Vendor: ParcelTrack Vendor URL: https://www.parceltrack.de/ Versions affected: ParcelTrack Android Version 3.3, ParcelTrack iOS Version 3.3 Author: Dan Hastings – dan.hastings[at]nccgroup[dot]com Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords … Continue reading Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919)NSDP Authentication Bypass (CVE-2020-35231)Unauthenticated Firmware Update Mechanism … Continue reading Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)

Current Vendor: Belkin (Linksys) Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com && Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2021-25310 Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective … Continue reading Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)

Shellshock Advisory

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Shellshock Advisory 25 Sep 2014 - iSEC Partners Executive Summary Immediate patches are required to fix a vulnerability in bash that allows arbitrary code execution from unauthenticated users. The full impact of vulnerable vectors … Continue reading Shellshock Advisory