Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27162 Risk: 8.3 (High) – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Summary Jitsi is an open source online communication suite. It includes a variety of audio, video, text and screen sharing capabilities. Both server, client, and libraries for third party … Continue reading Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)

Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27161 Risk: 5.3 (Medium) AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Summary & Impact Jitsi Meet Electron includes apparent debugging code which ignores certificate validation errors, and therefore allows for man-in-the-middle attacks against limited, specially named Jitsi Meet servers. Details In … Continue reading Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)

There’s A Hole In Your SoC: Glitching The MediaTek BootROM

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group's Hardware & Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an attack vector that is … Continue reading There’s A Hole In Your SoC: Glitching The MediaTek BootROM

Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)

Vendor: Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below Systems Affected: Pulse Connect Secure (PCS) Appliances Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash – david.cash[at]nccgroup[dot]com CVE Identifier: CVE-2020-8243 Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588 Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary Pulse Connect Secure (PCS) appliances before … Continue reading Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)

Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)

Vendor: Lansweeper Software Vendor URL: https://www.lansweeper.com/ Versions affected: 8.0.130.17 known affected versions, others likely Systems Affected: Windows 10 Authors: Joshua Dow <joshua.dow@nccgroup.com>, Daniel King <daniel.king@nccgroup.com> Advisory URL / CVE Identifier: CVE-2020-13658 Risk: High Summary: Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management … Continue reading Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)

Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)

wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. wolfSSL incorrectly implements the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.

Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications

Multiple HTML injection vulnerabilities were found in several KaiOS mobile applications that are pre-installed on KaiOS mobile devices. The following vulnerabilities affected multiple KaiOS mobile devices: KaiOS Email Application HTML Injection (CVE-2019-14756)KaiOS Contacts Application HTML Injection (CVE-2019-14757)KaiOS File Manager Application HTML Injection (CVE-2019-14758)KaiOS Recorder Application HTML Injection (CVE-2019-14760)KaiOS Note Application HTML Injection (CVE-2019-14761)KaiOS FM Radio … Continue reading Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications

Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application

Vendor: Sangoma TechnologiesVendor URL: https://freepbx.comVersions affected: FreePBX 13, 14, and 15Systems Affected: FreePBX UCP applicationAuthor: Bill MarquetteAdvisory URLs:SEC-2020-06: https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cel+moduleSEC-2020-07: https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cdr+moduleRisk: High Summary: The User Control Panel (UCP) application is vulnerable to multiple authenticated SQL Injection vulnerabilities which can result in the compromise of administrative accounts as well as the PBX appliance itself. FreePBX has a … Continue reading Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application

Technical Advisory – KwikTag Web Admin Authentication Bypass

Vendor: ImageTagVendor URL: https://www.kwiktag.comVersions affected: 4.5.2 - 9.0Systems Affected: KwikTag Web AdminAuthor: Clayton LowellAdvisory URL / CVE Identifier: https://www.kwiktag.com/admin-security-advisory_202005/Risk: High Summary: KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials. … Continue reading Technical Advisory – KwikTag Web Admin Authentication Bypass

Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory safety vulnerabilities, allowing adversaries with … Continue reading Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption