The Challenges of Fuzzing 5G Protocols

If you have ever looked at fuzzing in any depth you will quickly realize it’s not as trivial as it first appears. There are many different types of fuzzers, but here we are focused on network fuzzers.  These fuzzers are of particular interest as they are most suited to fuzzing telecoms products/protocols, where the application … Continue reading The Challenges of Fuzzing 5G Protocols

Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Vendor: Open5GS Vendor URL: https://github.com/open5gs/open5gs Versions affected: 1.0.0 to 2.3.3 Systems Affected: Linux Author: mark.tedman[at]nccgroup[dot]com Advisory URL / CVE Identifier: CVE-2021-41794 Risk: CVSSv3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) Summary When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set … Continue reading Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)

Vendor: McAfee Vendor URL: https://kc.mcafee.com/corporate/index?page=content&id=sb10361 Versions affected: Prior to 7.3.0 HF1 Systems Affected: Windows OSs without NULL page protection Author: Balazs Bucsay <balazs.bucsay[ at ]nccgroup[.dot.]com> @xoreipeip CVE Identifier: CVE-2021-23893 Risk: 8.8 - CWE-269: Improper Privilege Management Summary McAfee's Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt … Continue reading Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)

Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Vendor: Garuda Linux Vendor URL: https://garudalinux.org/ Versions affected: previous commit 29b03856 Systems Affected: Garuda Linux user creation panel Author: Jesus Olmos <jesus.olmos[at]fox-it[dot]com> CVE Identifier: CVE-2021-3784 Risk: 4.4 - Local user impersonation in the moment of the user creation Summary Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons.  Garuda Linux performs an … Continue reading Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Vendor: PDFTron Vendor URL: https://www.pdftron.com/ Versions affected: WebViewer UI 8.0 or below Systems Affected: Web applications hosting the affected software Author: Liyun Li <liyun.li[at]nccgroup[dot]com> CVE Identifier: CVE-2021-39307 Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker … Continue reading Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Vendor: Shopify Vendor URL: https://shop.app/ Versions affected: Shop Android 2.19.0-release+307, Shop iOS 2.20.0 Authors: Dan Hastings – dan.hastings[at]nccgroup[dot]com Summary In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to … Continue reading Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Vendor: ParcelTrack Vendor URL: https://www.parceltrack.de/ Versions affected: ParcelTrack Android Version 3.3, ParcelTrack iOS Version 3.3 Author: Dan Hastings – dan.hastings[at]nccgroup[dot]com Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords … Continue reading Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

SAML XML Injection

The Single Sign-On (SSO) approach to authentication controls and identity management was quickly adopted by both organizations and large online services for its convenience and added security. The benefits are clear; for end-users, it is far easier to authenticate to a single service and gain access to all required applications. And for administrators, credentials and … Continue reading SAML XML Injection

Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919)NSDP Authentication Bypass (CVE-2020-35231)Unauthenticated Firmware Update Mechanism … Continue reading Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)

Current Vendor: Gigaset Vendor URL: https://www.gigaset.com/es_es/gigaset-dx600a-isdn/ Versions affected: V41.00-175.00.00-SATURN-175.00 Systems Affected: DX600A Authors: Manuel Ginés - manuel.gines[at]nccgroup[dot]com Admin Service Weak Authentication CVE Identifier: CVE-2021-25309 Risk: 8.8 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H AT Command Buffer Overflow CVE Identifier: CVE-2021-25306 Risk: 4.5 (Medium) - AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Summary According to the oficial documentation, the Gigaset DX600A is a high-end ISDN desktop … Continue reading Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)