Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron, and Nicolas Guigo. U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with the associated technical advisories below: … Continue reading Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)

Current Vendor: SerComm Vendor URL: https://www.sercomm.com Systems Affected: SerComm h500s Versions affected: lowi-h500s-v3.4.22 Authors: Diego Gómez Marañón & @rsrdesarrollo CVE Identifier: CVE-2021-44080 Risk: 6.6(Medium)- AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The h500s is a router device manufactured by SerComm and packaged by a few telecoms providers in Spain (and possibly other regions) to provide CPE DSL network connectivity and … Continue reading Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)

Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Vendor: Kwikset/Weiser (Spectrum Brands) Vendor URLs: https://www.kwikset.com/kevo/smart-lock, https://www.weiserlock.com/en/kevo/default Versions Affected: All versions. Attack tested on Kevo Generation 2 hardware with firmware v1.9.49 and Android application version Kevo 2.9.1.21765p. Systems Affected: Kevo smart locks, including Kevo Contemporary Author: Sultan Qasim Khan Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> - An attacker within BLE signal range of a smartphone … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Vendor: Tesla, Inc. Vendor URL: https://www.tesla.com Versions affected: Attack tested with vehicle software v11.0 (2022.8.2 383989fadeea) and iOS app 4.6.1-891 (3784ebe63). Systems Affected: Attack tested on Model 3. Model Y is likely also affected. Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com> Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> An attacker within Bluetooth signal range of a mobile device configured … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Vendor: Bluetooth SIG, Inc. Vendor URL: https://www.bluetooth.com Versions Affected: Specification versions 4.0 to 5.3 Systems Affected: Any systems relying on the presence of a Bluetooth LE connection as confirmation of physical proximity, regardless of whether link layer encryption is used Author: <Sultan Qasim Khan> <sultan.qasimkhan[at]nccgroup[dot]com> Risk: An attacker can falsely indicate the proximity of Bluetooth … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Vendor: Ruby on Rails Vendor URL: https://rubyonrails.org Versions affected: versions prior to 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 Operating Systems Affected: ALL Author: Álvaro Martín Fraguas <alvaro.martin[at]nccgroup[dot]com> Advisory URLs: - https://groups.google.com/g/rubyonrails-security/c/Yg2tEh2UUqc - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777 Accepted commit for the fix in the official master branch: - https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85 Risk: Medium (XSS vulnerability in some cases for some Rails methods). Summary … Continue reading Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)

Vendor: Apple Vendor URL: https://www.apple.com/ Systems Affected: macOS Monterey before 12.3, macOS Big Sur before 11.6.5 and macOS 10.15 Catalina before Security Update 2022-003 Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URLs: https://support.apple.com/en-us/HT213183, https://support.apple.com/en-us/HT213185, https://support.apple.com/en-gw/HT213185 CVE Identifier: CVE-2022-22582 Risk: 5.0 Medium CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Summary In October 2021, Apple released a fix for CVE-2021-30833. This was an arbitrary file-write … Continue reading Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)

Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

Vendor: Lenovo Vendor URL: https://www.lenovo.com/ Versions affected: 1.1.20.2 Systems Affected: Windows Author: rick.veldhoven@fox-it.com Advisory URL: https://support.lenovo.com/us/en/product_security/LEN-75210 CVE Identifier: CVE-2021-3922, CVE-2021-3969 Risk: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R CVSSv3.1: 7.1 Summary The ImController service comes installed on certain Lenovo devices, for example NCC found the service installed on a ThinkPad workstation. The service runs as the SYSTEM user and periodically executes … Continue reading Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion

Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Risk: CVSS 9.1 (Critical) Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote … Continue reading Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion

Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS

Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Risk: CVSS 8.2 (High) Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability … Continue reading Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS