Security News

 Vulnerability News SecurityWeek Feed
  • VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting

    The Versiant LYNX Customer Service Portal(CSP)is a"full-service customer portal that provides real-time information to terminal operators on the status of shipments into and out of a marine container terminal". The LYNX CSP,version 3.5.2,is vulnerable to stored cross-site scripting,which could allow a local,authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user.
  • VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities

    The Vertiv Avocent UMG-4000 contains multiple vulnerabilities that could allow an authenticated attacker with administrative privileges to remotely execute arbitrary code. The web interface does not sanitize input provided from the remote client,making it vulnerable to command injection,stored cross-site scripting,and reflected cross-site scripting. CVE-2019-9507 - CWE-95 The web interface of the Avocent UMG-4000 version is vulnerable to command injection because the application incorrectly neutralizes code syntax before executing. Since all commands within the web application are executed as root,this could allow a remote attacker authenticated with an administrator account to execute arbitrary commands. The CVSS 2.0 score below is based on CVE-2019-9507. CVE-2019-9508 - CWE-79 The web interface of the Avocent UMG-4000 version is vulnerable to stored XSS. A remote attacker authenticated with an administrator account could store a maliciously named file within the web application that would execute each time a user browsed to the page. CVE-2019-9509 - CWE-79 The web interface of the Avocent UMG-4000 version is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page,which could allow a remote attacker authenticated with a user account to execute arbitrary code.
  • VU#354840: Microsoft Windows Type 1 font parsing remote code execution vulnerabilities

    Adobe Type Manager,which is provided by atmfd.dll,is a kernel module that is provided by Windows and provides support for OpenType fonts. Two vulnerabilities in the Microsoft Windows Adobe Type Manager library may allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. This vulnerability affects all supported versions of Windows,as well as Windows 7. This vulnerability is being exploited in the wild.
  • VU#425163: Machine learning classifiers trained via gradient descent are vulnerable to arbitrary misclassification attack

    This vulnerability results from using gradient descent to determine classification of inputs via a neural network. As such,it is a vulnerability in the algorithm. In plain terms,this means that the currently-standard usage of this type of machine learning algorithm can always be fooled or manipulated if the adversary can interact with it. What kind or amount of interaction an adversary needs is not always clear,and some attacks can be successful with only minor or indirect interaction. However,in general more access or more interaction options reduce the effort required to fool the machine learning algorithm. If the adversary has information about some part of the machine learning process(training data,training results,model,or operational/testing data),then with sufficient effort the adversary can craft an input that will fool the machine learning tool to yield a result of the adversary's choosing. In instantiations of this vulnerability that we are currently aware of,"sufficient effort"ranges widely,between seconds and weeks of commodity compute time. Within the taxonomy by Kumar et al.,such misclassifications are either perturbation attacks or adversarial examples in the physical domain. There are other kinds of failures or attacks related to ML systems,and other ML systems besides those trained via gradient descent. However,this note is restricted to this specific algorithm vulnerability. Formally,the vulnerability is defined for the following case of classification. Let x be a feature vector and y be a class label. Let L be a loss function,such as cross entropy loss. We wish to learn a parameterization vectorθfor a given class of functions f such that the expected loss is minimized. Specifically,let In the case where f(θ,x)is a neural network,finding the global minimizerθ*is often computationally intractable. Instead,various methods are used to findθ^,which is a"good enough"approximation. We refer to f(θ^,.)as the fitted neural network. If stochastic gradient descent is used to findθ^for the broadly defined set of f(θ,x)representing neural networks,then the fitted neural network f(θ^,.)is vulnerable to adversarial manipulation. Specifically,it is possible to take f(θ^,.)and find an x' such that the difference between x and x' is smaller than some arbitrary and yet f(θ^,x)has the label y and f(θ^,x')has an arbitrarily different label y'. (Mathematicians,please excuse our abuse of^as\hat and*as_\star.) The uncertainty of the impact of this vulnerability is compounded because practitioners and vendors do not tend to disclose what machine learning algorithms they use. However,training neural networks by gradient descent is a common technique. See also the examples in the impact section.
  • VU#872016: Microsoft SMBv3 compression remote code execution vulnerability

    Microsoft Server Message Block 3.1.1(SMBv3)contains a vulnerability in the way that it handles connections that use compression. This vulnerability may allow a remote,unauthenticated attacker to execute arbitrary code on a vulnerable system. It has been reported that this vulnerability is"wormable."
  • VU#782301: pppd vulnerable to buffer overflow due to a flaw in EAP packet processing

    PPP is the protocol used for establishing internet links over dial-up modems,DSL connections,and many other types of point-to-point links including Virtual Private Networks(VPN)such as Point to Point Tunneling Protocol(PPTP). The pppd software can also authenticate a network connected peer and/or supply authentication information to the peer using multiple authentication protocols including EAP. Due to a flaw in the Extensible Authentication Protocol(EAP)packet processing in the Point-to-Point Protocol Daemon(pppd),an unauthenticated remote attacker may be able to cause a stack buffer overflow,which may allow arbitrary code execution on the target system. This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect,arbitrary data can be copied into memory and cause memory corruption possibly leading to execution of unwanted code. The vulnerability is in the logic of the eap parsing code,specifically in the eap_request()and eap_response()functions in eap.c that are called by a network input handler. These functions take a pointer and length as input using the the first byte as a type. If the type is EAPT_MD5CHAP(4),it looks at an embedded 1-byte length field. The logic in this code is intended to makes sure that embedded length is smaller than the whole packet length. After this verification,it tries to copy provided data(hostname)that is located after the embedded length field into a local stack buffer. This bounds check is incorrect and allows for memory copy to happen with an arbitrary length of data. An additional logic flaw causes the eap_input()function to not check if EAP has been negotiated during the Line Control Protocol(LCP)phase. This allows an unauthenticated attacker to send an EAP packet even if ppp refused the authentication negotiation due to lack of support for EAP or due to mismatch of an agreed pre-shared passphrase in the LCP phase. The vulnerable pppd code in eap_input will still process the EAP packet and trigger the stack buffer overflow. This unverified data with an unknown size can be used to corrupt memory of the target system. The pppd often runs with high privileges(system or root)and works in conjunction with kernel drivers. This makes it possible for an attacker to potentially execute arbitrary code with system or root level privileges. The pppd software is also adopted into lwIP(lightweight IP)project to provide pppd capabilities for small devices. The default installer and packages of lwIP are not vulnerable to this buffer overflow. However if you have used the lwIP source code and configured specifically to enable EAP at compile time,your software is likely vulnerable to the buffer overflow. The recommended update is available from Git repoistory This type of weakness is commonly associated in Common Weakness Enumeration(CWE)with CWE-120 Buffer Copy without Checking Size of Input('Classic Buffer Overflow'). A Proof-of-Concept exploit for PPTP VPN Servers is provided by CERT/CC in their Github repository
  • VU#498544: ZyXEL pre-authentication command injection in weblogin.cgi

    CWE-78:Improper Neutralization of Special Elements used in an OS Command('OS Command Injection') Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters,it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user,many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such,it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. Exploit code for this vulnerability that targets NAS devices is available on the internet. For this reason,we have created a PoC exploit that has the ability to power down affected ZyXEL NAS devices.
  • VU#597809: IBM ServeRAID Manager exposes unauthenticated Java Remote Method Invocation (RMI) service

    IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java 1.4.2 are no longer supported. ServeRAID Manager uses a Java Remote Method Invocation(RMI)on port 34571/tcp that listens on all interfaces by default. ServeRAID Manager runs with SYSTEM privileges on Microsoft Windows systems. An unauthenticated attacker with network access can exploit the vulnerable RMI interface to launch a remote class loader attack. This appears to be an instance of CVE-2011-3556. The ServeRAID product name is used for hardware and software components variously owned and maintained by IBM,Lenovo,and other vendors. This vulnerability applies to IBM ServeRAID Manager software and no products or components from Lenovo or any other vendor.
  • VU#261385: Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution

    CVE-2020-3110 Cisco's Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of DeviceID type-length-value(TLV). The CVSS score reflected below is in regards to this vulnerability. CVE-2020-3111 Cisco Voice over Internet Protocol(VoIP)phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value(TLV). CVE-2020-3118 Cisco's CDP subsystem of devices running,or based on,Cisco IOS XR Software are vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow. CVE-2020-3119 Cisco's CDP subsystem of devices running,or based on,Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of Power over Ethernet(PoE)type-length-value(TLV). CVE-2020-3120 Cisco's CDP subsystem of devices running,or based on,Cisco NX-OS,IOS XR,and FXOS Software are vulnerable to a resource exhaustion denial-of-service condition.
  • VU#390745: OpenSMTPD vulnerable to local privilege escalation and remote code execution

    OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol(SMTP)that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr()function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty,smtp_mailaddr()will automatically add a domain name as opposed to failing because of the invalid local address. This will allow the invalid local address to pass through the function without validation.
  • VU#338824: Microsoft Internet Explorer Scripting Engine memory corruption vulnerability

    Microsoft Internet Explorer contains a scripting engine,which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability. This vulnerability was detected in exploits in the wild.
  • VU#335217: Multiple caching service providers are vulnerable to HTTP cache poisoning

    CDNs use HTTP caching software to provide high availability and high performance by distributing the service spatially relative to end-users. The HTTP caching software interprets the HTTP request from a website visitor(web client)using the supplied HTTP headers to select and deliver appropriate content. The content can either be delivered from the local cache or collected by reaching the appropriate back end web servers. This vulnerability works by sending arbitrary headers into the HTTP request stream,which may be processed by the back end web server or by the HTTP caching software. If either the web server or the HTTP caching software is vulnerable,it will include the attackers injected content in the response without performing any type of sanitization. Once the attacker's malicious content is returned,it will also be cached by the HTTP caching software. The HTTP caching software will continue to serve the malicious content to all future visitors of the website until the cache expires or is deleted. This allows the attacker to inject arbitrary content once and have multiple future visitors of the CDN hosted website collect the attacker's content and execute unwanted scripts. HTTP header injection using traditional headers,like the Host header and X-Forwarded-Host header,is not a new attack method. New HTTP headers like X-Forwarded-Proto,Referer,Upgrade-Insecure-Requests,and X-DNS-Prefetch-Control have been created to provide more capabilities for HTTP processing. Cloud caching in addition to newly available headers allows for an increase in prolonged,large scale attacks against busy and popular websites. Some examples of the vulnerable headers are: Content-Security-Policy-Report-Only Forwarded Server-Timing Set-Cookie Strict-Transport-Security X-Forwarded-Proto Location Accept-Language Cookie X-Forwarded-For X-Forwarded-Host Referer Max-Forwards There are at least two common reasons why these attacks are possible: 1. Certain HTTP headers(e.g.,X-Forwarded-Host)are sent by the reverse proxy or CDN to the web server and are many times presumed to be generated/modified by the CDN and therefore trusted. 2. Certain HTTP headers(e.g.,User-Agent)are not sanitized by the CDN before being delivered to the web server.
  • VU#491944: Microsoft Windows Remote Desktop Gateway allows for unauthenticated remote code execution

    Microsoft Windows Remote Desktop Gateway(RD Gateway)is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be present on the same network as the target system. Originally launched as Terminal Services Gateway(TS Gateway)with Windows Server 2008,RD Gateway is a recommended way to provide Remote Desktop connectivity to cloud-based systems. For example,guidance has been provided for using RD Gateway with AWS,and also with Azure. The use of RD Gateway is recommended to reduce the attack surface of Windows-based hosts. Microsoft RD Gateway in Windows Server 2012 and later contain two vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges. It is reported by Kryptos Logic that the flaws lie in handling of fragmentation. This vulnerability is exploitable by connecting to the RD Gateway service listening on UDP/3391.
  • VU#849224: Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains

    The Microsoft Windows CryptoAPI,which is provided by Crypt32.dll,fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result,an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority. Any software,including third-party non-Microsoft software,that relies on the Windows CertGetCertificateChain()function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain. Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior,as well as the Server 2012 R2 and prior counterparts,do not support ECC keys with parameters. For this reason,such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.
  • VU#619785: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability

    Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote,unauthenticated attacker. Although the bulletin does not describe details about the vulnerability,the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt(/../)and also requests that attempt to access the/vpns/directory. Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the/vpns/path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible. A link of the following form can be used to determine if a system is affected: https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf For example,the following curl command can be used: curl https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf --path-as-is -k -f The"CITRIXGATEWAY"string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error,then the mitigations outlined below have likely been applied. However,if retrieving the link results in the contents of a smb.conf file,then the system is vulnerable.