Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-22137: TALOS-2022-1449 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

CVE
#vulnerability#web#mac#windows#microsoft#linux#cisco#intel#pdf

Summary

A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Accusoft ImageGear 19.10

Product URLs

ImageGear - https://www.accusoft.com/products/imagegear-collection/

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-131 - Incorrect Calculation of Buffer Size

Details

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed IOCA file, we end up with the following situation:

(1bf4.175c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8:
71928758 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:d0d0d0a0=????????

When looking at the call stack, we can observe the crash is happening during the free process as detailed below:

STACK_TEXT:  
0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b

Inspecting the argument indicates the parameter to free() is not a valid address: 0xd0d0d0c0.
Tracing back through the call stack leads us to the function IGDIBRunEnds::delete_table_mys_rbg_ptr with the following pseudo code:

LINE1  void __thiscall IGDIBRunEnds::delete_table_mys_rbg_ptr(IGDIBRunEnds *this,int pixpos,int some_buffer)
LINE2  {
LINE3    if (this->mys_RGB != (mys_RGB *)this->table_mys_rgb[pixpos]) {
LINE4       operator_delete((mys_RGB *)this->table_mys_rgb[pixpos]);
LINE5    }
LINE6    if (some_buffer == 0) {
LINE7       some_buffer = (int)this->mys_RGB;
LINE8    }
LINE9    this->table_mys_rgb[pixpos] = some_buffer;
LINE10   this->field_0x48 = 1;
LINE11   return;
LINE12 }

The free is corresponding to the operator_delete called in LINE4, which is indexed by pixpos to delete a specific element.

When looking at how this is constructed, the table_mys_rgb object in this case lands in the following code:

LINE13 void __thiscall IGDIBRunEnds::FUN_743f6aa0(IGDIBRunEnds *this)
LINE14 {  
LINE15   if (this->table_mys_rgb == (dword *)0x0) {
LINE16     size_to_allocate = this->size_Y * 4;
LINE17     buffer = (dword *)operator_new(-(uint)((int)(size_to_allocate >> 0x20) != 0) |
LINE18                                    (uint)size_to_allocate);
LINE19     if (this->table_mys_rgb != buffer) {
LINE20       operator_delete(this->table_mys_rgb);
LINE21       this->table_mys_rgb = buffer;
LINE22     }
LINE23     size_y = this->size_Y;
LINE24     while (size_y != 0) {
LINE25       size_y = size_y - 1;
LINE26       this->table_mys_rgb[size_y] = (dword)this->mys_RGB;
LINE27     }
LINE28   }
LINE29   return;
LINE30 }

So we can see the allocation in LINE17, followed by a while loop between LINE24 and LINE27 to fill the memory allocated. Now the issue is happening when size_Y read from the file is null, thus the allocation of buffer becomes uncontrolled and a zero byte allocation is made in LINE17, returned by a malloc null operation. Thus the while loop (LINE24) is not processed and the flow continues without initializing any element in table_mys_rgb. When the thread reaches the function IGDIBRunEnds::delete_table_mys_rbg_ptr, even with a null pixpos value, the pointer at table_mys_rgb[0] (which is not initialized, since table_mys_rgb has a size of 0) is freed via operator_delete, possibly leading to an arbitrary free.

Crash Information

0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 1905

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 34355

    Key  : Analysis.Init.CPU.mSec
    Value: 5030

    Key  : Analysis.Init.Elapsed.mSec
    Value: 119236

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 123

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 1162

    Key  : Timeline.Process.Start.DeltaSec
    Value: 84

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 1.0.1.1


NTGLOBALFLAG:  2000000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

APPLICATION_VERIFIER_LOADED: 1

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 71928758 (verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0x000000b8)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: d0d0d0a0
Attempt to read from address d0d0d0a0

FAULTING_THREAD:  0000175c

PROCESS_NAME:  Fuzzme.exe

READ_ADDRESS:  d0d0d0a0 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  d0d0d0a0

STACK_TEXT:  
0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+b8

MODULE_NAME: verifier_71920000

IMAGE_NAME:  verifier.dll

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_verifier.dll!AVrfpDphFindBusyMemoryNoCheck

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  10.0.19041.1

FAILURE_ID_HASH:  {bd57151c-e59f-3c94-75ca-6923d50e6d0d}

Followup:     MachineOwner
---------

Vendor Response

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

Download Links Windows: https://download.accusoft.com/imagegear/pro/ImageGear_for_C_and_CPP_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear_for_C_Cpp20.0.0-Linux64.tar.gz

https://download.accusoft.com/imagegear/pro/ImageGear_for_C_and_CPP_v20.0.exe

Timeline

2022-01-26 - Vendor disclosure
2022-04-29 - Vendor Patched
2022-05-02 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

Related news

Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers

A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted. "Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open

Red Hat Security Advisory 2022-1681-01

Red Hat Security Advisory 2022-1681-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.4 General Availability release images. This update provides security fixes, bug fixes, and updates container images. Issues addressed include bypass and traversal vulnerabilities.

Syxsense Enterprise Unifies Endpoint Security and IT Management for Real-Time Vulnerability Monitoring and Remediation

IT Teams can now manage, detect, and secure all endpoints with 100% visibility across desktop, laptop, server, and mobile devices.

CVE-2021-27425: GitHub - cesanta/mongoose-os: Mongoose OS - an IoT Firmware Development Framework. Supported microcontrollers: ESP32, ESP8266, CC3220, CC3200, STM32F4, STM32L4, STM32F7. Amazon AWS IoT, Microsoft Azur

Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

Unpatched DNS-Poisoning Bug Affects Millions of Devices, Stumps Researchers

The security vulnerability puts wide swaths of industrial networks and IoT devices at risk of compromise, researchers warn.

CVE-2022-22368: IBM Spectrum Scale information disclosure CVE-2022-22368 Vulnerability Report

IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 221012.

CVE-2021-29854: Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854)

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.

CVE-2022-28599: A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 · Issue #595 · daylightstudio/FUEL-CMS

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

Syxsense Launches Unified Endpoint Security and Management Platform

Syxsense Enterprise delivers real-time vulnerability monitoring and remediation for all endpoints across an organization’s entire network.

RHSA-2022:1681: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.4.4 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.4.4 General Availability release images. This update provides security fixes, bug fixes, and updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23555: vm2: vulnerable to Sandbox Bypass * CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic * CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-0235: node-fetch: exposure o...

CVE-2022-23400: TALOS-2022-1465 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

Tenda HG6 3.3.0 Remote Command Injection

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

Red Hat Security Advisory 2022-1600-01

Red Hat Security Advisory 2022-1600-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.12.

Red Hat Security Advisory 2022-1520-01

Red Hat Security Advisory 2022-1520-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.6.2 serves as a replacement for Red Hat JBoss Web Server 5.6.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.

Red Hat Security Advisory 2022-1519-01

Red Hat Security Advisory 2022-1519-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.6.2 serves as a replacement for Red Hat JBoss Web Server 5.6.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.

Teleport Raises $110 Million Series C at $1.1 Billion Valuation Led by Bessemer Venture Partners

Funding follows dramatic revenue growth as identity-based access requirements skyrocket.

CVE-2022-28589: Cross-Site Scripting (XSS) in "admin/pages.php?action=add_new" · Issue #23 · pixelimity/pixelimity

A stored cross-site scripting (XSS) vulnerability in Pixelimity 1.0 allows attackers to execute arbitrary web scripts or HTML via the Title field in admin/pages.php?action=add_new

Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information. The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an

OccamSec Unveils New Cybersecurity Platform

Providing continuous penetration testing with context, and a host of other features, the Incenter platform is built to give organizations what they need to effectively secure their environment.

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

Developing Software? Get Accountability Right First

Software accountability offers a fresh perspective for creating and managing digital products, mainly by making processes more reliable and transparent for every stakeholder.

Mozilla: Lack of Security Protections in Mental-Health Apps Is ‘Creepy’

Popular apps to support people’s psychological and spiritual well-being can harm them by sharing their personal and sensitive data with third parties, among other privacy offenses.

TLS Flaws Leave Avaya, Aruba Switches Open to Complete Takeover

In the latest incarnation of the TLStorm vulnerability, switches from Avaya and Aruba — and perhaps others — are susceptible to compromise from an internal attacker.

RHSA-2022:1676: Red Hat Security Advisory: gzip security update

An update for gzip is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability

Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products. The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems. <!--adsense--> uClibc is known to be used by major

CVE-2022-20737: Cisco Security Advisory: Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability

A vulnerability in the handler for HTTP authentication for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or to obtain portions of process memory from an affected device. This vulnerability is due to insufficient bounds checking when parsing specific HTTP authentication messages. An attacker could exploit this vulnerability by sending malicious traffic to an affected device acting as a VPN Gateway. To send this malicious traffic, an attacker would need to control a web server that can be accessed through the Clientless SSL VPN portal. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition, or to retrieve bytes from the device process memory that may contain sensitive information.

CVE-2022-20759: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Privilege Escalation Vulnerability

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15. This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM). Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only.

CVE-2022-20742: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability

A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec IKEv2 VPN tunnel and then using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.

CVE-2022-20746: Cisco Security Advisory: Cisco Firepower Threat Defense Software TCP Proxy Denial of Service Vulnerability

A vulnerability in the TCP proxy functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. This vulnerability is due to improper handling of TCP flows. An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVE-2022-20748: Cisco Security Advisory: Cisco Firepower Threat Defense Software Local Malware Analysis Denial of Service Vulnerability

A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. This vulnerability is due to insufficient error handling in the local malware analysis process of an affected device. An attacker could exploit this vulnerability by sending a crafted file through the device. A successful exploit could allow the attacker to cause the local malware analysis process to crash, which could result in a DoS condition. Notes: Manual intervention may be required to recover from this situation. Malware cloud lookup and dynamic analysis will not be impacted.

CVE-2022-20629: Cisco Security Advisory: Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

CVE-2022-20744: Cisco Security Advisory: Cisco Firepower Management Center Software Information Disclosure Vulnerability

A vulnerability in the input protection mechanisms of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view data without proper authorization. This vulnerability exists because of a protection mechanism that relies on the existence or values of a specific input. An attacker could exploit this vulnerability by modifying this input to bypass the protection mechanism and sending a crafted request to an affected device. A successful exploit could allow the attacker to view data beyond the scope of their authorization.

CVE-2022-20740: Cisco Security Advisory: Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface. A successful exploit could allow the attacker to conduct cross-site scripting attacks and gain access to sensitive browser-based information.

CVE-2022-20751: Cisco Security Advisory: Cisco Firepower Threat Defense Software Snort Out of Memory Denial of Service Vulnerability

A vulnerability in the Snort detection engine integration for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause unlimited memory consumption, which could lead to a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient memory management for certain Snort events. An attacker could exploit this vulnerability by sending a series of crafted IP packets that would generate specific Snort events on an affected device. A sustained attack could cause an out of memory condition on the affected device. A successful exploit could allow the attacker to interrupt all traffic flowing through the affected device. In some circumstances, the attacker may be able to cause the device to reload, resulting in a DoS condition.

CVE-2022-20767: Cisco Security Advisory: Cisco Firepower Threat Defense Software DNS Enforcement Denial of Service Vulnerability

A vulnerability in the Snort rule evaluation function of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of the DNS reputation enforcement rule. An attacker could exploit this vulnerability by sending crafted UDP packets through an affected device to force a buildup of UDP connections. A successful exploit could allow the attacker to cause traffic that is going through the affected device to be dropped, resulting in a DoS condition. Note: This vulnerability only affects Cisco FTD devices that are running Snort 3.

CVE-2022-20743: Cisco Security Advisory: Cisco Firepower Management Center File Upload Security Bypass Vulnerability

A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected system. This vulnerability is due to improper validation of files uploaded to the web management interface of Cisco FMC Software. An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges.

CVE-2022-20715: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability

A vulnerability in the remote access SSL VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of errors that are logged as a result of client connections that are made using remote access VPN. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to cause the affected device to restart, resulting in a DoS condition.

CVE-2022-20745: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Denial of Service Vulnerability

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper input validation when parsing HTTPS requests. An attacker could exploit this vulnerability by sending a crafted HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVE-2022-20730: Cisco Security Advisory: Cisco Firepower Threat Defense Software Security Intelligence DNS Feed Bypass Vulnerability

A vulnerability in the Security Intelligence feed feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the Security Intelligence DNS feed. This vulnerability is due to incorrect feed update processing. An attacker could exploit this vulnerability by sending traffic through an affected device that should be blocked by the affected device. A successful exploit could allow the attacker to bypass device controls and successfully send traffic to devices that are expected to be protected by the affected device.

CVE-2022-20760: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS Inspection Denial of Service Vulnerability

A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service condition (DoS) on an affected device. This vulnerability is due to a lack of proper processing of incoming requests. An attacker could exploit this vulnerability by sending crafted DNS requests at a high rate to an affected device. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition.

CVE-2022-20729: Cisco Security Advisory: Cisco Firepower Threat Defense Software XML Injection Vulnerability

A vulnerability in CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject XML into the command parser. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted input in commands. A successful exploit could allow the attacker to inject XML into the command parser, which could result in unexpected processing of the command and unexpected command output.

CVE-2022-20757: Cisco Security Advisory: Cisco Firepower Threat Defense Software Denial of Service Vulnerability

A vulnerability in the connection handling function in Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper traffic handling when platform limits are reached. An attacker could exploit this vulnerability by sending a high rate of UDP traffic through an affected device. A successful exploit could allow the attacker to cause all new, incoming connections to be dropped, resulting in a DoS condition.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907