9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution

Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.


Wednesday, October 25, 2023 12:10

Cisco Talos has disclosed 17 vulnerabilities over the past two weeks, including nine that exist in popular VPN software.

Talos’ Vulnerability Research team also found a cross-site scripting (XSS) vulnerability in the Peplink Surf series of home and wireless routers that could allow an attacker to manipulate HTML elements into executing arbitrary JavaScript. However, this vulnerability is not considered to be particularly serious, with a CVSS severity score of only 3.4 out of 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**SoftEther VPN client**

Discovered by Lilith >_>.

The SoftEther VPN client contains multiple vulnerabilities that could lead to a variety of conditions, including allowing an adversary to cause a denial of service or execute arbitrary code on the targeted machine. SoftEther is an open-source, cross-platform, multi-protocol VPN managed as part of an academic project at the University of Tsukuba in Japan.

Four of the vulnerabilities Talos disclosed last week exist when an adversary sends a specific set of packets to the targeted device, and can cause the software to crash entirely, leading to a denial of service:

  • TALOS-2023-1736 (CVE-2023-22325)
  • TALOS-2023-1741 (CVE-2023-23581)
  • TALOS-2023-1737 (CVE-2023-22308)
  • TALOS-2023-1743 (CVE-2023-25774)

The most serious of these issues is TALOS-2023-1735 (CVE-2023-27395), a vulnerability in the VPN that could lead to a heap-based buffer overflow, potentially allowing an attacker to execute arbitrary code. This vulnerability is considered critical, with a CVSS score of 9.0 out of 10.

Two other vulnerabilities — TALOS-2023-1755 (CVE-2023-32634) and TALOS-2023-1754 (CVE-2023-27516) — could allow an adversary to gain unauthorized access to the VPN session by viewing the default RPC server credentials. This opens the door for the attackers to install certificates and carry out man-in-the-middle attacks or dump the VPN’s authentication settings and further compromise the endpoint connected to the VPN session.

A man-in-the-middle attack could also be used to exploit TALOS-2023-1768 (CVE-2023-31192) and TALOS-2023-1753 (CVE-2023-32275), which lead to the disclosure of sensitive information in certain packets.

**JustSystems Ichitaro word processor remote code execution vulnerabilities**

Discovered by a Cisco Talos researcher.

Talos researchers recently found four vulnerabilities in the JustSystems Ichitaro word processor that could lead to arbitrary code execution, albeit with varying paths.

Ichitaro is one of the most popular word processing systems in the Japanese market and utilizes the ATOK input method. An adversary could exploit these vulnerabilities by tricking the targeted user into opening a specially crafted, malicious file in the program.

The vulnerabilities all exist in various parsers in the software:

  • TALOS-2023-1758 (CVE-2023-34366)
  • TALOS-2023-1808 (CVE-2023-38127)
  • TALOS-2023-1809 (CVE-2023-38128)
  • TALOS-2023-1825 (CVE-2023-35126)

**XSS, command injection vulnerabilities in SOHO router**

Discovered by Matt Wiseman.

A stored cross-site scripting vulnerability exists in the Peplink Surf line of small and home office (SOHO) wireless routers that can lead to the execution of arbitrary JavaScript in another user’s browser.

An attacker could trigger TALOS-2023-1781 (CVE-2023-34354) or TALOS-2023-1782 (CVE-2023-35194 and CVE-2023-35193) by making an authenticated HTTP request.

The Surf routers also contain three vulnerabilities that could allow an attacker to execute arbitrary commands in the context of the router’s operating system. To exploit TALOS-2023-1778 (CVE-2023-34356), TALOS-2023-1779 (CVE-2023-28381) and TALOS-2023-1780 (CVE-2023-27380), an attacker first needs to be authenticated on the device and then make a specially crafted HTTP request.

Related news

Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word

Research conducted by Cisco Talos last year uncovered multiple vulnerabilities rated as low severity despite their ability to allow for full arbitrary code execution.

CVE-2023-35126: Multiple vulnerabilities in JustSystems products

An out-of-bounds write vulnerability exists within the parsers for both the "DocumentViewStyles" and "DocumentEditStyles" streams of Ichitaro 2023 1.0.1.59372 when processing types 0x0000-0x0009 of a style record with the type 0x2008. A specially crafted document can cause memory corruption, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-32634: TALOS-2023-1755 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the CiRpcServerThread() functionality of SoftEther VPN 5.01.9674 and 4.41-9782-beta. An attacker can perform a local man-in-the-middle attack to trigger this vulnerability.

CVE-2023-31192: 2023/06/30: SE202301: Security Advisory: CVE-2023-27395 etc: Fixed 6 vulnerabilities of SoftEther VPN in cooperation with Cisco Systems, Inc.

An information disclosure vulnerability exists in the ClientConnect() functionality of SoftEther VPN 5.01.9674. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

CVE-2023-32275: TALOS-2023-1753 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the CtEnumCa() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.

CVE-2023-25774: TALOS-2023-1743 || Cisco Talos Intelligence Group

A denial-of-service vulnerability exists in the vpnserver ConnectionAccept() functionality of SoftEther VPN 5.02. A set of specially crafted network connections can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.

CVE-2023-22308: TALOS-2023-1737 || Cisco Talos Intelligence Group

An integer underflow vulnerability exists in the vpnserver OvsProcessData functionality of SoftEther VPN 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

CVE-2023-23581: TALOS-2023-1741 || Cisco Talos Intelligence Group

A denial-of-service vulnerability exists in the vpnserver EnSafeHttpHeaderValueStr functionality of SoftEther VPN 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service.

CVE-2023-27516: TALOS-2023-1754 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. A specially crafted network packet can lead to unauthorized access. An attacker can send a network request to trigger this vulnerability.

CVE-2023-35193: TALOS-2023-1782 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of Peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset 0x4bddb8.

CVE-2023-34356: TALOS-2023-1778 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the data.cgi xfer_dns functionality of Peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2023-28381: TALOS-2023-1779 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of Peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2023-27380: TALOS-2023-1780 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of Peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
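The four Surf command-injection entries above, like the router section of the article, all hinge on a CGI handler passing an authenticated request parameter to `system`. As an added example that is not Talos or Peplink code, here is that unsafe pattern beside a hardened handler in C, modelled on a hypothetical DNS-lookup endpoint; the function names and the `nslookup` helper are assumptions, not the firmware's own code.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* UNSAFE pattern: the request parameter is pasted into a shell command
 * line, so any shell metacharacters in it are interpreted by the shell
 * that system() would spawn. Shown here only as a string builder. */
int build_unsafe_cmd(char *out, size_t outlen, const char *hostname) {
    int n = snprintf(out, outlen, "nslookup %s", hostname);
    return n >= 0 && (size_t)n < outlen;
}

/* Diagnostic: does the parameter carry bytes a POSIX shell treats specially? */
int contains_shell_meta(const char *s) {
    return strpbrk(s, ";|&`$()<>\n'\"\\ ") != NULL;
}

/* Strict allowlist for a hostname: letters, digits, '-' and '.', with a
 * length cap; anything else is rejected before it gets near a process. */
int is_valid_hostname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* HARDENED handler: validate first, then exec the helper directly with the
 * parameter as one argv element, so no shell ever parses it.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int run_lookup_safely(const char *hostname) {
    if (!is_valid_hostname(hostname)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("nslookup", "nslookup", hostname, (char *)NULL);
        _exit(127);              /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same split applies to the x509, MVPN and USSD handlers: validate against what the field may legitimately contain, then avoid the shell entirely rather than trying to escape for it.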

CVE-2023-34354: TALOS-2023-1781 || Cisco Talos Intelligence Group

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of Peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary JavaScript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.