When a Multipart request is performed but some of the fields exceed the maxStringLength  limit, the upload files will remain in struts.multipart.saveDir  even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-41835

An argument injection vulnerability has been identified in the 
administrative web interface of the Atos Unify OpenScape products "Session Border Controller" (SBC) and "Branch", before version V10 R3.4.0, and OpenScape "BCF" before versions V10R10.12.00 and V10R11.05.02. This allows an 
unauthenticated attacker to gain root access to the appliance via SSH (scope change) and also bypass authentication for the administrative interface and gain
 access as an arbitrary (administrative) user.

%PDF-1.4 %���� 3 0 obj <> /Annots \[ 9 0 R 10 0 R \] /Contents 4 0 R>> endobj 4 0 obj <> stream �1%���?�þʭ�Ʉ񿽍i�:�J<��)E�~DXV@�/ۻ���};��@�����r�!|�F��+�4S#J�j����\*h�Ɵ2ɝ!��+;W�A���5��V����s=��eH�Bp�>����-}��d���C/SER��,�(��3�e���\*��+������,�� '��I��(�46ܨc(���{/v�z�\\99c���Ԋ��!?�3zp7���k}Y\]hd}�FEף�W96�%�r������ձ�U�P9��B �J�9V-E�gP�"����{�\_HҤ\*��W�V 2u��E��P!~�Z4'D<��2�׺7�;?����5D'�8s2x���>���=�X�W4�Ohў%\\'��j���� ����N��QR�%S��|�LX܃�m( ��7k���V�9�#�K�Ǭ�}� R5��}�\`TW����������"+?��K5�U�3v\*l��\*��p1�0 $#��J�J�j�\_\*��Gdw�g������LfI�����9t��Ѽ�tt\[���Y�\\�?��A��TDdƖk�\\M�E�Y�F�)(�9�\*�����|�n2Q��\`,o�K~7,������܍��ο�'���b3"j�:=���������^�^ƑѺ�(���5O�}�βAL��N����e���ה�G�%,\*{���N��N�}-����P\*��$)���j4D��&�IC(�����H�����h���#���e�^1iZe;%��� 9QE@ .\[���x���=}�c����iH�E\*�4\*HF8.��:��S�e��PE\*���$����\_J�5ޅB�s{��bM��:m0��R4�v}C:e�n\_~\*<�M?<2j�39Ӄ}�\_"S{FJqVE��T�T�9:�t^�/�Fv�%�(Q��f\`�X�KX�����͘\\\_zph$��\_6��eд�LJ3WGr��a����ne'\[Tǔ>��ᔬ�>�y��5 x�UDS���zӉ:�2���ER�C��ᯗ�����M��;F�j�������e��4�L����|�%�$א�4)�����.L�h�L.�\*b�C�Xɋ�i+��d�I=���&j��'$~�2p�1��Jx��ZG�sr���"\\~׾B!%ڼ�����J�^%�AZ��%^��P�wL�N���D��Ҩri�f�4o��Nk4��;�k�����x\_E��\_ȗu/ ��MM��\_-�@N7��=���mR�kM\[O��o2{ɷ�v����گvci�����u��(��ӌ+6�D>\`4b�dҿ�^� U$\`Jl\`W�kIX�Y��g8\[2�f�X�T�0C��e�D��"�:��4��F�<�;���(4��Ӷ�S�FX�P���\]�e��KN��r�k�1"0�8�5IF6��������#Oa|�0�襤#�U�f���;@� D�,"H͆U{?a1�LgWXcGa���|���S�&�&��� �w߲6��8�H��4���\*'�H���|�Bm��\\b��Oo�p�W$��8�,�� \*���m/�~ohr�\*yu����{�H�=��\`���n�:\\�)W��x�̡Uƌ�u��8{���Zu�f��4�n,N/� endstream endobj 5 0 obj <> /Annots \[ 11 0 R \] /Contents 6 0 R>> endobj 6 0 obj <> stream ���\\v,XM���E 2�=�q�uT�Ӡ�g���rp������=v�V?s�-�1�)�F��e�����9�\\y{�%��w�}�����Ul��ڀ�aF8���\]ˬb�\_���a���^��\_=�ê��(�G6ۇ;<�=p�|��Ȉ����i���!j\*3�A\`W�0��� ����G0D!��.!-7\`��4�~��r� G-��>�5�,�;��M0��c�(�P�!�ϲ�gNG�ā�s�"��ʡ�P���>τs�߆+�6S�m�8k̖�W��L6��BV�\_n'y�:���2������\`����\*�u4˝ LRd��W��E��yf���um�%s��P�N���E�:ʺ� 4�Q)��\\j���\_d ����:�����b\_,v���s�Y�\_-�ތ����/&�\[��7���X=o RH콮�6q.��G�����\_��Iy�^���;Wb7!k�k�J�\`��{�ė:P\*�z�(��9��Xv�9�c�\`SI)\_��ҍ+�-\\���a�'?�12l1Ӿ�DF����$�t�k��ј�QN��t~�� �FZ��ܵ�G^��!��&\_ i��"W�B���C\\�M�a ��x@y�����MDo����;�d�ɳs8�@Z\]��fg���% FY���/է\\Њ� x\]��p\*�����dn��7���V �e��nqt��� ͦ+���8js�EA�璅FIA���nc�!F p��$ϭ�CPy�)6(���'0v��'�vܕ�Ңj�ʘ�>�Q����=K���aǃ��)�Ѣxm���ĕ��\*h��%Z�� h�O���\\y��7����� �A�kW��}H���S<�y\_oRJ����l����l%�/���P��(-A��Ȣ�V$H�#�\]iȂK+X���t��z7S��)\\�A߾6�I\]= �?���O����iʶ/��Q�)}�5����o� ��OP��.���J7����Pc���qx۠�\]�<6Jq�=ya�Y�\[���X�6�P�JP�߳�IK6��:t���\`�T��R�\`: 4X\[Njٿ�v�5����� �ɒLBR=\[�J����P���q��i������f�SJ\*1�'���ŀ�\[� = w�B:bE�=���$�"��|��%��\[��=8�%V#k֬Z��J�S������Ģ�� ��w�xC�}Zu�F~��P����z\[�(ae"��QIW��v�ea)wVn� �P�e�H�>/%��n^�޵�R٥H/�K� �j�Z��\]px��(�}����C1F�帨��!@qn6��ɦ����� ��\_J9P\\8�9D�(��?����������bIK't4z�(-�k�+�4z�¤���D%Ӣ<�Y����a����M��KC���}�Ҩ9T�;�j�O�b~\*� �c�Asm�~�h����\[��,�C�lֿ-G�"SY}��!JV�\\3��0gv�X�I$�N���LCݡLz�(goU�M����F�0���KR�z\[���d��O���V@� y̱7Ȋ\`F%���W>�Y�S2��@���a&$#�� w%�d�i�<��b\]Y��zY�,��i�X �W�l����) �-^��-Y���O�h\`��V����Y�=JXSk%���9��B�yB�&�S$�;�ݗ��� 樭E9��;K��9���-���24�,��C�5j��1N�g�Ge��S���t\]RZ6��(� .bn���{yc\[� \*4꟣���

CVE-2023-6269

The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.

2023-12-05 08:00 (CET) VDE-2023-044  

**Wago: Vulnerabilities in IEC61850 Server / Telecontrol**  
Share: Email | Twitter  

**Published**

2023-12-05 08:00 (CET)

**Last update**

2023-12-04 08:35 (CET)

**Vendor(s)**

WAGO GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

Telecontrol Configurator

\= \*

WagoAppRTU

< 1.4.6.0

**Summary**

The Library WagoAppRTU which is part of the Wago Telecontrol Configurator is prone to improper input validation. By sending specifically crafted MMS packets an attacker can trigger a denial-of-service condition.

**CVE ID**

**Last Update:**

Oct. 26, 2023, 11:55 a.m.

**Severity**

**Weakness**

Improper Input Validation  (CWE-20) 

**Summary**

The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.

**Details**

**Impact**

Affected devices will stop working after receiving specifically crafted packets until restart.

**Solution**

**Mitigation**

*   Restrict network access to the device.
*   Do not directly connect the device to the internet.

**Remediation**

A fix for WAGO Telecontrol Configurator is contained within the IEC-library WagoAppRTU 1.4.6.0 and available via Wago support. (A new release is planned for the end of the year.)

**Reported by**

The vulnerability was reported by Sofia Pisani.

Coordination done by CERT@VDE.

CVE-2023-5188: VDE-2023-044 | CERT@VDE

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.

Most Machine Language (ML) tools — including the development frameworks used for managing ML life cycles — are relatively new, which means they could well  have security vulnerabilities. 

After finding two Common Vulnerabilities and Exposures (CVEs)  in the Togglz web console (the cross-site scripting \[XSS\] CVE-2020-28192 and the cross-site request forgery \[CSRF\]  CVE-2020-28191), I decided to check out MLflow, a development framework for ML life cycle management, thinking that it could potentially be vulnerable. 

It was. Specifically, I found a misconfigured application programming interface (API) that fails to check the content-type header. This means that an attacker can make a simple request to localhost without triggering a preflight — i.e., an HTTP request of the OPTIONS method, sent before the request itself, in order to determine if it is safe to send the request. I found that this could be done in MLflow by using a text/plain content type, instead of the more proper application/JavaScript Object Notation (JSON) content type. 

**An existential threat to companies being built around ML **

The result is an extremely dangerous vulnerability that threatens ML models: A successful attack can lead to the leaking of both an ML model and all training data to an attacker. This is an existential threat to companies being built around an ML model. Given a successful exploit of this vulnerability, an attacker could gain access/control that would be the equivalent of gaining write access with the source code of a company that writes software. 

I reported this CVE — designated CVE-2023-43472 — on Sept. 5, 2023 and directly emailed Databricks, the original creator and current maintainer of MLflow. I informed Databricks that I would be giving a talk describing the issue at the DefCamp security conference on Friday, Nov. 24. As of Nov. 29, Databricks reported that it was working on a fix that was scheduled to be released later this week.

This CVE impacts all versions of MLflow from at least 2.6.0, and most likely all 2.x versions. 

I'm not sure exactly how widely used MLflow is, but based on the number of stars it’s garnered on GitHub, it’s more popular than the Kubernetes-based Kubeflow: 15.9K stars for MLflow, vs. 13.2K for Kubeflow. For what it’s worth, when Canonical recently announced its Charmed MLflow MLops platform, Canonical Vice President of Product Management Cédric Gégout called MLflow “the leading AI framework for streamlining all ML stages.” 

**The vulnerability**

The MLflow user interface (http://localhost:5000/) contains a REST API. Normally, this wouldn't be vulnerable to Simple Request Attacks, as the POST request uses a content type of application/JSON, which would trigger a preflight request and therefore would not be vulnerable.

But in this case, the API doesn't check the content type header. Therefore, it’s possible to trigger a request with a content type of text/plain.

As can be seen in the above Request/Response, while the request body is valid JSON, the content-type set is text/plain. The API should reject this request, given that it’s of an unexpected type, but the API apparently doesn’t check the content type.

Using that, if you can get the MLflow user to visit a website for which you control the JavaScript — say, by creating a MLfLow tutorial website — you can effectively modify the Default Experiment and set the artifact location to a globally writable S3 bucket that you control. An adversary can then use that to exfiltrate any data sent to the bucket.

Unfortunately, the API is lacking some functionality. You can neither modify Experiments artifact\_uri via the API nor delete the Default Experiment. But you can create new ones and modify the existing experiment name, so the new experiment is named “Default.”

The attack does the following:

*   Modify the Default experiment name to "Old.”

*   Create a new experiment named "Default" with an artifact\_uri of an S3 bucket.

*   Once a new MLFLow run is done — e.g., mlflow run sklearn\_elasticnet\_wine -P alpha=0.5, experiment-name Default — the result of the run will be uploaded to the S3 bucket.

The payload is available here. 

**Impact**

This vulnerability allows an attacker to exfiltrate a serialized version of the ML model and the data used to train the model, if the attacker is able to get the MLFlow user to access a website they control.

**Attacking a developer environment via drive-by localhost attacks**

To put this vulnerability into context, there’s a widespread belief that services that are only bound to localhost are not accessible from the outside world. Unfortunately, this is not always the case. Developers, for the sake of convenience, configure the services that they are developing in a less secure way compared with how they would (hopefully!) configure them in higher-security environments. 

By compromising websites used by developers — simply by injecting JavaScript into advertisements served on those sites or by serving up a phishing attack that gets the developer to open a web browser on a compromised page — it is possible to reach out via non-pre-flighted HTTP requests to those services bound to localhost, either by exploiting common misconfigurations in the Spring application framework or via known vulnerabilities found by myself, including the recently disclosed CVE that I found in the popular Quarkus Java framework.

As I demonstrated during Friday’s Def Camp talk, it is possible to generate a remote code execution (RCE) on the developer’s machine or on other services on their private network. Given that developers have write access to codebases, AWS keys, server credentials, etc., access to the developer’s machine gives an attacker a great deal of scope to pivot to other resources on the network, as well as to either modify or to entirely steal the codebase.

**Easy to exploit**

CVE-2023-43472 would be relatively simple to exploit: an attacker merely has to get a target to visit a website that they control. At that point, the attacker can silently modify the location the data is saved to to be an S3 bucket under their control.

An exploit could be used to send data to a globally writable S3 bucket, from which it can be exfiltrated. 

Amazon S3 buckets are used to store all sorts of data: they’re just a way to store data programmatically in the cloud. There are no AWS security guardrails that could limit the extent of damage somebody could do in an exploit, given that the S3 bucket is created and owned by the attacker. 

**How this could affect ML models**

A successful exploit could lead to more than data exfiltration. Given that an ML model is stored in the bucket, there would be potential to poison the ML model itself. In such an attack, an adversary is able to inject bad data into the model’s training pool, causing it to learn something it shouldn’t. 

If/when the model is read by the victim, there’s also the potential for a modified model.pkl file to contain a Python pickle exploit, which can lead to RCE on the victim’s machine.

**What to do**

MLflow users should upgrade to the new version as soon as it's available.

**Read more:**

*   Contrast discovers zero-day flaw in popular Quarkus Java framework (blog)
*   Contrast API Security Testing Platform (product page)
*   Hands-on testing and protecting APIs (virtual workshop) 
*   Defense-in-depth web AppSec: The case for having both RASP and WAF (white paper PDF)
*   The Future of API Security (webinar)
*   Protecting Apis: An Uphill Battle (white paper PDF)
*   Building a modern API security strategy: A five-part series — Overview (blog)

CVE-2023-43472: Contrast discovers MLflow framework zero-day that threatens to poison machine language models


Dell OS10 Networking Switches running 10.5.2.x and above contain an Uncontrolled Resource Consumption (Denial of Service) vulnerability, when switches are configured with VLT and VRRP. A remote unauthenticated user can cause the network to be flooded leading to Denial of Service for actual network users. This is a high severity vulnerability as it allows an attacker to cause an outage of network. Dell recommends customers to upgrade at the earliest opportunity.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-39248

Dell OS10 Networking Switches running 10.5.2.x and above contain an Uncontrolled Resource Consumption (Denial of Service) vulnerability, when switches are configured with VLT and VRRP. A remote unauthenticated  
user can cause the network to be flooded leading to Denial of Service for actual network users. This is a high severity vulnerability as it allows an attacker to cause an outage of network. Dell recommends customers to upgrade at the earliest opportunity.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-39248

Dell OS10 Networking Switches running 10.5.2.x and above contain an Uncontrolled Resource Consumption (Denial of Service) vulnerability, when switches are configured with VLT and VRRP. A remote unauthenticated  
user can cause the network to be flooded leading to Denial of Service for actual network users. This is a high severity vulnerability as it allows an attacker to cause an outage of network. Dell recommends customers to upgrade at the earliest opportunity.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed

Product

Software/Firmware  
 

Affected Versions 

Remediated Versions

Link

CVE-2023-39248

Dell Networking OS10

 

10.5.5.5

10.5.5.6

Dell SmartFabric OS10, 10.5.5.6, GNS3 Bundle

CVEs Addressed

Product

Software/Firmware  
 

Affected Versions 

Remediated Versions

Link

CVE-2023-39248

Dell Networking OS10

 

10.5.5.5

10.5.5.6

Dell SmartFabric OS10, 10.5.5.6, GNS3 Bundle

**Workarounds and Mitigations**

CVE ID

Workaround and Mitigation

CVE-2023-39248

Workaround: Not enabling VRRP when VLT is enabled prevents the vulnerability from being exploitable.  
Mitigation: Example : Enable flooding prevention. CLI/WebUI

For both Workaround or Mitigation; this must be something our Customers should be able to act within the administrative consoles of the product (CLi/WebUi)

If none of either then simply write : None

**Revision History**

Revision 

Date

Description

1.0

2023-12-04

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-39248: DSA-2023-278: Dell Networking OS10 Security Updates for Uncontrolled resource Consumption.


Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contains an improper control of a resource through its lifetime vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to loss of information, and information disclosure.



**Impact**

High

**Details**

   

Third-Party Component

CVE

CVSS Base Score

CVSS Vector String

OpenSSH

CVE-2023-38408

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

   

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-44288

Dell PowerScale OneFS, 8.2.2.x through 9.6.0.x, contains an improper control of a resource through its lifetime vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, leading to denial of service.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-44295

Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contains an improper control of a resource through its lifetime vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to loss of information, and information disclosure.

6.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 

   

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-44288

Dell PowerScale OneFS, 8.2.2.x through 9.6.0.x, contains an improper control of a resource through its lifetime vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, leading to denial of service.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-44295

Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contains an improper control of a resource through its lifetime vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to loss of information, and information disclosure.

6.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

    

CVE(s) Addressed

Product

Affected Version(s)

Remediated Version(s)

Link

CVE-2023-38408

PowerScale OneFS

Version 9.4.0.0 through 9.4.0.15

Version 9.4.0.16 or later, RUP for version 9.5 is expected in January 2024.

PowerScale OneFS Downloads Area

CVE-2023-38408

PowerScale OneFS

Version 9.5.0.0 through 9.5.0.6

RUP for version 9.5 is expected in January 2024

PowerScale OneFS Downloads Area

CVE-2023-44295

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article : 000219929 : "SyncIQ and SmartSync do not preserve file quarantine attributes"

CVE-2023-44288

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article: 000219931 "NDMP does not automatically close the connection from the security scanner."

    

CVE(s) Addressed

Product

Affected Version(s)

Remediated Version(s)

Link

CVE-2023-38408

PowerScale OneFS

Version 9.4.0.0 through 9.4.0.15

Version 9.4.0.16 or later, RUP for version 9.5 is expected in January 2024.

PowerScale OneFS Downloads Area

CVE-2023-38408

PowerScale OneFS

Version 9.5.0.0 through 9.5.0.6

RUP for version 9.5 is expected in January 2024

PowerScale OneFS Downloads Area

CVE-2023-44295

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article : 000219929 : "SyncIQ and SmartSync do not preserve file quarantine attributes"

CVE-2023-44288

PowerScale OneFS

Version 8.2.2.x through 9.6.0.x

None

Please refer to KB article: 000219931 "NDMP does not automatically close the connection from the security scanner."

Any version prior to PowerScale OneFS version 9.4.0.16 not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to a version 9.4.0.16.

CVE-2023-38408: Customer on 9.6.0.x should upgrade to upcoming 9.7 release (Expected to release in December 2023). RUP for version 9.5 is expected in January 2024.

**Workarounds and Mitigations**

 

CVE

Workaround/mitigation

CVE-2023-38408

Please refer to the OpenSSH security advisory for a workaround.

Note: The user with ISI\_PRIV\_LOGIN\_SSH or ISI\_PRIV\_LOGIN\_CONSOLE is potentially impacted. 

CVE-2023-44295

Please refer the KB Link for mitigation.

CVE-2023-44288

Please refer the KB Link for mitigation.

**Revision History**

Revision

Date

Description

1.0

2023-12-05

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-44295: DSA-2023-417: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Softing OPC Suite version 5.25 and before has Incorrect Access Control, allows attackers to obtain sensitive information via weak permissions in OSF_discovery service.

Publisher: Softing Industrial Automation GmbH

Document category: csaf\_security\_advisory

Initial release date: 2023-11-29T13:17:39.103Z

Engine: Secvisogram 2.2.16

Current release date: 2023-11-29T13:17:39.103Z

Build Date: 2023-12-01T13:18:04.701Z

Current version: 1.0.0

Status: final

CVSSv3.1 Base Score: 5.6

Severity: medium

Original language: en-US

Language:

Also referred to:

**Vulnerabilities****(CVE-2023-37572)**

OSF\_discovery service is started with weak permissions. The service executable could be changed or the service could be deleted.

CWE:

CWE-284:Improper Access Control

Discovery date:

2022-10-14T10:00:00.000Z

**Product status****Known affected**

Product

CVSS-Vector

CVSS Base Score

Softing OPC Suite <= V5.25

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

5.6

**Fixed**

*   Softing OPC Suite V5.30

**Acknowledgments**

*   Tobias Klenert from vi2vi GMS GmbH

**Softing Industrial Automation GmbH**

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at \[email protected\]

**Revision history**

Version

Date of the revision

Summary of the revision

1.0.0

2023-11-29T13:17:39.103Z

Initial version

**Disclaimer**

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-37572: SYT-2023-5: Improper access control vulnerability in OPC Suite

An issue was discovered in Vonage Box Telephone Adapter VDV23 version VDV21-3.2.11-0.5.1, allows local attackers to bypass UART authentication controls and read/write arbitrary values to the memory of the device.

I was experimenting with a Vonage device that I own and discovered a few header pins installed on the board by default that appeared in the configuration of a UART test point.

I hooked the board up to a Tigard (FTDI) and was able to view the UART output. 

Once I was on there it showed that I needed a username/password to authenticate to the device (which was a good sign):

After running the boot sequence a few times I noticed there were options "1", "2", and "p" on the boot sequence. Options "1" and "2" seemed to boot into a regular boot image.

The image that is loaded appears to be VDV21-3.2.11-0.5.1. I tried "p" and this asked me to enter configuration details for the router. After I hit enter through the defaults I found that the device returned to a default menu of some kind.

From within this menu I found that I was able to read/write to memory without any authentication whatsoever, which would likely lead to code execution with a bit more work. Currently it just operates as a data leak / denial-of-service in that I can crash the router on boot.

After looking at the boot sequence in more depth I noticed that it returned memory addresses and other information that could be useful to an attacker or a malicious actor seeking to gain access to your intellectual property by dumping the device's firmware using the arbitrary read/write accessible here.

CVE-2023-47304: CVE-2023-47304: Unsecured UART in Vonage Box Telephone Adapter VDV23 (SW VDV21-3.2.11-0.5.1)

Memory Corruption in Radio Interface Layer while sending an SMS or writing an SMS to SIM.

CVE-2023-21634

Improper URL validation from InstantPlay deeplink in Galaxy Store prior to version 4.5.64.4 allows attackers to execute JavaScript API to access data.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Source

CVE