Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.
Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

With AlphaBay shuttered, Operation Bayonet enters its final phase: driving the site’s refugees into a giant trap. But one refugee hatched his own plan.

The Hunt for the Kingpin Behind AlphaBay, Part 6: Endgame

Raiden MAILD Mail Server website mail field has insufficient filtering for user input. A remote attacker with general user privilege can send email using the website with malicious JavaScript in the input field, which triggers XSS (Reflected Cross-Site Scripting) attack to the mail recipient.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202211002

CVE ID

CVE-2022-41676

CVSS

5.4 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

影響產品

村榮資訊 雷電MAILD Mail Server v4.7

問題描述

雷電MAILD Mail Server網站的郵件欄位未過濾使用者輸入字串，遠端攻擊者以一般使用者權限登入後，在郵件欄位注入JavaScript語法並發送郵件，當受害者瀏覽郵件後，就會執行反射型XSS( Reflected Cross-site scripting)攻擊。

解決方法

更新版本至v4.7.4以上

漏洞通報者

Mason Yang (Acer Cyber Security Inc., ACSI)

公開日期

2022-11-29

CVE-2022-41676: 村榮資訊 雷電MAILD Mail Server -- Cross-Site Scripting

A remote attacker with general user privilege can inject malicious code in the form content of Raiden MAILD Mail Server website. Other users export form content as CSV file can trigger arbitrary code execution and allow the attacker to perform arbitrary system operation or disrupt service on the user side.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202211001

CVE ID

CVE-2022-41675

CVSS

8.0 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

影響產品

村榮資訊 雷電MAILD Mail Server v4.7

問題描述

雷電MAILD Mail Server網站的表單匯出功能未檢查所匯出的CSV檔案內容，遠端攻擊者以一般使用者權限登入後，可以將惡意程式注入到表單中，當其他使用者下載表單時，會取得惡意的CSV檔案，觸發任意程式碼執行，並對系統進行任意操作或中斷服務。

解決方法

更新版本至v4.7.4以上

漏洞通報者

Mason Yang (Acer Cyber Security Inc., ACSI)

公開日期

2022-11-29

CVE-2022-41675: 村榮資訊 雷電MAILD Mail Server -- Formula Injection


Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.



Es conveniente leer la información siguiente antes de actualizar a esta versión

**

**Información importante sobre los ejecutables de 32 bits para Windows**



**

Esta es la última versión en la que se distribuirán los ejecutables de 32 bits para Windows.

**

**Los comandos y opciones de compactar y vaciar tabla estaban disponibles solamente en servidores cloud y con suscripción (Resuelta en 32.1)**



**

**

Nuevo sistema de activación de licencias de Velneo vServer



**

A partir de la versión 32 cambia el sistema de licenciamiento y las licencias se activarán desde

Velneo vAdmin

. Haz clic

aquí

para ampliar información al respecto.

En mi Velneo, ahora verás que una licencia tiene dos códigos distintos, uno con el formato **VLS-XXXX-XXX**, que será el que se deberá usar para activarla con la versión 32 y superiores y el otro, que usaremos cuando queramos activarla en servidores de la versión 31 o anteriores, que se seguirá activando con

Velneo vActivator

.

**

A partir de esta versión todos los servidores arrancarán con protocolo VATPS



**

El

protocolo VATPS

permite establecer conexiones seguras estándar TLS/SSL lo que provee de privacidad e integridad a las comunicaciones en red entre todos los componentes de Velneo. Es decir, no solo la comunicación se envía cifrada entre los componentes, si no que es inviolable, ya que garantiza que nadie puede modificar la información que se transmite, además de garantizarnos con qué servidor nos hemos conectado.

**

Incidencia con controles dibujo en dispositivos con procesadores Apple Silicon con sistema operativo Ventura



**

Hemos detectado una incidencia que produce un efecto de ralentización del interfaz la primera vez durante unos segundos cuando visualizamos o editamos un formulario con un control dibujo/objeto dibujo. Parece una incidencia de sistema operativo, ya que este efecto se produce también en versiones anteriores ya publicadas en las que no se observaba ese comportamiento y ha comenzado a producirse tras la última actualización de macOS Ventura en equipos con procesadores Apple Silicon.

**

Mejoras de seguridad en validación de usuario y contraseña



**

Con el fin de mejorar la seguridad del

inicio de sesión

en Velneo, se evita enviar el hash de la contraseña, sustituyendo el sistema de login con uno más moderno y seguro.

En breve, aparecerá publicado en

CVE

con el fin de advertir y propiciar la actualización a esta versión.

**

Funciones remotas y compatibilidad con versiones anteriores de Velneo



**

Por defecto, un servidor de la 32 no permite recibir peticiones de ejecución de funciones remotas desde versiones anteriores. En el caso de que queramos hacer esto posible, debemos una clave beta en la máquina donde tengamos instalado el servidor de la versión 32.

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración de sistema: Escribir cadena de texto

para establecerlos, ejecutándolo en 3er plano. Los parámetros se resolverán como indicamos a continuación:

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" ):

*   **Clave**: enableRetrocompatibildadFuncionesRemotas
    

*   **Valor**: 3BFD2F9B103174596FF78C23CE8DDE77EC917BEA
    

**

Rejillas: la CSS que se aplica a los ítems de rejillas, se aplican también a las columnas de campos de tipo objeto texto y objeto dibujo



**

En versiones anteriores no se aplicaban correctamente las CSS de ítem de

rejilla

en columnas de campos de tipo objeto texto enriquecido y objeto dibujo; ahora hemos mejorado la plataforma para que también las aplique.

Al aplicar el ajuste del texto (wordwrap) en una CSS, el ajuste en textos largos puede resultar distinto.

**

Cómo activar la nueva interfaz Velneo vAdmin



**

Velneo vAdmin estrena nueva interfaz. Para probarla no tienes más que

activarla

.

**

Funcionalidades no disponibles en la nueva interfaz de Velneo vAdmin y en Velneo vAdmin Web



**

*   Alta y modificación de
    
    disco
    
    .
    

**

Mejoras de rendimiento en beta



**

Si quieres disfrutar de la versión beta de estas opciones, debes activar ciertas claves beta correspondiente en el cliente (en el caso de los objetos de interfaz) y también en el servidor (en el caso de procesos).

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración del sistema: escribir cadena texto

para establecerlos, ejecutándolo en 1º y 3º plano según corresponda. Los parámetros se resolverán como indicamos a continuación

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" )

Ejecutar la aplicación, lanzar el proceso en primero y/o tercer plano, según corresponda.

En el ámbito del cliente, las claves serán operativas en siguientes sesiones que se lancen del mismo.

En el ámbito del servidor, las claves serán operativas en cuanto se reinicie.

Estas son las distintas claves beta que podemos configurar:

*   ​
    
    Rejillas
    
    estándar, carga y movimiento optimizado (requiere el
    
    estilo
    
    _Optimizado_):
    
    *   **Clave**: optimizarRejillasClient
        
    
    *   **Valor**: 8DF627183E075E86BADCF82C11D4F931E8BF62D8
        
    

*   *   **Clave**: optimizarFormulariosClientFormulas
        
    
    *   **Valor**: ED979A19EEFC93EE0E4F58FB93F432BF258E1E33
        
    

*   Procesos, optimización de parámetros:
    
    *   **Clave**: optimizarInstruccion
        
    
    *   **Valor**: F15868161C0B05825E38ADE94001D5D9926CDFB7
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   *   **Valor**: 11B804B93A06DFED1838D5B21F309414B881EEDF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   Nuevo motor
    
    Javascript
    
    con optimización de memoria y concurrencia:
    
    *   **Clave**: enableSombrasJSClass
        
    
    *   **Valor**: F0835AF8367C2AE76BC7804F8183EEB5529C5ADF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

Última actualización 6mo ago

CVE-2021-45036: Notas de la versión

Vulnerability in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by modifying an NVRAM variable.

CVE-2022-4020

super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue.

@@ -12,7 +12,9 @@ import com.intellij.uiDesigner.core.Spacer; import org.apache.log4j.LogManager; import org.apache.log4j.Logger; import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor;  
import javax.swing.\*; import javax.swing.border.TitledBorder; @@ -224,7 +226,7 @@ public void reloadConfig(boolean init, boolean reset) { } configTemplate = configStr;  
Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); configObj = yaml.load(configStr);  
try { @@ -684,7 +686,7 @@ public void initPluginSave() { }  
public void refreshConfig() { Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); StringWriter writer = new StringWriter(); yaml.dump(configObj, writer); configStr = writer.toString();

CVE-2022-41958: yaml rce · 4ra1n/super-xray@4d0d596

TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication buffer overflow via parameter command in the setTracerouteCfg function.

CVE-2022-44258

Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag_tracert_admin.asp " in the "PingTest" parameter that leads to command execution.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2020-23584**

**OPTILINK E-PON "MODEL NO: OP-XT71000N" with "HARDWARE VERSION: V2.2"; & "FIRMWARE VERSION: OP\_V3.3.1-191028"**

Unauthenticated remote code execution on "OPTILINK OP-XT71000N, Hardware Version: V2.2". The issue occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag\_tracert\_admin.asp " in the "PingTest" parameter that leads to command execution.

**TARGET**

/diag\_tracert\_admin.asp

**Attack Vector**

pass arbitrary commands with IP-ADDRESS using " | " to execute commands.

**REGARDS**

Huzaifa Hussain

https://twitter.com/disguised\_noob

https://www.linkedin.com/in/huzaifa-hussain-046791179

Tag

#acer