Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.

CVE-2020-11946: Read me | OpManager Help

CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests.

**Vulnerability type**

CWE-400: Uncontrolled Resource Consumption

**Attack type**

Remote

**Impact**

Denial-of-service, Resource consumption (memory)

**Affected component(s)**

HTTP/1 codec

**Attack vector(s)**

A TCP buffer with many pipelined HTTP requests

**Discoverer(s)/Credits**

Alyssa Wilk (Google LLC)

**Description (full; not included in CVE but will be published on GitHub later and linked)**

Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests. In the case of illegally formed requests, Envoy sends an internally generated 400 error, which is sent to the Network::Connection buffer. If the client reads these responses slowly, it is possible to build up a large number of responses, and consume functionally unlimited memory. This bypasses Envoy’s overload manager, which will itself send an internally generated response when Envoy approaches configured memory thresholds, exacerbating the problem.

CVE-2020-8661

D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in the SMB service allowing symbolic links to be created to locations outside of the Samba share.

**Introduction**

ISE researchers have discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. We define a critical security vulnerability in a router as one that allows a remote attacker to take full control of the router's configuration settings, or one that allows a local attacker to bypass authentication and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

*   All 13 routers evaluated can be taken over from the local network
    *   4 of these attacks require no active management session.
*   11 of 13 routers evaluated can be taken over from the WAN
    *   2 of these attacks require no active management session.

**Motivation**

Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers. Yet, these devices facilitate the connectivity and protection (we hope) of millions of end-systems. The critical vulnerabilities that persist in these widely used devices demonstrate an urgent need for deeper scrutiny.

ISE initially set out to evaluate the security of ten popular, off-the-shelf SOHO wireless routers. The final scope of the research project was expanded to include thirteen unique devices. Our research indicates that a moderately skilled adversary with LAN or WLAN access can exploit all thirteen routers. We also found that nearly all devices had critical security vulnerabilities that could be exploited by a remote adversary, resulting in router compromise and unauthorized remote control. At least half of the routers that provided network attached storage (NAS) were found to be accessible by a remote adversary (full details will be disclosed in a future article).

We further categorize these remotely and locally accessible vulnerabilities by indicating their associated attack requirements:

*   Trivial attacks can be launched directly against the router with no human interaction or access to credentials.
*   Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials.
*   Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used—an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.

We considered client-side attacks to be in scope, so long as they consist entirely of HTML and JavaScript code running in a web browser.

**Impact; new threats**

SOHO router vulnerabilities impact consumers in a number of ways that differ from the vulnerabilities that typically afflict end-systems, and through those vulnerabilities new threats arise. The number of parties affected by an individual or widespread router compromise is expanded, there could be lasting damage to users or soho networking device vendors, and detecting or recovering from an exploit of this type can be difficult.

**Affected parties: who is the victim?**

A typical end-system compromise pegs the end-user as the victim. Certainly, advanced threats leverage end-system compromise to gain a network foothold and attempt to compromise lateral systems, but in general there is one victim, and one party responsible for cleaning up the mess.

A SOHO router compromise not only affects that device, but the many end-systems it supports, the infrastructure of which it is a part, the community of sites visited by the end-users, and even the soho networking device vendor.

**Implications**

The impact of these routers' security flaws is exacerbated by the fact that unauthenticated attacks can target not only the administrator of a victim router's (W)LAN, but any user on the (W)LAN. A parent or child in the case of the home, any or all students behind a university router, or any guest or untrained user of a small office or enterprise network can be targeted and leveraged to gain full control of the SOHO networking device, which may also lead to additional attacks being launched against other users.

**Significance of compromise**

Once compromised, any router—SOHO or otherwise—may be used by an adversary to secure a man-in-the-middle position for launching more sophisticated attacks against all users in the router's domain. This includes sniffing and rerouting all non-SSL protected traffic, poisoning DNS resolvers, performing denial of service attacks, or impersonating servers. Worse still, is that these routers are also firewalls, and often represent the first (and last) line of defense for protecting the local network. Once compromised, the adversary has unfettered access to exploit the vulnerabilities of local area hosts that would be otherwise unreachable if the router were enforcing firewall rules as intended.

**Difficult Recovery; Persistent issue**

The overall community impact could be much worse. Considering that many soho networking device administrators are not computer or security savvy, default settings are undoubtedly prevalent. Even in the case where the vulnerabilities identified here and elsewhere are addressed by the vendor, it may not be reasonable to expect that SOHO networking device owners know about these issues, or will upgrade/patch their routers' firmware, which is the predominant distribution mechanism for SOHO networking device updates. In such cases, the vulnerabilities may remain unresolved indefinitely.

"Bricking" of SOHO networking devices could also become an issue due to the cumbersome and unauthenticated nature of the firmware upgrade process. As we've identified, in all routers evaluated a remote adversary can replace a vendor's firmware with their own. If such firmware were (intentionally) faulty, it could render a device unusable. The damage to users and vendors could be significant depending upon the number of devices in the field, the rate at which they can be compromised or "bricked," and the cost to replace or repair them.

**Large-scale threats**

So far we have acknowledged that users belonging to an affected router's domains are at risk, but if any ISP deploys a router at scale with these types of vulnerabilities—or has many customers using routers with these types of vulnerabilities—an adversary may leverage the vulnerabilities to directly attack the provider, core infrastructure, or other organizational targets, e.g., corporations and nation-states. This also presents a large surface for new botnet deployment or command and control (C2) strategies to facilitate DDoS attacks and cybercrime activities.

**Mitigations**

Unfortunately, there is little the average end-user can do to fully mitigate these attacks. Successful mitigation often requires a level of sophistication and skill beyond that of the average user (and beyond that of the most likely victims).

**Recommendations for Vendors**

SOHO networking device VENDORS should take the following actions to help mitigate these issues.

*   Prepare and make available firmware upgrades that address these issues.
*   Notify registered users of these vulnerabilities, and distribute instructions on how to upgrade device firmware.
*   Regularly audit devices for security vulnerabilities, produce and distribute security patches in a timely manner, and notify registered customers.

SOHO networking device VENDORS should incorporate the following design changes in to their product lines.

*   Using authenticated (digitally signed, and verifiable by the router) firmware updates.
*   Designing a method for automatic firmware updates, that can be opted out of by users.
*   Perform regular security audits to ensure devices are as hardened as possible.

**Recommendations for Device Administrators**

SOHO networking device ADMINISTRATORS should take the following actions to help mitigate these issues.

*   Upgrade your firmware regularly.
*   Disable (or do not enable) remote administration.
*   Disable (or do not enable) network services that are not utilized within the LAN, e.g., FTP, SMB, UPnP.
*   Log out from, and restart, your SOHO networking device after logging in for administrative tasks.
*   Clear browser cookies and active logins after logging out from your router.
*   Choose a non-standard (W)LAN IP address range (subnet), which will make generic automated attacks less effective against your network.
*   If possible, enable HTTPS for all administrative connections. For all of the routers we evaluated that had this feature, it was disabled by default.
*   Make sure your WLAN is protected using WPA2 encryption and is not left as an open WiFi network or protected with the outdated WPA or WEP standards.
*   ONLY install firmware from the router manufacturers website.
*   Choose a secure router administration password consisting of upper/lowercase alphanumeric and special characters that is at least 12 characters in length.
*   If your SOHO device is behind an additional firewall, restrict inbound access to this device from the greater WAN.

**Recommendations for End Users**

END-USERS behind SOHO networking devices should take the following actions to help mitigate these issues.

*   Do not discount browser or other software warnings of potential MITM attacks.
*   Do not follow links sent through email or by other means, especially ones that are directed to what could potentially be a SOHO networking device (e.g., 192.168.2.1).
*   Be diligent, and browse safely.

**Disclosures**

For all vulnerabilities identified in this research, ISE has disclosed the issues to the product vendors through their typical vulnerability reporting mechanism, as well as any other channels for which we had access. We've given what we believe is adequate time to address the issues disclosed, and to the extent it has been reasonable, we've helped those vendors develop or implement mitigations. We welcome all vendor feedback, and are happy to assist with any additional information that may facilitate a quick resolution to any of these vulnerabilities.

Beyond the vulnerabilities listed in this case study, our research has brought to light 17 issues that have received Common Vulnerabilities and Exposure (CVE) numbers, and 21 CVE submissions pending.

*   CVE-2013-0126: Cross-Site Request Forgery
*   CVE-2013-2644: FTP Directory Traversal
*   CVE-2013-2645: Cross-Site Request Forgery
*   CVE-2013-2646: Denial of Service
*   CVE-2013-3064: Unvalidated URL Redirect
*   CVE-2013-3065: DOM Cross-Site Scripting
*   CVE-2013-3066: Information Disclosure
*   CVE-2013-3067: Cross-Site Scripting
*   CVE-2013-3068: Cross-Site Request Forgery
*   CVE-2013-3069: Cross-Site Scripting
*   CVE-2013-3070: Information Disclosure
*   CVE-2013-3071: Authentication Bypass
*   CVE-2013-3072: Unauthenticated Hardware Linking
*   CVE-2013-3073: SMB Symlink Traversal
*   CVE-2013-3074: Media Server Denial of Service
*   CVE-2013-3083: Cross-Site Request Forgery
*   CVE-2013-3084: Cross-Site Scripting
*   CVE-2013-3085: Authentication Bypass
*   CVE-2013-3086: Cross-Site Request Forgery
*   CVE-2013-3087: Cross-Site Scripting
*   CVE-2013-3088: Authentication Bypass
*   CVE-2013-3089: Cross-Site Request Forgery
*   CVE-2013-3090: Cross-Site Scripting
*   CVE-2013-3091: Authentication Bypass
*   CVE-2013-3092: Failure to Validate HTTP Authorization Header
*   CVE-2013-3095: Cross-Site Request Forgery
*   CVE-2013-3096: Unauthenticated Hardware Linking
*   CVE-2013-3097: Cross-Site Scripting

**Related Work**

As stated earlier in this article, there has been little research published in the area of SOHO router security, however some interesting results have been disclosed by security researchers in recent years.

In March, 2013, Michael Messner disclosed vulnerabilities ranging from minor to critical in D-Link, TP-Link, Netgear, and Linksys routers. The vulnerabilities disclosed included authenticated and unauthenticated arbitrary command injection, information disclosure, unencrypted password storage, directory traversal, and persistent cross-site scripting.

In January, 2013, HD Moore disclosed that numerous home routers exposed UPnP services, including SSDP Discovery and SOAP, to the Internet (WAN) side of the device. This could lead to remote attackers modifying firewall rules or accessing private media files using DLNA. Worse, many of the UPnP implementations had numerous buffer overflow vulnerabilities.

Also in January, 2013, DefenseCode released an advisory describing a remote, unauthenticated format string vulnerability in the Broadcom UPnP software that escalated to root shell access.

At BlackHat 2012, Phil Purviance (Superevr) demonstrated a cross-site file upload vulnerability in the Linksys WRT54GL. In early 2013, Purviance researched the Linksys EA2700 and found numerous vulnerabilities, including cross-site scripting, directory and file traversal, unauthenticated password changes, and source code disclosure vulnerabilities.

In May, 2012, it was disclosed that WiFi Protected Setup (WPS) uses an eight-digit PIN for authentication, and an attacker can determine if the first four digits of an attempted PIN are correct, without regard to the last four. Worse, as this CERT vulnerability disclosed, many home routers fail to implement any rate limiting after successive incorrect PIN attempts.

At BlackHat 2009, Felix Lindner explored the feasibility and techniques that could be used to attack commercial grade routers. He found very few public vulnerabilities in this class of equipment.

**Future work**

Six months after releasing the advisories for the 13 routers, ISE will upgrade the firmware on all 13 routers and perform a reassessment to determine what—if any—impact deeper scrutiny from the security community has brought to the SOHO router industry. ISE may also expand the scope of the next study to include additional routers.

**Attribution and acknowledgments**

This research was conducted by Jacob Holcomb of Independent Security Evaluators and directed by Stephen Bono and Sam Small. Jacob Thomspon, Kedy Liu, Ali Jad Khalil, and Vincent Faires made additional contributions.

**References**

Messner, Michael. Multiple Vulnerabilities in D-Link DIR-600 and DIR-300. Revision B. February 2013.

Beardsley, Tom. Weekly Update: Consumer-Grade Hacking, Attribution and Testing, and Msfupdate updates. Rapid7 Metasploit Blog. March 28, 2013.

Moore, HD. Security Flaws in Universal Plug and Play. Rapid7, Inc., January 2013.

Broadcom UPnP Remote Preauth Code Execution Vulnerability. January 31, 2013.

Allar, Jared. WiFi Protected Setup (WPS) PIN brute force vulnerability. US CERT Vulnerability #723755. May 10, 2012.

Lindner, Felix. Router Exploitation. Black Hat 2009.

Purviance, Phil. Don't Use Linksys Routers. Superevr. April 5, 2013.

Mimoso, Michael. Serious Vulnerabilities Found in Popular Home Wireless Routers. threatpost. April 8, 2013

CVE-2013-4855: Exploiting SOHO Routers

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

In the past year we invested a lot of time making Hyper-V research more accessible to everyone. Our first blog post, “First Steps in Hyper-V Research”, describes the tools and setup for debugging the hypervisor and examines the interesting attack surfaces of the virtualization stack components. We then published “Fuzzing para-virtualized devices in Hyper-V”, which has been the focus of our friends at the Virtualization Security Team.

Attacking the VM Worker Process

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.

CVE-2019-15218

An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.

CVE-2019-15221

In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.

CVE-2018-20961

An exploitable remote code execution vulnerability exists in the ping and tracert functionality of the TP-Link TL-R600VPN HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3 http server. A specially crafted IP address can cause a stack overflow, resulting in remote code execution. An attacker can send a single authenticated HTTP request to trigger this vulnerability.

**Summary**

An exploitable remote code execution vulnerability exists in the ping and tracert functionality of the TP-Link TL-R600VPN http server. A specially crafted IP address can cause a stack overflow, resulting in remote code execution. An attacker can send a single authenticated HTTP request to trigger this vulnerability.

**Tested Versions**

TP-Link TL-R600VPN HWv3 FRNv1.3.0 TP-Link TL-R600VPN HWv2 FRNv1.2.3

**Product URLs**

https://www.tp-link.com/us/products/details/cat-4909\_TL-R600VPN.html

**CVSSv3 Score**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

The TP-Link r600vpn does not properly check the size of the data passed to its ‘ping\_addr’ field when performing a ping operation. By sending a large amount of data to this field, it is possible to overflow the stack buffer, causing the device’s HTTP server to crash. It is further possible to craft the data passed through the ‘ping\_addr’ field to exploit this vulnerability and gain remote code execution on the device.

\[Annotated Disassembly / Decompilation output\] The user-supplied ping address is obtained from the environment variable “ping\_addr” and placed into the register $s4 toward the beginning of the function PingIframeRpmHtm. LOAD:004773D0 loc\_4773D0: LOAD:004773D0 la $a1, dword\_520000 LOAD:004773D4 move $a0, $s2 LOAD:004773D8 la $t9, httpGetEnv LOAD:004773DC jalr $t9 ; httpGetEnv LOAD:004773E0 addiu $a1, (aPingAddr - 0x520000) # “ping\_addr” LOAD:004773E4 move $a0, $s2 LOAD:004773E8 lw $gp, 0x78+var\_60($sp) LOAD:004773EC move $s4, $v0 # holds the user-supplied buffer

The $s4 register is not set again before a call to the function ipAddrDispose, where it is passed as the first argument. LOAD:004777B8 move $a0, $s4 LOAD:004777BC lw $gp, 0x78+var\_60($sp) LOAD:004777C0 la $t9, ipAddrDispose LOAD:004777C4 jalr $t9 ; ipAddrDispose LOAD:004777C8 move $s1, $v0

The $a0 register is then moved into the $s2 register for a strlen call in ipAddrDispose. During this same instruction, we see the register $s3 being loaded with a stack address. LOAD:0049B098 move $s0, $zero LOAD:0049B09C la $t9, strlen LOAD:0049B0A0 move $s2, $a0 LOAD:0049B0A4 jalr $t9 ; strlen LOAD:0049B0A8 addiu $s3, $sp, 0x78+var\_50

A loop is then entered where each character is loaded into a stack-based buffer one by one. LOAD:0049B0D4 li $a3, 0x20 LOAD:0049B0D8 addiu $a2, $sp, 0x78+var\_60 # load a stack pointer into $a2 LOAD:0049B0DC addu $v0, $s2, $a0 LOAD:0049B0E0 LOAD:0049B0E0 loc\_49B0E0: LOAD:0049B0E0 addiu $a0, 1 LOAD:0049B0E4 lbu $v0, 0($v0)  
LOAD:0049B0E8 slt $a1, $a0, $s1 LOAD:0049B0EC beq $v0, $a3, loc\_49B0FC LOAD:0049B0F0 addu $v1, $s0, $a2 # calculate an offset on the stack buffer LOAD:0049B0F4 addiu $s0, 1 LOAD:0049B0F8 sb $v0, 0x10($v1) # write the byte to the stack buffer LOAD:0049B0FC LOAD:0049B0FC loc\_49B0FC: LOAD:0049B0FC bnez $a1, loc\_49B0E0 LOAD:0049B100 addu $v0, $s2, $a0 LOAD:0049B104

When the function epilogue is entered, the values for $ra and $s0-$s3 are overwritten with the values from the user-controlled stack buffer. LOAD:0049B2FC loc\_49B2FC: LOAD:0049B2FC LOAD:0049B2FC lw $ra, 0x78+var\_8($sp) LOAD:0049B300 move $v0, $v1 LOAD:0049B304 lw $s3, 0x78+var\_C($sp) LOAD:0049B308 lw $s2, 0x78+var\_10($sp) LOAD:0049B30C lw $s1, 0x78+var\_14($sp) LOAD:0049B310 lw $s0, 0x78+var\_18($sp) LOAD:0049B314 jr $ra LOAD:0049B318 addiu $sp, 0x78 LOAD:0049B318 # End of function ipAddrDispose

**Crash Information**

    [   18.484000] do_page_fault() #2: sending SIGSEGV to httpd for invalid read access from
    [   18.484000] 42424242 (epc == 42424242, ra == 42424242)
    [   18.508000] Cpu 0
    [   18.520000] $ 0   : 00000000 1000a400 00000000 00000000
    [   18.528000] $ 4   : 0067bc68 00000000 00000000 00000000
    [   18.532000] $ 8   : 00000434 00000001 00000001 00000007
    [   18.540000] $12   : 00000003 00000000 00000002 00000003
    [   18.544000] $16   : 41414141 41414141 41414141 41414141
    [   18.548000] $20   : 0067bc68 00520000 00000040 00000004
    [   18.560000] $24   : 8f055f08 004be740                  
    [   18.568000] $28   : 00598790 7d9ff8e0 7d9ffa62 42424242
    [   18.572000] Hi    : 00000005
    [   18.576000] Lo    : 00000000
    [   18.576000] epc   : 42424242 0x42424242
    [   18.584000]     Not tainted
    [   18.584000] ra    : 42424242 0x42424242
    [   18.588000] Status: 0000a413    USER EXL IE 
    [   18.592000] Cause : 10800008
    [   18.600000] BadVA : 42424242
    [   18.608000] PrId  : 00019300 (MIPS 24Kc)
    [   18.608000] Modules linked in:
    [   18.612000] Process httpd (pid: 9668, threadinfo=8f0cc000, task=8f07e4c0, tls=00000000)
    [   18.624000] Stack : 43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343
    [   18.628000]         43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343
    [   18.644000]         43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343
    [   18.652000]         43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343
    [   18.660000]         43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343
    [   18.668000]         ...
    [   18.672000] Call Trace:
    [   18.676000] 
    [   18.684000] 
    [   18.684000] Code: (Bad address in epc)
    [   18.692000] 
    [   18.700000] httpd/9668: potentially unexpected fatal signal 11.
    [   18.708000] 
    [   18.708000] Cpu 0
    [   18.716000] $ 0   : 00000000 1000a400 00000000 00000000
    [   18.732000] $ 4   : 0067bc68 00000000 00000000 00000000
    [   18.736000] $ 8   : 00000434 00000001 00000001 00000007
    [   18.744000] $12   : 00000003 00000000 00000002 00000003
    [   18.748000] $16   : 41414141 41414141 41414141 41414141
    [   18.752000] $20   : 0067bc68 00520000 00000040 00000004
    [   18.764000] $24   : 8f055f08 004be740                  
    [   18.772000] $28   : 00598790 7d9ff8e0 7d9ffa62 42424242
    [   18.776000] Hi    : 00000005
    [   18.780000] Lo    : 00000000
    [   18.780000] epc   : 42424242 0x42424242
    [   18.784000]     Not tainted
    [   18.784000] ra    : 42424242 0x42424242
    [   18.788000] Status: 0000a413    USER EXL IE 
    [   18.792000] Cause : 10800008
    [   18.792000] BadVA : 42424242
    [   18.796000] PrId  : 00019300 (MIPS 24Kc)
    

**Timeline**

2018-06-28 - Vendor Disclosure  
2018-10-09 - Vendor provided beta  
2018-10-11 - Patch tested and confirmed fix  
2018-11-19 - Public Release

Tag

#acer