Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation.


Podatność w oprogramowaniu Uptime DC

**CVE ID**

CVE-2023-4997

**Data publikacji**

05 października 2023

**Producent podatnego oprogramowania**

ProIntegra S.A

**Nazwa podatnego oprogramowania**

UptimeDC

**Podatne wersje**

wszystkie poniżej 2.0.0.33940

**Typ podatności (CWE)**

Missing Authorization (CWE-862)

**Źródło zgłoszenia**

Zgłoszenie do CERT Polska

**Opis podatności**

CERT Polska otrzymał zgłoszenie o podatności w oprogramowaniu UptimeDC i uczestniczył w jej koordynacji. Podatność pozwala każdemu zalogowanemu użytkownikowi zmienić hasło na kontach innych użytkowników (w tym administratorów), w efekcie czego możliwa była eskalacja uprawnień. Podatność, której nadano identyfikator CVE-2023-4997, została potwierdzona przez producenta i naprawiona w wersji 2.0.0.33940.

**Podziękowania**

Za zgłoszenie podatności dziękujemy Antoniemu Kwietniewskiemu z Alior Banku.

Więcej o procesie zgłaszania podatności można przeczytać na stronie https://cert.pl/cvd/

CVE-2023-4997: Podatność w oprogramowaniu Uptime DC

Cross-Site Request Forgery (CSRF) vulnerability in Chetan Gole WP-CopyProtect [Protect your blog posts] plugin <= 3.1.0 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WP-CopyProtect \[Protect your blog posts\] Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37995: WordPress WP-CopyProtect [Protect your blog posts] plugin <= 3.1.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in CAGE Web Design | Rolf van Gelder Optimize Database after Deleting Revisions plugin <= 5.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Optimize Database after Deleting Revisions Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-25980: WordPress Optimize Database after Deleting Revisions plugin <= 5.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Saphali Saphali Woocommerce Lite plugin <= 1.8.13 versions.

**Solution**

 Fixed

Update the WordPress Saphali Woocommerce Lite plugin to the latest available version (at least 1.9.0).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Saphali Woocommerce Lite Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.9.0.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-25788: WordPress Saphali Woocommerce Lite plugin <= 1.8.13 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Jeff Sherk Update Theme and Plugins from Zip File plugin <= 2.0.0 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Update Theme and Plugins from Zip File Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-25489: WordPress Update Theme and Plugins from Zip File plugin <= 2.0.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-2422: cve-details

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Hi @cescoffier

> It seems that each token is encrypted individually. Why not encrypt the whole content of the cookie?

Good question, thanks. This is done now in the PR by default, let me clarify, there was too much text in the description, copying the related part here:

*   Optimizes the way the tokens are encrypted, right now it is quite sub-optimal, where up to 3 JWE encryptions will be done and 3 cipher texts saved in the session cookie - instead, now only a single encryption is done on all the 3 tokens concatenated together. For example, now, instead of q_session=encrypted_id_token|encrypted_access_token|encrypted_refresh_token you will see q_session=encrypted(id_token_access_token_refresh_token).

You can see it confirmed for example, here.

The session cookie format is q_session=IDTOKEN|ACCESSTOKEN|REFRESHTOKEN, and you are right, on main, each of these tokens is encrypted individually, but like you say, with this PR, the whole cookie value is now encrypted.

What may be a bit confusing is that we have options to split the session cookie, (split_tokens=true), so we'd have 3 cookies in such cases:  
q_session=IDTOKEN  
q_session_at=ACCESSTOKEN  
q_session_rt=REFRESHTOKEN

This has been done to support the situations where a single session cookie size exceeds 4096 bytes - if the tokens are in JWT format, their size can be massive, some providers (and I specifically recall issues with Azure) can put a lot of claims into for ex ID token, and when it is all signed and base64url encoded to have JWT, the size can be big. So if 3 tokens concatentated together exceed 4096 limit, browsers can lose them.  
So for such cases, a split option is possible, where each of these tokens will be saved in their own cookie, in which case, in case of the encryption, indeed, every token will be encrypted individually.

But the default, out of the box option, will now have the whole session cookie value, with all 3 tokens, encrypted once.

CVE-2023-1584: Encrypt OIDC session cookie value by default by sberyozkin · Pull Request #32192 · quarkusio/quarkus

Location-enabled tech designed to make our lives easier is often exploited by domestic abusers. Refuge, a UK nonprofit, helps women to leave abusive relationships, secure their devices, and stay safe.

Pick up any piece of tech and Emma Pickering knows how it can be used to abuse, harass, and stalk women. Amazon’s Ring home doorbell cameras can monitor when someone leaves the house and who is visiting them. Until recently, Netflix showed the IP addresses where users were logged in, allowing their location to be tracked. Workout apps and websites such as Strava show where and when people are exercising. And abusers often slip small GPS trackers or audio recorders into women’s belongings or attach them to their cars.

“Perpetrators buy them in bulk, and they’ll buy probably 60 very cheaply; they’re very small and discrete,” says Pickering, who works at Refuge, the UK’s largest domestic abuse organization, where she heads a team that helps women secure their devices. Pickering says that in one case “over 200” recording devices were found in a woman’s home.

Refuge launched its Technology-Facilitated Abuse and Economic Empowerment Team in 2017, amid a surge of abusers weaponizing apps, devices, and online services to harm women. The charity helps women and their children leave abusive relationships, providing emergency accommodation, legal help, financial aid, and more. Almost every case now involves technology in some form, Pickering says, and the issue is so serious that every person the organization places into a refuge goes through a tech assessment to secure their accounts. The tech abuse team, which is made up of 11 people, is the only one of its kind in the UK and just one of a handful of similar organizations around the world.

Technology-facilitated abuse can range from harassment via phone call or text message to logging into someone’s social media and email accounts without their permission, which allows abusers to read, delete or send messages. In more extreme cases, they might install “stalkerware” on victims’ phones to monitor every tap and scroll. Nonconsensual image-sharing, commonly known as “revenge porn,” and economic abuse, where money and banking apps may be controlled by an abuser, are also frequent. In August, a report from MPs in the UK concluded that tech abuse is becoming “increasingly common.”

Pickering says her team primarily focuses on helping people in the more severe cases. “Firstly, we need to establish if it’s safe to speak to them on their device,” she says. If it isn’t, Refuge will send women a burner phone and then set them up with a new email address, using the encrypted email service Proton Mail, before sending them extra information. It’s the start of a meticulous process—known as an “attack assessment” by the team—to secure accounts and devices.

“We go through everything,” Pickering says. Refuge will ask the person they are helping to list every device and online account they and any children have. These can easily number into the hundreds. “Within the home, if they’ve fled the relationship, we also need to check anything they’ve left behind to unsync from any devices or accounts that they could still be using back home.” This will include products like Google Home Hubs, and Amazon’s Ring doorbells and Alexa, and it requires checking who set up the devices and is the administrator of the accounts, as well as which names phone contracts are in. From there, a safety plan is created, Pickering says. This can include going through the accounts and checking settings for who has access to them, removing devices connected to accounts, using secure passwords, and setting up measures such as two-factor authentication. On average, Pickering says, it can take three weeks to get through the entire process, although more complex cases take much longer.

“I don’t think people realize how serious it is, the consequences for perpetrators to have access to this information, to see that there’s evidence in someone’s phone that they’re planning to leave a relationship, read emails about financial settlements, child contact orders—it puts someone at really significant risk,” Pickering says. Even for those in nonabusive relationships, the charity has created a digital breakup tool with cybersecurity firm Avast to detail the process of separating everything from delivery apps to gaming accounts from former partners.

While the technology itself isn’t usually the problem—it’s how abusers use it to harass their victims that creates the issues—Pickering says tech companies don’t put enough thought into how their services can be used maliciously. They also don’t put enough effort into preventing such abuses. They’re not “considering having features built in that can mitigate these risks,” she says.

For instance, Apple launched its small AirTag GPS tracker without many safety features, and dozens of people have subsequently reported being tracked by the devices. (The company has made some improvements and is now working with other tracker manufacturers to make it easier to identify trackers someone has placed on your belongings). One of the biggest issues currently, Pickering says, is satellite navigation systems within cars. “My car, for instance, if I drive it somewhere, it’s connected to an app, and I don’t know how many people are on my app, it doesn’t give me notifications,” she says. There are also boundary settings that can alert a vehicle’s owner if it travels beyond a specific set of locations.

Aside from designing products better, tech companies need to make it easier for people to understand the settings on their phone and digital accounts. “Many people come to us and their confidence around tech is very limited,” Pickering says. “We have to do a lot of work with them initially to make them feel comfortable.”

While tech abuse is rising, Pickering aims to increase understanding around the problem and tackle some of the issues at its roots. “We’ve got a really big ambition to train the police,” she says, adding that officers often don’t know what to look for in cases of tech abuse and may not take issues seriously. The Refuge team has already worked with one tech company, which she says she cannot name due to an NDA, to advise on safety. “Amazon and Google could work with us,” Pickering says. “And we could help make sure that their products are developed with safety in mind.”

_This article first appeared in the November/December 2023 issue of WIRED UK._

The Team Helping Women Fight Digital Domestic Abuse

Microsoft has detailed a new campaign in which attackers unsuccessfully attempted to move laterally to a cloud environment through a SQL Server instance.
"The attackers initially exploited a SQL injection vulnerability in an application within the target's environment," security researchers Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen said in a Tuesday report.
"This allowed the

Cloud Security / Cyber Threat

Microsoft has detailed a new campaign in which attackers unsuccessfully attempted to move laterally to a cloud environment through a SQL Server instance.

"The attackers initially exploited a SQL injection vulnerability in an application within the target's environment," security researchers Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen said in a Tuesday report.

"This allowed the attacker to gain access and elevated permissions on a Microsoft SQL Server instance deployed in Azure Virtual Machine (VM)."

In the next stage, the threat actors leveraged the new permissions to attempt to move laterally to additional cloud resources by abusing the server's cloud identity, which may possess elevated permissions to likely carry out various malicious actions in the cloud that the identity has access to.

Microsoft said it did not find any evidence to suggest that the attackers successfully moved laterally to the cloud resources using the technique.

"Cloud services like Azure use managed identities for allocating identities to the various cloud resources," the researchers said. "Those identities are used for authentication with other cloud resources and services."

The starting point of the attack chain is an SQL injection against the database server that allows the adversary to run queries to gather information about the host, databases, and network configuration.

In the observed intrusions, it's suspected that the application targeted with the SQL injection vulnerability had elevated permissions, which permitted the attackers to enable the xp\_cmdshell option to launch operating system commands to proceed to the next phase.

This included conducting reconnaissance, downloading executables and PowerShell scripts, and setting up persistence via a scheduled task to start a backdoor script.

Data exfiltration is achieved by taking advantage of a publicly accessible tool called webhook\[.\]site in an effort to stay under the radar, since outgoing traffic to the service is deemed legitimate and unlikely to be flagged.

"The attackers tried utilizing the cloud identity of the SQL Server instance by accessing the \[instance metadata service\] and obtaining the cloud identity access key," the researchers said. "The request to IMDS identity's endpoint returns the security credentials (identity token) for the cloud identity."

The ultimate goal of the operation appears to have been to abuse the token to perform various operations on cloud resources, including lateral movement across the cloud environment, although it ended in failure due to an unspecified error.

The development underscores the growing sophistication of cloud-based attack techniques, with bad actors constantly on the lookout for over-privileged processes, accounts, managed identities, and database connections to conduct further malicious activities.

"This is a technique we are familiar with in other cloud services such as VMs and Kubernetes cluster but haven't seen before in SQL Server instances," the researchers concluded.

"Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks. This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Cyber Attacks Attempting to Breach Cloud via SQL Server Instance

New research has found that some streaming devices and dozens of Android and iOS apps are secretly being used for fraud and other cybercrime.

When you buy a TV streaming box, there are certain things you wouldn’t expect it to do. It shouldn’t secretly be laced with malware or start communicating with servers in China when it’s powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that’s been the reality for thousands of unknowing people who own cheap Android TV devices.

In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg. Today, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes.

Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they’ve seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US. Meanwhile, Human Security says it has also taken down advertising fraud linked to the scheme, which likely helped pay for the operation.

“They’re like a Swiss Army knife of doing bad things on the internet,” says Gavin Reid, the CISO at Human Security who leads the company’s Satori Threat Intelligence and Research team. “This is a truly distributed way of doing fraud.” Reid says the company has shared details of facilities where the devices may have been manufactured with law enforcement agencies.

Human Security’s research is divided into two areas: Badbox, which involves the compromised Android devices and the ways they are involved in fraud and cybercrime. And the second, dubbed Peachpit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security’s research, while Apple says it has found issues in several of the apps reported to it.

First, Badbox. Cheap Android streaming boxes, usually costing less than $50, are sold online and in brick-and-mortar shops. These set-top boxes often are unbranded or sold under different names, partly obscuring their source. In the second half of 2022, Human Security says in its report, its researchers spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. When Milisic posted his initial findings about the T95 Android box in January, the research also pointed to the flyermobi domain. The team at Human purchased the box and multiple others, and started diving in.

In total the researchers confirmed eight devices with backdoors installed—seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W. (Some of these have also been identified by other security researchers looking into the issue in recent months). The company’s report, which has data scientist Marion Habiby as its lead author, says Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world—including some in schools across the US.

The TV devices are built in China. Somewhere before they reach the hands of resellers—researchers don’t exactly know where—a firmware backdoor is added to them. This backdoor, which is based on the Triada malware first spotted by security firm Kaspersky in 2016, modifies one element of the Android operating system, allowing itself to access apps installed on the devices. Then it phones home. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid says.

Human Security tracked multiple types of fraud linked to the compromised devices. This includes advertising fraud; residential proxy services, where the group behind the scheme sell access to your home network; the creation of fake Gmail and WhatsApp accounts using the connections; and remote code installation. Those behind the scheme were selling access to residential networks commercially, the company’s report says, claiming to have access to more than 10 million home IP addresses and 7 million mobile IP addresses.

The findings tally with those of other researchers and ongoing investigations. Fyodor Yarochkin, a senior threat researcher at security firm Trend Micro, says the company has seen two Chinese threat groups that have used backdoored Android devices—one it has researched deeply, the other is the one Human Security looked at. “The infection of devices is quite similar,” Yarochkin says.

Trend Micro has found a “front end company” for the group it investigated in China, Yarochkin says. “They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” he says. Based on Trend Micro’s network data, Yarochkin believes these figures to be credible. “There was a tablet in one of the museums somewhere in Europe,” Yarochkin says, adding he believes it is possible that swaths of Android systems may have been impacted, including in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it's really difficult to detect.”

Then there’s what Human Security calls Peachpit. This is an app-based fraud element, which has been present on both the TV boxes as well as Android phones and iPhones, Reid says. The company identified 39 Android, iOS, and TV box apps that were involved. “These are template-based applications—not very high quality,” says Joao Santos, a security researcher at the company. Apps about developing six-pack abs and logging the amount of water a person drinks were included.

The apps performed a range of fraudulent behavior, including hidden advertisements, spoofed web traffic, and malvertising. The research says that while those behind Peachpit appear different from those behind Badbox, it is likely they are working together in some way. “They have this SDK that did the ad fraud part, and we found a version of this SDK that matches the name of the module that was being dropped on the Badbox,” Santos says, referring to a software development kit. “That was another level of connection that we found.”

Human Security’s research says the ads involved were making 4 billion ad requests per day, with 121,000 Android devices impacted and 159,000 iOS devices impacted. There had been 15 million downloads in total for the Android apps, the researchers calculate. (The Badbox backdoor was found only on Android, not on any iOS devices.) Reid says that based on the data the company has, which isn’t a complete picture due to the complexity of the ad industry, those behind the scheme could have easily earned $2 million in one month alone.

Google spokesperson Ed Fernandez confirms the 20 Android apps reported by Human Security have been removed from the Play Store. “The off-brand devices discovered to be Badbox-infected were not Play Protect–certified Android devices,” Fernandez says, referring to Google’s security testing system for Android devices. “If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.” The company has a list of certified Android TV partners. Apple spokesperson Archelle Thelemaque says that it found five of the apps Human reported breaching its guidelines, and the developers were given 14 days to make them follow the rules. Four of them have done so, as of publication.

Toward the end of 2022 and in the first part of this year, Reid says, Human Security took action against the advertising fraud elements of Badbox and Peachpit. According to data shared by the company, the amount of fraudulent ad requests from the schemes taking place now has completely dropped off. But the attackers adapted to the disruption in real time. Santos says when the countermeasures were first deployed, those behind the schemes started by sending out an update to obfuscate what they were doing. Then, he says, those behind Badbox took down the C2 servers powering the firmware backdoor.

While the attackers have been slowed, the boxes are still in people’s homes and on their networks. And unless someone has technical skills, the malware is very hard to remove. “You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid says. Ultimately, for people buying TV streaming boxes, the advice is to buy branded devices, where the manufacturer is clear and trusted. As Reid says, “Friends don't let friends plug in weird IoT devices into their home networks.”

Tag

#auth