Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.
The three vulnerabilities are listed below -

CVE-2023-35138 (CVSS score: 9.8) - A command injection vulnerability that could allow an

Firewall / Network Security

Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.

The three vulnerabilities are listed below -

*   **CVE-2023-35138** (CVSS score: 9.8) - A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request.
*   **CVE-2023-4473** (CVSS score: 9.8) - A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
*   **CVE-2023-4474** (CVSS score: 9.8) - An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.

Also patched by Zyxel are three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) that, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It's worth noting that both CVE-2023-37927 and CVE-2023-37928 require authentication.

The flaws impact the following models and versions -

*   NAS326 - versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
*   NAS542 - versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)

The advisory comes days after the Taiwanese networking vendor shipped fixes for nine flaws in select firewall and access point (AP) versions, some of which could be weaponized to access system files and administrator logs, as well as cause a denial-of-service (DoS) condition.

With Zyxel devices often exploited by threat actors, it's highly recommended that users apply the latest updates to mitigate potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices

An issue was discovered in Huddly HuddlyCameraService before version 8.0.7, not including version 7.99, allows attackers to manipulate files and escalate privileges via RollingFileAppender.DeleteFile method performed by the log4net library.

2023-11-20

This article provides technical descriptions of two vulnerabilities that allowed for local privilege escalation in HuddlyCameraService. During a previous assessment, these vulnerabilities helped to escalate privileges from regular user to SYSTEM, establish command and control (C2), evade the installed EDR by DLL sideloading a non-Microsoft binary, and install persistence on the host since the service started on system boot.  

The first vulnerability, CVE-2023-45252, enabled privilege escalation due to the service being installed in a directory that grants write privileges to regular users. The second vulnerability, which was identified as CVE-2023-45253, enabled local privilege escalation through a privileged file operation executed by the service under the SYSTEM user context. 

The vulnerabilities were reported on August 10, 2023, and Huddly promptly addressed them by releasing a fix on September 21, 2023. The solution to resolve these vulnerabilities involves upgrading to version 8.0.7 of the program, officially released on September 21, 2023. Our team has thoroughly tested this patch, and it has effectively rectified the issues.

Official release notes and security advisory can be found at this Huddly support page.

**Privilege Escalation via Insecure Installation Directory (CVE-2023-45252) **

The first vulnerability, identified as CVE-2023-45252, enabled privilege escalation due to the service being installed in a directory that grants write privileges to regular users, affecting version <8.0.7 of Huddly’s Camera Windows software. 

**Identification and Exploitation **

By using Microsoft's Process Monitor (ProcMon), which can be used to analyze and monitor file operations on a Windows system, it was found that the HuddlyCameraService.exe file was executed as NT AUTHORITY\\SYSTEM from the C:\\Windows\\Temp\\.net\\HuddlyCameraService folder, as highlighted in Figure 1. Additionally, the process attempted to load missing dynamic-link library (DLL) files from the same folder. 

_Figure 1 - Process attempting to load missing DLLs._

Due to regular users having write permissions in C:\\Windows\\Temp\\.net\\HuddlyCameraService, which contains permissions inherited from C:\\Windows\\Temp, the service was susceptible to a local privilege escalation attack that could be exploited through a DLL hijacking attack. The permission inheritance is demonstrated in Figure 2 and Figure 3.

Figure 2 - Permissions for C:\\Windows\\Temp.

Figure 3 - Permissions for C:\\Windows\\Temp\\.net\\HuddlyCameraService.

To exploit the vulnerability, an adversary could drop a payload as one of the missing DLLs into C:\\Windows\\Temp\\.net\\HuddlyCameraService\\IQQF1G9DDW8qNL0XgxzvxAVCQLDvvYE=, and then reboot the machine. This often works because Windows uses a pre-defined search path to find DLL, which searches in a specific order.

****Arbitrary File Write Leading to Privilege Escalation (CVE-2023-45253)****

The second vulnerability, identified as CVE-2023-45253, enabled local privilege escalation through a privileged file operation executed by the service under the SYSTEM user context

This vulnerability affects version <8.0.7 of Huddly’s Camera Windows software. 

**Identification**

When the log4net library performs a rollover via the RollingFileAppender class (an Appender that rolls log files based on size or date or both), and if the maximum number of size backups is reached (set with maxSizeRollBackups), then the oldest file is deleted, as can be seen in Figure 4.

Figure 4 - DeleteFile when maxSizeRollBackups is reached.

The DeleteFile method will delete a file if it exists. Figure 5 shows that a new filename is generated, containing a tick count, which is the number of milliseconds elapsed since the system started. Then, the file is first moved to a new filename and then deleted. This allows the file to be removed even when it cannot be deleted, but it still can be moved.

_Figure 5 - DeleteFile generates a new name and moves/renames the file._

By following the call chain for System.IO.File.Move, it ends up calling Kernel32$MoveFileEx. This is where the flaw is - the service does never attempt to impersonate the user but performs all actions in the context of NT AUTHORITY\\SYSTEM. Therefore, the file move operation is done on a file that unprivileged users can manipulate in the context of NT AUTHORITY\\SYSTEM. If files are moved from C:\\ProgramData\\Huddly\\Logs\\ to, for example, C:\\Program Files\\Huddly, then the file moved to the new location will have access rights inherited from the old location, as demonstrated in Figure 6.

_Figure 6 - Inherited access rights on FakeDll.dll after successful exploitation._

By using Microsoft's Process Monitor (ProcMon), the file operations performed by the HuddlyCameraService can be seen, as shown in Figure 7.

_Figure 7 - ProcMon shows the file operations performed by the Huddly service._

The SetRenameInformationFile call originates from the Win32 MoveFileEx() function. Further inspecting the operation showed that it did not impersonate the user but was executed as NT AUTHORITY\\SYSTEM, as demonstrated in Figure 8. If the application did impersonate the user, it would have included Impersonating: <domain>\\<username> in the Event Properties.

_Figure 8 - No impersonation is being performed by the service._

The arbitrary file move as SYSTEM results in a Local Privilege Escalation. To exploit the vulnerability, an adversary could drop a payload as one of the missing DLLs into C:\\Windows\\Temp\\.net\\HuddlyCameraService\\IQQF1G9DDW8qNL0XgxzvxAVCQLDvvYE=,  as shown in Figure 9. After rebooting the machine, the malicious code would be executed as SYSTEM. There are also multiple other ways to escalate privileges with the ability to move files as SYSTEM.

_Figure 9 - Paths that resulted in NAME NOT FOUND._

**Exploitation**

When the service creates test.5.log, the service will soon open the file again to be moved/renamed. There is a short time between the file creation and the file move operation, where the attacker can modify the behavior of the file move. The exploit code will place an Opportunistic Lock (Oplock) on the test.5.log after the service creates it because this will allow the attacker to block file operations on a given file for as long as they choose to hold the lock, making it easier to win the race. The attacker cannot perform any operations on the file while the Oplock is there. However, the attacker can achieve what they want by creating Object Manager symbolic links.

Therefore, the strategy to exploit this flaw is configuring the logging with a maximum file size of 0 and setting the log folder to a folder initially used as a junction point to another "physical" directory. Then, when the service is started, it will write the logs into the junction and store them inside the other physical folder. When this is done, we can continue to phase 2 of the exploit.

Phase 2 of the exploit will attempt to open test.log.5. When it successfully opens the file, it will place an Oplock on the file. When the Oplock is triggered, the exploit code generates a new filename with the tick count, switches the mountpoint to an Object Directory, and creates two symbolic links. The test.log.5 file will point to a file owned by the attacker, and the test.log.5.TickCount.DeletePending file will point to where the attacker wants to write, for example, C:\\Program Files\\Huddly\\FakeDll.dll. After releasing the Oplock, the service will perform the final move operation through the two symbolic links. These steps are described in more detail below.

**Prepare the workspace and log4net configuration**

Create the workspace directory with the following structure:

C:\\ProgramData\\Huddly\\Logs\\workspace

|\_\_ <DIR> bait

|\_\_ <DIR> mountpoint

|\_\_ FakeDll.dll

The mountpoint directory will first be a junction to the bait directory, then switched to a junction to the RPC Control Object Directory. The DLL file is the file to be moved to a secure location such as C:\\Program Files\\Huddly\\.

Additionally, as shown in Figure 10, the log4net configuration file will be updated to write into the mountpoint directory, and the maximumFileSize will be set to 0. The maxSizeRollBackups decide how many backup files there will be. The default was five, which is why we will be looking for test.log.5.

_Figure 10 - log4net configured for exploitation._

**Create the mountpoint from mountpoint to bait**

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> C:\\ProgramData\\Huddly\\Logs\\workspace\\bait

**Start the service / reboot the machine**

The logs will be written to C:\\ProgramData\\Huddly\\Logs\\workspace\\bait\\test.log because of the junction created.

**Start phase 2 – Find the test.log.5 file and set an Oplock**

This phase will attempt to race the log4net rollover function. The exploit code enters a loop that will attempt to open the test.log.5 file. When the file open is successful, an Oplock will be placed on it, which helps win the race by allowing us to pause the operation.

**Wait for the Oplock**

The Oplock will be triggered when log4net in the service opens the test.log.5. When the Oplock is triggered, the exploit generates the new file name, switches the mountpoint, and creates two symbolic links.

Before the switch:

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> bait

test.5.log = C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint\\test.5.log -> C:\\ProgramData\\Huddly\\Logs\\workspace\\bait\\test.5.log

After the switch:

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> \\RPC Control

test.5.log = C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint\\test.5.log -> C:\\ProgramData\\Huddly\\Logs\\workspace\\FakeDll.dll

C:\\ProgramData\\Huddly\\Logs\\workspace\\test.5.log.<TickCount>.DeletePending = C:\\Program Files\\Huddly\\FakeDll.dll

**Release the Oplock**

Upon Oplock release, the final MoveFileEx() call redirection will occur due to the symbolic links. Consequently, the DLL will be moved to the C:\\Program Files\\Huddly folder.

Figure 11 shows the important parts of the Proof of Concept code used to exploit the vulnerability.

 

_Figure 11 - Proof of concept code to exploit the vulnerability._

After a short time, the race is won, and the FakeDll.dll was placed inside C:\\Program Files\\Huddly with inherited access rights from C:\\ProgramData\\Huddly\\Logs, as was demonstrated in Figure 6 earlier. 

**Disclosure Timeline**

*   2023-08-07 – Identified the vulnerabilities
*   2023-08-10 – Vulnerabilities reported to Huddly
*   2023-08-28 – Huddly verified vulnerabilities
*   2023-09-21 –Patch available
*   2023-10-23 - Verified the effectiveness of the patch
*   2023-11-20 - Released the full disclosure of the vulnerabilities

**Acknowledgment**

I want to thank Huddly and everyone involved with the patch for these vulnerabilities. They were kind and demonstrated a collaborative spirit, making them easy to work with.

Article written by: Henrik Pedersen, XLENT Cyber Security Norway

**References**

1.  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking
2.  https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching
3.  https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
4.  https://logging.apache.org/log4net/release/sdk/html/M\_log4net\_Appender\_RollingFileAppender\_DeleteFile.htm
5.  https://logging.apache.org/log4net/log4net-1.2.12/release/sdk/log4net.Appender.RollingFileAppender.RollOverRenameFiles.html
6.  https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main
7.  https://itm4n.github.io/cve-2020-0787-windows-bits-eop/

CVE-2023-45253: Security Disclosure of Vulnerabilities: CVE-2023-45252 and CVE-2023-45253


Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.



**Impact**

Medium

**Details**

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-43089

Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-43089

Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVE(s) Addressed

Product

Affected Version(s)

Updated Version(s)

Link to Update

CVE-2023-43089

Dell Rugged Control Center

Versions prior to 4.7

Version 4.7

https://www.dell.com/support/home/drivers/driversdetails?driverid=4M3T2

CVE(s) Addressed

Product

Affected Version(s)

Updated Version(s)

Link to Update

CVE-2023-43089

Dell Rugged Control Center

Versions prior to 4.7

Version 4.7

https://www.dell.com/support/home/drivers/driversdetails?driverid=4M3T2

**Workarounds and Mitigations**

Dell Rugged Control Center UI would provide an SHA-256 hash of the Policy File to the administrator, which can be used to cross-verify the legitimacy of the policy file after transfer.  

**Revision History**

Revision

Date

Description

1.0

2023-11-30

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-43089: DSA-2023-371: Dell Rugged Control Center Security Update for an Improper Access Control Vulnerability

By Waqas
Immediate Action Required: Update Your Apple Devices, Including iPads, MacBooks, and iPhones, NOW!
This is a post from HackRead.com Read the original post: Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

Apple has recently released security updates to tackle two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that hackers are actively exploiting.

Apple Inc. today released crucial security updates aimed at mitigating two critical zero-day vulnerabilities identified as CVE-2023-42916 and CVE-2023-42917. These vulnerabilities have been actively exploited by hackers, posing a significant risk to a wide range of Apple devices.

The vulnerabilities allow attackers to execute arbitrary code and access sensitive data on compromised devices. These security flaws are particularly concerning because they can be exploited through malicious web pages, exploiting a memory corruption bug to gain unauthorized access.

****Affected Devices****

Apple’s advisory lists a comprehensive range of devices vulnerable to these exploits:

*   iPhone XS and later models
*   iPad Pro 10.5-inch
*   iPad (6th generation and later)
*   iPad Air (3rd generation and later)
*   iPad mini (5th generation and later)
*   iPad Pro 11-inch (1st generation and later)
*   iPad Pro 12.9-inch (2nd generation and later)
*   Mac computers running macOS Monterey, Ventura, and Sonoma

****Immediate Action Recommended****

Apple urges all users of these devices to update their software immediately. The updates are designed to patch the vulnerabilities and protect devices from potential exploits. Users can update their devices by going to the ‘Settings’ menu, selecting ‘General’, and then tapping on ‘Software Update’.

The urgent release of these security patches highlights the growing challenges in cybersecurity. Security experts advise users to always keep their software updated to the latest version and to be cautious of suspicious web pages and downloads.

In a comment to Hackread.com, Michael Covington, VP of Portfolio Strategy at Apple device security and management company Jamf, urged users to immediately update their devices.

“These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content,” Michael said. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users,” he wanted.

****How to Update Your Apple Devices?****

Apple provides detailed instructions to ensure that users update their devices effectively. For iPhone and iPad users, navigate to Settings > General and click on Software Update.

For macOS users, click on the Apple menu (), go to System Settings, select General, and then click on Software Update. Automatic updates should be enabled to receive the Rapid Security Response patches seamlessly. Restarting the device may be necessary to complete the update process.

****_RELATED ARTICLES_****

1.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
2.  **Update NOW! Pegasus Spyware Exploiting iPhones on Latest iOS**
3.  **Apple issues iPhone software update after fake police ransomware scam**

Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions. An admin credential is passed as a value of URL parameters without encryption, so it allows remote attackers to steal the password and gain full control of Loytec device configuration.

**Full Disclosure mailing list archives**

_From_: Chizuru Toyama <chizuru\_toyama () txone com>  
_Date_: Thu, 23 Nov 2023 02:54:46 +0000  

\[+\] CVE                                 : CVE-2023-46383, CVE-2023-46384, CVE-2023-46385 
\[+\] Title                                : Multiple vulnerabilities in Loytec LINX Configurator 
\[+\] Vendor                           : LOYTEC electronics GmbH
\[+\] Affected Product(s)     : LINX Configurator 7.4.10
\[+\] Affected Components : LINX Configurator
\[+\] Discovery Date             : 01-Sep-2021
\[+\] Publication date           : 03-Nov-2023
\[+\] Discovered by               : Chizuru Toyama of TXOne networks


\[Vulnerability Description\]

 CVE-2023-46383 : Insecure Permissions
 Loytec LINX Configurator could be connected to Loytec devices with
 an administrator credential, and it could configure device settings. 
 Since it uses HTTP Basic Authentication, which transmits usernames 
 and passwords in base64-encoded cleartext, so anyone could easily
 steal credentials if they sniff network traffics. Once obtaining the
 admin password, attackers could connect and control Loytec devices 
 via LINX configurator.
 
 CVE-2023-46384 :  Insecure Permissions 
 Following registry key contains hard-coded clear text admin password 
 for recently connected Loytec device. (password cache) If an attacker 
 succeeds in getting this registry key value, attackers could connect 
 and control Loytec devices via LINX configurator.

  Key: Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\LOYTEC\\LOYTEC LINX Configurator\\OhioIni
  Value name: ftp\_pass
  Value dada: <admin password>

 CVE-2023-46385 : Insecure Permissions
 When Loytec LINX Configurator connects to a device, it sends HTTP GET 
 request to login. Since cleartext password is passed as an URL parameter, 
 "password" without sufficient protection, anyone could easily steal 
 credentials if they sniff network traffics. Once obtaining the admin 
 password, attackers could connect and control Loytec devices via LINX 
 configurator.
 http://<IP>:<port>/webui/config/system?username=admin&password=<admin password>&login=Login


\[Timeline\]

 01-Sep-2021 : Vulnerabilities discovered
 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
 07-Oct-2022 : ICS CERT reported to vendor (no response)
 03-Nov-2023 : Public Disclosure

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **\[CVE-2023-46383, CVE-2023-46384, CVE-2023-46385\] Multiple vulnerabilities in Loytec products (2)** _Chizuru Toyama (Nov 27)_

CVE-2023-46385: [CVE-2023-46383, CVE-2023-46384, CVE-2023-46385] Multiple vulnerabilities in Loytec products (2)

ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation.

**Impact**

The ZStack Cloud releases before 3.10.38(included) are vulnerable to unauthorized access.

**Patches**

The problem already patched in ZStack 3.10.40 and all further versions (ZStack Cloud 4.x are not vulnerable).

**Workarounds**

We strongly suggest users upgrade to patched versions.

If you have a Web Application Firewall(WAF), filter requests GET /calls/uuids could reduce the impact of this vulnerability.

if you do not have a WAF, iptables could be an alternative(make sure running bellow command on all management node)

iptables -I INPUT -i br\_eth0 -p tcp --dport 5000 -m string --string "/calls/uuids" --algo kmp -j DROP  
# replace br\_eth0 and 5000 to corresponding network interface and port number

**For more information**

If you have any questions or comments about this advisory:

*   Contact our support ZStack
*   Open an issue in ZStack Github Repo
*   Email us at contact@zstack.io

CVE-2023-46326: Unauthorized access in ZStack Cloud

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 Firmware 7.2.4 are vulnerable to Incorrect Access Control via registry.xml file. This vulnerability allows remote attackers to disclose sensitive information on LINX configuration.

**Full Disclosure mailing list archives**

_From_: Chizuru Toyama <chizuru\_toyama () txone com>  
_Date_: Thu, 23 Nov 2023 02:57:14 +0000  

\[+\] CVE                                  : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389  
\[+\] Title                                 : Multiple vulnerabilities in Loytec L-INX Automation Servers
\[+\] Vendor                            : LOYTEC electronics GmbH
\[+\] Affected Product(s)      : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4
\[+\] Affected Components : L-INX Automation Servers
\[+\] Discovery Date              : 01-Sep-2021
\[+\] Publication date           : 03-Nov-2023
\[+\] Discovered by               : Chizuru Toyama of TXOne networks


\[Vulnerability Description\]

CVE-2023-46386 : Insecure Permissions
'registry.xml' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting registry.xml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46387 : Improper Access Control
'/var/lib/lgtw/dpal\_config.zml' file is accessible via file download API. 
 'dpal\_config.wbx' which is extracted from 'dpal\_config.zml' includes
sensitive configuration information such as smtp client information.  
 Authentication is required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal\_config.zml

CVE-2023-46388 : Insecure Permissions
'dpal\_config.wbx' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting dpal\_config.zml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46389 : Improper Access Control
'/tmp/registry.xml' file is accessible via file download API. 
 'registry.xml' includes device configuration information which includes
sensitive information such as smtp client information. Authentication is
required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/tmp/registry.xml


\[Timeline\]

01-Sep-2021 : Vulnerabilities discovered
13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
07-Oct-2022 : ICS CERT reported to vendor (no response)
03-Nov-2023 : Public Disclosure


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **\[CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389\] Multiple vulnerabilities in Loytec products (3)** _Chizuru Toyama (Nov 27)_

CVE-2023-46389: [CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389] Multiple vulnerabilities in Loytec products (3)

Buffer Overflow vulnerability in /apply.cgi in Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 allows attackers to cause a denial of service via the ApCliAuthMode parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47307: overflow/LBT-T310 Buffer overflow.md at main · forever-more-cjy/overflow

Early disclosures related to September compromise insisted less than 1% of Okta customers were impacted; now, the company says it was all of them.

Source: Ilnur Khisamutdinov via Alamy Stock Photo

Identity access management vendor Okta has released an update following an investigation into a hack this fall on its systems, revising the number of impacted customers up from less than 1% to a staggering 100%.

A blog post dated Nov. 29 from Okta chief security officer David Bradbury explained that an analysis of a breach from September revealed that an unauthorized user was able to run a report on Sept. 28 containing data on every user of Okta's customer support system, which leaked the following data: company name, contact information, user name, role description, and a "collection of other data." This type of information could be useful to threat actors in launching social engineering attacks, like the ones that leveraged Okta to breach MGM Resorts and Caesars Entertainment.

Thus, Okta is warning all of its customers to be prepared for similar phishing and social engineering cyber-scams.

"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users," Bradbury wrote. "While 94% of Okta customers already require MFA \[multifactor authentication\] for their administrators, we recommend all Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security."

The company added that it does not have any evidence the compromised Okta customer data is being actively exploited yet, however. Even so, cybersecurity experts advise Okta customers to focus on cybersecurity best practices, including user training.

"What is needed to secure Okta customers is a focus on best practices; for example, 6% of their users do not have multifactor authentication enabled," says Viakoo CEO Bud Broomhead. "Likewise, setting session timeouts or requiring reauthentication for sessions from a new IP address should be done across all Okta users."

**Okta Breach Brand & Financials Ramifications**

That bit of bad news for Okta customers was tempered by another piece of data out of Okta on Nov. 29. According to its latest quarterly financial report, the company announced that it has seen a more than 20% increase in revenues. The bottom-line growth increase is marked for the quarter ending Oct. 31, the same quarter Okta's systems were used in high-profile breaches of MGM and Caesars.

"Our Q3 performance was highlighted by solid top-line growth, record non-GAAP operating profit, and record free cash flow," Todd McKinnon, CEO and co-founder of Okta, said in a statement about the company's earnings. "We are particularly enthusiastic about the adoption of Okta Identity Governance and the general availability of Okta Privileged Access, which uniquely positions us as the only unified modern identity platform. Over 18,800 leading organizations around the world put their trust in Okta and we are thankful for their continued partnership."

The news of the leaked customer data did drive down Okta stock prices when it happened, but the investor fallout appears to be hovering in the single digits.

That said, the time lag for sales revenues to be impacted by major cyber incidents like the ones Okta has experienced should be taken into account when analyzing whether the breach impacted the brand, according to Jasson Casey, CEO of Beyond Identity.

"The sales cycle for midmarket customers is typically three to four months, while the enterprise sales cycle can be six-plus months," Casey tells Dark Reading. "Revenue numbers being reported today don't reflect the market's processing and intake of the latest news."

However, Casey tells Dark Reading that personally, he's seeing a market shift away from Okta.

"Anecdotally, we're seeing a large number of companies actively search for migration pathways from Okta to other SSO \[single sign-on\] platforms due to the continued string of news related to Okta security practices," he adds. "Okta has a hard road in front of them to convince the mid/enterprise market that security is a foundational principle given their continued missteps over the last two years."

Okta declined to comment on customer reactions to the compromise.

Okta Breach Widens to Affect 100% of Customer Base

Cybercriminals use legal search terms to ensnare unwitting victims, then launch ransomware or business email compromise attacks.

Source: The Lightwriter via Adobe Stock

Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and business email compromise (BEC).

On Nov. 24, managed service provider CTS, which provides IT services to law firms, acknowledged that the firm had suffered a breach, but did not give details about the source of the attack. The incident has reportedly affected services to dozens of law firms, particularly in the real estate sector. The attack follows claims by the LockBit group that it compromised London-based law firm Allen & Overy, listing the firm among the victims on its data-leak site and demanding a ransom. The firm confirmed a breach, but did not acknowledge the ransomware attack.

The attacks are only the latest to target law firms and legal departments. At least one attack group has targeted law firms specifically, seeding compromised sites with legal jargon to make the sites rise in search rankings and then deliver a ransomware attack chain to visitors, says Keegan Keplinger, a senior security researcher with managed detection and response firm eSentire.

"When \[the targeting\] hasn't been a legal organization, it's often been the legal department or a legal user — a paralegal or the legal consultant — in an organization," he says. "We saw a hospital get hit once, but it was the legal user in that hospital that downloaded \[the malware\]."

GootLoader, which leads to Blackcat ransomware, has focused heavily on law firms. Source: eSentire

Hackers have long favored law firms as a way to steal secrets, absconding with Uber drivers' personal information from law firm Genova Burns LLC in January; hijacking data on the contracts and personal emails from 200 high-profile celebrities — including Lady Gaga, Madonna, and Rod Stewart — from New York law firm Grubman Shire Meiselas & Sacks in 2020; and allegedly leaking the "Panama Papers" — 11.5 million documents on wealthy tax evaders — from Panama-based law firm Mossack Fonseca.

Traditionally, the attraction for online attackers has not been money, says Ilia Kolochenko, chief architect at application security firm ImmuniWeb.

"Law firms are pretty far from being attractive victims for cybercriminals," he says. "However, their clients — namely, secrets of their clients — make law firms a magnet for all kind of cybercriminals."

**Clickbait Turns to SEO Poisoning**

That has changed, as cybercriminals increasingly focus on law firms as a way to cash in with ransomware and BEC attacks. More than a quarter of law firms (27%) suffered a security breach in 2022, up from 25% in 2021, according to the American Bar Association's annual cybersecurity report, which stresses that a security breach is not as severe a classification as a data breach. The legal sector is the fourth most targeted sector by cybercriminals — behind services, manufacturing, and financial firms, according to eSentire's data.

The most significant threat to law firms may be GootLoader, a browser-based threat that is delivered through search engine optimization (SEO) poisoning. The group behind GootLoader has seeded malicious content and malvertising linked to 3.5 million search terms, a high percentage of which are legal terms. As a result, a lawyer or paralegal who searches for specific content may find the top search result leading to a GootLoader-infected file. Downloading and opening the file will execute the program, which almost always leads to BlackCat ransomware, says Joe Stewart, a principal security researcher at eSentire.

"This \[is\] what I call a landmine approach," he says. "They're just mining the entire Web with these search keywords and just waiting for somebody in the legal profession, or somebody who needs this legal document, to just stumble on it and open it up, say, 'What's this? Oh, I will click on this JavaScript. No problem.'"

Ransomware is not the only worry for law firms. A number of threat groups are also targeting law firms with BEC scams. Law firms are the perfect victims for such schemes, says Dan Caplin, director of cybersecurity and incident response at S-RM, a cybersecurity consultancy.

"Firstly, they do a lot of business over and in emails, and secondly, law firms often occupy a privileged position in situations where payment instructions and details are exchanged — this, again, is mostly done over email," he says. "This makes email account takeover, intercepting a thread about a legitimate payment, and diverting funds to a fraudulent bank account a really effective approach."

**Will Get Worse Before It Gets Better**

Because law firms tend to be smaller, often just one or two people, cybersecurity knowledge is often lacking, says ImmuniWeb's Kolochenko.

"Solo practitioners and small law firms are usually poorly protected, having very modest budgets for cybersecurity," he says. "Large law firms, however, increasingly spend more on cybersecurity and cyber defense, \[but most firms\] have similar problems as all other industries including shadow IT, working from home, \[and\] underprotected third parties."

Unfortunately, law firms are often tasked as the custodian of extremely sensitive information, making any breach a problem and making the firm more likely to pay a ransom. It's little wonder that GootLoader has targeted the industry, says eSentire's Keplinger.

"For a variety of reasons, law firms are behind the curve a little bit on security," he says. "With ransomware — especially the double whammy (both stealing and encrypting the data) — legal firms are an obvious organization that would be vulnerable to that — especially, that would care about publishing their data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#auth