A vulnerability has been identified in SiPass integrated (All versions < V2.90.3.8). Affected server applications improperly check the size of data packets received for the configuration client login, causing a stack-based buffer overflow.

This could allow an unauthenticated remote attacker to crash the server application, creating a denial of service condition.

%PDF-1.5 %���� 53 0 obj << /Length 2894 /Filter /FlateDecode >> stream xڵZKs�8��W�TU�I��8���x-9SS�h��Y#QZ��7�~�P&)�aJ��D$4��\_��C@��'��'� 1���}S��(��!���||gY�N�r2�g�bWL�L�Y�� �-��r���~�n��ϭ���f�\[T�7�=��9���b~�р�0�H,X�X�|��K��\[@�0:x�3ׁT�()�y�N�}B�P�o�&���P͇hjIL,�$�~D�12�� R��H{�Φ�K&��C��R��1�K���ݤ\`���"&��!��X�DG�\*Y����a�DD�Q�D�fz�gf� �)�� �@,�������N��L�/���J���1B����('D�hHqB k�u�p���"��V\]r)I��c�2��1$':6Cr 1�d\[�,�a<��1q� ��/�t�m %:\\ϲk�HIYr/�&��c���Ad� �tJc�E���.�\*}(�\*\]���}���� !���!4���ǆw�=�M��V��̗jP{�hڌ���&�D�b��Ή �nݭ$�I�)WD�ٵ�;\[�V�"��M���{0�\[��Z�S.�4�2��q9��(�\_%e���n�n���ɪ�\]Q��\_�u�i�%��%�,���\]�u6s�� ��ӻ�L}�^���D�0&�U;D�������=N@��ϋ"�!4�v��~�tv3Q4�7�(d�m��!@��|\]���!<�FC"���0����O.���D�y�z�}�x5�b�WI��o�+�Ӿ��� 7 ����td��u;Z=&UM~��%���JX\`3iЁF��ֱ�y�'��<��Jf,����&M�=��čV��(P?I����2upDR�E�v\[;��zy �����~�i�%+������~P�2CRĹ)1ƴ����۶"�\`@�U���¥H|��l(��{�뛢��I�������"�\*L�.�5l�,��3�jm�շ�O.�M�²�7�$���P@ib�P ������Ç�����\`� ��f�^\\'8�Q�x�b�!jjq}�N�����|�M����D@t+�\\ѐ@,��6���sU�(�9��1�F��HL��������������<� Uwkc�V�����o���� T�0Y��nA��/���3r�jA'�4��qα�c5�" �-h��F\_\[��$�u�q�I'\]��uavȝ4�k"$Q(�p����1��w}@�"LD�\*DP �C�5rI~�9u n��u�>�ǹ�4�ue��lX�mil/�q,jl"��2/EN�9wNA ���Z��LL!�@��g+\_�e���O墳P��U���~�T�mOqn�:D&�K�.D�#����\*i �zc  X��XU����i��n퉘 +���\]Y�&&�1�GJ�f� ���Ey��|��-�'(p�Z����S�b�x>eT'����+��\_W�# ��Q!s ����H^9P���L�HIb;i�)��j����a����� ��\\�a�Uāg<Cb�b\*�ۂ�"��˒Gq�zec(�������j���r~��lbh��c������v� ��8r��ϖ��6\]dЅ�ž���G�u�yx�\]�k ����aW���n4J�j \_|s���̾Л�ղS�g�ծA�E4HF��@I#�\*�ew�P��F+�\[�A?�ؤbyX�z�S�B^e}\\��7?:�J��\*="h2��u���/nή��@�#v~��yL�Ż��|�w�%M�����������\`�$e�<Ԍx�������@�H������˧O�mkn��F�8 ���vQ ��&���8P�����;<����р�\\��a��5�w|G,���bS����%O�g�o�6��s�X�egYҌcj��A)��r�m\_�\\��9�&,|t/�>n�X���:\]<&yV�DOS�XxY����#���l"�A�n\`� �al/}=��I��u��$��}r�iS,-2r��$ (chX+�#��;!�t�O}�fݟyC�������9��l �W�'�$�ɕ�$R����}p�П\[���l>�\["��#HĊ@��,��X�x1;�����N@NX��\`�ᜍ��x�6�w9�d��ݪSҬ�����eH�p�N��Jr�x"�+�U���^k����T+p{�����U�V�d|���h��C�0"�O� t�Z�e8�:��.?\\��3����Xdo�lp�1�5=G�8�X��8��o@p�� ���4�C\[pw�v�l�t�w���}ޕ�<�t��gwo�ʅO�n�X�p�2�U������0B-�n#� P�}5�N�/I��$����۫(j��=??O� \*�(+�)NOey��KHs<��%L�l�Ɂ�I+����Zx�����.��ܬ�� ڪ�йJa�?�-������i �dx �C�z��: �v;l^��B�r3��Z ��G�ˏz�~�o�����a�"�����\]�W��ƃ,ob�ǳ�l��~�e ՗����+�RV+�}�9k�ޮ���ҩ!t�UI\`@����K�3\[yTxw5b�h�\`8�݂��0�hL0\`�0�� �<0���7ҥ��}O�W�h�\]�>��|���f\[����� |�j��u�qD�����=�/p/w�F\` ,p�%�+�P�9�0�F�\]ռ�\*ݺ�L���I��K���^�W0��tU�,O�\`��zLI����zk2�:�̴�\[���Y�}��9N�a\[4���v���-��^ Q���L�$\[���5�}��\_oz�L�z\]﫩�}�׹Ү�'�޾z,ֱ9V��:-.�J,� �L��}d�V}�iY�\_��W��Mbb8�;.�>�4����+6���)�q:���k�{�(�M5r endstream endobj 64 0 obj << /Length 1924 /Filter /FlateDecode >> stream xڥXms�8�ί��˙�"�j�|� m�K�\\��ܴ��cL�l���z��V^�\`�Pn�X��zv�Ѿ�:u��^�z�׊: <�9���S�=��(�;���ɝ&�:N����ڝ�Q���r��'N��?�<�IA\];u���sk��6��Qq6����Y���\]o2�}�1D���/��{��Pg��9��@;��ʵ#� J x^9��=j������ H�(� �d���h%�o%�h �8�=��\]ߣn�J�mx���i�hƄG��?� \\���"�-�I"�TGT0�4�\[J��M�r>L3Zi�5f�.�P�,8-�f\`ɉҙ�A�x�0~��"��nQx���s�V�0n6�$ �$C�xn��l�M�L\[��e�2����b\[��?}X�t���yX��~�m�9Nn�>s�8 �Et�\[��,\*+�s�,�L)�3�V0�q��\\w�5�VI�H�U���/�9 �

CVE-2022-31810

A heap buffer overflow vulnerability was found in sox, in the lsx_readbuf function at sox/src/formats_i.c:98:16. This flaw can lead to a denial of service, code execution, or information disclosure.

'2212291?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-34432: Invalid Bug ID

A heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-34318: cve-details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 db2set is vulnerable to a buffer overflow, caused by improper bounds checking.  An attacker could overflow the buffer and execute arbitrary code.  IBM X-Force ID:  252184.

  

**Summary**

IBM® Db2® db2set is vulnerable to arbitrary code execution.

**Vulnerability Details**

**CVEID:**   CVE-2023-30431  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) db2set is vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow the buffer and execute arbitrary code.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252184 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Applicable Editions

IBM® Db2®

10.5.0.11

Server

IBM® Db2®

11.1.4.7

Server

IBM® Db2®

11.5.x

Server

All platforms are affected.

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

DT198274

Special Build for V10.5 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.1

TBD

DT198274

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT198274

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

07 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"},{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"}\],"Version":"11.5,11.1,10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-30431: IBM® Db2® db2set is vulnerable to arbitrary code execution. (CVE-2023-30431)

A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Skip to content

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

Page load link

CVE-2023-33715: Index

Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.

CVE-2023-25201: Security Advisories - usd HeroLab

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Thursday, July 6, 2023 11:07

*   Cisco Talos discovered 17 vulnerabilities (63 CVEs) in the Milesight UR32L router and five vulnerabilities (six CVEs) in the Milesight MilesightVPN remote access solution software.
*   An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN.
*   This post presents an attack scenario in which the UR32L is only reachable through the MilesightVPN remote access solution. The blog explains how an attacker could exploit the MilesightVPN and then fully compromise the UR32L.

Cisco Talos recently discovered several vulnerabilities in Milesight‘s UR32L – an ARMv7 Linux-based industrial cellular router — and Milesight’s MilesightVPN, a remote access solution for Milesight devices.

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

The MilesightVPN is the remote access solution for Milesight devices not directly exposed to the internet. The MilesightVPN will perform this through a VPN system, making the VPN setup for the devices and the administrator easy. The MilesightVPN provides an HTTP admin page to monitor devices’ tunnel connection to the MilesightVPN itself and generate VPN configuration to join devices’ VPNs. By default, the MilesightVPN binds the HTTP server ports and the one VPN port on all interfaces. This software must be installed on a server machine reachable by the administrator and devices. Because of this, the most popular setup for administrator is to expose the MilesightVPN to the internet.

The Milesight UR32L is an industrial router that offers cellular capabilities. The router supports multiple users with different permissions. It offers a shell with restricted capabilities access. And many common industrial router features and functionalities. The Milesight UR32L does not include the ability to obtain and act with root privileges.

**Attack scenario overview**

In this blog post, Talos will present an attack scenario in which an adversary targets the Milesight UR32L, where the router is not exposed to the internet and instead uses a VPN tunnel for providing access to its internal network and the router itself. We considered the scenario where the device is managed through MilesightVPN. This software must be installed on a machine that is reachable by the UR32L router and the administrator. For the purposes of this post, we assume the MilesightVPN server is exposed to the internet.

MilesightVPN uses OpenVPN as the underlying VPN system. It is an excellent choice to use a well-established VPN system. OpenVPN is a well-known, tested VPN technology, which means it is less likely to have major security issues. But the MilesightVPN creates services around the OpenVPN tunnel like an HTTP server to monitor the connections and to generate OpenVPN configuration for joining the device’s VPN. By default, the MilesightVPN binds the HTTP server ports and the OpenVPN one on all interfaces. So, if the MilesightVPN is accessible on the internet, those services are by default accessible, too.

The UR32L has its own HTTP server; which allows users to manage the router configuration. We are also assuming the UR32L’s HTTP server is only accessible from the VPN and the MilesightVPN server is the only node that can generate a VPN configuration.

_An illustration of the proposed attack scenario._

The graphic below includes only the vulnerabilities relevant to this proposed attack scenario. This graphic shows the steps that an attacker could take to obtain root access to a Milesight UR32L:

**Attack walkthrough**

After locating the IP address of the MilesightVPN server, the attacker still cannot log in to the HTTP admin page due to the lack of valid credentials. The HTTP server login page of MilesightVPN looks like this:

From this point, an attacker could exploit TALOS-2023-1701 (CVE-2023-22319) to bypass the login and access the admin web pages on MilesightVPN. This vulnerability is a SQL injection in the _LoginAuth_ function responsible for checking the provided credentials. The check uses SQL without a prepared statement or any form of sanitization. The _LoginAuth_ code is shown below:

        function LoginAuth(res,postdata,connection){ 
            console.info('#######log.node:loginauth start'); 
            var sha512=crypto.createHash('sha512'); 
            sha512.update(postdata.pwd); 
            var pwd=sha512.digest('hex'); 
    [1]     $sql="select * from user where user='"+postdata.user+"' and passwd='"+pwd+"'"; 
    [2]     connection.query($sql).then(function(data){ 
                var result={}; 
                if(data['error']) 
                { 
                    [...] 
                } 
                else 
                { 
                    if(data['result'].length>0) 
                    { 
                        var dt=data['result']; 
                        result['status']=1; 
                        var token=generateToken(dt[0]['user']); 
                        var exp=new Date(
                            new Date().getTime()+
                                expiretime*1000).toUTCString(); 
                        res.setHeader('Set-Cookie',['token='+token]); 
                        console.info('#######log.node:loginauth success'); 
                        res.write(JSON.stringify(result)); 
                        res.end(); 
                    } 
                    else 
                    { 
                        [...] 
                    } 
                } 
            }); 
        } 
    

At _[1],_ the function composes, the SQL query for checking if the username and password provided correspond to the one of an existing user. Then, at _[2]_, the query is executed, if the resulting table is not empty a JWT, corresponding to the first matched user, is crafted and placed in the response header as the value of _Set-Cookie_. This function is vulnerable to a SQL injection vulnerability because the "preparation" of the query string is performed through string concatenation instead of a prepared statement. This SQL injection can allow an attacker to bypass the authentication of the HTTP server and gain admin access.

After bypassing the login page, an attacker would be presented with the following interface. The example below includes an interface with multiple devices registered and a single device that has an active connection.

From here, an attacker can glean information about the devices connected to the server and their IPs. Furthermore, it is possible to obtain an OpenVPN configuration file to join the VPN tunnel and communicate with the devices that were previously unreachable. The attacker can now communicate with all devices in the VPN. The following image is the HTTP server login page of the Milesight UR32L router:

From here, several attack paths are possible. TALOS-2023-1697 (CVE-2023-23902) is a pre-authentication stack-based buffer overflow that can lead to arbitrary remote code execution (RCE).

The attacker's only requirement is to be able to communicate with the router's HTTP server. This vulnerability is a pre-authentication, stack-based buffer overflow in the _decrypt_string_ function of the _uhttpd_ binary, the UR32L’s HTTP server binary. This function is responsible for decrypting the login password provided for the webpage login. The password sent from the browser is first AES-encrypted and then Base64-encoded. The _decrypt_string_ will Base64 decode and then AES decrypt the password.

The _uhttpd_ binary is not a Position Independent Executable (PIE), meaning that the binary is always loaded at the same virtual memory addresses, but the libraries are Position Independent Code (PIC). This makes it possible for an attacker to perform a code reuse attack using the binary code without any information leaks unless the attacker needs to reuse some of the libraries' code. Furthermore, the code reuse attack scenario is the path of least resistance for exploitation because no stack canary is used in this binary.

The binary is executed as root and makes use of functions such as _system_ and _popen_, as such, one of the options would be to mount an attack aiming to execute OS commands.

The following is a code snippet of the _uhttpd’ decrypt_string_:

    void decrypt_string(
        char *b64_encrypted_password,
        char *decrypted_password,
        size_t size_decrypted_password)
    { 
        [...] 
        uchar stack_decrypted_string [72]; 
        [... init the AES_key variable] 
        [... init the AES_IV variable] 
        [... calculate the __size variable value ...] 
        base64_decoded_string_start = (uchar *)malloc(__size); 
        [...] 
        memset(base64_decoded_string_start,0,__size); 
        processed_len = 0; 
        base64_decode_string_cursor = base64_decoded_string_start; 
        do { 
            // this check allow to base64 decode the string before decrypting it 
            if ((password_len_ - padding) <= processed_len) { 
                *base64_decode_string_cursor = '\0'; 
                ctx = EVP_CIPHER_CTX_new(); 
                [... check error ...] 
                cipher_type = EVP_aes_128_cbc(); 
                processed_len = EVP_DecryptInit_ex(
                    ctx,
                    cipher_type,
                    (ENGINE *)0x0,
                    AES_key,
                    AES_IV); 
                [... check error ...] 
    [1]         processed_len = EVP_DecryptUpdate(
                    ctx,
                    stack_decrypted_string,
                    &output_len,
                    base64_decoded_string_start,
                    (base64_decode_string_cursor + 
                        (-1 - base64_decoded_string_start)));                              
                [... check error ...] 
                processed_len = output_len; 
                iVar3 = EVP_DecryptFinal_ex(
                    ctx,
                    stack_decrypted_string + output_len,&output_len); 
                [... check error ...] 
                processed_len = processed_len + output_len; 
                EVP_CIPHER_CTX_free(ctx); 
                stack_decrypted_string[processed_len] = '\0'; 
                EVP_cleanup(); 
                ERR_free_strings(); 
                free(base64_decoded_string_start); 
    [2]         strncpy(
                    decrypted_password,
                    (char*)stack_decrypted_string,
                    size_decrypted_password);                 
                return; 
            } 
            [...] 
    [3]    	[... base64 decode ...]                 
        } while( true ); 
    } 
    

This function has three parameters: the _b64_encrypted_password_ parameter is the AES-encrypted and Base64-encoded password string that will be Base64 decoded and then AES decrypted; _decrypted_password_ is the destination buffer where the decoded and decrypted password will be copied;  _size_decrypted_password_ is the size of the _decrypted_password_ buffer. At _[3]_ the _b64_encrypted_password_ string is Base64 decoded and then, at _[1],_ the decoded value is AES decrypted into stack_decrypted_string, a 72-byte long stack buffer. Eventually, at _[2],_ _size_decrypted_password_ bytes will be copied from the _stack_decrypted_string_ buffer into the decrypted_password buffer.

In the _decrypted_password_ only _size_decrypted_password_ bytes will be copied, which will prevent any type of buffer overflow in the _decrypted_password_ buffer.

At _[1]_ the _OpenSSL's EVP_DecryptUpdate_ function will perform the AES decryption of the Base64 decoded user-controlled data into the _stack_decrypted_string_ stack buffer. Because the _stack_decrypted_string_ stack buffer is fixed in size and the decrypted string, provided by a user, can be greater in length than the stack buffer. This can lead to a buffer overflow in the _stack_decrypted_string_ buffer.

Essentially, the login API accepts the password as the Base64 encoding of the AES encryption of the password content. This function is used to decode the Base64 string and then AES decrypts it to obtain the actual password value.  The vulnerability is that the password can overflow a stack buffer overwriting the stack content, including the stored return address.

The exploitation of this vulnerability becomes easier because of the epilogue of this function:

      strncpy(
          decrypted_password,
          (char*)stack_decrypted_string,
          size_decrypted_password);          
      return; 
    

The _decrypted_password_ is a buffer in the function caller stack space where the decoded and decrypted password is saved. In assembly, this looks like:

    ldr r0, [sp,#0xc]  
    bl strncpy  
    add sp, sp, #0x84  
    pop {r4,r5,r6,r7,r8,r9,r10,r11,pc} 
    

The function that copies the plain text password into the _decrypted_password_ array, which is also the last function call before returning to the caller, is _strncpy_. The r0 register is used for passing the first argument of the function; in the case of _strncpy_, _r0_ points to the destination buffer. After the _strncpy_ function call r0 will point to the beginning of the plaintext password.

The fact that the vulnerability considered is a stack buffer overflow, the binary does not have a stack canary, the binary is not PIE and uses the _system_ function in combination with the fact that we control the content of what r0 points to, makes the exploitation straightforward. An attacker could overwrite the return address making the function return to the _system_ function and controlling the executed shell command by placing the command to execute at the beginning of the plaintext password payload, as shown in the gdb screenshot below.

The _pc_ is the last instruction of the _decrypt_string_ function and the return address was overwritten with the system plt entry, know because the binary is not PIE, and the _r0_ registry points to the _controllable_ string. So, the _decrypt_string_ returning will execute _system(“controllable”)_.

**Vulnerability Details**

The following vulnerabilities are command injection issues in Milesight UR32L. These vulnerabilities exist in different functionalities of the router. An attacker could exploit these vulnerabilities by sending a specially crafted network packet to a targeted device:

*   TALOS-2023-1694 (CVE-2023-23550)
*   TALOS-2023-1698 (CVE-2023-22306)
*   TALOS-2023-1699 (CVE-2023-22659)
*   TALOS-2023-1706 (CVE-2023-24519 - CVE-2023-24520)
*   TALOS-2023-1710 (CVE-2023-24582 - CVE-2023-24583)
*   TALOS-2023-1711 (CVE-2023-22365)
*   TALOS-2023-1712 (CVE-2023-22299)
*   TALOS-2023-1713 (CVE-2023-24595)
*   TALOS-2023-1714 (CVE-2023-22653)
*   TALOS-2023-1723 (CVE-2023-25582 - CVE-2023-25583)

There are also several vulnerabilities in the UR32L that could lead to a buffer overflow. An attacker could trigger these vulnerabilities by sending a specially crafted HTTP request or network request to the targeted device, depending on the specific vulnerability.

*   TALOS-2023-1697 (CVE-2023-23902)
*   TALOS-2023-1715 (CVE-2023-24018)
*   TALOS-2023-1716 (CVE-2023-25081 - CVE-2023-25124)
*   TALOS-2023-1718 (CVE-2023-24019)

TALOS-2023-1705 (CVE-2023-23546) is a misconfiguration vulnerability in the Milesight UR32L that could lead to an attacker obtaining increased privileges on the device. The adversary, in this case, would need to carry out a man-in-the-middle attack to exploit this vulnerability.

There is also an access violation vulnerability — TALOS-2023-1696 (CVE-2023-23571) — that could lead to a denial-of-service if the attacker sends the device a specially crafted network request. TALOS-2023-1695 (CVE-2023-23547) can also be exploited with a specially crafted network request, but in this case, can lead to arbitrary file read.

Talos also discovered five vulnerabilities in the MilesightVPN:

*   TALOS-2023-1700 (CVE-2023-22844): Authentication bypass vulnerability
*   TALOS-2023-1701 (CVE-2023-22319): SQL injection vulnerability
*   TALOS-2023-1702 (CVE-2023-23907): Directory traversal vulnerability
*   TALOS-2023-1703 (CVE-2023-22371): Command injection vulnerability
*   TALOS-2023-1704 (CVE-2023-24496 - CVE-2023-24497): Cross-site scripting vulnerability

**Coverage**

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61206 – 61208, 61212, 61255 - 61258, 61266 - 61269, 61395 - 61397. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

A stack-based buffer overflow vulnerability exists in the urvpn_client http_connection_readcb functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the urvpn\_client http\_connection\_readcb functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers a service called Milesight VPN, a VPN service that will connect to the Milesight VPN software. The vulnerability described in this report requires this service to be enabled by the admin, as it is disabled by default. The binary client used for this service is urvpn_client. This binary will connect to the specified Milesight VPN server. The first request is used to “authenticate” the router to the server. Essentially, the router will send information about itself to the server. After the request, the http_connection_readcb function will be executed to read the response of the server. Following the http_connection_readcb function:

    void http_connection_readcb(undefined4 param_1,http_connection *connection)
    
    {
      [... variable declaration ...]
    
      [...]
      associated_request = connection->associated_request;
      input_obj = bufferevent_get_input(param_1);
      evbuffer_search_eol(auStack_f0,input_obj,0,&line_length,1);
      tmp = (char *)evbuffer_get_length(input_obj);
      response_body_len = associated_request->content_size;
      inbody = associated_request->inbody;
      status = associated_request->status;
      iVar4 = line_length;
      log_message("httptransport.c",0x152,"http_connection_readcb",0,
                  "libevent begin : http input receive size %d, req->response_body_len %d, 
                  req->inbody % d, req->status %d line_length %d"
                  ,tmp,response_body_len,inbody,status,line_length);
      if (((int)associated_request->content_size < 1) && (line_length == 0)) {
        log_message("httptransport.c",0x156,"http_connection_readcb",0,"Did not receive enough data",tmp
                    ,response_body_len,inbody,status,iVar4);
        log_message("httptransport.c",0x157,"http_connection_readcb",0,"Did not receive enough data");
        return;
      }
      if (associated_request->content_size == 0xffffffff) {
        log_message("httptransport.c",0x15e,"http_connection_readcb",1,
                    "req->response_body_len == -1, this is a fresh request, handle response header",tmp,
                    response_body_len,inbody,status,iVar4);
        input_line = (char *)evbuffer_readln(input_obj,0,1);                                                [1]
        log_message("httptransport.c",0x165,"http_connection_readcb",0,"line %s",input_line);
        iVar1 = sscanf(input_line,"HTTP/%d.%d %d %s",http_major_version,http_minor_version,
                       &http_status_code,http_status_message);                                              [2]
        if (iVar1 < 1) {
          log_message("httptransport.c",0x169,"http_connection_readcb",3,"Couldn\'t parse HTTP response"
                     );
          probably_free_associated_req(&connection->associated_request,&associated_request);
          free(input_line);
          return;
        }
        free(input_line);
        associated_request->status = http_status_code;
        associated_request->content_size = 0;
      }
      [...]
    }
    

At [1] the first line of the response is fetched, then at [2] is parsed, expecting to be of the HTTP/%d.%d %d %s form. So, the protocol version is parsed, as well as the status code and the status message. For containing the status message, the http_status_message stack buffer is used. Because no check is performed against the line received at [1], and because the http_status_message buffer is only 52 bytes long, this function is vulnerable to a stack-based buffer overflow that can occur at [2].

Because HTTPS is used for the connection to the server, it would seems impossible to man-in-the-middle this communication. Because of TALOS-2023-1705 this is actually possible because the client does not verify the server.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-24019: TALOS-2023-1718 || Cisco Talos Intelligence Group

Multiple buffer overflow vulnerabilities exist in the vtysh_ubus binary of Milesight UR32L v32.3.0.5 due to the use of an unsafe sprintf pattern. A specially crafted HTTP request can lead to a buffer overflow. An attacker can send HTTP requests to trigger these vulnerabilities.This buffer overflow occurs in the set_openvpn_client function with the remote_subnet and the remote_mask variables.

CVE-2023-25124: TALOS-2023-1716 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the libzebra.so.0.0.0 security_decrypt_password functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to a buffer overflow. An authenticated attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the libzebra.so.0.0.0 security\_decrypt\_password functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to a buffer overflow. An authenticated attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The Milesight router offers several functionalities through the /cgi endpoint. The “core” functionality we are considering is called yruo_usermanagement. In this “core” there is one function called “set”. This API is used to change user related settings (for example, changing the password of a specific user). Following the vtysh_ubus’s usermng_set function, responsible for managing the “set” functionality:

        void usermng_set(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,
                        undefined4 *param_5)
    
        {
        [... variable declaration ...]
    
        [... variable initialization ...]
        [...]
        value_obj = (void *)blob_memdup(tb_outer.values);
        data = (void *)blobmsg_data(value_obj);
        values_obj_n = blobmsg_data_len(value_obj);
        blobmsg_parse(usermng_set_value_policy,7,tb_inner,data,values_obj_n);
        [...]
        if (((tb_inner[4] != (blob_attr *)0x0) && (tb_inner[5] != (blob_attr *)0x0)) &&
         (tb_inner[6] != (blob_attr *)0x0)) {
            tmp_encrypted = blobmsg_get_string((char *)tb_inner[4]);                                        [1]
            security_decrypt_password(tmp_encrypted,old_password_decrypted,0x20);
            tmp_encrypted = blobmsg_get_string((char *)tb_inner[5]);                                        [2]
            security_decrypt_password(tmp_encrypted,new_password_decrypted,0x20);
            tmp_encrypted = blobmsg_get_string((char *)tb_inner[6]);                                        [3]
            security_decrypt_password(tmp_encrypted,confirm_password_decypted,0x20);
        }
        [...]
        }
    

The function uses the blobmsg structures for parsing the received data. Each entry in tb_inner represents a specific parameter in the request’s JSON data. Following an example of a JSON input that could be used for this API. Note that this request must be sent by an authenticated user.

    {
        "id": 60,
        "execute": 10,
        "core": "yruo_usermanagement",
        "function": "set",
        "values": [
            {
                "base": "security",
                "index": "index",
                "value": {
                    "old_password": "264ISdU4Pqdnyksk0N1ssQ==",
                    "new_password": "nW+tKhD05KjqWkOYjjz/xg==",
                    "confirm_password": "luDNLgAE+s9LzVRK0ed8/Ujh/E+mduZm5GBcH/UVt/c="
                }
            }
        ]
    }
    

The code at [1] parses the old_password parameter, the code at [2] parses new_password and the code at [3] parses confirm_password. All three parameters are AES-encrypted Base64-encoded. Indeed, the three parameters are passed to the security_decrypt_password function that will Base64 decode and AES decrypt them.

Following the libzebra.so.0.0.0’s security_decrypt_password function:

    void security_decrypt_password(byte *enc_string,char *dec_string,size_t out_len)
    
    {
        [... variable declaration ...]
    
        [... variable initialization ...]
        encoded_len = strlen(encoded_string);
        b64_decoded = base64_decode(encoded_string,encoded_len,&b64_decoded_len);
        decrypt_len = ys_aes_decrypt(b64_decoded,b64_decoded_len,AES_key,AES_IV,decrypted_tmp);             [4]
        decrypted_tmp[decrypt_len] = 0;
        [...]
        strncpy(dec_string,(char *)decrypted_tmp,out_len);                                                  [5]
        [...]
    }
    

The function takes three parameters: - enc_string the encoded input string - dec_string the output buffer, where the result will be written - out_len the len of the dec_string output buffer

This function will call the base64_decode function to Base64 decode the enc_string string. Then the ys_aes_decrypt function is called, at [4], and will decrypt the Base64 decoded string into the decrypted_tmp stack buffer. Eventually the strncpy at [5] is reached and, at most, out_len bytes are copied from decrypted_tmp to the dec_string buffer.

A stack-based buffer overflow exists during the execution of the ys_aes_decrypt function. Indeed, it will decrypt the arbitrarily long enc_string into the decrypted_tmp stack buffer that is fixed in length.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#buffer_overflow