There is a denial of service vulnerability in CV81-WDM FW versions 01.70.49.29.46. Successful exploitation could cause denial of service.

There is a denial of service vulnerability in some Huawei products. Successful exploitation could cause denial of service. (Vulnerability ID: HWPSIRT-2022-27465)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-29798.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220601-01-f75b152f-en

Product Name

Affected Version

Resolved Product and Version

CV81-WDM FW

01.70.49.29.46

01.94.59.32.46

Successful exploitation could cause denial of service.

The severity of the vulnerability in this advisory has been assessed by the Common Vulnerability Scoring System Version 3.0 (CVSS v3 Specification Document).

Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Temporal Score: 7.0 (E:F/RL:O/RC:C)

Overall Score: 7.0  

This vulnerability can be exploited only when the following conditions are present:  
An attacker could send a crafted message to the device.

Vulnerability details:  
There is a denial of service vulnerability in some Huawei products. The device does not handle a specific message correctly in an abnormal scenario, which causes memory unreleased. Successful exploitation could cause denial of service.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

This vulnerability was discovered by Huawei internal tester.  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-29798: huawei-sa-20220601-01-f75b152f-en

Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core Only) AJAX actions

On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.

The plugin developers quickly replied and we sent over the full disclosure on the same day. Fully patched versions of all vulnerable components were made available on May 10, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against these vulnerabilities on April 5, 2022. Sites still running the free version of Wordfence received the same protection 30 days later, on May 4, 2022.

We strongly recommend updating to the latest patched version for your installation as soon as possible, since this will remove the vulnerabilities. If you are using the classic Jupiter theme, you should  update to at least version 6.10.2. If you are using the JupiterX theme, you should update to at least version 2.0.8 of the JupiterX Core plugin, and at least version 2.0.7 of the JupiterX Core theme, which are the latest versions available at the time of this writing.

**Description:** Authenticated Privilege Escalation and Post deletion  
**Affected Software:** Jupiter Theme and JupiterX Core Plugin  
**Slug(s):** jupiter (theme), jupiterx-core(plugin)  
**Developer:** ArtBees  
**Affected Versions:** Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7  
**CVE ID:** CVE-2022-1654  
**CVSS score:** 9.9 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H  
**Researcher(s):** Ramuel Gall  
**Fully Patched Versions:** Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.

**Description:** Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification  
**Affected Software:** JupiterX Theme and JupiterX Core Plugin  
**Slug(s):** jupiterx (theme), jupiterx-core(plugin)  
**Developer:** ArtBees  
**Affected Versions:** JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6  
**CVE ID:** CVE-2022-1656  
**CVSS score:** 6.5 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  
**Researcher(s):** Ramuel Gall  
**Fully Patched Versions:** JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

**Description:** Authenticated Path Traversal and Local File Inclusion  
**Affected Software:** JupiterX Theme and Jupiter Theme  
**Slug(s):** jupiterx (theme), jupiter(theme)  
**Developer:** ArtBees  
**Affected Versions:** JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1  
**CVE ID:** CVE-2022-1657  
**CVSS score:** 8.1 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N  
**Researcher(s):** Ramuel Gall  
**Fully Patched Versions:** JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site.

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

**Description:** Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion  
**Affected Software:** Jupiter Theme  
**Slug(s):** jupiter (theme)  
**Developer:** ArtBees  
**Affected Versions:** Jupiter Theme <= 6.10.1  
**CVE ID:** CVE-2022-1658  
**CVSS score:** 6.5 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  
**Researcher(s):** Ramuel Gall  
**Fully Patched Versions:** Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.

**Description:** Information Disclosure, Modification, and Denial of Service  
**Affected Software:** JupiterX Core Plugin  
**Slug(s):** jupiterx-core (plugin)  
**Developer:** ArtBees  
**Affected Versions:** JupiterX Core Plugin <= 2.0.6  
**CVE ID:** CVE-2022-1659  
**CVSS score:** 6.3 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L  
**Researcher(s):** Ramuel Gall  
**Fully Patched Versions:** JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.

**Timeline**

**April 5, 2022** – The Wordfence Threat Intelligence team finishes our investigation of the Jupiter and JupiterX Themes. We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We contact the theme developer and send over the full disclosure.  
**April 28, 2022** – A partially patched version of the JupiterX theme and JupiterX Core plugin is released.  
**May 3, 2022** – We follow up with the theme developer about additional patches and notify them of an additional vulnerability we found in the Jupiter Theme.  
**May 4, 2022** – Firewall rule becomes available to Wordfence free users.  
**May 10, 2022 –** Fully Patched versions of the Jupiter Theme and JupiterX Core plugin are released. We verify that all vulnerabilities are addressed.

**Conclusion**

In today’s article, we covered a number of vulnerabilities present in the Jupiter and JupiterX themes and the JupiterX Core companion plugin. The most severe vulnerability allows any logged-in user to easily gain administrator privileges.

Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022.

We strongly recommend updating to the latest versions of the impacted themes and plugins available immediately.

Since several versions across several slugs are impacted, we’ll reiterate what you should update:

If you are running the **Jupiter Theme** version **6.10.1** or below, you should immediately update to version **6.10.2** or higher.

If you are running the **JupiterX Theme** version **2.0.6** or below, you should immediately update to version **2.0.7** or higher.

If you are running the **JupiterX Core Plugin** version **2.0.7** or below, you should immediately update it to version **2.0.8** or higher.

If you know anyone using the Jupiter theme or the JupiterX theme, we urge you to forward this advisory to them as the most severe vulnerability allows complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

CVE-2022-1654: Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes

The annual report is always filled with useful security information. Here are several of the most important lessons from this year's edition.

The data in the new Verizon "Data Breach Investigations Report" (DBIR) offers critical insights into the current state of cybersecurity. After a year of data breaches and cyberattacks consistently dominating headlines, this year's report closely examines what adversaries are looking for when they're trying to infiltrate businesses and organizations. This year's DBIR, the 15th edition, confirms what we assumed: Cyber threats are on the rise and we must work together to better our security posture. The findings collected in the report are timely for the trained security researcher, but here are three takeaways I think are the most important.

**Conducting the Symphony of Disruption**

The most common action that adversaries are taking to disrupt their target's IT ecosystem is launching denial-of-service (DoS) attacks that effectively flood a network with traffic or information in the pursuit of crashing it. The 2022 DBIR says that 46% of all incidents were DoS attacks, followed by remote access–led attacks, including backdoor and command-and-control-based attacks. Distracting and disrupting the IT and security teams in this way can help obfuscate and bury the other adversarial activities in their toolkit as they look for their initial access.

Ransomware, phishing, stolen credentials, and several other types of attacks round out the list, but one attack vector stands out from the rest. More than 60% of security incidents over the past year were conducted through a Web application, consistent with data collected by Verizon in past years.

Because Web applications — closely followed by email — are where your organization most frequently connects to the Internet, it makes sense that they'd be the primary vectors for threat actors trying to breach your environment. While a Web application may fall victim to a hacker proficient with SQL or with an exploit handy, email is the domain of virtually every employee at every organization. That's why social engineering played a role in nearly all 5,212 breaches recorded in the 2022 DBIR.

**Is Your Human Secure?**

The 2022 DBIR highlights the importance of maintaining a strong security awareness program, which I believe is a critical element of securing an organization. Just about 82% of all breaches recorded last year involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

Though the DBIR found just 2.9% of employees actually clicked on phishing emails last year, that's more than enough for hackers to work with, especially if they're able to steal credentials or dump their malware of choice following the phish. For me, the important point is that there is a continuing trend for staff to report more phishing attempts – and even more importantly, to report them after they have responded to a phishing email.

Building an organizational culture that allows staff to be comfortable admitting they were duped is a difficult task because security awareness traditionally is a stick used to punish people and a metric to cover the company's compliance checkboxes.

Security leaders need to create a program that goes of their organization and doesn't just shame them for failing. For example, we need to create programs that don't automatically "fail" someone for clicking a link, because that's why links exist! A program that seeks to trick their own colleagues into failing is generally unproductive in the educational process and does almost nothing for the company's security posture.

A good security awareness training program is consistent, targeted, and limited in scope to allow employees to learn and practice one security skill at a time. Avoiding information overload will keep employees engaged and ready for emerging threats.

And lastly, security awareness is not just a corporate project. Strong awareness and education will help staff be more aware of digital risks in their personal lives as well. Well-implemented security awareness programs take advantage of this blurring to encourage their staff to care about security.

**The Ransomware Business Is Booming**

Ransomware, to nobody's surprise, is increasing in frequency by 13% over the prior year, with almost 70% of malware breaches involving some form of it. The dramatic increase in ransomware attacks — as large as the increases of the last five years combined, according to the report — makes sense, as hackers looking to make a quick buck need only encrypt their target's data rather than seek out specific financial information or credentials within their environment.

The report also states that 40% of ransomware incidents last year involved the use of desktop-sharing software. For example, cybercriminals used this tactic when exploiting vulnerabilities in Microsoft RDP, or just weak or stolen user credentials. On the other hand, 35% of ransomware incidents involved the use of email, leading to researchers recommending that organizations lock down their RDP and ensure their emails are scanned for potential phishing attempts. How we are in 2022 and still suffering from attacks over such a well-known attack vector as email is surely one of the biggest questions to come out of this report.

**Final Thoughts**

The DBIR is an excellent resource for the cybersecurity community to evaluate a tumultuous past 12 months, and the data within can be evaluated to predict the trends in attack types, vectors, and the motivations of hackers throughout the next year. In 2021, adversaries made it clear they were more focused on money than anything else, and with vulnerability exploits doubling from the previous year, it's a safe bet to say that once again the fundamentals of cybersecurity – across both IT hygiene and human engagement – will be the key to reducing the risk of damage and loss.

3 Big Takeaways From the Verizon DBIR 2022

The DoS vulnerability allows an attacker to create a Brotli "zip bomb," resulting in acute performance issues on Envoy proxy servers.

Researchers have discovered a denial-of-service (DoS) vulnerability in Envoy Proxy, which gives attackers the opportunity to crash the proxy server.

This could lead to performance degradation or unavailability of resources handled by the proxy, according to JFrog Security Research, which disclosed the vulnerability (CVE-2022-29225).

Envoy is a widely used open source edge and service proxy server designed for cloud-native applications and high-traffic websites. It can decompress both GZip and Brotli data (two compression formats), but it doesn't implement a size limit for the output buffer for the latter, JFrog found. This means that a near-unlimited amount of data could clog the buffer if attacked by a "zip bomb" — i.e., a malicious archive file designed to crash or render useless a program or system.

The vulnerability could thus be exploited by a malicious actor uploading a Brotli zip bomb to the server, resulting in acute performance issues.

"In most cases the machine's memory will not be able to handle such large amounts of data and the Envoy process will eventually crash," the JFrog blog post warned. "In most cases, before the process crashes, there will be severe performance issues due to the processor allocating a lot of resources to the decompression process."

The blog post advised users to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1, which it said would completely fix the issue. However, organizations that can't make the upgrade are advised to prohibit their configuration from allowing Brotli decompression. This can be done by removing the Brotli decompressor in its entirety, or otherwise replacing it with the Gzip decompressor.

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, explains that open source technology is often susceptible to vulnerabilities that can be exploited using older attack vectors — like a zip-bomb for exhausting memory.

“The cloud serves many always-on applications, which often leads to a lack of patching,” McCarthy says. "CVE-2022-29225 highlights the importance of cloud exploitation research, as this attack surface is growing."

He adds that when responsible disclosure occurs, virtual patching becomes an excellent mitigation option for attacks in the cloud.

DoS Vulnerability Allows Easy Envoy Proxy Crashes

By Deeba Ahmed
In total, eight zero-day vulnerabilities have been detected in Carrier’s industrial control systems (ICS) which, if exploited, allow…
This is a post from HackRead.com Read the original post: Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

****In total, eight zero-day vulnerabilities have been detected in Carrier’s industrial control systems (ICS) which, if exploited, allow attackers to take full system control, including “the ability for an attacker to remotely manipulate door locks.”****

Vulnerability researchers at XDR firm Trellix Threat Labs have discovered eight zero-day vulnerabilities in the commonly used industrial control systems provided by HVAC giant Carrier.

Researchers claim that these vulnerabilities impact the access control products using HID Mercury controllers and can allow hackers to unlock doors remotely. The 0-days are tracked as:

1.  CVE-2022-31479
2.  CVE-2022-31480
3.  CVE-2022-31481
4.  CVE-2022-31482
5.  CVE-2022-31483
6.  CVE-2022-31484
7.  CVE-2022-31485
8.  CVE-2022-31486

Image credit: Trellix

For your information, Trellix was launched in 2022 after the merger of FireEye and McAfee Enterprise.

**Details of the Flaws**

Among the eight 0-days, seven have been assigned high severity or critical rating, with most having a CVSS score of 7.5. Reportedly, the 0-days impact the LenelS2 Mercury access control panel that provides access to facilities and integration with complex building automation deployments.

LenelS2 is a subsidiary of Carrier and offers physical security solutions. Trellix researchers noted that all OEM partners using specific hardware controllers are impacted by these flaws. 

> Our research was performed on Carrier’s LenelS2 access control panels, manufactured by HID Mercury and used by organizations across healthcare, education, transportation, and government physical security. Through this work, we found eight zero-day vulnerabilities leading to full system control, including the ability for an attacker to remotely manipulate door locks.
> 
> Trellix – Blog Post

Researchers analyzed the flaws using reverse engineering of software and hardware hacking. Later, they developed a PoC (proof-of-concept) exploit to demonstrate how the attacker can unlock a door and disrupt monitoring systems.

**More Smart and OT Flaw News**

*   Hacker uses Toy to Hack and Open Garage Doors in Seconds
*   Master Key Hack Exploits Flaw in Key System to Unlock Hotel Rooms
*   Using a laser on Alexa & Google Home hackers can unlock your front door
*   Attackers Can Unlock Tesla Cars, Smart Devices by Exploiting Bluetooth Flaws
*   PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

**Potential Dangers**

The flaws could be disruptive because Carrier’s LenelS2 Mercury panels are used by hundreds of organizations across crucial sectors, including health care, education, transportation, and even federal government agencies/organizations. 

According to Trellix’s senior security researcher, Sam Quinn, these systems must not be exposed to the internet. These systems should be used with a firewall instead of directly connecting to the internet.

Furthermore, the flaws can be exploited for command injection, remote code execution, denial-of-service, writing arbitrary files, and information spoofing. Attackers can exploit most of the vulnerabilities without needing authentication. However, they would need a direct connection to the targeted system. 

Carrier has already released patches and a detailed advisory on mitigation methods. Furthermore, the US CISA (Cybersecurity and Infrastructure Security Agency) also published an advisory to warn organizations about the potential risk caused by the flaws.

*   Sensitive Data: Securing Your Most Important Asset
*   Experts Show How Easy It Is To Hack Home, Industrial Robots Remotely
*   Hackers-for-hire using malicious 3Ds Max plugin for industrial espionage
*   Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider
*   Crash Override – The 2nd industrial malware to target Ukraine’s power supply

Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution.  Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2021-37404

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

Hello folks,

I've run into an odd issue with some of the simple web servers we run (they serve some text in index.html). Specifically, it seems like there are connections that get stuck in close\_wait and eat up 100% of CPU resources.  
To note, these are 1 core VMs we run this on.

This issue started when we updated from lighttpd 1.4.55-2 to 1.4.57-1. I am going to provide full context on what was done in case it helps. Initially after this upgrade, I noticed that the service stopped starting up and saw these warnings:  
2021-01-13 20:21:21: (configfile.c.2269) server.upload-dirs doesn't exist: /var/cache/lighttpd/uploads  
2021-01-13 20:21:21: (plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod\_openssl.so /usr/lib/lighttpd/mod\_openssl.so: cannot open shared object file: No such file or directory  
2021-01-13 20:21:21: (server.c.1238) loading plugins finally failed

and:  
2021-01-13 20:21:21: (configfile.c.253) Warning: please add "mod\_openssl" to server.modules list in lighttpd.conf. A future release of lighttpd 1.4.x **will not** automatically load mod\_openssl and lighttpd **will not** use SSL/TLS where your lighttpd.conf contains ssl.\* directives

So I went in and edited /etc/lighttpd/lighttpd.conf and added mod\_openssl and installed the lighttpd-mod-openssl package. That resolved the issue with the service not running.

After this point, the servers ran normally for a while, then we got an alert about CPU usage. Taking a look it seemed like lighttpd was constantly consuming the entire core. Luckily enough, it still seemed to be accepting connections normally (as far we we could tell from access.log and errors.log didn't show anything out of the ordinary).

At this point, looking at lsof, it showed the following (with some stuff deleted of course):  
  
mitd:~$ sudo lsof -p 157648  
COMMAND     PID     USER   FD      TYPE             DEVICE  SIZE/OFF    NODE NAME  
lighttpd 157648 www-data  cwd       DIR              254,1      4096       2 /  
lighttpd 157648 www-data  rtd       DIR              254,1      4096       2 /  
lighttpd 157648 www-data  txt       REG              254,1    375136 1966696 /usr/sbin/lighttpd  
lighttpd 157648 www-data  mem       REG              254,1     23160 1967130 /usr/lib/x86_64-linux-gnu/libnss_cache.so.2.0  
lighttpd 157648 www-data  mem       REG              254,1     51696 1968527 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so  
lighttpd 157648 www-data  mem       REG              254,1     14408 1844237 /usr/lib/lighttpd/mod_staticfile.so  
lighttpd 157648 www-data  mem       REG              254,1     30792 1841268 /usr/lib/lighttpd/mod_dirlisting.so  
lighttpd 157648 www-data  mem       REG              254,1   3076960 1967430 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1  
lighttpd 157648 www-data  mem       REG              254,1    593696 1967535 /usr/lib/x86_64-linux-gnu/libssl.so.1.1  
lighttpd 157648 www-data  mem       REG              254,1     22600 1835392 /usr/lib/lighttpd/mod_accesslog.so  
lighttpd 157648 www-data  mem       REG              254,1     55520 1839916 /usr/lib/lighttpd/mod_openssl.so  
lighttpd 157648 www-data  mem       REG              254,1     14408 1843016 /usr/lib/lighttpd/mod_redirect.so  
lighttpd 157648 www-data  mem       REG              254,1     14408 1835607 /usr/lib/lighttpd/mod_alias.so  
lighttpd 157648 www-data  mem       REG              254,1    149608 1968567 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so  
lighttpd 157648 www-data  mem       REG              254,1   1839792 1967267 /usr/lib/x86_64-linux-gnu/libc-2.31.so  
lighttpd 157648 www-data  mem       REG              254,1     43048 1966278 /usr/lib/x86_64-linux-gnu/libxxhash.so.0.8.0  
lighttpd 157648 www-data  mem       REG              254,1    257528 1966472 /usr/lib/x86_64-linux-gnu/libnettle.so.8.0  
lighttpd 157648 www-data  mem       REG              254,1     18688 1968044 /usr/lib/x86_64-linux-gnu/libdl-2.31.so  
lighttpd 157648 www-data  mem       REG              254,1    464848 1967316 /usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3  
lighttpd 157648 www-data  mem       REG              254,1     14408 1835248 /usr/lib/lighttpd/mod_access.so  
lighttpd 157648 www-data  mem       REG              254,1     14408 1842895 /usr/lib/lighttpd/mod_indexfile.so  
lighttpd 157648 www-data  mem       REG              254,1    177928 1966929 /usr/lib/x86_64-linux-gnu/ld-2.31.so  
lighttpd 157648 www-data    0u      CHR                1,3       0t0    7949 /dev/null  
lighttpd 157648 www-data    1u      CHR                1,3       0t0    7949 /dev/null  
lighttpd 157648 www-data    2u     unix 0xffff98ddb1b31800       0t0 1393254 type=STREAM  
lighttpd 157648 www-data    3w      REG               0,23         7 1393271 /run/lighttpd.pid  
lighttpd 157648 www-data    4u     IPv4            1393272       0t0     TCP *:http (LISTEN)  
lighttpd 157648 www-data    5u     IPv6            1393273       0t0     TCP *:http (LISTEN)  
lighttpd 157648 www-data    6u     IPv4            1393274       0t0     TCP *:https (LISTEN)  
lighttpd 157648 www-data    7u     IPv6            1393275       0t0     TCP *:https (LISTEN)  
lighttpd 157648 www-data    8w      REG              254,1   3423240 3670309 /var/log/lighttpd/error.log  
lighttpd 157648 www-data    9w      REG              254,1 117697465 3670308 /var/log/lighttpd/access.log  
lighttpd 157648 www-data   10u  a_inode               0,13         0    7868 [eventpoll]  
lighttpd 157648 www-data   11u     IPv4            1586902       0t0     TCP #####:https->#####.com:52059 (ESTABLISHED)  
lighttpd 157648 www-data   12u     IPv4            1435873       0t0     TCP ME.com:https->#####.com:41960 (CLOSE_WAIT)  
lighttpd 157648 www-data   13u     IPv4            1586953       0t0     TCP .com:https->:59153 (ESTABLISHED)  
lighttpd 157648 www-data   19u     IPv4            1415541       0t0     TCP ME.com:http->***********.com:43470 (CLOSE_WAIT)  
lighttpd 157648 www-data   20r      REG              254,1        27 3670597 /var/www/html/index.html  

You can see 12u and 19u are both stuck in close\_wait. They stayed in that state for hours. An strace of the lighttpd process showed the similar messages to the following spammed repeated:

epoll\_ctl(10, EPOLL\_CTL\_MOD, 12, {EPOLLERR|EPOLLHUP, {u32=1349789952, u64=94078313441536}}) = 0  
epoll\_ctl(10, EPOLL\_CTL\_MOD, 12, {EPOLLIN|EPOLLERR|EPOLLHUP|EPOLLRDHUP, {u32=1349789952, u64=94078313441536}}) = 0  
getsockopt(21, SOL\_TCP, TCP\_INFO, "\\10\\0\\0\\0\\0\\4x\\0\\200 \\5\\0@\\234\\0\\0\\264\\5\\0\\0\\264\\5\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\374\\231c\\1\\0\\0\\0\\0\\30\\231c\\1\\234\\257b\\1\\334\\5\\0\\0\\350\\301\\0\\0007\\275\\1\\0\\233\\336\\0\\0\\377\\377\\377\\177\\n\\0\\0\\0\\264\\5\\0\\0\\3\\0\\0\\0\\0\\0\\0\\0\\20r\\0\\0\\0\\0\\0\\0", \[104\]) = 0

At this point using the following I was able to kill the 12u and 19u specifically after which CPU usage returned to normal and strace stopped showing the previous messages:  
gdb -p pid  
call (int)close(12)  
call (int)close(19)  
exit

To mitigate this in the short term, I have setup a cron job to check CPU usage and restart the service if CPU usage is above a percentage.  
Any help to get to the bottom of this bug would be appreciated, let me know what other info you may need.

CVE-2022-30780: Bug #3059: Connections stuck in Close_Wait causing 100% cpu usage - Lighttpd

The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-JPEGJS-2859218
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    6 Jun 2022
    
*   **credit**
    
    Sohom Datta
    

**How to fix?**

Upgrade jpeg-js to version 0.4.4 or higher.

**Overview**

Affected versions of this package are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.

**PoC**

1.  Create a npm workspace npm init
2.  Install the jpeg-js library
3.  Create a JS file with the following code: \`\`\`js const jpeg = require('jpeg-js');

let buf = Buffer.from( 'ffd8ffc1f151d800ff51d800ffdaffde', 'hex' ); jpeg.decode( buf );

\`\`\` 4) Run the file and observe that the code never stops running

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25851: Denial of Service (DoS) in jpeg-js | CVE-2022-25851 | Snyk

This affects all versions of package posix.
 When invoking the toString method, it will fallback to 0x0 value, as the value of toString  is not invokable (not a function), and then it will crash with type-check.



Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-POSIX-2400719
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    14 Feb 2022
    
*   **credit**
    
    Snyk Research Team
    

**How to fix?**

There is no fixed version for posix.

**Overview**

posix is a missing POSIX system calls for Node.

Affected versions of this package are vulnerable to Denial of Service (DoS). When invoking the toString method, it will fallback to 0x0 value, as the value of toString is not invokable (not a function), and then it will crash with type-check.

**PoC**

    const posix = require('posix')
    
    try{
            console.log('[!] Trying invokation')
            posix.setegid({toString:1});
            console.log('[!] Made it!')
    }catch(e){
            console.log('[!] Excepted')
            console.error(e)
    }
    
    console.log("but we ok")
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-21211: Denial of Service (DoS) in posix | CVE-2022-21211 | Snyk

As many as eight zero-day vulnerabilities have been disclosed in Carrier's LenelS2 HID Mercury access control system that's used widely in healthcare, education, transportation, and government facilities.
"The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems," Trellix security

As many as eight zero-day vulnerabilities have been disclosed in Carrier's LenelS2 HID Mercury access control system that's used widely in healthcare, education, transportation, and government facilities.

"The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems," Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News.

The issues, in a nutshell, could be weaponized by a malicious actor to gain full system control, including the ability to manipulate door locks. One of the bugs (CVE-2022-31481) includes an unauthenticated remote execution flaw that's rated 10 out of 10 for severity on the CVSS scoring system.

Other shortcomings could lead to command injection (CVE-2022-31479, CVE-2022-31486), denial-of-service (CVE-2022-31480, CVE-2022-31482), user modification (CVE-2022-31484), and information spoofing (CVE-2022-31485) as well as achieve arbitrary file write (CVE-2022-31483).

LenelS2 is employed in environments to grant physical access to privileged facilities and integrate with more complex building automation deployments. The following HID Mercury access panels sold by LenelS2 are impacted -

*   LNL-X2210
*   LNL-X2220
*   LNL-X3300
*   LNL-X4420
*   LNL-4420
*   S2-LP-1501
*   S2-LP-1502
*   S2-LP-2500, and
*   S2-LP-4502

Trellix noted that by chaining two of the aforementioned weaknesses, it was able to gain root-level privileges on the device remotely and unlock and control the doors, effectively subverting the system monitoring protections.

Coinciding with the public disclosure is an industrial control systems (ICS) advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging users to update the access panels to the latest firmware version (CARR-PSA-006-0622).

"Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition," the agency said in an alert.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#dos