SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

CVE-2022-38108: Published | Zero Day Initiative

In PCTechSoft PCSecure V5.0.8.xw, use of Hard-coded Credentials in configuration files leads to admin panel access.

**PCSecure V5.0.8.xw - Use of Hard-coded Credentials in configuration files leads to admin panel access****Summary**

Vendor: PCTechSoft SAS

Product: PCSecure

Affected version(s): 5.0.8.xw

CodeName: PapiQuieroPollo00

**Vulnerability**

Type: Use of Hard-coded Credentials (CWE-798)

CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSSv3.1 Base Score: 7.8 (High)

Exploit available: No

CVE ID: CVE-2022-42176

**Description**

The configuration file (system.bmp) in PCSecure V5.0.8.xw stores the credentials for access to admin panel in plain text, which allows a local user without privileges to login in as administrator and execute commands as windows local admin or reduce security control via reading the file from Chrome or Firefox.

**Proof of Concept****Demo**

**Steps to reproduce**

1.  Read the file system.bmp from Chrome using the following URI: "view-source:file:///C:/Archivos%20de%20programa/ARCHIVOS%20COMUNES/CONFIG/system.bmp"
    
2.  Identify the password for each user. The first line contains all the usernames separed by "\*", the second line contains the password for each username.
    
3.  Launch PCSecure admin panel. Press Ctrl + Mayus + P or Execute "C:\\archivos de programa\\personal\\pcsecure" or launch from windows Start menu.
    
4.  Login as Admin
    
5.  Change security profile and execute any command
    

**Tested on**

Windows 7

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Oreocato aka Miguel Chaparro Pedraza

**References**

Vendor page: https://www.pctechsoft.net

**Timeline**

2019-09-07: Vulnerability discovered.

2019-09-07: Vendor contacted.

2022-09-28: Public Disclosure.

2022-10-20: CVE ID assigned

CVE-2022-42176: CVE-Advisories/PapiQuieroPollo00 at main · soy-oreocato/CVE-Advisories

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.

2022-09-26 10:00 (CEST) VDE-2022-029  

**Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0**  
Share: Email | Twitter  

**

Published

**

2022-09-26 10:00 (CEST)

**

Last update

**

2022-09-26 12:00 (CEST)

**Vendor(s)**

Carlo Gavazzi Controls SpA  

**Product(s)**

Article No°

Product Name

Affected Version(s)

SBP2CPY24

CPY Car Park Server

< 2.8.3

UWP30RSEXXX

UWP 3.0 Monitoring Gateway and Controller

< 8.5.0.3

UWP30RSEXXXEDP

UWP 3.0 Monitoring Gateway and Controller – EDP version

< 8.5.0.3

UWP30RSEXXXSE

UWP 3.0 Monitoring Gateway and Controller – Security Enhanced

< 8.5.0.3

**

Summary

**

The UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server are affected by multiple vulnerabilities in their set-up software, runtime firmware, embedded Web interface.

**

Vulnerabilities

**

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify ..._

**Weakness**

Missing Authentication for Critical Function (CWE-306)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a missing authentication allows for full access via API._

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to ..._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service._

**Summary**

_An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions Web-App which allows an authentication bypass to the context of ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a ..._

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service._

**

Impact

**

An attacker can get full access to the affected devices. See the vulnerability descriptions for details.

**

Solution

**

**General recommendations**

*   Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
*   Use firewalls to protect and separate the control system network from other networks
*   Use VPN (Virtual Private Networks) tunnels if remote access is required
*   Activate and apply user management and password features
*   Use encrypted communication links
*   Limit the access to both set-up and control system by physical means, operating system features, etc.
*   Protect the set-up and control system by using up to date virus detecting solutions

**Remediation**

Please update to software/firmware versions as described below:

**Article Nr.**

**Product Name and Description**

**Fixed in version**

UWP30RSEXXX

UWP 3.0 Monitoring Gateway and Controller

\>= 8.5.0.3  
available from April 27th,2022

UWP30RSEXXXSE

UWP 3.0 Monitoring Gateway and Controller – Security  
Enhanced

UWP30RSEXXXEDP

UWP 3.0 Monitoring Gateway and Controller – EDP version

SBP2CPY24

CPY Car Park Server

\>= 2.8.3  
available from June 28th,2022

**

Reported by

**

Carlo Gavazzi thanks the following parties for their efforts:

*   CERT@VDE for coordination and support with this publication
*   Vera Mens from Claroty Research for reporting to CERT@VDE

CVE-2022-28816: VDE-2022-029 | CERT@VDE

An alleged teen hacker claims to have gained deep access to the company’s systems, but the full picture of the breach is still coming into focus.

On Thursday evening, ride-share giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity that claims to be an individual 18-year-old hacker took responsibility for the attack, bragging to multiple security researchers about the steps they took to breach the company. The attacker reportedly posted, “Hi @here I announce I am a hacker and Uber has suffered a data breach,” in a channel on Uber's Slack on Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off, “uberunderpaisdrives.”

The company temporarily took down access on Thursday evening to Slack and some other internal services, according to _The New York Times_, which first reported the breach. In a midday update on Friday, the company said that “internal software tools that we took down as a precaution yesterday are coming back online.” Invoking time-honored breach-notification language, Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).” Screenshots leaked by the attacker, though, indicate that Uber's systems may have been deeply and thoroughly compromised and that anything the attacker didn't access may have been the result of limited time rather than limited opportunity.

“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.”

The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login. 

Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. MFA-prompt phishes have become more and more popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies deploy it. The recent Twilio breach, for example, illustrated how dire the consequences can be when a company that provides multifactor authentication services is itself compromised. Organizations that require physical authentication keys for logins have had success defending themselves against such remote social engineering attacks.

 The phrase "zero trust" has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access inside the company, they claim they were able to access resources shared on the network that included scripts for Microsoft's automation and management program PowerShell. The attackers said that one of the scripts contained hard-coded credentials for an administrator account of the access management system Thycotic. With control of this account, the attacker claimed, they were able to gain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.

Screenshots leaked by the attacker support the claims of this deep access, including to OneLogin. In an analysis on Friday, researchers from the cybersecurity firm Group IB suggested that the attacker may have first breached Uber earlier this week and only made their presence known on Thursday.

One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as “the golden ticket jackpot.”

“That’s God—they own that there’s nothing they can’t access," the security engineer added. "It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.” 

The situation at Uber comes on the heels of congressional testimony on Wednesday from Twitter’s former security chief Peiter “Mudge” Zatko, who has invoked whistleblower protections as part of accusations alleging deplorable security practices within the social media giant. Zatko's testimony this week got senators fired up about the importance of security within Big Tech. But in the past, even the direst and rattling hacks have led only to incremental progress on the most basic best practices. Zatko's testimony did not seem to impact Twitter's stock price at all on Wednesday. Uber's stock had a small dip Friday morning, but it had partly recovered by the closing bell.

For now, the full scope of the situation inside the ride-sharing giant remains unknown.

"I think there are a lot of opportunities to work on detections and preventions proactively," offensive security engineer Owens says. “This can be difficult to execute in practice, though, when you have lots of other fires to put out, political challenges inside of an organization, et cetera. Maybe I’m slowly becoming jaded since I’ve been around in this space for a while.”

The Uber Hack’s Devastation Is Just Starting to Reveal Itself

Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use of Hard-coded Credentials. Version 1.8.0 and prior have this vulnerability. Executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution.

CVE-2022-3214

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

2022-09-07 12:56 (CEST) VDE-2022-039  

**Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual**  
Share: Email | Twitter  

**

Published

**

2022-09-07 12:56 (CEST)

**

Last update

**

2022-09-07 12:56 (CEST)

**Vendor(s)**

Helmholz GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

myREX24

<= 2.11.2

myREX24.virtual

<= 2.11.2

**

Summary

**

Multiple vulnerabilities have been found in myREX24 and myREX24.virtual. 

**

Vulnerabilities

**

**Weakness**

Improper Restriction of Excessive Authentication Attempts (CWE-307)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the ..._

**Summary**

_An unauthenticated user can enumerate valid users by checking what kind of response the server sends._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in thein the MySQL access check, allowing an attacker to scan for open ..._

**Weakness**

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2. Inproper use of access validation allows a logged in user to see devices ..._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page._

**Weakness**

URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unauthenticated open redirect in the redirect.php._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2_ 

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports._

**Weakness**

Direct Request ('Forced Browsing') (CWE-425)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing._

**Weakness**

Use of Incorrectly-Resolved Name or Reference (CWE-706)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion._

**Weakness**

Incorrect Resource Transfer Between Spheres (CWE-669)

**Summary**

_An authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the ..._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of ..._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about ..._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**

Impact

**

please see cve id entries

**

Solution

**

****CVE-2020-35557, CVE-2020-35570, CVE-2020-35558,  
CVE-2020-35566, CVE-2020-12527, **CVE-2020-35568**:**** Update to version 2.12.1

**CVE-2020-12528,** **CVE-2020-12529,** **CVE-2020-35560,  
CVE-2020-12530, CVE-2020-35563,** **CVE-2020-35564,  
CVE-2020-35569,** **CVE-2020-35559,**  Update to version >= 2.7.1

**CVE-2020-10384**: Update to version 2.6.2 to close any known way to get to www-data.  
Note: This issue only exists up until version 2.6.1 and has already been addressed in >= 2.6.2

**CVE-2020-35567**: None  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

**CVE-2020-35565**: None  
Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update. To further increase the security level of your account enable MFA.

**CVE-2020-35561**: Update to version 2.12.1

**

Reported by

**

OTORIO reported the vulnerabilities to MB connect line.

MB connect line reported the vulnerabilities to Helmholz.

CERT@VDE coordinated.

CVE-2022-22520: VDE-2022-039 | CERT@VDE

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in verisons of DIAEnergie, an industrial energy management system.

Delta Industrial Automation DIAEnergie

Use of hard-coded credentials for the telnet server of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote unauthenticated attacker to execute an arbitrary OS command.

**CentreCOM AR260S V2 �ɂ����镡���̐Ǝ㐫�ɂ���**

�A���C�h�e���V�X�������  
���J 2022.08.29  

���Ў�舵�����i�̂����A�ȉ��̐��i���Ǝ㐫�ɊY���v���܂��B

1) �Ǝ㐫�̊T�v

    �EGUI�ݒ��ʂɂ�����OS�R�}���h�C���W�F�N�V�����̖�� (CWE-78)
    �ETelnet�ڑ��p�̔F�؏�񂪃n�\[�h�R�\[�h����Ă����� (CWE-798)
    �ETelnet�@�\\������s�ł���h�L�������g�ɋL�ڂ���Ă��Ȃ��B���R�}���h�����݂�����
      (CWE-912)
    �ETelnet�@�\\�ɂ�����OS�R�}���h�C���W�F�N�V�����̖�� (CWE-78)


2) �Ώې��i

    CentreCOM AR260S V2 �� Ver.3.3.7 ���O�̃t�@�\[���E�F�A�o�\[�W����


3) �e��

    ���u�̑�O�҂ɂ���āA�C�ӂ�OS�R�}���h�����s�����\\��������܂��B


4) �΍�

    CentreCOM AR260S V2 �� Ver.3.3.7�ȍ~�Ƀo�\[�W�����A�b�v���ĉ������B
    �A�b�v�f�\[�g��͂��ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h��ύX���Ă��������B


5) �����

    �ȉ��̉��������{���邱�ƂŁA�{�Ǝ㐫�̉e�����y�����邱�Ƃ��\\�ł��B

    �E���ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h���f�t�H���g����ύX����
      ��O�҂Ƀ��O�C������Ȃ��悤�A���ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h��ύX����
      ���������B

    �ETelnet��L���ɂ��Ȃ�
      ���Y���i�ł�Telnet�@�\\�̗L��/�����̐ݒ肪�\\�ł����A���T�|�\[�g�̂��߃f�t�H���g��
      �����ɂȂ��Ă��܂��BTelnet�̓����e�i���X��p�̋@�\\�ł���A��ʂ̂��q�l�͂����p��
      �Ȃ�܂���̂ŁA�L�������Ȃ��ł��������B

    �E�t�@�C�A�E�H�\[���@�\\���g�p����
      ���Y���i�ɂ̓t�@�C�A�E�H�\[���@�\\����������Ă���A�f�t�H���g�ŗL���ɂȂ��Ă��܂��B
      �O������̈Ӑ}���Ȃ��A�N�Z�X��h�����߁A�t�@�C�A�E�H�\[���@�\\���g�p���Ă��������B


�ȏ�

CVE-2022-38394: �T�|�[�g�b�Z�L�����e�B�E�Ǝ㐫�ɂ���

This advisory contains mitigations for Improper Access Control, Uncontrolled Resource Consumption, Use of Hard-Coded Credentials, Active Debug Code vulnerabilities in Contec Health CMS8000, a ICU CCU Vital Signs Patient Monitor.

Tag

#hard_coded_credentials