A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

2022-09-07 12:56 (CEST) VDE-2022-039  

**Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual**  
Share: Email | Twitter  

**

Published

**

2022-09-07 12:56 (CEST)

**

Last update

**

2022-09-07 12:56 (CEST)

**Vendor(s)**

Helmholz GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

myREX24

<= 2.11.2

myREX24.virtual

<= 2.11.2

**

Summary

**

Multiple vulnerabilities have been found in myREX24 and myREX24.virtual. 

**

Vulnerabilities

**

**Weakness**

Improper Restriction of Excessive Authentication Attempts (CWE-307)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the ..._

**Summary**

_An unauthenticated user can enumerate valid users by checking what kind of response the server sends._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in thein the MySQL access check, allowing an attacker to scan for open ..._

**Weakness**

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2. Inproper use of access validation allows a logged in user to see devices ..._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page._

**Weakness**

URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unauthenticated open redirect in the redirect.php._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2_ 

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports._

**Weakness**

Direct Request ('Forced Browsing') (CWE-425)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing._

**Weakness**

Use of Incorrectly-Resolved Name or Reference (CWE-706)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion._

**Weakness**

Incorrect Resource Transfer Between Spheres (CWE-669)

**Summary**

_An authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the ..._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of ..._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about ..._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**

Impact

**

please see cve id entries

**

Solution

**

****CVE-2020-35557, CVE-2020-35570, CVE-2020-35558,  
CVE-2020-35566, CVE-2020-12527, **CVE-2020-35568**:**** Update to version 2.12.1

**CVE-2020-12528,** **CVE-2020-12529,** **CVE-2020-35560,  
CVE-2020-12530, CVE-2020-35563,** **CVE-2020-35564,  
CVE-2020-35569,** **CVE-2020-35559,**  Update to version >= 2.7.1

**CVE-2020-10384**: Update to version 2.6.2 to close any known way to get to www-data.  
Note: This issue only exists up until version 2.6.1 and has already been addressed in >= 2.6.2

**CVE-2020-35567**: None  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

**CVE-2020-35565**: None  
Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update. To further increase the security level of your account enable MFA.

**CVE-2020-35561**: Update to version 2.12.1

**

Reported by

**

OTORIO reported the vulnerabilities to MB connect line.

MB connect line reported the vulnerabilities to Helmholz.

CERT@VDE coordinated.

CVE-2022-22520: VDE-2022-039 | CERT@VDE

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in verisons of DIAEnergie, an industrial energy management system.

Delta Industrial Automation DIAEnergie

Use of hard-coded credentials for the telnet server of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote unauthenticated attacker to execute an arbitrary OS command.

**CentreCOM AR260S V2 �ɂ����镡���̐Ǝ㐫�ɂ���**

�A���C�h�e���V�X�������  
���J 2022.08.29  

���Ў�舵�����i�̂����A�ȉ��̐��i���Ǝ㐫�ɊY���v���܂��B

1) �Ǝ㐫�̊T�v

    �EGUI�ݒ��ʂɂ�����OS�R�}���h�C���W�F�N�V�����̖�� (CWE-78)
    �ETelnet�ڑ��p�̔F�؏�񂪃n�\[�h�R�\[�h����Ă����� (CWE-798)
    �ETelnet�@�\\������s�ł���h�L�������g�ɋL�ڂ���Ă��Ȃ��B���R�}���h�����݂�����
      (CWE-912)
    �ETelnet�@�\\�ɂ�����OS�R�}���h�C���W�F�N�V�����̖�� (CWE-78)


2) �Ώې��i

    CentreCOM AR260S V2 �� Ver.3.3.7 ���O�̃t�@�\[���E�F�A�o�\[�W����


3) �e��

    ���u�̑�O�҂ɂ���āA�C�ӂ�OS�R�}���h�����s�����\\��������܂��B


4) �΍�

    CentreCOM AR260S V2 �� Ver.3.3.7�ȍ~�Ƀo�\[�W�����A�b�v���ĉ������B
    �A�b�v�f�\[�g��͂��ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h��ύX���Ă��������B


5) �����

    �ȉ��̉��������{���邱�ƂŁA�{�Ǝ㐫�̉e�����y�����邱�Ƃ��\\�ł��B

    �E���ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h���f�t�H���g����ύX����
      ��O�҂Ƀ��O�C������Ȃ��悤�A���ׂẴ��\[�U�\[�A�J�E���g�̃p�X���\[�h��ύX����
      ���������B

    �ETelnet��L���ɂ��Ȃ�
      ���Y���i�ł�Telnet�@�\\�̗L��/�����̐ݒ肪�\\�ł����A���T�|�\[�g�̂��߃f�t�H���g��
      �����ɂȂ��Ă��܂��BTelnet�̓����e�i���X��p�̋@�\\�ł���A��ʂ̂��q�l�͂����p��
      �Ȃ�܂���̂ŁA�L�������Ȃ��ł��������B

    �E�t�@�C�A�E�H�\[���@�\\���g�p����
      ���Y���i�ɂ̓t�@�C�A�E�H�\[���@�\\����������Ă���A�f�t�H���g�ŗL���ɂȂ��Ă��܂��B
      �O������̈Ӑ}���Ȃ��A�N�Z�X��h�����߁A�t�@�C�A�E�H�\[���@�\\���g�p���Ă��������B


�ȏ�

CVE-2022-38394: �T�|�[�g�b�Z�L�����e�B�E�Ǝ㐫�ɂ���

This advisory contains mitigations for Improper Access Control, Uncontrolled Resource Consumption, Use of Hard-Coded Credentials, Active Debug Code vulnerabilities in Contec Health CMS8000, a ICU CCU Vital Signs Patient Monitor.

Contec Health CMS8000

Researchers found that mobile applications contain keys that could provide access to both user information and private files from unconnected apps.

As with any piece of software, mobile apps can create an array of security issues and exposures, from rogue programs that are intentionally malicious to apps that contain an obscure but significant flaw. Now, new research is shedding light on systemic oversights in mobile app cloud infrastructure that are all too common and create the risk that users' data could leak where it shouldn't or be compromised.

Researchers from Broadcom's Symantec Threat Hunter team published findings on Thursday about the prevalence of hard-coded authentication credentials lurking in the cloud services that underlie hundreds of mainstream apps. These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company's website or run text through a translation service at a user's request. But in practice, the researchers found, these same credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components. And when multiple apps have been created by the same third-party development firm or incorporate the same publicly available software development kits (SDKs), these static authentication tokens may even grant access to the infrastructure and user data of multiple, unconnected apps.

All of this means that if an attacker discovered these access tokens, they could potentially unlock massive and disparate troves of sensitive data all by finding one key under one doormat.

“The cloud is still kind of a new frontier. And sometimes when you hear about the practices being used, you realize that a lot of organizations may not be where they are with security on other fronts,” says Symantec's Dick O’Brien. “It’s hard to say whether it’s people cutting corners or whether it’s just an ignorance of what you’re exposing by putting those credentials out there, but it’s certainly obvious that data isn’t being ring-fenced anywhere near the way it should be."

The researchers found 1,859 publicly available apps on both Android and iOS that contained hard-coded Amazon Web Services credentials. The vast majority were iOS apps, a discrepancy Symantec says it has tracked for years but hasn't fully explained. The credentials present in more than three-quarters of the apps granted access to private cloud services, and nearly half of those additionally gave access to private files. Fifty-three percent of the apps contained access tokens that were also found in other, often totally unrelated, apps.

“Initially it was very surprising, but this is a systemic thing,” O’Brien says. “People need to do a complete audit of what they’re using and realize that there are multiple layers there. The practice of implementing hard coded access keys is not great. Temporary credentials that expire after a short period of time are probably the way to go, and also there needs to be greater awareness that you need to silo information.” 

Symantec says it has notified the developers of the apps where it sees the most pressing issues and hopes to raise awareness about how insecure development practices and shared resources can create exposures without careful consideration and segmentation. 

In one case, the researchers realized that several mainstream iOS banking apps were all using the same third-party AI digital identity software development kit that exposed cloud credentials of the shared service. While none of the banking apps themselves created the SDK, the credentials exposed its server structure and infrastructure blueprints, source code, and the AI models underlying the identity service. And more than 300,000 biometric fingerprint files from users of five of the mobile banking apps were leaking and potentially exposed.

In another case, the researchers noticed what it calls a large hospitality and entertainment company working with a technology company on sports betting apps. In total, hard-coded credentials gave infrastructure access to 16 online gambling apps, exposing their cloud services and even granting root access to take control of this backend platform. 

Symantec's O’Brien emphasizes that while the company isn't naming the impacted apps, it hopes the findings will raise awareness about these common pitfalls and their potentially outsize impact on users. “The things we found—it illustrates the significance of what we’re dealing with here,” he says.

Careless Errors in Hundreds of Apps Could Expose Troves of Data

Hardcoded JWT Secret in AgileConfig <1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access.

**Use of Hard-coded Credentials in AgileConfig.Client**

Critical severity GitHub Reviewed Published Aug 19, 2022 • Updated Aug 30, 2022

GHSA-mj5w-w588-j6xg: Use of Hard-coded Credentials in AgileConfig.Client

An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans: - Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. - Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch - All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems - Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

**23\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 08/02/2022

**Risk Rating** High for Gateways.

**Description** Gateway APIs contain functions that are inappropriately authenticated and would allow an authenticated VPN user to inject arbitrary commands.

**Impact** A successful attack would allow an authenticated VPN user to execute arbitrary comments against Aviatrix gateways.

**Affected Products** Aviatrix Gateways

**Solution** Upgrade your Aviatrix Controller and gateway software to:

*   6.6.5712 or later
*   6.7.1376 or later

**Acknowledgement** Aviatrix would like to thank Thomas Wallin from Splunk for the responsible disclosure of this issue.

**22\. Remote Code Execution¶**

**Date** 05/27/2022

**Risk Rating** AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

**Description** Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism that would allow arbitrary remote code execution. This vulnerability is not known to be exploited.

**Impact** An unauthenticated attacker to run arbitrary commands against Aviatrix gateways.

**Affected Products** Aviatrix Controller and Gateways.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3057
*   6.5.3233
*   6.6.5612
*   6.7.1185

**21\. Post-Auth Remote Code Execution¶**

**Date** 04/11/2022

**Risk Rating** High

**Description** TLDAP APIs contain functions that are inappropriately sanitized, and would allow an authenticated malicious user to inject arbitrary commands.

**Impact** A local user to the controller UI could execute arbitrary code.

**Affected Products** Aviatrix Controller.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3049
*   6.5.3166
*   6.6.5545

**20\. Aviatrix Controller and Gateways - Privilege Escalation¶**

**Date** 02/03/2022

**Risk Rating** Medium

**Description** The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities can cause a local privilege escalation giving unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems and no vulnerability known to us today would allow such attack.

**Impact** A local user to our appliances can escalate his privileges to root.

**Affected Products** Aviatrix Controller and Gateways.

**Solution**

*   Upgrade Copilot to Release 1.6.3.
*   Apply security patch \[AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches\] to controllers.

**19\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 01/11/2022

**Risk Rating** High for Gateways, medium for Controller.

**Description** On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway’s VPC) access to its API.

**Impact** Access to configuration information and disruption of service.

**Affected Products** Aviatrix Controller, Gateways and Copilot.

**Solution** Upgrade your controller and gateway software to:

*   6.4.2995 or later.
*   6.5.2898 or later.

**18\. Aviatrix Controller - Remote file execution¶**

**Date** 10/04/2021

**Risk Rating** Critical

**Description** The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

**Impact** Remote file execution

**Affected Product** Aviatrix Controller prior to the fixed versions.

**Solution** The vulnerability has been fixed in:

> *   UserConnect-6.2-1804.2043 or later
> *   UserConnect-6.3-1804.2490 or later
> *   UserConnect-6.4-1804.2838 or later
> *   UserConnect-6.5-1804.1922 or later

**CVE-ID** CVE-2021-40870

**Acknowledgement** Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.

**17\. OpenVPN - Abitrary File Write¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** The VPN service write logs to a location that is writable

**Impact** Unauthorized file permission

**Affected Product** Aviatrix OpenVPN R2.8.2 or earlier

**Solution** Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**16\. Bypass htaccess security control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to a cert directory can be bypassed to download files.

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**15\. Insecure File Permissions¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** Several world writable files and directories were found

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**14\. Bypass Htaccess Security Control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to directories can be bypassed for file downloading.

**Impact** Unauthorized file download

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26549

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**13\. Insecure sudo rule¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** A user account has permission to execute all commands access as any user on the system.

**Impact** Excessive permission

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26548

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**12\. Cleartext Ecryption Key Storage¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Encrypted key values are stored in cleartext in a readable file

**Impact** Access to read key in encrypted format

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later Migration required to the latest AMI Software Version 050120 (Aug 13, 2020)

**CVE-ID** CVE-2020-26551

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**11\. Pre-Auth Account Takeover¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session and allows for updates of account email addresses.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26552

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**10\. Post-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**9\. Pre-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**8\. Insufficiently Protected Credentials¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An encrypted file containing credentials to unrelated systems is protected by a weak key.

**Impact** Encryption key may not meet the latest security standard

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later

**CVE-ID** CVE-2020-26550

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**7\. Observable Response Discrepancy from API¶**

**Date** 5/19/2020

**Risk Rating** Medium

**Description** The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability.

**Impact** A valid username could be used for brute force attack.

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13413

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**6\. OpenVPN Client - Elevation of Privilege¶**

**Date** 5/19/2020

**Risk Rating** High

**Description** The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete.

**Impact** This would impact dangerous OpenSSL parameters code execution that are not authorized. Impacts macOS, Linux and Windows clients.

**Affected Product** Client VPN 2.8.2 or earlier Controller & Gateway 5.2 or earlier

**Solution** Client VPN upgrade to 2.10.7 Controller & Gateway upgrade to 5.3 or later In Controller, customer must configure OpenVPN minimum client version to 2.10.7

**CVE-ID** CVE-2020-13417

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**5\. Cross Site Request Forgery (CSRF)¶**

**Date** 5/12/2020

**Risk Rating** Critical

**Description** An API call on Aviatrix Controller web interface was found missing session token check to control access.

**Impact** Application may be vulnerable to Cross Site Request Forgery (CSRF)

**Affected Product** Aviatrix Controller with software release 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13412

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**4\. Hard Coded Credentials¶**

**Date** 1/16/2020

**Risk Rating** Low

**Description** The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance.

**Impact** This would impact operation and maintenance complexity.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later Recommended: AWS Security Group settings grants only authorized Controller Access in your environment

**CVE-ID** CVE-2020-13414

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**3\. CSRF on Password Reset¶**

**Date** 1/16/2020

**Risk Rating** Medium

**Description** Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability.

**Impact** Vulnerability could lead to the unintended reset of a user’s password.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Upgrade 5.4.1066 (must be on version is 5.0 or above) Make sure your AWS Security Group settings limit authorized Controller Access only

**CVE-ID** CVE-2020-13416

**2\. XML Signature Wrapping in SAML¶**

**Date** 2/26/2020

**Risk Rating** High

**Description** An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).

**Impact** Aviatrix customer using SAML

**Affected Product** Aviatrix Controller 5.1 or lower

**Solution** Aviatrix Controller 5.2 or later Plus Security Patch “SAML XML signature wrapping vulnerability”

**CVE-ID** CVE-2020-13415

**Acknowledgement** Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure.

**1\. OpenVPN Client Arbitrary File Write¶**

**Date** 1/16/2020

**Risk Rating** High

**Description** Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.

**Impact** OpenVPN client on Linux, MacOS, and Windows

**Affected Product** OpenVPN Client 2.5.7

**Solution** Upgrade to VPN client v2.6 or later

**CVE-ID** CVE-2020-7224

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

CVE-2022-38368: PSIRT Advisories — aviatrix_docs documentation

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in versions of SICAM TOOLBOX II, a control and monitoring system.

Siemens SICAM TOOLBOX II

OMICARD EDM has a hard-coded machine key. An unauthenticated remote attacker can use the machine key to send serialized payload to the server to execute arbitrary code, manipulate system data and disrupt service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202206011TVN-202206011

CVE ID

CVE-2022-32965

CVSS

9.8 (Critical)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

沛盛資訊 OMICARD EDM v5.8~v6.0

問題描述

OMICARD EDM使用Hard-code的Machine Key，遠端攻擊者不須權限，可以利用ViewState進行反序列化攻擊，執行任意程式碼。

解決方法

聯繫沛盛資訊進行版本更新

漏洞通報者

Xin-Yue, Song (CHT Security)

公開日期

2022-08-04

CVE-2022-32965: 沛盛資訊 OMICARD EDM行銷發送系統 - Use of Hard-coded Credentials

This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.

July 8th, 2022

**(0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability****ZDI-22-959  
ZDI-CAN-17139**

CVE ID

CVE-2022-35866

CVSS SCORE

9.8, (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Vinchin  

AFFECTED PRODUCTS

Backup and Recovery  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system.  

ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline.

04/29/22 – ZDI attempted to contact the vendor PSIRT and obtain secure keys via the contact information on their website as well as using the chat support feature.  
05/17/22 – ZDI made another attempt to contact the vendor with no response back.  
05/25/22 – ZDI made one final attempt to contact the vendor’s key leadership.  
06/30/22 –  ZDI confirmed that this vulnerability is still exploitable and has not been patched.  
07/01/22 –  ZDI notified the vendor of the intention to publish the case as 0-day advisory on 07/8/22  

\-- Mitigation:  
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

  

DISCLOSURE TIMELINE

*   2022-07-08 - Vulnerability reported to vendor
*   2022-07-08 - Coordinated public release of advisory
*   2022-07-14 - Advisory Updated

CREDIT

Esjay  

BACK TO ADVISORIES

Tag

#hard_coded_credentials