Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

*   **Cybersecurity**
*   About us
*   Trust center
*   Bulletins and patches
*   Vulnerability disclosures
*   Helpful resources

*   BD Pyxis™ Products - Default Credentials

This notification provides product security information and recommendations related to the use of default credentials in specific BD Pyxis™ products. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (HISAC).

**Products in Scope**

The product list below identifies existing BD Pyxis™ products that may use default credentials.

*   BD Pyxis™ Anesthesia Station ES
*   BD Pyxis™ CIISafe
*   BD Pyxis™ Logistics
*   BD Pyxis™ MedBank
*   BD Pyxis™ MedStation™ 4000
*   BD Pyxis™ MedStation™ ES
*   BD Pyxis™ MedStation™ ES Server
*   BD Pyxis™ ParAssist

*   BD Pyxis™ Rapid Rx
*   BD Pyxis™ StockStation
*   BD Pyxis™ SupplyCenter
*   BD Pyxis™ SupplyRoller
*   BD Pyxis™ SupplyStation™
*   BD Pyxis™ SupplyStation™ EC
*   BD Pyxis™ SupplyStation™ RF auxiliary
*   BD Rowa™ Pouch Packaging Systems

**Vulnerability Details**

**CVE-2022-22767 -** Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate a facility’s network, and gain access to individual devices and/or servers.

The default credentials are primarily managed by BD support personnel. In cases where customers have domain-joined servers, BD support personnel will work with customer representatives to jointly manage credentials.

The use of default credentials in BD Pyxis™ devices is documented in BD Product Security White Papers, which customers can request from the BD Cybersecurity Trust Center. BD Product Security White Papers detail how security and privacy practices have been applied and provide information to help customers safeguard product security throughout each product's life cycle.

**Vulnerability Score**

*   CVSS: 8.8 (High) CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rationale: Adjacent access is required to exploit this vulnerability, meaning the attack needs to be initiated from the same shared physical or logical network. The attack complexity is low and is based on access to default credentials still in use. The scope is considered unchanged as this vulnerability is specific to only the impacted application. The vulnerability has a high impact on confidentiality, integrity and availability as specific default credentials potentially allow threat actors to gain privileged access to specific devices.

**Mitigations and Compensating Controls**

BD is currently strengthening our credential management capabilities in BD Pyxis™ products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates.

BD is currently piloting a credential management solution that is initially targeted for specific BD Pyxis™ product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediations.

Additionally, BD recommends the following compensating controls for customers using BD Pyxis™ products that utilize default credentials:

*   Limit physical access to only authorized personnel.
*   Tightly control management of system passwords provided to authorized users.
*   Monitor and log network traffic attempting to reach the affected products for suspicious activity.
*   Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
*   Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

**Additional Resources**

For product- or site-specific concerns, contact your BD service representative.

**Company**

*   Contact us
*   BD code of conduct
*   Careers
*   Inclusion and diversity
*   Sustainability
*   Suppliers
*   News
*   Investors
*   Video gallery
*   External funding program

**Support**

*   Technical support
*   Product security and privacy
*   Live chat
*   Order status
*   Customer portals
*   Alerts and notices
*   Electronic instructions for use
*   COVID-19

CVE-2022-22767: BD Pyxis<sup>™</sup> Products - Default Credentials

LinkPlay Sound Bar v1.0 allows attackers to escalate privileges via a hardcoded password for the SSL certificate.

From: Lifeng Zhao <lifeng.zhao@linkplay.com> Sent: Sunday, December 12, 2021 5:03 PM To: Hidden Subject: Re: Security Vulnerability \*\*\* The Answer \*\*\* Hi Ohana, Thank you very much for your detailed report on the security vulnerability. It's super helpful and important to us. We'll take the immediate action to fix this. Thank you again for your great support. Best, Lifeng From: Hidden Date: 2021-12-12 21:24 To: security@linkplay.com Subject: Security Vulnerability \*\*\* The vulnerability \*\*\* Bug Type: Hard-coded secret key Impact: RCE, Supply chain attack Platforms: IOS + Android applications Our lab team has reviewed your product from a security perspective and noticed a few security issues that you should be aware of (technical details provided below). It is important to note that CyberArk Labs follow the security industry standard disclosure policy. We allow 90 days for the issues to be fixed/patched/mitigated. CyberArk Labs reserves the right to publicly disclose all information about the issues after this timeframe. We would be happy to share any additional information and to cooperate with you in mitigating the issue in a timely fashion. Summary: We can access an admin user in the Artifactory JFrog system, through which you can manage all the code of the applications and change it. As a result, we can change the application code across multiple tenants, ending with full RCE over every app. It is important to note, however, that both Android and IOS applications suffer from these vulnerabilities In details: We found the API key for admin and the password of the SSL client certificate have been hardcoded and stored on the application SoundBar (com.wifiaudio.Yamaha). To exploit this, you can add the API key to each request sent to the server. 1.Within the SoundBar application, we found the password of certificate\_new\_encrypted.p12 SSL certificate file. Using this certificate, we can communicate with the Soundbar device on port 443. Besides that, we found that the file is encoded with the XOR operator with the number 2. Therefore, it is simple to overcome the encoding. As a result, we can communicate with HTTPS requests with the device. 2. Also, we found that the application sends logs to the URL https://log.linkplay.com:8081/artifactory/Android/logs with the header "X-JFrog-Art-Api, and the API key AKCp5bB…. We discovered this API key is the key of the admin user in the system. This is a major security concern because every malicious user can access the JFrog artifactory with full admin access. In other words, a malicious user can corrupt the repository and cause clients to download malicious applications. 3.Moreover, we noticed that the JFROG version (6.2.0) is not up-to-date. The latest version is (7.10.2). Thus, it is vulnerable to the following CVEs: 1. CVE-2020-7931 2. From the frog website Lastly, we found the vulnerability (the admin API key) in many applications. Below are some links to several apps: ·https://play.google.com/store/apps/details?id=com.medion.speaker ·https://play.google.com/store/apps/details?id=com.wifiaudio.Yamaha ·https://play.google.com/store/apps/details?id=com.wifiaudio.triangle ·https://play.google.com/store/apps/details?id=com.wifiaudio.cavalier ·https://play.google.com/store/apps/details?id=com.wifiaudio.jam ·https://play.google.com/store/apps/details?id=com.wifiaudio.FABRIQ ·https://play.google.com/store/apps/details?id=com.zoundindustries.marshallvoice ·https://play.google.com/store/apps/details?id=com.dpiinc.ISBWV418B ·https://play.google.com/store/apps/details?id=com.ihome.ama ·https://play.google.com/store/apps/details?id=com.wifiaudio.iHome ·https://play.google.com/store/apps/details?id=com.wifiaudio.Creative

CVE-2022-28605: hardcoded on LinkPlay app

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.

This post discloses two vulnerabilities in Flower, a popular open-source web application deployed along with Celery (a task queue for Python):

*   Lack of CSRF or SSRF protections in Flower, allowing remote API invocations on internally-hosted instances
*   An OAuth authentication bypass allowing anyone to login and access all Flower functionality

These issues are tracked under CVE-2022-30034.

I created a PR which fixes the OAuth bypass and disables the API unless authentication is configured. The maintainer did not respond to attempts at contact so it is unclear if this will be merged: https://github.com/mher/flower/pull/1216.

The vulnerabilities themselves are moderately interesting, but a more interesting question to ask is “what could an attacker _do_ with Flower?”:

*   Invoke arbitrary tasks registered with Celery (basically, RPC; but the tasks would be highly dependent on application context)
*   Apache Airflow is probably the most popular software which uses Celery, and registers a Celery task in a default configuration. Through Flower, an attacker could invoke airflow tasks run with arbitrary parameters, which could (dependent on configuration or other vulnerabilities) be used to achieve RCE

**Background**

Flower is a web app which allows monitoring and managing Celery, which is a task queue for Python.

*   Flower has more than 5000 stars on Github and is included in the default deployments of other extremely popular software such as Apache Airflow.
*   Flower is (or was) included but not enabled by default in some managed Airflow deployments such as Google Cloud Composer.
*   Shodan shows more than 2000 publicly-exposed instances, although most instances appear to require authentication with basic authentication, and thus would not be vulnerable.
*   There are likely many more instances which are only accessible on internal/corporate networks.

**Lack of CSRF and SSRF Protections**

Flower lacks CSRF protection, meaning that if a user with access to a Flower instance visits a malicious website, that site could run JavaScript which calls Flower’s APIs. This would primarily be used to exploit other vulnerabilities, such as through the arbitrary task invocation issue. The lack of CSRF protections apply to all web routes, APIs, and the api/task/events websocket endpoint. In particular, websocket connections can be used to solidly confirm the presence of the vulnerable listener on internal networks and also leak some minor information.

Lack of authentication by default also means that SSRF attacks would be straightforward on any instance not configured for authentication.

Flower also has a strange (i.e. broken) CORS policy, but it doesn’t appear to lead to any additional impact. _Note:_ a recent PR opened the CORS headers up with a wildcard, which would increase the exploitability of CSRF.

Overall, I think the likelihood of CSRF exploitation through Flower is relatively low, so my PR didn’t attempt to add CSRF protections, because doing so would likely require breaking all existing Flower API clients (e.g. requiring a custom HTTP header). Rather, the PR disables the API if authentication is disabled.

**OAuth Bypass Vulnerability**

Flower supports OAuth login via Google, Github, Okta, and Gitlab. When configuring OAuth according to the documentation, Flower requires the user to provide a regular expression which is checked against the user email that Flower receives after the user logs in:

    flower --auth_provider=flower.views.auth.GitLabLoginHandler --auth=.*@example.com
    

The above command line is intended to configure Flower to use Gitlab OAuth and only allow users whose emails are registered with example.com. However, the regular expression check _lacks regex anchors_, thus allowing anyone to authenticate as long as they can sign up to the OAuth identity provider with a user-controlled email.

Example scenarios:

*   For .*@example.com, a valid user might be alice@example.com, but attacker@example.com.attacker.com can also login.
*   Specifying me@gmail.com would only be intended to allow one user to login, but me@gmail.com.attacker.com also works.
*   Because the regular expression is provided on the command line, the period may not be correctly escaped. For a literal period provided in a shell command, a double backslash is generally needed to get a literal backslash in the argument. The documentation examples use either zero or one backslashes. As a result, .*@corp.example.com or .*@corp\.example\.com could be bypassed with attacker@corpZexample.com even if anchors were applied.

**Reproduction**

I demonstrated the vulnerability in a local deployment of Flower with the following configuration:

1.  Create a public Gitlab user user1@tannerprynn.com (the intended user of the application)
    *   Configure an application under this user to login to Flower
2.  Create a second public Gitlab user user1@tannerprynn.com.pry.nz
3.  Flower configuration:
    *   Command-line options --auth_provider=flower.views.auth.GitLabLoginHandler --auth=.*@tannerprynn.com
    *   Environment variables FLOWER_OAUTH2_KEY, FLOWER_OAUTH2_SECRET, FLOWER_OAUTH2_REDIRECT_URI

**Recommendations for Flower**

1.  Disable the API unless authentication is configured for Flower
2.  Implement CSRF protections (primarily relevant to the API); the most straightforward would be to require a custom non-CORS-exempt header for all API requests
3.  Fixing the OAuth bypass will likely require either a breaking change for users, or using custom logic to match the user-provided string without interpreting a single period as a wildcard character

**Post-Exploitation**

With the ability to send requests to Flower, an attacker would primarily use its APIs - in particular, POST /api/task/apply/{taskname} which allows invoking any Celery task. Assuming the attacker is not operating through blind CSRF, they can use GET /api/task/types and other APIs to list which tasks can be called and the parameters, and attempt to exploit those specific tasks. Given the expectation that these calls would only come from internal, trusted systems, it is likely that any custom-developed tasks have vulnerabilities or cause some dangerous actions. However, those vulns would be highly application/context-specific.

I was interested in one specific deployment of Flower, which is with Airflow, a very popular open-source app. Flower is deployed without authentication in the default Airflow configuration (when deployed with the recommended docker-compose configuration and Helm chart). Airflow registers a single task airflow.executors.celery_executor.execute_command which allows invoking an Airflow task via the equivalent of a command-line invocation of airflow tasks run.

    POST /api/task/apply/airflow.executors.celery_executor.execute_command HTTP/1.1
    Host: flower:5555
    Content-Type: text/plain
    Content-Length: 84
    
    {"args":[["airflow", "tasks", "run", "example_bash_operator", "runme_1", "1234"]]}
    

Initially, I was relatively confident that this would lead directly to RCE, but it doesn’t appear straightforward:

*   Although the arguments appear to specify a command-line invocation, they don’t actually pass through a shell at any point. Celery passes these arguments through a message queue (e.g. Redis) and they invoke the execute_command Python method after being picked up by an Airflow worker, which then parses the arguments using its own command-line parser.
*   The first three arguments ("airflow", "tasks", "run") are validated and cannot be changed to invoke other airflow CLI commands.
*   The last argument is execution_date_or_run_id which is used unsafely in Airflow’s example_bash_operator, but this argument appears to be validated.

That’s not to say that this is safe. An attacker can still specify arbitrary arguments after airflow tasks run, which would include parameters such as --cfg-path and --subdir. If combined with the ability to write a file somewhere on the filesystem, either of these configuration options allows picking up and running arbitrary python code. Without that ability, the impact would be limited to calling the DAGs/tasks that are already set up on the system.

**Recommendations for Airflow**

1.  If possible, strip all parameters from the arguments provided to this invocation path so that an attacker does not have the ability to change the configuration in a way which might allow unexpected code execution
2.  Although run_id seems to be validated, preventing injection in example_bash_operator, that doesn’t seem to be a documented expectation in general, so you should handle it safely in your example code
3.  If Flower isn’t a necessary component of Airflow, consider removing it from the default docker-compose/Helm setup
4.  Alternatively, set up docker-compose and Helm to use basic auth with randomly-generated passwords for Flower (even a weak static password would actually help limit CSRF/SSRF attacks)

From discussions with the Airflow maintainer, Flower is seen as a development-only tool that should not be used in any production deployment. However, given that Flower itself does not appear to be actively maintained, the Airflow maintainer decided that they would disable Flower by default in their docker-compose and Helm chart (starting in version 2.3.1).

**Disclosure Timeline**

*   05 April 2022: Initial contacts to Apache Security team
*   06 April 2022: Partial disclosure to Airflow maintainer of impact and recommendations for Airflow
*   06 April 2022: Initial attempt to contact the Flower maintainer (mher)
*   06-21 April 2022: Follow up emails to the Airflow maintainer
*   12-25 April 2022: Discussion with Airflow maintainer
*   23-26 April 2022: Attempts to reach a maintainer for Flower via the associated Celery project’s team members, but no team member was able to give me a working contact
*   26 April 2022: Opened an issue on the public Flower repo asking for a security contact
*   03 May 2022: Followed up on the public issue to state that disclosure would occur in 14 days (17 May) due to lack of response
*   16 May 2022: Airflow maintainer requested a short delay to allow a new release of Airflow which disables Flower by default
*   25 May 2022: Airflow updated to 2.3.1
*   26 May 2022: Public disclosure

CVE-2022-30034: Multiple Vulnerabilities in Flower and Downstream Attacks on Airflow

** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in WinAPRS 2.9.0. A buffer overflow in DIGI address processing for VHF KISS packets allows a remote attacker to cause a denial of service (daemon crash) via a malicious AX.25 packet over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Hackers have been breaching computer system defenses for more than half a century, and the networks they use to exploit those weaknesses have been around for far longer than that. With the internet replacing most wirelines and wavelengths, and with the rise of cybercrime sophistication from petty thieves to organized nation-states, the threat landscape has exploded over the last 20 years. Yet one of the oldest network protocols – amateur or “ham” radio – is still used to this day in emergency communications during times of war and disaster, and to this day can still be used in binary exploitation.

Ham radio evokes an image of old guys turning knobs on vintage, tube radios and talking to other hobbyists about their configurations. Nowadays, radios are getting much more complicated, and with the built-in ability to perform digital communications, the possibilities are almost limitless. You can hook them up to computers to do anything from text messaging and email to sharing images and tracking weather balloons. There’s still something magical about connecting to a device or contacting someone across the planet without being hooked up to the internet or a phone line.

I recently passed the Offensive Security Exploit Developer (OSED) exam and wanted to apply what I’d learned to real-world security problems. I’m always looking for ways to improve my threat modeling, attack simulation, and penetration testing skills, and thought that ham radio would be a fun environment to explore. Amateur radio equipment and frequency spectrums are accessible all over the world and are instructive for a blog series that shows how the vulnerabilities of older technologies can be leveraged with today’s hacking fundamentals. With ham radio as our testing and proving ground, we’ll look at reverse engineering, the creation of custom exploits, and developing skills to bypass security mitigations. We’ll also take a look at writing handmade Windows shellcode and adopting older techniques to more modern versions of Windows.

**Packet Radio**

I've been messing around with packet radio and various digital modes on and off for years and have wondered if any vulnerabilities exist that could allow an attacker to obtain remote code execution through the airwaves. I always thought it was a fun idea to be able to hack a computer that isn't even hooked up to the internet. Many ham programs are written by enthusiasts and are quite old, so it seemed likely that there would be exploitable vulnerabilities. In my research I decided to focus mainly on vulnerabilities that could lead to remote code or command execution, though if I found other vulnerabilities, I didn't ignore them. I also decided to start by focusing on Windows software, since the OSED exam focused on Windows user-mode exploitation and it's where I have the most experience. I started this project with a specific goal in mind: get a remote shell over ham radio.

As a hacker, I am most interested in the various digital modes that ham radio has to offer. There are many, and for my research I decided to focus on software that uses the AX.25 protocol.

"Packet radio" generally refers to a very specific digital mode of operation that uses the AX.25 protocol. AX.25 is a data-link layer protocol (layer 2 of the OSI model). In this mode, data is split into packets and transmitted over the air. AX.25 has support for different packet types and includes modes that are similar to Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) on Ethernet. In some cases, the protocol can do some error correcting, like TCP. Another mode will just send packets out into the air without waiting for any kind of acknowledgement, like UDP. Windows does not have any built-in way to handle AX.25 traffic, so end-user software would have to do this on its own or it must be abstracted away. The Linux kernel has built-in support for AX.25, so you can potentially set up AX.25 network interfaces that have callsigns for addresses instead of IP addresses.

AX.25 is commonly used today for Automatic Packet Reporting System (APRS), Winlink email over ham radio, Bulletin Board Systems (BBS) operations, and more. It seems it is more generally used for a ham to make a contact with a computer, as opposed to making live contacts with other hams. More information about the AX.25 protocol can be found here: http://www.ax25.net/AX25.2.2-Jul%2098-2.pdf

**Automatic Packet Reporting System (APRS)**

The most common use of AX.25 is with the Automatic Packet Reporting System (APRS). Therefore, I decided to focus first on APRS software for this research project. APRS allows hams to transmit telemetry data such as GPS coordinates, weather data, small generic messages, and more. An APRS station can send out a broadcast message, or it can send a message addressed to another specific station. Since the range on the 2m band isn’t that great, APRS stations can “digipeat” the packets out again. This means that if one station receives a packet, it will retransmit it to send it further away. There are also “IGate” systems which are bridged to the internet via the APRS Internet Service (APRS-IS) backbone (http://www.aprs-is.net). This adds extra usability to the APRS system and means you can transmit data globally using the internet if desired. In fact, you can view APRS traffic anywhere in the world at https://aprs.fi and you don’t even need a license to check it out.

How do APRS stations find each other? How does one station find an IGate to bridge to the internet? You can transmit APRS on basically any amateur frequency for which you are licensed, but around the globe each region generally has an allotted frequency where this traffic is used. In the US, that frequency is 144.390 MHz. Just about anywhere in the country you can tune a radio to this frequency and hear data being transmitted at least every minute or so.

APRS is a protocol that runs on top of AX.25, like how HTTP runs on top of TCP. APRS packets make use of the AX.25 unnumbered information (UI) frames. Since I was going to be reverse engineering APRS software, it made sense to examine APRS data frames to understand their structure. AX.25 UI frames look like this:

  
**Image from** **http://www.aprs.org/doc/APRS101.PDF**

In an AX.25 UI frame, all addresses will be ham radio callsigns with an optional SSID appended to them. If your callsign was K7HAX, your address could be something like K7HAX-14. The digipeater addresses field can contain up to eight digipeater addresses to specify the path the packet should take. A digipeater is a radio station that listens for packets and then retransmits those packets to extend the range. The information field contains user-specified data. APRS makes heavy use of this field and it’s likely to be the most interesting field to play with.

The APRS specification allows for various data types, formats, and encodings. Most of this information is stored in the information field of the AX.25 packet. A generic APRS information field structure looks like this:

  
**Image from** **http://www.aprs.org/doc/APRS101.PDF**

The data type specifies what kind of APRS data follows. Options include GPS position, direction finding, weather information, messages, and more. Here’s a real APRS message I pulled from https://aprs.fi:

:Are you working tonight?

The colon denotes that the APRS data contains a message. The rest of the data is just the plaintext message. In this case the APRS data extension and comment fields are unused. Here’s another example:

\=3319.44S/06012.46W# 144.930MHz. SNDigi

The equal sign denotes that the data contains position data without a timestamp. Immediately following that is the actual position data. Between the two coordinates is a forward slash and immediately following the data is a hash symbol. Combined, these symbols would make “/#”. This data tells the receiving station what type of station sent the message and what symbol or icon to use to display the station on a map.

APRS has two tables full of different symbols (car, truck, bicycle, balloon, etc.). The forward slash specifies which table to use. The hash tells which symbol to use in that table. After the hash symbol is some additional message data which appears to list the transmitting frequency and probably the software or device used to transmit (SNDigi). There’s so much more to APRS than just this but it gives a rough idea of how the packets look and what we can expect APRS software to be doing when decoding messages. More information about the APRS protocol can be found here: http://www.aprs.org/doc/APRS101.PDF

Since APRS is probably the most common packet protocol in use today, and there is no shortage of APRS software to choose from, I decided to start my research here. I focused on Windows-based APRS software that was written in C or C++ so I could continue honing my IDA and WinDbg reversing skills.

**Hardware for Packet Radio**

There is a huge number of combinations of hardware to get on the air with packet, but in general you’ll need three main components: a transceiver, a terminal node controller (TNC), and a computer. You use the computer to interact with the various packet radio software you want to use. The transceiver sends and receives the communications over the radio. The TNC is basically a packet radio modem that sits between the two, converting the data into sound. It works similarly to a dial-up modem, but for radio instead of telephone lines. A TNC is typically a little box that’s hooked up to the computer and the radio. A TNC will often have a built-in microcomputer with its own operating system so you can open a terminal and send and receive messages right from the TNC. My TNC has a built-in mailbox where other hams can leave messages. It can decode APRS messages with its own software and display them in a human-readable format via serial console. Here’s a photo of the hardware I’m using for my receiving station:

****

**Keep It Simple, Stupid! (KISS)**

Each TNC make and model has its own set of commands you must use to send packets, and they may display packets differently to the user. The computer software must therefore understand how to interface with each make and model, which is cumbersome. To remedy this, most TNCs support a mode called KISS (Keep It Simple, Stupid). This mode disables all the “smart” features of the TNC and turns it into a dumb modem. The TNC will simply demodulate the signals from the radio and transmit the raw data back to your PC and vice versa. To simplify things, I’ll be placing my TNC into KISS mode for testing and using it wherever possible.

The important bit to know about the KISS protocol is that the TNC will add a 0xC0 control character to the beginning and end of each packet, and it will expect those characters to be there for any outgoing transmissions. There are also a few other special control characters the TNC will watch for, which is important to be aware of when writing shellcode later. These characters would be considered “bad characters” when writing shellcode and must be avoided. A full description of the KISS protocol can be found here: http://www.ax25.net/kiss.aspx

**Choosing an APRS Program**

The aprs-is.net website has a list of some known APRS client software.

Looking over the list, I figured an older client would be the most likely to contain exploitable memory corruption vulnerabilities. Looking at the various options, I found that the WinAPRS download page said it hadn't been updated since January 14, 2013. I figured that was a good sign that the software was likely not maintained and would therefore contain vulnerabilities. I downloaded the latest version (2.9.0) and got to work.

**Next Steps**

The next post in this series will discuss the reverse engineering process using WinDbg. We’ll dive into the nitty gritty technical details of an exploitable memory corruption vulnerability in WinAPRS including how it was found and why it’s exploitable.

CVE-2022-24700: Hacking Ham Radio: WinAPRS – Part 1

An analysis of leaked chats from the notorious Conti ransomware group earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices.
"Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals,"

An analysis of leaked chats from the notorious Conti ransomware group earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices.

"Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals," firmware and hardware security firm Eclypsium said in a report shared with The Hacker News.

"Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system."

Specifically, this includes attacks aimed at embedded microcontrollers such as the Intel Management Engine (ME), a privileged component that's part of the company's processor chipsets and which can completely bypass the operating system.

The conversations among the Conti members, which leaked after the group pledged its support to Russia in the latter's invasion of Ukraine, have shed light on the syndicate's attempts to mine for vulnerabilities related to ME firmware and BIOS write protection.

This entailed finding undocumented commands and vulnerabilities in the ME interface, achieving code execution in the ME to access and rewrite the SPI flash memory, and dropping System Management Mode (SMM)-level implants, which could be leveraged to even modify the kernel.

The research ultimately manifested in the form of a proof-of-concept (PoC) code in June 2021 that can gain SMM code execution by gaining control over the ME after obtaining initial access to the host by means of traditional vectors like phishing, malware, or a supply chain compromise, the leaked chats show.

"By shifting focus to Intel ME as well as targeting devices in which the BIOS is write protected, attackers could easily find far more available target devices," the researchers said.

That's not all. Control over the firmware could also be exploited to gain long-term persistence, evade security solutions, and cause irreparable system damage, enabling the threat actor to mount destructive attacks as witnessed during the Russo-Ukrainian war.

"The Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools," the researchers said.

"The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks

Technique skirts web security controls

A security researcher has discovered a neat, albeit partially developed, technique to bypass CSP (Content Security Policy) controls using WordPress.

The hack, discovered by security researcher Paulos Yibelo, relies on abusing same origin method execution.

This technique uses JSON padding to call a function. That’s the sort of thing that might allow the compromise of a WordPress account but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t have as yet.

Catch up with the latest WordPress related security news

Yibelo told The Daily Swig that they have not gone as far as attempting the trick on live sites, restricting exploits to a test research site they themselves owned.

“I haven’t really attempted to because it requires a logged in WordPress user or admin to visit my website, so I install the plugin and have a HTML injection – which is illegal to do,” Yibelo explained, adding they hadn’t attempted to exploit the bug in the wild on bug bounty sites either.

The researcher added that they reported it to WordPress three months ago via HackerOne. After failing to get a reply, Yibelo went public with the findings through a technical blog post.

**Endpoint endgame**

Attacks are potentially possible in two scenarios: 1) websites that don’t use WordPress directly but have an endpoint of WordPress on the same-domain or subdomain, and 2) a website hosted on WordPress with a CSP header.

The potential impact is severe, as Yibelo’s blog post explains:

If an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full blown XSS that can be escalated to perform \[remote code execution\] RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.

The Daily Swig invited WordPress’s core development team to comment on the research. No word back, as yet, but we’ll update this story as and when we hear more.

Yibelo concluded: “I hope Wordpress fixes it so CSP stays relevant on sites that host a WordPress endpoint.”

Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks.

YOU MAY ALSO LIKE WordPress theme Jupiter patches critical security hole

Researcher goes public with WordPress CSP bypass hack

SAN DIEGO, May 31, 2022 /PRNewswire/ -- ESET, a global leader in cybersecurity, has announced a new suite of products for the Telecommunications and Internet Service Provider (Telco and ISP) industry, with the aim of offering extensive protection to consumers. Cybercrime is a borderless problem and ESET telemetry shows that the volume of cyberattacks is increasing, with a trend toward attacks against smartphones. ESET's newly launched NetProtect suite ensures that service providers and their end users have the tools they need to combat these advanced and evolving mobile threats.

**About the new ESET NetProtect products  
**The new offering includes ESET NetProtect for Mobile and ESET NetProtect for Mobile Advanced, which offer security via mobile networks, and ESET NetProtect for Home Advanced, which helps secure fixed network connections. These solutions protect customer devices connected to Telco and ISP networks (fixed or mobile) against malicious web domains or domain categories such as malware, phishing and potentially unwanted content. With ESET NetProtect Advanced (fixed or mobile), parents also have full control of their children's filters through Web Content Filter. The management portal for end users allows them to manage the ESET NetProtect settings of their connected devices, manage their domain whitelists and blacklists, and generate security reports, giving users an insight into how ESET protects their devices as well as summary information about detected threats, blocked webpages and more.

Thanks to easy integration into Telco and ISP network services and existing activation processes, network-level solutions do not require any software installation on end user devices, and are compatible with both Android and iOS. The solutions are provided as a one-click service activation from the users' trusted internet provider and automatically provide protection to any connected device. Security tailored to customers' needs is ensured by offering robust local customer and partner support coverage along with comprehensive protection that is a step ahead of online threats via ESET's first access to a unique set of malware detected and pooled at a worldwide network of research and development centers.

"We are thrilled to launch this new suite of advanced cybersecurity products designed for service providers and their customers, which represents a critical threat vector for bad actors," said Brent McCarty, President of ESET North America. "At ESET, we always develop products with our customers in mind, and with our ESET NetProtect offering we have created an easy-to-use and elegant solution not only for the industry leaders in the Telco and ISP sector, but for the consumers who are the actual end users of our products."

For more than 30 years, ESET has invested heavily in multiple layers of proprietary technology that prevent breaches of its customers' endpoints and systems, by both known and never-before-seen threats. These products are informed by world-class threat analysis and expertise from the company's global research team. With a presence in over 200 countries worldwide and 13 research and development centers around the world, ESET offers its over 400,000 business customers peace of mind that their interests are protected at all times. ESET also helps protect the Google Play store and is trusted by millions of consumers around the world. To read more about the new offering for Telcos and ISPs or to contact the ESET team for more information, please click here.

**About ESET  
**For more than 30 years, ESET® has been providing enterprises across the globe with industry-leading IT security software and services, including endpoint detection and response, encryption and authentication, and comprehensive security services packages. With high-performing, easy-to-use solutions that cater to businesses of all sizes, ESET protects customers from increasingly sophisticated digital threats in an ever-evolving landscape. ESET delivers to the enterprise market the people, expertise, and cutting-edge technology required to keep businesses safe and running without interruption. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.

SOURCE ESET

ESET Launches NetProtect Suite of Advanced Cybersecurity Offerings for Telcos and ISPs

Industry veterans roll out end-to-end incident response services and innovative tech-enabled platform, following successful incubation.

PHILADELPHIA, May 31, 2022 /PRNewswire/ -- Surefire Cyber today launched as a new incident response company to help cyber insurers, brokers, law firms, and the organizations they support to better manage cyber events such as ransomware, email compromise, and other cybercrimes. The company also announced $10 million in Series A funding, led by Forgepoint Capital.

Industry veterans roll out end-to-end incident response services and innovative tech-enabled platform, following success

"Surefire Cyber's goal is to work with our clients and partners to swiftly manage a cyber incident and then bring forward capabilities to help them become more cyber resilient. Our delivery of end-to-end digital forensics and incident response capabilities is built on a tech-enabled framework and delivered through a platform that aligns and connects an organization's executives, technical team, insurance carrier, and legal counsel." said Billy Gouveia, the CEO and Founder of Surefire Cyber.

Mark Greisiger, President and Founder of NetDiligence®, comments that "Surefire Cyber is committed to being great partners to carriers, brokers, Breach Coaches®, and the clients they work together to support. We are pleased to welcome them as new contributors to the cyber insurance ecosystem who offer deep experience and a valuable perspective."

Given two long-term trends, the rising cost of cyber incidents and the growing adoption of cyber insurance, industry veterans created Surefire Cyber as a purpose-built response firm that leverages a proven team and a tech-enabled platform to improve transparency, accelerate decision making, reduce business interruption, and guide organizations from recovery through to long term resilience.

Surefire Cyber is backed by Forgepoint Capital, the world's most active early-stage venture capital firm focused on cybersecurity. Prior to launching Surefire Cyber, Gouveia joined Forgepoint as an Entrepreneur-in-Residence to incubate and develop the company's strategy, model, technology, and team while establishing valuable partnerships with companies across the firm's portfolio.

"Our support from Forgepoint Capital enabled us to bring aboard a highly-experienced team of skilled responders, to develop a tech-enabled solution for collaboration with clients and partners during a response, and to leverage the leading cyber venture firm's unmatched capabilities of over 30 portfolio companies so that our clients can better protect their data and defend their organizations," continued Gouveia.

"Surefire Cyber has brought together leading responders with hands-on experience in preparing for all aspects of a cyber incident, expertise to collaboratively guide clients and partners through high-stakes response events, and skill in helping organizations emerge stronger," said Don Dixon, Managing Director of Forgepoint Capital. "What Billy and team are building is truly unprecedented and serves a critical gap in the market."

To learn more, please visit www.surefirecyber.com.

**About Surefire Cyber**

Surefire Cyber delivers swift, strong response to cyber incidents such as ransomware, email compromise, malware, data theft, and other threats with end-to-end response capabilities. Surefire Cyber was founded to provide clients confidence by helping them prepare, respond, and recover from cyber incidents--and to fortify their cyber resilience after an incident. To learn more, please visit: www.surefirecyber.com or follow us on LinkedIn.

Breach Coach is a registered trademark of NetDiligence®.

**About Forgepoint Capital**

Forgepoint Capital is the most active cybersecurity venture capital firm in the world, with 36 active portfolio companies and the largest and most diverse team dedicated to investing in the sector. The firm brings over 100 years of proven company-building experience and its Advisory Council of more than 75 senior executives across industries to support entrepreneurs advancing innovation as they protect the digital future. Founded in 2015, Forgepoint has raised $770 million, deployed over $500 million, and empowered industry leaders such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv, Huntress, IronNet Cybersecurity (NYSE: IRNT), Noname Security, NowSecure, ReversingLabs, Uptycs and more to reach their market potential. Learn more about Forgepoint at https://forgepointcap.com or follow us on LinkedIn.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Surefire Cyber Launches to Help Cyber Insurance Ecosystem from Response to Resilience, with $10 Million in Funding by Forgepoint Capital

New web targets for the discerning hacker

New web targets for the discerning hacker

The US Department of Justice (DoJ) has said it won’t prosecute security researchers acting “in good faith”, as part of changes to the Computer Fraud and Abuse Act (CFAA). While the DoJ says this was always the case in practice, the changes provide more certainty for researchers, pen testers, and bug bounty hunters.

Meanwhile, the UK government remains half-hearted about bug bounty programs, with Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), saying there are no plans for a broad rollout any time soon. Speaking at the CyberUK conference, he commented: “The reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”

LinkedIn, meanwhile, has launched a public bug bounty program with rewards of up to $18,000 that replaces its invite-only program. Hosted by HackerOne, LinkedIn invites hackers to probe its main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API and Android and iOS mobile apps.

Blockchain bridge Wormhole has handed over a record $10 million reward to a bug hunter with the online pseudonym ‘satya0x’. Had it been exploited successfully, the critical vulnerability that attracted the reward could have seen all the funds residing in in the Wormhole core bridge contract on Ethereum lost forever.

In other payout news, Youssef Sammouda netted $44,625 for discovering a series of bugs that could have allowed a malicious actor to take over Facebook accounts. They included a cross-site request forgery (CSRF) bug allowing an attacker to force a victim to log out from their Facebook account in their browser, and a flaw forcing a login to the attacker’s Facebook account inside the victim’s browser.

Pwn2Own Vancouver, the flagship hacking contest, took place last month, handing out more than $1 million for bugs in products from Microsoft, Mozilla, Apple, and others. Participants unearthed 27 qualifying vulnerabilities in total, with a team from Star Labs in Singapore being crowned this year’s Masters of Pwn.

And finally, Vidoc Security Lab has published a security advisory warning of more than 60 instances of a web security flaw in the Swagger-UI library, potentially leading to account takeover. Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were alerted, among others.

**The latest bug bounty programs for June 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aztec Network**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$1 million

Outline:  
A privacy-first recursive, zero-knowledge rollup built on Ethereum that purports to being the “only zkRollup built from the ground up to be privacy-preserving”.

Notes:  
Bounties on offer potentially range up to $1 million, with $25,000 for high severity issues, and $5,000 for medium severity bugs.

Check out the Aztec Network bug bounty page at Immunefi for more details

**Balancer**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$2.4 million

Outline:  
“Community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.”

Notes:  
Payouts in Ethereum could reach $2.4 million, while high severity vulnerabilities can command rewards of up to $600,000.

Check out the Balancer bug bounty page at Immunefi for more details

**Chain**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$5 million

Outline:  
Eye-watering payouts in the millions on offer by Chain, which builds “cryptographic ledgers that underpin breakthrough financial products and services”.

Notes:  
Payouts are issued in USDC, XCN, USDT and ETH, with the ratio at Chain’s discretion.

Check out the Chain bug bounty page at Immunefi for more details

**Cudos Network**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$4,500

Outline:  
A decentralised platform that runs over multiple p2p nodes and enables developers to build complex smart contract functionality.

Notes:  
Top-tier rewards given for cryptographic exploits allowing for the manipulation of BFT consensus, while certain DDoS exploits qualify as tier two.

Check out the Cudos Network bug bounty page at Bugcrowd for more details

**Doctolib**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€20,000

Outline:  
Doctolib develops appointment booking software used by more than 300,000 healthcare personnel and 60 million patients across Europe.

Notes:  
High severity issues command rewards of up to €4,000 and critical bugs will net hackers up to €20,000, with two web domains and iOS and Android apps in play.

Check out the Doctolib bug bounty page at YesWeHack for more details

**Gojek**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Gojek is an Indonesian, on-demand, multi-service platform and digital payment technology group.

Notes:  
Maximum bounty of $5,000 on offer for tier-one assets, and $2,000 for tier-two assets.

Check out the Gojek bug bounty page at HackerOne for more details

**LinkedIn**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$15,000

Outline:  
LinkedIn has launched a public bug bounty program to replace the invite-only program running since 2014, as previously reported by The Daily Swig.

Notes:  
Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000.

Read our previous coverage to find out more

**Razorpay**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Razorpay claims to be the only payments solution in India that allows businesses to accept, process, and disburse payments.

Notes:  
Critical flaws will command bounties of between $1,000 and $3,000, with four in-scope targets comprising the dashboard, API, checkout, and invoice domains.

Check out the Razorpay bug bounty page at HackerOne for more details

**Quebec Ministry of Cybersecurity and Digital**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
C$1,500

Outline:  
Le ministère de la Cybersécurité et du Numérique has launched its program, with details written in French, on Paris-base bug bounty platform YesWeHack.

Notes:  
The ministry has 12 web assets in scope and is offering a maximum payout of C$1,500.

Check out Le ministère de la Cybersécurité et du Numérique bug bounty page at YesWeHack for more details

**Wealthsimple**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$20,000

Outline:  
The Canadian investment management service has financial tools for stock trading, ETFs, managed investing, and crypto.

Notes:  
Critical bugs can attract $20,000 rewards, while high and medium severity vulnerabilities could net bug hunters $5,000 or $1,000 respectively.

Check out the Wealthsimple bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Another nine new programs in a bumper May for Immunefi included programs from the Bancor Protocol (max reward $900,000) plus Orca and Wombat Exchange (both with a maximum payout of $500,000)
*   Cloudflare and security researchers from Assetnote have documented the discovery and remediation of vulnerabilities in Cloudflare Pages
*   YesWeHack is launching an ethical hacking virtual reality game and holding a live bug bounty challenge at the upcoming International Cybersecurity Forum in June
*   The US Cyber Games, a NICE-NIST collaboration, enters its second season in July, starting with Capture the Flag (CTF) competitions and culminating in the top cybersecurity athletes representing the US internationally
*   Some 401 security flaws were remediated during the 12-month pilot of the US Defense Industrial Base\-Vulnerability Disclosure Program (DIB-VDP), which concluded in April

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for May 2022

Bug Bounty Radar // The latest bug bounty programs for June 2022

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

Tag

#ios