#linux

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is case of file upload bug impacting the "Change Favicon" feature that could allow a threat actor to

This Metasploit module demonstrates a command injection vulnerability in Ray via cpu_profile.

This Metasploit modules demonstrates remote code execution in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication.

DiCal-RED version 4009 provides a network server on TCP port 2101. This service does not seem to process any input, but it regularly sends data to connected clients. This includes operation messages when they are processed by the device. An unauthenticated attacker can therefore gain information about current emergency situations and possibly also emergency vehicle positions or routes.

DiCal-RED version 4009 makes use of unmaintained third party components with their own vulnerabilities.

DiCal-RED version 4009 is vulnerable to unauthorized log access and other files on the device's file system due to improper authentication checks.

DiCal-RED version 4009 has an administrative web interface that is vulnerable to path traversal attacks in several places. The functions to download or display log files can be used to access arbitrary files on the device's file system. The upload function for new license files can be used to write files anywhere on the device's file system - possibly overwriting important system configuration files, binaries or scripts. Replacing files that are executed during system operation results in a full compromise of the whole device.

DiCal-RED version 4009 provides an administrative web interface that requests the administrative system password before it can be used. Instead of submitting the user-supplied password, its MD5 hash is calculated on the client side and submitted. An attacker who knows the hash of the correct password but not the password itself can simply replace the value of the password URL parameter with the correct hash and subsequently gain full access to the administrative web interface.

DiCal-RED version 4009 has a password that is stored in the file /etc/deviceconfig as a plain MD5 hash, i.e. without any salt or computational cost function.

DiCal-RED version 4009 provides an FTP service on TCP port 21. This service allows anonymous access, i.e. logging in as the user "anonymous" with an arbitrary password. Anonymous users get read access to the whole file system of the device, including files that contain sensitive configuration information, such as /etc/deviceconfig. The respective process on the system runs as the system user "ftp". Therefore, a few files with restrictive permissions are not accessible via FTP.