Miele Benchmark Programming Tool versions 1.1.49 and 1.2.71 suffer from a privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220427-0 >  
=======================================================================  
               title: Privilege Escalation  
             product: Miele Benchmark Programming Tool  
  vulnerable version: at least 1.1.49 and 1.2.71  
       fixed version: 1.2.72  
          CVE number: CVE-2022-22521  
              impact: Medium  
            homepage: https://www.miele.com/  
               found: 2022-01-24  
                  by: J. Kruchem (Office Vienna)  
                      W. Schober (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"There are many good reasons for choosing Miele. Since the company's founding in  
1899, Miele has remained true to its "Immer Besser" brand promise. This means  
that we will do all that we can to be "Immer Besser" (forever better) than our  
competitors and "Immer Besser" (forever better) than we already are. For our  
customers, this means the peace of mind of knowing that choosing Miele is a  
good decision – and probably the decision of a lifetime."

Source: https://www.mieleusa.com/c/about-us-9.htm

Business recommendation:  
------------------------  
The vendor provides a patched version which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised,  
as the software may be affected from further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Privilege Escalation (CVE-2022-22521)  
The path where the Miele Benchmark Programming Tool is installed is writable  
for any user on the Windows operation system. This allows replacing the Uninstall  
binary and thus an attacker gaining local admin privileges if uninstalled.

Proof of concept:  
-----------------  
1) Privilege Escalation (CVE-2022-22521)  
The Uninstall string can be found in the following registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{<UUID of Miele Benchmark Programming>}

The UninstallString field has the following value:

UninstallString  
"C:\MIELE_SERVICE\Miele Benchmark Programming Tool\Uninstall Miele Benchmark Programming Tool.exe" /allusers

For exploitation, replace the "Uninstall Miele Benchmark Programming Tool.exe"  
with a malicious binary and uninstall via Software Center or call the admin  
and let them uninstall the Miele Benchmark Programming Tool.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested, which were the latest versions available  
during the time of the test:

* 1.1.49  
* 1.2.71

Other (lower) software versions may be affected as well.

Vendor contact timeline:  
------------------------  
2022-03-21: Contacting vendor through psirt@miele.com  
2022-03-22: Vendor answered that they will check the provided information  
2022-04-07: Vendor confirmed the vulnerability and answered with aim to fix it asap  
2022-04-11: Vendor sent their advisory (including CVE) and fixed version  
2022-04-27: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version v1.2.72 which can be downloaded here:

https://www.miele.com/en/com/downloads-6770.htm

Workaround:  
-----------  
Adapt permissions of the C:\MIELE_SERVICE directory according to the least privilege  
principle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem / @2022

Miele Benchmark Programming Tool 1.1.49 / 1.2.71 Privilege Escalation

Trojan-Downloader.Win32.Agent malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/fb3ac3c9d808de7f4b5ede68715f658f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Downloader.Win32.AgentVulnerability: Insecure PermissionsDescription: The malware writes a PE file to the "Windows\System" directory granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.Family: AgentType: PE32MD5: fb3ac3c9d808de7f4b5ede68715f658fVuln ID: MVID-2022-0570Dropped files: alg.exeDisclosure: 04/26/2022 Exploit/PoC:C:\>cacls \Windows\System\alg.exeC:\Windows\System\alg.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>dir \Windows\System\alg.exe Volume in drive C has no label. Directory of C:\Windows\System04/10/2022  01:18 AM           882,688 alg.exe               1 File(s)        882,688 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Downloader.Win32.Agent Insecure Permissions

Backdoor.Win32.Cafeini.b malware suffers from a man-in-the-middle vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/851f8945d1b5923990f4722d627156a0_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Port Bounce ScanDescription: The malware runs an FTP server on TCP port 23. Third-party adversaries who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.Family: CafeiniType: PE32MD5: 851f8945d1b5923990f4722d627156a0Vuln ID: MVID-2022-0569Disclosure: 04/26/2022Exploit/PoC:C:\>nmap -n -Pn -b test:test@192.168.18.125:23  -p21,22,80 192.168.18.237 -vStarting Nmap 7.80 ( https://nmap.org ) at 2022-04-20 14:50 UTC-11Resolved FTP bounce attack proxy to 192.168.18.125 (192.168.18.125).Attempting connection to ftp://test:test@192.168.18.125:23Connected:220 CAFEiNi 1.1 FTP serverLogin credentials accepted by FTP server!Initiating Bounce Scan at 14:50Removed 22Changed my mind about port 22Removed 21Changed my mind about port 21Discovered open port 80/tcp on 192.168.18.237Completed Bounce Scan at 14:50, 2.21s elapsed (3 total ports)Nmap scan report for 192.168.18.237Host is up.PORT   STATE  SERVICE21/tcp closed ftp22/tcp closed ssh80/tcp open   httpRead data files from: C:\Program Files (x86)\NmapNmap done: 1 IP address (1 host up) scanned in 11.39 secondsDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b Man-In-The-Middle

Trojan-Downloader.Win32.Small.ahlq malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/d859ba54086fd0313dc34b73b5b1eccb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Downloader.Win32.Small.ahlqVulnerability: Insecure Permissions Description: the malware creates a directory with insecure permissions under c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: SmallType: PE32MD5: d859ba54086fd0313dc34b73b5b1eccbVuln ID: MVID-2022-0567Disclosure: 04/26/2022Exploit/PoC:C:\>cacls TempC:\Temp BUILTIN\Administrators:(OI)(CI)(ID)F        NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F        BUILTIN\Users:(OI)(CI)(ID)R        NT AUTHORITY\Authenticated Users:(ID)C        NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)CC:\>dir Temp Volume in drive C has no label. Directory of C:\Temp04/14/2022  04:03 AM           761,344 vjrgq12Server_Setup.exe               1 File(s)        761,344 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Downloader.Win32.Small.ahlq Insecure Permissions

Third party file and theft

Doubts have arisen about the veracity of research that purportedly demonstrates a serious vulnerability involving VirusTotal, a Google-owned antivirus comparison and threat intel service.

VirusTotal (VT) offers a service that allows security researchers, sysadmins, and the like to analyze suspicious files, domains, IPs, and URLs through an aggregated service that bundles close to 70 antivirus products and scan engines.

Samples submitted through the service are automatically shared amongst the security community including, but not limited to, the vendors who maintain scanning engines used by VT.

Catch up on the latest cybersecurity industry news and analysis

In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims researchers were able to “execute commands remotely within \[the\] VirusTotal platform and gain access to its various scans capabilities”.

The attack relies on a doctored DJVU file with a malicious payload added to the file’s metadata. This payload relies on the CVE-2021-22204 vulnerability in a metadata analysis tool, Exiftool, to then achieve remote code execution (RCE) and a remote shell.

Cysource researchers’ findings were submitted via Google’s VRP in April 2021 and resolved a month later.

But rather than demonstrating a way to weaponize VirusTotal, as they suggest, all Cysource has shown is a means to hack an unpatched, third-party antivirus toolbox, according to VirusTotal.

**Debunked**

In a rebuttal of the research posted as a thread on Twitter, Bernardo Quintero, VirusTotal’s founder, said that the code executions are happening on third-party scanning systems that take and analyze samples obtained from VT rather than VirusTotal itself.

VirusTotal makes no use of the vulnerable version of the Exiftool and, furthermore, none of the affected machines were maintained by VT, according to Quintero.

Quintero said that he informed the researchers of this in response to their initial disclosure last May. He criticised their decision to publish what he argues are misleading findings regardless as “fake news”.

“None \[of the\] reported machine was from VT and the ‘researchers’ knew it,” according to Quintero.

The Daily Swig has contacted Cysource for a response to this criticism and will update this story as and when more information comes to hand.

YOU MAY ALSO LIKE Java encryption implementation error made it trivial to forge credentials

VirusTotal debunks claims of a serious vulnerability in Google-owned antivirus service

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
"The war in Ukraine has

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5xuLJaTB-qBvEp10kBoQBs184MuorHdkHDoJK2GNomCTwuAZTUlvNPt23zXOEMyNE0npV6NPejnz2nh4-Q1qMqlHh45vlNet1SwMt4uucTmdBX_fGmYICIdgwpC8qILbPYGPa0fWJ7rmDb5OpNFMyV6yR4UITUXBDc6QJVoL1SNElO54eTYL2Bbv6/s728-e1000/china-russia.gif "PlugX Malware")

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.

Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm said in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access, and collect data from targets of interest.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

Chief among its tools is PlugX, a Windows backdoor that enables threat actors to execute a variety of commands on infected systems and which has been employed by several Chinese state-sponsored actors over the years.

The latest findings from Secureworks suggest an expansion of the same campaign previously detailed by Proofpoint and ESET last month, which has involved the use of a new variant of PlugX codenamed Hodur, so labeled owing to its overlaps with another version called THOR that emerged on the scene in July 2021.

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPISpeAfa4WL5oqadRdNrgThQ-LU9yqEyGnwIy1EzaerbYW5zrl1tGgazr6QIT40wbxIKSUn7F5z7HcJbqZcj2XCvV181YArCCbgL8TxDKH4lNqC00Cv_fJSN6p4AekErsps_3ZPT5ovcC2YBf5bngyyrpHiTsPtK2_uzORzluzuZiTHubtNFST2zR/s728-e1000/data.jpg "PlugX Malware")

The attack chain commences with a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe" that masquerades as a seemingly legitimate document with a PDF icon, which, when opened, leads to the deployment of an encrypted PlugX payload from a remote server.

"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment," the researchers said. "This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."

The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

"Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the \[People's Republic of China\]," the researchers said.

The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.

"PlugX has been associated with various Chinese actors in recent years," Trellix noted last month. "This fact raises the question if the malware's code base is shared among different Chinese state-backed groups."

"On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors," the cybersecurity company added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware 

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

**Conversation**

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

schmichael added a commit to hashicorp/nomad that referenced this pull request

Jan 12, 2022

schmichael added a commit to hashicorp/nomad that referenced this pull request

Jan 12, 2022

 jba mentioned this pull request

Apr 27, 2022

CVE-2022-29810: Redact SSH key from URL query parameter by macedogm · Pull Request #348 · hashicorp/go-getter

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Redact SSH key from URL query parameter #348**

Conversation 5 Commits 2 Checks 0 Files changed

Tag

#mac