IBM Sterling Secure Proxy 6.0.3 and IBM Secure External Authentication Server 6.0.3 does not properly ensure that a certificate is actually associated with the host due to improper validation of certificates. IBM X-Force ID: 201104.

  

**Summary**

IBM Sterling External Authentication Server does not properly ensure that a certificate is actually associated with the host due to improper validation of certificates.

**Vulnerability Details**

**CVEID:**   CVE-2021-29726  
**DESCRIPTION:**   IBM Sterling Secure Proxy does not properly ensure that a certificate is actually associated with the host due to improper validation of certificates.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201104 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Secure External Authentication Server

6.0.3

  

**Remediation/Fixes**

**Product**

**Version**

**iFix**

**Remediation Location**

IBM Sterling External Authentication Server

6.0.3.0

iFix 3

Fix Central

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

16 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS6PNW","label":"Sterling Secure Proxy"},"Component":"Sterling External Authentication Server","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF051","label":"Linux on IBM Z Systems"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"}\],"Version":"6.0.3","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}\]

CVE-2021-29726: Security Bulletin: IBM Sterling External Authentication Server is vulnerable to improper validation of certificates

Most local leaders lack cybersecurity resources so they don't know where their weaknesses are and which areas threat actors are most likely to target, with little focus or understanding of risk.

Local governments remain prime targets for ransomware, as hackers lock up government systems and leave municipalities with few resources and long recovery times. Everything from emergency response systems to hospitals, schools, and the elections could be up for grabs as these threat actors wreak as much havoc as possible.

It's a scary time as the landscape grows to include new threats like "killware," which is exactly as dangerous as it sounds. As Homeland Security Secretary Alejandro Mayorkas said recently, "The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us."

Sadly, it's not.

Hackers are consistently breaching local government systems that have weak password policies, lack multifactor authentication, and lack proper data recovery processes and tools. Those most at risk are not properly managing even the most basic security tasks, such as solidifying data backup and recovery processes. Users often share credentials like it's a Netflix account and critical systems are at risk because of it. Most local governments lack proper information security and governance.

Local leaders often lack the resources, budget, and knowledge for cybersecurity. Most don't know where their weaknesses lie and which areas threat actors are most likely to target because there is not a focus on understanding information security risks.

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wants them to step up. The National Association of State Chief Information Officers (NASCIO) adds further urgency with its top 10 priorities for 2022, in which risk management and cybersecurity top the list.

Here are a few steps that local and county governments can take to improve their cybersecurity posture and avoid a costly breach.

**Contact a Cybersecurity Professional  
**In many cases, IT teams advising on cybersecurity are punching above their weight. But the risk of a cyberattack can't be ignored. Local governments need to partner with an organization that can not only check compliance with cybersecurity standards but also technically assess their controls.

Even if local governments are subject to cybersecurity policies, policies do not equal security. Compliance audits should check against the 18 Center for Internet Security (CIS) critical security controls and the National Institute of Standards and Technology (NIST) cybersecurity framework and also include a technical control suitability and configuration review.

In other words, the assessment should dig into the technical weeds. It should identify how governments are orchestrating backups, which forms of remote access are in use, whether there is multifactor authentication on all of them, how strong the passwords must be, and email security.

Undoubtedly there is a lot of work involved here and some of it is costly. However, a proactive approach is far cheaper than paying recovery costs (even if ransom isn't paid) and trying to repair the integrity of a government's systems and its reputation. In 2020, ransomware attacks cost US government organizations nearly $19 billion.

**Use Available Funding  
**Many local governments cite a lack of funding as a reason that cybersecurity isn't taken more seriously. While funding circumstances vary greatly across the country, there are some resources available that, although not exclusively for that purpose, can be allocated to cybersecurity.

As part of the American Rescue Plan, the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program delivers $350 billion to state, local, and tribal governments across the country for a variety of uses, including cybersecurity. Hundreds, if not thousands, of local governments aren't spending those relief funds in that way.

According to a report by Deloitte and NASCIO, the majority of states spend only 1% to 2% of their IT budgets on cybersecurity, yet federal agencies and private sector businesses spend 5% to 20%. Attackers are targeting local governments just as disproportionately as they spend on security. One study in 2020 found that local governments are the most common target of cybercriminals, with 45% of ransomware attacks aimed at municipalities.

**Perform a Penetration Test  
**Once you've identified the right cybersecurity partner and some funding to help increase your security posture, you'll want to start with a technical control suitability and configuration assessment, including a penetration test. This is an eye-opener for a lot of local governments that never thought twice about sign-in credentials or the risk posed to systems that are often taken for granted, like emergency response or traffic lights.

Your cybersecurity partner should perform both internal and external pen testing in their assessment. The data points that come out of those studies should serve as priorities for the administration and basically provide the to-do list for the next 24 months to orchestrate and support a cybersecurity strategy.

There is no quick fix for cybersecurity, but there are plenty of reasons to make the investment outside of recovery costs or ransom payments.

Consider that the Washington, DC, police network was breached and hackers posted hundreds of pages of purported internal documents. In Cornelia, Georgia, a fourth ransomware attack in two years disabled the town's software network so it couldn't pay its outstanding bills or bill its own customers for water use. In fact, water treatment plants have been of particular interest to hackers. Public water systems were hacked in California, Florida, and Pennsylvania last year, although thankfully none of the attacks have resulted in poisoned water reaching residents.

Local governments have already been targeted heavily and their threat landscape has only increased since Russia's invasion of Ukraine. The US has been bracing for Russian cyberattacks to hit home as the conflict intensifies. Municipalities, particularly the ones that control utilities, can protect against hackers' disruptions by making the necessary investments in security. With proper protections, you can save yourself from those headaches and avoid the disastrous disruptions and costs of an attack.

Local Government's Guide to Minimizing the Risk of a Cyberattack

Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 
Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. 
NVIDIA graphics...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ 

Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. 

NVIDIA graphics drivers are software for NVIDIA Graphics GPU cards that are installed on PCs. The D3D10 driver communicates between the operating system and the GPU. It's required in most cases for the PC to function properly. 

An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. 

These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments. We specifically tested these issues with a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host. 

For more information on these issues, check out their advisories linked below: 

*   TALOS-2021-1435 (CVE-2022-28181) 
*   TALOS-2021-1436 (CVE-2022-28182) 
*   TALOS-2021-1437 (CVE-2022-28182) 
*   TALOS-2021-1438 (CVE-2022-28182) 

Cisco Talos worked with NVIDIA to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. 

Users are encouraged to update these affected products as soon as possible: NVIDIA D3D10 driver 496.76, version 30.0.14.9676. Talos tested and confirmed this driver could be exploited by these vulnerabilities. 

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 58880 - 58883, 58885, 58886, 58910 and 58911. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver 

The goal was Win32k Lockdown – a serious step up in Windows security

The goal was Win32k Lockdown – a serious step up in Windows security

Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.

On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.

**Process isolation**

When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.

The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.

**YOU MIGHT ALSO LIKE** ‘Browser in a browser’ – Phishing technique simulates pop-ups to exploit users

The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.

The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.

Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.

**Win32k Lockdown**

Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threats, OS processes, and memory.

Specifically, Mozilla wanted to restrict access to win32k.sys, an API historically exploitable, via Microsoft’s , an app for disabling access to win32k.sys system calls.

However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.

Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.

In addition, Firefox has also rehashed line break functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.

**Gradual expansion**

While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.

A quiet change was introduced for Mac users In Firefox 95 that blocked access to the WindowServer, improving process startup by between 30 - 70% and bumping up security. In Linux, the link between content processes and the X11 Server was broken in Firefox 99.

“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.

“We’re pleased to have made it through and present you with the result in Firefox 100.”

Read more of the latest browser security news

Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts and CVE-2022-29911, an iframe sandbox bypass.

Both Chome and Firefox have now reached the triple-digits in browser versions. When websites rely on identifying the browser version to perform business logic functions, moving from double to triple could break website functionality.

Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.

_The Daily Swig_ has reached out to Mozilla and we will update when we hear back.

**RELATED** ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system, detractors claim

Firefox debuts improved process isolation to reduce browser attack surface

A vulnerability was found in HTC One/Sense 4.x. It has been rated as problematic. Affected by this issue is the certification validation of the mail client. An exploit has been disclosed to the public and may be used.

**HTC's E-Mail Client Fails to verify Server Certificates**

We decided not to release an official advisory, but to write this short and hopefully entertaining blogpost about a stupid, but severe bug we recently discovered.

Severity: medium to high  
Vendor: HTC  
Products we known to be affected:  

*   Mail Version 5.2.2222282614.528614.528614 on an HTC One SV with Android 4.0.4, HTC Sense 4.1, HTC SDK API 4.25
*   Mail Version 5.5.550363 running on an HTC One X with Android 4.1.1, HTC Sense 4+ HTC SDK API 4.63

**Short Summary**

modzero identified a vulnerability in HTC's default mail client. If the user chooses encrypted and authenticated communication to a mail server, the application does not verify the server's certificate and automatically accepts any certificate without asking or warning the user. Thus, an attacker is able to intercept a user's credential and e-mails, especially in rogue access point scenarios.

**Whole Story**

While analyzing a wireless infrastructure, we were testing station behaviour regarding rogue access-points. Using airbase-ng and some metasploit capture server modules, the set-up was painless and straight forward.

YEP, it works as expected; the phone connects to the rogue network and tries to pull the e-mails from the SSL protected POP3 or IMAP servers. The iPhone did properly show a certificate warning, because it could not verify the certificate while trying to get the e-mails. Lets check how the other phones behave. **Booom** - a username and password was captured!  

Wait a second? SSL was enabled on all the configs right? Let's check the config the HTC ONE X android phone again? YEP,**SSL enabled** -maybe something is broken or someone had accept the certificate already or ... whatever ... So we setup another fake e-mail account and gave it a go.  

Again, the password showed up and no certificate warning was visible on the HTC ONE X e-mail client at all. This happens for POP and IMAP accounts.  

Great!Everyone can man-in-the-middle your apparently SSL protected e-mail communication. FSCK ... impossible ...  

Lets compare the available settings of a HTC Android phone and a regular android phone:  

Did the guys at HTC wanted to make the user experience better? More options might just confuse their users? In fact the "SSL" setting on the HTC e-mail client does behave like the "SSL accept allcertificates" setting on other Android e-mail clients.

**Using SSL is completely pointless, if you don't verify the certificates at all.**  

We did not even bother to check what they precisely messed up in the E-Mail client code. HTC, please go and fix it. This is plain stupid. Other versions might be affected as well. Feel free to e-mail us regarding other affected versions.

Credits:

*   Max Moser
*   Martin Schobert

Posted by modzero | Permanent link | File under:

rant,

crypto

CVE-2013-10001: HTC's E-Mail Client Fails to verify Server Certificates

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

\-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2022-e56085ba31 2022-05-12 20:24:55.994298 -------------------------------------------------------------------------------- Name : pcre2 Product : Fedora 36 Version : 10.40 Release : 1.fc36 URL : https://www.pcre.org/ Summary : Perl-compatible regular expression library Description : PCRE2 is a re-working of the original PCRE (Perl-compatible regular expression) library to provide an entirely new API. PCRE2 is written in C, and it has its own API. There are three sets of functions, one for the 8-bit library, which processes strings of bytes, one for the 16-bit library, which processes strings of 16-bit values, and one for the 32-bit library, which processes strings of 32-bit values. There are no C++ wrappers. This package provides support for strings in 8-bit and UTF-8 encodings. Install pcre2-utf16 or pcre2-utf32 packages for the other ones. The distribution does contain a set of C wrapper functions for the 8-bit library that are based on the POSIX regular expression API (see the pcre2posix man page). These can be found in a library called libpcre2posix. Note that this just provides a POSIX calling interface to PCRE2; the regular expressions themselves still follow Perl syntax and semantics. The POSIX API is restricted, and does not give full access to all of PCRE2's facilities. -------------------------------------------------------------------------------- Update Information: Rebase to version 10.40 -------------------------------------------------------------------------------- ChangeLog: \* Mon Apr 25 2022 Lukas Javorsky <ljavorsk(a)redhat.com&gt; - 10.40-1 - Rebase to the 10.40 - Resolves multiple Out-of-bounds read errors -------------------------------------------------------------------------------- References: \[ 1 \] Bug #2075955 - pcre2-10.40 is available https://bugzilla.redhat.com/show\_bug.cgi?id=2075955 \[ 2 \] Bug #2077986 - CVE-2022-1587 pcre2: Out-of-bounds read in get\_recurse\_data\_length in pcre2\_jit\_compile.c \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=2077986 \[ 3 \] Bug #2077987 - CVE-2022-1586 pcre2: Out-of-bounds read in compile\_xclass\_matchingpath in pcre2\_jit\_compile.c \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=2077987 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-e56085ba31' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command\_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------

CVE-2022-1586: [SECURITY] Fedora 36 Update: pcre2-10.40-1.fc36 - package-announce

An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.

.NET C# package IpMatcher incorrectly validates input, leading to indeterminate SSRF, LFI, RFI, DoS vectors

A vulnerability in the .NET C# IpMatcher v1.0.4.1 and below NuGet package allows an attacker to submit invalid octal or hexadecimal IP addresses and netmasks, since IpMatcher does not properly validate them against the internal "Matcher" match list of IP addresses and subnets. Further, IpMatcher does not correctly reformat additions to the match list when these additions (IP address or netmask or both) are supplied in octal or hexadecimal notation. A remote, unauthenticated attacker can bypass allowlist or denylist validation based on use of IpMatcher as exemplified by WatsonWebserver, resulting in indeterminate SSRF, LFI, RFI, or DoS.

Patched (researchers notified 19 August) in commit and NuGet package version 1.0.4.2

    /* Author: Kelly Kaoudis
     * License: GPLv3
     *
     * Requires:
     * `dotnet add package IpMatcher --version 1.0.4.1`
     *
     * To run:
     * `dotnet run`
     */
    
    using System;
    using IpMatcher;
    
    namespace dotnet
    {
        class PoC
        {
            private static void checkExists(Matcher matcher, string ip, string mask)
            {
                if (matcher.Exists(ip, mask))
                {
                    Console.WriteLine("matches on " + ip + " / " + mask);
                }
                else
                {
                    Console.WriteLine("DOES NOT match on " + ip + " / " + mask);
                }
            }
    
            private static void checkMatchExists(Matcher matcher, string ip)
            {
                if (matcher.MatchExists(ip))
                {
                    Console.WriteLine("matches on " + ip);
                }
                else
                {
                    Console.WriteLine("DOES NOT match on " + ip);
                }
    
            }
    
            private static void dumpMatcher(Matcher matcher)
            {
                Console.WriteLine("\nWhat is actually in the matcher now (if nothing follows on the next line, nothing)?");
                foreach (string addr in matcher.All())
                {
                    Console.WriteLine("address from matcher: " + addr);
                }
                Console.WriteLine("");
            }
    
            static void Main(string[] args)
            {
                Console.WriteLine("Constructing a new IpMatcher#Matcher...");
                Matcher matcher = new Matcher();
                // nothing in the matcher yet
                dumpMatcher(matcher);
    
                Console.WriteLine("adding 192.31.196.0 / 0.0.0.0 (mask)");
                matcher.Add("192.31.196.0", "0.0.0.0");
    
                // contains 0.0.0.0 / 0.0.0.0 (incorrect)
                dumpMatcher(matcher);
    
                checkExists(matcher, "192.31.196.2", "0.0.0.0");
                checkExists(matcher, "192.31.196.1", "0.0.0.0");
                checkExists(matcher, "192.31.196.0", "0.0.0.0"); // should match but does not
                checkExists(matcher, "0.0.0.0", "255.0.0.0"); //should not match
                checkExists(matcher, "0.0.0.0", "0.0.0.0");
    
                checkMatchExists(matcher, "0.0.0.0");
                checkMatchExists(matcher, "192.31.196.0");
                checkMatchExists(matcher, "192.31.196.1");
                //checkMatchExists(matcher, "0192.031.0196.0"); throws parse exception and not sure why
                checkMatchExists(matcher, "0300.037.0304.0"); // octal for 192.31.196.0
                checkMatchExists(matcher, "0300.037.0304.01");
                checkMatchExists(matcher, "0300.036.0304.0"); // should not match but does
                checkMatchExists(matcher, "0100.0100.0100.0100"); // should not match but does
    
            //    checkMatchExists(matcher, "aaaaaaaaaa"); thankfully results in exception
    
                // results in invalid argument exception
               // if (matcher.MatchExists("0192.031.0196.02"))
               // {
               //     Console.WriteLine("gross! matches 0192.031.0196.02");
               // }
    
                Console.WriteLine("adding 192.168.0.0 / 255.0.0.0 (mask)");
                matcher.Add("192.168.0.0", "255.0.0.0");
    
                checkExists(matcher, "192.167.0.1", "255.0.0.0");
                checkExists(matcher, "192.168.0.0", "255.0.0.0");
                checkExists(matcher, "192.168.1.1", "255.0.0.0");
                checkMatchExists(matcher, "172.13.2.15");
                checkMatchExists(matcher, "010.1.1.1");
                checkMatchExists(matcher, "4.4.4.4");
    
                Console.WriteLine("adding 0300.055.0250.0 / 1.1.0.0 (mask)");
                matcher.Add("0300.055.0250.0", "1.1.0.0");
    
                checkExists(matcher, "192.45.168.0", "1.1.0.0");
                checkExists(matcher, "0300.055.0250.0", "0.0.0.0");
                checkExists(matcher, "0300.055.0250.0300", "1.1.0.0");
                checkExists(matcher, "0288.055.0250.0", "1.1.0.0");
    
                checkMatchExists(matcher, "2130706433");
                checkMatchExists(matcher, "017700000001");
                checkMatchExists(matcher, "3232235521");
                checkMatchExists(matcher, "3232235777");
                checkMatchExists(matcher, "0x7f.0x00.0x00.0x01");
                checkMatchExists(matcher, "0xc0.0xa8.0x00.0x14");
    
                Console.WriteLine("adding 0300.055.0250.0 / 0377.0.0.0 (mask)");
                matcher.Add("0300.055.0250.0", "0377.0.0.0");
    
                Console.WriteLine("adding 0250.0300.010.010 / 0.0.0.0 (mask)");
                matcher.Add("0250.0300.010.010", "0.0.0.0");
    
                Console.WriteLine("adding 0250.0300.010.010 / 010.010.010.0 (mask)");
                matcher.Add("0250.0300.010.010", "010.010.010.0");
    
                // anything ending in 8 or 9 doesn't work
                Console.WriteLine("adding 0172.057.0.0 / 0.0.0.0 (mask)");
                matcher.Add("0172.057.0.0", "0.0.0.0");
    
                Console.WriteLine("adding 0172.057.0.0 / 055.055.013.0 (mask)");
                matcher.Add("0172.057.0.0", "055.055.013.0");
    
             //   matcher.Add("08.09.0.0", "01.01.01.0"); fails as it should
    
                Console.WriteLine("adding 010.010.0172.0 / 0.0.0.0 (mask)");
                matcher.Add("010.010.0172.0", "0.0.0.0");
    
                Console.WriteLine("adding 010.010.0172.0 / 01.01.01.01 (mask)");
                matcher.Add("010.010.0172.0", "01.01.01.01");
    
                Console.WriteLine("adding 010.010.0172.0 / 010.010.0172.010 (mask)");
                matcher.Add("010.010.0172.0", "010.010.0172.010");
    
                Console.WriteLine("adding 010.010.0172.0 / 010.010.0.010 (mask)");
                matcher.Add("010.010.0172.0", "010.010.0.010");
    
                Console.WriteLine("adding 010.010.0172.0 / 010.010.0.010 (mask)");
                matcher.Add("010.010.0172.0", "010.010.0255.010");
    
                Console.WriteLine("adding 0xaa.0xaa.0xaa.0xaa / 0xaa.0xfe.0xfe.0xfe (mask)");
                matcher.Add("0xaa.0xaa.0xaa.0xaa", "0xfe.0xfe.0xfe.0xfe");
    
              //  fails with exception as it should as 0xfff is tooooo biggggg
              //  matcher.Add("0xfff.0xfff.0xfff.0x0", "0x0.0x0.0x0.0x0");
    
                Console.WriteLine("adding 0xf0.0x0.0x0.0x0 / 0xff.0x0.0x0.0x0 (mask)");
                matcher.Add("0xf0.0x0.0x0.0x0", "0xff.0x0.0x0.0x0");
    
                // now contains the following:
                // 0.0.0.0/0.0.0.0
                // 192.0.0.0/255.0.0.0
                // 0.1.0.0/1.1.0.0
                // 192.0.0.0/0377.0.0.0
                // 8.0.8.0/010.010.010.0
                // 40.45.0.0/055.055.013.0
                // 8.8.122.0/010.010.0172.010
                // 8.8.0.0/010.010.0.010
                // 8.8.40.0/010.010.0255.010
                // 170.170.170.170/0xfe.0xfe.0xfe.0xfe
                // 240.0.0.0/0xff.0x0.0x0.0x0
                dumpMatcher(matcher);
            }
        }
    }

CVE-2021-33318: advisories/0-2021.md at main · kaoudis/advisories

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code

CVE-2022-1409

The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users

CVE-2022-0867

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Skip to content

*   Penetration Testing
*   Prism
*   Why Prism?
*   Partners
    *   Service Provider Partners
    *   Penetration Testing Partners
*   Resources
    *   Tech Talks
    *   Blog
    *   Our Customers

*   Penetration Testing
*   Prism
*   Why Prism?
*   Partners
    *   Service Provider Partners
    *   Penetration Testing Partners
*   Resources
    *   Tech Talks
    *   Blog
    *   Our Customers

**Rootshell Discovered a Critical Vulnerability in Top WordPress Theme**

Rootshell Discovered a Critical Vulnerability in Top WordPress Theme

The Rootshell team discovered a critical vulnerability within Avada, the number one best-selling theme on WordPress.

Rootshell Security Consultant, Calum Elrick, identified a Server-Side Request Forgery (SSRF) issue by manipulating a parameter in the theme’s prebuilt contact form builders.

SSRF is a vulnerability that allows threat actors to create requests from the vulnerable server and access private IP addresses on the server’s local network.

This enables threat actors to target internal systems behind firewalls that are normally inaccessible, as well as access services from the same server that is listening on the loopback interface.

In summary, Server-Side Request Forgery attacks make it possible to:

*   Scan and attack systems from the internal network that are not normally accessible
*   Enumerate and attack services that are running on these hosts
*   Exploit host-based authentication services

On discovery of the issue, the Rootshell team quickly took action, and responsibly disclosed the vulnerability to Theme Fusion, the creators of Avada.

Theme Fusion addressed the issue promptly, and a patch has now been added in versions 7.6.2 (security update) and 7.7.

More details, including proof-of-concept code, will be available on our blog soon.

**This vulnerability affects Avada version 7.6.1 and below. We advise Avada users to update their version to the latest patch,** **available here****.**

**Share This Story, Choose Your Platform!**

**Related Posts**

*   Penetration Testing as a Service
*   Web Application Penetration Testing
*   Cloud Penetration Testing
*   Mobile Application Testing
*   Red Team as a Service
*   Cyber Threat Intelligence
*   Managed Vulnerability Scanning
*   Phishing Assessments

*   Prism Platform
*   Prism Plus+
*   Prism Features
*   Request a Demo

*   Tech Talks
*   Blog
*   Our Customers

*   Service Provider Partners
*   Penetration Testing Partners
*   About Us
*   Accreditations
*   Careers

© Copyright 2022 | Rootshell Security

Page load link

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies.

**Privacy Overview**

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie

Duration

Description

cookielawinfo-checkbox-analytics

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".

cookielawinfo-checkbox-functional

11 months

The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".

cookielawinfo-checkbox-necessary

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".

cookielawinfo-checkbox-others

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.

cookielawinfo-checkbox-performance

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

viewed\_cookie\_policy

11 months

The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Tag

#perl