A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data.
"Although air-gap computers have no wireless connectivity, we show that attackers can use

A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data.

"Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6GHz frequency band," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, wrote in a paper published last week.

The technique, dubbed **SATAn**, takes advantage of the prevalence of the computer bus interface, making it "highly available to attackers in a wide range of computer systems and IT environments."

Put simply, the goal is to use the SATA cable as a covert channel to emanate electromagnetic signals and transfer a brief amount of sensitive information from highly secured, air-gapped computers wirelessly to a nearby receiver more than 1m away.

An air-gapped network is one that's physically isolated from any other networks in order to increase its security. Air-gapping is seen as an essential mechanism to safeguard high-value systems that are of huge interest to espionage-motivated threat actors.

That said, attacks targeting critical mission-control systems have grown in number and sophistication in recent years, as observed recently in the case of Industroyer 2 and PIPEDREAM (aka INCONTROLLER).

Dr. Guri is no stranger to coming up with novel techniques to extract sensitive data from offline networks, with the researcher concocting four different approaches since the start of 2020 that leverage various side-channels to surreptitiously siphon information.

These include BRIGHTNESS (LCD screen brightness), POWER-SUPPLaY (power supply unit), AIR-FI (Wi-Fi signals), and LANtenna (Ethernet cables). The latest approach is no different, wherein it takes advantage of the Serial ATA cable to achieve the same goals.

Serial ATA is a bus interface and an Integrated Drive Electronics (IDE) standard that's used to transfer data at higher rates to mass storage devices. One of its chief uses is to connect hard disk drives (HDD), solid-state drives (SSD), and optical drives (CD/DVD) to the computer's motherboard.

Unlike breaching a traditional network by means of spear-phishing or watering holes, compromising an air-gapped network requires more complex strategies such as a supply chain attack, using removable media (e.g., USBStealer and USBFerry), or rogue insiders to plant malware.

For an adversary whose aim is to steal confidential information, financial data, and intellectual property, the initial penetration is only the start of the attack chain that's followed by reconnaissance, data gathering, and data exfiltration through workstations that contain active SATA interfaces.

In the final data reception phase, the transmitted data is captured through a hidden receiver or relies on a malicious insider in an organization to carry a radio receiver near the air-gapped system. "The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker," Dr. Guri explained.

As countermeasures, it's recommended to take steps to prevent the threat actor from gaining an initial foothold, use an external Radio frequency (RF) monitoring system to detect anomalies in the 6GHz frequency band from the air-gapped system, or alternatively polluting the transmission with random read and write operations when a suspicious covert channel activity is detected.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals

IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  203440.

  

**Summary**

IBM Engineering Requirements Quality Assistant On-Premises affected by multiple vulnerabilites including OpenSSL, cross-site scripting, cross-site request forgery (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788) which allowed an attacker or an unauthenticated user to execute malicious and unauthorized actions to obtain sensitive information. The fix also includes updated Node version 12.22.12.

**Vulnerability Details**

**CVEID:**   CVE-2021-29790  
**DESCRIPTION:**   IBM Engineering Requirements Quality Assistant is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203440 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2021-38868  
**DESCRIPTION:**   IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208310 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2021-29799  
**DESCRIPTION:**   IBM Engineering Requirements Quality Assistant could allow an authenticated user to obtain sensitive information due to improper client side validation.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203738 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-29788  
**DESCRIPTION:**   IBM Engineering Requirements Quality Assistant is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203310 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-0778  
**DESCRIPTION:**   OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN\_mod\_sqrt() function when parsing certificates. By using a specially-crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Engineering Requirements Quality Assistant On-Premises

All

  

**Remediation/Fixes**

For all the IBM Engineering Quality Assistant On-Premises versions please go and follow the steps mentioned for **Upgrading RQA** to apply the remediation.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

07 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3UPN","label":"IBM Engineering Requirements Quality Assistant"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2021-29790: Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-297

In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.

CVE-2022-32387: Hotfixes

Global Socket is a tool for moving data from here to there, securely, fast, and through NAT and firewalls. It uses the Global Socket Relay Network to connect TCP pipes, has end-to-end encryption (using OpenSSL's SRP / RFC-5054), AES-256 and key exchange using 4096-bit Prime, requires no PKI, has Perfect Forward Secrecy, and TOR support.

Global Socket 1.4.38

When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307

    From ff2047fb755d4415ec3c70ac799889371151796d Mon Sep 17 00:00:00 2001
    From: Jiri Slaby <jslaby@suse.cz>
    Date: Tue, 5 Jan 2021 13:02:35 +0100
    Subject: vt: drop old FONT ioctls
    
    From: Jiri Slaby <jslaby@suse.cz>
    
    commit ff2047fb755d4415ec3c70ac799889371151796d upstream.
    
    Drop support for these ioctls:
    * PIO_FONT, PIO_FONTX
    * GIO_FONT, GIO_FONTX
    * PIO_FONTRESET
    
    As was demonstrated by commit 90bfdeef83f1 (tty: make FONTX ioctl use
    the tty pointer they were actually passed), these ioctls are not used
    from userspace, as:
    1) they used to be broken (set up font on current console, not the open
       one) and racy (before the commit above)
    2) KDFONTOP ioctl is used for years instead
    
    Note that PIO_FONTRESET is defunct on most systems as VGA_CONSOLE is set
    on them for ages. That turns on BROKEN_GRAPHICS_PROGRAMS which makes
    PIO_FONTRESET just return an error.
    
    We are removing KD_FONT_FLAG_OLD here as it was used only by these
    removed ioctls. kd.h header exists both in kernel and uapi headers, so
    we can remove the kernel one completely. Everyone includeing kd.h will
    now automatically get the uapi one.
    
    There are now unused definitions of the ioctl numbers and "struct
    consolefontdesc" in kd.h, but as it is a uapi header, I am not touching
    these.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Link: https://lore.kernel.org/r/20210105120239.28031-8-jslaby@suse.cz
    Cc: guodaxing <guodaxing@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    ---
     drivers/tty/vt/vt.c       |   39 -----------
     drivers/tty/vt/vt_ioctl.c |  151 ----------------------------------------------
     include/linux/kd.h        |    8 --
     3 files changed, 3 insertions(+), 195 deletions(-)
     delete mode 100644 include/linux/kd.h
    
    --- a/drivers/tty/vt/vt.c
    +++ b/drivers/tty/vt/vt.c
    @@ -4625,16 +4625,8 @@ static int con_font_get(struct vc_data *
     
     	if (op->data && font.charcount > op->charcount)
     		rc = -ENOSPC;
    -	if (!(op->flags & KD_FONT_FLAG_OLD)) {
    -		if (font.width > op->width || font.height > op->height) 
    -			rc = -ENOSPC;
    -	} else {
    -		if (font.width != 8)
    -			rc = -EIO;
    -		else if ((op->height && font.height > op->height) ||
    -			 font.height > 32)
    -			rc = -ENOSPC;
    -	}
    +	if (font.width > op->width || font.height > op->height)
    +		rc = -ENOSPC;
     	if (rc)
     		goto out;
     
    @@ -4662,7 +4654,7 @@ static int con_font_set(struct vc_data *
     		return -EINVAL;
     	if (op->charcount > 512)
     		return -EINVAL;
    -	if (op->width <= 0 || op->width > 32 || op->height > 32)
    +	if (op->width <= 0 || op->width > 32 || !op->height || op->height > 32)
     		return -EINVAL;
     	size = (op->width+7)/8 * 32 * op->charcount;
     	if (size > max_font_size)
    @@ -4672,31 +4664,6 @@ static int con_font_set(struct vc_data *
     	if (IS_ERR(font.data))
     		return PTR_ERR(font.data);
     
    -	if (!op->height) {		/* Need to guess font height [compat] */
    -		int h, i;
    -		u8 *charmap = font.data;
    -
    -		/*
    -		 * If from KDFONTOP ioctl, don't allow things which can be done
    -		 * in userland,so that we can get rid of this soon
    -		 */
    -		if (!(op->flags & KD_FONT_FLAG_OLD)) {
    -			kfree(font.data);
    -			return -EINVAL;
    -		}
    -
    -		for (h = 32; h > 0; h--)
    -			for (i = 0; i < op->charcount; i++)
    -				if (charmap[32*i+h-1])
    -					goto nonzero;
    -
    -		kfree(font.data);
    -		return -EINVAL;
    -
    -	nonzero:
    -		op->height = h;
    -	}
    -
     	font.charcount = op->charcount;
     	font.width = op->width;
     	font.height = op->height;
    --- a/drivers/tty/vt/vt_ioctl.c
    +++ b/drivers/tty/vt/vt_ioctl.c
    @@ -486,70 +486,6 @@ static int vt_k_ioctl(struct tty_struct
     	return 0;
     }
     
    -static inline int do_fontx_ioctl(struct vc_data *vc, int cmd,
    -		struct consolefontdesc __user *user_cfd,
    -		struct console_font_op *op)
    -{
    -	struct consolefontdesc cfdarg;
    -	int i;
    -
    -	if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc)))
    -		return -EFAULT;
    -
    -	switch (cmd) {
    -	case PIO_FONTX:
    -		op->op = KD_FONT_OP_SET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = cfdarg.chardata;
    -		return con_font_op(vc, op);
    -
    -	case GIO_FONTX:
    -		op->op = KD_FONT_OP_GET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = cfdarg.chardata;
    -		i = con_font_op(vc, op);
    -		if (i)
    -			return i;
    -		cfdarg.charheight = op->height;
    -		cfdarg.charcount = op->charcount;
    -		if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))
    -			return -EFAULT;
    -		return 0;
    -	}
    -	return -EINVAL;
    -}
    -
    -static int vt_io_fontreset(struct vc_data *vc, struct console_font_op *op)
    -{
    -	int ret;
    -
    -	if (__is_defined(BROKEN_GRAPHICS_PROGRAMS)) {
    -		/*
    -		 * With BROKEN_GRAPHICS_PROGRAMS defined, the default font is
    -		 * not saved.
    -		 */
    -		return -ENOSYS;
    -	}
    -
    -	op->op = KD_FONT_OP_SET_DEFAULT;
    -	op->data = NULL;
    -	ret = con_font_op(vc, op);
    -	if (ret)
    -		return ret;
    -
    -	console_lock();
    -	con_set_default_unimap(vc);
    -	console_unlock();
    -
    -	return 0;
    -}
    -
     static inline int do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud,
     		bool perm, struct vc_data *vc)
     {
    @@ -574,29 +510,7 @@ static inline int do_unimap_ioctl(int cm
     static int vt_io_ioctl(struct vc_data *vc, unsigned int cmd, void __user *up,
     		bool perm)
     {
    -	struct console_font_op op;	/* used in multiple places here */
    -
     	switch (cmd) {
    -	case PIO_FONT:
    -		if (!perm)
    -			return -EPERM;
    -		op.op = KD_FONT_OP_SET;
    -		op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC;	/* Compatibility */
    -		op.width = 8;
    -		op.height = 0;
    -		op.charcount = 256;
    -		op.data = up;
    -		return con_font_op(vc, &op);
    -
    -	case GIO_FONT:
    -		op.op = KD_FONT_OP_GET;
    -		op.flags = KD_FONT_FLAG_OLD;
    -		op.width = 8;
    -		op.height = 32;
    -		op.charcount = 256;
    -		op.data = up;
    -		return con_font_op(vc, &op);
    -
     	case PIO_CMAP:
                     if (!perm)
     			return -EPERM;
    @@ -605,20 +519,6 @@ static int vt_io_ioctl(struct vc_data *v
     	case GIO_CMAP:
                     return con_get_cmap(up);
     
    -	case PIO_FONTX:
    -		if (!perm)
    -			return -EPERM;
    -
    -		fallthrough;
    -	case GIO_FONTX:
    -		return do_fontx_ioctl(vc, cmd, up, &op);
    -
    -	case PIO_FONTRESET:
    -		if (!perm)
    -			return -EPERM;
    -
    -		return vt_io_fontreset(vc, &op);
    -
     	case PIO_SCRNMAP:
     		if (!perm)
     			return -EPERM;
    @@ -1099,54 +999,6 @@ void vc_SAK(struct work_struct *work)
     
     #ifdef CONFIG_COMPAT
     
    -struct compat_consolefontdesc {
    -	unsigned short charcount;       /* characters in font (256 or 512) */
    -	unsigned short charheight;      /* scan lines per character (1-32) */
    -	compat_caddr_t chardata;	/* font data in expanded form */
    -};
    -
    -static inline int
    -compat_fontx_ioctl(struct vc_data *vc, int cmd,
    -		   struct compat_consolefontdesc __user *user_cfd,
    -		   int perm, struct console_font_op *op)
    -{
    -	struct compat_consolefontdesc cfdarg;
    -	int i;
    -
    -	if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc)))
    -		return -EFAULT;
    -
    -	switch (cmd) {
    -	case PIO_FONTX:
    -		if (!perm)
    -			return -EPERM;
    -		op->op = KD_FONT_OP_SET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = compat_ptr(cfdarg.chardata);
    -		return con_font_op(vc, op);
    -
    -	case GIO_FONTX:
    -		op->op = KD_FONT_OP_GET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = compat_ptr(cfdarg.chardata);
    -		i = con_font_op(vc, op);
    -		if (i)
    -			return i;
    -		cfdarg.charheight = op->height;
    -		cfdarg.charcount = op->charcount;
    -		if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc)))
    -			return -EFAULT;
    -		return 0;
    -	}
    -	return -EINVAL;
    -}
    -
     struct compat_console_font_op {
     	compat_uint_t op;        /* operation code KD_FONT_OP_* */
     	compat_uint_t flags;     /* KD_FONT_FLAG_* */
    @@ -1223,9 +1075,6 @@ long vt_compat_ioctl(struct tty_struct *
     	/*
     	 * these need special handlers for incompatible data structures
     	 */
    -	case PIO_FONTX:
    -	case GIO_FONTX:
    -		return compat_fontx_ioctl(vc, cmd, up, perm, &op);
     
     	case KDFONTOP:
     		return compat_kdfontop_ioctl(up, perm, &op, vc);
    --- a/include/linux/kd.h
    +++ /dev/null
    @@ -1,8 +0,0 @@
    -/* SPDX-License-Identifier: GPL-2.0 */
    -#ifndef _LINUX_KD_H
    -#define _LINUX_KD_H
    -
    -#include <uapi/linux/kd.h>
    -
    -#define KD_FONT_FLAG_OLD		0x80000000	/* Invoked via old interface [compat] */
    -#endif /* _LINUX_KD_H */

CVE-2021-33656: vt-drop-old-font-ioctls.patch « 5.10.127 « releases - kernel/git/stable/stable-queue.git

IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ShowPlugInSaveOptions_W+0x0000000000002cba.

**Please always use the current IrfanView and PlugIn version.**

  
**How to install IrfanView PlugIns?**

1.  Download all PlugIns, see below
2.  Click on the PlugIn file (irfanview\_plugins\_XYZ\_setup.exe)
3.  PlugIns will be installed into IrfanView "PlugIns" directory 

**Note:** Install 32-bit PlugIns to IrfanView-32 and 64-bit PlugIns to IrfanView-64 folder. **DO NOT** mix the PlugIns and IrfanView bit versions. 

**The current PlugIns version is: 4.60** 

**Note:** A normal IrfanView version includes the following (most important) PlugIns: **Effects, Paint, Icons, Slideshow-EXE, RegionCapture, JPG-Transform, Video, Metadata, Tools.**

  **Check the 64-bit page for 64-bit PlugIns.**  

1.  **You can download ALL (32-bit) PlugIns as one large EXE (recommended):**  **FossHub - download IrfanView plugins Installer**
    
    Alternative download site: iview460\_plugins\_setup.exe (20.2 MB, installer)  
    (SHA-256 checksum: 0a967a007c296944575962e66586bfada7c32012675dc1a0ae1cec982bb755f8)
    
  
3.  **You can download ALL (32-bit) PlugIns as one large ZIP (for experienced users!):**  **FossHub - download IrfanView plugins ZIP**
    
    Alternative download site: iview460\_plugins.zip (18.4 MB)  
    (SHA-256 checksum: 628a088067c0e4baf02ab87698fc0bf66b2b59cb1eee9ff08c95535e741cd654)
    

**Special PlugIn: "IrfanView Shell Extension":**

This PlugIn shows a **Context menu for some IrfanView operations in Windows Explorer or other file managers.**   
You can select several files and: Play slideshow, Load files in Thumbnails window, Start JPG Lossless Rotation, Convert images to another format, Save filenames as TXT, Create multipage TIF or PDF, Create panorama image. (current version: 1.06)

Download: https://www.irfanview.net/plugins/irfanview\_shell\_extension\_plugin.exe (Installer)  
(SHA-256 checksum: b9828e236b26626b46fe20ad31208140fc572819ba86c2cba75cbd2c7724ebef)

or 

https://www.irfanview.net/plugins/irfanview\_shell\_extension.zip (ZIP, for experienced users!)  
(SHA-256 checksum: 2112f85a917b2eca90eaa047a8c3b22e0157f13e83971aee679d955b2ff1047d)

**You can download the (32-bit) PlugIns as 4 separate ZIP files (for experienced users!):**

1.  iv\_mmedia.zip. Contains these PlugIns: IV\_Player, Med, Mp3, Burning, Nero, Quicktime, Real Audio, SoundPlayer.
2.  iv\_formats.zip.  Contains these PlugIns: Awd, B3d, BabaCAD4Image, CamRAW, Crw, CADImage, Dicom, DjVu, Dpx, Ecw, Exr, Flash, Flif, Formats, Fpx, Hdp, Ics, ImPDF, ImPDN, JPEG2000, Jpeg\_LS, Jpm, Mng, MrSID, PDF, PhotoCD, OptiPNG, Postscript, Sff, Svg, Wbz, WebP, Wsq, Xcf.
3.  iv\_effects.zip.   Contains these PlugIns: Filter Sandbox, Film Simulation, Filter Factory, Filters Unlimited.
4.  iv\_misc.zip.      Contains these PlugIns: Email, FaceDetect, Ftp, Lcms.

**PlugIns updated after the version 4.60:**

*   CamRAW Plugin (4.60) - ZIP (32 bit) or ZIP (64 bit) - Support for Olympus OM-1 RAW format

**Available PlugIns and current versions:**

*   **AltaLux** - (version **1.08**): allows IrfanView to use AltaLux image effect
*   **AWD** - (version **2.0.0.0**): allows IrfanView to read Artweaver files
*   **B3D** - (version **4.56**): allows IrfanView to read BodyPaint 3D files
*   **BabaCAD4Image** - (version **1.3.2**): allows IrfanView to to read DXF and DWG CAD files
*   **BURNING** - (version **4.51**): allows IrfanView to burn slideshow to a CD/DVD/BD (Windows XP SP3 or later required)
*   **BURNINGOLD** - (version **4.36**): allows IrfanView (32-bit) to burn slideshow to a CD (Windows XP or later required, Nero option can burn Data DVD and VCD)
*   **CADImage** - (version **14.0.0.1**): allows IrfanView to read DXF/DWG/HPGL/CGM/SVG files (Shareware, third party plugin)  
    Newest 32-bit versions under: https://www.cadsofttools.com/download/irfanviewplugins.zip , newest 64-bit versions: https://www.cadsofttools.com/download/irfanviewplugins\_x64.zip
*   **CamRAW** - (version **4.58**): allows IrfanView to to read Digital Camera RAW files  
    (formats: DNG, EEF, NEF, ORF, RAF, MRW, DCR, SRF/ARW, PEF, X3F)
*   **CRW** - (version **4.58**): allows IrfanView (32-bit) to read Canon CRW/CR2 files (high resolution image version) **  
    Note:** this PlugIn requires additional Canon DLLs. You can download these DLLs with the Canon ZoomBrowser program: https://www.canon.com/ or try here: https://www.irfanview.info/plugins/canon\_crw.zip (check "Readme.txt" for instructions and install!)
*   **DICOM** - (version **4.60**): allows IrfanView to read Dicom formats (DCM, ACR, IMA)
*   **DJVU** - (version **4.56**): allows IrfanView to read DJVU format
*   **DPX** - (version **4.56**): allows IrfanView to read DPX/CIN (Digital Picture Exchange/Cineon) format
*   **ECW** - (version **4.56**): allows IrfanView to read/write ECW files (Enhanced Compressed Wavelet)
*   **EFFECTS** - (version **4.59**): contains image effects and allows IrfanView to load Adobe Photoshop 8BF filters **Note:** some nice (fixed menu) Adobe 8BF Plugins/effects can be downloaded/installed from: https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_adobe\_8bf\_plugins.zip **  
    Note:** some older/special 8BFs may require additional system DLLs: Msvcrt10.dll and/or Plugin.dll. You can download these DLLs here: https://www.irfanview.info/plugins/8bf\_tools.zip (check "Readme.txt" for instructions and install!)
*   **EMAIL** - (version **4.59**): allows IrfanView to send images as emails
*   **EXR** - (version **4.56**): allows IrfanView to read EXR files
*   **FACEDETECT** - (version **2.00**): allows IrfanView to use the Face Detection feature from Thumbnails window  
    If you have a modern graphic card which can be used for additional calculations, you can try the GPU version of the plugin: https://www.irfanview.info/plugins/facedetect\_gpu.zip
*   **FILM\_SIMULATION** - (version **1.0.0.0**): allows IrfanView to apply some Film Simulation effects **  
    Note:** this PlugIn needs additional CLUT files, download/install from: https://www.irfanview.net/plugins/irfanview\_film\_sim\_plugin.zip
*   **FILTER\_FACTORY** - (version **4.53**): allows IrfanView to use Filter Factory 8BF files (Photoshop PlugIns)
*   **FLASH** - (version **2.2.0.1**): allows IrfanView to read Flash/Shockwave/FLV format
*   **FLIF** - (version **4.56**): allows IrfanView to read FLIF (Free Lossless Image) format
*   **FORMATS** - (version **4.60**): allows IrfanView to read some rare image formats  
    (formats: PCX, QOI, PSP, DDS, G3, RAS, IFF/LBM, BioRAD, Mosaic, XBM, XPM, GEM-IMG, SGI, RLE, WBMP, TTF, FITS, PIC, MAG, WAD, WAL, CAM, SFW, YUV, PVR, SIF and old/retro formats from Amiga, Atari, C64, ZX Spectrum etc.)
*   **FPX** - (version **4.56**): allows IrfanView (32-bit) to read FlashPix files
*   **FTP** - (version **4.50**): allows IrfanView to transfer files from Thumbnails window using FTP
*   **FILTERS\_UNLIMITED** - (version **3.20**): allows IrfanView (32-bit) to use Filters Unlimited files (Photoshop PlugIns and filters)
*   **HDP** - (version **4.56**): allows IrfanView to read Jpeg-XR/HDP/WDP (Microsoft HD Photo) files
*   **ICONS** - (version **4.30**): additional icons for IrfanView file associations
*   **ICS** - (version **4.56**): allows IrfanView (32-bit) to read ICS files (Image Cytometry Standard)
*   **IMPDF** - (version **0.90**): allows IrfanView (32-bit) to write PDF files (Portable Document Format)
*   **IMPDN** - (version **1.16**): allows IrfanView to read PDN files (Paint.NET File Format)
*   **IRFANVIEW\_SANDBOX** - (version **1.3.0.14**): allows IrfanView to use JewelScript Effects/Filters
*   **IV\_PLAYER** - (version **4.54**): allows IrfanView to play video/sound/audio-cd files using Windows Media Player
*   **JPEG2000** - (version **4.56**): allows IrfanView to read/write JPEG 2000 files
*   **JPEG\_LS** - (version **4.56**): allows IrfanView to read/write JPEG-LS files
*   **JPEG\_XL** - (version **4.59.1**): allows IrfanView to read/write JPEG-XL files
*   **JPEGQS** - (version **2020-05-17**): allows IrfanView to read JPG files using QuantSmooth method
*   **JPG\_TRANSFORM** - (version **4.59**): allows IrfanView to support lossless JPG operations (rotation/crop/cleaning, EXIF date editing, EXIF thumb update)
*   **JPM** - (version **4.56**): allows IrfanView to read/write JPM files
*   **LCMS** - (version **4.58**): allows IrfanView to use color management
*   **MED** - (version **3.31**): allows IrfanView (32-bit) to play MED/OctaMED audio files
*   **METADATA** - (version **4.60**): allows IrfanView to handle EXIF/IPTC/Comment information from compatible files
*   **MNG** - (version **4.57**): allows IrfanView to read/play MNG/JNG files
*   **MP3** - (version **4.52**): allows IrfanView to play MP3/MP2/MP1 files
*   **MRC** - (version **3.70**): allows IrfanView (32-bit) to read MRC files
*   **MR-SID** - (version **4.56**): allows IrfanView to read LizardTech's SID files **  
    Note:** this PlugIn needs additional DLLs (for IrfanView 32-bit only), download/install from: https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.exe (Installer) or https://www.irfanview.net/plugins/irfanview\_mrsid\_plugin.zip
*   **NERO** - (version **4.20**): allows IrfanView (32-bit) to burn slideshow to data or Video CD, using Nero Burning ROM software
*   **OCR\_KADMOS** - (version **4.4y**): adds OCR features to IrfanView PlugIn download: https://www.irfanview.info/plugins/kadmos/**  
    Note: the OCR PlugIn works only with IrfanView 32-bit.**
*   **OPTIPNG** - (version **4.59**): this PlugIn allows optimized PNG saving
*   **PAINT** - (version **0.4.13.57**): allows IrfanView to to paint lines, circles, arrows, straighten image etc.
*   **PDF** - (version **4.58**): allows IrfanView to read/save PDF files (Portable Document Format)
*   **PHOTO-CD** - (version **3.00**): allows IrfanView to read Kodak PCD files (high resolutions)
*   **POSTSCRIPT** - (version **4.59**): allows IrfanView to read EPS/PS/PDF files (using Ghostscript, take the **32-bit (!) EXE installer**, like "gs926w32.exe") or Ghostscript **64-bit for IrfanView 64-bit** (like "gs926w64.exe").
*   **QUICKTIME** - (version **4.56**): allows IrfanView to play/read Apple Quicktime files
*   **REAL-AUDIO** - (version **3.37**): allows IrfanView (32-bit) to play Real-Audio RA files
*   **REGIONCAPTURE** - (version **2.4.3**): allows IrfanView to capture a rectangle area of the screen
*   **SFF** - (version **4.56**): allows IrfanView to read SFF (Structured Fax) Files
*   **SLIDESHOW** - (version **4.57**): allows IrfanView to create presentations in EXE or SCR format (standalone executable/screen saver)
*   **SOUND\_PLAYER** - (version **4.39**): allows IrfanView to play OGG files (Ogg Vorbis)
*   **STUB\_LOADER** - (version **1.2.5**): allows loading of old (32 bit) PlugIns in IrfanView 64 bit (used also for scanning in IrfanView-64)
*   **SVG** - (version **0.85**): allows IrfanView to read SVG (Scalable Vector Graphic) files
*   **TOOLS** - (version **4.58**): contains some additional functions/features for IrfanView  
    (and some special formats, like: HEIC, AVIF; with installed codecs/extensions)
*   **VIDEO** - (version **4.57**): allows IrfanView to play many video/sound formats
*   **WBZ** - (version **1.01**): allows IrfanView to read WebShots (WBZ/WBC/WB1) files
*   **WEBP** - (version **4.57**): allows IrfanView to read/write WEBP (Weppy Format) files
*   **WPG** - (version **3.1.2**): allows IrfanView to read WPG (version 1) files
*   **WSQ** - (version **2019.10.15**): allows IrfanView to read WSQ (Wavelet Scaler Quantization) files
*   **XCF** - (version **0.1.4**): allows IrfanView to read XCF files

**For developers:** If you want to write your own plugins for IrfanView (support for new image formats or effects (please no private formats)), please send me an email for details.

CVE-2020-23563: IrfanView PlugIns

In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.

**Full AAA protection**

LemonLDAP::NG provides **authentication** (LDAP, Active Directory, Kerberos, Database, SSL, Social Networks, CAS, SAML, OpenID Connect, ...), **authorization** (access rules for applications based on attributes and groups) and **accounting** (user identity in logs).

*   Authentication
*   Authorization
*   Accounting

**Components**

LemonLDAP::NG relies on backends (files, databases, NoSQL) to store **configuration** and **sessions**. The **Portal** is the visible part, it displays the authentication screen and the menu, implements the standard protocols (CAS, SAML and OpenID Connect). The **Manager** is the administration interface. For applications working with HTTP headers for SSO, the **Handler** can be configured.

Read full presentation

**Identity Federation**

LemonLDAP::NG implements main SSO standards and can be used as gateway between these protocols

*   **CAS**
    
    CAS v1, v2 and v3  
    Attributes sharing  
    Access rules
    
*   **SAML**
    
    SSO, SLO and AA  
    Metadata import and export  
    Discovery Protocol (WAYF)
    
*   **OpenID Connect**
    
    Authorization Code, Implicit and Hybrid flows  
    ID Token HS and RS signatures  
    Extra claims definition
    

**Certifications and awards**

CVE-2020-16093: LemonLDAP::NG - Web Single Sign On and Access Management Free Software

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

DATE

ID#

TITLE

03-07-22

PLYTV21-09

Studio X50 – Improper Neutralization of Special Elements used in an OS Command

03-07-22

PLYPL21-12

EEDII – Multiple Security Vulnerabilities

02-23-22

PLYGN21-08

Poly Systems – Apache Log4j

09-29-21

Security Advisory Version 1.0

Plantronics Hub – Local Privilege Escalation

09-07-21

Security Bulletin Version 1.0

CX5100/CX5500 Authenticated Command Injection

04-30-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Bulletin Version 1.1

Increased SIP Provisioning Attacks

02-22-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly ZTP Service

01-20-21

Security Bulletin Version 1.0

Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A

04-24-20

Security Bulletin Version 1.0

Poly Recommended Best Security Practices for Unified Communications

04-01-20

Security Advisory Version 1.0

Poly Voice Endpoints – XSS and CSRF Vulnerabilities

02-07-20

Security Bulletin Version 1.0

CCX500 - UI Vulnerability Allows Access to Android Settings

01-15-20

Security Bulletin Version 1.6

Worldwide H.323 and SIP Botnet Calling Video Systems

01-10-20

Security Advisory Version 1.2.0

Remote Code Execution Vulnerability in UCS Software

01-10-20

Security Advisory Version 1.0.0

Vulnerabilities in VxWorks Operating System and Poly Products

09-04-19

Security Advisory Version 1.0.0

Plantronics Hub - Local Privilege Escalation Vulnerability

08-06-19

Security Advisory Version 1.0

Remote Code Execution Vulnerability in Obihai OBi1022

06-19-19

Security Advisory Version 1.1

Insufficient Authentication Resulting in Information Leakage on VVX Products

06-14-19

Security Advisory Version 1.1

Hard Coded Credentials Vulnerability in VVX Products

04-26-19

Security Advisory Version 1.0

Multiple Vulnerabilities in HDX Products Older than 3.1.14

02-20-19

Security Bulletin Version 1.0

HDX (versions older than 3.1.13) can be affected by multiple Botnets

01-24-19

Security Advisory Version 1.1

Cyber Threats Targeting Default Passwords

11-30-18

Security Bulletin Version 1.1

TLS 1.2 and Microsoft O365 Impacts to Polycom Products

11-05-18

Security Bulletin Version 1.0

Bluetooth Authentication Weakness Found in Trio

11-05-18

Security Bulletin Version 1.0

Stored Cross-Site Scripting Found in Trio

11-01-18

Security Bulletin Version 1.0

Remote Code Execution Vulnerability Found in Group Series

08-10-18

Security Bulletin Version 1.1

HDX SoftwareVersions Older than 3.1.12 and Omni Botnet

07-12-18

Security Advisory Version 1.9

Processor Based "Speculative Execution" Vulnerabilities AKA "Spectre" and "Meltdown" on Polycom Products

07-11-18

Security Advisory Version 1.2

Vulnerabilities in Polycom VVX Phones and UC Software

07-03-18

Security Advisory Version 1.0

Polycom UCS Software Vulnerabilities

06-26-18

Security Advisory Version 1.1

RealPresence Web Suite Vulnerability

05-10-18

Security Advisory Version 1.0

RealPresence Debut Vulnerabilities

03-05-18

Security Advisory Version 1.0

QDX 6000 Vulnerabilities

12-20-17

Security Advisory Version 1.2

"Krack" Vulnerability with Polycom Products

11-24-17

Security Advisory Version 1.2

Remote Code Execution on HDX Endpoints

10-18-17

Security Advisory Version 1.1

BlueBorne Bluetooth Vulnerabilities

08-28-17

Security Advisory Version 1.0

Information Disclosure on Multiple Polycom Products

08-11-17

Security Bulletin Version 1.1

WannaCry Vulnerability and Polycom Products

06-14-17

Security Bulletin Version 1.0

Relating to CVE-2017-7494 "SambaCry" Vulnerability and Polycom Products

03-22-17

Security Bulletin Version 1.0

Relating to CVE-2017-5638 "Apache Struts" Vulnerability and Polycom Products

10-26-16

Security Advisory Version 1.1

Relating to CVE-2016-5195 "Dirty COW" Vulnerability

09-20-16

Security Advisory Version 2.0

Relating to a Cross-site Scripting (XSS) Vulnerability in Polycom HDX Video Endpoints

09-13-16

Security Advisory Version 1.0

Relating to an XML External Entity (XXE) Vulnerability in Polycom HDX Video Endpoints)

04-06-16

Security Advisory Version 1.2

Relating to a GNU glibc DNS Vulnerability (CVE-2015-7547)

03-08-16

Security Bulletin Version 1.0

Relating to CVE-2016-0800 “DROWN” Vulnerability and Polycom Products

02-09-16

Security Office Update 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

12-16-15

Security Advisory Version 1.0

Relating to RealPresence Capture Server and RealPresence Media Suite Appliance Editions

12-09-15

Security Advisory Version 1.0

Relating to Path Traversal Vulnerabilities in Polycom VVX Business Media Phones

10-23-15

Security Advisory Version 2.0

Relating to GHOST glibc Vulnerability

10-23-15

Security Advisory Version 1.6.1

Relating to Logjam Vulnerability

06-29-15

Security Bulletin Version 1.0

RealPresence Resource Manager 8.4 security fixes summary

06-23-15

Security Advisory Version 1.0

Relating to Command Shell Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Inadequate SSH Restrictions Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Software Update Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Weak Entropy Vulnerability in Polycom Group Series Video Endpoints Web Cookies

06-17-15

Security Bulletin Version 1.0

Relating to "Tomcat Denial of Service"

06-15-15

Security Bulletin Version 1.0

Relating to Leap Second Insertion

04-20-15

Security Bulletin Version 1.6

Relating to SSLv3 "POODLE" Vulnerability and Polycom Products

10-24-14

Security Advisory Version 1.7

Relating to Bash shell arbitrary code execution on Various Polycom Products

10-06-14

Security Bulletin Version 1.2

Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products

06-05-14

Security Advisory Version 1.12

Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products

12-20-13

Security Bulletin 5471

Relating to JBoss Application Server on RealPresence Resource Manager

03-14-13

Security Bulletin 102404

Security Advisory relating to telnet shell authorization bypass on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107522

Security Advisory Relating to the Firmware Update Command Injection Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107523

Security Advisory Relating to the Command Shell Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107524

Security Advisory Relating to the H.323 Format String Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107525

Security Advisory Relating to the H.323 CDR Database SQL Injection on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107526

Security Advisory Relating to the PUP File Header MAC Signature Bypass on Polycom HDX Video Endpoints

CVE-2022-26482: Security Center

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

All industrial managed FTTO GigaSwitch series from Nexans S.A. are affected by multiple vulnerabilities resulting from outdated software components embedded in the firmware. Hardcoded password hashes were also found in the firmware. Four known vulnerabilities (CVE-2017-16544, CVE-2015-0235, CVE-2015-7547 and CVE-2015-9261) were verified by emulating the device with the MEDUSA scalable firmware runtime.

**Vendor description**

"_As a global player in the cable industry, Nexans is behind the scenes delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the most complex cable applications in the most demanding environments._"

Source: https://www.nexans.com/company/What-we-do.html

**Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  products conducted by security professionals to identify and resolve all security issues.

**Vulnerability overview/description****1) Outdated Vulnerable Software Components**

A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that are used in the devices' firmware. Four of them were verified by using the MEDUSA scalable firmware runtime.

**2) Hardcoded Backdoor User (CVE-2022-32985)**

A hardcoded root user was found in "/etc/passwd". In combination with the invoked dropbear SSH daemon in the libnx\_apl.so library, it can be used on port 50201 and 50200 to login on a system shell.

**Proof of concept****1) Outdated Vulnerable Software Components**

Based on an automated scan with the IoT Inspector (ONEKEY) the following third party software packages were found to be outdated:

    Firmware version 6.02L:
    BusyBox       1.20.2 
    Dropbear SSH  2012.55
    GNU glibc     2.17
    lighttpd      1.4.48
    OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

****CVE-2015-9261 (Unzip)****

The crafted ZIP archive "x\_6170921383890712452.bin" was taken from: https://www.openwall.com/lists/oss-security/2015/10/25/3

Execution inside the firmware emulation:

    bash-4.2# unzip x_6170921383890712452.bin 
    Archive:  x_6170921383890712452.bin
      inflating: ]3j½r«IK-%Ix
    do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc
    epc = 0044bb28 in busybox[400000+99000]
    ra  = 0044b968 in busybox[400000+99000]
    Segmentation fault

****CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)****

PoC code was taken from: https://gist.github.com/dweinstein/66e6a088191ac0e8105c

****CVE-2015-7547 (getaddrinfo buffer overflow)****

PoC code was taken from: https://github.com/fjserna/CVE-2015-7547

    -bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &
    [1] 259
    -bash-4.4# chroot /medusa_rootfs/ bin/bash
    bash-4.2# cd /medusa_exploits/
    bash-4.2# ./cve-2015-7547_glibc_getaddrinfo
    [UDP] Total Data len recv 36
    [UDP] Total Data len recv 36
    Connected with 127.0.0.1:34356
    [TCP] Total Data len recv 76
    [TCP] Request1 len recv 36
    [TCP] Request2 len recv 36
    Segmentation fault

****CVE-2017-16544 (shell autocompletion vulnerability)****

A file with the name "\\ectest\\n\\e\]55;test.txt\\a" was created to trigger the vulnerability.

    # ls "pressing <TAB>"
    test
    ]55;test.txt
    #

**2) Hardcoded Backdoor User (CVE-2022-32985)**

The hardcoded system user, reachable via the dropbear SSH daemon was found due to multiple indications on the system. The undocumented root user itself was contained in the "passwd" file:  

Content of the file "/etc/passwd".

    root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh
    [...]

Update: The password for the root user is: !Nexans\_

A suspicious port for the SSH daemon was chosen in the config file of dropbear: 

Content of the file "/etc/init.d/dropbear":

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/sbin/dropbear
    NAME=dropbear
    DESC="Dropbear SSH server"
    PIDFILE=/var/run/dropbear.pid
    
    DROPBEAR_PORT="50200 -p 50201"
    [...]

This is invoked from "/usr/lib/libnx\_apl.so.0.0.0", which can be seen in the  following pseudo-code:

    void dropbear_server_init(char param_1)
    
    {
      __pid_t __pid;
      char *pcVar1;
      int aiStack16 [2];
      
      __pid = fork();
      if (__pid == 0) {
        __pid = fork();
        if (__pid != 0) {
                        /* WARNING: Subroutine does not return */
          exit(0);
        }
        if (param_1 == '\0') {
          pcVar1 = "/etc/init.d/dropbear stop";
        }
        else {
          pcVar1 = "/etc/init.d/dropbear start";                               <---
        }
        execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);
      }
      else {
        waitpid(__pid,aiStack16,0);
      }
      return;
    }

This function is called if a specific command is issued in the CLI interface:

    [...]
      iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);
      if (iVar6 != 0) {
        if (param_2 < 4) {
          netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");
          iVar6 = shared_mem_get_addr(&var_shm);
          iVar7 = shared_mem_get_addr(&var_shm);
          uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);
          shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);
        if (iVar6 != 0) {
          dropbear_server_init('\x01');                                        <---
          netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);
        if (iVar6 != 0) {
          dropbear_server_init('\0');                                          <---
          netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");
          return;
        }
        netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");
        return;
    [...]

The mentioned library is used in the CLI program that is running on the device.

**Vulnerable / tested versions**

The following firmware versions have been tested:

*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L
*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

**Vendor contact timeline**

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

Tag

#ssl