Red Hat Security Advisory 2022-5152-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5152-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5152  
Issue date:        2022-06-22  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016  
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036  
====================================================================  
1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.5.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allows a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrLob9zjgjWX9erEAQhsxw/9EbM8BdLUASvR5jVTtZeDXjOavkH9ob65  
/W+vtrpycWaOGKLm0sVZDnH9Y/iNy5io1vbTp3qseFXzCJVSnOrBmPc21VLHpCnJ  
mZ/apMKfS4HONdDqEOlwxFXPyZfp4M8ms7XdEKxEyabBdL5deL/ZhOzg1nbUWXwy  
JdDrll9oGk9HsUFqaVyM7+tOsT+a0g7SliFoXFDDF684W3JI6uL3y6ejKEEiBXOd  
649AoBnIaGyNT37BK/JaItpJj3EhmhavBs5OILDdrIzvBsjIBtVfyPNMfRjrzCEB  
qAa9CRfUT3daBK9bdx3P5X8MDXGlXEUKOOJGTwlCSk6d/mshET9AWKaJNyOdRxHJ  
U1MPlspWjb+ADXqCNB3zaQgmOaPj4lYsT9dT738JHtW+VIUAGs+KVsslizIAV9uF  
KZkJIrPqL5g9hQN4lt2uB3iLC0e1prSSZsXZLXCLFcxXObLUYV83ChFBJxaEGmMl  
VeFmgasL0LkhbH/9O4taHdwRRqMCOTshQE4N8jfqyo2jA2clPAua0vE840qSNz03  
2aEi/5J7oGV/z1wuZtklTTJGBVs2qGkhdYvqAF2wKkXPEhaoWyqhUn1dqnjGIrk+  
JJ43POziAdewPlIKN4OBkPgfTjfGWW5wy/RkMnTLtamObkF5AANQF7a8D4TcCdod  
UfPGO4T/krI=jReJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5152-01

A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.
In a paper titled "MEGA: Malleable Encryption Goes Awry," the researchers point out how MEGA's system does not protect its users against a malicious server, thereby enabling a

A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.

In a paper titled "MEGA: Malleable Encryption Goes Awry," the researchers point out how MEGA's system does not protect its users against a malicious server, thereby enabling a rogue actor to fully compromise the privacy of the uploaded files.

"Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client," ETH Zurich's Matilda Backendal, Miro Haller, and Kenneth G. Paterson said in an analysis of the service's cryptographic architecture.

MEGA, which advertises itself as the "privacy company" and claims to provide user-controlled end-to-end encrypted cloud storage, has more than 10 million daily active users, with over 122 billion files uploaded to the platform to date.

Chief among the weaknesses is an RSA Key Recovery Attack that makes it possible for MEGA (itself acting maliciously) or a resourceful nation-state adversary in control of its API infrastructure to recover a user's RSA private key by tampering with 512 login attempts and decrypt the stored content.

"Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable," Mathias Ortmann, MEGA's chief architect, said in response to the findings. "Files in the cloud drive could have been successively decrypted during subsequent logins."

The recovered RSA key can then be extended to make way for four other attacks -

*   **Plaintext Recovery Attack**, which allows MEGA to decrypt node keys — an encryption key associated with every uploaded file and are encrypted with a user's master key — and use them to decrypt all user communication and files.

*   **Framing Attack**, wherein MEGA can insert arbitrary files into the user's file storage that are indistinguishable from genuinely uploaded ones.

*   **Integrity Attack**, a less stealthy variant of the Framing Attack that can be exploited to forge a file in the name of the victim and place it in the target's cloud storage, and

*   **Guess-and-Purge (GaP) Bleichenbacher attack**, a variant of the Adaptive chosen-ciphertext attack devised by Swiss cryptographer Daniel Bleichenbacher in 1998 that could be exploited to decrypt RSA ciphertexts.

"Each user has a public RSA key used by other users or MEGA to encrypt data for the owner, and a private key used by the user themselves to decrypt data shared with them," the researchers explained. "With this \[GaP Bleichenbacher attack\], MEGA can decrypt these RSA ciphertexts, albeit requiring an impractical number of login attempts."

In a nutshell, the attacks could be weaponized by MEGA or any entity controlling its core infrastructure to upload lookalike files and decrypt all files and folders owned by or shared with the victim as well as the chat messages exchanged.

The shortcomings are severe as they undermine MEGA's supposed security guarantees, prompting the company to issue updates to address the first three of the five issues. The fourth vulnerability related to the breach of integrity is expected to be addressed in an upcoming release.

As for the Bleichenbacher-style attack against MEGA's RSA encryption mechanism, the company noted the attack is "challenging to perform in practice as it would require approximately 122,000 client interactions on average" and that it would remove the legacy code from all of its clients.

MEGA further emphasized that it's not aware of any user accounts that may have been compromised by the aforementioned attack methods.

"The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA's API servers or TLS connections without being noticed," Ortmann pointed out.

"The attacks \[...\] arise from unexpected interactions between seemingly independent components of MEGA's cryptographic architecture," the researchers elaborated. "They hint at the difficulty of maintaining large-scale systems employing cryptography, especially when the system has an evolving set of features and is deployed across multiple platforms."

"The attacks presented here show that it is possible for a motivated party to find and exploit vulnerabilities in real world cryptographic architectures, with devastating results for security. It is conceivable that systems in this category attract adversaries who are willing to invest significant resources to compromise the service itself, increasing the plausibility of high-complexity attacks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service

After the Raccoon Stealer Trojan disappeared, the RIG Exploit Kit seamlessly adopted Dridex for credential theft.

The cybercriminals behind the RIG Exploit Kit earlier this year traded out the credential-stealer Trojan Raccoon Stealer after its lead developer was killed in the Russian invasion of Ukraine.

According to analysts with Bitdefender, the cybercrime group behind the RIG Exploit Kit was able to quickly substitute in the tried-and-true financial Trojan Dridex, which has a range of functions, including keylogging and the ability to steal screenshots. 

"The move to Dridex was a strategic decision to save the operation," Bogdan Botezatu, director, Threat Research and Reporting at Bitdefender, tells Dark Reading. "Cybercriminals running this campaign had to move to a different option or lose the money they had already invested in renting out access to the RIG EK panel. Dridex is a powerful information-stealer that, to some extent, provides similar functionality to Raccoon. Unlike Raccoon, it is still operational and can offer 'business continuity' to the cybercriminals behind this campaign."

The RIG Exploit Kit lets cybercriminals quickly swap out payloads to avoid detection or in case of compromise, according to researchers at Bitdefender, making adaptability part of its product. 

"This once again demonstrates that threat actors are agile and quick to adapt to change," the analysts wrote in their report on the malware campaign. 

"In order to be prepared, defenders should patch the known vulnerabilities in software used across the organization and monitor for the indicators of compromise (IOCs), Botezatu counsels. "A security solution with machine-learning capabilities can detect and block the payload at various execution stages as well."

It's also worth noting that Racoon is likely to make a reappearance, Botezatu notes.

"The Raccoon group has hit a temporary stop with the death of one of its operators, but we believe the team will regroup," he says. "Usually, such groups suspend their operations when teams get arrested or when they voluntarily decide to shift to a more lucrative business. Loss of a team member is a temporary road block and we presume that they will get back online as soon as they manage to recruit a replacement."

RIG Exploit Kit Replaces Raccoon Stealer Trojan With Dridex

Ubuntu Security Notice 5488-1 - Chancen and Daniel Fiala discovered that OpenSSL incorrectly handled the c_rehash script. A local attacker could possibly use this issue to execute arbitrary commands when c_rehash is run.

==========================================================================  
Ubuntu Security Notice USN-5488-1  
June 21, 2022

openssl, openssl1.0 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

OpenSSL could be made to crash or run programs when the c_rehash script is  
used.

Software Description:  
- openssl: Secure Socket Layer (SSL) cryptographic library and tools  
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Chancen and Daniel Fiala discovered that OpenSSL incorrectly handled the  
c_rehash script. A local attacker could possibly use this issue to execute  
arbitrary commands when c_rehash is run.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  openssl                         3.0.2-0ubuntu1.5

Ubuntu 21.10:  
  openssl                         1.1.1l-1ubuntu1.5

Ubuntu 20.04 LTS:  
  openssl                         1.1.1f-1ubuntu2.15

Ubuntu 18.04 LTS:  
  openssl                         1.1.1-1ubuntu2.1~18.04.19  
  openssl1.0                      1.0.2n-1ubuntu5.10

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5488-1  
  CVE-2022-2068

Package Information:  
  https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.5  
  https://launchpad.net/ubuntu/+source/openssl/1.1.1l-1ubuntu1.5  
  https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.15  
  https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.19  
  https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.10

Ubuntu Security Notice USN-5488-1

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.

OpenSSL Toolkit 1.1.1p

While there's an immediate need to improve MFA adoption, it's also critical to move to more advanced and secure passwordless frameworks, including biometrics. (Part 1 of 2)

The fact that we continue to rely on passwords this deep into the digital age is more than a bit jarring. These alphanumeric scraps, the equivalent of digital skeleton keys, once served as a valuable tool. Unfortunately, passwords are now far more trouble than they're worth. They provide little protection against identity theft, breaches, and myriad other problems.

Yet completely ditching passwords is out of the question — at least for now. While they may rank as an almost total security fail and a bane for everyone, they remain an entrenched standard. Consequently, multifactor authentication (MFA) has become a necessity, but it too presents challenges bordering on outright problems.

This is the first of a two-part series about how businesses can adopt stronger and better authentication methods. While there's an immediate need to boost MFA adoption, it's also critical to move to more advanced and secure passwordless frameworks, including those that use biometrics.

**Embarrassment of Riches**

As with every technology, an accumulation of solutions eventually becomes a new problem. Most organizations and many consumers recognize the need to move beyond password-only authentication. Yet two-factor authentication (2FA) and even many MFA techniques were never designed for today's sophisticated digital frameworks.

"When you log into six different systems during the day and each of them uses a different method ... you wind up with two-factor authentication PTSD," says Michael Engle, co-founder and chief security officer at 1Kosmos. "You spend a significant time fetching codes and launching apps."

The mix of methods — including time-based one-time password (TOTP), SMS and email 2FA, push-based 2FA, universal second factor (U2F) tokens, WebAuthn, and desktop agents — introduce an often-confusing array of options for both companies and consumers. Making matters worse, they deliver varying levels of protection, and most people aren't equipped to understand the pros and cons. For instance, widely used SMS and email codes are easily intercepted or breached when a crook has access to a device. Toolkits that facilitate man-in-the-middle attacks and other password exploits are now widely available on sites such as GitHub.

Consumer and enterprise fatigue is at a breaking point. And while significantly better MFA and passwordless systems are taking shape — Apple, Google, and Microsoft have announced they are moving to passwordless sign-ins built on the FIDO2 standard — organizations continue to struggle with adoption.

Design, usability, and functionality are all critical. There's a need to convince people to move beyond a basic password and adopt MFA, but it's also critical to deploy higher grade MFA methods while moving to passwordless. 

"This requires improved UX and education. There's a need for the process to be seamless," says Don Tait, a senior analyst at Omdia Consulting.

**Risky Business**

It's a startling and entirely disturbing fact: Despite a seemingly endless string of hacks, attacks, breaches, and breakdowns — 81% of hacking-related breaches are caused by password issues — only 29% of consumers believe that the inconvenience of 2FA is always worth the security trade-off. About 36% are willing to use 2FA in some cases, depending on the importance of the account.

The reasons for this reticence are at least partly rooted in the nature of today's online world. For better or worse, people expect Web pages to load instantaneously, and they seek access to accounts without any latency — even when dozens of APIs and servers around the world are required for a transaction. Remarkably, one study conducted by Microsoft found that the average person only has an attention span of approximately eight seconds.

Yet it's also clear that MFA frameworks can be a big hassle. Oftentimes, it's necessary to request a text code or pull out a phone and open an authenticator app from Google or Microsoft and type in a code. Meanwhile, physical tokens, such as YubiKey, offer stellar security — but they can be difficult to set up and use.

MFA participation is ticking up due to the pandemic and ominous warnings about the risks of relying on a password only; Okta found that MFA adoption rose by about 80% during the early stages of the pandemic. However, attacks are escalating and becoming more sophisticated. The net result is a relative move backward.

"There are too many companies giving too little thought to how to implement more advanced MFA and passwordless systems," says Jasson Casey, CTO for authentication vendor Beyond Identity. "You can't build a security architecture without considering design and usability. As the level of friction goes up, participation goes down."

These issues unfold in several ways. Design elements may hide MFA options or deliver confusing instructions for how to set it up. They sometimes provide confusing or ominous warnings that frighten users, or a site or service doesn't communicate the value of using MFA. Frequently, users don't see any compelling reason to adopt this additional layer of security.

"People turn to digital services because they're looking for ease of use and convenience," says Kalev Rundu, senior product manager at authentication firm Veriff. MFA must not be any different. It must fit seamlessly with the broader digital interaction and deliver a clear advantage or other forms of authentication.

**Designs on Security**

Gaining buy-in is critical. Researchers from the Max Planck Institute for Security and Privacy; the University of California, San Diego; and Facebook found that one of the keys to convincing people to turn on MFA is to present the decision as a personal empowerment choice. This might include a message like, "You can increase your protection against account hacking" or "Protect your account, pages and friends."

When researchers tested this personal responsibility approach with accompanying buttons on Facebook, it led to an uptick in MFA adoption by 33% among 622,419 participants. When users viewed a message about the advantages of being protected, they were 28% more likely to adopt MFA. On the other hand, the corporate responsibility button didn't prompt any change in behavior.

Another technique that boosts adoption revolves around an incentive or a reward — an approach that has already gained traction within gaming platforms like Fortnight and World of Warcraft. In 2019, a group of researchers from the University of Bonn and Leibniz University Hannover in Germany found that even a small incentive, such as an upgraded avatar or another small gift, can push numbers up.

Colors, placement, and design elements also matter. Delivering the request at the right moment — without interrupting the flow of an interaction or transaction — is crucial. 

"It must be so easy that doing it for the first time has nearly no friction," 1Kosmos' Engle says. QR codes and push-to-app authentications can help, especially when a user can authorize the sign-in from a separate authorized device.

Still, none of these approaches are seamless — and they aren't bulletproof. The future of MFA and full passwordless systems lies in biometrics, FIDO2, and emerging systems that not only authenticate to an account on a device, but also verify a person's identity. 

"A new era of authentication is emerging," Omdia's Tait says.

_In part 2, Dark Reading takes a look at the rapidly evolving passwordless space and what companies need to do to stamp out passwords once and for all._

Evolving Beyond the Password: It's Time to Up the Ante

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

CVE-2022-2068

An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TNS-2022-11

Credit

Tudor Enache (CVE-2022-32974)

Phil Castellanos (CVE-2022-32973)

CVSSv3 Base / Temporal Score

7.5 / 6.7 (CVE-2018-25032)

6.5 / 5.7 (CVE-2022-25313)

7.5 / 6.5 (CVE-2022-25314)

9.8 / 8.5 (CVE-2022-25315)

9.8 / 8.5 (CVE-2022-25235)

9.8 / 8.5 (CVE-2022-25236)

9.8 / 8.5 (CVE-2022-23990)

9.8 / 8.5 (CVE-2022-23852)

6.1 / 5.3 (CVE-2021-41182)

6.1 / 5.3 (CVE-2021-41183)

6.1 / 5.3 (CVE-2021-41184)

8.4 / 7.6 (CVE-2022-32973)

4.2 / 3.8 (CVE-2022-32974)

CVSSv3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C (CVE-2018-25032)

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2022-25313)

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2022-25314)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25315)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25235)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-25236)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-23990)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C (CVE-2022-23852)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41182)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41183)

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C (CVE-2021-41184)

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H (CVE-2022-32973)

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:H/MPR:H/MUI:R/MS:U/MC:H/MI:N/MA:N (CVE-2022-32974)

****FREE FOR 30 DAYS****

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

**Buy Tenable.cs**

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

CVE-2022-32973: [R2] Nessus Version 10.2.0 Fixes Multiple Vulnerabilities

Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

SEC Consult Vulnerability Lab Security Advisory < 20220615-0 >  
=======================================================================  
               title: Hardcoded Backdoor User and Outdated Software Components  
             product: Nexans FTTO GigaSwitch industrial/office switches HW version 5  
  vulnerable version: See "Vulnerable / tested versions"  
       fixed version: V6.02N, V7.02  
          CVE number: CVE-2022-32985  
              impact: High  
            homepage: https://www.nexans.com/  
               found: 2020-05-25  
                  by: T. Weber (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"As a global player in the cable industry, Nexans is behind the scenes  
delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions  
of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they  
face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the  
most complex cable applications in the most demanding environments."

Source: https://www.nexans.com/company/What-we-do.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Outdated Vulnerable Software Components  
A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that  
are used in the devices' firmware. Four of them were verified by using the  
MEDUSA scalable firmware runtime.

2) Hardcoded Backdoor User (CVE-2022-32985)  
A hardcoded root user was found in "/etc/passwd". In combination with the  
invoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port  
50201 and 50200 to login on a system shell.

Proof of concept:  
-----------------  
1) Outdated Vulnerable Software Components  
Based on an automated scan with the IoT Inspector (ONEKEY) the following third party  
software packages were found to be outdated:

Firmware version 6.02L:  
BusyBox       1.20.2  
Dropbear SSH  2012.55  
GNU glibc     2.17  
lighttpd      1.4.48  
OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

* CVE-2015-9261 (Unzip)  
The crafted ZIP archive "x_6170921383890712452.bin" was taken from:  
https://www.openwall.com/lists/oss-security/2015/10/25/3  
Execution inside the firmware emulation:

bash-4.2# unzip x_6170921383890712452.bin  
Archive:  x_6170921383890712452.bin  
   inflating: ]3j½r«IK-%Ix  
do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc  
epc = 0044bb28 in busybox[400000+99000]  
ra  = 0044b968 in busybox[400000+99000]  
Segmentation fault

* CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)

PoC code was taken from:  
https://gist.github.com/dweinstein/66e6a088191ac0e8105c

* CVE-2015-7547 (getaddrinfo buffer overflow)

PoC code was taken from:  
https://github.com/fjserna/CVE-2015-7547

-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &  
[1] 259  
-bash-4.4# chroot /medusa_rootfs/ bin/bash  
bash-4.2# cd /medusa_exploits/  
bash-4.2# ./cve-2015-7547_glibc_getaddrinfo  
[UDP] Total Data len recv 36  
[UDP] Total Data len recv 36  
Connected with 127.0.0.1:34356  
[TCP] Total Data len recv 76  
[TCP] Request1 len recv 36  
[TCP] Request2 len recv 36  
Segmentation fault

* CVE-2017-16544 (shell autocompletion vulnerability)

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the  
vulnerability.  
-------------------------------------------------------------------------------  
# ls "pressing <TAB>"  
test  
]55;test.txt  
#  
-------------------------------------------------------------------------------

2) Hardcoded Backdoor User (CVE-2022-32985)  
The hardcoded system user, reachable via the dropbear SSH daemon was found due  
to multiple indications on the system. The undocumented root user itself was  
contained in the "passwd" file:

Content of the file "/etc/passwd".  
-------------------------------------------------------------------------------  
root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh  
[...]  
-------------------------------------------------------------------------------

A suspicious port for the SSH daemon was chosen in the config file of dropbear:

Content of the file "/etc/init.d/dropbear":  
-------------------------------------------------------------------------------  
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  
DAEMON=/usr/sbin/dropbear  
NAME=dropbear  
DESC="Dropbear SSH server"  
PIDFILE=/var/run/dropbear.pid

DROPBEAR_PORT="50200 -p 50201"  
[...]  
-------------------------------------------------------------------------------

This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the  
following pseudo-code:  
-------------------------------------------------------------------------------  
void dropbear_server_init(char param_1)

{  
   __pid_t __pid;  
   char *pcVar1;  
   int aiStack16 [2];

   __pid = fork();  
   if (__pid == 0) {  
     __pid = fork();  
     if (__pid != 0) {  
                     /* WARNING: Subroutine does not return */  
       exit(0);  
     }  
     if (param_1 == '\0') {  
       pcVar1 = "/etc/init.d/dropbear stop";  
     }  
     else {  
       pcVar1 = "/etc/init.d/dropbear start";                               <---  
     }  
     execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);  
   }  
   else {  
     waitpid(__pid,aiStack16,0);  
   }  
   return;  
}  
-------------------------------------------------------------------------------

This function is called if a specific command is issued in the CLI interface:  
-------------------------------------------------------------------------------  
[...]  
   iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);  
   if (iVar6 != 0) {  
     if (param_2 < 4) {  
       netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");  
       iVar6 = shared_mem_get_addr(&var_shm);  
       iVar7 = shared_mem_get_addr(&var_shm);  
       uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);  
       shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\x01');                                        <---  
       netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\0');                                          <---  
       netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");  
       return;  
     }  
     netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");  
     return;  
[...]  
-------------------------------------------------------------------------------  
The mentioned library is used in the CLI program that is running on the device.

Vulnerable / tested versions:  
-----------------------------  
The following firmware versions have been tested:

* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L  
* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

Vendor contact timeline:  
------------------------  
2020-05-28: Contacting the vendor's PSIRT under the following link:  
             http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail  
      No answer.  
2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended  
             deadline by 11 days.  
2020-06-16: Telephone call with Nexans representative. Security advisory was  
             received. It will be reviewed to confirm the found issues.  
2020-06-26: Telephone call with Nexans representative. Nexans is working on the  
             reported issues and will remove the dropbear daemon as first  
             measure.  
2020-08-04: Vendor stated that a fix for the outdated software components will  
             be available in November.  
2020-11-12: Asked for status update.  
2020-11-16: Contact stated, that firmware test will need more time. Updates are  
             estimated to be ready in Q1 of 2020.  
2020-11-20: Vendor confirmed Q1 as estimated disclosure date.  
2021-01-21: Asked for status update; Vendor stated that the release with all  
             fixes is aimed to be published end of Q1.  
2021-03-09: Asked for status update.  
2021-03-17: Vendor stated that the firmware is in testing stage. The fixed  
             firmware will be released in May.  
2021-06-10: Asked for status update.  
2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and  
             homeschooling. The fixed firmware will be released end of August.  
2021-08-31: Asked for status update.  
2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.  
2022-05-23: Informed vendor that the advisory will be released mid of June 2022.  
2022-05-24: Firmware V7.02 is available for download which fixes most outdated  
             components issues.  
2022-06-15: Release of security advisory.

Solution:  
---------  
The vendor provides an updated firmware here:  
https://www.nexans-ans.de/support/firmware/

Firmware version V6.02N has the backdoor removed and was already published a while ago.  
Version V7.02 also has the backdoor removed and most of the outdated software issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2022

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.

Tag

#ssl