VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router

Overview

The Technicolor TG670 DSL Gateway Router includes a hard-coded service account that allows for authentication over services on the WAN interface, using HTTP, SSH, or TELNET. The authenticated user can use it to gain full administrative control of the router.

Description

A hard-coded password refers to an unchangeable password that is stored within a device or an application. This type of password carries a significant risk as it can be exploited by malware or hackers to gain unauthorized access to devices and systems, enabling them to engage in malicious activities. In certain cases, a hard-coded account may possess administrative privileges, granting complete control over a device through an account that cannot be modified or deactivated.

Recently, it was uncovered that the Technicolor TG670 DSL Gateway Router with firmware version 10.5.N.9 contains more than one hard-coded service account. These accounts allow full administrative access to the device via the WAN interface. If Remote Administration is enabled, the device can be reached from an external network such as the Internet. The accounts appear to have full administrative access to modify the device settings. Additionally, they appear to be undocumented and cannot be disabled or removed from the device.

Impact

A remote attacker can use the default username and password to log in to the router as the administrator. This allows the attacker to modify any of the router's administrative settings and use the device in unexpected ways. The attack requires that Remote Administration be enabled on the router, which CODE WHITE security researcher Florian Hauser observed to be the default setting.

Solution

Check with your service provider for patches and updates that resolve the hard-coded credentials stored on the device. As a precaution, also disable Remote Administration (WAN-side administration) when it is not needed, to reduce the risk of abuse of this service account.

Acknowledgements

Thanks to Florian Hauser from CODE WHITE for reporting this vulnerability.

This document was written by Timur Snoke.

VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption

Overview

Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level 00, Revision 01.59 November 2019. An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities. This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys).

Description

Trusted Platform Module (TPM) technology is a hardware-based solution that provides secure, tamper-resistant cryptographic functions to the operating systems of modern computers. As cloud computing and virtualization have become more popular, software-based TPM implementations have also gained popularity. In hardware, a TPM can be implemented as a discrete, integrated, or firmware TPM. Virtual TPMs exist either as part of a hypervisor or as purely software-based implementations, e.g., swtpm. The Trusted Computing Group (TCG) maintains the TPM specifications, to which both hardware and software manufacturers actively contribute. The TCG released the TPM 2.0 specifications in October 2014 and has revised them multiple times since; the latest version, Revision 01.59, was released in November 2019. Many TPM hardware and software manufacturers use these specifications to build firmware that complies with the standard and provides a secure interface to sensitive cryptographic data. TPMs are employed in a variety of devices, from specialized enterprise-grade hardware to Internet of Things (IoT) appliances.

The TPM Library Specification Architecture documents session-based encryption, which allows a cryptographic client application to perform various operations, including those that provide parameter encryption. Session-based encryption may be used to ensure the confidentiality of these parameters. The operating system or client software relies on the TPM to securely provide these capabilities, using either Cipher Feedback (CFB) mode of a block cipher or a hash-based XOR stream to obfuscate the intended parameter payloads.

Quarkslab security researchers found two vulnerabilities in the way the TPM reference specification processes some of these parameters that are part of TPM commands. An out-of-bounds (OOB) read vulnerability in the CryptParameterDecryption() routine allowed a 2-byte read of data that was not part of the current session. It was also possible to write 2 bytes past the end of the current command buffer, resulting in memory corruption.

An attacker with access to a device built with a vulnerable version of the TPM can trigger these bugs by sending crafted commands to the TPM. The vulnerable TPM can thus be tricked into accessing data that is not part of the intended operation. As the OS relies on the TPM firmware for these functions, it may be difficult to detect or prevent such access using traditional host-based security capabilities.
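The size check that the Quarkslab finding turns on can be shown in a few lines. The following is an added example, not code from the TCG reference library: a constructed model of parameter decryption in which the vulnerable version trusts the 16-bit size field it reads from the command, and the hardened version first checks that the size field is present and then that the declared length fits the remaining command buffer. The return codes, the keystream, and the guard-byte layout in main() are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the TPM2B parameter-decryption path; this is not the
 * TCG reference code. A TPM2B parameter is a big-endian 16-bit size followed
 * by that many bytes, and the first encrypted parameter of a command is
 * decrypted in place. The return codes are hypothetical stand-ins for the
 * reference library's TPM_RC_* values. */
enum { RC_SUCCESS = 0, RC_INSUFFICIENT = 1, RC_SIZE = 2 };

/* Stand-in for the session keystream (CFB or hash-based XOR); only the
 * bounds handling matters here. Applying it twice restores the input. */
static void apply_keystream(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(0xA5 + i);
}

/* Vulnerable pattern: the size field is read before checking that two bytes
 * remain (a 2-byte OOB read when buffer_size < 2), and the number of bytes
 * decrypted comes from that attacker-controlled field rather than from the
 * space actually left in the command (an OOB write). buffer_size is never
 * consulted, which is the bug. Returns the offset one past the last byte it
 * touched so a caller with guard bytes can see how far it strayed. */
size_t decrypt_parameter_vulnerable(uint8_t *buffer, size_t buffer_size) {
    (void)buffer_size;
    uint16_t cipher_size = (uint16_t)((buffer[0] << 8) | buffer[1]);
    apply_keystream(buffer + 2, cipher_size);
    return 2 + (size_t)cipher_size;
}

/* Hardened: confirm the size field fits, then that the declared payload fits
 * in what remains, and only then touch the payload. */
int decrypt_parameter_hardened(uint8_t *buffer, size_t buffer_size, size_t *consumed) {
    if (buffer_size < 2)
        return RC_INSUFFICIENT;               /* no room for the size field */
    uint16_t cipher_size = (uint16_t)((buffer[0] << 8) | buffer[1]);
    if (cipher_size > buffer_size - 2)
        return RC_SIZE;                       /* declared payload exceeds the command */
    apply_keystream(buffer + 2, cipher_size);
    *consumed = 2 + (size_t)cipher_size;
    return RC_SUCCESS;
}

int main(void) {
    /* Constructed command: the size field claims 16 bytes, but the caller
     * says only 1 byte belongs to the command; the rest of the array serves
     * as guard bytes (0xCC) so the overrun is visible. */
    uint8_t cmd[64];
    size_t consumed = 0;
    for (size_t i = 0; i < sizeof cmd; i++) cmd[i] = 0xCC;
    cmd[0] = 0x00; cmd[1] = 0x10;
    size_t end = decrypt_parameter_vulnerable(cmd, 1);
    printf("vulnerable: touched up to offset %zu of a 1-byte command, guard[2] now 0x%02x\n",
           end, cmd[2]);
    printf("hardened:   rc=%d on the same input\n",
           decrypt_parameter_hardened(cmd, 1, &consumed));
    return 0;
}
```

The vulnerable path can only be observed safely by giving it guard bytes beyond the claimed command length, which is what main() does; a real TPM has no such guard, and the bytes it reads or overwrites belong to whatever sits next to the command buffer.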

Impact

An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM. Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device.

Solution

Apply an update
The Trusted Computing Group (TCG) has released an update to their Errata for TPM2.0 Library Specification with instructions to address these vulnerabilities. To ensure the security of their systems, users should apply any updates provided by hardware and software manufacturers through their supply chain as soon as possible. Updating the firmware of TPM chips may be necessary, and this can be done through an OS vendor or the original equipment manufacturer (OEM). In some cases, the OEM may require resetting the TPM to its original factory default values as part of the update process.

Users in high-assurance computing environments should consider using TPM remote attestation to detect any changes to devices and to ensure their TPM has not been tampered with. Because these attacks target the TPM's own software, mechanisms such as user password or PIN protection and tpm-totp do not protect against attacks leveraging the vulnerabilities discussed in this article.

Note: the TCG’s Errata covers a larger scope and addresses additional security issues beyond the two vulnerabilities discussed in this advisory.

Acknowledgements

Thanks to Francisco Falcon and Ivan Arce of Quarkslab, who researched and reported these vulnerabilities, respectively. The TCG and its members worked closely with us and other vendors to coordinate the disclosure of these vulnerabilities. Note that immune GmbH's tpm-vuln-checker software (https://github.com/immune-gmbh/tpm-vuln-checker) has added support for detecting this vulnerability.

This document was written by Vijay Sarvepalli.

VU#572615: Vulnerabilities in TP-Link routers, WR710N-V1-151022 and Archer C5 V2

Overview

TP-Link router WR710N-V1-151022 running firmware published 2015-10-22 and Archer-C5-V2-160201 running firmware published 2016-02-01 are susceptible to two vulnerabilities:

  1. A buffer overflow during HTTP Basic Authentication allowing a remote attacker to corrupt memory allocated on a heap causing denial of service or arbitrary code execution;
  2. A side-channel attack via a strcmp() function in the HTTP daemon allowing deterministic guessing of each byte of a username and password input during authentication.

Description

TP-Link device WR710N-V1-151022 is a 150 Mbps Wireless N Mini Pocket router, and Archer-C5-V2-160201 is a Wireless Dual Band Gigabit router. These SOHO devices are sold by TP-Link, and the latest firmware available for them as of January 11, 2023 has two vulnerabilities.

CVE-2022-4498
When receiving user input during HTTP Basic Authentication mode, a crafted packet may cause a heap overflow in the httpd daemon. This can lead to denial of service (DoS) if the httpd process crashes or arbitrary remote code execution (RCE).

CVE-2022-4499
A strcmp() function in httpd is susceptible to a side-channel attack when used to verify username and password credentials. By measuring the response time of the vulnerable process, an attacker can guess each byte of the username and password strings more easily.
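The side channel in CVE-2022-4499 is the early-exit behaviour of strcmp(). The following added example (not TP-Link's httpd code) contrasts an early-exit comparison with a constant-time one and runs the advisory's attacker model against both: a counter of byte comparisons stands in for network timing, and the attacker keeps the candidate byte that made the server work longest. The credential length cap and the secret used in main() are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example; this is not TP-Link's httpd. 'work' counts byte
 * comparisons and stands in for the response time an attacker would
 * measure over the network. CRED_MAX is an assumed upper bound on
 * credential length. */
#define CRED_MAX 64

/* Early-exit comparison with the shape of strcmp(): it returns at the first
 * mismatch, so the work done grows with the length of the correct prefix. */
int compare_early_exit(const char *expected, const char *supplied, size_t *work) {
    for (size_t i = 0;; i++) {
        (*work)++;
        if (expected[i] != supplied[i]) return 1;
        if (expected[i] == '\0') return 0;
    }
}

/* Constant-time comparison: both strings are padded into fixed buffers and
 * every byte is examined whatever the first differing position is, so the
 * work (and the timing) does not depend on the secret. Over-long inputs are
 * rejected first; that test depends only on the inputs' own lengths, and
 * the attacker already knows the length of what they sent. */
int compare_constant_time(const char *expected, const char *supplied, size_t *work) {
    uint8_t a[CRED_MAX] = {0}, b[CRED_MAX] = {0};
    size_t la = strlen(expected), lb = strlen(supplied);
    unsigned diff;
    if (la > CRED_MAX || lb > CRED_MAX) return 1;
    memcpy(a, expected, la);
    memcpy(b, supplied, lb);
    diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < CRED_MAX; i++) {
        (*work)++;
        diff |= (unsigned)(a[i] ^ b[i]);
    }
    return diff != 0;
}

/* Attacker model from the advisory: for each position try every printable
 * byte and keep the candidate that made the server do the most work; the
 * secret is complete when the comparison finally reports a match. Returns 1
 * if the whole secret was recovered into out, 0 otherwise. */
int recover_secret(int (*cmp)(const char *, const char *, size_t *),
                   const char *secret, char *out, size_t out_size) {
    size_t len = 0;
    out[0] = '\0';
    while (len + 1 < out_size) {
        size_t best_work = 0;
        char best = ' ';
        for (int c = 0x20; c <= 0x7e; c++) {
            size_t work = 0;
            out[len] = (char)c;
            out[len + 1] = '\0';
            if (cmp(secret, out, &work) == 0) return 1;   /* login succeeded */
            if (work > best_work) { best_work = work; best = (char)c; }
        }
        out[len] = best;                                  /* one more byte learned */
        out[len + 1] = '\0';
        len++;
    }
    return 0;
}

int main(void) {
    char out[CRED_MAX];
    int ok = recover_secret(compare_early_exit, "s3cret!", out, sizeof out);
    printf("early-exit compare:    recovered=%d value=\"%s\"\n", ok, out);
    ok = recover_secret(compare_constant_time, "s3cret!", out, sizeof out);
    printf("constant-time compare: recovered=%d\n", ok);
    return 0;
}
```

Against the early-exit comparison the search needs at most 95 guesses per byte and never backtracks, which is what "deterministic guessing of each byte" means in practice; against the constant-time version every candidate produces the same work and the search learns nothing.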

Impact

The two vulnerabilities have unrelated impacts. The first is a heap-based buffer overflow that can cause a crash or allow arbitrary remote code execution. The second is an information disclosure issue: the comparison function used by the httpd process may allow an attacker to guess each byte of a username and password deterministically.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thanks to the reporter, Jonathan Bar of Microsoft, for responsibly disclosing these issues.

This document was written by Timur Snoke.

VU#986018: New Netcomm router models NF20MESH, NF20, and NL1902 vulnerabilities

Overview

Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 contain two vulnerabilities. The first is an authentication bypass vulnerability that allows an unauthenticated user to access content from both inside and outside the network. The second is a stack-based buffer overflow that allows an instruction pointer to be overwritten on the stack, thereby crashing the application at a known location. The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code.

Description

Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 may contain two vulnerabilities:

CVE-2022-4873
A stack-based buffer overflow affects the sessionKey parameter. By supplying a specific number of bytes, an attacker can overwrite the saved instruction pointer on the stack and crash the application at a known location.

CVE-2022-4874
Authentication bypass allows an unauthenticated user to access content. In order to serve static content, the application checks for the presence of specific character sequences in the URL (.css, .png, etc.). If one is present, it performs a "fake login" that gives the request an active session so the file is loaded rather than redirected to the login page.

The tested models that were impacted are Netcomm routers using a Broadcom chipset that had third-party code added by Shenzhen Gongjin Electronics. The third-party code introduced the vulnerabilities. These routers are deployed by residential internet service providers.
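The two Netcomm issues as a worked example, added here and not taken from Netcomm, Broadcom or Shenzhen Gongjin code. The asset check the advisory describes is modelled as a substring test over the whole URL, beside a hardened version that examines only the path component; the asset prefix, the list of extensions and the sessionKey buffer size are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example; this is not Netcomm or Shenzhen Gongjin code. */
static const char *const STATIC_EXTS[] = { ".css", ".png", ".js", ".gif", ".ico" };
#define N_EXTS (sizeof STATIC_EXTS / sizeof STATIC_EXTS[0])
#define ASSET_PREFIX "/static/"      /* assumed location of static assets */
#define SESSION_KEY_MAX 32           /* assumed size of the stack buffer */

/* Vulnerable pattern: the marker may appear anywhere in the URL, including
 * the query string, so "/cgi-bin/admin?theme=.css" is treated as an asset
 * and receives the "fake login". */
int is_static_vulnerable(const char *url) {
    for (size_t i = 0; i < N_EXTS; i++)
        if (strstr(url, STATIC_EXTS[i]) != NULL) return 1;
    return 0;
}

/* Hardened: look only at the path (query string and fragment stripped),
 * require the asset prefix and the extension at the very end of the path,
 * and refuse traversal. The URL is assumed to be percent-decoded and
 * canonicalised before it reaches this check. */
int is_static_hardened(const char *url) {
    char path[256];
    size_t n = strcspn(url, "?#");
    if (n >= sizeof path) return 0;
    memcpy(path, url, n);
    path[n] = '\0';
    if (strncmp(path, ASSET_PREFIX, strlen(ASSET_PREFIX)) != 0) return 0;
    if (strstr(path, "..") != NULL) return 0;
    for (size_t i = 0; i < N_EXTS; i++) {
        size_t el = strlen(STATIC_EXTS[i]);
        if (n > el && strcmp(path + n - el, STATIC_EXTS[i]) == 0) return 1;
    }
    return 0;
}

/* Anything that is not a static asset needs a genuine session. */
int request_allowed(int (*is_static)(const char *), const char *url, int has_session) {
    return has_session || is_static(url);
}

/* The advisory's other issue is a stack overflow via the sessionKey
 * parameter; the fix pattern is a bounded copy that refuses oversize
 * values. Returns 1 if copied, 0 (with dst emptied) if it does not fit. */
int copy_session_key(const char *src, char dst[SESSION_KEY_MAX]) {
    size_t len = strlen(src);
    if (len >= SESSION_KEY_MAX) { dst[0] = '\0'; return 0; }
    memcpy(dst, src, len + 1);
    return 1;
}

int main(void) {
    const char *probe = "/cgi-bin/admin?sessionKey=x&theme=.css";   /* constructed request */
    char key[SESSION_KEY_MAX];
    printf("%s\n  vulnerable check: %d  hardened check: %d\n", probe,
           is_static_vulnerable(probe), is_static_hardened(probe));
    printf("/static/main.css?v=2\n  hardened check: %d\n",
           is_static_hardened("/static/main.css?v=2"));
    printf("oversize sessionKey accepted: %d\n",
           copy_session_key("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", key));
    return 0;
}
```

The hardened check is only as good as the canonicalisation in front of it: if the path is compared before percent-decoding, "%2e%2e" and "%2Ecss" slip past both the traversal test and the extension test.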

Impact

The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code. The attacker can first gain unauthorized access to affected devices and then use them as entry points to reach other networks or to compromise the availability, integrity, or confidentiality of data transmitted from the internal network. The reporter has published a proof of concept on GitHub that shows how to combine both vulnerabilities to achieve unauthenticated remote code execution.

Solution

Update the router firmware to version R6B035 from the vendor website at https://support.netcommwireless.com/products/NF20#Firmware.

Acknowledgements

Thanks to the reporter Brendan Scarvell for reporting this vulnerability.

This document was written by Timur Snoke.

VU#709991: Netatalk contains multiple error and memory management vulnerabilities

Overview

Six new vulnerabilities in Netatalk 3.1.12 could allow remote code execution as well as out-of-bounds reads.

Description

Below are the new CVEs. Per ZDI:

CVE-2022-0194
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-23121
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-23122
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-23124
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

CVE-2022-23125
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2022-23123
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

For more detailed information, please review the Netatalk announcement. The releases from ZDI and Western Digital detailing these issues are also available for reference.

Netatalk does not regularly receive security updates, is receiving security research attention, and is difficult to get right because it reverse engineers a proprietary protocol. Western Digital has removed the Netatalk code from its NAS firmware. We suggest Samba with vfs_fruit for longer-term use, as it is more likely to receive security updates in a timely way (see the Samba vfs_fruit vulnerabilities).
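Three of the ZDI entries above are unchecked lengths copied into fixed stack buffers, and one is an error-handling gap when parsing AppleDouble entries. As an added example (not Netatalk's parse_entries), here is a bounds-checked parser for the AppleDouble v2 entry table together with a constructed sample file; the entry cap is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed parser for the AppleDouble v2 entry table; this is not
 * Netatalk's parse_entries. Header: magic (4), version (4), filler (16),
 * entry count (2); each entry: id (4), offset (4), length (4); all
 * big-endian. AD_MAX_ENTRIES is an assumed cap for the fixed-size table. */
#define AD_MAGIC       0x00051607u
#define AD_VERSION2    0x00020000u
#define AD_HEADER_LEN  26
#define AD_ENTRY_LEN   12
#define AD_MAX_ENTRIES 16

typedef struct { uint32_t id, offset, length; } ad_entry;

static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns the number of entries parsed into out, or a negative code:
 * -1 truncated header, -2 bad magic/version, -3 more entries than the
 * table holds, -4 entry table runs past the end of the data, -5 an entry's
 * data runs past the end of the data. Every untrusted value is checked
 * before it is used, and the offset+length test is written so it cannot
 * wrap around. */
int ad_parse_entries(const uint8_t *buf, size_t len, ad_entry *out, size_t out_cap) {
    if (len < AD_HEADER_LEN) return -1;
    if (get32(buf) != AD_MAGIC || get32(buf + 4) != AD_VERSION2) return -2;
    uint16_t count = get16(buf + 24);
    if (count > out_cap) return -3;
    if ((size_t)count * AD_ENTRY_LEN > len - AD_HEADER_LEN) return -4;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + AD_HEADER_LEN + (size_t)i * AD_ENTRY_LEN;
        ad_entry ent = { get32(e), get32(e + 4), get32(e + 8) };
        if (ent.offset > len || ent.length > len - ent.offset) return -5;
        out[i] = ent;
    }
    return (int)count;
}

/* Builds a constructed, well-formed file with one Finder Info entry (ID 9,
 * 32 bytes of data). Returns the total length, or 0 if cap is too small. */
size_t ad_build_sample(uint8_t *buf, size_t cap) {
    const size_t total = AD_HEADER_LEN + AD_ENTRY_LEN + 32;
    if (cap < total) return 0;
    memset(buf, 0, total);
    put32(buf, AD_MAGIC);
    put32(buf + 4, AD_VERSION2);
    put16(buf + 24, 1);
    put32(buf + 26, 9);
    put32(buf + 30, AD_HEADER_LEN + AD_ENTRY_LEN);
    put32(buf + 34, 32);
    return total;
}

int main(void) {
    uint8_t file[128];
    ad_entry entries[AD_MAX_ENTRIES];
    size_t n = ad_build_sample(file, sizeof file);
    printf("well-formed: %d entries\n", ad_parse_entries(file, n, entries, AD_MAX_ENTRIES));
    put16(file + 24, 0xFFFF);                 /* hostile entry count */
    printf("count=65535: rc=%d\n", ad_parse_entries(file, n, entries, AD_MAX_ENTRIES));
    put16(file + 24, 1);
    put32(file + 34, 0xFFFFFFFFu);            /* hostile entry length */
    printf("length=0xFFFFFFFF: rc=%d\n", ad_parse_entries(file, n, entries, AD_MAX_ENTRIES));
    return 0;
}
```

The two comparisons worth copying are the count check against the table capacity before any entry is stored, and "length > len - offset" rather than "offset + length > len", which would wrap on a 32-bit length of 0xFFFFFFFF and pass.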

Impact

An unauthenticated, remote attacker can execute arbitrary code on affected installations of Netatalk.

Solution

Netatalk has released version 3.1.13.

Acknowledgements

Thanks to ZDI, Western Digital, and Netatalk for researching and coordinating these vulnerabilities.

This document was written by James Stanley and Art Manion.

VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations

Overview

Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks.

Description

The UEFI standard provides an open specification that defines a software interface between an operating system (OS) and the device hardware on the system. UEFI can interface directly with hardware below the OS using SMM, a high-privilege CPU mode. SMM operations are closely managed by the CPU using a dedicated portion of memory called SMRAM. SMM is entered through a System Management Interrupt (SMI); the SMI handlers that run there receive requests through a communication buffer. SMI handlers are essentially a system call into SMRAM-resident code from the CPU's current operating mode, typically protected mode.

A race condition involving the access and validation of SMRAM can be achieved using DMA timing attacks that exploit time-of-check to time-of-use (TOCTOU) conditions. An attacker can use well-timed probing to overwrite the contents of SMRAM with arbitrary data, leading to attacker code being executed with the elevated privileges of SMM (i.e., Ring -2). The asynchronous nature of memory access by DMA controllers enables the attacker to perform such unauthorized access and bypass the verifications normally performed by the SMI handler.

Intel VT and VT-d technologies provide some protection against DMA attacks through an Input-Output Memory Management Unit (IOMMU). Although an IOMMU can protect against DMA hardware attacks, SMI handlers vulnerable to RingHopper may still be abused. SMRAM verification that involves validating nested pointers adds even more complexity when analyzing how the various SMI handlers in UEFI are used.
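The TOCTOU at the heart of RingHopper is a double fetch from a buffer the attacker can rewrite between the check and the use. The following added example, a constructed model and not any vendor's firmware, shows an SMI handler that validates a size field in the communication buffer and then re-reads it for the copy, beside a version that fetches the field once into SMRAM-resident storage. The DMA engine is simulated by a callback invoked between the two fetches; the buffer sizes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an SMI handler, not any vendor's firmware. The OS
 * places a request in a communication buffer outside SMRAM; the handler
 * copies the payload into SMRAM. Because a DMA engine can rewrite the
 * communication buffer while SMM is executing, any field the handler reads
 * twice (once to validate, once to use) can change in between. The 'race'
 * callback stands in for that concurrent DMA write. */
#define SMRAM_DATA  64      /* bytes the handler may legitimately fill */
#define SMRAM_GUARD 256     /* bytes after it, so an overrun is visible */

typedef struct { uint32_t size; uint8_t payload[256]; } comm_buffer;  /* DMA-writable */
typedef struct { uint8_t mem[SMRAM_DATA + SMRAM_GUARD]; } smram_region;
typedef void (*dma_writer)(comm_buffer *);

/* Vulnerable: comm->size is validated and then fetched again for the copy. */
size_t smi_handler_vulnerable(comm_buffer *comm, smram_region *smram, dma_writer race) {
    if (comm->size > SMRAM_DATA) return 0;              /* time of check */
    if (race) race(comm);                               /* DMA rewrites the header */
    memcpy(smram->mem, comm->payload, comm->size);      /* time of use: second fetch */
    return comm->size;
}

/* Hardened: fetch the untrusted header exactly once into SMRAM-resident
 * storage, validate that copy, and never look at the comm buffer's header
 * again. (Real handlers must also verify that the buffer itself lies
 * outside SMRAM; that check is omitted from this model.) */
size_t smi_handler_hardened(comm_buffer *comm, smram_region *smram, dma_writer race) {
    uint32_t size = comm->size;                         /* single fetch */
    if (size > SMRAM_DATA) return 0;
    if (race) race(comm);                               /* too late to matter */
    memcpy(smram->mem, comm->payload, size);
    return size;
}

/* Stand-in for a DMA engine that enlarges the size field after validation. */
void dma_grow_size(comm_buffer *comm) { comm->size = 200; }

/* Returns 1 if anything was written beyond the handler's legitimate area. */
int guard_clobbered(const smram_region *smram) {
    for (size_t i = SMRAM_DATA; i < sizeof smram->mem; i++)
        if (smram->mem[i] != 0) return 1;
    return 0;
}

int main(void) {
    comm_buffer comm;
    smram_region smram;
    size_t copied;
    memset(&comm, 0xAA, sizeof comm);                   /* constructed payload */
    comm.size = 16;
    memset(&smram, 0, sizeof smram);
    copied = smi_handler_vulnerable(&comm, &smram, dma_grow_size);
    printf("vulnerable: copied %zu bytes, guard clobbered=%d\n", copied, guard_clobbered(&smram));
    comm.size = 16;
    memset(&smram, 0, sizeof smram);
    copied = smi_handler_hardened(&comm, &smram, dma_grow_size);
    printf("hardened:   copied %zu bytes, guard clobbered=%d\n", copied, guard_clobbered(&smram));
    return 0;
}
```

The same discipline applies to every pointer or length nested inside the request: copy the whole header into SMRAM first, validate the copy, and resolve nested pointers only against the copy, which is the complexity the advisory refers to.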

Impact

An attacker with either local or remote administrative privileges can exploit DMA timing attacks to elevate privileges beyond the operating system and execute arbitrary code in SMM mode (Ring -2). These attacks can be invoked from the OS using vulnerable SMI Handlers. In some cases, the vulnerabilities can be triggered in the UEFI early boot phases (as well as sleep and recovery) before the operating system is fully initialized.

A successful attack enables any of the following impacts:

  • Invalidation or bypass of UEFI security features (Secure Boot, Intel Boot Guard).
  • Installation of persistent software that cannot be easily detected or erased.
  • Creation of backdoors and back-channel communications to exfiltrate sensitive data.
  • Interruption of system execution leading to permanent shutdown.

Because these attacks target UEFI firmware, OS and EDR solutions may have diminished visibility into the unauthorized access.

Solution

Install the latest stable version of UEFI firmware provided by your PC vendor or by the reseller of your computing environments. See the links below for resources and updates provided by specific vendors to address these issues.

If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), check (fwupdmgr get-updates) and apply the firmware updates provided by LVFS using fwupdmgr update as appropriate.

Acknowledgements

Thanks to the Intel iStare researchers Jonathan Lusky and Benny Zeltser who discovered and reported this vulnerability.

This document was written by Vijay Sarvepalli and Jeffrey S. Havrilla.

VU#794340: OpenSSL 3.0.0 to 3.0.6 decodes some punycode email addresses in X.509 certificates improperly

Overview

Two buffer overflow vulnerabilities were discovered in OpenSSL versions 3.0.0 through 3.0.6. These vulnerabilities were introduced in version 3.0.0 with the inclusion of support for punycode email address parsing for X.509 certificates. OpenSSL's assessment of the severity of the vulnerabilities was reduced from CRITICAL to HIGH, and OpenSSL 3.0.7 addresses the issues.

Description

Two buffer overflows have been reported in the OpenSSL 3.0.x branch prior to version 3.0.7 that, when exploited, may lead to denial of service or, in some cases, remote code execution in the vulnerable target environment. OpenSSL client and server implementations that use the vulnerable libraries are affected. A server is only exposed if it has TLS client authentication enabled, since the malicious certificate must be presented by the peer. OpenSSL provides details:

* Fixed two buffer overflows in punycode decoding functions.

   A buffer overrun can be triggered in X.509 certificate verification,
   specifically in name constraint checking. Note that this occurs after
   certificate chain signature verification and requires either a CA to
   have signed the malicious certificate or for the application to continue
   certificate verification despite failure to construct a path to a trusted
   issuer.

   In a TLS client, this can be triggered by connecting to a malicious
   server.  In a TLS server, this can be triggered if the server requests
   client authentication and a malicious client connects.

   An attacker can craft a malicious email address to overflow
   an arbitrary number of bytes containing the `.`  character (decimal 46)
   on the stack.  This buffer overflow could result in a crash (causing a
   denial of service).
   ([CVE-2022-3786])

   An attacker can craft a malicious email address to overflow four
   attacker-controlled bytes on the stack.  This buffer overflow could
   result in a crash (causing a denial of service) or potentially remote code
   execution depending on stack layout for any given platform/compiler.
   ([CVE-2022-3602])

OpenSSL versions 1.1.1 and 1.0.2 are not affected.

CERT/CC is unaware of any exploitation of this vulnerability at this time.
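The four-byte overflow in CVE-2022-3602 comes from the capacity check performed before each decoded code point is written. As an added example, not OpenSSL's ossl_punycode_decode, here is an RFC 3492 decoder in which every output write is guarded by a "written >= out_cap" test, so a label that needs one more code point than the buffer holds is rejected rather than written one element past the end. Labels are given without the xn-- prefix; the buffer sizes in main() are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed RFC 3492 punycode decoder, not OpenSSL's ossl_punycode_decode.
 * Output is a fixed-capacity array of code points; every write is preceded
 * by a "written >= out_cap" test so the decoder reports failure instead of
 * writing the one extra element that a "written > out_cap" test would let
 * through. */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };

static int decode_digit(int c) {
    if (c >= '0' && c <= '9') return c - '0' + 26;
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a';
    return -1;
}

/* Bias adaptation from RFC 3492 section 6.1. */
static uint32_t adapt(uint32_t delta, uint32_t numpoints, int firsttime) {
    uint32_t k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((BASE - TMIN) * TMAX) / 2) {
        delta /= BASE - TMIN;
        k += BASE;
    }
    return k + ((BASE - TMIN + 1) * delta) / (delta + SKEW);
}

/* Decodes one label (without the "xn--" prefix). Returns 1 on success and
 * 0 on malformed input, arithmetic overflow, or an output that would not
 * fit; on failure nothing beyond out[out_cap - 1] has been written. */
int punycode_decode(const char *in, size_t in_len, uint32_t *out, size_t out_cap, size_t *out_len) {
    size_t written = 0, pos = 0, dash = in_len;
    uint32_t n = INITIAL_N, i = 0, bias = INITIAL_BIAS;

    for (size_t j = 0; j < in_len; j++)        /* basic code points precede the last '-' */
        if (in[j] == '-') dash = j;
    if (dash < in_len) {
        for (size_t j = 0; j < dash; j++) {
            if ((unsigned char)in[j] >= 0x80) return 0;
            if (written >= out_cap) return 0;
            out[written++] = (unsigned char)in[j];
        }
        pos = dash + 1;
    }

    while (pos < in_len) {
        uint32_t oldi = i, w = 1;
        for (uint32_t k = BASE;; k += BASE) {
            if (pos >= in_len) return 0;                /* truncated delta */
            int digit = decode_digit((unsigned char)in[pos++]);
            if (digit < 0) return 0;
            if ((uint32_t)digit > (UINT32_MAX - i) / w) return 0;
            i += (uint32_t)digit * w;
            uint32_t t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((uint32_t)digit < t) break;
            if (w > UINT32_MAX / (BASE - t)) return 0;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)written + 1, oldi == 0);
        if (i / (uint32_t)(written + 1) > UINT32_MAX - n) return 0;
        n += i / (uint32_t)(written + 1);
        i %= (uint32_t)(written + 1);
        if (written >= out_cap) return 0;               /* the bound that must use >= */
        memmove(out + i + 1, out + i, (written - i) * sizeof *out);
        out[i++] = n;
        written++;
    }
    *out_len = written;
    return 1;
}

int main(void) {
    uint32_t cps[16];
    size_t n = 0;
    const char *label = "mnchen-3ya";                  /* the label of xn--mnchen-3ya */
    if (punycode_decode(label, strlen(label), cps, 16, &n)) {
        for (size_t j = 0; j < n; j++) printf("U+%04X ", cps[j]);
        printf("\n");
    }
    printf("same label into a 6-element buffer: %d\n",
           punycode_decode(label, strlen(label), cps, 6, &n));
    return 0;
}
```

The caller that assembles a full domain name from such labels needs the same discipline for the "." it appends between them, which is the bound CVE-2022-3786 concerns.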

Impact

Successful exploitation could lead to denial of service or remote execution of arbitrary code in the target environment.

Solution

Any services depending on versions of OpenSSL 3.0.x prior to OpenSSL 3.0.7 should be upgraded to version 3.0.7 or later. Operators may also consider temporarily disabling TLS client authentication until applying an update.

Acknowledgements

Thanks to OpenSSL for coordinating and remediating the vulnerability. Polar Bear is credited with discovering CVE-2022-3602. Viktor Dukhovni is credited with finding CVE-2022-3786.

This document was written by Kevin Stephens, Eric Hatleback, Vijay Sarvepalli, and Jeffrey S. Havrilla.

VU#730793: Heimdal Kerberos vulnerable to remotely triggered NULL pointer dereference

Overview

The Heimdal Software Kerberos 5 implementation is vulnerable to a NULL pointer dereference. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.

Description

CVE-2022-3116
A flawed logical condition in lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token.

Impact

An attacker can use a specially crafted network packet to cause a vulnerable application to crash.

Solution

The latest version of code in the Heimdal master branch fixes the issue. However, the current stable release 7.7.0 does not include the fix.

Acknowledgements

Thanks to Internet Systems Consortium for reporting the vulnerability.

This document was written by Kevin Stephens.
