Author Archives: CERT

Overview

Versions 1.1.5 and earlier of the mu HTTP deamon (muhttpd) are vulnerable to path traversal via crafted HTTP request from an unauthenticated user. This vulnerability can allow unauthenticated users to download arbitrary files and collect private information on the target device.

Description

The muhttpd, hosted at SourceForge as an opensource project, is a lightweight webserver. This software is commonly used in customer premise equipment (CPE), such as home routers and small office routers, to provide device management capability through a web interface. The muhttpd supports the use of CGI scripts that enable remote management of CPE devices.

A path traversal vulnerability in muhttpd (version 1.1.5 and earlier) could allow an unauthenticated attacker to read arbitrary content on the target device, including usernames and passwords, Wireless SSID configurations, ISP connection information, and private keys. If remote management is enabled on a device running vulnerable version of muhttpd, this attack is possible from a remote network. Even in cases with restricted Local Area Network access, a vulnerable version of muhttpd can be accessed using other attack methods such as DNS Rebinding.

Impact

An unauthenticated attacker can use crafted HTTP request to download arbitrary files or gather sensitive information from a vulnerable target device. In cases where remote management is enabled on a vulnerable device, a remote unauthenticated attacker can perform these attacks.

Solution

Apply Updates

Update to the latest version of firmware/software provided by your vendor; see Vendor Information section for details. Downstream developers of embedded systems should update muhttpd software (to version 1.1.7 or later) from SourceForget git repository.

Disable remote management

Disabling remote management access, which thereby limits access strictly to local area network, can minimize the exposure introduced by the vulnerable software. Use access control to limit remote management if remote management is desired from specific IP network locations. Additional mitigations are described in the security researcher’s advisory.

Acknowledgements

Thanks to Derek Abdine for reporting this vulnerability.

This document was written by Brad Runyon, Vijay Sarvepalli, and Eric Hatleback.

Continue reading VU#495801: muhttpd versions 1.1.5 and earlier are vulnerable to path traversal→

Overview

SMA Technologies OpCon UNIX agent adds the same SSH key on every installation and subsequent updates. An attacker with access to the private key can gain root access on affected systems.

Description

During OpCon UNIX agent installation and updates, an SSH public key is added to the root account’s authorized_keys file. The corresponding private key titled sma_id_rsa is included with the installation files and is not encrypted with a passphrase. Removal of the OpCon software does not remove the entry from the authorized_keys file.

Impact

An attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems.

Solution

Remove private key

SMA Technologies has provided a tool to address the issue.

Another option is to manually remove the SSH key entry from root’s authorized_keys file. The key can be identified by its fingerprints:

SHA256:qbgTVNkLGI5G7erZqDhte63Vpw+9g88jYCxMuh8cLeg
MD5:f1:6c:c9:ba:21:66:ce:7c:5a:55:e2:4d:07:72:cc:31

Depending on the shell and operating system there are various ways to generate fingerprints for public keys listed in authorized_keys.

Upgrade

SMA Technologies reports that “We have updated our UNIX agent version 21.2 package to no longer include (and also remove) any existing vulnerability.”

Acknowledgements

Thanks to Nick Holland at Holland Consulting for researching and reporting this vulnerability.

This document was written by Kevin Stephens.

Continue reading VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations→

Overview

The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.

Description

The uClibc and the Uclibc-ng software are lightweight C standard libraries intended for use in embedded systems and mobile devices. The uClibc library has not been updated since May of 2012. The newer uClibc-ng is the currently maintained fork of uClibc, as announced on the OpenWRT mailing list in July 2014.

Researchers at the Nozomi Networks Security Research Team discovered that all existing versions of uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning. These libraries do not employ any randomization in the DNS Transaction ID (DNS TXID) field when creating a new DNS request. This can allow an attacker to send maliciously crafted DNS packets to corrupt the DNS cache with invalid entries and redirect users to arbitrary sites. As uClibc and uClibc-ng are used in devices such as home routers and firewalls, an attacker can perform attacks against multiple users in a shared network environment that relies on DNS responses from the vulnerable device.

The DNS cache poisoning scenarios and defenses are discussed in IETF RFC5452.

Impact

The lack of DNS response validation can allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to malicious sites.

Solution

Apply a patch

If your vendor has developed a patched version of uClibc or uClibc-ng to address this issue, apply the updates provided by your vendor. uClibc-ng was updated to 1.0.41 on 05/20/2022.

Product Developers

If you have a forked or customized version of uClibc or uClibc-ng, develop or adopt a patch to ensure the dns_lookup function provides adequate randomization of DNS TXID’s while making DNS requests. Review and consider applying the patch has been made available in patchwork repository of uClibc-ng with VU#638879 tag.

Follow security best practices

Consider the following security best-practices to protect DNS infrastructure:

• Prevent direct exposure of IoT devices and lightweight devices over the Internet to minimize attacks against a caching DNS server.
• Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS recursion services where applicable.
• Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).

Acknowledgements

Thanks to the Nozomi Networks Security Research Team for this report

This document was written by Vijay Sarvepalli and Timur Snoke.

Continue reading VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID→

Overview

Tychon contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files.

Description

Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.

Impact

By placing a specially-crafted openssl.cnf in a location used by Tychon, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Tychon software installed.

Solution

Apply an update

This issue is addressed in Tychon 1.7.857.82

Acknowledgements

This document was written by Will Dormann.

Continue reading VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location→

Overview

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.

Description

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within C:\Qt\, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root C:\ drive location.

In 2015, a patch was made to windeployqt to strip out any existing qt_prfxpath value from Qt5Core.dll. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.

Impact

By placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.

Solution

Apply an update

This issue is addressed in Qt 5.14. Starting with this version, Qt no longer hard-codes the qt_prfxpath value in Qt5Core.dll.

Run windeployqt to prepare Windows Qt software for deployment

The windeployqt utility will replace the qt_prfxpath value in the Qt core DLL with the value of ., which helps prevent this path from being used to achieve privilege escalation.

Acknowledgements

This document was written by Will Dormann.

Continue reading VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value→

Overview

The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.

Exploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.

NCSC-NL has a list of products and their statuses with respect to this vulnerability.

Impact

By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.

Solution

Apply an update

This issue is addressed in Spring Framework 5.3.18 and 5.2.20. Please see the Spring Framework RCE Early Announcement for more details.

Acknowledgements

This issue was publicly disclosed by heige.

This document was written by Will Dormann

Continue reading VU#970766: Spring Framework insecurely handles PropertyDescriptor objects with data binding→

Overview

Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS. An attacker with the ability to read SMS messages can obtain VVM IMAP credentials and gain access to VVM data.

Description

VVM is specified by Open Mobile Terminal Platform-OMPT and is implemented with SMS and IMAP (and other protocols). VVM IMAP credentials are sent unencrypted in SMS messages. From vvm-disclosure:

When a client sends any sort of STATUS SMS (activate, deactivate, status), the carrier will respond with all credentials needed to log into the IMAP server (i.e. username, password, server host-name).

From section 2.1.1.2 AUTHENTICATE of the OMTP VISUAL VOICEMAIL INTERFACE SPECIFICATION v1.3: “The IMAP4 password is sent in the STATUS SMS message.”

To intercept an SMS message, an attacker would need, for example:
* temporary physical access to the SIM card,
* to operate a spoofed a base station (cell tower), or
* to convince a user to install a malicious application that has SMS access.

VVM IMAP services may be widely accessible over the internet or carrier networks.

From vvm-disclosure:

There is no indication on to a victim that someone else has access to their VVM. Android leaves their VVMs on the IMAP server until the client deletes it, so any VVMs on the client are accessible to a malicious actor.

Impact

An attacker with the ability to read SMS messages can obtain VVM IMAP credentials and gain access to VVM data.

Solution

We are not aware of a practical solution to this vulnerability.

Take general precautions against SMS interception.

If supported, change your VMM password on some basis.

Delete VMM data quickly.

Acknowledgements

Thanks to Chris Talbot for researching and reporting this vulnerability.

This document was written by Brad Runyon.

Continue reading VU#383864: Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS→

Overview

The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called “stalkerware.” An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.

Description

IDOR is a common web application flaw that essentially exposes information on a server because of insufficient authentication or authorization controls. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below.

For more information and a detailed account of the flaw and investigation, please see “Behind the stalkerware network spilling the private phone data of hundreds of thousands.”

Impact

An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.

Solution

We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability.

For advice on detecting and removing stalkerware apps, see “Your Android phone could have stalkerware, here’s how to remove it.” As noted by TechCrunch:

Before you proceed, have a safety plan in place. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation.

Acknowledgements

Thanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware.

This document was written by James Stanley and Art Manion.

Continue reading VU#229438: Mobile device monitoring services do not authenticate API requests→

Overview

The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).

Description

UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. SMM’s privileges, also referred to as “Ring -2,” exceed the privileges of the operating system’s kernel (“Ring-0”). For this reason, SMM is executed in a protected area of memory called the SMRAM. It is typically accessed via System Management Interrupt (SMI) Handlers using communication buffers, which are also known as “SMM Comm Buffers.” The SMM also provides protection against SPI flash modifications and performs boot time verifications similar to those performed by SecureBoot.

UEFI software requires both openness (for hardware drivers, pluggable devices and Driver eXecution Environment (DXE) updates) as well as very tight security controls (for e.g., SMM Comm Buffer Security), making it a complex software that needs a thorough set of security controls that need validation throughout the software’s lifecycle. UEFI also supports recent capabilities like Virtual Machine Manager (VMM) for virtualization and the increasing demand of virtual computing resources.

Insyde’s H2O UEFI firmware contains several (23) memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendor implementations due to the complex UEFI supply chain. The vulnerabilities can be classified by the following UEFI vulnerability categories.

Impact

The impacts of these vulnerabilities vary widely due to the nature of SMM capabilities. As an example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system to execute arbitrary code in SMM mode. These attacks can be invoked from the operating system using the unverified or unsafe SMI Handlers, and in some cases these bugs can also be triggered in the UEFI early boot phases ( as well as sleep and recovery like ACPI) before the operating system is initialized.

In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:

• Invalidate many hardware security features (SecureBoot, Intel BootGuard)
• Install persistent software that cannot be easily erased
• Create backdoors and back communications channels to exfiltrate sensitive data

Solution

Install the latest stable version of firmware provided by your PC vendor or your nearest reseller of your computing environments. See the links below to resources and updates provided by specific vendors.

If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), apply the related software security updates. Binarly has also provided a set of UEFI software detection rules called FwHunt rules to assist with identifying vulnerable software. LVFS applies these FwHunt rules to detect and support the fix of firmware updates that are impacted by this advisory.

Acknowledgements

The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.

This document was written by Vijay Sarvepalli.

Continue reading VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM→

Overview

The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.

Description

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide “…enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.” Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.

For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.

Impact

A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

From the Samba annoucement for CVE-2021-44142:

Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

Solution

Apply an update

Samba has released versions 4.13.17, 4.14.12, and 4.15.5.

Disable vfs_fruit

As a workaround, remove ‘fruit’ from ‘vfs objects’ lines in Samba configuration files (e.g., smb.conf).

Acknowledgements

Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.

This document was written by James Stanley and Art Manion.

Continue reading VU#119678: Samba vfs_fruit module insecurely handles extended file attributes→