SB18-365: Vulnerability Summary for the Week of December 24, 2018


Original release date: December 31, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| orange — arv7519rw22_livebox_2.1_firmware | Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. | 2018-12-23 | 10.0 | CVE-2018-20377 (MISC, MISC, MISC, MISC) |
| s-cms — s-cms | An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field. | 2018-12-25 | 7.5 | CVE-2018-20477 (MISC) |

Medium Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| audiocoding — freeware_advanced_audio_decoder_2 | A NULL pointer dereference was discovered in sbr_process_channel of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash. | 2018-12-22 | 4.3 | CVE-2018-20357 (MISC) |
| audiocoding — freeware_advanced_audio_decoder_2 | An invalid memory address dereference was discovered in the lt_prediction function of libfaad/lt_predict.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. | 2018-12-22 | 4.3 | CVE-2018-20358 (MISC) |
| audiocoding — freeware_advanced_audio_decoder_2 | An invalid memory address dereference was discovered in the sbrDecodeSingleFramePS function of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. | 2018-12-22 | 4.3 | CVE-2018-20359 (MISC) |
| audiocoding — freeware_advanced_audio_decoder_2 | An invalid memory address dereference was discovered in the sbr_process_channel function of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. | 2018-12-22 | 4.3 | CVE-2018-20360 (MISC) |
| audiocoding — freeware_advanced_audio_decoder_2 | An invalid memory address dereference was discovered in the hf_assembly function of libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. | 2018-12-22 | 4.3 | CVE-2018-20361 (MISC) |
| audiocoding — freeware_advanced_audio_decoder_2 | A NULL pointer dereference was discovered in ifilter_bank of libfaad/filtbank.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash because adding to windowed output is mishandled in the EIGHT_SHORT_SEQUENCE case. | 2018-12-22 | 4.3 | CVE-2018-20362 (MISC) |
| s-cms — s-cms | An issue was discovered in S-CMS 3.0. It allows XSS via the admin/demo.php T_id parameter. | 2018-12-25 | 4.3 | CVE-2018-20476 (MISC) |

Low Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| frogcms_project — frogcms | Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI. | 2018-12-25 | 3.5 | CVE-2018-20448 (MISC) |

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
74cms — 74cms
 
An issue was discovered in 74cms v4.2.111. It allows remote authenticated users to read or modify arbitrary resumes by changing a job-search intention, as demonstrated by the index.php?c=Personal&a=ajax_save_basic pid parameter. 2018-12-27 not yet calculated CVE-2018-20519
MISC
74cms — 74cms
 
An issue was discovered in 74cms v4.2.111. upload/index.php?c=resume&a=resume_list has XSS via the key parameter. 2018-12-25 not yet calculated CVE-2018-20454
MISC
advisto — peel_shopping
 
Peel shopping peel-shopping_9_1_0 version contains a Cross Site Scripting (XSS) vulnerability that can result in an authenticated user injecting java script code in the “Site Name EN” parameter. This attack appears to be exploitable if the malicious user has access to the administration account. 2018-12-28 not yet calculated CVE-2018-1000887
MISC
amalen — mxq_tv_box_android_device The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that contains an exported broadcast receiver application component that, when called, will make the device inoperable. The vulnerable component named com.android.server.SystemRestoreReceiver will write a value of –restore_systemn–locale=<localeto the /cache/recovery/command file and boot into recovery mode. During this process, it appears that when booting into recovery mode, the system partition gets formatted or modified and will be unable to boot properly thereafter. After the device wouldn’t boot properly, a factory reset of the device in recovery mode does not regain properly functionality of the device. The com.android.server.SystemRestoreReceiver broadcast receiver app component is accessible to any app co-located on the device and does not require any permission to access. The user can most likely recover the device by flashing clean firmware images placed on an SD card. 2018-12-28 not yet calculated CVE-2018-14988
MISC
MISC
amalen — mxq_tv_box_android_device The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that dynamically registers a broadcast receiver app component named com.android.server.MasterClearReceiver instead of statically registering it in the AndroidManifest.xml file of the core Android package, as done in Android Open Source Project (AOSP) code for Android 4.4.2. The dynamic-registration of the MasterClearReceiver broadcast receiver app component is not protected with the android.permission.MASTER_CLEAR permission during registration, so any app co-located on the device, even those without any permissions, can programmatically initiate a factory reset of the device. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of core Android process. 2018-12-28 not yet calculated CVE-2018-14987
MISC
MISC
ambit — multiple_devices Ambit DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, and U10C019 5.66.1026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20380
MISC
MISC
apache — tika A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika’s SQLite3Parser in versions 1.8-1.19.1 of Apache Tika. 2018-12-24 not yet calculated CVE-2018-17197
BID
MISC
arris — multiple_devices ARRIS DG950A 7.10.145 and DG950S 7.10.145.EURO devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20383
MISC
MISC
arris — multiple_devices
 
ARRIS SBG6580-2 D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20386
MISC
MISC
asus — aura_sync The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code. 2018-12-26 not yet calculated CVE-2018-18535
MISC
FULLDISC
BID
MISC
asus — aura_sync The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address. 2018-12-26 not yet calculated CVE-2018-18537
MISC
FULLDISC
BID
MISC
asus — aura_sync The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges. 2018-12-26 not yet calculated CVE-2018-18536
MISC
FULLDISC
BID
MISC
asus — zenfone_3_max_android_device The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user’s stored wireless network credentials. 2018-12-28 not yet calculated CVE-2018-14979
MISC
MISC
asus — zenfone_3_max_android_device The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed platform app with a package name of com.asus.dm (versionCode=1510500200, versionName=1.5.0.40_171122) has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService that allows any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it. Any app on the device can send an intent with specific embedded data that will cause the com.asus.dm app to programmatically download and install the app. For the app to be downloaded and installed, certain data needs to be provided: download URL, package name, version name from the app’s AndroidManifest.xml file, and the MD5 hash of the app. Moreover, any app that is installed using this method can also be programmatically uninstalled using the same unprotected component named com.asus.dm.installer.DMInstallerService. 2018-12-28 not yet calculated CVE-2018-14992
MISC
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the direct checking of the API key against a user-supplied value in PHP’s GET global variable array using PHP’s strcmp() function. By adding “[]” to the end of “key” in the URL when accessing API functions, an attacker could exploit this vulnerability to execute API functions. 2018-12-28 not yet calculated CVE-2018-1000628
MISC
battelle — v2i_hub Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tmx/TmxCtl/src/lib/PluginStatus.cpp and TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database. 2018-12-28 not yet calculated CVE-2018-1000631
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 is vulnerable to a denial of service, caused by the failure to restrict access to a sensitive functionality. By visiting http://V2I_HUB/UI/powerdown.php, a remote attacker could exploit this vulnerability to shut down the system. 2018-12-28 not yet calculated CVE-2018-1000624
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the lack of requirement to change the default API key. An attacker could exploit this vulnerability using all available API functions containing an unchanged API key to gain unauthorized access to the system. 2018-12-28 not yet calculated CVE-2018-1000626
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 contains hard-coded credentials for the administrative account. An attacker could exploit this vulnerability to log in as an admin on any installation and gain unauthorized access to the system. 2018-12-28 not yet calculated CVE-2018-1000625
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by api/SystemConfigActions.php?action=add and the index.php script. A remote attacker could exploit this vulnerability using the parameterName or _login_username parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. 2018-12-28 not yet calculated CVE-2018-1000629
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to the API key file. An attacker could exploit this vulnerability to obtain the current API key to gain unauthorized access to the system. 2018-12-28 not yet calculated CVE-2018-1000627
MISC
battelle — v2i_hub Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to /api/PluginStatusActions.php and /status/pluginStatus.php using the jtSorting or id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. 2018-12-28 not yet calculated CVE-2018-1000630
MISC
bento4 — bento4 An issue was discovered in Bento4 1.5.1-627. There is an attempt at excessive memory allocation in the AP4_DataBuffer class when called from AP4_HvccAtom::Create in Core/Ap4HvccAtom.cpp. 2018-12-26 not yet calculated CVE-2018-20502
MISC
bento4 — bento4 An issue was discovered in Bento4 1.5.1-627. There is a heap-based buffer over-read in AP4_AvccAtom::Create in Core/Ap4AvccAtom.cpp, as demonstrated by mp42hls. 2018-12-23 not yet calculated CVE-2018-20409
MISC
bento4 — bento4 An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_StdcFileByteStream::Create in System/StdC/Ap4StdCFileByteStream.cpp, as demonstrated by mp42hls. 2018-12-23 not yet calculated CVE-2018-20408
MISC
bento4 — bento4
 
An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42hls. 2018-12-23 not yet calculated CVE-2018-20407
MISC
bigtree — bigtree
 
BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. 2018-12-23 not yet calculated CVE-2018-20405
MISC
bnmux — multiple_devices Bnmux BCW700J 5.20.7, BCW710J 5.30.6a, and BCW710J2 5.30.16 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20387
MISC
MISC
c3p0 — c3p0
 
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. 2018-12-24 not yet calculated CVE-2018-20433
MISC
MLIST
carl_burch — logisim_evolution
 
Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4. 2018-12-28 not yet calculated CVE-2018-1000889
MISC
MISC
castlenet — multiple_devices CastleNet CBV38Z4EC 125.553mp1.39219mp1.899.007, CBV38Z4ECNIT 125.553mp1.39219mp1.899.005ITT, CBW383G4J 37.556mp5.008, and CBW38G4J 37.553mp1.008 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20385
MISC
MISC
cisco — adaptive_security_appliance_software A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device. 2018-12-24 not yet calculated CVE-2018-15465
BID
CISCO
MISC
cms_made_simple — cms_made_simple There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 admin/myaccount.php. This vulnerability is triggered upon an attempt to modify a user’s mailbox with the wrong format. The response contains the user’s previously entered email address. 2018-12-25 not yet calculated CVE-2018-20464
MISC
comtrend — multiple_devices
 
Comtrend CM-6200un 123.447.007 and CM-6300n 123.553mp1.005 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20388
MISC
MISC
contiki-ng — contiki-ng
 
Contiki-NG before 4.2 has a stack-based buffer overflow in the push function in os/lib/json/jsonparse.c that allows an out-of-bounds write of an ‘{‘ or ‘[‘ character. 2018-12-28 not yet calculated CVE-2018-20579
MISC
coolpad — canvas_device The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files. 2018-12-28 not yet calculated CVE-2018-15004
MISC
MISC
craft_cms — craft_cms Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. 2018-12-25 not yet calculated CVE-2018-20465
MISC
MISC
craft_cms — craft_cms
 
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab. 2018-12-23 not yet calculated CVE-2018-20418
MISC
MISC
EXPLOIT-DB
crashfix — crashfix
 
CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protectedmodelsUser.php search() function. 2018-12-27 not yet calculated CVE-2018-20508
MISC
d-link — dir-140l_and_dir-640l_devices dirary0.js on D-Link DIR-140L, DIR-640L devices allows remote unauthenticated attackers to discover admin credentials. 2018-12-21 not yet calculated CVE-2018-18009
FULLDISC
BID
d-link — dsl-2770l_devices atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials. 2018-12-21 not yet calculated CVE-2018-18007
FULLDISC
BID
d-link — dsl_and_dir_and_dwr_devices spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials. 2018-12-21 not yet calculated CVE-2018-18008
FULLDISC
BID
d-link — multiple_devices D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20389
MISC
MISC
d-link — multiple_devices D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 and iso.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20445
MISC
damicms — damicms
 
DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a crafted admin.php?s=Tpl/Add/id request, as demonstrated by admin.php?s=Tpl/Add/id/.PublicConfigconfig.ini.php to read the global configuration file. 2018-12-28 not yet calculated CVE-2018-20571
MISC
dextsolution — dextuploadx5 DEXTUploadX5 version Between 1.0.0.0 and 2.2.0.0 contains a vulnerability that could allow remote attacker to download and execute remote arbitrary file by setting the arguments to the activex method. this can be leveraged for code execution. 2018-12-28 not yet calculated CVE-2018-5203
MISC
discuz! — discuzx Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass a “disabled registration” setting by adding a non-existing wxopenid value to the plugin.php ac=wxregister query string. 2018-12-23 not yet calculated CVE-2018-20423
MISC
discuz! — discuzx Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to delete the common_member_wechatmp data structure via an ac=unbindmp request to plugin.php. 2018-12-23 not yet calculated CVE-2018-20424
MISC
discuz! — discuzx Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass authentication by leveraging a non-empty #wechat#common_member_wechatmp to gain login access to an account via a plugin.php ac=wxregister request (the attacker does not have control over which account will be accessed). 2018-12-23 not yet calculated CVE-2018-20422
MISC
dolibarr — erp_and_crm
 
Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS. 2018-12-26 not yet calculated CVE-2018-19799
MISC
MISC
EXPLOIT-DB
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.php?rec=update has XSS via the title parameter. 2018-12-28 not yet calculated CVE-2018-20561
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_category.php?rec=update has XSS via the cat_name parameter. 2018-12-28 not yet calculated CVE-2018-20562
MISC
douco — douphp_cms DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account. 2018-12-23 not yet calculated CVE-2018-20419
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter. 2018-12-28 not yet calculated CVE-2018-20559
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter. 2018-12-28 not yet calculated CVE-2018-20564
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?rec=update has XSS via the show_name parameter. 2018-12-28 not yet calculated CVE-2018-20560
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. It allows full path disclosure in “Smarty error: unable to read resource” error messages for a crafted installation page. 2018-12-28 not yet calculated CVE-2018-20566
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter. 2018-12-28 not yet calculated CVE-2018-20565
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. installindex.php allows a reload of the product in opportunistic circumstances in which install.lock cannot be read. 2018-12-28 not yet calculated CVE-2018-20567
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter. 2018-12-28 not yet calculated CVE-2018-20563
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter. 2018-12-28 not yet calculated CVE-2018-20557
MISC
douco — douphp_cms An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter. 2018-12-28 not yet calculated CVE-2018-20558
MISC
engelsystem — engelsystem
 
Engelsystem before commit hash 2e28336 allows CSRF. 2018-12-26 not yet calculated CVE-2018-19182
CONFIRM
CONFIRM
epson — workforce_wf-2861_printers The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI. 2018-12-24 not yet calculated CVE-2018-19248
MISC
epson — workforce_wf-2861_printers An issue was discovered on Epson WorkForce WF-2861 10.48 LQ22I3, 10.51.LQ20I6 and 10.52.LQ17IA devices. They use SNMP to find certain devices on the network, but the default version is v2c, allowing an amplification attack. 2018-12-24 not yet calculated CVE-2018-18960
MISC
epson — workforce_wf-2861_printers An issue was discovered on Epson WorkForce WF-2861 10.48 LQ22I3, 10.51.LQ20I6 and 10.52.LQ17IA devices. On the ‘Air Print Setting’ web page, if the data for ‘Bonjour Service Location’ at /PRESENTATION/BONJOUR is more than 251 bytes when sending data for Air Print Setting, then the device no longer functions until a reboot. 2018-12-24 not yet calculated CVE-2018-18959
MISC
epson — workforce_wf-2861_printers The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to cause a denial of service via a FIRMWAREUPDATE GET request, as demonstrated by the /DOWN/FIRMWAREUPDATE/ROM1 URI. 2018-12-24 not yet calculated CVE-2018-19232
MISC
ethereum — go-ethereum Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of “assembly { mstore }” followed by a “c[0xC800000] = 0xFF” assignment. 2018-12-23 not yet calculated CVE-2018-20421
MISC
ethereum — hashheroes_tiles
 
The determineWinner function of a smart contract implementation for HashHeroes Tiles, an Ethereum game, uses a certain blockhash value in an attempt to generate a random number for the case where NUM_TILES equals the number of people who purchased a tile, which allows an attacker to control the awarding of the prize by being the last person to purchase a tile. 2018-12-26 not yet calculated CVE-2018-17987
MISC
ethereum — nexxustoken The mintToken function of Nexxus (NXX) aka NexxusToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. 2018-12-28 not yet calculated CVE-2018-18665
MISC
MISC
MISC
ethereum — pylontoken The mintToken function of Pylon (PYLNT) aka PylonToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value, a related issue to CVE-2018-11812. 2018-12-28 not yet calculated CVE-2018-18667
MISC
MISC
MISC
ethereum — swftcoin_token The mintToken function of SwftCoin (SWFTC) aka SwftCoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. 2018-12-28 not yet calculated CVE-2018-18666
MISC
MISC
MISC
evolution_cms — evolution_cms Evolution CMS 1.4.x allows XSS via the manager/ search parameter. 2018-12-28 not yet calculated CVE-2018-16638
MISC
evolution_cms — evolution_cms Evolution CMS 1.4.x allows XSS via the page weblink title parameter to the manager/ URI. 2018-12-28 not yet calculated CVE-2018-16637
MISC
f5 — big-ip On versions 11.2.1. and greater, unrestricted Snapshot File Access allows BIG-IP system’s user with any role, including Guest Role, to have access and download previously generated and available snapshot files on the BIG-IP configuration utility such as QKView and TCPDumps. 2018-12-28 not yet calculated CVE-2018-15333
CONFIRM
f5 — big-ip_apm When APM 13.0.0-13.1.x is deployed as an OAuth Resource Server, APM becomes a client application to an external OAuth authorization server. In certain cases when communication between the BIG-IP APM and the OAuth authorization server is lost, APM may not display the intended message in the failure response 2018-12-28 not yet calculated CVE-2018-15335
CONFIRM
f5 — big-ip_apm A cross-site request forgery (CSRF) vulnerability in the APM webtop 11.2.1 or greater may allow attacker to force an APM webtop session to log out and require re-authentication. 2018-12-28 not yet calculated CVE-2018-15334
CONFIRM
f5 — ip_infusion_zebos_and_ocnos The BGP daemon (bgpd) in all IP Infusion ZebOS versions to 7.10.6 and all OcNOS versions to 1.3.3.145 allows remote attackers to cause a denial of service via an autonomous system (AS) path containing 8 or more autonomous system number (ASN) elements. 2018-12-28 not yet calculated CVE-2018-17539
CONFIRM
foxit — quick_pdf_library In Foxit Quick PDF Library (all versions prior to 16.12), loading a malformed or malicious PDF containing invalid xref entries using the DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out-of-bounds memory access. 2018-12-24 not yet calculated CVE-2018-20249
BID
CONFIRM
foxit — quick_pdf_library In Foxit Quick PDF Library (all versions prior to 16.12), loading a malformed or malicious PDF containing invalid xref table pointers or invalid xref table data using the LoadFromFile, LoadFromString, LoadFromStream, DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out-of-bounds memory access. 2018-12-24 not yet calculated CVE-2018-20248
BID
CONFIRM
foxit — quick_pdf_library In Foxit Quick PDF Library (all versions prior to 16.12), loading a malformed or malicious PDF containing a recursive page tree structure using the LoadFromFile, LoadFromString or LoadFromStream functions results in a stack overflow. 2018-12-24 not yet calculated CVE-2018-20247
BID
CONFIRM
frontaccounting_team — frontaccounting FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter “filterType” in /attachments.php that can allow the attacker to grab the entire database of the application. 2018-12-28 not yet calculated CVE-2018-1000890
MISC
EXPLOIT-DB
gnu — gnu_tar GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user’s process (e.g., a system backup running as root). 2018-12-26 not yet calculated CVE-2018-20482
MISC
MISC
MISC
MISC
gnu — gnu_wget set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file’s origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl. 2018-12-26 not yet calculated CVE-2018-20483
MISC
MISC
gnu — libextractor GNU Libextractor through 1.8 has an out-of-bounds read vulnerability in the function history_extract() in plugins/ole2_extractor.c, related to EXTRACTOR_common_convert_to_utf8 in common/convert.c. 2018-12-24 not yet calculated CVE-2018-20430
BID
MISC
MISC
MISC
MLIST
DEBIAN
gnu — libextractor GNU Libextractor through 1.8 has a NULL Pointer Dereference vulnerability in the function process_metadata() in plugins/ole2_extractor.c. 2018-12-24 not yet calculated CVE-2018-20431
BID
MISC
MISC
MISC
MLIST
DEBIAN
google — chrome The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of <<a> in a message, because a danmuWrapper DIV element in chatbox-onlydanmu.js is outside the scope of a Content Security Policy (CSP). 2018-12-27 not yet calculated CVE-2018-20524
MISC
imagemagick — imagemagick In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. 2018-12-25 not yet calculated CVE-2018-20467
BID
MISC
MISC
inovo — broadband_devices iNovo Broadband IB-8120-W21 139.4410mp1.004200.002 and IB-8120-W21E1 139.4410mp1.3921132mp1.899.004404.004 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20384
MISC
MISC
ivan_cordoba — generic_cms user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. 2018-12-28 not yet calculated CVE-2018-20569
MISC
ivan_cordoba — generic_cms Administrator/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. 2018-12-28 not yet calculated CVE-2018-20568
MISC
jasper — jasper jp2_encode in jp2/jp2_enc.c in JasPer 2.0.14 has a heap-based buffer over-read. 2018-12-28 not yet calculated CVE-2018-20570
MISC
jeecms — jeecms JEECMS 9 has SSRF via the ueditor/getRemoteImage.jspx upfile parameter. 2018-12-28 not yet calculated CVE-2018-20528
MISC
jiuzhou — bcm93383wrg_devices Jiuzhou BCM93383WRG 139.4410mp1.3921132mp1.899.004404.004 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20382
MISC
MISC
kaonmedia — cg2001_devices Kaonmedia CG2001-AN22A 1.2.1, CG2001-UDBNA 3.0.8, and CG2001-UN2NA 3.0.8 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20390
MISC
MISC
kirby_cms — kirby_cms Kirby v2.5.12 allows XSS by using the “site files” Add option to upload an SVG file. 2018-12-28 not yet calculated CVE-2018-16630
MISC
leagoo — p1_android_device The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB. 2018-12-28 not yet calculated CVE-2018-14998
MISC
MISC
leagoo — z5c_android_device The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) containing an exported content provider named com.android.messaging.datamodel.MessagingContentProvider. Any app co-located on the device can read the most recent text message from each conversation. That is, for each phone number the user has sent a text message to or received one from, a zero-permission third-party app can obtain the body of the text message, the phone number, the name of the contact (if it exists), and a timestamp for the most recent text message of each conversation. As the querying of the vulnerable content provider app component can be performed silently in the background, a malicious app can continuously monitor the content provider to see if the current message in each conversation has changed, in order to obtain new text messages. 2018-12-28 not yet calculated CVE-2018-14986
MISC
MISC
leagoo — z5c_android_device The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.android.settings (versionCode=23, versionName=6.0-android.20170630.092853) that contains an exported broadcast receiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. 2018-12-28 not yet calculated CVE-2018-14985
MISC
MISC
leagoo — z5c_android_device The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) with an exported broadcast receiver app component named com.android.messaging.trackersender.TrackerSender. Any app co-located on the device, even one with no permissions, can send a broadcast intent with certain embedded data to the exported broadcast receiver application component that will result in the programmatic sending of a text message where the phone number and body of the text message is controlled by the attacker. 2018-12-28 not yet calculated CVE-2018-14984
MISC
MISC
libcaca — libcaca There is an illegal READ memory access at caca/dither.c (function get_rgba_default) in libcaca 0.99.beta19 for 24bpp data. 2018-12-28 not yet calculated CVE-2018-20547
MISC
libcaca — libcaca There is an illegal WRITE memory access at caca/file.c (function caca_file_read) in libcaca 0.99.beta19. 2018-12-28 not yet calculated CVE-2018-20549
MISC
libcaca — libcaca There is an illegal WRITE memory access at common-image.c (function load_image) in libcaca 0.99.beta19 for 4bpp data. 2018-12-28 not yet calculated CVE-2018-20545
MISC
libcaca — libcaca There is an illegal WRITE memory access at common-image.c (function load_image) in libcaca 0.99.beta19 for 1bpp data. 2018-12-28 not yet calculated CVE-2018-20548
MISC
libcaca — libcaca There is an illegal READ memory access at caca/dither.c (function get_rgba_default) in libcaca 0.99.beta19 for the default bpp case. 2018-12-28 not yet calculated CVE-2018-20546
MISC
libcaca — libcaca There is a floating point exception at caca/dither.c (function caca_dither_bitmap) in libcaca 0.99.beta19. 2018-12-28 not yet calculated CVE-2018-20544
MISC
libdoc — libdoc The getlong function in numutils.c in libdoc through 2017-10-23 has a heap-based buffer over-read that allows attackers to cause a denial of service (application crash) via a crafted file. 2018-12-25 not yet calculated CVE-2018-20453
MISC
libdoc — libdoc The process_file function in reader.c in libdoc through 2017-10-23 has a heap-based buffer over-read that allows attackers to cause a denial of service (application crash) via a crafted file. 2018-12-25 not yet calculated CVE-2018-20451
MISC
liblas — liblas There is a segmentation fault triggered by an illegal address access at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20539
MISC
liblas — liblas There is a memory leak at liblas::Open (liblas/liblas.hpp) in libLAS 1.8.1. 2018-12-28 not yet calculated CVE-2018-20540
MISC
liblas — liblas There is a NULL pointer dereference at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20537
MISC
liblas — liblas There is a heap-based buffer over-read at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20536
MISC
libming — libming libming 0.4.8 has a NULL pointer dereference in the strlenext function of the decompile.c file, a different vulnerability than CVE-2018-7874. 2018-12-24 not yet calculated CVE-2018-20428
MISC
libming — libming libming 0.4.8 has a NULL pointer dereference in the getName function of the decompile.c file, a different vulnerability than CVE-2018-7872 and CVE-2018-9165. 2018-12-24 not yet calculated CVE-2018-20429
MISC
libming — libming libming 0.4.8 has a NULL pointer dereference in the newVar3 function of the decompile.c file, a different vulnerability than CVE-2018-7866. 2018-12-24 not yet calculated CVE-2018-20426
MISC
libming — libming libming 0.4.8 has a NULL pointer dereference in the getInt function of the decompile.c file, a different vulnerability than CVE-2018-9132. 2018-12-24 not yet calculated CVE-2018-20427
MISC
libming — libming libming 0.4.8 has a NULL pointer dereference in the pushdup function of the decompile.c file. 2018-12-24 not yet calculated CVE-2018-20425
MISC
libraw — libraw LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference. 2018-12-22 not yet calculated CVE-2018-20364
BID
MISC
libraw — libraw LibRaw::raw2image() in libraw_cxx.cpp has a heap-based buffer overflow. 2018-12-22 not yet calculated CVE-2018-20365
BID
MISC
libraw — libraw LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference. 2018-12-22 not yet calculated CVE-2018-20363
BID
MISC
libsolv — libsolv There is an illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20534
MISC
MISC
libsolv — libsolv There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20533
MISC
MISC
libsolv — libsolv There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20532
MISC
MISC
libxls — libxls The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid free that allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, because of inconsistent memory management (new versus free) in ole2_read_header in ole.c. 2018-12-25 not yet calculated CVE-2018-20452
MISC
libxls — libxls The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2017-2897. 2018-12-25 not yet calculated CVE-2018-20450
MISC
libxsmm — libxsmm There is a heap-based buffer-overflow at generator_spgemm_csc_reader.c (function libxsmm_sparse_csc_reader) in LIBXSMM 1.10, a different vulnerability than CVE-2018-20541 (which is in a different part of the source code and is seen at a different address). 2018-12-28 not yet calculated CVE-2018-20542
MISC
MISC
MISC
MISC
libxsmm — libxsmm There is an attempted excessive memory allocation at libxsmm_sparse_csc_reader in generator_spgemm_csc_reader.c in LIBXSMM 1.10 that will cause a denial of service. 2018-12-28 not yet calculated CVE-2018-20543
MISC
libxsmm — libxsmm There is a heap-based buffer overflow in libxsmm_sparse_csc_reader at generator_spgemm_csc_reader.c in LIBXSMM 1.10, a different vulnerability than CVE-2018-20542 (which is in a different part of the source code and is seen at different addresses). 2018-12-28 not yet calculated CVE-2018-20541
MISC
MISC
MISC
linux — linux_kernel An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call. 2018-12-27 not yet calculated CVE-2018-20511
MISC
BID
MISC
MISC
MISC
metinfo — metinfo MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php url_array[] parameter. 2018-12-26 not yet calculated CVE-2018-20486
MISC
MISC
mezzanine_cms — mezzanine_cms Mezzanine CMS v4.3.1 allows XSS via the /admin/blog/blogcategory/add/?_to_field=id&_popup=1 title parameter at admin/blog/blogpost/add/. 2018-12-28 not yet calculated CVE-2018-16632
MISC
microstrategy — microstrategy_web main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. 2018-12-28 not yet calculated CVE-2018-18696
MISC
BUGTRAQ
minicms — minicms MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233. 2018-12-27 not yet calculated CVE-2018-20520
MISC
mit — kerberos A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. 2018-12-26 not yet calculated CVE-2018-20217
CONFIRM
CONFIRM
FEDORA
ml_report — ml_report_enterprise ML Report versions between 2.00.000.0000 and 2.18.628.5980 contain a vulnerability that could allow a remote attacker to download and execute an arbitrary remote file by setting the arguments to the ActiveX method; this can be leveraged for code execution. 2018-12-28 not yet calculated CVE-2018-5204
MISC
motorola — multiple_devices Motorola SBG901 SBG901-2.10.1.1-GA-00-581-NOSH, SBG941 SBG941-2.11.0.0-GA-07-624-NOSH, and SVG1202 SVG1202-2.1.0.0-GA-14-LTSH devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20399
BID
MISC
MISC
mplus — cbc383z_devices mplus CBC383Z CBC383Z_mplus_MDr026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20397
MISC
MISC
nec_corporation_of_america — nec_univerge_sv9100_webpro NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Storage in the Web UI. 2018-12-26 not yet calculated CVE-2018-11742
MISC
MISC
FULLDISC
EXPLOIT-DB
nec_corporation_of_america — nec_univerge_sv9100_webpro NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session IDs that result in Account Information Disclosure via Home.htm?sessionId=#####&GOTO(8) URIs. 2018-12-26 not yet calculated CVE-2018-11741
MISC
MISC
FULLDISC
EXPLOIT-DB
net&sys — multiple_devices NET&SYS MNG2120J 5.76.1006c and MNG6300 5.83.6305jrc2 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20396
MISC
MISC
netwave — mng6200_devices NETWAVE MNG6200 C4835805jrc12FU121413.cpr devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20395
MISC
MISC
netwide_assembler — netwide_assembler There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during a line-number increment attempt. 2018-12-28 not yet calculated CVE-2018-20535
MISC
netwide_assembler — netwide_assembler There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during certain finishes tests. 2018-12-28 not yet calculated CVE-2018-20538
MISC
nuttx — nuttx An issue was discovered in NuttX before 7.27. The function netlib_parsehttpurl() in apps/netutils/netlib/netlib_parsehttpurl.c mishandles URLs longer than hostlen bytes (in the webclient, this is set by default to 40), leading to an Infinite Loop. The attack vector is the Location header of an HTTP 3xx response. 2018-12-28 not yet calculated CVE-2018-20578
MISC
MISC
orange — livebox Orange Livebox 00.96.320S devices allow cgi-bin/restore.exe, cgi-bin/firewall_SPI.exe, cgi-bin/setup_remote_mgmt.exe, cgi-bin/setup_pass.exe, and cgi-bin/upgradep.exe CSRF. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. 2018-12-28 not yet calculated CVE-2018-20577
MISC
orange — livebox Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. 2018-12-28 not yet calculated CVE-2018-20576
MISC
MISC
orange — livebox Orange Livebox 00.96.320S devices have an undocumented /system_firmwarel.stm URI for manual firmware update. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. 2018-12-28 not yet calculated CVE-2018-20575
MISC
php_group — pear PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, an attacker can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4. 2018-12-28 not yet calculated CVE-2018-1000888
MISC
MISC
CONFIRM
CONFIRM
phpscriptsmall.com — website_seller_script PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to CVE-2018-15896. 2018-12-28 not yet calculated CVE-2018-20530
MISC
poppler — poppler A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c. 2018-12-28 not yet calculated CVE-2018-20551
MISC
MISC
poppler — poppler XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc. 2018-12-25 not yet calculated CVE-2018-20481
BID
MISC
MISC
pulse_secure — secure_access_sa_series_ssl_vpn_products Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed. Specifically, it is possible for a readonly user to change the administrator user password by making a local copy of the /dana-admin/user/update.cgi page, changing the “user” value, and saving the changes. 2018-12-21 not yet calculated CVE-2018-20193
FULLDISC
BID
python — python Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a “resize to twice the size” attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. 2018-12-23 not yet calculated CVE-2018-20406
MISC
MISC
q’center — virtual_appliance Cross-site scripting (XSS) vulnerability in Q’center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject Javascript code in the compromised application, a different vulnerability than CVE-2018-0723. 2018-12-26 not yet calculated CVE-2018-0724
CONFIRM
q’center — virtual_appliance Cross-site scripting (XSS) vulnerability in Q’center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject Javascript code in the compromised application, a different vulnerability than CVE-2018-0724. 2018-12-26 not yet calculated CVE-2018-0723
CONFIRM
radare2 — radare2 In radare2 prior to 3.1.1, r_bin_dyldcache_extract in libr/bin/format/mach0/dyldcache.c may allow attackers to cause a denial-of-service (application crash caused by out-of-bounds read) by crafting an input file. 2018-12-25 not yet calculated CVE-2018-20458
MISC
MISC
radare2 — radare2 In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457. 2018-12-25 not yet calculated CVE-2018-20459
MISC
MISC
radare2 — radare2 In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c allows attackers to cause a denial-of-service (application crash caused by out-of-bounds read) by crafting a binary file. 2018-12-25 not yet calculated CVE-2018-20461
MISC
MISC
radare2 — radare2 In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p/asm_x86_nz.c may allow attackers to cause a denial of service (application crash in libr/util/strbuf.c via a stack-based buffer over-read) by crafting an input file, a related issue to CVE-2018-20455. 2018-12-25 not yet calculated CVE-2018-20456
MISC
MISC
radare2 — radare2 In radare2 through 3.1.3, the assemble function inside libr/asm/p/asm_arm_cs.c allows attackers to cause a denial-of-service (application crash via an r_num_calc out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20459. 2018-12-25 not yet calculated CVE-2018-20457
MISC
MISC
radare2 — radare2 In radare2 prior to 3.1.2, the parseOperands function in libr/asm/arch/arm/armass64.c allows attackers to cause a denial-of-service (application crash caused by stack-based buffer overflow) by crafting an input file. 2018-12-25 not yet calculated CVE-2018-20460
MISC
MISC
radare2 — radare2 In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p/asm_x86_nz.c may allow attackers to cause a denial of service (application crash via a stack-based buffer overflow) by crafting an input file, a related issue to CVE-2018-20456. 2018-12-25 not yet calculated CVE-2018-20455
MISC
MISC
rockwell_automation_allen-bradley — powermonitor_1000 An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element. 2018-12-26 not yet calculated CVE-2018-19616
MISC
EXPLOIT-DB
rockwell_automation_allen-bradley — powermonitor_1000 An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. /Security/Security.shtm has stored XSS via a /Security/cgi-bin/security URI. 2018-12-26 not yet calculated CVE-2018-19615
MISC
EXPLOIT-DB
s-cms — s-cms An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. 2018-12-25 not yet calculated CVE-2018-20479
MISC
s-cms — s-cms An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. 2018-12-25 not yet calculated CVE-2018-20480
MISC
s-cms — s-cms An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value. 2018-12-25 not yet calculated CVE-2018-20478
MISC
safe_software — fme_server Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords to the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts. 2018-12-23 not yet calculated CVE-2018-20402
MISC
schneider_electric — evlink_parking A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed. 2018-12-24 not yet calculated CVE-2018-7801
CONFIRM
schneider_electric — evlink_parking A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable an attacker to gain access to the device. 2018-12-24 not yet calculated CVE-2018-7800
CONFIRM
schneider_electric — evlink_parking A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges. 2018-12-24 not yet calculated CVE-2018-7802
CONFIRM
schneider_electric — foxview_hmi_scada A Credential Management vulnerability exists in FoxView HMI SCADA (All Foxboro DCS, Foxboro Evo, and IA Series versions prior to Foxboro DCS Control Core Services 9.4 (CCS 9.4) and FoxView 10.5.) which could cause unauthorized disclosure, modification, or disruption in service when the password is modified without permission. 2018-12-24 not yet calculated CVE-2018-7793
CONFIRM
schneider_electric — gp-pro_ex An Improper Input Validation vulnerability exists in Pro-Face GP-Pro EX v4.08 and previous versions which could cause the execution of an arbitrary executable when GP-Pro EX is launched. 2018-12-24 not yet calculated CVE-2018-7832
CONFIRM
schneider_electric — iiot_monitor An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists in IIoT Monitor 3.1.38 which could allow access to files available to SYSTEM user. 2018-12-24 not yet calculated CVE-2018-7835
CONFIRM
schneider_electric — iiot_monitor An unrestricted Upload of File with Dangerous Type vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow upload and execution of malicious files. 2018-12-24 not yet calculated CVE-2018-7836
CONFIRM
schneider_electric — iiot_monitor An Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information. 2018-12-24 not yet calculated CVE-2018-7837
CONFIRM
schneider_electric — powersuite2 A Buffer Error vulnerability exists in PowerSuite 2, all released versions (VW3A8104 & Patches), which could cause an overflow in the memcpy function, leading to corruption of data and program instability. 2018-12-24 not yet calculated CVE-2018-7796
CONFIRM
scientific_atlanta_webstar — dpc2100_devices S-A WebSTAR DPC2100 v2.0.2r1256-060303 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20392
MISC
MISC
sky_elite — 6.0l+_android_device The Sky Elite 6.0L+ Android device with a build fingerprint of SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys contains a pre-installed platform app with a package name of com.fw.upgrade.sysoper (versionCode=238, versionName=2.3.8) that contains an exported broadcast receiver app component named com.adups.fota.sysoper.WriteCommandReceiver that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. The com.fw.upgrade.sysoper app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user’s text messages, and more. 2018-12-28 not yet calculated CVE-2018-15007
MISC
MISC
skyworth — multiple_cm5100_devices Skyworth CM5100 V1.1.0, CM5100-440 V1.2.1, CM5100-511 4.1.0.14, CM5100-GHD00 V1.2.2, and CM5100.g2 4.1.0.17 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20398
MISC
MISC
sqlite — sqlite SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. 2018-12-21 not yet calculated CVE-2018-20346
BID
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MLIST
MISC
MISC
MISC
MISC
MISC
MISC
CONFIRM
suse — repository_mirroring_tool The YaST2 RMT module for configuring the SUSE Repository Mirroring Tool (RMT) before 1.1.2 exposed MySQL database passwords on process commandline, allowing local attackers to access or corrupt the RMT database. 2018-12-26 not yet calculated CVE-2018-17957
CONFIRM
CONFIRM
synology — diskstation_manager Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. 2018-12-24 not yet calculated CVE-2018-8917
CONFIRM
synology — diskstation_manager Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors. 2018-12-24 not yet calculated CVE-2018-8919
CONFIRM
synology — diskstation_manager Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format. 2018-12-24 not yet calculated CVE-2018-8920
CONFIRM
synology — router_manager Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter. 2018-12-24 not yet calculated CVE-2018-8918
CONFIRM
tcpreplay — tcpreplay Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len in common/get.c. 2018-12-28 not yet calculated CVE-2018-20553
MISC
MISC
tcpreplay — tcpreplay Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree in tree.c. 2018-12-28 not yet calculated CVE-2018-20552
MISC
MISC
technicolor — multiple_devices Technicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU, CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC, DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a, TC7110.AR STD3.38.03, TC7110.B STC8.62.02, TC7110.D STDB.79.02, TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT, and TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20393
MISC
MISC
technicolor — multiple_devices Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20439
MISC
technicolor — multiple_devices Technicolor DPC2320 dpc2300r2-v202r1244101-150420a-v6 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20381
MISC
MISC
technicolor — multiple_devices Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-160428a devices allow XSS via a Cross Protocol Injection attack with setSSID of 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.1.1.3.10001. 2018-12-23 not yet calculated CVE-2018-20379
MISC
technicolor — multiple_devices Technicolor TC7110.AR STD3.38.03 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20438
MISC
technicolor — multiple_devices Technicolor CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20440
MISC
technicolor — multiple_devices Technicolor TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20441
MISC
technicolor — multiple_devices Technicolor TC7110.B STC8.62.02 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20442
MISC
technicolor — multiple_devices Technicolor TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20443
MISC
technicolor — multiple_devices Technicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests. 2018-12-25 not yet calculated CVE-2018-20444
MISC
teknotel — cbw700n_devices TEKNOTEL CBW700N 81.447.392110.729.024 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20391
MISC
MISC
telegram — telegram The “secret chat” feature in Telegram 4.9.1 for Android has a “side channel” in which Telegram servers send GET requests for URLs typed while composing a chat message, before that chat message is sent. There are also GET requests to other URLs on the same web server. This also affects one or more other Telegram products, such as Telegram Web-version 0.7.0. In addition, it can be interpreted as an SSRF issue. 2018-12-24 not yet calculated CVE-2018-20436
MISC
MISC
the_qt_company — qt An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. 2018-12-26 not yet calculated CVE-2018-19873
SUSE
CONFIRM
CONFIRM

the_qt_company — qt QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. 2018-12-26 not yet calculated CVE-2018-15518
SUSE
CONFIRM
CONFIRM
the_qt_company — qt An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. 2018-12-26 not yet calculated CVE-2018-19871
CONFIRM
CONFIRM
the_qt_company — qt An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. 2018-12-26 not yet calculated CVE-2018-19870
CONFIRM
CONFIRM
the_qt_company — qt An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. 2018-12-26 not yet calculated CVE-2018-19869
CONFIRM
CONFIRM
thomson — multiple_devices Thomson DWG849 STC0.01.16, DWG850-4 ST9C.05.25, DWG855 ST80.20.26, and TWG870 STB2.01.36 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20394
MISC
MISC
tiny_c_compiler — tiny_c_compiler An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the sym_pop function in tccgen.c. 2018-12-23 not yet calculated CVE-2018-20375
MISC
tiny_c_compiler — tiny_c_compiler An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the asm_parse_directive function in tccasm.c. 2018-12-23 not yet calculated CVE-2018-20376
MISC
tiny_c_compiler — tiny_c_compiler An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the use_section1 function in tccasm.c. 2018-12-23 not yet calculated CVE-2018-20374
MISC
ubee — multiple_devices Ubee DVW2108 6.28.1017 and DVW2110 6.28.2012 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20400
MISC
MISC
via_technologies — epia-e900_system_board ETK_E900.sys, a SmartETK driver for VIA Technologies EPIA-E900 system board, is vulnerable to denial of service attack via IOCTL 0x9C402048, which calls memmove and constantly fails on an arbitrary (uncontrollable) address, resulting in an eternal hang or a BSoD. 2018-12-26 not yet calculated CVE-2018-20404
MISC
vivo — v7_android_device The Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys contains a platform app with a package name of com.vivo.bsptest (versionCode=1, versionName=1.0) containing an exported activity app component named com.vivo.bsptest.BSPTestActivity that allows any app co-located on the device to initiate the writing of the logcat log, bluetooth log, and kernel log to external storage. When logging is enabled, there is a notification in the status bar, so it is not completely transparent to the user. The user can cancel the logging, but it can be re-enabled since the app with a package name of com.vivo.bsptest cannot be disabled. The writing of these logs can be initiated by an app co-located on the device, although the READ_EXTERNAL_STORAGE permission is necessary for an app to access the log files. 2018-12-28 not yet calculated CVE-2018-15001
MISC
MISC
vivo — v7_android_device The Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys allows any app co-located on the device to set system properties as the com.android.phone user. The com.qualcomm.qti.modemtestmode app (versionCode=25, versionName=7.1.2) contains an exported service named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app co-located on the device to provide key-value pairs to set certain system properties. Notably, system properties with the persist.* prefix can be set, which will survive a reboot. On the Vivo V7 device, when the persist.sys.input.log property is set to have a value of yes, the user’s screen touches are written to the logcat log by the InputDispatcher for all apps. The system-wide logcat log can be obtained from external storage via a different known vulnerability on the device. The READ_EXTERNAL_STORAGE permission is necessary to access the log files containing the user’s touch coordinates. With some effort, the user’s touch coordinates can be mapped to key presses on a keyboard. 2018-12-28 not yet calculated CVE-2018-15002
MISC
MISC
weberp — weberp In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access Control, leading to the overwrite of an existing .sql file on the target web site by creating a template and then using ../ directory traversal in the TemplateName parameter. 2018-12-23 not yet calculated CVE-2018-20420
MISC
wellintech — kingscada WellinTech KingSCADA before 3.7.0.0.1 contains a stack-based buffer overflow. The vulnerability is triggered when sending a specially crafted packet to the AlarmServer (AEserver.exe) service listening on TCP port 12401. 2018-12-23 not yet calculated CVE-2018-20410
MISC
MISC
wordpress — wordpress An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF. 2018-12-25 not yet calculated CVE-2018-20463
MISC
wordpress — wordpress An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter. 2018-12-25 not yet calculated CVE-2018-20462
MISC
wuzhi_cms — wuzhi_cms WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893. 2018-12-28 not yet calculated CVE-2018-20572
MISC

xiaomi — mi_a1_devices An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE devices. They store cleartext Wi-Fi passwords in logcat during the process of setting up the phone as a hotspot. 2018-12-24 not yet calculated CVE-2018-18698
MISC
xmplay — xmplay XMPlay 3.8.3 allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted http:// URL in a .m3u file. 2018-12-24 not yet calculated CVE-2018-19357
EXPLOIT-DB
yaml-cpp — yaml-cpp The SingleDocParser::HandleFlowMap function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. 2018-12-28 not yet calculated CVE-2018-20574
MISC
yaml-cpp — yaml-cpp The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. 2018-12-28 not yet calculated CVE-2018-20573
MISC
zoho — manageengine_adselfservice_plus Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. 2018-12-26 not yet calculated CVE-2018-20485
MISC
zoho — manageengine_adselfservice_plus Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. 2018-12-26 not yet calculated CVE-2018-20484
MISC
zoho — manageengine_opmanager Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section. 2018-12-21 not yet calculated CVE-2018-20338
BID
MISC
zoho — manageengine_opmanager Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section. 2018-12-21 not yet calculated CVE-2018-20339
BID
MISC
zoom — 5352_devices Zoom 5352 v5.5.8.6Y devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. 2018-12-23 not yet calculated CVE-2018-20401
MISC
MISC
zte — blade_vantage_android_device The ZTE Blade Vantage Android device with a build fingerprint of ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys, the ZTE Blade Spark Android device with a build fingerprint of ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys, the ZTE ZMAX Pro Android device with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contain a pre-installed platform app with a package name of com.android.modem.service (versionCode=25, versionName=7.1.1; versionCode=23, versionName=6.0.1) that exports an interface to any app co-located on the device. Using the exported interface of the com.android.modem.service app, any app can enable and obtain certain log files (modem and logcat) without the appropriate corresponding access permissions. The modem logs contain the phone number and full text body of incoming and outgoing text messages in binary format. In addition, the modem log contains the phone numbers for both incoming and outgoing phone calls. The system-wide logcat logs (those obtained via the logcat binary) tend to contain sensitive user data. Third-party apps are prevented from directly reading the system-wide logcat logs. The capability to read from the system-wide logcat logs is only available to pre-installed system apps and platform apps. The modem log and/or logcat log, once activated, get written to external storage (SD card). An app aware of this vulnerability can enable the logs, parse them for relevant data, and exfiltrate them from the device. The modem log and logcat log are inactive by default, but a third-party app with no permissions can activate them, although the app will need to be granted the READ_EXTERNAL_STORAGE permission to access them. 2018-12-28 not yet calculated CVE-2018-14995
MISC
MISC
zte — zmax_champ_android_device The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts. 2018-12-28 not yet calculated CVE-2018-15006
MISC
MISC
zte — zmax_champ_android_device The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.zte.zdm.sdm (versionCode=31, versionName=V5.0.3) that contains an exported broadcast receiver app component named com.zte.zdm.VdmcBroadcastReceiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. 2018-12-28 not yet calculated CVE-2018-15005
MISC
MISC
zte — zxv10_b860av2.1_chinamobile ZTE ZXV10 B860AV2.1 product ChinaMobile branch with the ICNT versions up to V1.3.3, the BESTV versions up to V1.2.2, the WASU versions up to V1.1.7 and the MGTV versions up to V1.4.6 have an authentication bypass vulnerability, which may allow an unauthorized user to perform unauthorized operations. 2018-12-28 not yet calculated CVE-2018-7366
CONFIRM



This product is provided subject to this Notification and this Privacy & Use policy.

Securing New Devices


Original release date: December 28, 2018

During the holidays, internet-connected devices, also known as Internet of Things (IoT) devices, are often popular gifts—such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.



Chinese Malicious Cyber Activity


Original release date: December 20, 2018

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released information on Chinese government malicious cyber activity targeting global information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers. These threat actors are actively exploiting trust relationships between IT service providers and their customers.

NCCIC, part of CISA, encourages users and administrators to review the page on Chinese Malicious Cyber Activity for more information.



I have two DL380 server with esxi 5.5 running on the top of both servers. I have connected these servers via cross cables with primary and secondary nic cards. I have made a vswitch and adaptor to connect to VM hosted on the respective servers. when i reb


I have two DL380 servers with ESXi 5.5 running on top of both servers. I have connected these servers via cross cables with primary and secondary NIC cards. I have made a vSwitch and adapter to connect to the VMs hosted on the respective servers. When I reboot the machine I can see that they will not be able to ping each other; in order to ping I need to disconnect and connect the adapter towards the VM. My NIC teaming is in active/standby. Please suggest a way to avoid this issue.

Cisco Releases Security Updates


Original release date: December 19, 2018

Cisco has released security updates to address a vulnerability in Adaptive Security Appliance. A remote attacker could exploit this vulnerability to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Cisco Security Advisory and apply the necessary updates.



Microsoft Releases Security Updates


Original release date: December 19, 2018

Microsoft has released security updates to address a vulnerability in Internet Explorer 9, 10, and 11. An attacker could exploit this vulnerability to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Microsoft Security Update Guide and apply the necessary updates.



AR18-352A: Quasar Open-Source Remote Administration Tool


Original release date: December 18, 2018

Summary

Quasar, a legitimate open-source remote administration tool (RAT), has been observed being used maliciously by Advanced Persistent Threat (APT) actors to facilitate network exploitation.

This Analysis Report provides information on Quasar’s functions and features, along with recommendations for preventing and mitigating Quasar activity.

Description

Quasar is a publicly available, open-source RAT for Microsoft Windows operating systems (OSs) written in the C# programming language. Quasar is authored by GitHub user MaxXor and publicly hosted as a GitHub repository. While the tool can be used for legitimate purposes (e.g., an organization’s helpdesk technician remotely accessing an employee’s laptop), the Cybersecurity and Infrastructure Security Agency (CISA) is aware of APT actors using Quasar for cybercrime and cyber-espionage campaigns.

Quasar was first released in July 2014 as “xRAT 2.0.” In August 2015, xRAT was renamed “Quasar” and released as v1.0.0.0. For this report, the National Cybersecurity and Communications Integration Center (NCCIC), part of CISA, analyzed Quasar version 1.3.0.0, which was released on September 28, 2016, and is the latest stable version available on GitHub. This report does not reflect any changes Quasar’s author has made to the tool’s source code since the release of v1.3.0.0.

Open-source reports state that some APT actors have adapted Quasar and created modified minor (1.3.4.0) and major (2.0.0.0 and 2.0.0.1) versions.[1],[2] NCCIC has not determined the exact difference between these versions and v1.3.0.0. Therefore, NCCIC cannot definitively say whether the detection and mitigation recommendations provided in this report will work effectively against APT actor-modified versions of Quasar.

High Level Architecture

Quasar uses a client-server architecture that enables one user to remotely access many clients. The server is responsible for creating client binaries and managing client connections. Users then interact with connected clients through the server’s graphical user interface (GUI).

Note: Quasar does not contain software vulnerability exploits. Threat actors must leverage other tools or methods to gain access to a target host before they can use Quasar.

Requirements

Quasar requires a Microsoft .NET Framework 4.0 (or higher) Client Profile. The Quasar client and server will run on the following OSs (32- and 64-bit):

  • Windows XP Service Pack 3,
  • Windows Server 2003,
  • Windows Vista,
  • Windows Server 2008,
  • Windows 7,
  • Windows Server 2012,
  • Windows 8/8.1, and
  • Windows 10.

Quasar Server

The Quasar server component is responsible for

  • Listening for and handling client connections (e.g., catching new connections, terminating connections);
  • Managing connected clients (e.g., retrieving files, showing the screen, killing processes); and
  • Configuring and building client executables.

Figure 1 shows the Quasar server component GUI. Quasar users interact with the server and, in turn, its clients, through the GUI. Each client’s entry is listed individually and includes the client’s Internet Protocol (IP) address, username, Quasar client version, connection status, user status, country, OS, and account type. The Quasar user initiates client interactions by right-clicking an individual client row, which opens a pop-up menu with available commands.

Figure 1: Quasar screenshot – example of a Quasar server with a connected client

The server component builds client executables that the Quasar user can run on target hosts. The client builder feature allows the Quasar user to select from different options and attributes (see table 1).

Table 1: Quasar client builder feature options and attributes

| Option | Default | Description |
|---|---|---|
| Basic Settings | | |
| Client tag | None | Represents the name for the client instance. This value is displayed in the connection table (see figure 1) of the Quasar server GUI once the client connects |
| Mutex | QSR_MUTEX_[18 character alphanumeric upper and lowercase string] | Sets the file mutual exclusion object (mutex) to prevent the same host being infected multiple times |
| Connection Settings | | |
| Callback IP | None | Sets the server IP for the client connection |
| Callback domain | None | Sets the domain for the client connection |
| Callback port | 4782 | Sets the Transmission Control Protocol (TCP) port callback to “on” |
| Password | 1234 | Sets the password for Advanced Encryption Standard (AES) encryption |
| Connection retry | 300ms | Sets how often the client will attempt to callback if they are not connected |
| Installation Settings | | |
| Install client | Off | Sets the default for whether or not the client will install on a host |
| Base installation paths | %AppData%; Program Files*; WindowsSysWOW64* | The location where the client file will be installed on a host. This field is limited to the options listed. Starred items (*) require administrator privileges |
| Install subdirectory | SubDir | Makes a customizable subdirectory within the base installation path |
| Install name | Client | The name of the client file. This file must be .exe |
| Run client when the computer starts | Off | A checkbox that, if checked, will add the Quasar client as an AutoRun via Registry Key or Scheduled Task |
| Startup name | Quasar Client Startup | Customizable free text field |

The Quasar user can also set metadata to be embedded in the executable, such as the author, organization, copyright, year, and version.

Quasar Client

Quasar client instances are built by the server component. Based on multiple client builds, each with different configurations, the client size is consistently 349KB. Once it is distributed to a target host, the client needs to be executed before it can call back to the server. Client execution is invisible to the target host user and does not generate any visible windows or notifications on the target host, except in cases where the client becomes unresponsive. Once running on a target host, the client process is visible to the target host user via Windows Task Manager or a similar process management program.

Network Traffic

Quasar encrypts communications using the AES algorithm. The client builder hardcodes a Quasar user-chosen, pre-shared key to be used in command and control (C2) communications. The server must be configured to listen on the callback port and use the pre-shared key. (Quasar’s author has stated [via GitHub] that they would like to update Quasar to use Transport Layer Security for C2 encryption in the future.)

After the TCP handshake is completed, all traffic between the server and client is encrypted. The entropy of AES ciphertext makes it impossible to write a pattern to detect this content. Quasar uses the first 4 bytes of the TCP payload to track the payload’s total size in little-endian format. This size-tracking pattern is distinctive to Quasar network traffic. As shown in figure 2, the first 4 bytes of the TCP payload are 0x40000000, which read as a little-endian integer is 64 decimal. Subtracting the tracking bytes (4 bytes) from the total TCP payload (68 bytes) results in an actual payload size of 64 bytes.

Figure 2: Quasar screenshot – C2 traffic

The distinctive first 4 bytes of the payload can be used to identify Quasar traffic. Specifically, the first 4 bytes can identify the first packet sent from the server to the client following the TCP handshake. This packet is used to initiate the server/client authentication process. See table 2 for a description of the attributes of the first packet from the server to the client following the TCP handshake. This information can be used to identify potential Quasar activity on a network.

Table 2: Quasar packet attributes

Type | Attribute
TCP flag | PSH and ACK
Total size | 122 bytes
TCP payload size | 68 bytes
First 4 bytes of payload | 0x40000000

Client Network Traffic

Quasar allows the user to gather host system information. As part of the client connection setup, the client attempts to discover its geolocation—including its Wide Area Network (WAN) IP address—by sending an HTTP GET request to the Uniform Resource Locator (URL) ip-api[.]com/json/ with User-Agent string:

Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0.

This User-Agent string mimics a Mozilla Firefox 48 browser running on Windows 8.1. This User-Agent string would likely stand out as unique in a corporate network environment, and its presence could be a high-confidence indication of Quasar activity.

If the client does not receive a response from this lookup, the client attempts to retrieve WAN IP information from freegeoip[.]net and then from api[.]ipify[.]org, in that order. The User-Agent string remains the same across all attempts.

Quasar users can also direct the client to access websites. These requests can be set as visible to the host user via a browser window that opens or invisible to the host user via the C# WebRequest class. Requests that are visible to the host user use the User Agent string from the Quasar user’s browser. Requests that are marked as invisible to the host user are sent with User-Agent string:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A.

This User-Agent string mimics an Apple Safari 7.0.3 browser running on Mac OS X 10.9.3. The use of Mac OS X as the operating system is interesting because Quasar can only be run on Windows. NCCIC has leveraged Quasar’s use of Mac OS X to limit false positives in the Snort signatures for this activity.

The User-Agent strings listed in this section are set by the server component when the client file is built. The strings can only be changed by altering the User-Agent string in the server source code. All clients built with a server component compiled from unaltered Quasar v1.3.0.0 source code contain these User-Agents.

Client Installation

Quasar’s client builder limits the base directories in which the client may be placed. The three base directories in which the Quasar client builder can place the client are

  • Program Files (requires administrator privileges),
  • Windows\SysWOW64 (requires administrator privileges), and
  • %APPDATA%.

Figure 3: Quasar screenshot – client installation settings

Quasar users can specify which subdirectory within the base directory to place the client executable (as shown in figure 3). Quasar users can also specify the name of the executable. Both the client executable and the subdirectory can be hidden from the target host user during installation by a Windows application programming interface call that sets one of the file’s attributes to “hidden.” The “hidden” setting only hides files from the target host user’s view in Windows File Explorer.

Persistence

Quasar achieves persistence by executing on startup, as seen in the source code shown in figure 4. To achieve persistence, Quasar uses two methods: scheduled tasks and registry keys. If the client process has administrator privileges, the client will generate a scheduled task via schtasks. The scheduled task is generated using the task name created in the client builder. The scheduled task runs after the host user logs on, executes with the highest run level (i.e., the highest level of privilege), and suppresses any errors related to creating the task. If the process does not have administrator privileges (or, as figure 4 shows, if the schtasks call fails), the client only adds a registry value. That registry value is added to the following key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The value name is the startup name configured in the client builder, and the value data is the client’s current path, so that the client is launched as a startup program.

if (WindowsAccountHelper.GetAccountType() == "Admin")
{
    try
    {
        // Elevated: register a logon-triggered scheduled task with the highest run level
        ProcessStartInfo startInfo = new ProcessStartInfo("schtasks")
        {
            Arguments = "/create /tn \"" + Settings.STARTUPKEY + "\" /sc ONLOGON /tr \"" + ClientData.CurrentPath + "\" /rl HIGHEST /f",
            UseShellExecute = false,
            CreateNoWindow = true
        };

        Process p = Process.Start(startInfo);
        p.WaitForExit(1000);
        if (p.ExitCode == 0) return true;
    }
    catch (Exception)
    {
    }

    // Fall back to the HKCU Run key if the scheduled task could not be created
    return RegistryKeyHelper.AddRegistryKeyValue(RegistryHive.CurrentUser,
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run", Settings.STARTUPKEY, ClientData.CurrentPath,
        true);
}
else
{
    // Not elevated: only the HKCU Run key value is added
    return RegistryKeyHelper.AddRegistryKeyValue(RegistryHive.CurrentUser,
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run", Settings.STARTUPKEY, ClientData.CurrentPath,
        true);
}

Figure 4: Source code from Quasar/Client/Core/Installation/Startup.cs

Privilege Escalation

Quasar allows the tool user to escalate the client’s running privileges, as seen in the source code shown in figure 5. To escalate the client’s running privileges, Quasar attempts to launch a command prompt (cmd.exe) as an administrator. The elevated command prompt then relaunches the client. The client inherits the parent process’ now-elevated privileges. If Windows User Account Control (UAC) is configured, this method generates a UAC pop-up window on the target host, which asks the target host user to confirm running the command prompt as administrator.

if (WindowsAccountHelper.GetAccountType() != "Admin")
{
    // Ask the shell to start cmd.exe elevated ("runas"), which then relaunches the client
    ProcessStartInfo processStartInfo = new ProcessStartInfo
    {
        FileName = "cmd",
        Verb = "runas",
        Arguments = "/k START \"\" \"" + ClientData.CurrentPath + "\" & EXIT",
        WindowStyle = ProcessWindowStyle.Hidden,
        UseShellExecute = true
    };

Figure 5: Source code from Quasar/Client/Core/Commands/SystemHandler.cs

Solution

Network defenders can detect Quasar activity by monitoring network traffic for its unique pattern, the registry key it edits for persistence, mutexes for strings that follow the default Quasar pattern, and the directories where Quasar installs itself. Commercial antivirus programs detect most Quasar client binary builds as malicious.

Snort Signatures

Signature 1: TCP Payload Size Tracking

This signature matches on a server-to-client packet with a TCP payload length of 68 bytes and the first 4 bytes matching the size tracking sequence. NCCIC observed this packet as the first packet after the TCP handshake. Network defenders can create and implement additional signatures to detect differing TCP payload sizes and the packet’s respective size tracking sequences. The following Snort signature can be used to detect unmodified Quasar v1.3.0.0; however, it is unknown if this signature can be used to detect modified versions.

alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"Non-Std TCP Server Traffic contains '|40 00 00 00|' (Quasar RAT Initial Packet)"; sid:10000; rev:1; flow:established,from_server; dsize:68; content:"|40 00 00 00|"; depth:4; fast_pattern;)

Quasar uses a TCP payload of 68 bytes at the beginning of each of its sessions. Quasar’s distinctive 68-byte TCP payload presents the best opportunity for network defenders to identify Quasar activity.

It is likely that the Quasar TCP payload server packet will originate from TCP port 80 or 443 to traverse network firewalls and attempt to blend in with normal web browsing traffic. Network defenders may want to further limit this Snort signature to only TCP ports 80 or 443.

When reviewing alerts generated by this Snort signature, network defenders should look for server-to-client TCP PSH/ACK packets following the alert packet. True positive alerts will likely have a 4-byte tracking sequence equal to the size of the TCP payload minus 4 bytes, with what appears to be ciphertext in the remaining payload.

NCCIC recommends applying this Snort signature to a network sensor located on an organization’s perimeter to limit the false positives generated by internal organization traffic.
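The size-tracking framing described above and the triage rule for Signature 1 alerts (prefix equals payload length minus 4, remainder looks like ciphertext), as an added Python example that is not part of the original report. The packet bytes are constructed, the entropy threshold is an assumption, and snort_size_content() generalizes the "|40 00 00 00|" content match to the other payload sizes the text says defenders can write signatures for.

```python
import hashlib
import math
import struct
from collections import Counter

# Quasar framing: first 4 bytes of each TCP payload = length of the rest, little-endian.
LEN_PREFIX = struct.Struct("<I")


def parse_quasar_frame(payload: bytes):
    """Return (declared_length, body) for one TCP payload, or None if too short."""
    if len(payload) < LEN_PREFIX.size:
        return None
    (declared,) = LEN_PREFIX.unpack_from(payload)
    return declared, payload[LEN_PREFIX.size:]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; ciphertext approaches the maximum for its length."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_quasar_candidate(payload: bytes, ratio: float = 0.8) -> bool:
    """Triage rule: prefix must equal len(payload) - 4 and the body must look random.
    The 0.8 ratio of the maximum possible entropy is an assumed threshold."""
    parsed = parse_quasar_frame(payload)
    if parsed is None:
        return False
    declared, body = parsed
    if declared != len(body) or len(body) < 16:  # too short to judge entropy
        return False
    max_bits = min(8.0, math.log2(len(body)))  # a 64-byte body can show at most 6 bits/byte
    return shannon_entropy(body) >= ratio * max_bits


def snort_size_content(dsize: int) -> str:
    """Snort content string for the prefix of a dsize-byte payload: 68 -> '|40 00 00 00|'."""
    if dsize < LEN_PREFIX.size:
        raise ValueError("payload must be at least 4 bytes")
    return "|" + " ".join(f"{b:02x}" for b in LEN_PREFIX.pack(dsize - LEN_PREFIX.size)) + "|"


# Constructed 68-byte sample (not a real capture): two SHA-256 digests stand in for ciphertext.
SAMPLE_C2 = LEN_PREFIX.pack(64) + hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()

if __name__ == "__main__":
    print(parse_quasar_frame(SAMPLE_C2)[0], is_quasar_candidate(SAMPLE_C2), snort_size_content(68))
```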

Signature 2: IP Lookup User-Agent String, HyperText Transfer Protocol Header Host, and HyperText Transfer Protocol Header URI

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|ip-api com', URI '/json/' (Quasar RAT)"; sid:10002; rev:1; flow:established,to_server; content:"Host|3a 20|ip-api|2e|com|0d 0a|"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b| rv|3a|48.0) Gecko/20100101 Firefox/48.0|0d 0a|"; http_header; content:"/json/"; http_uri; depth:6; urilen:6,norm; classtype:http-header; priority:2;)

This Snort signature alerts on the WAN IP lookup initiated by the Quasar client. The User-Agent string, Hypertext Transfer Protocol (HTTP) header host, and HTTP header URI values are set by the server component when the client is built. The server component is configured with these values at compile time. The User-Agent string mimics Windows 8.1 running Firefox 48, both of which are considerably dated. It is possible to see this User-Agent string used legitimately; however, organizations with information technology baselines should know if this User-Agent string legitimately exists in their network environment.

Signature 3: Hidden HTTP Request User-Agent String and Time-to-Live

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A', TTL 65-128 (Quasar RAT)"; sid:10001; rev:1; flow:established,to_server; ttl:65-128; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A|0d 0a|"; http_header; fast_pattern:only; classtype:http-header; priority:2;)

This Snort signature alerts on a client-generated hidden HTTP request. The Quasar user can direct the target host to visit a URL and retrieve the content. If the request is set to “hidden,” the client uses this User-Agent string to mimic Mac OS X 10.9.3 and Safari 7. Mac OS X 10.9.3 and Safari 7 are not only dated, but also do not match the OS on which Quasar operates (i.e., Windows). NCCIC added a match on Time-to-Live values of between 65 and 128 to identify likely Windows OSs generating this User-Agent string.
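The same client-side indicators that Signatures 2 and 3 match on (the WAN IP lookup hosts and the two hardcoded User-Agent strings from the Client Network Traffic section), applied to web proxy logs instead of raw packets, as an added Python example that is not part of the original report. The JSON-lines log format, the record field names and the sample records are constructed for the example; the confidence labels are an assumption (proxy logs carry no TTL, so the Windows-host check from Signature 3 is not available here).

```python
import json

# User-Agent strings hardcoded in clients built from unmodified Quasar v1.3.0.0 (quoted above).
IP_LOOKUP_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
HIDDEN_REQUEST_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) "
                     "AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A")
# Geolocation services the client tries in turn during connection setup.
FALLBACK_LOOKUP_HOSTS = {"freegeoip.net", "api.ipify.org"}


def classify_request(host: str, path: str, user_agent: str):
    """Return (label, confidence) for one outbound HTTP request, or None if unremarkable."""
    if user_agent == IP_LOOKUP_UA:
        if (host == "ip-api.com" and path.startswith("/json/")) or host in FALLBACK_LOOKUP_HOSTS:
            return ("quasar-wan-ip-lookup", "high")      # the combination Signature 2 alerts on
        return ("quasar-client-user-agent", "medium")    # dated UA alone still worth a look
    if user_agent == HIDDEN_REQUEST_UA:
        # Safari/Mac OS X string from a host that, if it runs Quasar, is Windows (Signature 3).
        return ("quasar-hidden-http-request", "medium")
    return None


def scan_proxy_log(lines):
    """Parse JSON-lines proxy records (constructed format: src, host, path, ua) and return
    [(src, host, label, confidence)] for every request that matches."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        verdict = classify_request(rec["host"], rec["path"], rec["ua"])
        if verdict:
            hits.append((rec["src"], rec["host"], verdict[0], verdict[1]))
    return hits


# Constructed sample records; addresses and hosts are illustrative, not from a real capture.
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "host": "ip-api.com", "path": "/json/", "ua": IP_LOOKUP_UA}),
    json.dumps({"src": "10.0.0.5", "host": "freegeoip.net", "path": "/json/", "ua": IP_LOOKUP_UA}),
    json.dumps({"src": "10.0.0.9", "host": "example.com", "path": "/", "ua": HIDDEN_REQUEST_UA}),
    json.dumps({"src": "10.0.0.7", "host": "example.com", "path": "/",
                "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/71.0"}),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```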

Revisions

  • December 18, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Bomb Threats Emailed Around the World

Original release date: December 13, 2018

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Agency (CISA), is aware of a worldwide email campaign targeting businesses and organizations with bomb threats. The emails claim that a device will detonate unless a ransom in Bitcoin is paid.

If you receive a bomb threat email, NCCIC recommends the following actions:


WordPress Releases Security Update

Original release date: December 13, 2018

WordPress 5.0 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Agency (CISA), encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.0.1.
