CERT/CC

VU#347067: Multiple BGP implementations are vulnerable to improperly formatted BGP updates
Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router.
"This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session." (RFC 7606, Introduction)
Description
The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in 2015 by RFC 7606, Revised Error Handling for BGP UPDATE Messages.
Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).
This vulnerability was first announced as affecting OpenBSD-based routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below. These are the CVE IDs that were reserved by the reporter for the different vendors that were tested:
- CVE-2023-4481 (Juniper)
- CVE-2023-38802 (FRR)
- CVE-2023-38283 (OpenBGPd)
- CVE-2023-40457 (EXOS)
A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link on which such an update was received. Unaffected routers might also forward the crafted updates across the network, so the update could arrive at an affected router from multiple sources and cause multiple links to fail.
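The distinction RFC 7606 draws is the whole point of this note: a message-level length error leaves the NLRI unlocatable and still justifies a session reset, but an attribute-level defect (a length field that overruns the attribute list, a wrong fixed length, a missing well-known mandatory attribute) should only withdraw the routes carried in that one UPDATE. The following parser, written for this note as an added example and not taken from any of the affected implementations, applies that split to an IPv4 UPDATE body. The sample UPDATE and its malformed variant are constructed test vectors; the attribute codes and flag bit are the RFC 4271 values.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Well-known path attribute type codes (RFC 4271, section 5).
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
WELL_KNOWN_MANDATORY = {ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP}
FLAG_EXTENDED_LENGTH = 0x10          # attribute length field is 2 octets, not 1
FIXED_LENGTHS = {ATTR_ORIGIN: 1, ATTR_NEXT_HOP: 4}


class SessionReset(Exception):
    """Message-level error that leaves the NLRI unlocatable. RFC 7606 keeps the
    RFC 4271 response (NOTIFICATION, session reset) only for these cases."""


@dataclass
class UpdateResult:
    action: str                                   # "accept" or "treat-as-withdraw"
    nlri: List[Tuple[int, str]] = field(default_factory=list)
    withdrawn: List[Tuple[int, str]] = field(default_factory=list)
    attributes: Dict[int, bytes] = field(default_factory=dict)
    reason: str = ""


def parse_prefixes(buf: bytes) -> List[Tuple[int, str]]:
    """Decode IPv4 <length, prefix> tuples. A malformed NLRI cannot be
    withdrawn (we do not know what it names), so it stays a session-reset error."""
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        if plen > 32 or i + 1 + nbytes > len(buf):
            raise SessionReset("malformed prefix list")
        octets = buf[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append((plen, ".".join(str(b) for b in octets)))
        i += 1 + nbytes
    return prefixes


def parse_update_body(body: bytes) -> UpdateResult:
    """Parse the body of a BGP UPDATE (everything after the 19-octet header)."""
    if len(body) < 4:
        raise SessionReset("UPDATE body too short")
    wlen = struct.unpack("!H", body[:2])[0]
    if 2 + wlen + 2 > len(body):
        raise SessionReset("Withdrawn Routes Length too large")
    withdrawn = parse_prefixes(body[2:2 + wlen])
    off = 2 + wlen
    alen = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if off + alen > len(body):
        raise SessionReset("Total Path Attribute Length too large")
    attrs_buf = body[off:off + alen]
    # Total Path Attribute Length tells us where the NLRI starts, so from here
    # on every attribute-level defect is answered by withdrawing these routes.
    nlri = parse_prefixes(body[off + alen:])

    def withdraw(reason: str) -> UpdateResult:
        return UpdateResult("treat-as-withdraw", nlri, withdrawn, {}, reason)

    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(attrs_buf):
        if i + 2 > len(attrs_buf):
            return withdraw("truncated attribute header")
        flags, code = attrs_buf[i], attrs_buf[i + 1]
        i += 2
        hdr = 2 if flags & FLAG_EXTENDED_LENGTH else 1
        if i + hdr > len(attrs_buf):
            return withdraw(f"truncated length field for attribute {code}")
        length = struct.unpack("!H", attrs_buf[i:i + 2])[0] if hdr == 2 else attrs_buf[i]
        i += hdr
        if i + length > len(attrs_buf):
            return withdraw(f"attribute {code} length {length} overruns the attribute list")
        value = attrs_buf[i:i + length]
        i += length
        if code in FIXED_LENGTHS and length != FIXED_LENGTHS[code]:
            return withdraw(f"attribute {code} has length {length}, expected {FIXED_LENGTHS[code]}")
        if code in attrs:
            continue  # RFC 7606: keep the first occurrence, discard later duplicates
        attrs[code] = value
    if nlri and not WELL_KNOWN_MANDATORY.issubset(attrs):
        return withdraw("well-known mandatory attribute missing")
    return UpdateResult("accept", nlri, withdrawn, attrs)


# Constructed sample UPDATE: 198.51.100.0/24 via 192.0.2.1, AS_PATH [65000].
GOOD_ATTRS = (b"\x40\x01\x01\x00"                  # ORIGIN = IGP
              + b"\x40\x02\x04\x02\x01\xfd\xe8"    # AS_PATH = AS_SEQUENCE(65000)
              + b"\x40\x03\x04\xc0\x00\x02\x01")   # NEXT_HOP = 192.0.2.1
NLRI = b"\x18\xc6\x33\x64"                          # 198.51.100.0/24
# Same UPDATE with the NEXT_HOP length octet changed to 9: the attribute now
# overruns the attribute list, the kind of defect the advisory describes.
BAD_ATTRS = GOOD_ATTRS[:-5] + b"\x09" + GOOD_ATTRS[-4:]


def build_update_body(attrs: bytes) -> bytes:
    return b"\x00\x00" + struct.pack("!H", len(attrs)) + attrs + NLRI
```

Feeding `build_update_body(BAD_ATTRS)` to `parse_update_body` yields a treat-as-withdraw result that still names 198.51.100.0/24, which is exactly what lets a speaker drop that one route while keeping the session and every other route on it; an implementation that raised `SessionReset` at that point would show the behaviour this note describes.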
Solution
The CERT/CC is currently unaware of a practical solution for every vendor, but some vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:
(Juniper)
set protocols bgp bgp-error-tolerance
(Nokia)
[router bgp group]
error-handling update-fault-tolerance
Thanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.
VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router
An authentication bypass vulnerability exists in the N300 Wireless N VDSL2 Modem Router manufactured by Tenda. This vulnerability allows a remote, unauthenticated user to access sensitive information.
Description
CVE-2023-4498 is an authentication bypass vulnerability that enables an unauthenticated attacker who has access to the web console, either locally or remotely, to access resources that would normally be protected. The attacker can construct a web request that includes a white-listed keyword in the path, causing the URL to be served directly (rather than blocked or challenged with an authentication prompt).
Impact
Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication. An unauthenticated attacker could thereby gain access to sensitive information, such as the administrative password, which could be used to launch additional attacks.
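The flaw described above is a keyword match on the raw request target deciding whether authentication is required. The example below, added for this note and not derived from Tenda's firmware, puts that pattern next to a hardened form: canonicalise the path first (strip the query, percent-decode, resolve dot segments, collapse leading slashes), then match exact prefixes, and let the protected-prefix rule win over the public one. The keyword list and route prefixes are constructed for the example.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed policy for the example; not Tenda's real routes or keywords.
PUBLIC_KEYWORDS = ("css", "js", "img", "login")
PUBLIC_PREFIXES = ("/css/", "/js/", "/img/", "/login")
PROTECTED_PREFIXES = ("/admin/", "/cgi-bin/")


def vulnerable_is_public(raw_target: str) -> bool:
    """Keyword substring test on the raw request target: any protected URL
    that merely contains an allow-listed word is served without a login."""
    return any(kw in raw_target for kw in PUBLIC_KEYWORDS)


def normalize_path(raw_target: str) -> str:
    """Reduce the request target to one canonical path before deciding."""
    path = unquote(urlsplit(raw_target).path or "/")   # drop query, decode %xx
    path = posixpath.normpath(path)                     # resolve "." and ".."
    return "/" + path.lstrip("/")                       # exactly one leading slash


def hardened_is_public(raw_target: str) -> bool:
    """Decide on the canonical path, match prefixes exactly, and let deny win."""
    path = normalize_path(raw_target)
    if path.startswith(PROTECTED_PREFIXES):
        return False
    return path.startswith(PUBLIC_PREFIXES)


def authorize(raw_target: str, authenticated: bool) -> str:
    """Return "serve" or "login-required" for one request."""
    if authenticated or hardened_is_public(raw_target):
        return "serve"
    return "login-required"
```

Requests such as `/admin/status?theme=css` or `/css/../admin/status` pass the substring test but are refused by `hardened_is_public`, because the decision is made on `/admin/status` rather than on whatever text happened to surround it.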
Solution
There is no known solution to the vulnerability. Always update your router to the latest available firmware version. Disabling both the remote (WAN-side) administration services and the web interface on the WAN on any SOHO router is also recommended.
Acknowledgements
Thanks to the reporter from the Spike Reply Cybersecurity Team. This document was written by Timur Snoke.
VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account
Groupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows for arbitrary file writes. A low privileged attacker can escalate privileges to root on affected systems.
Description
Every five hours the Videostream LaunchDaemon runs with root privileges to check for updates. During the download, any local user can replace the update file with a crafted tar archive. The LaunchDaemon process will extract the archive and replace any requested file on the system.
Impact
An attacker with low-privilege access can overwrite arbitrary files on the affected system. This can be leveraged to escalate privileges to control the root account.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Acknowledgements
Thank you to Dan Revah for reporting this issue.
This document was written by Kevin Stephens.
VU#287122: Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process
The Parsec updater for Windows was prone to a local privilege escalation vulnerability that allowed a local user with Parsec access to gain NT AUTHORITY\SYSTEM privileges.
Description
The vulnerability is a time-of-check/time-of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of DllMain.
By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user, as described in CVE-2023-37250.
CVE-2023-37250: The application launches DLLs from a user-owned directory. Since the user owns both the DLL file and the directory, it is possible to trick Parsec into loading an unsigned/arbitrary DLL file and executing its DllMain() method with SYSTEM privileges, creating a local privilege escalation vulnerability.
Impact
By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.
Solution
The vulnerability applies to a "Per User" installation as opposed to a "Shared User" installation. An update has been made available. To force an update, you can either completely quit and re-open the application several times until the loader is updated (confirm this in the logs), or download a special installer that only updates the files inside the program files directory from https://builds.parsec.app/package/parsec-update-executables.exe.
Acknowledgements
Thanks to the reporter, Julian Horoszkiewicz. This document was written by Timur Snoke.
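Both the Videostream note (a root daemon extracting an archive that another user can replace mid-download) and the Parsec note (a DLL verified, then re-opened by name from a user-owned directory) are the same shape of bug: the check and the use refer to a path, and the file behind the path changes in between. The example below is added here for illustration and is not code from either vendor. It closes the window in two ways: the download lands in a fresh private directory owned by the updater, and the file is opened once, with ownership, mode and digest all checked on that open descriptor, which is then the only thing handed to the extraction step. The archive validation, file names and expected digest are constructed for the example; in practice the digest would come from a signed manifest.

```python
import hashlib
import io
import os
import stat
import tarfile
import tempfile
from typing import BinaryIO, List


def build_tar(members: dict) -> bytes:
    """Constructed test archive from {member name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def stage_download(data: bytes) -> str:
    """Write the download into a fresh 0700 directory owned by the updater, so
    other local users cannot swap the file between download and extraction."""
    staging = tempfile.mkdtemp(prefix="update-")          # created with mode 0700
    path = os.path.join(staging, "update.tar")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def verify_and_open(path: str, expected_sha256: str) -> BinaryIO:
    """Open once, check and hash the open descriptor, and return that same
    descriptor. Nothing re-opens by name afterwards, so a later swap of the
    path (the TOCTOU window in both advisories) cannot change what is used."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    f = os.fdopen(fd, "rb")
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
            raise ValueError("file is not owned by the updater")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise ValueError("file is writable by other users")
        digest = hashlib.sha256()
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
        if digest.hexdigest() != expected_sha256:
            raise ValueError("digest mismatch")
    except Exception:
        f.close()
        raise
    f.seek(0)
    return f


def safe_extract(archive: BinaryIO, dest: str) -> List[str]:
    """Extract only regular files and directories that stay inside dest."""
    dest_real = os.path.realpath(dest)
    extracted = []
    # Python 3.12+ (and the backports) also ship tarfile's "data" filter.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for m in tar:
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"member escapes destination: {m.name}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name}")
            tar.extract(m, dest_real, set_attrs=False, **extra)
            extracted.append(m.name)
    return extracted


def apply_update(path: str, expected_sha256: str, dest: str) -> List[str]:
    """Verify and extract through one descriptor; returns the member names written."""
    with verify_and_open(path, expected_sha256) as f:
        return safe_extract(f, dest)
```

The same discipline applies to the Parsec case on Windows: verify the signature of an open handle (or of a copy already placed in a directory the user cannot write to) and load from that, never from a path the user owns between the check and the load.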
VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329
urllib.parse is a basic and widely used URL parsing module in various applications.
Description
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.
URL Parsing Security*
The urlsplit() and urlparse() APIs do not perform validation of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity.
Instead of raising an exception on unusual input, they may instead return some component parts as empty strings. Or components may contain more than perhaps they should.
We recommend that users of these APIs where the values may be used anywhere with security implications code defensively. Do some verification within your code before trusting a returned component part. Does that scheme make sense? Is that a sensible path? Is there anything strange about that hostname? etc.
What constitutes a URL is not universally well defined. Different applications have different needs and desired constraints. For instance, the living WHATWG spec describes what user-facing web clients such as a web browser require, while RFC 3986 is more general. These functions incorporate some aspects of both, but cannot be claimed compliant with either. The APIs and existing user code with expectations on specific behaviors predate both standards, leading us to be very cautious about making API behavior changes.
*Note: This was added as part of the documentation update in https://github.com/python/cpython/pull/102508
Impact
Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may allow access to blocked malicious or dangerous websites, or defeat Referer-based CSRF defenses.
Because this vulnerability exists in the most basic parsing library, more advanced issues are possible.
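The documentation excerpt above is the practical guidance: do not trust the parser to reject what you consider invalid. The example below, added for this note (not code from CPython or from the reporter), shows the deny-list pattern the issue defeats beside an allow-list check that refuses any input with leading or trailing blank or control characters instead of stripping them, so its verdict is the same on a patched or an unpatched interpreter. The scheme and host allow-lists are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policy for the example.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com"}


def blocklist_allows(url: str, blocked_hosts: set) -> bool:
    """The pattern CVE-2023-24329 defeats: a deny-list keyed on the parsed host.
    On an unfixed interpreter, a URL with leading blanks parses with an empty
    scheme and no hostname, so nothing matches the list and the URL passes."""
    return urlsplit(url).hostname not in blocked_hosts


def strict_url_ok(url: str) -> bool:
    """Allow-list check that refuses ambiguous input instead of normalising it,
    so the decision does not depend on which urllib version is installed."""
    # Leading/trailing blanks or any control character mean the string is not
    # exactly the URL the caller claims it is; refuse rather than strip.
    if url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False      # refuse userinfo such as "https://api.example.com@other/"
    return True


def show_parse(url: str) -> tuple:
    """What this interpreter's urlsplit makes of a URL: (scheme, hostname)."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname
```

`show_parse(" https://evil.example/")` is the quickest way to see which behaviour a given interpreter has: a fixed release reports the scheme and host, an unfixed one reports an empty scheme and `None`, which is why `blocklist_allows` cannot be relied on and `strict_url_ok` rejects the string outright. The same applies to `urlparse`, which the note names; it is built on `urlsplit`.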
Solution
The fixes are in the following releases:
- fixed in >= 3.12
- fixed in 3.11.x >= 3.11.4
- fixed in 3.10.x >= 3.10.12
- fixed in 3.9.x >= 3.9.17
- fixed in 3.8.x >= 3.8.17
- fixed in 3.7.x >= 3.7.17
Thanks to the reporter, Yebo Cao, for researching and reporting this vulnerability.
This document was written by Ben Koo.
VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution
Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host.
Description
The Freewill Solutions IFIS new trading web application passes a user-controlled variable directly to a shell_exec function call on a specific report page. To exploit the vulnerability, an attacker can add shell metacharacters to the user-controlled variable so that the application executes attacker-specified commands.
Impact
An attacker with access to the application's web interface can execute code on the remote host. This level of access allows for complete compromise of the affected machine.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Acknowledgements
Thanks to Sameer Mohite (Mandiant) for reporting the vulnerability.
This document was written by Kevin Stephens.
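The root cause is a user value spliced into a string that a shell re-parses. The example below, added for this note and not taken from the affected application (which is PHP; the same pattern is shown here in Python), places that construction beside the two fixes that remove the problem: validate the value against an allow-list, and start the child with an argv list so no shell ever tokenises it. The report script names and the identifier format are hypothetical.

```python
import re
import subprocess
import sys

# Constructed allow-list for the report identifier used in the example.
REPORT_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def vulnerable_command_line(report_id: str) -> str:
    """The shell_exec pattern from the advisory: the user-controlled value is
    pasted into one string that a shell will re-parse, so ';', '|', '$(...)'
    and friends in the value become shell syntax. Built here, never executed."""
    return f"gen_report.sh {report_id}"                # hypothetical report script


def build_report_argv(report_id: str) -> list:
    """Hardened form: validate against an allow-list, then build an argv list.
    The child starts without a shell, so the value is one literal argument."""
    if not REPORT_ID.fullmatch(report_id):
        raise ValueError(f"invalid report id: {report_id!r}")
    return [sys.executable, "gen_report.py", "--id", report_id]   # hypothetical tool


def run_argv(argv: list) -> str:
    """shell=False is subprocess.run's default: no shell ever sees these strings."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def echo_argv(value: str) -> str:
    """Show that metacharacters in an argv element stay literal: the child
    prints back exactly the argument it received."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return run_argv(argv).rstrip("\n")
```

`echo_argv("a; b | c > d $(e)")` returns the string unchanged, which is the property the advisory's page lacks: with an argv list the metacharacters are data, and the allow-list in `build_report_argv` rejects them before any process is started anyway.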
VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation
The software driver for the D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains an unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.
Description
The D-Link DWA-117 AC600 MU-MIMO is a Wi-Fi USB adapter that provides Wi-Fi network access over USB. D-Link provides a software driver for the Microsoft Windows operating system that enables proper operation of the device. The latest software driver (as of April 19, 2023) was found susceptible to an unquoted service path vulnerability. Given certain conditions are met, there is potential for a local privilege escalation allowing an attacker to escalate privileges to a local administrative user.
The following conditions are required to trigger this bug:
- The software is installed in a directory with a space in its name. (The default directory settings will work.)
- An unprivileged user has write access to the directory above the folder that contains the space in its name. (Typical default Windows user permissions are sufficient.)
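The two conditions above are what an audit has to check for every service on a host: an unquoted ImagePath with a space, and an unprivileged-writable directory along the prefixes Windows tries before it reaches the intended binary. The example below is added here and is not D-Link's or Microsoft's code; it is platform-independent string logic that, given ImagePath values (on a real host read from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` or the `PathName` of `Win32_Service`), lists the candidate paths whose parent directories need an ACL check, flags the affected services, and produces the quoted form that is the fix. The service table is constructed.

```python
import re
from typing import Dict, List

EXE_SPLIT = re.compile(r"(?i)^(.*?\.exe)(\s.*)?$")


def unquoted_path_candidates(image_path: str) -> List[str]:
    """For an unquoted ImagePath containing spaces, return the executable paths
    Windows tries in order (each space-delimited prefix, with .exe appended)
    before reaching the intended binary. Empty if the path is quoted or has no
    spaces. The parent directory of each entry is what the auditor checks for
    write access by unprivileged users (the advisory's second condition)."""
    p = image_path.strip()
    if p.startswith('"'):
        return []
    m = EXE_SPLIT.match(p)
    exe = m.group(1) if m else p       # without ".exe" we cannot tell where arguments begin
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quote_image_path(image_path: str) -> str:
    """Remediation: wrap the executable in quotes, leaving arguments as they are."""
    p = image_path.strip()
    m = EXE_SPLIT.match(p)
    if p.startswith('"') or not m:
        return p                       # already quoted, or needs manual review
    return f'"{m.group(1)}"{m.group(2) or ""}'


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name to its candidate paths for every unquoted service."""
    return {name: cands for name, path in services.items()
            if (cands := unquoted_path_candidates(path))}


# Constructed sample table; the vendor directory name is made up for the example.
SAMPLE_SERVICES = {
    "VendorWifiSvc": r"C:\Program Files\Vendor Wireless\svc.exe -service",
    "Svchost":       r"C:\Windows\System32\svchost.exe -k netsvcs",
    "QuotedAgent":   r'"C:\Program Files\Other Agent\agent.exe" --daemon',
}
```

For `VendorWifiSvc` the audit returns `C:\Program.exe` and `C:\Program Files\Vendor.exe`; whether either is a real exposure is then a question of the ACLs on `C:\` and `C:\Program Files`, which is the check the second condition describes. Installing the vendor's patch, or rewriting the ImagePath with `quote_image_path`, removes the ambiguity altogether.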
Impact
An attacker with low-level access can execute code as the SYSTEM account. The increased privileges allow for access to sensitive files and malicious modifications to the system.
Solution
D-Link has provided a patch that addresses the issue. Customers should update their driver to the latest version.
Acknowledgements
Thanks to @L1v1ng0ffTh3L4n for reporting the vulnerability.
This document was written by Kevin Stephens.
VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities
A command injection vulnerability can be used in the Perimeter81 macOS application to run arbitrary commands with administrative privileges.
Description
At the time of writing, the latest Perimeter81 macOS application (10.0.0.19) suffers from a local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows the main application to set up operations that require administrative privileges, such as establishing the VPN connection and changing the routing table.
By combining insufficient checks on an XPC connection with a dictionary containing the key "usingCAPath", a command can be appended to that value and run with administrative privileges.
Impact
By exploiting the vulnerability, attackers can run arbitrary commands with administrative privileges.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Acknowledgements
Thanks to Erhad Husovic, who also published vulnerability details via https://www.ns-echo.com/posts/cve_2023_33298.html
This document was written by Ben Koo.
VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router
The Technicolor TG670 DSL Gateway Router includes a hard-coded service account that allows for authentication over services on the WAN interface, using HTTP, SSH, or TELNET. The authenticated user can use it to gain full administrative control of the router.
Description
A hard-coded password refers to an unchangeable password that is stored within a device or an application. This type of password carries a significant risk, as it can be exploited by malware or attackers to gain unauthorized access to devices and systems, enabling them to engage in malicious activities. In certain cases, a hard-coded account may possess administrative privileges, granting complete control over a device through an account that cannot be modified or deactivated.
Recently, it was uncovered that the Technicolor TG670 DSL Gateway Router with firmware version 10.5.N.9 contains more than one hard-coded service account. These particular accounts allow full administrative access to the device via the WAN interface. If Remote Administration is enabled, the device can be remotely accessed from an external network interface, such as the Internet. This account seems to have full administrative access to modify the device settings. Additionally, it appears that this account is not documented and cannot be disabled or removed from the device.
Impact
A remote attacker can use the default username and password to log in to the router device as the administrator. This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways. This requires that Remote Administration be enabled on the router, which is the default setting as observed by the CODE WHITE security researcher Florian Hauser.
Solution
It is recommended that you check with your service provider whether appropriate patches and updates are available to resolve the hard-coded credentials stored on the devices. As a precaution, it is also recommended that you disable Remote Administration (WAN-side administration) when it is not needed, to reduce the risk of abuse of this service account.
Acknowledgements
Thanks to Florian Hauser from CODE WHITE for reporting this vulnerability.
This document was written by Timur Snoke.