Security News

RoyalTS SSH Tunnel - Authentication Bypass

Full Disclosure - 9 June, 2020 - 11:42

Posted by michele on Jun 09

RoyalTS SSH Tunnel - Authentication Bypass
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13872

CVSSv3 score
-------------------------------------------------
8.8 - [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L&version=3.1)

Vendor...

WebUntis: Stored XSS (Filter Bypass)

Full Disclosure - 9 June, 2020 - 11:38

Posted by Robin Meis via Fulldisclosure on Jun 09

I. VULNERABILITY
-------------------------
WebUntis 2020.12.1 - (Authenticated) Cross Site Scripting

II. BACKGROUND
-------------------------
WebUntis is a tool for schools and universities to deliver electronic timetables to their students. Depending on the
activated modules, it also contains sensitive information within the integrated class register and grade book.
Furthermore, it supports private messaging.

III. DESCRIPTION...

CVE-2020-13432 - HFS HTTP File Server / Remote Buffer Overflow DoS

Full Disclosure - 9 June, 2020 - 11:38

Posted by hyp3rlinx on Jun 09

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.rejetto.com

[Product]
HFS Http File Server v2.3m Build 300

[Vulnerability Type]
Remote Buffer Overflow (DoS)

[CVE Reference]
CVE-2020-13432

[Security Issue]
rejetto HFS (aka HTTP File Server)...

Avaya IP Office v9.1.8.0 - 11 Insecure Transit Password Disclosure CVE-2020-7030

Full Disclosure - 9 June, 2020 - 11:38

Posted by hyp3rlinx on Jun 09

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.avaya.com

[Product]
Avaya IP Office v9.1.8.0 - 11

IP Office Platform provides a single, stackable, scalable small
business communications system that grows with your business easily
and...

WinGate v9.4.1.5998 Insecure Permissions EoP CVE-2020-13866

Full Disclosure - 9 June, 2020 - 11:38

Posted by hyp3rlinx on Jun 09

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
wingate.com

[Product]
WinGate v9.4.1.5998

WinGate is a sophisticated integrated Internet gateway and
communications server designed to meet the control,
security and email needs of...

Defense in depth -- the Microsoft way (part 69): security remarks are as futile as the qUACkery!

Full Disclosure - 5 June, 2020 - 11:31

Posted by Stefan Kanthak on Jun 05

Hi @ll,

the MSDN article "Security Considerations: Microsoft Windows Shell"
<https://msdn.microsoft.com/en-us/library/bb776776.aspx#shellexecute-shellexecuteex-and-related-functions>
has for MANY years provided the following advice for calls to ShellExecute():

| Make sure you provide an unambiguous definition of the application that is to
| be executed.
|
| * When providing the executable file's path, provide the fully...

Defense in depth -- the Microsoft way (part 68): qUACkery is futile!

Full Disclosure - 5 June, 2020 - 11:31

Posted by Stefan Kanthak on Jun 05

Hi @ll,

the help text displayed by the command line "%COMSPEC% /?" as well as the
documentation <https://msdn.microsoft.com/en-us/library/cc771320.aspx> of
Windows' command processor CMD.EXE both state:

| * Executing registry subkeys
|
| If you do not specify /d in String, Cmd.exe looks for the following
| registry subkeys:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun\REG_SZ
|
|...

Castel NextGen DVR multiple CVEs

Full Disclosure - 5 June, 2020 - 11:22

Posted by Aaron Bishop on Jun 05

All issues are associated with Castel NextGen DVR v1.0.0 and have been
resolved in v1.0.1.

-------------------------------
CVE-2020-11679
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
A low privileged user can call functionality reserved for an Administrator
which promotes a low privileged account...

Sabberworm PHP CSS parser - Code injection vulnerability

Full Disclosure - 3 June, 2020 - 01:04

Posted by Eldar Marcussen on Jun 02

Sabberworm PHP CSS parser - Code injection
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13756

CVSSv3 score
-------------------------------------------------
8.6 - [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L&version=3.1)

Vendor...

[CVE-2020-9484] Apache Tomcat RCE via PersistentManager

Full Disclosure - 3 June, 2020 - 01:03

Posted by Red Timmy Security on Jun 02

Original post:
https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/

SUMMARY

Apache Tomcat is affected by a Java deserialization vulnerability, if
the PersistentManager is configured as session manager. Successful
exploitation requires the attacker to be able to upload an arbitrary
file to the server.

AFFECTED VERSIONS

- Apache Tomcat 10.x < 10.0.0-M5
- Apache Tomcat 9.x <...
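The summary above names the precondition (PersistentManager in use, attacker able to place a file on the server) but not the configuration setting that decides whether a persisted session may carry arbitrary serialized objects. The following audit script is an added example, not code from the Red Timmy post or from the Tomcat project: it parses a Tomcat context.xml, finds Manager elements that use PersistentManager, and flags those whose sessionAttributeValueClassNameFilter (a real Manager attribute; Tomcat's default of null allows every class) is unset or lax. Both context fragments, the sessions directory name and the whitelist regex are constructed for the example.

```python
"""Audit Tomcat context.xml for an unfiltered PersistentManager (added example).

Not from the Red Timmy write-up or the Tomcat project. The two XML fragments
below are constructed for illustration; the attribute name
sessionAttributeValueClassNameFilter is Tomcat's own Manager attribute, and
a value of null (the default) lets any class be deserialized from a
persisted session.
"""
import xml.etree.ElementTree as ET

PERSISTENT = "org.apache.catalina.session.PersistentManager"

# Constructed: PersistentManager backed by a FileStore with no class filter.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed: same manager, deserialization restricted to a short whitelist.
# The regex must cover every type your application really stores in the
# session; attributes whose class does not match are dropped on restore.
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed: the default StandardManager, which persists nothing to disk.
STANDARD_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""


def audit_context(xml_text):
    """Return a list of finding strings; an empty list means nothing to flag."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        # A Manager without className is Tomcat's StandardManager.
        cls = manager.get("className", "org.apache.catalina.session.StandardManager")
        if cls != PERSISTENT:
            continue
        store = manager.find("Store")
        store_cls = store.get("className", "(none)") if store is not None else "(none)"
        filt = manager.get("sessionAttributeValueClassNameFilter")
        if filt is None or filt.strip().lower() in ("", "null"):
            findings.append(
                "PersistentManager with store %s has no "
                "sessionAttributeValueClassNameFilter: any class in a persisted "
                "session file will be deserialized" % store_cls)
        elif filt.strip() in (".*", ".+"):
            findings.append(
                "PersistentManager with store %s uses a catch-all filter %r, "
                "which is equivalent to no filter" % (store_cls, filt))
    return findings


if __name__ == "__main__":
    for name, ctx in (("vulnerable", VULNERABLE_CONTEXT),
                      ("hardened", HARDENED_CONTEXT),
                      ("standard", STANDARD_CONTEXT)):
        result = audit_context(ctx)
        print("%-10s %s" % (name, result or "OK"))
```

Run it against the context.xml of each deployed webapp (and conf/context.xml, which applies to all of them). A clean result does not replace the upgrade listed under AFFECTED VERSIONS; it only tells you whether a PersistentManager would accept arbitrary classes from a session file an attacker managed to write.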

BIAS (Bluetooth Impersonation Attack) CVE-2020-10135 reproduction

Full Disclosure - 3 June, 2020 - 01:03

Posted by Marcin Kozlowski on Jun 02

Hi list,

Managed to reproduce BIAS (Bluetooth Impersonation Attack) CVE-2020-10135.
Impersonation of any previously paired and connected Bluetooth device in
vulnerable setup. Reproduction on Linux host and Samsung S3 Neo+ mobile.

More info in the repo:
https://github.com/marcinguy/CVE-2020-10135-BIAS

Link to original PoC author(s) is also there.

Thanks,
Marcin

APPLE-SA-2020-06-01-4 watchOS 6.2.6

Full Disclosure - 3 June, 2020 - 01:03

Posted by Apple Product Security via Fulldisclosure on Jun 02

APPLE-SA-2020-06-01-4 watchOS 6.2.6

watchOS 6.2.6 is now available and addresses the following:

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2020-9859: unc0ver

Installation note:

Instructions on how to update your Apple Watch software are
available at...

APPLE-SA-2020-06-01-3 tvOS 13.4.6

Full Disclosure - 3 June, 2020 - 01:03

Posted by Apple Product Security via Fulldisclosure on Jun 02

APPLE-SA-2020-06-01-3 tvOS 13.4.6

tvOS 13.4.6 is now available and addresses the following:

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2020-9859: unc0ver

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check...

APPLE-SA-2020-06-01-2 macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003 High Sierra

Full Disclosure - 3 June, 2020 - 01:03

Posted by Apple Product Security via Fulldisclosure on Jun 02

APPLE-SA-2020-06-01-2 macOS Catalina 10.15.5 Supplemental Update,
Security Update 2020-003 High Sierra

macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003
High Sierra are now available and address the following:

Kernel
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.5
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory consumption issue was addressed with...

APPLE-SA-2020-06-01-1 iOS 13.5.1 and iPadOS 13.5.1

Full Disclosure - 3 June, 2020 - 01:03

Posted by Apple Product Security via Fulldisclosure on Jun 02

APPLE-SA-2020-06-01-1 iOS 13.5.1 and iPadOS 13.5.1

iOS 13.5.1 and iPadOS 13.5.1 are now available and address the
following:

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2020-9859: unc0ver

Installation...

[Bug] Firefox privacy leakage: search term is sent to ISP without user's consent.

Full Disclosure - 3 June, 2020 - 01:03

Posted by duykham on Jun 02

### Credit:
#### Author: duykham
#### Date: 2020-Apr-13

### Affected version:
Firefox 75.0 (64-bit), latest version as of 2020-Apr-13.
Google Chrome v81.0.4044.92 (64-bit) latest version as of 2020-Apr-13.
Platform: Windows 10

(To my knowledge, as of today, 2020/05/31, there is no fix yet; later
versions are most likely affected, too.)

### Title:
User's search term is accidentally sent to ISP without user's consent.

### Category:...

[CDPWE-0001] - RocketReach

Full Disclosure - 29 May, 2020 - 12:25

Posted by Thierry Zoller on May 29

Adapting the Mechanics of Vulnerability Disclosure to an area where
Privacy Rights need to be scrutinized and where transparency becomes
paramount.

APPLE-SA-2020-05-26-4 tvOS 13.4.5

Full Disclosure - 29 May, 2020 - 12:21

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2020-05-26-4 tvOS 13.4.5

tvOS 13.4.5 addresses the following:

Accounts
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt

AppleMobileFileIntegrity
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to use...

APPLE-SA-2020-05-26-11 Windows Migration Assistant 2.2.0.0 (v. 1A11)

Full Disclosure - 29 May, 2020 - 12:21

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2020-05-26-11 Windows Migration Assistant 2.2.0.0 (v. 1A11)

Windows Migration Assistant 2.2.0.0 (v. 1A11) is now available and
addresses the following:

Windows Installer
Available for: macOS Catalina
Impact: Running the installer in an untrusted directory may result in
arbitrary code execution
Description: A dynamic library loading issue was addressed with
improved path searching.
CVE-2020-9858: Csaba Fitzl (@theevilbit) of Offensive...

APPLE-SA-2020-05-26-10 iCloud for Windows 7.19

Full Disclosure - 29 May, 2020 - 12:21

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2020-05-26-10 iCloud for Windows 7.19

iCloud for Windows 7.19 is now available and addresses the following:

ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9789: Wenchao Li of VARAS@IIE
CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

ImageIO...