Releases

CodiMD Unauthorised Image Access

This advisory details a missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unauthorised access to image data uploaded to CodiMD. Due to the insecure random filename generation functionality in the underlying Formidable library, filenames for uploaded images could be determined and the likelihood of this issue being exploited was increased.


Slack Web Hook Message Injection Advisory

Slack integrations such as webhook APIs are often used to alert on user actions to internal teams. A vulnerability was noted when user supplied data containing a large amount of white space was included in a request to the Slack webhook API. By including enough white space in this data, the messages would be split and truncated. As a result, the malicious payload after the whitespace would appear as a standalone message from the Slack bot. An attacker could exploit this to forge messages containing Slack message markup to perform social engineering and other attacks if an integration, such as a website or other software, included unvalidated user input in the message to the Slack webhook.


Bypassing USBGuard on Linux

Configuring USBGuard without explicitly specifying vendor and product IDs allows an attacker to bypass some USB authorisation policies on Linux. A device may claim to belong to one USB class (e.g. say it’s a keyboard), but actually act as a network adapter, mass storage or other more exotic device. The Gnome desktop’s USB protection policies are vulnerable by default.


HDF5 - Multiple Memory Corruption Vulnerabilities

Pulse Security briefly assessed the HDF5 library (hdf5-1.14.1-2) for memory corruption vulnerabilities as part of a client engagement where the HDF5 library was used to parse potentially untrusted data. Multiple memory corruption issues were found in the HDF5 library by fuzz testing the h5stat and h5dump helper utilities.


Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

Using the vulnerability described in this advisory an attacker may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer’s disk. This blog post runs through how this vulnerability was identified and exploited - no tiny soldering required.


Istio outboundTrafficPolicy Egress Control Bypass

Istio can be used to control egress traffic from Istio enabled Kubernetes workloads. When combined with the meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY flag, this can be an attractive option for restricting what outbound connections a pod can make. An attacker who has compromised an Istio enabled pod configured in this way, and can set their processes user ID to 1337, can bypass the egress control.


Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking

This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials.


ASP.NET Boilerplate Multiple Vulnerabilities

Multiple vulnerabilities were discovered in the ASP.NET Boilerplate (ABP) framework, including issues which allow an unauthenticated attacker to gain unauthorized administrative access to an ABP site. These issues also affect the ASP.Net Zero framework.


Zerotier - Multiple Vulnerabilities

An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorised access to private Zerotier networks.


GoCD Multiple Vulnerabilities

Multiple vulnerabilities were discovered within GoCD. These issues allowed for retrieval of the master secret key from a compromised agent, impersonation of arbitrary agents and remote code execution through deserialization. All vulnerabilities in this advisory are presented from the perspective of an attacker who has either compromised an existing GoCD agent (or its network traffic) or has access to view the GoCD configuration XML (either through the web ui or via a configuration backup).


id.atlassian.com Username Enumeration

The authentication platform responsible for authenticating cloud-based Jira, Bitbucket and Confluence users (id.atlassian.com) exposes a username enumeration vulnerability via the https://id.atlassian.com/rest/marketing-consent/config API endpoint. Pulse Security has leveraged this vulnerability on multiple engagements to build a list of valid target email addresses for further attacks, such as social engineering and credential stuffing. Atlassian have elected to mitigate this vulnerability by implementing a request rate limit, and as such this vulnerability may continue to be used to enumerate users.


FF4J - Insecure YAML Deserialisation

The FF4J v1.8.7 web administration console did not protect against YAML deserialisation vulnerabilities in the configuration import function. An attacker with access to the administration interface could remotely execute arbitrary Java code.


Amazon AWS Bastion - Logger Bypass

The AWS bastion host (https://github.com/aws-quickstart/quickstart-linux-bastion) is intended to provide command logging for all users. These command logs are stored both on the bastion host itself, and forwarded to Cloudwatch. The command auditing implementation allowed a user to bypass the logging, execute an interactive shell and issue commands that were not captured by the AWS bastion’s logging mechanisms.


Adyen Magento2 Plugin - Multiple Vulnerabilities

The Adyen Magento 2 plugin did not securely implement authentication for the POS callback which allows an attacker to approve or cancel arbitrary orders. The only authentication required was a checksum that an attacker can recreate. Additionally, the /adyen/process/json endpoint did not implement any authentication brute force protection and was vulnerable to timing attacks. An attacker who can successfully brute force these credentials may submit fraudulent payment notifications and fabricate payment information.


Wiki.js - Template Injection Stored Cross-Site Scripting (CVE-2020-4052)

Wiki.js >2.4.17 was vulnerable to stored cross-site scripting through template injection. This vulnerability existed due to a malicious payload in a top-level text element bypassing the intended protection mechanisms.


Untitled Goose Game - Insecure Deserialization

Untitled Goose Game was vulnerable to a code execution vulnerability due to unsafe deserialization in the save game loader. An attacker capable of controlling a target user’s save game can leverage this vulnerability to execute malicious code when the save game is loaded.


MicroK8s - Privilege Escalation (CVE-2019-15789)

MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.


Linux Kernel 4.9 - TCP Socket Handling Use-After-Free (CVE-2019-15239)

A use-after-free condition was present in the Linux 4.9 kernel TCP socket handling code, triggerable by a low privilege local user. The included POC triggers multiple read and write UAF conditions. Additionally, the POC causes a kernel crash on a vanilla Debian build.


Linux Kernel 4.9 - inet_csk_listen_stop GPF (CVE-2017-18509)

By setting a specific socket option, an attacker can control a pointer in kernel land and cause a general protection fault, or potentially execute arbitrary code. The issue can be triggered by running the included POC as root, inside a default LXC container or with CAP_NET_ADMIN privileges. This issue was confirmed on Debian Stretch (kernel 4.9.168), however Debian have advised that this issue also affects older kernel versions. This issue may also be triggered by a low privileged user that can unshare their user and network namespaces.


atftpd - Multiple Memory Corruption Vulnerabilities (CVE-2019-11365, CVE-2019-11366)

atftpd contained multiple vulnerabilities, including stack buffer overflow, concurrency issues and heap-based read overflow.


Kanboard 1.2.7 Multiple Vulnerabilities

Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account import cross site request forgery which allows an unauthenticated attacker to create a new administrative user. Cross site request forgery 2FA deactivation, allowing an unauthenticated attacker to disable an account’s 2FA configuration. A lack of integrity checking or transport layer encryption enforced on plugins enables remote code execution by a malicious admin. Other vulnerabilities include: session privilege retention, 2FA bypass, database user_id and pre-2FA information disclosure.


Go-pandoc - LUA filter remote code execution

Go-pandoc is vulnerable to remote code execution through a user included LUA filter. An attacker can upload a LUA file to a known location on the file system due to a predictable temporary directory being used when handling certain file type includes. The uploaded LUA file can then be used as a filter in a subsequent request, allowing for the execution of arbitrary LUA code.


Rsync Daemon - parse_arguments Out-Of-Bounds read

An attacker may send the rsync daemon a crafted packet, triggering an out-of-bound memory read in the argument handling code.


Microsoft DirectX Memory Corruption (CVE-2018-8563)

A memory corruption vulnerability exists in Microsoft DirectX. The corruption happens as a result of the incorrect handling of text, while running CSS tranformations, resulting in an out-of-bounds-read. It is possible to trigger this vulnerability remotely via Internet Explorer. An attacker can use this vulnerability to disclose memory of a victim’s machine. Generally, such vulnerability is chained with a Remote Code Execution vulnerability and used to bypass common defenses.


Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.


Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)

Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.


Manage Engine OpManager Multiple Authenticated RCE Vulnerabilities

Pulse Security has identified two vulnerabilities in the ManageEngine OpManager software currently being exploited in the wild, and one observational note. This document details the vulnerabilities and the indicators of compromise that may be used to identify these exploits.


Microsoft Internet Explorer EnterBlock Memory Corruption (CVE-2018-8249)

A memory corruption vulnerability exists in Microsoft Internet Explorer. The corruption happens due to the destruction and reuse of an element processed by Internet Explorer. An attacker can use this vulnerability to obtain Remote Code Execution and compromise a victim’s machine. Microsoft fixed this vulnerability in the June 2018 patch cycle. Pulse Security recommends applying the latest updates to mitigate this vulnerability.


Phusion Passenger chown() race privilege escalation (CVE-2018-12029)

Phusion Passenger’s Nginx module is vulnerable to a privilege escalation vulnerability when run with a non-standard passenger_instance_registry_dir configuration. A vulnerability exists when creating the control_process.pid file, specifically when the file’s owner is changed from root. An attacker can use this behavior to escalate privileges from the www-data user to the root user when Nginx is restarted.


Microsoft Internet Explorer Hyperlink Memory Corruption (CVE-2018-8118)

A memory corruption vulnerability exists in Microsoft Internet Explorer. The corruption happens as a result of the destruction and reuse of an element processed by Internet Explorer. An attacker can use this vulnerability to obtain Remote Code Execution and compromise a victim’s machine.


Pi-hole < v3.3 Multiple Vulnerabilities

Multiple vulnerabilities were discovered in Pi-Hole, a DNS blocker solution. Vulnerabilities included remote code execution, cross-site scripting, sql injection, privilege escalation and stack-based buffer overflow.


Microsoft Edge / Internet Explorer SVG Memory Corruption (CVE-2018-0932)

A memory corruption vulnerability exists in Microsoft Edge and Internet Explorer. The corruption happens as a result of incorrect handling of SVG attributes. An attacker can use this vulnerability to disclose memory of a victim’s machine. Generally, such vulnerability is chained with a Remote Code Execution vulnerability and used to bypass common defenses.