Multiple vulnerabilities in QNAP TS-464 NAS devices

The advisories from ZDI-24-470 to ZDI-24-475 detail a series of vulnerabilities affecting QNAP TS-464 NAS devices, ranging from CRLF injection and SQL injection to improper certificate validation and file upload directory traversal. These vulnerabilities could allow remote attackers to make arbitrary configuration changes, execute code, escalate privileges, and create or delete files on affected devices. QNAP has issued updates to correct these vulnerabilities, highlighting the importance of applying security patches promptly to protect against potential exploits.

Read more Multiple vulnerabilities in QNAP TS-464 NAS devices

Multiple vulnerabilities in Cisco

Here’s a summary of the Cisco Security Advisories:

  1. Cisco AppDynamics Network Visibility Service DoS Vulnerability: An unauthenticated, local attacker could cause a denial of service (DoS) condition due to improper handling of unexpected input.
  2. Cisco Crosswork NSO Open Redirect Vulnerability: An unauthenticated, remote attacker could redirect a user to a malicious web page due to improper input validation of a parameter in an HTTP request.
  3. Cisco Crosswork NSO Privilege Escalation Vulnerability: An authenticated, local attacker could elevate privileges to root on an affected device because of a user-controlled search path used to locate executable files.
  4. Cisco Secure Client NAM Privilege Escalation Vulnerability: An unauthenticated attacker with physical access could elevate privileges to SYSTEM due to a lack of authentication on a specific function.
  5. Cisco Secure Email and Web Manager XSS Vulnerabilities: Multiple vulnerabilities could allow a remote attacker to conduct XSS attacks against users of the interface due to insufficient input validation.
  6. Cisco Secure Email Gateway HTTP Response Splitting Vulnerability: An unauthenticated, remote attacker could conduct an HTTP response splitting attack due to insufficient input validation of some parameters.
  7. Cisco Unified Communications Products API DoS Vulnerability: An unauthenticated, remote attacker could cause high CPU utilization and potentially impact access and call processing due to improper API authentication and incomplete validation of the API request.
Read more Multiple vulnerabilities in Cisco

D-Link – multiple vulnerabilities, some are 0-days

Here’s a summary of the vulnerabilities reported:

  • Remote Code Execution (RCE) Vulnerabilities:
    • D-Link D-View: Two vulnerabilities (ZDI-24-448, ZDI-24-450) allow remote code execution due to command injection and exposed dangerous methods. Both require authentication, which can be bypassed. CVSS rating: 8.8.
    • D-Link G416: Attackers can execute code on G416 routers without authentication (ZDI-24-446). CVSS rating: 8.8.
    • D-Link DIR-2150: The GetDeviceSettings feature in DIR-2150 routers is vulnerable to command injection by network-adjacent attackers without authentication (ZDI-24-442). CVSS rating: 8.8.
    • D-Link DIR-2640: A stack-based buffer overflow in DIR-2640-US routers allows RCE without authentication (ZDI-24-444). CVSS rating: 8.8.
    • D-Link D-View: Another vulnerability (ZDI-24-449) allows RCE through an exposed dangerous method with bypassable authentication. CVSS rating: 8.8.
  • Local Privilege Escalation:
    • D-Link Network Assistant: A vulnerability (ZDI-24-443) allows local attackers to escalate privileges by exploiting an uncontrolled search path element. Requires execution of low-privileged code. CVSS rating: 7.3.
  • Denial-of-Service (DoS):
    • D-Link DIR-3040: A memory leak in prog.cgi websSecurityHandler can be exploited by network-adjacent attackers to cause a DoS condition (ZDI-24-445). No authentication needed. CVSS rating: 4.3.
  • Authentication Bypass:
    • D-Link D-View: A vulnerability (ZDI-24-447) allows bypassing authentication using a hard-coded cryptographic key. No authentication needed for exploitation. CVSS rating: 9.8.

All vulnerabilities are marked as “0Day,” indicating they are previously unknown and unpatched. The CVSS ratings range from 4.3 to 9.8, reflecting the severity of the vulnerabilities. The higher the CVSS score, the more severe the vulnerability. It’s important for organizations using these D-Link products to be aware of these vulnerabilities and apply any available patches or mitigations provided by the vendor.

Read more D-Link – multiple vulnerabilities, some are 0-days

ZDI-24-439: Microsoft Windows Bluetooth AVDTP Protocol Integer Underflow Remote Code Execution Vulnerability

Vulnerability

ZDI-24-439
ZDI-CAN-20464

CVE ID CVE-2023-24948
CVSS SCORE 7.6,
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Windows

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must connect a malicious Bluetooth device. The ZDI has assigned a CVSS rating of 7.6. The following CVEs are assigned: CVE-2023-24948.

Microsoft FAQ:

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

In order to exploit this vulnerability, the victim must pair with the attacker’s Bluetooth device.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?

Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.

How could an attacker exploit this vulnerability?

An authorized attacker could exploit the Windows Bluetooth driver vulnerability by programmatically running certain functions that could lead to elevation of privilege on the Bluetooth component.

Source:

http://www.zerodayinitiative.com/advisories/ZDI-24-439/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24948

Vulnerabilities in Adobe Readed DC Software

Consolidated summary:

  • ZDI-24-424 & ZDI-24-425: Both vulnerabilities, identified as CVE-2024-30305 and CVE-2024-30303 respectively, have a CVSS score of 7.8 and affect Adobe Acrobat Reader DC. They allow remote code execution due to improper handling of AcroForms. Users must interact with a malicious page or file to trigger the flaw.
  • ZDI-24-427: Identified as CVE-2024-30306 with a CVSS score of 7.8, this vulnerability in Adobe Acrobat Reader DC allows remote code execution through an out-of-bounds read in AcroForms. User interaction is required.
Read more Vulnerabilities in Adobe Readed DC Software

Security flaws in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)Security flaws in Cisco

We have three new vulnerabilities in Cisco.

  • One could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
  • One that could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
  • And another one which could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
Read more Security flaws in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)Security flaws in Cisco

Vulnerabilities in Google Chrome, Microsoft Edge, Windows Installer, Microsoft Smart Screen and Azure

This time we have a few vulnerabilities from Google and Microsoft:

  • Google Chrome V8 Enum Cache Out-Of-Bounds Read Remote Code Execution Vulnerability
  • Microsoft Edge DOMArrayBuffer Use-After-Free Remote Code Execution Vulnerability
  • Google Chrome WASM Improper Input Validation Remote Code Execution Vulnerability
  • Microsoft Windows Installer Service Link Following Local Privilege Escalation Vulnerability
  • Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability
  • Microsoft Azure Private 5G Core InitialUEMessage Improper Input Validation Denial-of-Service Vulnerability
Read more Vulnerabilities in Google Chrome, Microsoft Edge, Windows Installer, Microsoft Smart Screen and Azure

Electrolink FM/DAB/TV Transmitter

1. EXECUTIVE SUMMARY

  • CVSS v3 8.8
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: Electrolink
  • Equipment: FM/DAB/TV Transmitter
  • Vulnerabilities: Authentication Bypass by Assumed-Immutable Data, Reliance on Cookies without Validation and Integrity Checking, Missing Authentication for Critical Function, Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain full system access, keep the device from transmitting, escalate privileges, change credentials, and execute arbitrary code.

Read more Electrolink FM/DAB/TV Transmitter

Cisco IOS Software for Catalyst 6000 Series Switches Denial of Service Vulnerability

A vulnerability in Cisco IOS Software for Cisco Catalyst 6000 Series Switches could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly.

This vulnerability is due to improper handling of process-switched traffic. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition.

Read more Cisco IOS Software for Catalyst 6000 Series Switches Denial of Service Vulnerability