Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal

Overview

CERT/CC researchers examined the satcom terminal Cobham EXPLORER 710 as an expansion of work from IOActive’s findings in 2014. They discovered multiple new vulnerabilities affecting the device and the firmware, some of which could allow an unauthenticated, local attacker to gain access to sensitive information or complete control of the device.

Description

The Cobham EXPLORER 710 is a portable satellite terminal used to provide satellite telecommunications and internet access. For consistency, “device” mentioned in the following section is defined as the Cobham EXPLORER 710. The affected firmware version is 1.07 for all of the vulnerabilities listed below unless otherwise noted.

CVE-2019-9529
The web application portal has no authentication by default. This could allow an unauthenticated, local attacker connected to the device to access the portal and to make any change to the device.

CVE-2019-9530
The web root directory has no access restrictions on downloading and reading all files. This could allow an unauthenticated, local attacker connected to the device to access and download any file found in the web root directory.

CVE-2019-9531
The web application portal allows unauthenticated access to port 5454 on the device. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands, including some that provide unauthenticated, shell-like access to the device.

CVE-2019-9532
The web application portal sends the login password in cleartext. This could allow an unauthenticated, local attacker to intercept the password and gain access to the portal.

CVE-2019-9533
The root password for the device is the same for all versions of firmware up to and including v1.08. This could allow an attacker to reverse-engineer the password from available versions to gain authenticated access to the device.

CVE-2019-9534
The device does not validate its firmware image. Development scripts left in the firmware can be used to upload a custom firmware image that the device runs. This could allow an unauthenticated, local attacker to upload their own firmware that could be used to intercept or modify traffic, spoof or intercept GPS traffic, exfiltrate private data, hide a backdoor, or cause a denial-of-service. The CVSS score below reflects the score for this CVE in particular.

In addition to the findings above, we found configuration issues in the device that can leave it vulnerable to attackers. The default WiFi password is publicly documented as the serial number of the device and can be easily brute-forced. Additionally, important security headers are missing, which leaves the device vulnerable to cross-site scripting and clickjacking.

Impact

The impacts of these vulnerabilities are that an unauthenticated, local attacker could intercept traffic that may include passwords or sensitive data, remotely execute commands on the device, access files that should be restricted, and make changes to the device that could include uploading custom firmware for control over it.

Solution

The CERT/CC is currently unaware of a practical solution to these problems.

References

Acknowledgements

This document was written by Kyle O’Meara and David Belasco of the CERT Coordination Center of the Carnegie Mellon Software Engineering Institute.

Other Information

CVE IDs: CVE-2019-9529, CVE-2019-9530, CVE-2019-9531, CVE-2019-9532, CVE-2019-9533, CVE-2019-9534
Date Public: 2019-10-09
Date First Published: 2019-10-09
Date Last Updated: 2019-10-11 16:25 UTC
Document Revision: 44

iTerm2 with tmux integration is vulnerable to remote command execution

Overview

iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution.

Description

iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux’s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.

Impact

This vulnerability may allow an attacker to execute arbitrary commands on their victim’s computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content. Potential attack vectors include connecting via ssh to a malicious server, using curl to fetch a malicious website, or using tail -f to follow a logfile containing some malicious content.

Solution

Apply an update

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability. The latest version is available as an update within the program itself, or can be downloaded here. As the tmux integration cannot be disabled through configuration, a complete resolution is not yet available. We recommend that users of tmux integration follow the best practices outlined by iTerm2.

References

Acknowledgements

Thanks to Stefan Grönke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability.

This document was written by Madison Oliver.

Other Information

CVE IDs: CVE-2019-9535
Date Public: 2019-10-09
Date First Published: 2019-10-09
Date Last Updated: 2019-10-25 13:48 UTC
Document Revision: 35

Pulse Secure VPN contains multiple vulnerabilities

Overview

Pulse Secure SSL VPN contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to compromise the VPN server and connected clients.

Description

Pulse Secure released an out-of-cycle advisory along with software patches for the affected products on April 24, 2019. It addressed a number of vulnerabilities, including a pre-authentication Remote Code Execution (RCE) vulnerability. There is no viable workaround for this vulnerability other than applying the patches provided by the vendor and performing the required system updates. CVE-2019-11510 has a CVSS score of 10.

The CVEs listed in the advisory are:

CVE-2019-11510 – An unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to read arbitrary files.
CVE-2019-11509 – An authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance.
CVE-2019-11508 – A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file and write arbitrary files to the local system.
CVE-2019-11507 – An XSS issue has been found in the Pulse Secure Application Launcher page. Affects Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3.
CVE-2019-11543 – An XSS issue has been found in the admin web console. Affects Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1 and 8.1RX before 8.1R15.1, and Pulse Policy Secure (PPS) 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1 and 5.2RX before 5.2R12.1.
CVE-2019-11542 – An authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow.
CVE-2019-11541 – Users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks.
CVE-2019-11540 – A vulnerability in Pulse Secure could allow an unauthenticated, remote attacker to conduct an end-user session hijacking attack.
CVE-2019-11539 – An authenticated attacker via the admin web interface can inject and execute arbitrary commands (command injection).
CVE-2019-11538 – A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system.
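The version thresholds above are easy to misread across a fleet of appliances. As an added example (not Pulse Secure's code), the Python helper below parses the vendor's major.minorRrelease.patch version strings and reports whether a given Pulse Connect Secure (PCS) or Pulse Policy Secure (PPS) version predates the fix for the two XSS issues whose thresholds this note lists; for any CVE or branch the note gives no threshold for it returns None rather than guessing.

```python
import re
from typing import Optional, Tuple

# First fixed release per product branch, exactly as this note lists them for
# the two XSS issues ("X before Y" means every X release earlier than Y).
FIXED_IN = {
    "CVE-2019-11507": {
        ("PCS", "8.3"): "8.3R7.1",
        ("PCS", "9.0"): "9.0R3",
    },
    "CVE-2019-11543": {
        ("PCS", "9.0"): "9.0R3.4", ("PCS", "8.3"): "8.3R7.1", ("PCS", "8.1"): "8.1R15.1",
        ("PPS", "9.0"): "9.0R3.2", ("PPS", "5.4"): "5.4R7.1", ("PPS", "5.2"): "5.2R12.1",
    },
}

# Vendor format: <major>.<minor>R<release>[.<patch>], e.g. 9.0R3.4 or 8.3R7.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """'9.0R3.4' -> (9, 0, 3, 4); a missing patch number ('9.0R3') counts as 0,
    so tuple comparison orders releases the way the vendor numbers them."""
    m = _VERSION.match(s.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Pulse Secure version string: {s!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(product: str, version: str, cve: str) -> Optional[bool]:
    """True if `version` of `product` ('PCS' or 'PPS') predates the fix for `cve`,
    False if it is at or beyond the fix, None when this note lists no threshold
    for that CVE and product branch (unknown is not the same as safe)."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_IN.get(cve.upper(), {}).get((product.upper(), branch))
    if fixed is None:
        return None
    return v < parse_version(fixed)


if __name__ == "__main__":
    for product, version in [("PCS", "9.0R3.2"), ("PCS", "8.3R7.1"), ("PPS", "5.2R12")]:
        print(product, version, {cve: is_affected(product, version, cve) for cve in FIXED_IN})
```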

Exploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful because of the direct access to admin privileges and the consequent ability to infect multiple VPN-connected users and their desktops. Initially there was a lack of clarity about whether CVE-2019-11510 can be mitigated by requiring a client certificate or two-factor authentication (2FA). CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificates, and that there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version.

Even if client certificates are required for user authentication, CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain the session IDs of active users stored in /data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate one of the active users. If a Pulse Secure administrator is currently active and administrative access is available to the attacker, the attacker could gain administrative access to the Pulse Secure VPN.

It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all of their affected products. If your Pulse Secure VPN has been identified as End of Engineering (EOE) or End of Life (EOL), we highly recommend replacing the VPN appliance entirely without delay; please check the Pulse Secure advisory for this information.

Timeline of specific events:
March 22, 2019 – Security researchers O. Tsai and M. Chang responsibly disclose the vulnerabilities to Pulse Secure
April 24, 2019 – Initial advisory posted and software updates posted by Pulse Secure to the Download Center
April 25, 2019 – Assignment of CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538
April 26, 2019 – Workaround provided for CVE-2019-11508: disabling file sharing as a mitigation
May 28, 2019 – Large commercial vendors receive reports of vulnerable VPNs through HackerOne
July 31, 2019 – Full RCE exploit demonstrated, using the admin session hash to obtain a complete shell
August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (including Pulse Secure) with a detailed account of active VPN exploitation
August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally, still unpatched and in need of an upgrade
October 7, 2019 – NSA publishes a Cybersecurity Advisory on Pulse Secure and other VPN products being actively targeted by Advanced Persistent Threat actors

Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Solution

There is no viable workaround except to apply the patches and updates provided by the vendor. It is incorrect to assume that use of client certificates or two-factor authentication (2FA) can prevent exploitation of the pre-authentication RCE vulnerability CVE-2019-11510. Updates are available from the Pulse Secure advisory.
CVE-2019-11508 and CVE-2019-11538 can be mitigated by disabling File Sharing on the Pulse Secure VPN appliance.

There are no workarounds that address the other vulnerabilities.

References

Acknowledgements

These vulnerabilities were reported by Pulse Secure, who in turn credit Orange Tsai and Meh Chang of the DEVCORE research team, and Jake Valletta of FireEye.

This document was written by Vijay S Sarvepalli.

Other Information

CVE IDs: CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538
Date Public: 2019-04-28
Date First Published: 2019-10-16
Date Last Updated: 2019-10-23 02:35 UTC
Document Revision: 33

Multiple D-Link routers vulnerable to remote command execution

Overview

Multiple D-Link routers are vulnerable to unauthenticated remote command execution.

Description

Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:
  1. The /apply_sec.cgi code is exposed to unauthenticated users.
  2. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.

Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:

    • DIR-655
    • DIR-866L
    • DIR-652
    • DHP-1565
    • DIR-855L
    • DAP-1533
    • DIR-862L
    • DIR-615
    • DIR-835
    • DIR-825

We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.
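A defender who cannot patch these devices can at least validate the parameter at a reverse proxy or IDS placed in front of them. As an added example (not D-Link's or FortiGuard's code), the Python below implements the strict IPv4-only check for ping_ipaddr that the CGI lacks, and an inspector that flags a POST to /apply_sec.cgi carrying anything else; the request bodies are constructed with a placeholder after the newline, and the form field that selects the ping_test action is not assumed.

```python
import ipaddress
from urllib.parse import parse_qs

VULNERABLE_PATH = "/apply_sec.cgi"


def valid_ping_target(value: str) -> bool:
    """Strict check for the ping_ipaddr field: exactly one IPv4 literal and nothing
    else. A newline (or any other control character) fails here before the value
    could ever reach a shell, which is the check the vulnerable CGI lacks."""
    if value != value.strip():
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def inspect_request(path: str, body: bytes) -> list:
    """Findings for one HTTP POST (an empty list means nothing suspicious), for use
    in a reverse proxy, IDS rule or log replay in front of unsupported devices.
    Only ping_ipaddr is inspected: the note names the ping_test action but not the
    form field that selects it, so that field name is not assumed here."""
    findings = []
    if path.split("?", 1)[0] != VULNERABLE_PATH:
        return findings
    # Percent-decoding happens in parse_qs, so %0a arrives as a real newline.
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for target in params.get("ping_ipaddr", []):
        if not valid_ping_target(target):
            findings.append(f"ping_ipaddr rejected: {target!r}")
    return findings


# Constructed sample requests; the text after the newline is a placeholder.
SAMPLE_REQUESTS = [
    ("/apply_sec.cgi", b"ping_ipaddr=192.0.2.1"),
    ("/apply_sec.cgi", b"ping_ipaddr=192.0.2.1%0aPLACEHOLDER"),
    ("/apply_sec.cgi", b"ping_ipaddr=example.com"),
    ("/status.cgi", b"ping_ipaddr=192.0.2.1%0aPLACEHOLDER"),
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        print(path, inspect_request(path, body))
```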

Impact

By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.

Replace affected devices

Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.

References

Acknowledgements

This vulnerability was coordinated and publicly disclosed by Fortinet’s FortiGuard Labs.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2019-16920
Date Public: 2019-10-03
Date First Published: 2019-10-23
Date Last Updated: 2019-10-25 11:45 UTC
Document Revision: 12

Microsoft Office for Mac cannot properly disable XLM macros

Overview

The Microsoft Office for Mac option “Disable all macros without notification” enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

XLM macros

Up to and including Microsoft Excel 4.0, a macro format called XLM was available. XLM macros predate the VBA macros that are more common in modern Microsoft Office systems; however, current Microsoft Office versions still support XLM macros.

SYLK and XLM macros

XLM macros can be incorporated into SYLK files, as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet.

SYLK and XLM macros with Microsoft Office for Mac

It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post, Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files.

The Problem

If Office for the Mac has been configured to use the “Disable all macros without notification” feature, XLM macros in SYLK files are executed without prompting the user.

Impact

By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has “Disable all macros without notification” enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel.

Solution

Apply an update

This issue is addressed for Office 2016 for Mac build 16.16.16 (19111100) and Office 2019 for Mac build 16.31 (19111002), as described in the Microsoft Security update for CVE-2019-1457.

Block SYLK files at email and web gateways

SYLK files, which have the file extension SLK, should be blocked at email and web gateways to help prevent exploitation of this vulnerability.
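Blocking on the SLK extension alone misses a SYLK file sent under another name, so a gateway should also recognise the format by content. As an added example (not Microsoft's or Outflank's code), the Python classifier below identifies SYLK by its leading ID record, collects the function names used in formula (E) fields of cell (C) records, and flags files that reference Excel 4.0 macro functions; the sample files are constructed and the function list is an assumption to be tuned.

```python
import re

SYLK_MAGIC = b"ID;"
# Excel 4.0 (XLM) macro functions that have no business in a spreadsheet that
# arrives by e-mail or download; this list is an assumption and should be tuned.
XLM_FUNCTIONS = {"EXEC", "CALL", "REGISTER", "RUN", "FOPEN", "FWRITE"}


def is_sylk(data: bytes) -> bool:
    """Identify SYLK by its leading ID record rather than by the .slk extension,
    so the decision does not depend on the file name the sender chose."""
    return data.lstrip().startswith(SYLK_MAGIC)


def sylk_formula_functions(data: bytes) -> set:
    """Function names used in formula (E) fields of cell (C) records. SYLK
    records are one per line with fields separated by ';'."""
    found = set()
    if not is_sylk(data):
        return found
    for record in data.decode("latin-1").splitlines():
        fields = record.split(";")
        if fields[0] != "C":
            continue
        for field in fields[1:]:
            if field.startswith("E"):
                found.update(re.findall(r"([A-Z][A-Z0-9.]*)\s*\(", field[1:].upper()))
    return found


def classify(data: bytes) -> str:
    """'not-sylk', 'sylk' (formulas at most, no macro functions) or 'sylk-xlm'
    (quarantine or block at the gateway)."""
    if not is_sylk(data):
        return "not-sylk"
    return "sylk-xlm" if sylk_formula_functions(data) & XLM_FUNCTIONS else "sylk"


# Constructed samples, not real attachments.
PLAIN_SHEET = b'ID;PWXL;N;E\r\nC;Y1;X1;K"total"\r\nC;Y1;X2;ESUM(R2C2:R3C2)\r\nE\r\n'
MACRO_SHEET = b'ID;PWXL;N;E\r\nC;Y1;X1;EEXEC("PLACEHOLDER")\r\nE\r\n'
CSV_FILE = b"a,b,c\r\n1,2,3\r\n"

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_SHEET), ("macro", MACRO_SHEET), ("csv", CSV_FILE)]:
        print(name, classify(sample), sorted(sylk_formula_functions(sample)))
```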

References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457
  • https://support.office.com/en-us/article/working-with-excel-4-0-macros-ba8924d4-e157-4bb2-8d76-2c07ff02e0b8
  • https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/
  • https://support.office.com/en-us/article/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
  • https://outflank.nl/blog/2018/10/12/sylk-xlm-code-execution-on-office-2011-for-mac/
  • https://objective-see.com/blog/blog_0x50.html

Acknowledgements

This issue was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2019-1457
Date Public: 2019-10-31
Date First Published: 2019-11-01
Date Last Updated: 2019-11-15 12:51 UTC
Document Revision: 37