Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. 

Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.  

There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

ManageEngine OpManager directory traversal vulnerability 

Discovered by Marcin “Icewall” Noga. 

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager, a network management solution. 

TALOS-2023-1851 (CVE-2023-47211) can be exploited if an adversary sends the target a specially crafted HTTP request, which could allow them to create a file at an arbitrary location outside the default MiB file directory. This vulnerability has a critical severity score of 9.1 out of 10. 

This vulnerability arises when the adversary, using OpManager, navigates to Settings -> Tools -> MiB Browser and selects “Upload MiB.” The arbitrary file they could eventually create is restricted to a few file extensions, however, including .txt, .mib and .mi2. 
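The following is an added illustration of the bug class described above, not OpManager's code: a traversal-prone way of building an upload path beside a hardened version that refuses directory components, enforces the .txt/.mib/.mi2 allowlist named in the advisory, and checks that the resolved path stays inside the MiB directory. The MIB_DIR value is a hypothetical placeholder.

```python
import os

# Hypothetical MIB directory; OpManager's real default location is not given here.
MIB_DIR = "/opt/opmanager/mibs"
# Extensions the advisory says an uploaded MiB file may have.
ALLOWED_EXTENSIONS = {".txt", ".mib", ".mi2"}


def naive_upload_path(base_dir: str, user_filename: str) -> str:
    """The traversal-prone pattern: the client-supplied name is joined to the
    base directory unchecked, so '..' segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, user_filename))


def safe_upload_path(base_dir: str, user_filename: str):
    """Return the path an uploaded MiB file may be written to, or None to reject it."""
    # NUL bytes can truncate the name in lower-level file APIs.
    if not user_filename or "\x00" in user_filename:
        return None
    # Refuse any directory component at all, on either separator style.
    if "/" in user_filename or "\\" in user_filename:
        return None
    if user_filename in (".", ".."):
        return None
    # Extension allowlist, compared case-insensitively on the final suffix.
    if os.path.splitext(user_filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_filename))
    # Defence in depth: the resolved path must still sit inside the MiB directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```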

Multiple vulnerabilities in GTKWave 

Discovered by Claudio Bozzato. 

Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. 

GTKwave is a wave viewer used to run different FPGA simulations. It includes multiple versions to run on macOS, Linux, Unix and Microsoft machines. The open-source software analyzes trace files to look at the results of simulations run across different design implementations, or to analyze protocols captured with logic analyzers.  

Talos researchers found a wide array of security issues across this software that affect different functions in GTKwave, many of which are triggered if an attacker can trick the targeted user into opening a specially crafted malicious file. In all, Talos recently released 33 advisories that cover more than 80 CVEs. Many of these issues are caused by the reuse of vulnerable code across the software. Other vulnerabilities appear more than once because the same flaw can be reached through different file types used as the initial malicious document. 

There are eight integer overflow vulnerabilities that could result in memory corruption, and eventually, arbitrary code execution: TALOS-2023-1812 (CVE-2023-38618, CVE-2023-38621, CVE-2023-38620, CVE-2023-38619, CVE-2023-38623, CVE-2023-38622), TALOS-2023-1816 (CVE-2023-35004), TALOS-2023-1822 (CVE-2023-35989), TALOS-2023-1798 (CVE-2023-36915, CVE-2023-36916), TALOS-2023-1777 (CVE-2023-32650), TALOS-2023-1824 (CVE-2023-39413, CVE-2023-39414), TALOS-2023-1790 (CVE-2023-35992) and TALOS-2023-1792 (CVE-2023-35128). 

The most common vulnerability type Talos researchers found in GTKWave were out-of-bounds write issues that could lead to arbitrary code execution. All the following vulnerabilities could be exploited if a target opened an attacker-created file: 

TALOS-2023-1807 (CVE-2023-37921, CVE-2023-37923, CVE-2023-37922) can also lead to remote code execution, but in this case, is caused by an arbitrary write issue. 

For a complete list of all the vulnerabilities Talos discovered in GTKWave, refer to our Vulnerability Reports page.

DuoUniversalKeycloakAuthenticator for Keycloak 

Discovered by Benjamin Taylor of Cisco ASIG. 

An information disclosure vulnerability exists in the instipod DuoUniversalKeycloakAuthenticator for Keycloak. Keycloak is an open-source identity and access management solution, and DuoUniversalKeycloakAuthenticator allows Keycloak to push a Cisco Duo notification to the Duo app, asking the user to approve the authentication.  

Once the Keycloak extension for Duo detects that initial authentication with Keycloak has succeeded, it redirects the user’s browser to the configured duosecurity.com endpoint and includes the user’s username and password in that redirect each time. 

TALOS-2023-1907 (CVE-2023-49594) covers this unnecessary exposure of credentials, which could allow an attacker to view or steal this information. 

Multiple vulnerabilities in WWBN AVideo 

Discovered by Claudio Bozzato. 

WWBN AVideo contains multiple vulnerabilities that an attacker could exploit to carry out a range of malicious actions, including brute-forcing user credentials and forcing a targeted user to reset their password to something the attacker knows. 

AVideo is a web application, mostly written in PHP, that allows users to create audio and video sharing websites. Users can import videos from other sources, like YouTube, encode the videos and then make them shareable in various ways. 

There are multiple cross-site scripting vulnerabilities in AVideo that could allow an attacker to execute arbitrary JavaScript code on the targeted machine: 

An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted web page. 

There are three other vulnerabilities — TALOS-2023-1869 (CVE-2023-47171), TALOS-2023-1881 (CVE-2023-49738) and TALOS-2023-1880 (CVE-2023-49864, CVE-2023-49863, CVE-2023-49862) — that could allow adversaries to read arbitrary files with an HTTP request targeting different parameters in AVideo’s “objects/aVideoEncoderReceiveImage.json.php” file. 

Talos researchers also discovered TALOS-2023-1896 (CVE-2023-49589), an insufficient entropy vulnerability that can allow an attacker to forge a password reset for an administrator account. This could allow an adversary to reset a user’s account, set a new password that only the adversary knows, and then log in with that account information. An adversary could also exploit TALOS-2023-1897 (CVE-2023-50172) to prevent AVideo from sending an email to the associated account’s email address alerting them of the password reset process, so exploitation becomes less evident. 

Similarly, TALOS-2023-1900 (CVE-2023-49599) can also be exploited using this method, but this vulnerability targets administrator accounts. 
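As an added illustration of the insufficient-entropy class described above (not AVideo's code), the block below contrasts a constructed weak reset token derived from the user name and the current second, which repeats for requests in the same second, with a reset flow that issues 256 bits of CSPRNG entropy, stores only a hash of the token, expires it, and accepts it exactly once. The in-memory store and the 15-minute TTL are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example of the weak pattern: the token depends only on values
# an attacker can know or narrow down (user name, request time in seconds).
def weak_reset_token(user_id: str, now: float) -> str:
    return hashlib.md5(f"{user_id}:{int(now)}".encode()).hexdigest()


# Hypothetical in-memory store: sha256(token) -> (owner, expiry timestamp).
# Storing the digest rather than the token keeps a leaked table unusable.
_pending: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token backed by 32 bytes from the OS CSPRNG."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # not derived from time, user data or a seeded PRNG
    _pending[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def consume_reset_token(user_id: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token that belongs to user_id."""
    now = time.time() if now is None else now
    # Pop unconditionally so a token is spent even when the checks below fail.
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return False
    owner, expires = entry
    return owner == user_id and now <= expires
```

A real deployment would also send the reset notification from the server side regardless of any client-supplied flag, so an attacker cannot suppress it as described for TALOS-2023-1897.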

The most serious vulnerability Talos discovered in AVideo is TALOS-2023-1886 (CVE-2023-47862), a local file inclusion vulnerability that could eventually lead to arbitrary code execution. This vulnerability has a severity score of 9.8 out of 10. TALOS-2023-1885 (CVE-2023-49715) is an unrestricted PHP file upload vulnerability that can also lead to code execution, but only when used in conjunction with a local file inclusion vulnerability like TALOS-2023-1886. 

TALOS-2023-1898 (CVE-2023-49810) could be exploited in AVideo by sending a specially crafted HTTP request. An adversary could use this vulnerability to bypass the CAPTCHA check when logging into the service, making brute-force or password-guessing attacks against login credentials easier.