Multiple Vulnerabilities in Siemens SCALANCE Products 

Indian - Computer Emergency Response Team (cert-in.org.in)

Severity Rating: HIGH

Systems Affected

SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0)

SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0)

SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0)

Overview

Multiple vulnerabilities have been reported in Siemens SCALANCE products which could allow an attacker to inject commands or exploit buffer overflow to execute arbitrary code, perform Cross Site Scripting attacks and cause denial of service condition on the targeted system.

Description

These vulnerabilities exist in Siemens SCALANCE Products due to uncontrolled resource consumption, buffer overflow errors, improper neutralization of input during web page generation, improper neutralization of special elements used in a command and improper input validation.

Successful exploitation of these vulnerabilities could allow an attacker to inject commands or exploit buffer overflow to execute arbitrary code, perform Cross Site Scripting attacks and cause denial of service condition on the targeted system.

Workaround

CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, CVE-2022-37889: Enable CPSec via the cluster-security command.

CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37895, CVE-2022-37896: Restrict the web-based management interface to a dedicated layer 2 segment/VLAN and/or control the interface by firewall policies at layer 3 and above.

CVE-2022-37893: Restrict the command line interface to a dedicated layer 2 segment/VLAN and/or control the interface by firewall policies at layer 3 and above.

Vendor Information

Siemens

References

Siemens

CVE Name

CVE-2002-20001

CVE-2022-37885

CVE-2022-37886

CVE-2022-37887

CVE-2022-37888

CVE-2022-37889

CVE-2022-37890

CVE-2022-37891

CVE-2022-37892

CVE-2022-37893

CVE-2022-37894

CVE-2022-37895

CVE-2022-37896

Remote Code Execution Vulnerability in F5 Products 

Indian - Computer Emergency Response Team (cert-in.org.in)

Severity Rating: HIGH

Software Affected

F5 BIG-IP (all modules) versions (17.0.0, 16.1.0 - 16.1.3, 15.1.0 - 15.1.8, 14.1.0 - 14.1.5, 13.1.0 - 13.1.5.

Overview

A vulnerability has been reported in F5 Products which could allow a remote attacker to execute arbitrary code on the targeted system.

Description

This vulnerability exists in F5 Products due to improper validation of user-supplied input and a flaw when running in Appliance mode. A remote attacker could exploit this vulnerability by sending a specially-crafted request using an iControl REST endpoint.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the targeted system.

Solution

Apply appropriate upgrade as mentioned security advisory:

Vendor Information

F5 Products

References

F5 Products

CVE Name

CVE-2022-41622

CVE-2022-41800

Multiple Vulnerabilities in Red Hat JBoss Data Grid 

Indian - Computer Emergency Response Team (cert-in.org.in)

Severity Rating: MEDIUM

Software Affected

Red Hat JBoss Data Grid Text-Only Advisories x86_64

Overview

Multiple vulnerabilities have been reported in Red Hat JBoss which could be exploited by a remote attacker to execute arbitrary code, gain access to sensitive information or perform Denial of Service (DoS) condition on the targeted system.

Description

These vulnerabilities exit in Red Hat JBoss due to a flaw when fetching a remote url with Cookie, temporary storing uploads on the disk is enabled; improper validation of user-supplied input by the Command line plugin, missing to nested depth limitation for collections and stack-overflow in parsing YAML files. A remote attacker could exploit these vulnerabilities by sending specially crafted request to the application or by manipulating the processed input stream.

Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code, gain access to sensitive information or perform Denial of Service (DoS) condition on the targeted system.

Solution

Apply appropriate fix/patches as mentioned in the following link

Vendor Information

RedHat

References

RedHat

CVE Name

CVE-2022-23647

CVE-2022-24823

CVE-2022-25857

CVE-2022-38749

CVE-2022-38750

CVE-2022-38751

CVE-2022-38752

CVE-2022-0235

Indian - Computer Emergency Response Team (cert-in.org.in)

Severity Rating: MEDIUM

Component Affected

Cisco Identity Services Engine (ISE)

Overview

Multiple Vulnerabilities have been reported in web-based management interface of Cisco Identity Services Engine (ISE) which could allow a remote attacker to make unauthorized changes to the file system and conduct a cross-site scripting (XSS) attack on the targeted System.

Description

1. Path Traversal Vulnerability ( CVE-2022-20962   )

This vulnerability exists in Localdisk Management feature of Cisco Identity Services Engine (ISE) due to insufficient input validation. A remote attacker could exploit this vulnerability by sending a crafted HTTP request with absolute path sequences.

Successful exploitation of this vulnerability could allow a remote attacker to upload malicious files to arbitrary locations within the file system and execute commands with system privileges.

2. Cross-Site Scripting Vulnerability ( CVE-2022-20963   )

This Vulnerability exists in web-based management interface of Cisco Identity Services Engine (ISE) due to insufficient validation of user-supplied input by the web-based management interface. A remote attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Solution

Apply appropriate updates as mentioned in:

Vendor Information

CISCO

References

CISCO

CVE Name

CVE-2022-20962

CVE-2022-20963

Indian - Computer Emergency Response Team (cert-in.org.in)

Severity Rating: HIGH

Software Affected

Google Chrome versions prior to 107.0.5304.121 for Mac and Linux

Google Chrome versions prior to 107.0.5304.121/.122 for Windows

Overview

A Vulnerability has been reported in Google Chrome, which could allow a remote attacker to execute arbitrary code on the targeted system.

Description

This vulnerability exists in Google Chrome due to Heap buffer overflow in GPU. A remote attacker could exploit this vulnerability by sending a specially crafted request on the targeted system.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the targeted system.

Note: This vulnerability (CVE-2022-4135) is being exploited in the wild. Users are advised to apply patches urgently.

Solution

Apply appropriate updates as mentioned by the vendor.

Vendor Information

Google Chrome

References

Google Chrome

CVE Name

CVE-2022-4135

Current Activity

Threat actors exploiting discontinued Boa web servers to target IoT devices

Indian - Computer Emergency Response Team (cert-in.org.in)

It has been reported that implementations of "Boa web server" by different vendors across a variety of IoT devices and popular software development kits (SDKs) can pose a supply chain risk that may affect large number of organizations and devices.

Boa is an open-source small-footprint web server that is suitable for embedded applications which is discontinued since 2005. Boa web server is implemented across devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens. Boa web servers are still used in software development kits (SDKs), routers, and security cameras.

Boa web servers are affected by several known vulnerabilities including CVE-2017-9833 (arbitrary file access) and CVE-2021-33559 (information disclosure). These vulnerabilities may allow unauthenticated attackers to execute code remotely after gaining device access by reading the "passwd" file from the device or accessing sensitive URIs in the web server to extract a user's credentials.

Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated. The known vulnerabilities impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials.

Indicators of Compromise

The following IP addresses were reportedly used for implementing vulnerable Boa servers:

122[.]117[.]212[.]65

103[.]58[.]93[.]133

125[.]141[.]38[.]53

14[.]45[.]33[.]239

14[.]55[.]86[.]138

183[.]108[.]133[.]29

183[.]99[.]53[.]180

220[.]94[.]133[.]121

58[.]76[.]177[.]166

Recommendations:

Patch vulnerable devices whenever possible to reduce exposure risks across your organization.

Utilize device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments, which identifies unpatched devices in the organizational network and set workflows for initiating appropriate patch processes.

Extend vulnerability and risk detection beyond the firewall. Organizations can identify internet-exposed infrastructure running Boa web server components in their inventory.

Reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. IoT and critical device networks should be isolated with firewalls.

Use proactive antivirus scanning to identify malicious payloads on devices.

Adopt a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility in order to detect and alert when IoT devices with Boa are used as an entry point to a network and protect critical infrastructure.

References