A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices.
This issue affects:
Wyze Cam Pan v2
versions prior to 4.49.1.47.
Wyze Cam v2
versions prior to 4.9.8.1002.
Wyze Cam v3
versions prior to 4.36.8.32.
Monthly Archives: March 2022
CVE-2019-12266
Stack-based Buffer Overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to run arbitrary code on the affected device. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.
Shutterfly, hit by Conti ransomware group, warns staff their data has been stolen
Online photography printing service Shutterfly has disclosed that it has suffered a security breach at the hands of a ransomware gang that exposed the personal information of some employees.
buildah-1.23.3-2.fc35
FEDORA-2022-224a93852c
Packages in this update:
buildah-1.23.3-2.fc35
Update description:
Security fix for CVE-2022-27651
buildah-1.25.1-1.fc36
FEDORA-2022-1a15fe81f0
Packages in this update:
buildah-1.25.1-1.fc36
Update description:
Security fix for CVE-2022-27651
Gating tests: include more package versions
Automatic update for buildah-1.24.2-1.fc36.
Changelog
* Thu Feb 17 2022 Lokesh Mandvekar <lsm5@fedoraproject.org> 1.24.2-1
– bump to v1.24.2
* Fri Feb 4 2022 Lokesh Mandvekar <lsm5@fedoraproject.org> 1.24.1-1
– bump to v1.24.1
Automatic update for buildah-1.24.1-1.fc36.
Changelog
* Fri Feb 4 2022 Lokesh Mandvekar <lsm5@fedoraproject.org> 1.24.1-1
– bump to v1.24.1
Forcepoint ONE helps firms simplify their security
Graham Cluley Security News is sponsored this week by the folks at Forcepoint. Thanks to the great team there for their support! Remember when you thought an antivirus was all you needed to keep safe from cybercriminals? Of course, cybersecurity has never truly been that simple. As threats and business operations have grown more complex, … Continue reading “Forcepoint ONE helps firms simplify their security”
FBI Investigating More than 100 Ransomware Variants
Cyber Division’s assistant director says impact of ransomware has “grown to dangerous proportions”
CVE-2022-22948: VMware vCenter Server Sensitive Information Disclosure Vulnerability
Researchers disclose a moderate severity vulnerability in VMware vCenter Server that can be used in an exploit chain with other vCenter Server flaws to take over servers.
Background
On March 29, VMware published an advisory (VMSA-2022-0009) for a moderate severity vulnerability in VMware vCenter Server, its centralized management software for VMware vSphere cloud computing virtualization systems.
CVE
Description
CVSSv3
VPR*
CVE-2022-22948
VMware vCenter Server Information Disclosure Vulnerability
5.5
6.9
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 30 and reflects VPR at that time.
The vulnerability is credited to Yuval Lazar, a security researcher at Pentera. Lazar was also credited with discovering and disclosing CVE-2021-22015, a local privilege escalation vulnerability in vCenter Server.
Analysis
CVE-2022-22948 is a local information disclosure vulnerability in vCenter Server. An authenticated, local attacker with non-administrative (low-privileged user) access to the vulnerable vCenter Server instance could exploit this vulnerability to obtain sensitive information from the server, such as credentials for a high-privileged user.
For complete analysis of this vulnerability, please refer to Lazar’s blog.
This isn’t the first information disclosure bug in vCenter Server to warrant attention. In 2020, VMware addressed CVE-2020-3952, an information disclosure vulnerability in vCenter Server that was assigned the maximum CVSSv3 score of 10.0.
Chaining exploits to achieve full server takeover
By itself, CVE-2022-22948 is a moderately severe vulnerability. However, Lazar’s research found that by chaining this vulnerability with previously disclosed VMware vCenter vulnerabilities, including CVE-2021-21972, an unauthorized file upload vulnerability and CVE-2021-22015, a local privilege escalation vulnerability that Lazar also discovered, an attacker could potentially take full control of an organization’s ESXi servers.
Image Source: Pentera
VMware vCenter Flaws popular amongst attackers in 2021
Earlier this year, we featured CVE-2021-21985, a critical remote execution flaw in VMware vCenter and vSphere as one of the top five vulnerabilities exploited by attackers in our 2021 Threat Landscape Retrospective. While we highlighted CVE-2021-21985 specifically in the top five, it reflects a general trend of attackers targeting vCenter and vSphere using multiple flaws including CVE-2021-22005 and the aforementioned CVE-2021-21972.
Most of the VMware vulnerabilities referenced in this blog (with the exception of CVE-2021-22015) are included in the Cyber Security and Infrastructure Agency (CISA)’s catalog of known exploited vulnerabilities.
Ransomware groups in particular favor VMware vulnerabilities in the last few years. For instance, the Conti ransomware group and its affiliates have exploited multiple VMware vulnerabilities as part of their attacks to gain initial access into organizations. Since 2020, researchers have discovered that a number of ransomware groups like RansomEXX/Defray777, HelloKitty, REvil, BlackMatter and Hive have also targeted ESXi. There are also reports of an unknown ransomware group encrypting virtual machines in VMware ESXi servers.
Attack chains like the one identified by Lazar could prove to be valuable for ransomware groups and affiliates.
No in-the-wild exploitation observed
Presently, there are no indications that CVE-2022-22948 has been exploited in the wild. Because it is a local, post-authentication vulnerability, it isn’t feasible to identify exploitation attempts. However, an uptick in attempts to exploit CVE-2021-21972 might be indicative of attackers looking to leverage this exploit chain in the wild.
Because an attacker would need to exploit an initial access vulnerability like CVE-2021-21972 before being able to exploit CVE-2022-22948, we believe it’s important for organizations to ensure their VMware systems are patched and up-to-date to prevent exploitation of legacy vulnerabilities. Based on a previously shared Shodan search query for CVE-2021-21972, we’ve found that there are still nearly 3,400 publicly accessible instances of vCenter Server on the internet. While it is unclear what percentage of these instances are vulnerable to CVE-2021-21972, a cursory search of the Shodan results shows more than a few vCenter Server instances running affected versions that are six to eight years old.
Proof of concept
At the time this blog post was published, no public proof-of-concept exploit existed for CVE-2022-22948. However, Lazar’s blog post includes an example of a Python script successfully decrypting the password for a high-privileged user within the vCenter Server that can be used to take over the ESXi.
Image Source: Pentera
Solution
According to VMware’s advisory, Windows 6.5 and 6.7 versions of vCenter Server are not affected. However, the Windows 7.0 version of vCenter Server and the Virtual Appliance versions of vCenter Server are affected.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability can be found here.
For Nessus plugin ID 159306, “VMware vCenter Server 6.5 / 6.7 / 7.0 Information Disclosure (VMSA-2022-0009),” users are required to enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan.
We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.
Enabling Paranoid Mode
To enable this setting for Nessus and Tenable.io users:
Click Assessment > General > Accuracy
Enable the “Show potential false alarms” option
To enable this setting for Tenable.sc (formerly SecurityCenter) users:
Click Assessment > Accuracy
Click the drop-down box and select “Paranoid (more false alarms)”
Get more information
VMware Security Advisory VMSA-2022-0009
Pentera Blog Post for CVE-2022-22948
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
New Research Claims Biden’s Disclosure Deadlines Are Unrealistic
New research shows organizations unprepared for strict new cyber incident reporting requirements
USN-5355-2: zlib vulnerability
USN-5355-1 fixed a vulnerability in zlib. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Danilo Ramos discovered that zlib incorrectly handled memory when
performing certain deflating operations. An attacker could use this issue
to cause zlib to crash, resulting in a denial of service, or possibly
execute arbitrary code.