This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825/EE routers. Authentication is not required to exploit this vulnerability.
Yearly Archives: 2022
ZDI-22-1705: D-Link DIR-825/EE xupnpd Vimeo Plugin Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825/EE routers. Authentication is not required to exploit this vulnerability.
ZDI-22-1706: D-Link DIR-825/EE xupnpd Upload Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825/EE routers. Authentication is not required to exploit this vulnerability.
IcedID Abuses Google Search for Distribution
FortiGuard Labs is aware of a report that the IcedID threat actor started to abuse Google pay per click (PPC) to distribute malware. Malicious ads displayed above search results lead to fake Web sites that mimic Web sites of the legitimate services. The fake Web sites offer a download link that leads to malicious installers that install IcedID to victims’ machines.Why is this Significant?This is significant because Google offers the largest search engine and ads in search results are seen by billions of people every day. The IcedID threat actor reportedly started to abuse Google search, which provides them a prominent platform for malware distribution. Also, the threat actor created fake Web sites that mimic Web sites of legitimate and popular services and applications to trick users into downloading and running malicious installers. How Does the Attack Work?When a search is made on Google, ads from the threat actor are displayed above an actual search result. Clicking the malicious ads redirect users to Web sites that that mimic Web sites of legitimate and popular services and applications. The fake Web sites have a link to download malicious installers that install IcedID to victims’ machines.What else?On December 21st, 2022, Federal Bureau of Investigation (FBI) released an advisory that cyber criminals are leveraging search engine advertisement services for malicious purposes. The advisory specifically calls out threat actors created fake crypto exchange platforms that users are lured into from ads on search results. The fake crypto exchange Web sites are designed to trick users into enter login credentials.What is the Status of Protection?FortiGuard Labs detect the Iced ID and relevant samples in the report with the following AV signature:W64/IcedId.F!trIcedID Command-and-Control servers and fake Web sites that distribute IcedID malware are blocked by Webfiltering.
New Zerobot Variant Exploits Additional Vulnerabilities for Propagation
FortiGuard Labs is aware of a report that a new Zerobot variant is capable of propagating to other devices by exploiting known vulnerabilities. Zerobot was first reported in a blog released by Fortinet on December 06, 2022. Devices infected with Zerobot connect to Command-and-Control C2) server and can take part in DDoS attacks.Why is this Significant?This is significant because a new Zerobot variant was updated to exploit additional vulnerabilities for propagation. Since previous variants of Zerobot were recently found, Zerobot developer is currently putting constant effort to improve malware. Because of this – patches should be applied to vulnerable devices as soon as possible.What is Zerobot?Zerobot is a Go-based malware recently discovered by Fortinet that runs on Linux and Windows platforms. Zerobot contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.While Zerobot can spread to other devices by exploiting vulnerabilities and performing brute-force attacks, the malware is reportedly unable to propagate to Windows machines. For more information on Zerobot, see the Appendix for a link to “Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities”.What Vulnerabilities does Zerobot Exploit?
The following vulnerabilities are exploited by Zerobot.
Additional vulnerabilities exploited by a new Zerobot
variant:
Vulnerability
Affected Product
CVE-2017-17105
Zivif
PR115-204-P-RS
CVE-2019-10655
Grandstream
CVE-2020-25223
WebAdmin of
Sophos SG UTM
CVE-2021-42013
Apache
CVE-2022-31137
Roxy-WI
CVE-2022-33891
Apache Spark
ZSL-2022-5717
MiniDVBLinux
Vulnerabilities exploited by previously reported variant of
Zerobot
Vulnerability
Affected Product
CVE-2014-8361
miniigd SOAP
service in Realtek SDK
CVE-2017-17106
Zivif
PR115-204-P-RS V2.3.4.2103 Webcams
CVE-2017-17215
Huawei HG532
Router
CVE-2018-12613
phpMyAdmin
CVE-2020-10987
Tenda AC15
AC1900 Router
CVE-2020-25506
D-Link
DNS-320 NAS
CVE-2021-35395
Realtek
Jungle SDK
CVE-2021-36260
Hikvision
product
CVE-2021-46422
Telesquare
SDT-CW3B1 Router
CVE-2022-01388
F5 BIG-IP
CVE-2022-22965
Spring MVC or
Spring WebFlux application (Spring4Shell)
CVE-2022-25075
TOTOLink
A3000RU Router
CVE-2022-26186
TOTOLINK
N600R Router
CVE-2022-26210
Totolink
A830R Router
CVE-2022-30525
Zyxel USG
FLEX 100(W) Firewall
CVE-2022-34538
Digital
Watchdog DW MEGApix IP camera
CVE-2022-37061
FLIR AX8
thermal sensor cameras
Other vulnerabilities that may be associated with Zerobot:
Vulnerability
Affected
Product
CVE-2016-20017
D-Link
DSL-2750B
CVE-2018-10561
Dasan GPON
CVE-2018-20057
D-Link
DIR-605L/DIR-619L
CVE-2020-7209
HP LinuxKI
CVE-2022-30023
Tenda ONT
GPON AC1200 Dual band WiFi HG9
ZERO-36290
What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the samples called out in the report:W32/ZeroBot.A!trW64/ZeroBot.A!trELF/Zerobot.A!trBASH/ZeroBot.A!tr.dldrW32/Agent.JL!trLinux/Agent.SE!trW32/Malicious_Behavior.VEXMalicious_Behavior.SBW32/PossibleThreatPossibleThreatFortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Zerobot:D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (CVE-2014-8361)D-Link.DSL-2750B.CLI.OS.Command.Injection (CVE-2016-20017)Zivif.PR115-204-P-RS.Web.Cameras.Remote.Command.Injection (CVE-2017-17105)Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure (CVE-2017-17106)Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)Dasan.GPON.Remote.Code.Execution (CVE-2018-10561)phpMyAdmin.Authenticated.db_sql.Directory.Traversal (CVE-2018-12613)Grandstream.Devices.Invalid.Phonecookie.Command.Injection (CVE-2019-10655)Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)Sophos.SG.UTM.WebAdmin.PreAuth.Remote.Code.Execution (CVE-2020-25223)D-Link.ShareCenter.Products.CGI.Code.Execution (CVE-2020-25506)HP.LinuxKI.Kivis.PHP.Remote.Command.Injection (CVE-2020-7209)Realtek.SDK.CVE-2021-35395.Buffer.Overflow (CVE-2021-35395)Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)Spring.Framework.SerializationUtils.Insecure.Deserialization (CVE-2022-22965)Totolink.Router.Main.Function.Query_String.Command.Injection (CVE-2022-25075)Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)Digital.Watchdog.MEGApix.IP.Camera.Addacph.Command.Injection (CVE-2022-34538)FLIR.AX8.Thermal.Camera.Command.Injection (CVE-2022-37061)All network IOCs are blocked by Webfiltering.
GLSA 202212-06: OpenSSH: Multiple Vulnerabilities
GLSA 202212-07: libksba: Remote Code Execution
binwalk-2.3.3-1.fc36
FEDORA-2022-3727f00e4b
Packages in this update:
binwalk-2.3.3-1.fc36
Update description:
Security fix for CVE-2021-4287
binwalk-2.3.3-1.fc37
FEDORA-2022-a36ba48049
Packages in this update:
binwalk-2.3.3-1.fc37
Update description:
Security fix for CVE-2021-4287
CVE-2018-25046
Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.