This week we have six vendor disclosures from Advantech, Aruba
Networks (2), Bosch, Carestream, and VMware. We have a researcher report for
products from Secomea (and B&R automation). Finally, there are two remote
access exploits for products from ASUS and

Advantech Advisory

Advantech published an advisory discussing the DNSpooq vulnerabilities
in their industrial cellular routers. Advantech notes that their routers are
only vulnerable to the three ‘cache poisoning’ vulnerabilities. Advantech has
new firmware that mitigates the vulnerabilities.

Aruba Advisories

Aruba published an advisory discussing the DNSpooq vulnerabilities
in their products. Aruba reports that their products are only vulnerable to the
three ‘cache poisoning’ vulnerabilities. Aruba will update the dnsmasq in “future
routine maintenance patches”.

Aruba published an advisory describing twelve vulnerabilities in their AirWave Management
Platform. The vulnerabilities were reported by multiple researchers via the BugCrowd platform. Aruba has a new version
that mitigates the vulnerabilities. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Cross-site request forgery (2) – CVE-2021-29960 and CVE-2021-29961,

• Command injection (2) – CVE-2021-29962 and CVE-2021-29963,

• Improper access control – CVE-2021-29964,

• SQL injection (2) – CVE-2021-29965 and CVE-2021-29966,

• Reflected cross-site scripting – CVE-2021-29967,

• Authenticated stored cross-site scripting – CVE-2021-29968,

• Authenticated XML external entity – CVE-2021-29969, and

• Authenticated remote command injection (2) – CVE-2021-29970 and CVE-2021-29971

Bosch Advisory

Bosch published an advisory describing three vulnerabilities in their ctrlX CORE and the IoT
Gateway. These are third-party (Linux kernel and sudo) vulnerabilities. Bosch
reports that the next updates for the affected products would include updates
for both the kernel and sudo.

The three reported vulnerabilities are:

• Improper locking and use after free – CVE-2020-29661,

• Out-of-bounds write – CVE-2021-3156 (multiple exploits publicly available), and

• Use after free – CVE-2021-3347 (exploit publicly available)

Carestream Advisory

Carestream published an advisory [.PDF download link] describing a heap-based buffer overflow
vulnerability in a number of their products. This is a third-party (Chrome)
vulnerability. Carestream reports that Chrome will be updated with the next
software release for most of the affected products. This vulnerability has been
exploited in the wild, but not yet in Carestream products.

VMware Advisory

VMware published an advisory describing three vulnerabilities in their VMware ESXi and vCenter
Server. The vulnerabilities were reported by Mikhail Klyuchnikov of Positive
Technologies, and Lucas Leong via
the Zero Day Initiative. VMware has new versions that mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Remote code execution – CVE-2021-21972,

• Heap-based buffer overflow – CVE-2021-21974,

• Server-side request forgery – CVE-2021-21973

Tenable has published a report on the vulnerabilities noting that these vulnerabilities have been
exploited in the wild. NebulabdSec has published
proof-of-concept code for the RCE vulnerability.

Secomea Report

Tenable published a report (including proof-of-concept code)
describing three vulnerabilities in the Secomea GateManager (also applies to
B&R GateManager). The report was coordinated with both Secomea and B&R;
Secomea has a new version that mitigates the vulnerabilities. B&R’s response
is pending.

The three reported vulnerabilities include:

• Reflected cross-site scripting – CVE-2020-29028,

• Authentication token exposed in URL path – CVE-2020-29030, and

• Authenticated malicious firmware upload – CVE-2020-29029

NOTE: This is likely to be a third-party vulnerability in
products from vendors other than B&R.

Remote Access Exploits

H4rk3nz0 published an exploit for a remote
code execution vulnerability in the ASUS Remote Link. There is no CVE# listed
and no indication that ASUS had been contacted. This may be a 0-day exploit.

MATTHEW DUNN published a Metasploit module for an
authentication timing vulnerability for Remote Desktop Web Access. There is no
CVE# and no indication that Microsoft has been contacted. This may be a 0-day
exploit.

By admin