Sig Dev Labs Weekly Report (Nov 27th – Dec 3rd)
Summary

Total 13 Zero-Day Vulnerabilities were discovered in 5 Categories last week.

• Cross Site Scripting – 4
• SQL Injection – 1
• Command Injection – 6
• HTML Injection – 1
• Local File Inclusion – 1
No of Zero Day Vulnerabilities Protected through CRS: 12
No of Zero Day Vulnerabilities Protected through Custom Rules: 1*
No of Zero Day Vulnerabilities for which protection cannot be determined: 0**

* To enable custom rules please contact [email protected]
** Since attack vectors are not known, Indusface cannot determine if these vulnerabilities are protected
88% of Zero-Day Vulnerabilities were protected by CRS in the last 3 months
8% of Zero-Day Vulnerabilities were protected by custom rules in the last 3 months
Vulnerability Trend
From the “Top Five Vulnerability Categories” chart we can infer that a moderate number of Cross Site Scripting vulnerabilities are detected. Multiple SQL Injection vulnerabilities were discovered in September and November, more than in October and more than in the other categories as well.
Note: Our Sig-Dev team constantly monitors the security landscape and leading security websites to identify any new vulnerabilities identified/published and monitors/updates rules to ensure around the clock protection for customer sites.
Details:

1. Cross Site Scripting

CVE ID: TBA
Affected Component/Version: CommuniGatePro 6.1.16
Description: CommuniGatePro 6.1.16 webmails (crystal, pronto and pronto4) suffer from multiple stored Cross Site Scripting vulnerabilities. Exploiting these may allow arbitrary script to be executed on the server.
Action: Protected by Default rules.

CVE ID: TBA
Affected Component/Version: OpenEMR 5.0.0
Description: By exploiting the vulnerability documented in this advisory, an attacker can fully compromise the web server on which OpenEMR is installed. Potentially sensitive health care and medical data might be exposed through this attack.
Action: Protected by Default rules.

CVE ID: CVE-2017-14186
Affected Component/Version: FortiGate SSL VPN Portal 5.x
Description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.6, 5.2.0 to 5.2.12, 5.0 and below versions under the SSL VPN web portal allows an authenticated user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. A URL Redirection attack may also be feasible by injecting an external URL via the affected parameter.
Action: Protected by Default rules.

CVE ID: CVE-2017-16884
Affected Component/Version: MistServer 2.12
Description: Unauthenticated remote attackers can inject persistent XSS payloads by making failed HTTP authentication requests. Attacker-supplied payloads are stored in the server logs as failed authentication alerts. MistServer echoes the unsanitized payloads back in its web interface, which refreshes automatically every few seconds, thereby executing arbitrary attacker-supplied code.
Action: Protected by Default rules.

2. SQL Injection

CVE ID: TBA
Affected Component/Version: Jobs2Careers / Coroflot Clone
Description: Jobs2Careers / Coroflot Clone is vulnerable to SQL injection. Exploiting this may expose portions of the database.
Action: Protected by Default rules.

3. Command Injection

CVE ID: TBA
Affected Component/Version: pfSense 2.3.1_1
Description: pfSense User Manager-->Groups) in the handling of the members[] parameter. This allows an authenticated WebGUI user with privileges for system_groupmanager.php to execute commands in the context of the root user.
Action: Protected by Default rules.

CVE ID: TBA
Affected Component/Version: Synology StorageManager 5.2
Description: Successful exploitation of this vulnerability enables a remote unauthenticated user to run commands as root on the machine.
Action: Protected by Default rules.

CVE ID: TBA
Affected Component/Version: WAGO PFC 200 series
Description: WAGO PFC 200 Series is vulnerable to a command injection/authentication bypass vulnerability. Exploiting this may lead to complete compromise of the system.
Action: Protected by Default rules.

CVE ID: CVE-2017-5816
Affected Component/Version: HP iMC Plat 7.2
Description: HP iMC Plat 7.2 is vulnerable to command injection; exploiting this may leak user information.
Action: Protected by Default rules.

CVE ID: CVE-2017-17055
Affected Component/Version: Artica Web Proxy 3.06.112216
Description: Artica offers a web-based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root. Exploiting this vulnerability may lead to full compromise of the server.
Action: Protected by Default rules.

CVE ID: TBA
Affected Component/Version: Axis Communications MPQT/PACS
Description: Axis Communications MPQT/PACS is vulnerable to an information leakage vulnerability via command injection. Exploiting this may leak sensitive information.
Action: Protected by Default rules.

4. HTML Injection

CVE ID: TBA
Affected Component/Version: pfSense 2.4.1
Description: pfSense version 2.4.1 suffers from a clickjacking vulnerability in the cross site request forgery error page. Exploiting this may allow arbitrary commands to be executed.
Action: Protected by Default rules.

5. Local File Inclusion

CVE ID: TBA
Affected Component/Version: WinduCMS 3.1
Description: Local File Disclosure vulnerability exists in WinduCMS through a vulnerable PHPMailer version 5.2.1.
Action: Protected from Custom Rule.