VULNERA Pulse

ZK Framework — AuUploader

CVE-2022-36537 / Added: Feb. 27, 2023

HIGH CVSS 7.50

ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.

Headlines

• March 3, 2023 - This Week In Security: OpenEMR, Bing Chat, And Alien Kills Pixels
• March 2, 2023 - Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware
• March 1, 2023 - CISA: ZK Java Framework RCE Flaw Under Active Exploit
• Feb. 28, 2023 - CISA warns of hackers exploiting ZK Java Framework RCE flaw
• Feb. 28, 2023 - CISA adds ZK Java Web Framework bug to Known Exploited Vulnerabilities Catalog
• Feb. 28, 2023 - CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability
• Feb. 22, 2023 - R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor
• Nov. 1, 2022 - Experts warn of critical RCE in ConnectWise Server Backup Solution
• Nov. 1, 2022 - Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

Back to top ↑

CVE-2023-20079

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 3, 2023

Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.

Quotes

• A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges
• An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device
• An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface
• A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device

Headlines

• March 2, 2023 - Cisco fixed a critical command injection bug in IP Phone Series
• March 2, 2023 - Cisco Patches Critical Vulnerability in IP Phones
• March 2, 2023 - Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
• March 2, 2023 - Cisco ships critical fix for IP phones
• March 1, 2023 - Cisco patches critical Web UI RCE flaw in multiple IP phones

CVE-2023-20078

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 3, 2023

Multiple vulnerabilities in the web-based management interface of certain Cisco IP Phones could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.

Quotes

• A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges
• An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device
• An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface
• A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device

Headlines

• March 2, 2023 - Cisco fixed a critical command injection bug in IP Phone Series
• March 2, 2023 - Cisco Patches Critical Vulnerability in IP Phones
• March 2, 2023 - Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
• March 2, 2023 - Cisco ships critical fix for IP phones
• March 1, 2023 - Cisco patches critical Web UI RCE flaw in multiple IP phones

CVE-2023-22752

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 1, 2023

There are stack-based buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Quotes

• An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface

Headlines

• March 2, 2023 - Aruba says it has patched a number of critical security flaws, so update now
• March 2, 2023 - Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
• March 1, 2023 - Aruba Networks fixes six critical vulnerabilities in ArubaOS
• March 1, 2023 - Aruba fixes protocol vulnerabilities

CVE-2023-22747

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 1, 2023

There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Quotes

• An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface

Headlines

• March 2, 2023 - Aruba says it has patched a number of critical security flaws, so update now
• March 2, 2023 - Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
• March 1, 2023 - Aruba Networks fixes six critical vulnerabilities in ArubaOS
• March 1, 2023 - Aruba fixes protocol vulnerabilities

CVE-2022-36537

HIGH CVSS 7.50

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Aug. 26, 2022

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

Vendors Impacted: Zkoss, Zk Framework

Products Impacted: Auuploader, Zk Framework

Quotes

• The pivot that we have made to a posture where we’re on our front foot. We’re focusing on making sure we’re doing everything to prevent the attacks in the first place
• To retrieve the content of a file located in the Web context
• ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context
• ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework
• The ZK Framework is an open source Java framework

Headlines

• March 3, 2023 - This Week In Security: OpenEMR, Bing Chat, And Alien Kills Pixels
• March 2, 2023 - Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware
• March 1, 2023 - CISA: ZK Java Framework RCE Flaw Under Active Exploit
• Feb. 28, 2023 - CISA warns of hackers exploiting ZK Java Framework RCE flaw
• Feb. 28, 2023 - CISA adds ZK Java Web Framework bug to Known Exploited Vulnerabilities Catalog
• Feb. 28, 2023 - CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

CVE-2022-21894

MEDIUM CVSS 4.40

Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Jan. 11, 2022

Secure Boot Security Feature Bypass Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Windows 8.1, Windows Server 2019, Windows 10, Windows 11, Windows Server, Windows Server 2016, Windows Server 2012

Quotes

• Directly from the Microsoft symbol store
• Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability
• We can now present evidence that the bootkit is real, and the advertisement is not merely a scam
• Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022. After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware
• Is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled
• Detections are blocked from running before they can attack or infect the system specification
• This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled

Headlines

• March 2, 2023 - BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11
• March 2, 2023 - BlackLotus Bootkit Can Target Fully Patched Windows 11 Systems
• March 2, 2023 - This dangerous UEFI bootkit can hijack your Windows PC with ease
• March 2, 2023 - BlackLotus UEFI bootkit disables Windows security mechanisms - Help Net Security
• March 1, 2023 - It's official: BlackLotus malware can bypass secure boot
• March 1, 2023 - BlackLotus is the first bootkit bypassing UEFI Secure Boot on Windows 11
• March 1, 2023 - BlackLotus bootkit can bypass Windows 11 Secure Boot: ESET
• March 1, 2023 - BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11
• March 1, 2023 - BlackLotus UEFI bootkit: Myth confirmed | WeLiveSecurity

CVE-2023-1017

CVSS Not Assigned

Risk Context N/A

Published: Feb. 28, 2023

An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.

Quotes

• An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM
• These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation
• An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM. Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device

Headlines

• March 3, 2023 - Trusted Platform Module (TPM) 2.0 flaws could impact billions of devices
• March 3, 2023 - New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices
• Feb. 28, 2023 - Security Defects in TPM 2.0 Spec Raise Alarm

CVE-2023-1018

CVSS Not Assigned

Risk Context N/A

Published: Feb. 28, 2023

An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.

Quotes

• An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM
• These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation
• An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM. Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device

Headlines

• March 3, 2023 - Trusted Platform Module (TPM) 2.0 flaws could impact billions of devices
• March 3, 2023 - New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices
• Feb. 28, 2023 - Security Defects in TPM 2.0 Spec Raise Alarm