Security Advisories Notices Update on March 31, 2022

Two advisories for 3CX published and a hotfix from 3CX for a separate issue

Emanuel Duss from Compass Security reported 2 medium severity security issues in 3CX phone system components:

In the first case, the subject of the advisory explains everything. The Windows (legacy), Android or iOS clients simply do not verify the TLS certificate of the 3CX server. This allows man-in-the-middle attackers to get the provisioning data which would typically include credentials and so on.

As for mitigation, the advisory says:

According to the 3CX, the vulnerability will be tackled in future redesigns of the mobile apps.
Users of the legacy Windows client can switch to the new Electron based 3CX
Desktop App which is not affected.

The second issue has been well known since a few years according to the references to German 3CX forums but does not appear to be addressed yet.

The advisory says that:

There is no security update for this vulnerability at the moment. According to the 3CX, the vulnerability will be tackled in future redesigns of the
management console.

3CX also published a hotfix with the following basic information in their changelog:

Fix for a security vulnerability
Fix of memory leak affecting business systems in particular conditions
Fix for application crash of the call manager if under DDOS attack.

If you use 3CX’s software, do upgrade as we’re told these are high or critical severity vulnerabilities. See their post here: Security & Memory Hotfix Available for V18 Update 3.

Kerbit blog posts about Pascom and VoIPmonitor

Security researchers at Kerbit released two interesting blog posts:

In the case of Pascom’s phone system, they essentially chained three different vulnerabilities to get remote code execution. The first vulnerability was a path traversal in the Nginx proxy. This allowed them to reach any application on a Tomcat server behind Nginx. This in turn, exposed an Openfire (XMPP) server that had an SSRF vulnerability – this being the second vulnerability in the chain. This SSRF issue was then used to reach a localhost web service that exposes a (random) password for the user moby. These credentials could then be used to schedule a task that is executed by a Perl script that runs as root.

The second post is about the VoIPmonitor GUI where they found multiple vulnerabilities, such as authentication bypass, SQL injection and remote code execution.

CVE-2022-26143: Mitel MiCollab and MiVoice Business Express used to launch DDoS attacks

Mitel MiCollab phone system has a vulnerability that may be abused in UDP amplification attacks, i.e. be used to launch DDoS attacks. The impressive thing about this issue is the amplification factor of 220 billion percent.

To abuse this issue, attackers need to find Mitel equipment that runs tp240dvr (“TP-240 driver”) on UDP port 10074 that happens to be exposed to the Internet. Then the attacker needs to be able to send a debugging command startblast from a spoofed IP address which belongs to the target victim organisation. When this is done on a wide scale, attackers get to do bandwidth saturation DDoS attacks for free.

The vulnerable TP-240 driver can also be used for other purposes, such as toll fraud.

This issue was abused in the wild by booter DDoS services which is why it is such a great deal.

More on PJSIP’s vulnerabilities fixed last month

The original reporters from JFrog have now issued technical details about the PJSIP vulnerabilities on their blog: JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

The vulnerabilities are tracked under the following CVEs:

CVE-2021-43299 – Stack overflow in PJSUA API when calling pjsua_player_create
CVE-2021-43300 – Stack overflow in PJSUA API when calling pjsua_recorder_create
CVE-2021-43301 – Stack overflow in PJSUA API when calling pjsua_playlist_create
CVE-2021-43302 – Read out-of-bounds in PJSUA API when calling pjsua_recorder_create
CVE-2021-43303 – Buffer overflow in PJSUA API when calling pjsua_call_dump

It looks like by mentioning 3rd party software such as Asterisk, WhatsApp and BlueJeans, journalists covering this might have assumed that these third-party applications are necessarily vulnerable. In their blog post, the JFrog security team tried to clarify that they did not actually test software that relies on the PJSIP library and only tested the library itself.

Asterisk Advisories

With regards to the multipart issue, the Asterisk developers are not sure if it really a problem but they issued an advisory anyway. Then, the STUN issue is relevant when ICE/WebRTC support is switched on (not default). Finally, the “use after free of dialog set” is marked as a major vulnerability too.

Apple Security Advisory

Safari 15.4 Security Content
iOS 15.4 and iPadOS 15.4 Security Content
watchOS 8.5 Security Content
tvOS 15.4 Security Content
macOS Monterey 12.3 Security Content
macOS Big Sur 11.6.5 Security Content
Security Update 2022-003 Catalina Security Content
Xcode 13.3 Security Content
Logic Pro X 10.7.3 Security Content
GarageBand 10.4.6 Security Content

Adobe Security Bulletins and Advisories

Security Updates Available for Adobe Illustrator | APSB21-12 APSB22-15
Security updates available for Adobe Photoshop | APSB21-28 APSB22-14

Mozilla Security Advisories

Security Vulnerabilities fixed in Thunderbird 91.7 mfsa2022-12
Security Vulnerabilities fixed in Firefox 98 mfsa2022-10
Security Vulnerabilities fixed in Firefox ESR 91.7 mfsa2022-11
Security Vulnerabilities fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 mfsa2022-09

Ubuntu Security Notices

Red Hat Security Advisory

Cisco Security Advisory

Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability
Cisco StarOS Command Injection Vulnerability
Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure Privilege Escalation Vulnerability

Microsoft Security

Github Security Advisories

[GHSA-gcx2-gvj7-pxv3] Insufficient Protection against HTTP Request Smuggling in mitmproxy
[GHSA-3p22-ghq8-v749] Renderers can obtain access to random bluetooth device without permission in Electron
[GHSA-4fc4-4p5g-6w89] HTML processing vulnerability allowing to execute JavaScript code
[GHSA-6x2m-w449-qwx7] Code Injection in CRI-O
[GHSA-w2j5-3rcx-vx7x] Sysctls applied to containers with host IPC or host network namespaces can affect the host
[GHSA-2xmm-g482-4439] DQL injection through sorting parameters blocked
[GHSA-rjmq-6v55-4rjv] Improper Authorization in org.cometd.oort
[GHSA-7j52-6fjp-58gr] Inconsistent storage layout for ERC2771ContextUpgradeable
[GHSA-gw5h-h6hj-f56g] Improper Authorization in Gogs
[GHSA-q347-cg56-pcq4] SSRF in repository migration
[GHSA-32gv-6cf3-wcmq] HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods
[GHSA-4vvg-x86p-mvqc] Leaking of user information on Cross-Domain communication in sysend
[GHSA-4qrp-27r3-66fj] Improper sanitize of SVG files during content upload (‘Cross-site Scripting’) in sylius/sylius
[GHSA-mf3v-f2qq-pf9g] Insufficient Session Expiration in Sylius
[GHSA-7563-75j9-6h5p] Sensitive Information Exposure in Sylius
[GHSA-cfhh-xgwq-5r67] Sudden swap of user auth tokens
[GHSA-4jp3-q2qm-9fmw] Improper Restriction of Rendered UI Layers or Frames in Sylius
[GHSA-p6h4-93qp-jhcm] Command Injection in Parse server
[GHSA-mcg6-h362-cmq5] Improper Authorization in cobbler
[GHSA-6h3m-36w8-hv68] Arbitrary file write in nats-server
[GHSA-4cx6-fj7j-pjx9] Code injection in Stripe CLI on windows
[GHSA-83vp-6jqg-6cmr] Incorrect Authentication in shopware
[GHSA-6wrh-279j-6hvw] HTTP caching is marking private HTTP headers as public in Shopware
[GHSA-952p-fqcp-g8pc] HTML injection possibility in voucher code form in Shopware
[GHSA-w267-m9c4-8555] Shopware user session is not logged out if the password is reset via password recovery
[GHSA-jp6h-mxhx-pgqh] Shopware guest session is shared between customers
[GHSA-75p7-527p-w8wp] Server-Side Request Forgery and Open Redirect in AllTube Download
[GHSA-m5pq-gvj9-9vr8] Regular expression denial of service in Rust’s regex crate
[GHSA-9w4w-cpc8-h2fq] Exposure of Sensitive Information to an Unauthorized Actor in httpie
[GHSA-5jgq-x857-p8xw] Account compromise in Evmos
[GHSA-6cp7-g972-w9m9] Use of a Key Past its Expiration Date in Maddy Mail Server
[GHSA-fmx4-26r3-wxpf] Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption
[GHSA-446w-rrm4-r47f] Exposure of home directory through shescape on Unix with Bash
[GHSA-gmv4-r438-p67f] Leading white space bypasses protocol validation
[GHSA-rv6r-3f5q-9rgx] Twisted SSH client and server deny of service during SSH handshake.
[GHSA-cm9w-c4rj-r2cf] Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in view_component
[GHSA-crp2-qrr5-8pq7] containerd CRI plugin: Insecure handling of image volumes
[GHSA-xvm2-9xvc-hx7f] Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer
[GHSA-cxf7-qrc5-9446] Remote shell execution vulnerability when applying commands from user input
[GHSA-32×6-qvw6-mxj4] Forwarding of confidentials headers to third parties in fluture-node
[GHSA-mfjm-vh54-3f96] Cookie-setting is not restricted based on the public suffix list
[GHSA-cjvr-mfj7-j4j8] User-set cookies are kept on redirect requests regardless of the target domain
[GHSA-7f63-h6g3-7cwm] Cross Site Scripting (XSS) in @finastra/ssr-pages
[GHSA-w6cx-qg2q-rvq8] Path Traversal in @finastra/ssr-pages
[GHSA-mj6m-246h-9w56] Improper regex in htaccess file
[GHSA-j34v-3552-5r7j] Multiple security issues in Pomerium’s embedded envoy
[GHSA-r5hc-wm3g-hjw6] Server-Side Request Forgery (SSRF) in rudloff/alltube
[GHSA-4v37-24gm-h554] Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4
[GHSA-xjp4-6w75-qrj7] Remote CLI Command Execution Vulnerability in CodeIgniter4
[GHSA-p93v-m2r2-4387] Denial of service via insufficient metadata validation
[GHSA-w4f8-fxq2-j35v] Possible privilege escalation via bash completion script
[GHSA-chxf-fjcf-7fwp] Possible filesystem space exhaustion by local users
[GHSA-gv9j-4w24-q7vx] Improper random number generation in github.com/coredns/coredns
[GHSA-2j6v-xpf3-xvrv] Use of Externally-Controlled Format String in wire-avs

Node.js Security Advisories

OpenSSL security releases may require Node.js security releases

Amazon AWS Security Advisories

CVE-2022-0778 awareness