SSD Advisory – ASUSTOR NAS Devices Authentication Bypass

Vulnerabilities Summary
An ASUSTOR NAS or network attached storage is “a computer appliance built from the ground up for storing and serving files. It attaches directly to a network, allowing those on the network to access and share files from a central location”. In the following advisory we will discuss a vulnerability found inside ASUSTOR NAS which lets anonymous attackers bypass authentication requirement of the product.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
ASUSTOR NAS devices running ADM version 3.0.5.RDU1 and prior
Continue reading SSD Advisory – ASUSTOR NAS Devices Authentication Bypass

SSD Advisory – CloudByte ElastiStor OS Unauthenticated Remote Code Execution

Vulnerabilities Summary

The following advisory describes two vulnerabilities found in ElastiCenter,
ElastiStor’s management console, File Injection that leads to unauthenticated remote code execution.

ElastiCenter is the centralized management tool that you use to configure, monitor, manage, and deploy the services provided by CloudByte ElastiStor.
ElastiCenter lets you:

  • Use the Graphical User Interface to manage the storage environment
  • Generate statistical and configuration reports to help troubleshoot
  • Delegate administration tasks
  • Track events
  • Globally control various settings

CVE
CVE-2018-15675

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – CloudByte ElastiStor OS Unauthenticated Remote Code Execution

SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

Vulnerability Summary
VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS the RDP client will make a connection to the host OS IP address rather than the guest OS IP address.

The VRDP server is composted of two parts: a high level, which is open source and residing in the VirtualBox source tree, and is responsible for the display management, and a low level shipped with Extension Pack which is the RDP server which conforms to RDP specifications.

The vulnerability is in the high level part. The vulnerability can be triggered when a connection to a Windows guest OS is closed, i.e. when we close the window of the RDP client application like rdesktop or Microsoft Remote Desktop.

While the crashing bug was reported to the VirtualBox tracker (https://www.virtualbox.org/ticket/16444), it was never considered a security vulnerability, and is not marked as one. This ticket is 15 months old at the time of writing this post and still marked as unresolved.

Prerequisites to exploit the vulnerability:

  • VirtualBox Extension Pack installed on a host. It’s required to enable VRDP server
  • VRDP server enabled
  • 3D acceleration enabled
  • Windows 10 as a guest

The vulnerability can probably be triggered from other guest OS due to the fact the the vulnerable code resides inside the Guest Additions driver.

Credit
An independent security researcher, Sergey Zelenyuk, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

SSD Advisory – Linux Kernel AF_PACKET Use After Free (packet_sock)

Vulnerability Summary
UAF vulnerability in Linux Kernel’s implementation of AF_PACKET leads to privilege escalation. AF_PACKET sockets allow users to send or receive packets on the device driver level, which lets them implement their own protocol on top of the physical layer or sniffing packets including Ethernet and higher levels protocol and higher levels of the OSI model.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
Ubuntu Desktop versions 14.04, 16.04, 17.10, and other Linux distributions with older kernel versions. The vulnerability has been resolved in the latest Linux Kernel version 4.17.11.
Continue reading SSD Advisory – Linux Kernel AF_PACKET Use After Free (packet_sock)