Jan 09, 2024NewsroomNetwork Security / Data Protection

A security flaw has been disclosed in Kyocera’s Device Manager product that could be exploited by bad actors to carry out malicious activities on affected systems.

“This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the ‘Restrict NTLM: Outgoing NTLM traffic to remote servers’ security policy is not enabled,” Trustwave said.

Tracked as CVE-2023-50916, Kyocera, in an advisory released late last month, described it as a path traversal issue that enables an attacker to intercept and alter a local path pointing to the backup location of the database to a universal naming convention (UNC) path.

This, in turn, causes the web application to attempt to authenticate the rogue UNC path, resulting in unauthorized access to clients’ accounts and data theft. Furthermore, depending on the configuration of the environment, it could be exploited to pull off NTLM relay attacks.

The shortcoming has been addressed in Kyocera Device Manager version 3.1.1213.0.

QNAP Releases Fixes for Several Flaws

The development comes as QNAP released fixes for several flaws, including high-severity vulnerabilities impacting QTS and QuTS hero, QuMagie, Netatalk and Video Station.

This comprises CVE-2023-39296, a prototype pollution vulnerability that could allow remote attackers to “override existing attributes with ones that have an incompatible type, which may cause the system to crash.”

The shortcoming has been addressed in versions QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110.

A brief description of the other notable flaws is as follows –

• CVE-2023-47559 – A cross-site scripting (XSS) vulnerability in QuMagie that could allow authenticated users to inject malicious code via a network (Addressed in QuMagie 2.2.1 and later)
• CVE-2023-47560 – An operating system command injection vulnerability in QuMagie that could allow authenticated users to execute commands via a network (Addressed in QuMagie 2.2.1 and later)
• CVE-2023-41287 – An SQL injection vulnerability in Video Station that could allow users to inject malicious code via a network (Addressed in Video Station 5.7.2 and later)
• CVE-2023-41288 – An operating system command injection vulnerability in Video Station that could allow users to execute commands via a network (Addressed in Video Station 5.7.2 and later)
• CVE-2022-43634 – An unauthenticated remote code execution vulnerability in Netatalk that could allow attackers to execute arbitrary code (Addressed in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110)

While there is no evidence that the flaws have been exploited in the wild, it’s recommended that users take steps to update their installations to the latest version to mitigate potential risks.

Jan 05, 2024NewsroomVulnerability / Network Security

Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers.

Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5.

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti said in an advisory.

“This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.”

The disclosure arrived weeks after the company resolved nearly two dozen security flaws in its Avalanche enterprise mobile device management (MDM) solution.

Of the 21 issues, 13 are rated critical (CVSS scores: 9.8) and have been characterized as unauthenticated buffer overflows. They have been patched in Avalanche 6.4.2.

“An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a denial-of-service (DoS) or code execution,” Ivanti said.

While there is no evidence that these aforementioned weaknesses have been exploited in the wild, state-backed actors have, in the past, exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM) to infiltrate the networks of multiple Norwegian government organizations.

A month later, another critical vulnerability in the Ivanti Sentry product (CVE-2023-38035, CVSS score: 9.8) came under active exploitation as a zero-day.