
Multiple Flaws Detected in GOautodial


Several vulnerabilities have been uncovered in GOautodial, an open-source call centre software suite used around the world, according to security researchers. 

The Synopsys Cybersecurity Research Center (CyRC) issued an advisory disclosing two vulnerabilities in the GOautodial API. GOautodial is available as a free download and is also sold as a paid cloud service by a variety of providers. 

The advisory states: "The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via an unrestricted file upload." 

The first, CVE-2021-43175, is a broken authentication issue that lets an attacker with access to the internal network hosting GOautodial obtain sensitive configuration information, such as default passwords, from the GOautodial server without any credentials. A threat actor could use that information to pivot to other systems on the network, such as VoIP phones. 

The second, CVE-2021-43176, lets any authenticated user, at any privilege level, achieve remote code execution through an unrestricted file upload. 

CyRC warned: "This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behaviour such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else)." 
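The "unrestricted file upload to code execution" chain described above is a generic web-application failure mode: the server keeps the client-chosen filename and extension and writes the file somewhere the web server will execute it. The following is an added example written for this post, not GOautodial's code (GOautodial is a PHP application; this is an illustrative Python model). The sample uploads, the `/srv/uploads` and `/var/www/html/uploads` directories and the allowlist are all constructed assumptions. It shows the vulnerable pattern beside a hardened check that allowlists extensions, verifies the body's magic bytes, discards the client name and stores the file under a random server-chosen name outside the web root.

```python
import posixpath
import secrets

# Constructed sample uploads (client-supplied filename, leading bytes of the body); not real traffic.
SAMPLE_UPLOADS = [
    ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("recording.wav", b"RIFF\x24\x00\x00\x00WAVEfmt "),
    ("shell.php", b"<?php system($_GET['c']); ?>"),            # web shell
    ("shell.php.png", b"<?php echo 1; ?>"),                    # double extension, PHP body
    ("../../etc/cron.d/job", b"* * * * * root id\n"),          # traversal in the name
]

# Allowlist of accepted extensions and the magic bytes each body must start with (assumed policy).
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "wav": b"RIFF",
}


def unrestricted_save_path(upload_dir, filename):
    """Vulnerable pattern: the client's name (and extension) is used as-is under the
    web root, so 'shell.php' lands exactly where the PHP handler will execute it and
    '../' components walk out of the upload directory."""
    return posixpath.join(upload_dir, filename)


def hardened_save_path(upload_dir, filename, content):
    """Hardened pattern: accept only a plain name with an allowlisted extension whose
    body carries the matching magic bytes, then store it under a random server-chosen
    name (upload_dir should be outside the web root). Returns None when rejected."""
    if filename != posixpath.basename(filename) or filename.startswith("."):
        return None                                  # directory components or dotfile
    stem, sep, ext = filename.rpartition(".")
    ext = ext.lower()
    if not sep or not stem or ext not in ALLOWED:
        return None                                  # no extension, or not allowlisted
    if not content.startswith(ALLOWED[ext]):
        return None                                  # extension lies about the content
    return posixpath.join(upload_dir, secrets.token_hex(16) + "." + ext)


def classify_uploads(upload_dir, uploads):
    """Run every sample through the hardened check; returns [(name, accepted), ...]."""
    return [(name, hardened_save_path(upload_dir, name, body) is not None)
            for name, body in uploads]


if __name__ == "__main__":
    for name, body in SAMPLE_UPLOADS:
        print(f"{name!r:26} unrestricted -> {unrestricted_save_path('/var/www/html/uploads', name)}")
        print(f"{'':26} hardened     -> {hardened_save_path('/srv/uploads', name, body)}")
```

Note that the double-extension case (`shell.php.png`) is rejected by the magic-byte check rather than by name matching, and even a genuine PNG uploaded under that name would be stored as `<random>.png`, so no attacker-chosen string ever reaches the filesystem.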

Vulnerable versions of the GOautodial API include the latest publicly available ISO installer, GOautodial-4-x86_64-Final-20191010-0150.iso, and any build created before September 27, 2021. 

The vulnerabilities were discovered by Scott Tolley of the Synopsys Cybersecurity Research Center using Seeker, the company's interactive application security testing (IAST) tool, which tests for security vulnerabilities throughout the software development life cycle (SDLC). 

Tolley first reported the vulnerabilities to GOautodial on September 22. On October 20, the vendor responded that the flaws had been addressed. Synopsys validated the patch by November 17 and published its security advisory. 

Tolley also identified CVE-2021-33177, CVE-2021-33178, and CVE-2021-33179, which are SQL injection, path traversal, and XSS vulnerabilities, respectively, in the popular application, service, and network monitoring software Nagios XI.

Mozilla Patches Critical Security Bug in Cross-Platform Cryptography library


Mozilla has patched a critical bug in NSS (Network Security Services), its cross-platform cryptographic library, that could be abused by threat actors to crash a vulnerable application or even execute arbitrary code. 

The vulnerability, tracked as CVE-2021-43527, was discovered by Tavis Ormandy, a renowned bug-hunter with Google Project Zero, who named the flaw "BigSig". 

“I've discovered a critical vulnerability in Network Security Services (NSS). NSS is the Mozilla project's cross-platform cryptography library. In 2021, all good bugs need a catchy name, so I'm calling this one "BigSig",” Ormandy explained in a blog post.

According to Ormandy, the flaw leads to a heap-based buffer overflow when verifying DER-encoded DSA or RSA-PSS signatures in email clients and PDF viewers that use NSS versions prior to 3.73 or 3.68.1 ESR. 

All applications that depend on NSS for handling signatures encoded within CMS, PKCS #7, PKCS #12, and S/MIME are likely to be impacted, Mozilla said in its advisory. Applications that use NSS for certificate validation, or for other CRL, OCSP, TLS, or X.509 functionality, may also be affected, depending on how NSS is configured. Exploitation could allow an attacker to crash an application or potentially achieve arbitrary code execution.

“This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted,” Mozilla says. 

The vulnerability exists because the VFYContext structure that NSS creates to hold state while verifying a digital signature can only accommodate signatures of up to 16384 bits (2048 bytes, the size of its RSA member, the largest of the supported algorithms). Any signature larger than that overflows the buffer, Ormandy explained. 

"The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data," Ormandy said. He also noted that the bug is easy to reproduce and that multiple algorithms are affected.

"The bug is that there is simply no bounds checking at all; sig and key are arbitrary-length, attacker-controlled blobs, and cx->u is a fixed-size buffer. The hashobj member contains function pointers, so redirecting execution is trivial," Ormandy concluded.
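To make that description concrete, here is an added example written for this post; it is not NSS code, and the struct, member names and sizes are a simplified model of what the text describes (a fixed-size union sized for a 2048-byte RSA signature, followed by a pointer to a table of function pointers). It places the unchecked copy that Ormandy describes beside a bounded copy, and computes which bytes of an oversized signature would land on the function-pointer member. The 2048- and 2056-byte "signatures" are constructed filler, not real signatures.

```c
/* Added example modelling the BigSig (CVE-2021-43527) pattern. Layout is a
 * simplification for illustration, not the real NSS VFYContext definition. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RSA_MAX_MODULUS_BITS 16384                        /* largest supported signature */
#define RSA_MAX_MODULUS_LEN  (RSA_MAX_MODULUS_BITS / 8)   /* 2048 bytes */
#define DSA_MAX_SIGNATURE_LEN 64                          /* assumed size, illustrative */

/* Stand-in for NSS's hashobj: a table of function pointers the verifier calls. */
struct hash_obj {
    int (*begin)(void *ctx);
    int (*update)(void *ctx, const unsigned char *data, size_t len);
};

/* Simplified VFYContext: one fixed-size union for the signature (sized by the
 * largest member), immediately followed by pointers an overflow will clobber. */
struct vfy_context {
    union {
        unsigned char rsasig[RSA_MAX_MODULUS_LEN];
        unsigned char dsasig[DSA_MAX_SIGNATURE_LEN];
    } u;
    const struct hash_obj *hashobj;   /* first member past u: overwritten first */
    void *hashcx;
};

/* Vulnerable pattern: the attacker-controlled length drives the copy with no
 * comparison against sizeof cx->u. Shown for contrast; never call it with
 * len > sizeof cx->u, because that is exactly the heap overflow. */
void copy_sig_unchecked(struct vfy_context *cx, const unsigned char *sig, size_t len)
{
    memcpy(cx->u.rsasig, sig, len);
}

/* Corrected pattern: bound the copy by the destination size before touching it.
 * Returns 0 on success, -1 (failure) when the signature cannot fit. */
int copy_sig_checked(struct vfy_context *cx, const unsigned char *sig, size_t len)
{
    if (len > sizeof cx->u) {
        return -1;                    /* larger than any supported key: reject */
    }
    memcpy(cx->u.rsasig, sig, len);
    return 0;
}

/* How many bytes of a signature of sig_len bytes would land on hashobj if the
 * unchecked copy were used? 0 means the pointer is untouched; sizeof(pointer)
 * means the attacker fully controls it. */
size_t bytes_overwriting_hashobj(size_t sig_len)
{
    size_t ptr_off = offsetof(struct vfy_context, hashobj) - offsetof(struct vfy_context, u);
    size_t ptr_len = sizeof(const struct hash_obj *);
    if (sig_len <= ptr_off) {
        return 0;
    }
    size_t spill = sig_len - ptr_off;
    return spill > ptr_len ? ptr_len : spill;
}

/* Convenience for testing: run the bounded copy on a constructed all-0x41
 * "signature" of the given length. Returns 1 if accepted, 0 if rejected. */
int checked_accepts(size_t len)
{
    struct vfy_context cx;
    unsigned char sig[RSA_MAX_MODULUS_LEN + 64];       /* constructed filler */
    if (len > sizeof sig) {
        return 0;
    }
    memset(&cx, 0, sizeof cx);
    memset(sig, 0x41, len);
    return copy_sig_checked(&cx, sig, len) == 0;
}

int main(void)
{
    size_t fits = RSA_MAX_MODULUS_LEN;                 /* 2048-byte signature */
    size_t big  = RSA_MAX_MODULUS_LEN + sizeof(void *); /* 2056 bytes on 64-bit */
    printf("%zu-byte signature: %s\n", fits, checked_accepts(fits) ? "accepted" : "rejected");
    printf("%zu-byte signature: %s\n", big, checked_accepts(big) ? "accepted" : "rejected");
    printf("bytes of the %zu-byte signature that would overwrite hashobj: %zu\n",
           big, bytes_overwriting_hashobj(big));
    /* copy_sig_unchecked(&cx, sig, big) would perform exactly that overwrite. */
    return 0;
}
```

The point the numbers make is the one in Ormandy's quote: because `u` is sized for the largest member and `hashobj` sits directly after it, a signature just 8 bytes over the 2048-byte limit replaces the whole function-pointer table pointer with attacker bytes, and the next hash call dereferences it.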