
Vulnerabilities - CERT and SANS

1. VU#811862: Image files in UEFI can be abused to modify boot behavior

Overview
Vendor implementations of the Unified Extensible Firmware Interface (UEFI) provide a
way to customize the logo image displayed during the early boot phase. Binarly has
uncovered vulnerabilities in the image parsing libraries that provide this
capability. An attacker with local privileged access can exploit these
vulnerabilities to modify UEFI settings.

Description
UEFI firmware provides an extensible interface between an operating system and the
hardware platform. UEFI software stores a number of settings and files in a
dedicated Extensible Firmware Interface (EFI) partition known as the EFI system
partition (ESP). The ESP is a special, privileged file system that is independent of
the OS and essentially acts as the storage location for the UEFI boot loaders,
applications, hardware drivers and customizable settings that the UEFI firmware
launches. The ESP is mandatory for UEFI boot and is protected from unprivileged
access. The information stored in the ESP is probed and processed during the early
phases of booting a UEFI-based OS. One such item stored in the ESP is a
personalizable boot logo.

Binarly has discovered a number of vulnerabilities in the image parsing libraries
that read and process these image files. Because these files are processed by
executables that run with high privilege, it is possible to exploit these
vulnerabilities to access and modify high-privileged UEFI settings of a device. The
UEFI supply chain allows these shared libraries to be integrated in various ways:
compiled from source, licensed for modification and reuse, or linked dynamically or
statically into an executable. Binarly has also observed that in some cases an
attacker can create a bundled firmware update that contains a corrupt or malicious
image to trigger these vulnerabilities, so the vulnerability can also be exploited
while a firmware update is being flashed. Either way the attacker needs to get the
image to where the firmware reads it (the ESP, or the update bundle), which is why
local privileged access is the stated precondition. Due to the complex nature of
these vulnerabilities and their potentially wide impact, Binarly uses the label
LogoFAIL to track and support coordination and mitigation of these vulnerabilities.
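As an added illustration (not Binarly's or CERT/CC's code, and not any vendor's actual parser), the following C program shows the sizing pattern behind a logo-parser overflow: a BMP header whose dimensions are trusted in 32-bit arithmetic, next to a header check that validates every field against the bytes actually present before anything is allocated. The sample headers, the 4096x4096 pixel cap (MAX_LOGO_PIXELS) and the error codes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fields of the BMP file header plus BITMAPINFOHEADER that drive buffer sizing. */
typedef struct {
    uint32_t file_size;    /* bytes 2..5: declared file size */
    uint32_t data_offset;  /* bytes 10..13: where pixel data starts */
    int32_t  width;        /* bytes 18..21 */
    int32_t  height;       /* bytes 22..25: negative means top-down rows */
    uint16_t bpp;          /* bytes 28..29: bits per pixel */
} bmp_hdr;

enum { BMP_OK = 0, BMP_BAD_MAGIC, BMP_TRUNCATED, BMP_BAD_DIMENSIONS,
       BMP_BAD_BPP, BMP_TOO_LARGE, BMP_BAD_OFFSET };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* The weak pattern: the pixel buffer size is computed in 32-bit arithmetic straight
 * from attacker-controlled header fields. width*height*bytes_per_pixel wraps, the
 * decoder allocates a tiny buffer, then writes the whole image into it. */
uint32_t naive_pixel_bytes(int32_t width, int32_t height, uint16_t bpp) {
    return (uint32_t)width * (uint32_t)height * (uint32_t)(bpp / 8);
}

/* Hardened parse: every field is checked against the bytes actually present and
 * the size computation is done in 64-bit arithmetic with an explicit pixel cap. */
int parse_bmp_header(const uint8_t *buf, size_t len, bmp_hdr *out, uint64_t max_pixels) {
    if (len < 54) return BMP_TRUNCATED;                  /* 14-byte file header + 40-byte DIB header */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;
    out->file_size   = rd32(buf + 2);
    out->data_offset = rd32(buf + 10);
    uint32_t dib_size = rd32(buf + 14);
    if (dib_size < 40 || dib_size > len - 14) return BMP_TRUNCATED;
    out->width  = (int32_t)rd32(buf + 18);
    out->height = (int32_t)rd32(buf + 22);
    out->bpp    = rd16(buf + 28);

    if (out->width <= 0 || out->height == 0 || out->height == INT32_MIN) return BMP_BAD_DIMENSIONS;
    if (out->bpp != 8 && out->bpp != 24 && out->bpp != 32) return BMP_BAD_BPP;

    uint64_t w = (uint64_t)out->width;
    uint64_t h = (uint64_t)(out->height < 0 ? -(int64_t)out->height : out->height);
    if (w * h > max_pixels) return BMP_TOO_LARGE;        /* both < 2^31, so the product cannot wrap */
    uint64_t row_bytes   = ((w * out->bpp + 31) / 32) * 4; /* rows are padded to 4 bytes */
    uint64_t pixel_bytes = row_bytes * h;

    if (out->data_offset < 14 + dib_size || out->data_offset > len) return BMP_BAD_OFFSET;
    if (pixel_bytes > len - out->data_offset) return BMP_TRUNCATED; /* header promises more than the file holds */
    return BMP_OK;
}

/* Constructed sample header (not a real vendor logo): writes the 54 header bytes. */
static void write_header(uint8_t *buf, uint32_t file_size, uint32_t data_offset,
                         int32_t width, int32_t height, uint16_t bpp) {
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, file_size);
    wr32(buf + 10, data_offset);
    wr32(buf + 14, 40);                 /* BITMAPINFOHEADER size */
    wr32(buf + 18, (uint32_t)width);
    wr32(buf + 22, (uint32_t)height);
    wr16(buf + 26, 1);                  /* colour planes */
    wr16(buf + 28, bpp);
}

#define MAX_LOGO_PIXELS (4096ULL * 4096ULL)   /* assumed policy cap for a boot logo */

/* A well-formed 2x2 24-bpp image: 54 header bytes + 2 rows of 8 bytes. */
int demo_valid_logo(void) {
    uint8_t file[70]; bmp_hdr h;
    memset(file, 0, sizeof file);
    write_header(file, sizeof file, 54, 2, 2, 24);
    return parse_bmp_header(file, sizeof file, &h, MAX_LOGO_PIXELS);
}

/* A crafted header claiming 65536x65536 at 32 bpp: the naive size wraps to 0,
 * the hardened parser rejects it before any allocation happens. */
int demo_crafted_logo(void) {
    uint8_t file[54]; bmp_hdr h;
    write_header(file, sizeof file, 54, 0x10000, 0x10000, 32);
    return parse_bmp_header(file, sizeof file, &h, MAX_LOGO_PIXELS);
}

int main(void) {
    printf("naive size for 65536x65536x32bpp: %u bytes\n", naive_pixel_bytes(0x10000, 0x10000, 32));
    printf("valid logo -> %d, crafted logo -> %d\n", demo_valid_logo(), demo_crafted_logo());
    return 0;
}
```

The crafted header is the shape a malicious logo written to the ESP, or bundled into a firmware update, would carry: the allocation size is exactly the value the attacker controls, so the check has to run before the allocation, not after. A real logo parser needs the same treatment for compression types, palette sizes and every other image format the firmware accepts.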

2. VU#347067: Multiple BGP implementations are vulnerable to improperly formatted BGP updates

Overview
Multiple BGP implementations have been identified as vulnerable to specially
crafted Path Attributes in a BGP UPDATE. Instead of ignoring the invalid update, they
reset the underlying TCP connection for the BGP session and de-peer the router.

This is undesirable because a session reset impacts not only the routes carried in
the offending BGP UPDATE but also all the other valid routes exchanged over the
session (RFC 7606, Introduction).

Description
The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous
System routing protocol. BGP communication among peer routers is critical to the
stable operation of the Internet. A number of known BGP security issues were
addressed in RFC 7606, "Revised Error Handling for BGP UPDATE Messages", in 2015.

Recent reports indicate that multiple BGP implementations do not properly handle
specially crafted Path Attributes in BGP UPDATE messages. An attacker with a
valid, configured BGP session could inject a specially crafted packet into an
existing BGP session or the underlying TCP session (port 179/tcp). A vulnerable BGP
implementation drops the session when it processes such a crafted UPDATE message,
and a persistent attack could lead to routing instability (route flapping).
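Added example, not the code of any affected implementation or of CERT/CC: a C classifier that walks the Path Attributes of a constructed UPDATE body and returns what the receiver should do with it. The mapping of faults to actions follows my reading of RFC 7606 Section 3 and is a simplification, not a full implementation: a Total Path Attribute Length that overruns the message still resets the session, attribute-level length and flag faults withdraw the routes in that one UPDATE, and unrecognized optional attributes are passed along or ignored. Treating an unknown well-known attribute as treat-as-withdraw is this example's own policy (an assumption), and the sample messages are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the receiver does with an UPDATE, ordered from mildest to most severe. */
enum action { ACT_ACCEPT = 0, ACT_ATTR_DISCARD, ACT_TREAT_AS_WITHDRAW, ACT_SESSION_RESET };

#define FLAG_OPTIONAL   0x80   /* path attribute flag bits, RFC 4271 4.3 */
#define FLAG_TRANSITIVE 0x40
#define FLAG_EXT_LEN    0x10

enum { ATTR_ORIGIN = 1, ATTR_AS_PATH = 2, ATTR_NEXT_HOP = 3, ATTR_MED = 4, ATTR_LOCAL_PREF = 5 };

static size_t rd16(const uint8_t *p) { return (size_t)((p[0] << 8) | p[1]); }

/* Per-attribute checks: flag/type conflicts and wrong fixed lengths are attribute-level
 * faults, so the whole UPDATE is treated as a withdraw of its routes, not a session error. */
static enum action check_attribute(uint8_t flags, uint8_t type, size_t vlen) {
    int optional = flags & FLAG_OPTIONAL, transitive = flags & FLAG_TRANSITIVE;
    switch (type) {
    case ATTR_ORIGIN:     if (optional || !transitive || vlen != 1) return ACT_TREAT_AS_WITHDRAW; break;
    case ATTR_AS_PATH:    if (optional || !transitive)              return ACT_TREAT_AS_WITHDRAW; break;
    case ATTR_NEXT_HOP:   if (optional || !transitive || vlen != 4) return ACT_TREAT_AS_WITHDRAW; break;
    case ATTR_LOCAL_PREF: if (optional || !transitive || vlen != 4) return ACT_TREAT_AS_WITHDRAW; break;
    case ATTR_MED:        if (!optional || transitive || vlen != 4) return ACT_TREAT_AS_WITHDRAW; break;
    default:
        if (!optional) return ACT_TREAT_AS_WITHDRAW;       /* unknown well-known attribute: example policy (assumption) */
        return transitive ? ACT_ACCEPT : ACT_ATTR_DISCARD; /* unknown optional: pass along, or ignore locally */
    }
    return ACT_ACCEPT;
}

/* body/len: the UPDATE message after its 19-byte BGP header. */
enum action classify_update(const uint8_t *body, size_t len) {
    if (len < 4) return ACT_SESSION_RESET;
    size_t withdrawn_len = rd16(body);
    if (2 + withdrawn_len + 2 > len) return ACT_SESSION_RESET;
    size_t attr_len  = rd16(body + 2 + withdrawn_len);
    size_t attrs_off = 4 + withdrawn_len;
    /* RFC 7606 3(a): a Total Path Attribute Length that overruns the message is the one
     * length fault that still justifies a NOTIFICATION and session reset. */
    if (attrs_off + attr_len > len) return ACT_SESSION_RESET;

    const uint8_t *p = body + attrs_off;
    size_t rem = attr_len;
    unsigned seen = 0;
    enum action worst = ACT_ACCEPT;
    while (rem > 0) {
        if (rem < 3) return ACT_TREAT_AS_WITHDRAW;
        uint8_t flags = p[0], type = p[1];
        size_t hdr = (flags & FLAG_EXT_LEN) ? 4 : 3;
        if (rem < hdr) return ACT_TREAT_AS_WITHDRAW;
        size_t vlen = (flags & FLAG_EXT_LEN) ? rd16(p + 2) : p[2];
        /* The crafted case: an attribute whose declared length runs past the end of the
         * attribute list. A vulnerable stack resets the session here; RFC 7606 says withdraw. */
        if (vlen > rem - hdr) return ACT_TREAT_AS_WITHDRAW;
        enum action a = check_attribute(flags, type, vlen);
        if (a > worst) worst = a;
        if (type == ATTR_ORIGIN || type == ATTR_AS_PATH || type == ATTR_NEXT_HOP) seen |= 1u << type;
        p += hdr + vlen; rem -= hdr + vlen;
    }
    /* NLRI present but a well-known mandatory attribute missing: also treat-as-withdraw. */
    int has_nlri = (attrs_off + attr_len) < len;
    if (has_nlri && seen != ((1u << ATTR_ORIGIN) | (1u << ATTR_AS_PATH) | (1u << ATTR_NEXT_HOP)))
        return worst > ACT_TREAT_AS_WITHDRAW ? worst : ACT_TREAT_AS_WITHDRAW;
    return worst;
}

/* Constructed UPDATE bodies (not captured traffic): no withdrawn routes, ORIGIN=IGP,
 * empty AS_PATH, NEXT_HOP 10.0.0.1, NLRI 192.168.1.0/24. */
static const uint8_t good_update[] = {
    0x00,0x00,              /* Withdrawn Routes Length */
    0x00,0x0e,              /* Total Path Attribute Length = 14 */
    0x40,0x01,0x01,0x00,    /* ORIGIN: well-known transitive, len 1, IGP */
    0x40,0x02,0x00,         /* AS_PATH: len 0 */
    0x40,0x03,0x04,0x0a,0x00,0x00,0x01, /* NEXT_HOP: len 4 */
    0x18,0xc0,0xa8,0x01     /* NLRI 192.168.1.0/24 */
};
/* Same message with the NEXT_HOP length byte changed to 0xff. */
static const uint8_t crafted_attr_len[] = {
    0x00,0x00, 0x00,0x0e,
    0x40,0x01,0x01,0x00, 0x40,0x02,0x00,
    0x40,0x03,0xff,0x0a,0x00,0x00,0x01,
    0x18,0xc0,0xa8,0x01
};
/* Total Path Attribute Length claims 255 bytes in a 22-byte body. */
static const uint8_t bad_total_len[] = {
    0x00,0x00, 0x00,0xff,
    0x40,0x01,0x01,0x00, 0x40,0x02,0x00,
    0x40,0x03,0x04,0x0a,0x00,0x00,0x01,
    0x18,0xc0,0xa8,0x01
};

int demo_good(void)      { return classify_update(good_update, sizeof good_update); }
int demo_crafted(void)   { return classify_update(crafted_attr_len, sizeof crafted_attr_len); }
int demo_bad_total(void) { return classify_update(bad_total_len, sizeof bad_total_len); }

int main(void) {
    printf("good=%d crafted_attr_len=%d bad_total_len=%d\n", demo_good(), demo_crafted(), demo_bad_total());
    return 0;
}
```

The crafted_attr_len sample is the shape of update the advisory is about: one attribute whose declared length runs past the end of the list. A pre-7606 implementation answers it with a NOTIFICATION and a TCP reset, taking every route on the session down with it; the classifier above withdraws only the routes in that one message. The check order matters in practice too: validate the outer lengths once, then scan every attribute for syntactic sanity before any attribute value is interpreted.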

This vulnerability was first announced as affecting OpenBSD-based routers. Further
investigation indicates that other vendors are affected by the same or similar
issues. Please see the Systems Affected section of the advisory. These are the CVE
IDs reserved by the reporter for the different vendors that were tested:

CVE-2023-4481 (Juniper)
CVE-2023-38802 (FRR)
CVE-2023-38283 (OpenBGPD)
CVE-2023-40457 (EXOS)

Impact
A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes,
causing vulnerable routers to de-peer from any link over which such an update was
received. Unaffected routers might also pass the crafted update across the
network, potentially leading to the update arriving at an affected router from
multiple sources and causing multiple links to fail. Because unaffected routers
forward the update unchanged, the attacker does not need to be a direct peer of the
affected router.

Solution
The CERT/CC is currently unaware of a practical solution for every vendor, but some
vendors allow you to change how errors in BGP path attributes are handled.
Networks using appliances from Juniper and Nokia can mitigate this behavior by
enabling:

3. VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router

Overview
An authentication bypass vulnerability exists in the N300 Wireless N VDSL2 Modem
Router manufactured by Tenda. This vulnerability allows a remote, unauthenticated
user to access sensitive information.

Description
CVE-2023-4498 is an authentication bypass vulnerability that enables an
unauthenticated attacker who can reach the web console, either locally or
remotely, to access resources that would normally be protected. The attacker can
construct a web request that includes an allow-listed keyword in the path, causing
the URL to be served directly rather than blocked or challenged with an
authentication prompt.
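Added example, not Tenda's firmware code: the keyword-in-path check pattern the advisory describes, next to a version that authorizes the resource a request actually resolves to. The allow-list markers (/static/, .css, .js, .png), the request paths and the function names are hypothetical; the advisory does not publish the real keyword.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list of "static resource" markers (the real keyword is not published). */
static const char *public_markers[] = { "/static/", ".css", ".js", ".png", NULL };

/* The bypass pattern: "is any allow-listed keyword present anywhere in the request?"
 * A protected resource is served without auth as soon as the keyword appears in the
 * query string, or in a path segment that a later ".." cancels out. */
int is_public_vulnerable(const char *url) {
    for (int i = 0; public_markers[i]; i++)
        if (strstr(url, public_markers[i])) return 1;
    return 0;
}

/* Canonicalize the path part of a URL: drop query/fragment, collapse "." and "..",
 * refuse to climb above the root. Returns 0 on success, -1 if unparsable. */
int canonicalize_path(const char *url, char *out, size_t outsz) {
    const char *segs[64]; size_t seglen[64]; int depth = 0;
    size_t n = strcspn(url, "?#");                 /* query and fragment are not part of the resource */
    if (n == 0 || url[0] != '/') return -1;
    const char *s = url + 1, *end = url + n;
    while (s < end) {
        const char *e = memchr(s, '/', (size_t)(end - s));
        if (!e) e = end;
        size_t l = (size_t)(e - s);
        if (l == 0 || (l == 1 && s[0] == '.')) { /* "//" or "/./": no-op */ }
        else if (l == 2 && s[0] == '.' && s[1] == '.') { if (depth == 0) return -1; depth--; }
        else { if (depth == 64) return -1; segs[depth] = s; seglen[depth] = l; depth++; }
        s = e + 1;
    }
    size_t pos = 0;
    for (int i = 0; i < depth; i++) {
        if (pos + 1 + seglen[i] + 1 > outsz) return -1;
        out[pos++] = '/'; memcpy(out + pos, segs[i], seglen[i]); pos += seglen[i];
    }
    if (depth == 0) { if (outsz < 2) return -1; out[pos++] = '/'; }
    out[pos] = '\0';
    return 0;
}

/* Hardened decision: authorize the resource the request resolves to. "Public" means
 * under /static/ AND a static extension on the final segment; everything else needs a session. */
int is_public_hardened(const char *url) {
    char path[512];
    if (canonicalize_path(url, path, sizeof path) != 0) return 0;   /* unparsable: not public */
    if (strncmp(path, "/static/", 8) != 0) return 0;
    const char *dot = strrchr(path, '.');
    if (!dot || strchr(dot, '/')) return 0;                          /* extension must be on the last segment */
    return strcmp(dot, ".css") == 0 || strcmp(dot, ".js") == 0 || strcmp(dot, ".png") == 0;
}

/* Helper for checking: does url canonicalize to expected? */
int canonicalizes_to(const char *url, const char *expected) {
    char path[512];
    return canonicalize_path(url, path, sizeof path) == 0 && strcmp(path, expected) == 0;
}

int main(void) {
    /* Constructed requests: a real static file, a keyword smuggled into the query string,
     * and a traversal that starts under /static/ but resolves to a protected CGI path. */
    const char *reqs[] = { "/static/style.css", "/cgi-bin/config.cgi?x=.css", "/static/../cgi-bin/config.js" };
    for (int i = 0; i < 3; i++)
        printf("%-32s vulnerable=%d hardened=%d\n", reqs[i],
               is_public_vulnerable(reqs[i]), is_public_hardened(reqs[i]));
    return 0;
}
```

Two things make the substring check fail: the match runs over the query string, and it runs before ".." segments are resolved. The hardened version strips the query, canonicalizes the path, and only then applies a prefix-and-extension rule. A real server also has to percent-decode the path before canonicalizing (so that %2e%2e is seen as "..") and must resolve paths exactly the way its file-serving code does; if the two disagree, the gap between them is the next bypass.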

Impact
Successful exploitation of this vulnerability could grant the attacker access to
pages that would otherwise require authentication. An unauthenticated attacker
could thereby obtain sensitive information, such as the administrative password,
which could be used to launch additional attacks.

Solution
There is no known fix for this vulnerability. Always update your router to the
latest available firmware version. Disabling remote (WAN-side) administration and
the WAN-facing web interface on any SoHo router is also recommended.

SANS/FBI Top 20 Vulnerabilities (this ordering matches the first 20 entries of the 2019 CWE Top 25 Most Dangerous Software Errors)

CWE-119: Memory Buffer Error
CWE-79: Cross-site Scripting
CWE-20: Improper Input Validation
CWE-200: Sensitive Information Exposure
CWE-125: Out-of-bounds Read
CWE-89: SQL Injection
CWE-416: Use After Free
CWE-190: Integer Overflow or Wraparound
CWE-352: Cross-Site Request Forgery
CWE-22: Path Traversal
CWE-78: OS Command Injection
CWE-787: Out-of-bounds Write
CWE-287: Improper Authentication
CWE-476: NULL Pointer Dereference
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-611: XML External Entity (XXE) Reference
CWE-94: Code Injection
CWE-798: Use of Hard-coded Credentials
CWE-400: Uncontrolled Resource Consumption

CWE-119: Memory Buffer Error

Buffer errors are common in software that performs operations on a memory
buffer. Due to absent or improper validation of input data, an attacker might be
able to read or write data outside the intended buffer. This weakness is often
referred to as memory corruption. Certain languages allow direct memory addressing
and do not automatically ensure that the addressed locations are valid for the
buffer being referenced. As a result, read and write operations might be performed
on memory locations associated with another buffer, variable, data structure,
etc.
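Added example (not from the CWE entry): the common shape of a CWE-119 bug, a length field taken from the input and used without validation to copy into a fixed-size buffer, beside the checked form. The length-prefixed "name" field, the buffer size and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX_LEN 32

/* Vulnerable: the length byte comes from the wire and is used both to read from the
 * packet and to write into a fixed-size buffer. A length of 200 writes 168 bytes past
 * 'name' (CWE-787) and, on a short packet, reads past the end of 'pkt' (CWE-125). */
void copy_name_unchecked(const uint8_t *pkt, char name[NAME_MAX_LEN]) {
    uint8_t n = pkt[0];
    memcpy(name, pkt + 1, n);
    name[n] = '\0';
}

/* Hardened: the declared length is checked against both the destination capacity
 * (leaving room for the terminator) and the number of bytes actually received. */
int copy_name_checked(const uint8_t *pkt, size_t pkt_len, char name[NAME_MAX_LEN]) {
    if (pkt_len < 1) return -1;
    uint8_t n = pkt[0];
    if (n >= NAME_MAX_LEN) return -1;          /* would not fit together with the NUL */
    if ((size_t)n > pkt_len - 1) return -1;    /* field claims more bytes than arrived */
    memcpy(name, pkt + 1, n);
    name[n] = '\0';
    return 0;
}

/* Returns 1 when the checked copy accepts the packet and yields the expected name. */
static int checked_yields(const uint8_t *pkt, size_t pkt_len, const char *expected) {
    char name[NAME_MAX_LEN];
    return copy_name_checked(pkt, pkt_len, name) == 0 && strcmp(name, expected) == 0;
}

/* Constructed packets: one well-formed, one with an oversized length field,
 * one whose length field promises more payload than the packet carries. */
int demo_well_formed(void) {
    static const uint8_t pkt[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    return checked_yields(pkt, sizeof pkt, "alice");
}
int demo_oversized_length(void) {              /* length 200 in a 6-byte packet */
    static const uint8_t pkt[] = { 200, 'a', 'l', 'i', 'c', 'e' };
    char name[NAME_MAX_LEN];
    return copy_name_checked(pkt, sizeof pkt, name);   /* rejected before any copy */
}
int demo_truncated_packet(void) {              /* length 5 but only 2 payload bytes */
    static const uint8_t pkt[] = { 5, 'a', 'l' };
    char name[NAME_MAX_LEN];
    return copy_name_checked(pkt, sizeof pkt, name);
}

int main(void) {
    printf("well-formed=%d oversized=%d truncated=%d\n",
           demo_well_formed(), demo_oversized_length(), demo_truncated_packet());
    return 0;
}
```

The two checks in copy_name_checked correspond to the two directions of the weakness: the first bounds the write (the destination), the second bounds the read (the source). Dropping either one leaves a CWE-119 bug, and the vulnerable version is deliberately never called here because running it is undefined behaviour.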
