Security vulnerability in the Fortinet FortiExtender Application
The security researcher Thomas Bicking, from TÜV Rheinland i-sec GmbH has discovered a security vulnerability in the Fortinet FortiExtender Application. The Versions affect by this vulnerability are: FortiExtender version 7.0.0 through 7.0.3, FortiExtender version 4.2.0 through 4.2.4, FortiExtender version 4.1.1 through 4.1.8, FortiExtender version 4.0.0 through 4.0.2, FortiExtender version 3.3.0 through 3.3.2, FortiExtender version 3.2.1 through 3.2.3, FortiExtender 5.3 all versions.
Fortinet was informed about the vulnerability on 02/22/2022. A security update and advisory were provided on 07/07/2023 which fixes this vulnerability.
The vulnerability has been assigned the identifier CVE-2022-23447 and has high CVSS severity score of 7.3 out of 10.
The vulnerability is found in an improper limitation of a pathname to a restricted directory ('Path Traversal'). The vulnerability [CWE-22] in the FortiExtender management interface may allow an unauthenticated remote attacker to retrieve arbitrary files from the underlying filesystem by sending specially crafted web requests.
The researchers at TÜV Rheinland i-sec GmbH would like to thank Fortinet for their professional cooperation and their commitment to providing the security update in a timely manner.
Security vulnerability in the applicant portal "Datev Personal-Managementsystem comfort/comfort plus" of the company DATEV eG
The security researcher Max Bäumler, from TÜV Rheinland i-sec GmbH has discovered a security vulnerability in the applicant portal "Datev Personal-Managementsystem comfort/comfort plus" of the company DATEV eG. The versions affected are 15.1.0 P6 (presumably from 15.1.0) - 16.1.1 P1 (presumably up to 16.1.1 P3).
DATEV eG was informed about the vulnerability on 04/25/2023. A security update with the version number 16.1.1 P4 was provided on 04/28/2023 which fixes this vulnerability. This patch is available for download at the following URL: https://support.veda.net/datev.php It is recommended that affected users apply this patch as soon as possible.
The vulnerability has been assigned the identifier CVE-2023-33387 and has medium CVSS severity score of 6.1 out of 10.
It is possible for a potential attacker, if a user clicks on a link manipulated by the attacker, to access the user's credentials when the user logs in. This could give him access to the user's personal data, such as application documents.
The researchers at TÜV Rheinland i-sec GmbH would like to thank DATEV eG for their professional cooperation and their commitment to providing the security update in a timely manner.
ENOVIA V6 - Multiple Vulnerabilities Allow Remote Code Execution
Security researcher, Shadi Habbal of TÜV Rheinland i-sec GmbH, has discovered two vulnerabilities in “ENOVIA V6”, a product of Dassault Systèmes. The discovered vulnerabilities are XSLT and XXE injections, which can be chained to obtain remote code execution on affected systems. The vulnerabilities were discovered during a red team engagement.
Affected version of ENOVIA is V6R2013xE.
Dassault Systèmes was notified of this vulnerability on August 10, 2022, and a fix was released on November 28, 2022. The patch addresses the vulnerabilities in the supported version. It is important for users of affected versions of ENOVIA to install the patch as soon as possible.
TÜV Rheinland i-sec GmbH would like to thank Dassault Systèmes for their commitment to addressing these vulnerabilities.
baramundi Management Agent - From Buffer Overflow to Remote Code Execution
Security researcher, Shadi Habbal, of TÜV Rheinland i-sec GmbH has discovered a buffer overflow vulnerability in “baramundi Management Agent” (bMA), a module of “baramundi Management Suite” (bMS). An attacker could potentially exploit the vulnerability to crash the affected module, or achieve remote code execution when a certain condition, e.g. CVE-2022-44654, is met. In both scenarios, the attacker must be able to trick the user into visiting a prepared web page that is hosted on the Internet/Intranet.
Affected products are all versions of baramundi, including bMS 2022 R1, bMS 2021 R2, bMS 2021 R1, and earlier.
baramundi AG was notified of this vulnerability on August 04, 2022, and security update "S-2022-01" was released on September 27, 2022. The security update addresses the vulnerability in all supported versions. It is important for users of affected versions of baramundi to install the patch as soon as possible.
The vulnerability has been assigned the identifier CVE-2022-43747 and has a high severity.
The researcher and TÜV Rheinland i-sec GmbH would like to thank baramundi’s Product Security Incident Response Team for their professional communication and for baramundi’s commitment to addressing this vulnerability.
Trend Micro Apex One - A Security Flaw in UMH Monitoring Engine Module
Security researcher, Shadi Habbal, of TÜV Rheinland i-sec GmbH has discovered a weakness in the User-Mode Hooking (UMH) Monitoring Engine module of Trend Micro Apex One and Apex One as a Service. This module, which helps to monitor for malicious payloads on Windows by injecting itself into each user-mode process and hooking certain Windows APIs, is missing an important security feature called "SafeSEH".
The lack of "SafeSEH" protection leaves the module open to attack. An attacker could potentially abuse this weakness while exploiting a SEH-based buffer overflow to bypass security measures and cause harm to the affected software or the device running it. This weakness affects Apex One 2019 (on-premises) and Apex One as a Service.
Trend Micro was notified of this weakness on August 8, 2022 and a fix was released on October 25, 2022. It is important for users of affected versions of Apex One to install this patch or the latest available cumulative one as soon as possible. The vulnerability has been assigned the identifier CVE-2022-44654 and has a severity of 7.5 out of 10.
TÜV Rheinland i-sec GmbH would like to thank Trend Micro’s Product Security Incident Response Team for their professional communication and for Trend Micro’s commitment to addressing this weakness.
Local Privilege Escalation Vulnerability in otris "Update Manager"
“Update Manager” v188.8.131.52 (and possibly earlier), a software component from otris software AG used by multiple otris applications, e.g. otris Privacy, to facilitate updating otris products; allows attackers, to escalate their privileges on Windows systems to SYSTEM (highest permissions on Windows), by exploiting a vulnerability in the aforementioned software.
Known affected otris products include otris Privacy < v7.0.7. Other otris products that use the affected software could also be affected.
Companies are advised to check if the aforementioned software is in use on their systems and reach out to otris software AG for latest versions.
Security researcher, Shadi Habbal, of TÜV Rheinland i-sec GmbH discovered the vulnerability during an active penetration test and successfully exploited the vulnerability as a proof-of-concept.
The vulnerability was reported responsibly to otris software AG on 01.09.2021. otris software AG were given 90 days to release a fix. An additional 60 days were given to help companies updating their systems.
According to otris, the vulnerability was fixed and the product was subsequently subjected to a penetration test.
The vulnerability was assigned CVE-2021-40376. Further technical details are provided in the accompanying PDF document.