Todas as vulnerabilidades
- Megvii Koala 2.9.1-c3s architectural vulnerability on network relays
Schweregrad: :
Data de publicação: 19 agosto 2020Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3sallows attackers to grant physical access to anyone by sending packet data to UDP port 5000 of any network relays connected to doors.
The vulnerability has been submitted to ZDI on March 20, 2020 as ZDI-CAN-10793.
The vendor has acknowledged and confirmed the vulnerability and said the production has reached end-of-line while a patch is available in newer products. We are not able to confirm the vendor's statement.The vendor has published a public advisory and asks the customers to upgrade the software when it is available. Product lines impacted by similar vulnerability will have patches in August 2020.Details
Megvii Koala is a facial recognition system sold by Megvii. It is marketed towards factory, company concierge, apartment complex, etc. There are several hardware configurations, depending on the system integrator.
The weakness is in the architecture of the Megvii Koala system. The weakest link is the network relay, which has to be either HHT-NET2D or TCP-KP-I404. When an adversary has access to the internal network, one has only to send the string "on1" to UDP port 5000 of all the devices in the network to open all the doors.
The architecture, according to the instruction manual provided by the vendor, is like,
---------------------------- UDP 5000 COM/ON/OFF | --------- ------ | --------------> HHT-NET2D ------------> Door | | Backend | <---> | Edge | | | --------- ------ | <--- HTTP ----> Samsung Tablet ---------------------------- USB-C CableTo our best knowledge, no firewall is recommended in user instruction manuals.
Vulnerability Type
CWE-862: Missing AuthorizationAttack Type: Remote
Attack Vectors
To exploit vulnerability, attackers have to have access to LAN of the facial recognition access controller.Mitigation
Deploy a firewall in front of network relays and allow UDP 5000 from Megvii edge server only.
Deny all other connections.Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer
Reference
Public advisory from the vendor: http://techsupport.megvii.com/hc/kb/article/1401343/ - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
ActiveMQ OpenWire
1010428* - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)
DNS Client
1010352* - Data Exfiltration Over DNS (Response) Protocol (T1048)
Plex Media Server
1010434 - Plex Media Server Remote Code Execution Vulnerability (CVE-2020-5741)
SSL Client
1010437 - Python SSL 'DistributionPoint Extension' NULL Pointer Dereference Vulnerability (CVE-2019-5010)
Suspicious Server Application Activity
1003593* - Detected SSH Server Traffic (ATT&CK T1021)
1010462 - Malware Drovorub
Web Application Common
1010368 - Dolibarr ERP And CRM Cross Site Scripting Vulnerability (CVE-2020-13094)
1010391* - Expat XML Parsing Buffer Overflow Vulnerability (CVE-2016-0718) - Server
Web Application Tomcat
1010457 - Apache Tomcat WebSocket Infinite Loop Denial Of Service Vulnerability (CVE-2020-13935)
1010444 - Identified Too Many Incoming HTTP/2 Requests
Web Client Common
1010456 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 1
1010452 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 2
1010451 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 3
1010460 - Google Chrome 'BlobRegistryImpl' Use-After-Free Vulnerability (CVE-2020-6461)
1010453 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1574)
1010454 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1585)
1010455 - Microsoft Windows DirectWrite Information Disclosure Vulnerability (CVE-2020-1577)
Web Server Apache
1010461 - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
Web Server Common
1006540* - Enable X-Forwarded-For HTTP Header Logging
1010418* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1147)
1010416 - Pandora FMS Events Remote Command Execution Vulnerability (CVE-2020-13851)
1010443* - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)
1010459 - vBulletin 'subwidgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2020-17496)
Web Server Miscellaneous
1010346* - Identified HTTP Request With HTTP/0.9 In Request Line
Web Server Oracle
1010447 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14645)
ZohoCorp ManageEngine Desktop Central
1010407* - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1008852* - Auditd - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
ActiveMQ OpenWire
1010428 - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)
DCERPC Services
1010426 - Identified Domain-Level Account Discovery Over SMB (ATT&CK T1087)
1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069)
1010430 - Identified Remote System Discovery Over SMB (ATT&CK T1018)
Directory Server LDAP
1010433 - Identified Remote System Discovery Over LDAP (ATT&CK T1018)
1010350* - VMware vCenter Server Access Control Bypass Vulnerability (CVE-2020-3952)
HP Intelligent Management Center (IMC)
1010425* - Apache OFBiz Cross-Site Scripting Vulnerability (CVE-2020-1943)
1009947* - HPE Intelligent Management Center Various Expression Language Injection Vulnerabilities
Port Mapper Windows
1001033* - Windows Port Mapper Decoder
Suspicious Server Ransomware Activity
1010438 - Ransomware Foxware
Unix SSH
1005748* - Multiple SSH Connections Detected (ATT&CK T1498.001, T1110)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1005402* - Identified Suspicious User Agent In HTTP Request
1010199* - Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability (CVE-2020-0618)
1010423* - Primetek Primefaces Remote Code Execution Vulnerability (CVE-2017-1000486)
Web Client Common
1010435 - FFmpeg Heap-based Buffer Overflow Vulnerability (CVE-2020-12284)
1004715* - HTTP Web Client Decoding
1010436 - LibTIFF LZWDecode Null Pointer Dereference Vulnerability (CVE-2018-18661)
1010446 - Microsoft Windows 'hevcdecoder_store' HEIC File Parsing Out-Of-Bounds Read Vulnerability (ZDI-20-906)
Web Client Internet Explorer/Edge
1010442 - Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2020-1567)
1010441 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
1010439 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)
Web Server Common
1010178* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15981)
1010443 - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)
Windows Services RPC Server DCERPC
1010431 - Identified Remote System Discovery Over LSARPC (ATT&CK T1018)
ZohoCorp ManageEngine Desktop Central
1010407 - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)
1010197* - Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability (CVE-2020-10189)
Integrity Monitoring Rules:
1003019* - Trend Micro Deep Security Agent / Relay
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1008852* - Auditd
1002815* - Authentication Module - Unix Pluggable Authentication Module - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services - Client
1010394* - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-1421)
DNS Client
1010406* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) - Client
DNS Server
1010293* - ISC BIND TSIG Denial-of-Service Vulnerability (CVE-2020-8617)
1010401* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) - Server
Directory Server LDAP
1010321* - OpenLDAP slapd Nested Filter Stack Overflow Vulnerability (CVE-2020-12243)
MQTT Server
1010357* - Eclipse Mosquitto Improper Authentication Vulnerability (CVE-2017-7650)
Oracle E-Business Suite Web Interface
1010360* - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367* - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383* - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)
SAP NetWeaver Java Application Server
1010409* - Identified SAP NetWeaver AS JAVA Authentication Attempt
1010417 - SAP NetWeaver AS JAVA Authentication Bypass Vulnerability (CVE-2020-6287)
1010413* - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)
SSL Client
1010410 - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)
Web Application Common
1010377* - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010345 - Kentico CMS Staging SyncServer Unserialize Remote Command Execution Vulnerability (CVE-2019-10068)
1010372* - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354* - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010423 - Primetek Primefaces Remote Code Execution Vulnerability (CVE-2017-1000486)
1010252* - Sonatype Nexus Repository Manager Stored Cross-Site Scripting Vulnerability (CVE-2020-10203)
Web Application PHP Based
1010359* - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341* - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)
Web Application Ruby Based
1010384* - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)
Web Client Common
1010261* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-24) - 1
1010420 - Microsoft .NET And Visual Studio Remote Code Execution Vulnerability (CVE-2020-1147)
1010424 - Microsoft Windows LNK Remote Code Execution Vulnerability Over HTTP (CVE-2020-1421)
1010395* - Microsoft Windows LNK Remote Code Execution Vulnerability Over WebDAV (CVE-2020-1421)
1010414 - Oracle Java Runtime Environment HTML Rendering Out-Of-Bounds Write Vulnerability (CVE-2020-14664)
1010419 - Oracle Java SE Ligature Substitution Glyph Storage Out Of Bounds Memory Access (CVE-2015-0469)
Web Server Common
1010374* - Cayin CMS NTP Server Remote Code Execution Vulnerability (CVE-2020-7357)
1010175* - Cross-Site Scripting (XSS) Decoder
1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010418 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1147)
1010376* - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010362* - VMware Cloud Director Code Injection Vulnerability (CVE-2020-3956)
1010342* - Zoho ManageEngine OpManager Cachestart Directory Traversal Vulnerability (CVE-2020-13818)
1010387* - rConfig Network Device Configuration Tool SQL Injection Vulnerability (CVE-2020-10547)
1010386* - rConfig Network Device Configuration Tool SQL Injection Vulnerability (CVE-2020-10549)
1010378* - rConfig SQL Injection Vulnerability (CVE-2020-10546)
1010366* - vBulletin 'widgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2019-16759)
Web Server Oracle
1010415 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)
Web Server SharePoint
1010398* - Microsoft SharePoint Scorecards Remote Code Execution Vulnerability (CVE-2020-1439)
Integrity Monitoring Rules:
1003020* - Trend Micro Deep Security Manager
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1073)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1010352 - Data Exfiltration Over DNS (Response) Protocol (ATT&CK T1048)
LDAP Client
1009112 - PHP LDAP 'ldap_get_dn' Denial Of Service Vulnerability (CVE-2018-10548)
SAP NetWeaver Java Application Server
1010409 - Identified SAP NetWeaver AS JAVA Authentication Attempt
1010413 - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)
Web Application Common
1010344 - ThinkPHP Remote Code Exection Vulnerability (CVE-2019-9082)
Web Application PHP Based
1010375 - WordPress 10Web Photo Gallery Plugin SQL Injection Vulnerability
Web Application Ruby Based
1010411 - Ruby On Rails Remote Code Execution Vulnerability (CVE-2020-8163)
Web Server Apache
1010400 - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
Web Server Common
1006540* - Enable X-Forwarded-For HTTP Header Logging
1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1000473* - Parameter Name Length Restriction
Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1028)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1028)
ZeroMQ Message Transport Protocol (ZMTP)
1010265* - SaltStack Salt Authorization Weakness Vulnerability (CVE-2020-11651)
Integrity Monitoring Rules:
1008271* - Application - Docker
Log Inspection Rules:
1008852* - Auditd
1010390 - Microsoft Windows User Logon Events - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services - Client
1010394 - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-1421)
DNS Client
1010406 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) - Client
DNS Server
1010293* - ISC BIND TSIG Denial-of-Service Vulnerability (CVE-2020-8617)
1010401 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) - Server
Directory Server LDAP
1010350 - VMware vCenter Server Access Control Bypass Vulnerability (CVE-2020-3952)
Remote Desktop Protocol Client
1010402 - Microsoft Windows Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-1374)
Web Application Common
1010391 - Expat XML Parsing Buffer Overflow Vulnerability (CVE-2016-0718) - Server
Web Client Common
1010392 - Expat XML Parsing Buffer Overflow Vulnerability (CVE-2016-0718) - Client
1010403 - Microsoft Windows Font Parsing Remote Code Execution Vulnerability (CVE-2020-1355)
1010397 - Microsoft Windows JET Database Engine Remote Code Execution Vulnerability (CVE-2020-1400)
1010395 - Microsoft Windows LNK Remote Code Execution Vulnerability Over WebDAV (CVE-2020-1421)
1010404 - Microsoft Windows PFB Font File Out-Of-Bounds Write Privilege Escalation Vulnerability (CVE-2020-1436)
Web Client Internet Explorer/Edge
1010393 - Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2020-1403)
Web Server Apache
1009963* - Apache httpd 'mod_remoteip' Buffer Overflow Vulnerability (CVE-2019-10097)
Web Server Common
1010374 - Cayin CMS NTP Server Remote Code Execution Vulnerability (CVE-2020-7357)
1010405 - JAWS Remote Code Execution Vulnerability
1010044* - PHP Unauthenticated Remote Code Execution Vulnerability (CVE-2019-11043)
1010342 - Zoho ManageEngine OpManager Cachestart Directory Traversal Vulnerability (CVE-2020-13818)
1010387 - rConfig Network Device Configuration Tool SQL Injection Vulnerability (CVE-2020-10547)
1010386 - rConfig Network Device Configuration Tool SQL Injection Vulnerability (CVE-2020-10549)
1010378 - rConfig SQL Injection Vulnerability (CVE-2020-10546)
Web Server SharePoint
1010398 - Microsoft SharePoint Scorecards Remote Code Execution Vulnerability (CVE-2020-1439)
1010399 - Microsoft SharePoint Scorecards Remote Code Execution Vulnerability (CVE-2020-1439) - 1
Integrity Monitoring Rules:
1010389* - Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)
Log Inspection Rules:
1003631 - DNS Server - Microsoft Windows - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
There are no new or updated Deep Packet Inspection Rules in this Security Update.
Integrity Monitoring Rules:
1002779* - Microsoft Windows - System File Modified
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Directory Server LDAP
1008555 - Microsoft Windows Active Directory Denial Of Service Vulnerability (CVE-2008-1445)
Elasticsearch Java API Protocol
1008685 - Elastic Elasticsearch ThrowableObjectInputStream Insecure Deserialization (CVE-2015-5377)
HP Intelligent Management Center (IMC)
1008969 - HPE Intelligent Management Center Multiple Expression Language Injection Vulnerability
Trend Micro Control Manager
1008721 - Trend Micro Control Manager cmdHandlerStatusMonitor SQL Injection Vulnerability (CVE-2017-11385)
Web Application Common
1009041 - ImageMagick 'ReadDCMImage' Denial Of Service Vulnerability (CVE-2018-6405) - 1
1009038 - ImageMagick 'ReadMATImage' Denial Of Service Vulnerability (CVE-2017-13658) - 1
1008974 - ImageMagick 'ReadMATImage' Denial Of Service Vulnerability (CVE-2017-18029) - 1
1008990 - ImageMagick 'ReadMATImage' Information Disclosure Vulnerability (CVE-2017-13143) - 1
1008992 - ImageMagick 'ReadOneJNGImage' Denial Of Service Vulnerability (CVE-2017-11750) - 1
1008996 - ImageMagick 'ReadPSDImage' Denial Of Service Vulnerability (CVE-2017-13061) - 1
1008994 - ImageMagick ReadOnePNGImage Memory Leak Vulnerability (CVE-2017-13141) - 1
1008980 - ImageMagick Use-After-Free Vulnerability (CVE-2017-17499) - 1
Web Client Common
1009097* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB18-09) - 7
1008987 - ImageMagick 'ReadDCMImage' Denial Of Service Vulnerability (CVE-2018-6405)
1008988 - ImageMagick 'ReadMATImage' Denial Of Service Vulnerability (CVE-2017-13658)
1008973 - ImageMagick 'ReadMATImage' Denial Of Service Vulnerability (CVE-2017-18029)
1008989 - ImageMagick 'ReadMATImage' Information Disclosure Vulnerability (CVE-2017-13143)
1008991 - ImageMagick 'ReadOneJNGImage' Denial Of Service Vulnerability (CVE-2017-11750)
1008995 - ImageMagick 'ReadPSDImage' Denial Of Service Vulnerability (CVE-2017-13061)
1008993 - ImageMagick ReadOnePNGImage Memory Leak Vulnerability (CVE-2017-13141)
1008979 - ImageMagick Use-After-Free Vulnerability (CVE-2017-17499)
1009029 - PHP 'http_fopen_wrapper' Stack Buffer Overflow Vulnerability (CVE-2018-7584)
1008828* - Speculative Execution Information Disclosure Vulnerabilities (Spectre)
Web Proxy Squid
1008101* - Squid HTTP Proxy ESI Response Processing Denial Of Service Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.