David Wells

**Name of the Vulnerable Software and Affected Versions** ManageEngine AssetExplorer (affected versions not specified) **Description** The issue is related to the Asset Explorer agent not validating HTTPS certificates, allowing an attacker on the network to send a NEWSCAN request to a listening agent and receive the agent's HTTP request verifying its authtoken. In the AEAgent.cpp file, the agent is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using the `vswprintf` function and written to a buffer that is only 0x2000 bytes big. If the POST payload is larger, a heap overflow will occur. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Manage Engine Asset Explorer Agent version 1.0.34 **Description** The issue is related to a memory leak in the Manage Engine Asset Explorer Agent. The agent listens on port 9000 for incoming commands over HTTPS from the Manage Engine Server, but it does not verify HTTPS certificates, allowing any user on the network to send commands. Although these commands may not be executed due to authtoken validation, the agent will still reach out to the Manage Engine server for an HTTP request. During this process, the program allocates memory using `malloc` but never frees it, causing a memory leak. Additionally, the instruction sent to the agent is converted to a unicode string but is never freed. This allows a remote attacker to exploit a Denial of Service scenario by repeatedly sending commands to the agent, eventually crashing it due to an out-of-memory condition. **Recommendations** For Manage Engine Asset Explorer Agent version 1.0.34, consider disabling the agent's ability to listen on port 9000 until a patch is available. As a temporary workaround, restrict access to the agent to minimize the risk of exploitation. Avoid sending repetitive commands to the agent to prevent the out-of-memory condition. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Manage Engine Asset Explorer Agent version 1.0.34 **Description** The issue is related to the Manage Engine Asset Explorer Agent not validating HTTPS certificates, allowing an attacker on the network to send a NEWSCAN request to a listening agent and receive the agent's HTTP request verifying its authtoken. This can lead to an Integer Overflow, which can be turned into a Heap Overflow, allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving a POST response from the Manage Engine server, and the agent calls `HttpQueryInfoW` to get the `Content-Length` size from the incoming POST request. If an attacker specifies a `Content-Length` size of 1073741823 or larger, this integer arithmetic will wrap the value back around to a smaller integer, then calls `calloc` with this size to allocate memory. The following API `InternetReadFile` will copy the POST data into this buffer, which will be too small for the contents, and cause a heap overflow. **Recommendations** As a temporary workaround, consider disabling the `HttpQueryInfoW` function until a patch is available. Restrict access to the `httphandler.cpp` module to minimize the risk of exploitation. Avoid using the `Content-Length` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sysinternals PsExec (affected versions not specified) Description: The issue is related to errors in privilege management in the PsExec utility for remote command execution. Exploitation of this issue may allow an attacker to elevate their privileges. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Grandstream GWN7000 firmware version 1.0.9.4 and below **Description** The issue allows authenticated remote users to modify the system's crontab via an undocumented API, enabling the execution of arbitrary OS commands on the router. **Recommendations** For Grandstream GWN7000 firmware version 1.0.9.4 and below, update to a version above 1.0.9.4 to resolve the issue. As a temporary workaround, consider restricting access to the undocumented API until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MX Player Android App versions prior to v1.24.5 **Description** The issue allows an attacker to exploit a directory traversal vulnerability when the user is using the MX Transfer feature in "Receive" mode. This can be achieved by sending a MessageType of "FILE LIST" with a `name` field containing directory traversal characters (../), resulting in files being saved outside of the intended "/sdcard/MXshare" directory. In some cases, an attacker can achieve remote code execution by writing ".odex" and ".vdex" files in the "oat" directory of the MX Player application. **Recommendations** For MX Player Android App versions prior to v1.24.5, update to version v1.24.5 or later to resolve the issue. As a temporary workaround, consider disabling the MX Transfer feature in "Receive" mode until a patch is available. Restrict access to the MX Transfer session to minimize the risk of exploitation. Avoid using the `name` field in the FILE LIST MessageType until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Signal Private Messenger Android versions 4.59.0 and up Signal Private Messenger iOS versions 3.8.1.5 and up **Description** The issue allows a remote non-contact to ring a victim's Signal phone and disclose the currently used DNS server due to ICE Candidate handling before the call is answered or declined. This occurs because of improper handling of ICE candidates, which can lead to information disclosure about the victim's network setup. **Recommendations** For Signal Private Messenger Android versions 4.59.0 and up, consider disabling call functionality until a patch is available. For Signal Private Messenger iOS versions 3.8.1.5 and up, restrict access to call features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Comodo Antivirus versions up to 12.0.0.6810 **Description** The issue arises from the handling of Comodo's Antivirus database by Cavwp.exe, which loads the Comodo antivirus definition database into unsecured global section objects. This allows a local low-privileged process to directly modify the data and change virus signatures, resulting in an Arbitrary File Write issue. **Recommendations** For Comodo Antivirus versions up to 12.0.0.6810, consider restricting access to the Cavwp.exe process until a patch is available, or apply configuration changes that secure the handling of the antivirus definition database. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comodo Antivirus versions 12.0.0.6810 and below **Description** The issue affects the CmdAgent.exe component through an unprotected section object, allowing a low-privileged process to modify the object data and cause the application to crash. This can be achieved by accessing the `<GUID> CisSharedMemBuff` section object exposed by CmdAgent, which contains a SharedMemoryDictionary object. **Recommendations** For Comodo Antivirus versions 12.0.0.6810 and below, consider restricting access to the SharedMemoryDictionary object within the `<GUID> CisSharedMemBuff` section to prevent low-privileged processes from modifying its data. As a temporary workaround, limiting interactions with the CmdAgent.exe component may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comodo Antivirus versions up to 12.0.0.6810 **Description** The issue is a local Denial of Service that affects CmdVirth.exe via its LPC port "cmdvrtLPCServerPort". A low-privileged local process can connect to this port and send an LPC DATAGRAM, triggering an Access Violation due to hardcoded NULLs used for the `Source` parameter in a `memcpy` operation. This results in CmdVirth.exe and its child svchost.exe instances terminating. **Recommendations** For Comodo Antivirus versions up to 12.0.0.6810, as a temporary workaround, consider restricting access to the "cmdvrtLPCServerPort" LPC port to minimize the risk of exploitation.