Matthias Deeg

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper user input validation, allowing the upload of dangerous files, such as PHP code, to the system. The upload functionality for backup files permits an authenticated user to upload arbitrary files if the filename contains a .cbkf string. Uploaded files are stored in the "/srv/www/backups" directory and can be accessed via the URL https://<HOST>/backup/upload <FILENAME>. Low-privileged authenticated users can also exploit this file upload functionality due to broken access control. **Recommendations** For version 5.2401, consider disabling the file upload functionality for backup files until a patch is available. Restrict access to the "/srv/www/backups" directory to minimize the risk of exploitation. Avoid using filenames with the .cbkf string in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper user input validation, making it possible to download arbitrary files from the system via a path traversal attack. Different functionalities are vulnerable to path traversal attacks, including the download functionality for backups provided by the script `download-bkf.pml` via the parameter `bkf`, and the script `show-movies.pml` via the parameter `cam`. This enables an authenticated user to download arbitrary files as Linux user `www-data` from the system. **Recommendations** For version 5.2401, consider disabling the `download-bkf.pml` and `show-movies.pml` scripts until a patch is available to prevent path traversal attacks. Restrict access to the `bkf` and `cam` parameters in the affected scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper input validation, making the C-MOR web interface vulnerable to reflected cross-site scripting (XSS) attacks. Different functions are prone to reflected cross-site scripting attacks due to insufficient user input validation. **Recommendations** For version 5.2401, consider disabling the web interface temporarily until a patch is available to prevent exploitation of the reflected cross-site scripting vulnerability. Restrict access to the C-MOR web interface to minimize the risk of exploitation. Avoid using the web interface for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered where sensitive information, such as login credentials of cameras, is stored in cleartext. This allows an attacker with filesystem access, potentially gained through exploiting a path traversal attack, to access the login data of all configured cameras or the configured FTP server. **Recommendations** For za-internet C-MOR Video Surveillance version 5.2401, consider restricting filesystem access to minimize the risk of exploitation. As a temporary workaround, restrict access to sensitive information storage until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper privilege management concerning sudo privileges, making C-MOR vulnerable to a privilege escalation attack. The Linux user www-data running the C-MOR web interface can execute some OS commands as root via Sudo without having to enter the root password. These commands include `cp`, `chown`, and `chmod`, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user www-data to root privileges. **Recommendations** For version 5.2401, consider restricting the sudo privileges of the www-data user to prevent the execution of sensitive commands like `cp`, `chown`, and `chmod` until a patch is available. As a temporary workaround, consider disabling the sudo access for the www-data user to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper or missing access control, allowing low privileged users to use administrative functions of the C-MOR web interface. Although different functions are only available to administrative users through the web application user interface, access to those functions is not checked on the server side. This allows low privileged users to send corresponding HTTP requests to the web server and use administrative functionality, such as downloading backup files or changing configuration settings. **Recommendations** For version 5.2401, consider restricting access to administrative functions until a proper fix is applied, by implementing server-side checks to ensure that only authorized users can access these features. As a temporary workaround, restrict low-privileged users from sending HTTP requests to the web server that could exploit this issue.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** An issue was discovered in the C-MOR web interface, which is vulnerable to cross-site request forgery (CSRF) attacks due to missing protection mechanisms. The C-MOR web interface offers no protection against CSRF attacks. **Recommendations** For versions 5.2401 through 6.00PL01, consider disabling access to the C-MOR web interface until a patch is available to prevent potential CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** An issue was discovered due to improper validation of user-supplied data, making different functionalities of the C-MOR web interface vulnerable to SQL injection attacks. This allows an authenticated user to execute arbitrary SQL commands in the context of the corresponding MySQL database. **Recommendations** For versions 5.2401 through 6.00PL01, as a temporary workaround, consider restricting access to the C-MOR web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** The issue is related to improper input validation in the C-MOR web interface, making it vulnerable to persistent cross-site scripting (XSS) attacks. This allows an attacker to inject malicious scripts remotely. The camera configuration is specifically vulnerable due to insufficient user input validation. **Recommendations** For versions 5.2401 and 6.00PL01, update the system with a patch as soon as possible and validate input/output to mitigate the risk. As a temporary workaround, consider restricting access to the C-MOR web interface until a patch is available.

Name of the Vulnerable Software and Affected Versions: CA Client Automation (ITCM) (affected versions not specified) Description: The issue is related to insecure privilege management in the CA Client Automation software, which allows non-admin or non-root users to encrypt strings using the CAF CLI and SD ACMD CLI. This could enable a non-admin user to access critical encryption keys, potentially leading to the exploitation of stored credentials. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Recommendations: As a temporary workaround, consider disabling the `caf encrypt` and `sd acmd encrypt` commands until a patch is available. Restrict access to the CAF CLI and SD ACMD CLI to minimize the risk of exploitation. Avoid using the `caf encrypt` and `sd acmd encrypt` commands in the affected software until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** An issue was discovered due to insufficient input validation, making the C-MOR web interface vulnerable to OS command injection attacks. The vulnerability can be exploited by a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data, for example, the `city` parameter. Additionally, an administrative user can exploit the OS command injection vulnerability in the script settimezone.pml or setdatetime.pml, for instance, via the `year` parameter. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges. **Recommendations** For versions 5.2401 through 6.00PL01, consider disabling the generatesslreq.pml script and restricting access to the settimezone.pml and setdatetime.pml scripts until a patch is available. As a temporary workaround, avoid using the `city` and `year` parameters in the affected HTTP POST requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AudioCodes VoIP desk phones versions through 3.4.4.1000 **Description** An issue was discovered where the validation of firmware images only consists of simple checksum checks for different firmware components. This allows an attacker, by knowing how to calculate and where to store the required checksums for the flasher tool, to store malicious firmware. **Recommendations** For versions through 3.4.4.1000, as a temporary workaround, consider restricting access to the flasher tool until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Omnis Studio version 10.22.00 **Description** The issue is related to incorrect access control in Omnis Studio. It has a feature to make Omnis libraries "always private", which is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks, violating the expected behavior of an "irreversible operation". **Recommendations** For Omnis Studio version 10.22.00, as a temporary workaround, consider restricting access to the Omnis Studio browser to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Omnis Studio version 10.22.00 **Description** The issue is related to incorrect access control in Omnis Studio. It has a feature for locking classes within Omnis libraries, which should make it impossible to delete, view, change, copy, rename, duplicate, or print a locked class. However, due to implementation issues, locked classes can be unlocked and further analyzed or modified. This allows for actions such as deleting, viewing, changing, copying, renaming, duplicating, or printing previously locked Omnis classes, violating the expected behavior of an "irreversible operation." **Recommendations** For Omnis Studio version 10.22.00, consider restricting access to the locking feature until a proper fix is implemented to ensure the irreversible nature of the lock operation. As a temporary workaround, avoid relying solely on the locking mechanism for security and implement additional access controls to minimize the risk of unauthorized modifications or analyses of locked classes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lepin EP-KP001 versions through KP001 V19 **Description** The issue is due to an insecure design, allowing an authentication bypass attack. This enables an attacker to gain access to stored encrypted data by replacing the microcontroller on a target device with one from an attacker-controlled device whose passcode is known. Normally, the encrypted disk partition is unlocked by entering a correct passcode via the keypad and pressing the Unlock button, with authentication performed by an unknown microcontroller. This vulnerability allows an attacker to unlock the target device and read stored data in cleartext. **Recommendations** For Lepin EP-KP001 versions through KP001 V19, consider replacing the microcontroller with a secure one or implementing additional security measures to prevent unauthorized access. As a temporary workaround, restrict physical access to the device to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verbatim Keypad Secure USB 3.2 Gen 1 Drive versions through 2022-03-31 Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0 **Description** An issue was discovered in certain Verbatim drives due to an insecure design, allowing an offline brute-force attack for determining the correct passcode and thus gaining unauthorized access to the stored encrypted data. **Recommendations** For Verbatim Keypad Secure USB 3.2 Gen 1 Drive versions through 2022-03-31, consider disabling the keypad functionality until a secure update is available. For Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0, restrict access to the device to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verbatim Keypad Secure USB 3.2 Gen 1 Drive versions through 2022-03-31 Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C versions through VER4.0 Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C versions through VER1.1 Verbatim Fingerprint Secure Portable Hard Drive versions through 2022-03-31 **Description** An issue was discovered in certain Verbatim drives due to the use of an insecure encryption AES mode, Electronic Codebook (ECB). This allows an attacker to extract information from encrypted data by observing repeating byte patterns. The firmware of the USB-to-SATA bridge controller INIC-3637EN uses AES-256 with the ECB mode, which always encrypts identical plaintext data to identical ciphertext data. For some data, such as bitmap images, the lack of diffusion within ECB can leak sensitive information even in encrypted data. **Recommendations** For Verbatim Keypad Secure USB 3.2 Gen 1 Drive, consider disabling the use of AES-256 with ECB mode until a secure alternative is implemented. For Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C, restrict access to sensitive data stored on the device until a patch or update is available. For Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C, avoid storing sensitive information, such as bitmap images, on the device until the issue is resolved. For Verbatim Fingerprint Secure Portable Hard Drive, as a temporary workaround, consider using alternative encryption methods or storing sensitive data on a different device until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Verbatim drives (affected versions not specified) **Description** An issue was discovered in certain Verbatim drives due to insufficient firmware validation. An attacker can store malicious firmware code for the USB-to-SATA bridge controller on the USB drive, which is then executed. This affects various Verbatim drive models, including Keypad Secure USB 3.2 Gen 1 Drive, Store 'n' Go Secure Portable HDD, Executive Fingerprint Secure SSD, and Fingerprint Secure Portable Hard Drive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1 Verbatim Fingerprint Secure Portable Hard Drive Part Number #53650 **Description** An issue was discovered in certain Verbatim drives due to missing integrity checks, allowing an attacker to manipulate the content of the emulated CD-ROM drive. The content is stored as an ISO-9660 image in the hidden sectors of the USB drive, accessible using special IOCTL commands or when installed in an external disk enclosure. By manipulating this image, an attacker can store malicious software on the emulated CD-ROM drive, which may be executed by an unsuspecting victim. An attacker with temporary physical access could program a modified ISO-9660 image, allowing them to decrypt user data or store other malicious software. **Recommendations** For Verbatim Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1, consider disabling access to the emulated CD-ROM drive until a patch is available. For Verbatim Fingerprint Secure Portable Hard Drive Part Number #53650, restrict access to the hidden sectors of the USB drive to minimize the risk of exploitation. As a temporary workaround, avoid using the device until a fix is provided, to prevent potential execution of malicious software. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verbatim Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0 **Description** An issue was discovered in certain Verbatim drives where the security feature for lockout does not work as specified, allowing more than 20 unlock attempts without requiring a reformat of the drive. **Recommendations** For Verbatim Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428, consider implementing additional security measures to prevent unauthorized access until a fix is available. For Verbatim Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0, restrict access to sensitive data stored on the device to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.