Sven Hebrok

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions through 2.4.63 Description: In certain mod ssl configurations, a man-in-the-middle attacker can hijack an HTTP session through a TLS upgrade attack. This issue affects configurations utilizing “SSLEngine optional” to enable TLS upgrades. The attack is related to HTTP desynchronization. Recommendations: Upgrade to version 2.4.64, which removes support for TLS upgrade.

**Name of the Vulnerable Software and Affected Versions** nginx versions 1.11.4 through 1.27.31 nginx version 1.26.3 nginx version 1.27.4 **Description** When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This issue arises when TLS Session Tickets and/or the SSL session cache are used in the default server and the default server is performing client certificate authentication. **Recommendations** For versions 1.11.4 through 1.27.31, update to version 1.26.3 or 1.27.4 to resolve the issue. For version 1.26.3, no further action is required as this version includes the fix. For version 1.27.4, no further action is required as this version includes the fix. As a temporary workaround, consider disabling the use of TLS Session Tickets and the SSL session cache in the default server until a patch is available.

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.35 through 2.4.63 Description: In certain mod ssl configurations, an access control bypass is possible for trusted clients using TLS 1.3 session resumption. This occurs when mod ssl is configured for multiple virtual hosts, each restricted to a different set of trusted client certificates, and `SSLStrictSNIVHostCheck` is not enabled in either virtual host. Recommendations: Apache HTTP Server versions 2.4.35 through 2.4.63: Enable `SSLStrictSNIVHostCheck` in all virtual host configurations.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4-rc-6 **Description** The moderators-only webcams lock setting in BigBlueButton is not enforced on the backend. This allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied, by exploiting the fact that the required `streamId` is sent to all users, regardless of the lock setting. **Recommendations** For versions prior to 2.4-rc-6, update to version 2.4-rc-6 to resolve the issue. As a temporary workaround, consider restricting access to the webcam feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4.0 **Description** The issue affects meetings with polls in BigBlueButton, an open source web conferencing system, where an attacker who is a meeting participant can gain access to sensitive information. Specifically, subscribing to the current-poll collection does not update the client UI but gives the attacker access to the contents of the collection, including individual poll responses. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 to resolve the issue. As a temporary workaround, consider restricting access to meetings with polls until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4-rc-6 **Description** The issue concerns ineffective user bans in BigBlueButton, an open source web conferencing system. An attacker could register multiple users and join a meeting with one of them. If that user is banned, they could still join the meeting with the remaining registered users from the same extId. This is resolved by improving permissions so that banning a user removes all related users, including those who have not joined the meeting. **Recommendations** For versions prior to 2.4-rc-6, update to version 2.4-rc-6 or 2.5-alpha-1 to fix the issue. As a temporary workaround, consider manually removing all users related to the extId of a banned user to prevent them from joining the meeting. Restrict access to the meeting for users with the same extId as a banned user until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4-rc-6 BigBlueButton versions prior to 2.5-alpha-1 **Description** BigBlueButton is an open source web conferencing system. The issue concerns Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. However, moderators should only be able to set none as the status of other users. **Recommendations** For versions prior to 2.4-rc-6, update to version 2.4-rc-6 or later to resolve the issue. For versions prior to 2.5-alpha-1, update to version 2.5-alpha-1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4.3 **Description** BigBlueButton is an open source web conferencing system. The system contains a whiteboard grace period to handle delayed messages, but this period can be exploited by attackers to perform actions in the few seconds after their access is revoked. The attacker must be a meeting participant. **Recommendations** For versions prior to 2.4.3, update to version 2.4.3 or 2.5-alpha-1 to resolve the issue. As a temporary workaround, consider restricting access to the whiteboard feature for meeting participants until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4.0 **Description** The issue affects BigBlueButton, an open source web conferencing system, and allows an attacker who is a meeting presenter to start a subscription for poll results before starting an anonymous poll. This subscription can then be used to see individual responses in the anonymous poll. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 to resolve the issue. As a temporary workaround, consider restricting the ability to start subscriptions for poll results before starting an anonymous poll, or limiting the role of meeting presenter to trusted individuals.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.4.3 **Description** The issue is related to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's `userId`, `meetingId`, and an invalid `authToken`. This forces the victim to leave the conference because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. **Recommendations** For versions prior to 2.4.3, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the `validateAuthToken` function until the update is applied. Additionally, restrict the ability for participants to make Meteor calls with invalid `authToken` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel GS1900 series firmware versions prior to V2.70 **Description** An insufficient entropy issue, caused by the improper use of randomness sources with low entropy for RSA key pair generation, affects the web administration interface. This could allow an unauthenticated attacker to retrieve a private key by factoring the RSA modulus N in the certificate. **Recommendations** For Zyxel GS1900 series firmware versions prior to V2.70, update to version V2.70 or later to resolve the issue. As a temporary workaround, consider restricting access to the web administration interface until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 2.2 through 2.3.8 BigBlueButton versions 2.4-beta before 2.4-beta-1 **Description** BigBlueButton is an open source web conferencing system. An attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server, provided they are a participant in a meeting on the server. **Recommendations** For BigBlueButton versions 2.2 through 2.3.8, update to version 2.3.9 to resolve the issue. For BigBlueButton versions 2.4-beta before 2.4-beta-1, update to version 2.4-beta-1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 2.2 through 2.3.17 BigBlueButton versions 2.4.0 **Description** BigBlueButton is an open source web conferencing system. An attacker, who needs to be a participant in the meeting, could send messages to a locked chat within a 5-second grace period after the lock setting was changed. **Recommendations** For BigBlueButton versions 2.2 through 2.3.17, update to version 2.3.18 to resolve the issue. For BigBlueButton version 2.4.0, update to version 2.4.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 2.2 through 2.3.17 BigBlueButton versions 2.4-rc-1 through 2.4-rc-5 **Description** BigBlueButton is an open source web conferencing system. An attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. **Recommendations** For BigBlueButton versions 2.2 through 2.3.17, update to version 2.3.18 to resolve the issue. For BigBlueButton versions 2.4-rc-1 through 2.4-rc-5, update to version 2.4-rc-6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 2.2 through 2.3.17 BigBlueButton versions 2.4-rc-1 through 2.4-rc-5 **Description** BigBlueButton is an open source web conferencing system. An attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched by modifying the stream to send the data only for users in the meeting. **Recommendations** For BigBlueButton versions 2.2 through 2.3.17, update to version 2.3.18 or later. For BigBlueButton versions 2.4-rc-1 through 2.4-rc-5, update to version 2.4-rc-6 or later.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 2.2 through 2.3.17 BigBlueButton versions 2.4-rc-1 and earlier **Description** BigBlueButton is an open source web conferencing system. An attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. **Recommendations** For BigBlueButton versions 2.2 through 2.3.17, update to version 2.3.18 or later to resolve the issue. For BigBlueButton versions 2.4-rc-1 and earlier, update to version 2.4-rc-1 or later to resolve the issue.