News


  • CHT Security Discovered a Pre-Auth Cross-Site Scripting in Well-known Japanese Email System

    CHT Security Red Team discovered a Pre-Auth Cross-Site Scripting vulnerability (CVE-2020-11734) in a well-known Japanese email system. More than 10 organizations, including government, education and financial sectors, are affected. The vulnerability is briefly described as follows:

    CVE-2020-11734: An attacker can perform cross-site scripting attacks prior to authentication. This vulnerability exists in multiple versions of the email system. The vulnerable page is /cgi-bin/go. This vulnerability is classified under A7 - Cross-Site Scripting (XSS) of the OWASP Top 10 2017.

    Impact
    The email system is one of the core systems of an enterprise. Once it is compromised, emails that may contain personal data and organization information can be leaked. Enterprises often overlook the criticality of the email system since they usually use packaged software or subscribe to services.

    Known Affected Software
    version 5 or later

    If your organization or enterprise is using the affected e-mail system, it is recommended to contact the vendor for patching and updating as soon as possible.

    Recommendations
    CHT Security also recommends the following measures:
    1. Enterprise: Contact the vendor to install the patch update as soon as possible.
    2. Email system vendor: Add salt to hashing instead of storing passwords in plaintext. Implement input validation in the applications. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.

    More
  • CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Domestic Learning System

    Summary
    Vulnerability List
    1. [CVE-2020-10508] Sensitive Data Exposure
    2. [CVE-2020-10509] Cross-Site Scripting (Reflected XSS)
    3. [CVE-2020-10510] Broken Access Control

    Details
    1. Sensitive Data Exposure
    Description: System files are stored improperly. Attackers can use a specific URL to capture confidential information.
    Impact: The leaked personal information and login accounts of the system can be used for further attacks.
    Known Affected Software: version 8 and version 9.

    2. Cross-Site Scripting (Reflected XSS)
    Description: Several parameters are affected by reflected XSS.
    Impact: If an attacker can control a script that is executed in the victim's browser, personal information may be leaked to the attacker via this vulnerability.
    Known Affected Software: version 8 and version 9.

    3. Broken Access Control
    Description: After login, attackers can use a specific URL to access unauthorized functionality and data.
    Impact: Attackers can conduct vertical privilege escalation via unauthorized page access.
    Known Affected Software: version 8 and version 9.

    Credits: Jalong Chen (CHT Security)

    More
  • CHT Security Discovered Vulnerabilities in Firmware of Well-Known DVR

    CHT Security Digital Forensics and Information Security Testing Center discovered two vulnerabilities in a well-known DVR. The first one is an arbitrary read/write vulnerability (CVE-2020-10513) and the second is a command injection (CVE-2020-10514). More than 10 million devices in Taiwan are affected.

    CVE-2020-10513: An attacker can read or modify any file in the file system of the device. By changing the system configuration file, the attacker can cause Denial of Service or command injection.

    CVE-2020-10514: An attacker can modify the parameter of an RPC function and inject a malicious command. It allows the attacker to execute commands on the device once the attacker has obtained the password. We also discovered that the device does not force the user to change the password, and that a lot of devices might use a fixed default password from the vendor or dealer.

    Impact
    An attacker can control the infected device and use it to perform DDoS attacks.

    Known Affected Device
    Firmware version before 2020/02

    The vendor has released related patches after receiving our report. It is recommended to contact the vendor for patching and updating as soon as possible.

    Recommendations
    User: Update the firmware to the newest version as soon as possible.
    Vendor: Check all input from the user side. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.

    More
  • CHT Security Discovered a Pre-Auth SQL Injection in Well-known Email System

    CHT Security Red Team discovered a Pre-Auth SQL Injection vulnerability (CVE-2020-3922) in a well-known email system. More than 20 organizations, including government, education and financial sectors, are affected. The vulnerability is briefly described as follows:

    CVE-2020-3922: It allows remote attackers to execute arbitrary SQL commands via the bkimage parameter without authentication. Remote attackers can obtain unauthorized data such as users' accounts and passwords for logging into the webmail. After accessing a victim's account, remote attackers can modify the password. Remote attackers can also write arbitrary files, such as a webshell, on the target system. It compromises the confidentiality, integrity and availability of data and system. This vulnerability is classified under A1 - Injection of the OWASP Top 10 2017.

    Impact
    The email system is one of the core systems of an enterprise. Once it is compromised, emails that may contain personal data and organization information can be leaked. Enterprises often overlook the criticality of the email system since they usually use packaged software or subscribe to services.

    Known Affected Software
    versions before 2017

    The vendor has released related patches after receiving our report. If your organization or enterprise is using the affected e-mail system, it is recommended to contact the vendor for patching and updating as soon as possible.

    Recommendations
    CHT Security also recommends the following measures:
    Enterprise: Contact the vendor to install the patch as soon as possible. In addition to regularly updating the system, it is recommended that administrators configure two-factor authentication to enhance login security and require sufficient strength for user passwords.
    Email system vendor: Add salt to hashing instead of storing passwords in plaintext. Implement input validation in the applications. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.

    More
  • CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Domestic Stock Selection System

    The Vulnerability Report of Stock Selection System

    Summary
    Vulnerability List
    1. [CVE-2020-3937] SQL Injection
    2. [CVE-2020-3938] Server-Side Request Forgery
    3. [CVE-2020-3939] Cross-Site Scripting (Reflected XSS)

    Details
    1. SQL Injection
    Description: Several parameters are affected by SQL Injection.
    Impact: This vulnerability allows attackers to perform unwanted SQL queries and access arbitrary data in the database.
    Known Affected Software: versions before 20191223

    2. Server-Side Request Forgery
    Description: Several parameters are affected by Server-Side Request Forgery.
    Impact: This vulnerability allows attackers to probe the network architecture or system files of the server via forged requests.
    Known Affected Software: versions before 20191223

    3. Cross-Site Scripting (Reflected XSS)
    Description: Several parameters are affected by reflected XSS.
    Impact: If an attacker can control a script that is executed in the victim's browser, personal information may be leaked to the attacker via this vulnerability.
    Known Affected Software: versions before 20191223

    Credits: Jalong Chen (CHT Security)

    More
  • CHT Security Forensics Lab Discovered Vulnerabilities in Firmware of Well-Known DVR

    The Vulnerability Report of Tonnet DVR

    Summary
    1. [CVE-2020-3923] Improper Access Control
    The firmware does not handle passwords properly. An attacker could analyze the firmware and the cipher algorithm to obtain system permission on the devices.
    2. [CVE-2020-3924] Command Injection
    There is a command injection in the firmware update procedure. An attacker can easily craft a fake firmware image that opens the telnet service to obtain system permission.

    Details
    1. [CVE-2020-3923] Improper Access Control
    The firmware contains an executable file that listens on port tcp/9530, which is a service for engineers to maintain the device. The authentication procedure of this service is vulnerable: it uses a symmetric algorithm (3DES) with fixed keys to verify the passcode. This vulnerability allows attackers to obtain system permission after reversing the firmware.
    Impact: An attacker could gain root permission. The device might be recruited into a botnet and used to execute DDoS attacks.

    2. [CVE-2020-3924] Command Injection
    The main reason this vulnerability exists is an insecure upgrade procedure. In addition, there is a further insecure command in the configuration script parser. With both weaknesses, an attacker can easily build malicious firmware that turns on the telnet service and grants system permission.
    Impact: An attacker could gain root permission. The device might be recruited into a botnet and used to execute DDoS attacks.

    Known Affected Devices
    TAT-77104G1, Firmware version = TAT-77104G1_20190107
    TAT-70432N, Firmware version = TAT-77208G1_20181225
    TAT-71416G1, Firmware version = TAT-71416G1_20181225
    TAT-71832G1, Firmware version = TAT-71832G1_20190510
    TAT-76104G3, Firmware version = 20181220_76104G3
    TAT-76108G3, Firmware version = 20181221_76208G3
    TAT-76116G3, Firmware version = 20181221_76216G3
    TAT-76132G3, Firmware version = TAT-70832G3_20181221-1

    Credit: Weber Tsai (CHT Security), Keniver Wang (CHT Security), Redhung Chen (CHT Security Intern)

    More
  • CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Domestic Door Access Control and Personnel Attendance Management System

    The Vulnerability Report of Door Access Control and Personnel Attendance Management System

    Attackers could use the vulnerabilities below to infiltrate enterprise networks and collect employee accounts and passwords.

    Summary
    1. [CVE-2020-3933] Current Description: A Door Access Control and Personnel Attendance Management system allows attackers to enumerate and examine user accounts in the system.
    2. [CVE-2020-3934] Current Description: A Door Access Control and Personnel Attendance Management system contains a Pre-auth SQL Injection vulnerability, allowing attackers to inject a specific SQL command. Source: MITRE
    3. [CVE-2020-3935] Current Description: A Door Access Control and Personnel Attendance Management system stores user information in cleartext in the cookie, which divulges the password to attackers. Source: MITRE

    Update to: 門禁 (Access control) Ver 3.5.4; 考勤 (Attendance) Ver 3.4.0.0.3.05_20191112

    Reference: NIST (CVE-2020-3933), NIST (CVE-2020-3934), NIST (CVE-2020-3935)

    Credit: Hans (CHT Security)

    More
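    CVE-2020-3935 above concerns user information, including the password, stored in cleartext in the session cookie. The following is an added example (not code from CHT Security or from the affected product) of the pattern a web application should use instead: the cookie carries only an opaque user id and an expiry, and an HMAC over that payload lets the server reject any client-side edit. The key handling, cookie layout and function names are this example's own assumptions.

```python
"""Integrity-protected session cookie that carries no credentials.

Added example, not code from CHT Security or from the access-control product
in the advisory. The browser receives only a user id plus an expiry, bound by
an HMAC so neither can be edited client-side; no password ever reaches the
cookie. Key handling and the cookie layout are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# In a real deployment the key comes from a secret store; generating it per
# process is only for this self-contained example.
SERVER_KEY = os.urandom(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user_id: str, ttl_seconds: int = 3600,
                        now: Optional[float] = None,
                        key: bytes = SERVER_KEY) -> str:
    """Return 'payload.signature'; the payload holds only uid and expiry."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = json.dumps({"uid": user_id, "exp": exp},
                         separators=(",", ":")).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def parse_session_cookie(cookie: str, now: Optional[float] = None,
                         key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id if signature and expiry check out, else None."""
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None                               # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):    # tampered or forged
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None                               # expired
    return claims.get("uid")


if __name__ == "__main__":
    # Constructed sample: issue a cookie for user "u42" and read it back.
    c = make_session_cookie("u42", ttl_seconds=60)
    print(c, "->", parse_session_cookie(c))
```

    Anything the client can decode, it can also read, so the rule is simply never to put a password or other secret in the cookie in the first place; the HMAC addresses the separate problem of the client rewriting the user id. Set the cookie with the Secure and HttpOnly attributes as well, so it is not sent in clear and not readable by page scripts.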
  • CHT Security Financial Security Assessment Team Discovered Insecure API in Well-Known Domestic Cross-Platform Digital Signature Plugin

    Vulnerabilities of ServiSign Components

    Abstract of Software
    ServiSign is a system developed by Changingtec in Taiwan. It provides cross-platform solutions for digital signature and verification. The official introduction of ServiSign: https://www.changingtec.com/EN/servisign.html

    Summary
    Vulnerabilities List
    1. [CVE-2020-3925] Remote Code Execution via LoadLibrary
    2. [CVE-2020-3926] Arbitrary File Read
    3. [CVE-2020-3927] Arbitrary File Delete

    Details
    1. Remote Code Execution via LoadLibrary
    Description: There is an insecure call to LoadLibraryA in a DLL file of ServiSign. Since there is no filter or restriction on the parameter used to load DLL files from a high-privilege directory, attackers can control the path parameter to execute a malicious DLL.
    Impact: Without any path filter or access control at this function, attackers can execute malicious DLL files on the computer through these weak functions without any authentication, by injecting malicious JavaScript code through XSS payloads on phishing websites.
    Known Affected Software: ServiSign for Windows ver. = 1.0.19.0617

    2. Arbitrary File Read
    Description: The DLL file called by the ServiSign system also contains insecure APIs in several versions. An attacker can pass any path parameter to the API function and read the contents of files on the user's computer without any authentication.
    Impact: Without any path filter or access control at this function, an attacker can deploy attack code on phishing or advertisement websites. If a user browses these websites in an environment with ServiSign installed, the attack code in the web page can read the contents of the specified file path and upload them to the attacker without authentication.
    Known Affected Software: ServiSign for Windows ver. = 1.0.19.0617

    3. Arbitrary File Delete
    Description: The same DLL file also contains an insecure API associated with file handling. It allows attackers to delete any file without authentication.
    Impact: Without any path filter or access control at this function, an attacker can deploy attack code on phishing or advertisement websites. If a user browses these websites in an environment with ServiSign installed, the attack code in the web page can delete the file at the specified path without authentication.
    Known Affected Software: ServiSign for Windows ver. = 1.0.19.0617

    Credits: Weber Tsai (CHT Security), Keniver Wang (CHT Security)

    More
  • CHT Security Discovered Multiple CVEs in Well-known Email System

    CHT Security Red Team discovered multiple vulnerabilities (CVE-2019-15071, CVE-2019-15072, CVE-2019-15073) in a well-known email system. The email system has Cross-Site Scripting (XSS) and Open Redirect vulnerabilities. More than 40 organizations, including government, education and financial sectors, are affected. The vulnerabilities are briefly described as follows:

    CVE-2019-15071: An attacker can perform cross-site scripting attacks prior to authentication. This vulnerability exists in multiple versions of the email system. The vulnerable page is /cgi-bin/go. This vulnerability is classified under A7 - Cross-Site Scripting (XSS) of the OWASP Top 10 2017.

    CVE-2019-15072: Attackers can perform cross-site scripting attacks against arbitrary parameters. This vulnerability exists in multiple versions of the messaging system. The vulnerable page is /cgi-bin/portal. This vulnerability is also classified under A7 - Cross-Site Scripting (XSS) of the OWASP Top 10 2017.

    CVE-2019-15073: Attackers can perform unvalidated forwarding and redirection prior to authentication. This vulnerability exists in multiple versions of the email system. The vulnerable page is /cgi-bin/go. This vulnerability is classified under CWE-601: URL Redirection to Untrusted Site (Open Redirect).

    The email system is one of the core systems of an enterprise. Once it is compromised, all mail, which may include identification and organization information, can be leaked. Enterprises often overlook the criticality of the email system since they usually use packaged software or subscribe to services. In the experience of our penetration test team, vulnerabilities in web-based email systems are found often. The XSS and Open Redirect in this case are common vulnerabilities that enable hackers to launch phishing or identity theft. Once hackers can grasp the email contents and the key persons, they can launch precise attacks like Business Email Compromise (BEC). According to the FBI's report in 2018, BEC scams had brought more than $12 billion in losses globally.

    The vendor has released related patches after receiving our report. If your organization or enterprise is using the affected e-mail system, it is recommended to contact the vendor for patching and updating as soon as possible.

    CHT Security also recommends the following measures:
    Enterprise: Contact the vendor to install the patch as soon as possible. In addition to regularly updating the system, it is recommended that administrators configure two-factor authentication to enhance login security and require sufficient strength for user passwords.
    Email system vendor: Implement input validation in the applications. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.

    More
  • (108/9/9) Reporting High Risk CVE in SWIFT Alliance Web Platform that Enables Log Injection

    CHT Security's red team discovered a high-risk log injection vulnerability (CVE-2018-16386) in SWIFT Alliance Web Platform while performing a Financial Service System Security Assessment last year. SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a global transaction data exchange system for financial services that more than 11,000 banks and securities dealers in more than 200 countries are using. SWIFT is an important target for hackers. Over the past three years, many banks, including banks in Taiwan, have lost more than 2.5 billion TWD due to the hacking of SWIFT-related systems. This vulnerability does not require login to perform log injection, and the CVSS v3.0 risk score is 7.5 (High). The details are described as follows:

    CVE-2018-16386: Our white hat hacker discovered a log injection vulnerability in SWIFT Alliance Web Platform 7.1.23. An attacker can abuse the system's error log function to write arbitrary content to any log file. When combined with another file inclusion vulnerability, it is possible to achieve command injection. For example, an attacker can write an exploitation command into the log and then have the log content loaded to achieve a command injection attack. Once successfully attacked, the attacker will have full control of the victim host.

    The vendor released related updates as soon as possible after receiving the report. Since the SWIFT system is highly sensitive, the vulnerability was not publicly released until this year even though it was reported last year. It is recommended that financial institutions or enterprises that are still using SWIFT prior to version 7.1.23 (inclusive) contact the vendor for system updates as soon as possible. If you cannot update immediately, we recommend the following mitigations:
    Regularly check the content of logs for any unexpected information that has been written.
    Ensure permission checking for access to any function in the software implementation. Deny access without proper privilege.
    Developers shall introduce whitelisting or regular expressions for parameter checks and prevent the injection of malicious input.

    It is recommended that enterprises adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to ensure the effectiveness of enterprise cybersecurity.

    More
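    Two of the mitigations listed above for the log injection issue, parameter checks that stop attacker-controlled text from forging log records and a periodic check of log content for unexpected entries, in working form. This is an added example and is not code from CHT Security or from SWIFT; the record format, the sanitising rules and the sample log lines are all constructed for this example.

```python
"""Neutralising untrusted input before logging, and a log-content check.

Added example, not code from CHT Security or from SWIFT. It illustrates two
mitigations from the advisory: parameter checks that keep attacker-controlled
text from forging log records, and a scan of log files for entries that do not
look like the application's own records. The record format and the sample log
lines are constructed for this example.
"""
import re
from typing import List, Tuple

MAX_FIELD_LEN = 200

# One record per line: timestamp, level, component, message.
RECORD_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[(INFO|WARN|ERROR)\] [A-Za-z0-9_.-]+: .*$"
)


def sanitize_for_log(value: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Escape line breaks and control characters so the value cannot start a
    new record, and cap its length so it cannot flood the file."""
    out = []
    for ch in value[:max_len]:
        code = ord(ch)
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)


def format_record(ts: str, level: str, component: str, message: str) -> str:
    """Build one log record; the message is the only untrusted part."""
    return f"{ts} [{level}] {component}: {sanitize_for_log(message)}"


def find_unexpected_lines(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for lines that do not match the record
    format; these are what the advisory's 'regularly check the logs' step
    should surface for review."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if line.strip() and not RECORD_RE.match(line)]


# Constructed: an error message under attacker control that tries to end the
# current record and append a forged, well-formed one.
INJECTED_MESSAGE = "bad value\r\n2019-05-01 10:00:02 [INFO] auth: login ok"


def demo_write() -> Tuple[int, int]:
    """Number of log lines produced without and with sanitising."""
    unsafe = f"2019-05-01 10:00:01 [ERROR] web: {INJECTED_MESSAGE}"
    safe = format_record("2019-05-01 10:00:01", "ERROR", "web", INJECTED_MESSAGE)
    return len(unsafe.splitlines()), len(safe.splitlines())


# Constructed sample log: one sanitised record and one line the application
# never wrote.
SAMPLE_LOG = (
    "2019-05-01 10:00:00 [INFO] web: request /login from 10.0.0.5\n"
    "2019-05-01 10:00:01 [ERROR] web: bad value\\r\\n2019-05-01 10:00:02 [INFO] auth: login ok\n"
    "this line was not written by the application\n"
    "2019-05-01 10:00:03 [WARN] web: 3 failed logins for user alice\n"
)


if __name__ == "__main__":
    print("lines written (unsafe, safe):", demo_write())
    for number, line in find_unexpected_lines(SAMPLE_LOG):
        print(f"line {number} does not match the record format: {line}")
```

    Note the limits of the after-the-fact check: a forged record that copies the application's own format passes the format test, which is why the write-time sanitising is the primary control and the log scan only a backstop. The scan still catches fragments and partial records, and a log that is never supposed to contain escaped control sequences can additionally be grepped for the literal "\r\n" marker that the sanitiser leaves behind.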

For Financial Institutions

Security Assessment, ATM Drills for Offense & Defense, DDoS Drills, GDPR Consultant.

For Enterprises

Large Enterprises: Gateway Protection, Endpoint Protection, Data Security, Regular assessment, ISMS, In-depth Defense with ISPs.
SMB & SOHO: Anti-virus, Anti-hacking, Internet Protection.

For Government Departments

Regulation Compliance, Regional Joint Defense, SOC, ISAC, Common Supply Contract.