A security flaw has been disclosed in Kyocera’s Product Supervisor item that could be exploited by bad actors to carry out destructive pursuits on impacted techniques.
“This vulnerability permits attackers to coerce authentication tries to their have assets, these kinds of as a malicious SMB share, to capture or relay Energetic Listing hashed credentials if the ‘Restrict NTLM: Outgoing NTLM targeted visitors to remote servers’ security policy is not enabled,” Trustwave said.
Tracked as CVE-2023-50916, Kyocera, in an advisory launched late last thirty day period, described it as a route traversal issue that permits an attacker to intercept and alter a local path pointing to the backup area of the database to a universal naming conference (UNC) route.
This, in transform, results in the web application to try to authenticate the rogue UNC route, ensuing in unauthorized accessibility to clients’ accounts and data theft. On top of that, depending on the configuration of the setting, it could be exploited to pull off NTLM relay attacks.
The shortcoming has been dealt with in Kyocera Product Supervisor model 3.1.1213..
QNAP Releases Fixes for Numerous Flaws
The progress comes as QNAP produced fixes for numerous flaws, which includes higher-severity vulnerabilities impacting QTS and QuTS hero, QuMagie, Netatalk and Movie Station.
This contains CVE-2023-39296, a prototype air pollution vulnerability that could make it possible for remote attackers to “override current characteristics with ones that have an incompatible style, which may lead to the process to crash.”
The shortcoming has been dealt with in versions QTS 126.96.36.19978 create 20231110 and QuTS hero h188.8.131.5278 build 20231110.
A brief description of the other notable flaws is as follows –
- CVE-2023-47559 – A cross-site scripting (XSS) vulnerability in QuMagie that could permit authenticated end users to inject malicious code through a network (Dealt with in QuMagie 2.2.1 and later on)
- CVE-2023-47560 – An working method command injection vulnerability in QuMagie that could let authenticated users to execute commands by means of a network (Resolved in QuMagie 2.2.1 and afterwards)
- CVE-2023-41287 – An SQL injection vulnerability in Movie Station that could allow end users to inject destructive code by way of a network (Tackled in Video Station 5.7.2 and later)
- CVE-2023-41288 – An working program command injection vulnerability in Video clip Station that could enable buyers to execute commands by means of a network (Resolved in Video Station 5.7.2 and later)
- CVE-2022-43634 – An unauthenticated distant code execution vulnerability in Netatalk that could enable attackers to execute arbitrary code (Resolved in QTS 184.108.40.20678 develop 20231110 and QuTS hero h220.127.116.1178 create 20231110)
Whilst there is no proof that the flaws have been exploited in the wild, it really is suggested that consumers just take actions to update their installations to the most recent variation to mitigate possible pitfalls.
Observed this write-up attention-grabbing? Comply with us on Twitter and LinkedIn to study extra exceptional material we put up.
Some areas of this short article are sourced from: