Vulnerabilities Discovered in CIPAce Enterprise Platform

  Versions Tested: CIPAce Version < 6.80 Build 2016031401 CIPAce Version < 9.1 Build 2019092801 Product: https://www.cipplanner.com/Products/CIPAce/Pages/CPMPlatform.aspx Security Advisories: N/A CVE Numbers: Requested CRITICALSTART‘s TEAMARES researchers have released a steady cadence of advice regarding the importance of testing your systems regularly for vulnerabilities. The following vulnerabilities uncovered during an external penetration test drives home this […]

Read More…

Resolve Security Program Disruptions With Remote Pentesting Tools

Due to current events, your organization is more than likely experiencing disruption resulting from a rush to implement remote work policies, social distancing, and other unexpected changes to business as usual. And if you’re like many organizations, chances are you did not have remote work contingency plans in place and may be scrambling to find […]

Read More…

Authentication Bypass Vulnerability Discovered in Infinias eIDC32 WebServer

Versions Tested: Web Revision: 1.107, Board: 3.001, Firmware: 2.213 Product: https://www.3xlogic.com/products/access-control/infinias-ethernet-enabled-integrated-door-controller-eidc Security Advisories: N/A CVE Numbers: Requested CVSS Score: N/A CWE: CWE-305: Authentication Bypass by Primary Weakness NIST: IA-4: Identifier Management OWASP: A2: Broken Authentication   With access to a system’s control interface, a malicious actor can unlock controls remotely, allowing them to gain physical […]

Read More…

CRITICALSTART’s TEAMARES Research Is Aiding Global Fight Against COVID-19

What does a computer virus have in common with the Coronavirus (COVID-19)? Plenty, believe it or not, as technology can be used to help solve both. The TEAMARES research team has found that our hash cracker Cthulhu can be used to run computer simulations that mimic the same complex protein folding that occurs in viruses. […]

Read More…

Regex Revelry

Regular Expressions (Regex) are used to identify strings that defy simple search terms, which infosec and technology professionals use for things like input validation, searching and scripting. Unfortunately, the syntax can be intimidating and the learning curve steep for beginners. Throw in a handful of different flavors and the confusion grows. While it can be […]

Read More…

Vulnerabilities Discovered in Tiff Server from AquaForest

Versions Tested: Tiff Server 4.0 Product: https://www.aquaforest.com/en/tiffserver.asp Security Advisories: N/A CVE Numbers: CVE-2020-9323 CVE-2020-9324 CVE-2020-9325 CVSS Score: Unauthenticated File and Directory Enumeration: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:W/RC:C Unauthenticated Arbitrary File Download: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C Unauthenticated SMB Hash Capture via UNC: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C CWE: Unauthenticated File and Directory Enumeration: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) Unauthenticated Arbitrary […]

Read More…

Vulnerability Focus: Exploits Impacting Organizations

No matter how much you think you’ve done to protect your data and systems, common vulnerabilities continue to wreak havoc on enterprises. Cyberattacks are already increasing due to global events, meaning it’s more important than ever to identify and secure vulnerabilities. The following are some vulnerability trends the TEAMARES team is seeing – and what […]

Read More…

Quentin Rhoads-Herrera: Evaluating Your Security Posture

Full video transcript: Our focus is around penetration testing, discovering vulnerabilities, and potential configuration issues that lead to data breaches on some of the biggest clients, Fortune 500, Fortune 50 and so on. I notice a lot of vendors, they will do a scan and hand it off and say, “It’s a pen test”, right? […]

Read More…

Reducing Vulnerabilities: Addressing Orphaned Systems and Weak Passwords

Luckily, it was only a test. During penetration testing for two international companies, our team found numerous vulnerabilities. In both cases we had total control over all systems within the clients’ network and could easily shut them down, siphon data from critical customer-facing systems, take over PCI assets, and more. If we were the bad […]

Read More…

The Importance of Password Managers and MFA in Your Security Stack

The subject of password strength and complexity requirements has been discussed and debated ad nauseam in the security industry. It’s a subject as old as information security and will not be going away any time soon. Cory Mathews, Offensive Security Technical Lead for CRITICALSTART‘s TEAMARES, outlines the importance of proper password management and the steps you can […]

Read More…

ManageEngine Privilege Escalation

Background: After running into ManageEngine products on a number of penetration tests, we decided to take a closer look at their products and see if there were any vulnerabilities that we could take advantage of. CVE Numbers: CVE-2019-12876 Versions Tested: DesktopCentral – 10.0.380 ADSelfService Plus – 5.7 ADManager Plus – 6.6.5 DLL Hijacking: Multiple ManageEngine […]

Read More…

ManageEngine User Enumeration

Background: While conducting a penetration test of a client’s external network, I discovered a way to enumerate users’ in ManageEngine’s ADSelfService Plus application. This allows an attacker to determine the system Admin username. Product: ManageEngine ADSelfService Plus Software Version: 5.7, build 5704 Issue: The login page is vulnerable to account enumeration. The admin login page […]

Read More…

VMware Horizon Connection Server Information Disclosure

Background:  While conducting a penetration test of a client’s external network, I discovered three separate instances of information disclosure in VMware’s Horizon Access Web Portal. An unauthenticated user could access information such as internal domain names, the Connection Server’s internal hostname, or the gateway’s internal IP address. Version Tested 4.7.0 CVE Number CVE-2019-5513 Security Advisoriess […]

Read More…

Information Disclosure in JForum 2.1.X – Syntax

  Background While conducting a penetration test for a customer, I encountered an unused developer forum using JForum version 2.1.8 and started looking for vulnerabilities within the application. Version Tested: 2.1.8 CVE Number: CVE-2019-7550 Security Advisories: None   Issue When creating a new user within the application, the browser sends a GET request to the […]

Read More…

The Next Step of Social Engineering: Social Media Hoaxes

From Jonathan Swift’s fake almanac in 1708 to the modern Dihydrogen monoxide joke, hoaxes have been around for as long as humans have enjoyed deceiving each other for fun. The ease of communication via technology has made hoaxes and scams even more prevalent, evolving from word-of-mouth and chain email to Instagram, WhatsApp, and Facebook. Users […]

Read More…

A Commitment to Getting It Right: Palo Alto Networks’ Expedition Migration Tool

Background: During a recent penetration test for a client, I came across a tool called MigrationTool from Palo Alto Networks. The tool was littered with issues, like the unauthenticated disclosure of passwords, hashes, versions, and more that were uncovered. So, what’s a TEAMARES team member to do? I quickly grabbed my screenshots and informed Palo Alto […]

Read More…

CRITICALSTART‘s TEAMARES Researchers Identify Vulnerability In Paessler’s PRTG

Threat intelligence and penetration testing team finds local privilege escalation issue in network monitoring software Plano, TX – October 3, 2018 – CRITICALSTART, a leading provider of cybersecurity solutions, today announced its TEAMARES threat intelligence and security research team identified a local privilege escalation vulnerability in Paessler’s PRTG Network Monitor software. The team followed standard vulnerability […]

Read More…

PRTG Network Monitor Privilege Escalation

Background: Recently I’ve seen a decent number of privilege escalations occurring on Windows due to permission issues and using symlinks. The work from Ryan Hanson from Atredis on the Cylance privilege escalation and Windows Standard Collector privilege escalation really inspired me to research more into this issue and potentially find some myself. After several weeks […]

Read More…

Cisco Warns of Critical Remotely Exploitable Vulnerabilities

Cisco has issued security alerts for 30 vulnerabilities across a range of its products and services, with three being ranked as critical and remotely exploitable. Some 20 different Cisco products contain a vulnerable version of the Apache Struts 2 framework that is currently under active exploitation by miscreants dropping cryptocurrency miner malware on exposed systems.   READ MORE Featured in iTnews […]

Read More…

Cisco Releases 16 Security Alerts Rated Critical and High

Cisco published on Wednesday 30 security advisories on vulnerabilities identified in its products. Half of them are for high and critical severity bugs. Only three alerts refer to security problems with critical impact; among them is the recently disclosed remote code execution vulnerability in Apache Struts, for which several proof-of-concept exploits exist. Cisco notes that not all of its products that […]

Read More…

High-Severity Flaws in Cisco Secure Internet Gateway Service Patched

Two high-severity vulnerabilities have been disclosed in Cisco’s security platform that could allow an attacker to gain administrative privileges – and take full control of the impacted machine. The glitches, disclosed Wednesday, affect two parts of Cisco Umbrella, a secure internet gateway that acts as a cloud-delivered security service for corporate networks. Specifically, the Cisco […]

Read More…

Cisco Warns Customers of Critical Security Flaws, Advisory Includes Apache Struts

Cisco has issued a security advisory to customers detailing a swathe of critical and highly-rated vulnerabilities which have been resolved. The security advisory documents three critical vulnerabilities, 19 bugs rated “important,” and a number of medium-severity security flaws. One of the most serious bugs is a vulnerability impacting Apache Struts 2, which was publicly disclosed in August together with […]

Read More…

CRITICALSTART’s TEAMARES Researchers Identify Vulnerabilities in Cisco Umbrella

Threat intelligence and penetration testing team finds local privilege escalation issues in cloud-based secure internet gateway product; Cisco issues security advisory. PLANO, Texas – September 5, 2018 – CRITICALSTART, a leading provider of cybersecurity solutions, today announced its TEAMARES threat intelligence and security research team identified local privilege escalation vulnerabilities in Cisco Umbrella. The team […]

Read More…

Cisco Patches Serious Flaws in RV, SD-WAN, Umbrella Products

Cisco informed customers on Wednesday that patches are available for over a dozen critical and high severity vulnerabilities affecting the company’s RV series, SD-WAN, Umbrella, and other products. Patches are also available for serious privilege escalation and information disclosure bugs in WebEx, a DoS flaw in Prime Access Registrar, a privilege escalation in Data Center […]

Read More…

Unauthenticated Command Injection Vulnerability in VMware NSX SD-WAN by VeloCloud

Exploits for network devices including routers, switches, and firewalls have been around for as long as networking has been a thing. It seems like every week a researcher discloses a new vulnerability or publishes proof of concept (PoC) code online for these types of devices, and that is exactly what is happening in this article. […]

Read More…

Fall of Sudo – A Pwnage Collection

Introduction Finding Linux servers heavily reliant on Sudo rules for daily management tasks is a common occurrence. While not necessarily bad, Sudo rules can quickly become security’s worst nightmare. Before discussing the security implications, let’s first discuss what Sudo is.   Defining Sudo What is Sudo? Sudo, which stands for “superuser do!,” is a program […]

Read More…

Finding Enterprise Credentials in Data Breaches

In the age of the breach, it’s a safe assumption that almost every public account’s credentials have been exposed at some point. “Have I Been Pwned” (HIBP), is a database that contains usernames and other information about any compromise they come across.  While available for individuals to search against, certain protections have been put in […]

Read More…