A security vulnerability has been disclosed in Kyocera’s Device Manager product that could be exploited by attackers to coerce affected systems into authenticating to resources they control.
“If the ‘Restrict NTLM: Outgoing NTLM traffic to remote servers’ security policy is not enabled, this vulnerability allows an attacker to force an attempt to authenticate to their own resources, such as a malicious SMB share, capturing or relaying Active Directory hashed credentials,” Trustwave said.
Tracked as CVE-2023-50916, the flaw was described by Kyocera in an advisory late last month as a path traversal issue that allows an attacker to intercept a local path pointing to the repository backup location and change it to a Universal Naming Convention (UNC) path.
This in turn can cause the web application to attempt to authenticate against the malicious UNC path, which could lead to unauthorized access to customer accounts and theft of data. Additionally, depending on the configuration of the environment, it can be used to launch NTLM relay attacks.
Kyocera Device Manager version 3.1.1213.0 resolves this defect.
QNAP releases fixes for multiple defects
At the same time, QNAP released fixes for multiple flaws, including high-severity vulnerabilities affecting QTS and QuTS Hero, QuMagie, Netatalk, and Video Station.
These include CVE-2023-39296, a prototype pollution vulnerability that could allow a remote attacker to “overwrite existing properties with properties of an incompatible type, which may cause the system to crash.”
This defect has been resolved in QTS 5.1.3.2578 build 20231110 and QuTS Hero h5.1.3.2578 build 20231110.
A brief description of other notable flaws is as follows:
- CVE-2023-47559 – Cross-site scripting (XSS) vulnerability in QuMagie could allow authenticated users to inject malicious code over the network (resolved in QuMagie 2.2.1 and later)
- CVE-2023-47560 – Operating system command injection vulnerability in QuMagie could allow authenticated users to execute commands over the network (resolved in QuMagie 2.2.1 and later)
- CVE-2023-41287 – A SQL injection vulnerability exists in Video Station, which may allow users to inject malicious code through the network (resolved in Video Station 5.7.2 and later versions)
- CVE-2023-41288 – An operating system command injection vulnerability exists in Video Station, which may allow users to execute commands over the network (resolved in Video Station 5.7.2 and later versions)
- CVE-2022-43634 – An unauthenticated remote code execution vulnerability exists in Netatalk, which may allow an attacker to execute arbitrary code (resolved in QTS 5.1.3.2578 build 20231110 and QuTS Hero h5.1.3.2578 build 20231110)
While there is no evidence that these flaws have been widely exploited, users are advised to update their installations to the latest versions to mitigate potential risks.