UniFi – UAP Antenna Radiation Patterns

Use this article to compare the different antenna radiation patterns of our UniFi Access Points. For an explanation on how to read antenna radiation patterns see UniFi – Introduction to Antenna Radiation Patterns.

About Radiation Patterns

Radiation patterns can be used to better understand how each Ubiquiti UniFi access point model broadcasts wireless signal. These patterns are what antenna engineers call reciprocal—in that the transmit-power (the capability of the AP to ‘speak’) will be highest at the peaks, and so will the receive-sensitivity (the capability of the AP to ‘hear’).

Please note that these radiation patterns are gathered in a fully anechoic environment. Their shape, peak gain/directivity and efficiency will change in installed environments. Every deployment will behave differently due to interference, materials, geometries of structures, and how these materials behave at 2.4GHz and 5GHz.

With that in mind, use these radiation plots as a “general guide” to identify where most of the energy (and receive sensitivity) of the UniFi APs is being directed; but keep in mind that the only reliable way to know how successful the coverage design is—is to measure it. Measure signal strength and coverage before (with mock positioning), during (as you install), and after to guarantee that you have the coverage you want—and don’t have the coverage you don’t want (for example with self-interference: APs hearing each other or other AP stations on the same channel).

Radiation Plot Format

Radius represents ‘elevation’, with 0° representing antenna gain straight under the AP, and 90° representing antenna gain at horizon. The degrees on the circumference represent ‘Azimuth’. That is to say, left/right/front/back of the AP, when mounted overhead.

Comparison Table

Use this table to compare the radiation patterns of each UAP. The first column shows where the colored dots found in each radiation plot are placed on the actual device. Note that the colored dots in the plots might be on the outer perimeter or closer to the center.

Note: Varying scales are represented in the graphs below. Consider each graph individually and take note of scale when comparing products.

[The radiation plots in this table are images and are not reproduced here; the frequency each plot was measured at is listed instead.]

Model (directional color dots on device) | 5GHz Low Frequency | 5GHz Mid Frequency | 5GHz High Frequency | 2.4GHz Frequency
U6-Lite | 5.15GHz plot | 5.50GHz plot | 5.85GHz plot | 2.45GHz plot
U6-Pro | 5.15GHz plot | 5.50GHz plot | 5.85GHz plot | 2.45GHz plot
U6-LR | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
U6-Mesh | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UDM | 5.15GHz plot | 5.50GHz plot | 5.85GHz plot | 2.45GHz plot
UWB-XG (High Gain) | 5.2GHz plot | 5.5GHz plot | 5.8GHz plot | The UWB-XG models do not operate on the 2.4GHz band.
UAP-FlexHD | 5.15GHz plot | 5.50GHz plot | 5.85GHz plot | 2.45GHz plot
UAP-IW-HD | 5.15GHz plot | 5.50GHz plot | 5.85GHz plot | 2.45GHz plot
UAP-BeaconHD | 5.15GHz plot | 5.5GHz plot | 5.85GHz plot | 2.45GHz plot
UAP-nanoHD | 5.15GHz plot | 5.50GHz plot | 5.85GHz plot | 2.45GHz plot
UAP-HD | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-XG | 5.2GHz plot | 5.5GHz plot | 5.8GHz plot | 2.45GHz plot
UAP-SHD | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-LR | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-M-PRO | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-M | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-IW | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-Lite | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-PRO | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UAP-AC-IW-PRO | 5.20GHz plot | 5.50GHz plot | 5.80GHz plot | 2.45GHz plot
UMA-D | 5.2GHz plot | 5.5GHz plot | 5.8GHz plot | 2.45GHz plot

Model Summary Plots

This section includes a graphic summary for each UniFi Access Point shown in the table above, portraying radiation plots for Azimuth, Elevation 0°, Elevation 90° and Mapped 3D.

[The summary plots are images and are not reproduced here; the models covered are listed.]

U6 Lite (summary plot)
U6 LR (summary plot)
U6 Pro (summary plot)
U6 Mesh (summary plot)
UWB-XG: High Gain (summary plot), Low Gain (summary plot)
UDM (summary plot)
UAP-IW-HD (summary plot)
UAP-FlexHD
UAP-BeaconHD
UAP-nanoHD (summary plot)
UAP-HD (summary plot)
UAP-SHD (summary plot)
UAP-AC-Lite (summary plot)
UAP-AC-LR (summary plot)
UAP-AC-PRO (summary plot, 5GHz)
UAP-AC-IW (summary plot, 5GHz)
UAP-AC-IW-PRO (summary plot, 5GHz)
UAP-AC-M (summary plot)

Note: The antennas for the UAP-AC-M were angled at 45° to generate the plots as shown in the images above.

UAP-AC-M-PRO (summary plot, 5GHz)
UMA-D (summary plot)
UAP-XG
Antenna Files (.ant)

Please note the data in the .ant files below was extracted from full model simulations. Clicking on the links in the following table will prompt the immediate download of the .ant file.

UniFi Access Point Model | Downloadable Antenna File (.ant)
UAP-AC-IW-Pro | UAP-AC-IW-Pro.zip
UAP-AC-IW | UAP-AC-IW.zip
UAP-AC-Lite | UAP-AC-Lite.zip
UAP-AC-LR | UAP-AC-LR.zip
UAP-AC-Pro | UAP-AC-Pro.zip
UAP-AC-Mesh | UAP-AC-Mesh.zip
UAP-AC-Mesh-Pro | UAP-AC-Mesh-Pro.zip
UAP-HD | UAP-HD.zip
UAP-SHD | UAP-SHD.zip
UAP-nanoHD | UAP-nanoHD.zip
UAP-IW-HD | UAP-IW-HD.zip
UAP-XG | UAP-XG.zip
UWB-XG | UWB-XG.zip
UMA-D | UMA-D.zip
UDM | UDM.zip
UAP-BeaconHD | UAP-BeaconHD.zip
UAP-FlexHD | UAP-FlexHD.zip

Source :

UniFi – USW: Configuring Access Policies (802.1X) for Wired Clients

This article describes how to configure access policies (802.1X) on UniFi switches for wired clients. It includes instructions for using the RADIUS server built into the UniFi Security Gateway, as well as UniFi Network configuration examples for pointing to your own authentication server. Every UniFi switch model is capable of 802.1X authentication, and the configuration does not change from model to model.

Note: Please complete the prerequisite configuration found in the UniFi – USG: Configuring RADIUS Server article before following this guide’s instructions.

How to Enable the 802.1X Service on a Switch

This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the “Devices” section of the UniFi Network application.

ATTENTION: Enabling access control is done on a per-switch basis. If this is not enabled, the switch will not be able to act as an authenticator and pass RADIUS messages to the RADIUS server.

Differentiating 802.1X Port Modes

  • Auto: The port is unauthorized until a successful authentication exchange has taken place.
  • Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client.
  • Force Authorized: The port sends and receives normal traffic without client port-based authentication.
  • MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses.

Working with Port Profiles

Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port.

  1. Navigate to Settings > Profiles > Switch Ports.
  2. Create a new profile with the desired 802.1X control.

NOTE: When using dynamic VLAN assignment on RADIUS, the port profile must include each VLAN desired for use.

Source :
https://help.ui.com/hc/en-us/articles/115004589707-UniFi-USW-Configuring-Access-Policies-802-1X-for-Wired-Clients

Which UniFi Switch is Right for Me?

Ubiquiti UniFi switches help you power, connect, and process traffic across all of your devices. Since each deployment’s size and layout are unique, we offer several distinct switch categories meticulously designed to optimize any network in any environment. We’d like to explore these categories further to help you identify the model(s) that will deliver the most value for you.

Flex and Lite switches are designed to be more stylish than traditional switches so you can easily place them anywhere without disrupting your décor. These switches offer a wide range of bandwidth, uplink speed, and Power-over-Ethernet (PoE) capability. Plus, they look great mounted to a wall or sitting on your desk! 

Our marquee UniFi Switch models bring more uplink and power versatility to high-speed, device-dense networks. The UniFi Switch Pro line is even more powerful with enhanced fiber connectivity, routing, and PoE options.

UniFi Switch Enterprise models, coming later this year, are ideal solutions for demanding deployments. These switches are designed to direct a staggering amount of data and fully harness the power of UniFi 6 products.

To help you protect your enterprise deployment, we’ve created the UniFi Switch Mission Critical, which will also be available later this year. The Mission Critical is a PoE switch with an uninterruptible power supply that will keep your pivotal devices (and UniFi Access products) running through outages and internal failures with its powerful internal battery and external backup battery connectors.

Detailed network insights anywhere, anytime

We know keeping track of ports and devices can be a headache, so we’ve engineered all of our switches to allow individual port naming, locking, and configuration—all from your UniFi Network application. Using UniFi Network, you’ll get real-time insights that will help you optimize your deployment.

Key network details are also visible on the sleek touchscreens built into our UniFi PoE Switch, Switch Pro, and Switch Enterprise models. You can even use your phone to view an augmented reality overlay that labels each port with its connected device!

See our switches in action

Your deployment is only as powerful as the switches powering it, so choosing the right UniFi Switch is critical for enhancing your network’s performance. To learn more, check out our new video above or the comparison table below for a deeper feature breakdown. Also, be sure to like and subscribe when you catch us on YouTube and check our blog regularly for brand-new UniFi content!

Choose the right switch for you


Source :
https://blog.ui.com/2021/03/30/which-unifi-switch-is-right-for-me/

New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable

Browser-in-the Browser

A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.

According to a penetration tester and security researcher who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.

Browser-in-the Browser

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x said in a technical write-up published last week. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”

Interestingly, the technique has been abused in the wild at least once before. In February 2020, Zscaler disclosed details of a campaign that leveraged the BitB trick to siphon credentials for video game digital distribution service Steam by means of fake Counter-Strike: Global Offensive (CS: GO) websites.

“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others,” Zscaler researcher Prakhar Shrotriya said at the time.

“In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.”

While this method makes it significantly easier to mount effective social engineering campaigns, it’s worth noting that potential victims still need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x added.

Source :
https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html

Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.

According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the newly-disrupted Glupteba botnet, as well as the infamous TrickBot malware, were all distributed using the same command-and-control (C2) server.

“The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,” Avast’s senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what’s now called the Mēris botnet.

The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.

“The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix for, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,” Hron said.

In an attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain, “globalmoby[.]xyz.”

Interestingly enough, both domains were linked to the same IP address, 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.

“When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy),” Hron said. “This is a control panel for the orchestration of enslaved MikroTik routers,” with the page displaying a live counter of devices connected into the botnet.

But after details of the Mēris botnet entered the public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.

The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.

In light of these attacks, it’s recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router’s administration interface from the public side.

“It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,” Hron said. “This is done to either anonymize the attacker’s traces or to serve as a DDoS amplification tool.”

Update: Latvian company MikroTik told The Hacker News that the number “was only true before we released the patch in [the] year 2018. After patch was released, the actual affected number of devices is closer to 20,000 units that still run the older software. Also, not all of them are actually controlled by the botnet, many of them have a strict firewall in place, even though running older software.”

When reached for comment, Avast confirmed that the number of affected devices (~230,000) reflected the status of the botnet prior to its disruption. “However, there are still isolated routers with compromised credentials or staying unpatched on the internet,” the company said in a statement.

(The headline of the article has been corrected to take into account the fact that the number of affected MikroTik routers is no longer more than 200,000 as previously stated.)

Source :
https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems

Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software’s InsydeH2O and HP Unified Extensible Firmware Interface (UEFI).

Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system.

“The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement,” firmware security company Binarly, which discovered the latter three flaws, said in a write-up.

“The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime.”

All the flaws relate to improper input validation vulnerabilities affecting the System Management Mode (SMM) of the firmware, effectively allowing a local authenticated attacker to leverage the system management interrupt (SMI) to achieve arbitrary code execution.

System Management Mode refers to a special-purpose CPU mode in x86 microcontrollers that’s designed for handling system-wide functions like power management, system hardware control, thermal monitoring, and other proprietary manufacturer-developed code.

Whenever one of these operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. Given that SMM code executes at the highest privilege level and is invisible to the underlying operating system, the method makes it ripe for abuse to deploy persistent firmware implants.

A number of Dell products, including Alienware, Inspiron, Vostro line-ups, and Edge Gateway 3000 Series, are impacted, with the Texas-headquartered PC manufacturer recommending customers to upgrade their BIOS at the “earliest opportunity.”

“The ongoing discovery of these vulnerabilities demonstrates what we describe as ‘repeatable failures’ around the lack of input sanitation or, in general, insecure coding practices,” Binarly researchers said.

“These failures are a direct consequence of the complexity of the codebase or support for legacy components that get less security attention, but are still widely deployed in the field. In many cases, the same vulnerability can be fixed over multiple iterations, and still, the complexity of the attack surface leaves open gaps for malicious exploitation.”

Source :
https://thehackernews.com/2022/03/new-dell-bios-bugs-affect-millions-of.html

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Problem

It’s time to start planning! Microsoft will stop their browsers displaying the ‘lock’ icon for services that are secured with a certificate that uses SHA1. This is going to happen in February 2017 so now’s the time to start thinking about testing your PKI environment, and making sure all your applications support SHA2.

Note: This includes code that has been signed using SHA1 as well!

Solution

Below I’m just using an ‘offline root CA’ server. If you have a multi-tiered PKI deployment, start at the root CA, fix that, then reissue your Sub CA certificates to your intermediate servers, fix them, then repeat the process for any issuing CA servers. Obviously if you only have a two-tier PKI environment you will only need to do the root and Sub CA servers.

For your SubCA’s see PART TWO of this article.

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

What about certificates that have already been issued? 

We are NOT going to revoke any CA certificates that have already been issued so existing certificates will remain unaffected.

Here we can see my CA server is using SHA1

Note: If your server says the provider is Microsoft Strong Cryptographic Provider and not Microsoft Software Key Storage Provider then skip down a bit.

Offline Root CA Vanilla

You may have multiple Certificates (that is not unusual).

Open a PowerShell Window (run as administrator), issue the following command;

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Change to Sha256

Restart Certificate Services.

net stop certsvc
net start certsvc
Restart Certificate Services

Now you need to generate a new CA certificate.

Renew CA Certificate

Now you can see your new cert is using SHA256.

Change CA to Sha256

Mine Won’t Change From SHA1?

That’s because your cryptographic provider does not support anything higher than SHA1. For example: the command to change to SHA256 was successful, but the new certificate still says SHA1. If you look, the Provider is set to ‘Microsoft Strong Cryptographic Provider’.

CA cannot upgrade from SHA1 to SHA2

As you can see, the strongest hash algorithm that provider supports is SHA1, which is why it refuses to change.

Microsoft Strong Cryptographic Provider

How Do I Change the CA Cryptographic Provider?

Make a backup of the CA Settings and the CA registry Settings.

Backup CA Server 2012 R2
Backup-CARoleService -Path C:\CA-Backup -Password (Read-Host -Prompt "Enter Password" -AsSecureString)
TYPE IN A PASSWORD
reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\Reg-Backup\CAregistry.reg 

Note: You might want to create the Reg-Backup folder first and grant some rights to it.

Now we need to delete the certificates this CA uses (don’t panic we’ve backed them up!) But first we need to find the certificate’s hashes to delete. Open an administrative command prompt, stop certificate services, and then issue the following command;

Note:  ROOT-CA is the name of YOUR CA.

Stop-service certsvc

certutil -store my ROOT-CA > output.txt

Open output.txt then take a note of the hashes for the certificate(s)

Output CA Cert Hash
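As an added example (not part of the article), the Python script below parses the output of `certutil -store my ROOT-CA`, pulls out each CA certificate's SHA1 hash and key provider, reports which ones sit on the SHA1-only Microsoft Strong Cryptographic Provider, and lists the hashes you would note down for the deletion step. The sample output embedded in it is constructed to approximate certutil's layout; the hashes, serial numbers and CA name are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample approximating the layout of `certutil -store my ROOT-CA`
# on a Windows Server CA (not captured from a real system; values are made up).
SAMPLE_STORE_OUTPUT = """my "Personal"
================ Certificate 0 ================
Serial Number: 5a0f2c1e8b7d4a3c
Issuer: CN=ROOT-CA
 NotBefore: 01/01/2014 09:00
 NotAfter: 01/01/2024 09:00
Subject: CN=ROOT-CA
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 1f a3 07 5c 9e 22 b4 d1 68 0c 7a 3e 55 90 ab 12 cd 34 ef 56
  Key Container = ROOT-CA
  Provider = Microsoft Strong Cryptographic Provider
Signature test passed
================ Certificate 1 ================
Serial Number: 5a0f2c1e8b7d4a3d
Issuer: CN=ROOT-CA
 NotBefore: 01/01/2017 09:00
 NotAfter: 01/01/2027 09:00
Subject: CN=ROOT-CA
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c
  Key Container = ROOT-CA
  Provider = Microsoft Software Key Storage Provider
Signature test passed
CertUtil: -store command completed successfully.
"""

# Per the article: the legacy CAPI provider tops out at SHA1; a CNG key
# storage provider is what you migrate to.
SHA1_ONLY_PROVIDERS = {"Microsoft Strong Cryptographic Provider"}
CNG_SUFFIX = "Key Storage Provider"


@dataclass
class StoredCert:
    subject: str
    sha1: str       # thumbprint, lowercase hex without spaces
    provider: str


def parse_store_output(text: str) -> list[StoredCert]:
    """Split certutil -store output into per-certificate records."""
    certs = []
    for block in re.split(r"=+ Certificate \d+ =+", text)[1:]:
        subject = re.search(r"^Subject:\s*(.+?)\s*$", block, re.M)
        thumb = re.search(r"^Cert Hash\(sha1\):\s*([0-9a-fA-F ]+?)\s*$", block, re.M)
        prov = re.search(r"^\s*Provider\s*=\s*(.+?)\s*$", block, re.M)
        if not (subject and thumb):
            continue  # not a certificate block we can use
        certs.append(StoredCert(
            subject=subject.group(1),
            sha1=thumb.group(1).replace(" ", "").lower(),
            provider=prov.group(1) if prov else "",
        ))
    return certs


def classify_provider(provider: str) -> str:
    """'sha1-only' for the legacy CSP named in the article, 'cng' for a KSP,
    'unknown' for anything else (verify its capabilities before relying on it)."""
    if provider in SHA1_ONLY_PROVIDERS:
        return "sha1-only"
    if provider.endswith(CNG_SUFFIX):
        return "cng"
    return "unknown"


def migration_plan(certs: list[StoredCert]) -> tuple[bool, list[str]]:
    """Return (provider migration needed, thumbprints to delete).

    The article deletes every certificate the CA holds (after backing them up)
    when the provider has to change, so all thumbprints are listed in that case."""
    needs_change = any(classify_provider(c.provider) == "sha1-only" for c in certs)
    return needs_change, ([c.sha1 for c in certs] if needs_change else [])


def deletion_commands(thumbprints: list[str]) -> list[str]:
    """The per-certificate lines for the article's 'cd cert:\\localmachine\\my'
    step; they are only printed here, never executed."""
    return [f"Del -deletekey {t}" for t in thumbprints]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STORE_OUTPUT
    found = parse_store_output(text)
    for c in found:
        print(f"{c.subject}: {c.sha1} on '{c.provider}' -> {classify_provider(c.provider)}")
    needs, thumbs = migration_plan(found)
    print("provider migration needed:", needs)
    for line in deletion_commands(thumbs):
        print("  ", line)
```

Run it against your own saved output.txt as the first argument; with no argument it runs over the constructed sample.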

Then Open an Administrative PowerShell window and delete them;

Delete Private Key
cd cert:\localmachine\my
Del -deletekey <Certificate HASH>

Now we need to import the p12 file we backed up earlier, then export that as a PFX file. Change ROOT-CA to the name of YOUR CA, and the path to your backup folder and certificate as appropriate.

certutil -csp "Microsoft Software Key Storage Provider" -importpfx C:\CA-Backup\ROOT-CA.p12
certutil -exportpfx my ROOT-CA C:\CA-Backup\Exported-ROOT-CA.pfx
ENTER AND CONFIRM A PASSWORD
import cert and export as pfx

Then restore the key from your PFX file.

certutil -restorekey C:\CA-Backup\Exported-ROOT-CA.pfx
Restore CA Cert

Now you need to import a couple of registry files; in the examples below, replace ROOT-CA with the name of your CA.

Change CA SHA Settings

Save the file as CA-Registry-Merge.reg (set the save as file type to All Files)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOT-CA\CSP] 
"ProviderType"=dword:00000000 
"Provider"="Microsoft Software Key Storage Provider" 
"CNGPublicKeyAlgorithm"="RSA" 
"CNGHashAlgorithm"="SHA1" 

Merge the file into the registry.

013 - Merge Into Registry

Repeat the process with the following registry file; save this one as CA-Registry-Merge2.reg

Change CA RSA Settings
Merge Into Registry RSA
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOT-CA\EncryptionCSP] 
"ProviderType"=dword:00000000 
"Provider"="Microsoft Software Key Storage Provider" 
"CNGPublicKeyAlgorithm"="RSA" 
"CNGEncryptionAlgorithm"="3DES" 
"MachineKeyset"=dword:00000001 
"SymmetricKeySize"=dword:000000a8 

Now change the hashing algorithm to SHA256, open an administrative command prompt and issue the following two commands;

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net start certsvc

Renew the CA Cert.

Create New CA Cert

You can now see the new cert is using SHA256.

SHA 256 Certificate for CA

Source :
https://www.petenetlive.com/KB/Article/0001243

Increase In Malware Sightings on GoDaddy Managed Hosting

Today, March 15, 2022, The Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

We started seeing an overall increase in infected sites starting on March 11th:

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:

The decoded version of the backdoor looks like this:

And continued…

Mechanism of Operation

If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-ka[.]ru – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain. For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.

While the C2 domain does have a Russian TLD, we have no indication this attack campaign is politically motivated or related to the Russian invasion of Ukraine. The domain serves up a blank web page, but in 2019 was serving what appears to be adult content, possibly with an affiliate marketing angle.

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

A snippet of the encoded spam link-template looks like this:

We have not yet determined the Intrusion Vector for this campaign, but last year, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers.

If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.
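The following Python script is an added example, not Wordfence's scanner or any code from the advisory. It applies the two checks the post describes: whether anything has been prepended to wp-config.php ahead of the stock header comment (flagging decode/eval calls in that block), and whether a file named after the MD5 hash of the site's domain exists under the web root. Both wp-config.php samples embedded in it are constructed; the encoded string in the suspect one is an inert placeholder, not the campaign's payload.

```python
import hashlib
import re
from pathlib import Path
from typing import Optional

# Calls that have no business sitting in front of the wp-config.php header.
RISKY_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# The doc comment every stock wp-config.php opens with.
HEADER = re.compile(r"/\*\*\s*\n\s*\*\s*The base configuration for WordPress")
OPEN_TAG = re.compile(r"^\s*<\?php\s*")

# Constructed clean header (not taken from any real site).
CLEAN_WP_CONFIG = """<?php
/**
 * The base configuration for WordPress
 */
define( 'DB_NAME', 'wordpress' );
"""

# Constructed sample of the shape the advisory describes: a loader stub
# prepended before the normal header. The encoded string decodes to the word
# 'stub'; it is a placeholder, not the campaign's payload.
SUSPECT_WP_CONFIG = """<?php
if ( isset( $_COOKIE['x'] ) ) { @eval( base64_decode( 'c3R1Yg==' ) ); }
?><?php
/**
 * The base configuration for WordPress
 */
define( 'DB_NAME', 'wordpress' );
"""


def prepended_block(content: str) -> Optional[str]:
    """Text between the opening <?php tag and the stock header comment.
    Returns None when the header comment is absent (customised file)."""
    m = HEADER.search(content)
    if m is None:
        return None
    return OPEN_TAG.sub("", content[:m.start()], count=1).strip()


def inspect_wp_config(content: str) -> dict:
    """Report on anything inserted ahead of the wp-config.php header."""
    findings = []
    pre = prepended_block(content)
    if pre is None:
        # No recognisable header: fall back to looking at the first 2 KB.
        if RISKY_CALLS.search(content[:2048]):
            findings.append("decode/eval call near the top of a file without the stock header")
    else:
        if pre:
            findings.append("code inserted before the wp-config.php header comment")
        if RISKY_CALLS.search(pre):
            findings.append("decode/eval call inside the prepended block")
    return {"prepended": pre or "", "findings": findings, "suspicious": bool(findings)}


def spam_cache_name(domain: str) -> str:
    """Name of the encoded spam-template file: the MD5 hash of the site's
    domain, as the advisory describes."""
    return hashlib.md5(domain.encode("utf-8")).hexdigest()


def find_spam_cache(site_root: Path, domain: str) -> list:
    """Look for the MD5-named file anywhere under the site root."""
    name = spam_cache_name(domain)
    return [p for p in site_root.rglob(name) if p.is_file()]


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    domain = sys.argv[2] if len(sys.argv) > 2 else "examplesite.com"
    if root:
        report = inspect_wp_config((root / "wp-config.php").read_text(errors="replace"))
        hits = find_spam_cache(root, domain)
    else:  # no site given: run over the constructed sample
        report, hits = inspect_wp_config(SUSPECT_WP_CONFIG), []
    print("wp-config.php suspicious:", report["suspicious"])
    for f in report["findings"]:
        print("  -", f)
    print(f"spam cache file name for {domain}: {spam_cache_name(domain)}")
    for p in hits:
        print("  found:", p)
```

Invoke it as `python script.py /path/to/site example.com`; a hit on either check means the file needs manual review, while a clean result only rules out this particular pattern.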

If your site is infected you will need to have it cleaned and may also need to remove spam search engine results. We offer instructional resources on how to clean your own hacked WordPress website. If you’d like our Incident Response team to clean your site for you, you can sign up for Wordfence Care and we will take care of it for you.

If you know anyone using GoDaddy’s Managed WordPress hosting, we urge you to forward this advisory to them because malicious search engine results can take a long time to recover from, and acting fast can help minimize the damage.

We made contact with GoDaddy security and have offered to share additional information with them. They did not provide a comment in time for publication.

All product and company names mentioned in this post are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Source :
https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/

WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities

Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues.

The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated.

The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.

Vulnerability Analysis

As with all WordPress core releases containing security fixes, the Wordfence Threat Intelligence team has analyzed the update in detail to ensure our customers remain secure.

We have released two new firewall rules to protect against the vulnerabilities patched in WordPress 5.9.2. These rules have been deployed to Wordfence Premium, Wordfence Care, and Wordfence Response users. Wordfence free users will receive these rules after 30 days, on April 10, 2022.

Even if you are protected by the Wordfence firewall, we encourage you to update WordPress core on all your sites at your earliest convenience, if they have not already been automatically updated.

Contributor+ Stored Cross Site Scripting Vulnerability

Description: Contributor+ Stored XSS
Affected Versions: WordPress Core 5.9.0-5.9.1
CVE ID: Pending
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 5.9.2
Researcher/s: Ben Bidner

WordPress uses a function called wp_kses to remove malicious scripts from posts, which is called in wp_filter_post_kses whenever post content is saved.

Recent versions of WordPress allow some degree of full site editing, including global styles, which use their own sanitization function wp_filter_global_styles_post.

Unfortunately, however, the wp_filter_global_styles_post function ran after wp_filter_post_kses. Normally this would not be an issue, but wp_filter_global_styles_post performs a second round of JSON decoding on the content it has been passed, which allows for a number of bypasses that would normally be handled by wp_kses.

The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.

This vulnerability does require the attacker to have the ability to edit posts, and as such they would need access to the account of at least a Contributor-level user. An attacker able to successfully exploit this vulnerability could inject malicious JavaScript into a post, which, when previewed by an administrator, would execute. JavaScript running in an administrator’s session can be used to take over a site via several methods including the addition of new malicious administrative users and the injection of backdoors into a website.
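An added, simplified model of the ordering issue described above (example code, not WordPress's own wp_kses or wp_filter_global_styles_post): a tag-stripping stand-in sanitizer and a JSON-decoding step are run in both orders over a constructed sample, showing why the decode has to happen before the sanitizer looks at the text.

```javascript
// Added, simplified model of the sanitizer ordering bug described above.
// It is not WordPress code: stripTags() stands in for wp_kses and
// decodeGlobalStyles() for the JSON decoding in wp_filter_global_styles_post.

// Toy stand-in for wp_kses: removes anything shaped like an HTML tag.
function stripTags(str) {
  return str.replace(/<[^>]*>/g, "");
}

// Toy stand-in for the decoding step: the stored content is a JSON string,
// so decode it to get the value that actually reaches the page.
function decodeGlobalStyles(json) {
  try {
    return JSON.parse(json);
  } catch (e) {
    return ""; // malformed JSON is dropped in this model
  }
}

// Pre-5.9.2 order: sanitize the raw JSON text, then decode it.
// The sanitizer only sees escape sequences, not the characters they encode.
function filterVulnerableOrder(content) {
  return decodeGlobalStyles(stripTags(content));
}

// 5.9.2 order: decode first, so the sanitizer sees the final form of the text.
function filterPatchedOrder(content) {
  return stripTags(decodeGlobalStyles(content));
}

// Constructed samples. SAMPLE_PLAIN carries a literal tag; SAMPLE_ESCAPED
// carries the same tag written with JSON \u escapes, so no "<" exists until
// the JSON is decoded.
const SAMPLE_PLAIN = '"<b>bold</b>"';
const SAMPLE_ESCAPED = '"\\u003cb\\u003ebold\\u003c/b\\u003e"';

// Regression check a reviewer could keep: the output must never contain a tag.
function containsTag(str) {
  return /<[a-z/]/i.test(str);
}

console.log("plain, old order:   ", filterVulnerableOrder(SAMPLE_PLAIN));   // bold
console.log("escaped, old order: ", filterVulnerableOrder(SAMPLE_ESCAPED)); // <b>bold</b>
console.log("escaped, new order: ", filterPatchedOrder(SAMPLE_ESCAPED));   // bold
```

The plain sample is handled either way, which is the "normally this would not be an issue" case; only the escaped sample separates the two orders.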

Prototype Pollution Vulnerabilities

Description: Prototype Pollution via the Gutenberg wordpress/url package
Affected Versions: WordPress Core < 5.9.2
CVE ID: Pending
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Description: Prototype Pollution in jQuery
Affected Versions: WordPress Core < 5.9.2
CVE ID: CVE-2021-20083
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Prototype pollution vulnerabilities allow attackers to inject key/value “properties” into JavaScript objects and are in many ways similar to PHP Object Injection vulnerabilities. In cases where the webserver is running JavaScript such as with Node.js, this can be used to achieve critical-severity exploits such as Remote Code Execution. WordPress, however, is a PHP application and does not run on Node.js, so the impact of these vulnerabilities is limited.

One of these vulnerabilities was present in the Gutenberg wordpress/url package, while a separate but very similar vulnerability was present in jQuery, which was patched separately and updated to jQuery 2.2.3.

We are not aware of any practical exploits at this time, but any such exploits targeting WordPress would require user interaction, such as an attacker tricking a victim into clicking a link, similar to reflected Cross-Site Scripting (XSS).

An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed. Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule designed to block exploit attempts against these vulnerabilities.
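As an added example (not the wordpress/url or jQuery code), a toy bracket-key query-string parser of the kind such packages implement, first in a form where a crafted key reaches Object.prototype and then hardened, with a check that detects the leak; every function name here is constructed for this illustration.

```javascript
// Added illustration, not the wordpress/url or jQuery code: a toy query-string
// parser expanding bracket keys such as "page[id]=7", vulnerable then hardened.

// Split "a[b][c]" into ["a", "b", "c"]. Constructed helper.
function keyPath(key) {
  return key.replace(/\]/g, "").split("[");
}

// Walk path inside root, creating containers with makeNode(), then set the leaf.
function assignPath(root, path, value, makeNode) {
  let node = root;
  for (let i = 0; i < path.length - 1; i++) {
    const next = node[path[i]];
    if (typeof next !== "object" || next === null) node[path[i]] = makeNode();
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
}

// Vulnerable: plain objects inherit from Object.prototype, so the path
// ["__proto__", "x"] resolves to Object.prototype and writes onto it.
function parseQueryUnsafe(query) {
  const out = {};
  for (const pair of query.split("&")) {
    const [k, v = ""] = pair.split("=");
    assignPath(out, keyPath(decodeURIComponent(k)), decodeURIComponent(v), () => ({}));
  }
  return out;
}

// Hardened: containers have no prototype chain to reach, and any pair whose
// path names a prototype-related key is dropped outright.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function parseQuerySafe(query) {
  const out = Object.create(null);
  for (const pair of query.split("&")) {
    const [k, v = ""] = pair.split("=");
    const path = keyPath(decodeURIComponent(k));
    if (path.some((p) => UNSAFE_KEYS.has(p))) continue;
    assignPath(out, path, decodeURIComponent(v), () => Object.create(null));
  }
  return out;
}

// Check: does parsing a constructed query leak a property onto every plain
// object? The leaked property is removed again so the check leaves no residue.
function pollutionEscapes(parser) {
  parser("__proto__[polluted]=yes&page[id]=7");
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}
```

The same check, run against a real parser in a unit test, is the cheapest way to catch a regression of this class before it ships.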

Conclusion

In today’s article, we covered the three vulnerabilities patched in the WordPress 5.9.2 security release. Most actively used WordPress sites should have already been patched via automatic updates. The Wordfence firewall also provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.

Help secure the WordPress community by sharing this information with WordPress site owners in your circle.

Source :
https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities/

Ransomware is Everywhere

Of all the products and services you use each day, how many have been impacted by ransomware? SonicWall takes an in-depth look.

There’s no question that ransomware is on the rise. In the 2022 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers reported 623.3 million ransomware attacks globally, a 105% year-over-year increase. And many industries saw triple- and even quadruple-digit spikes, such as government (+1,885%), healthcare (+755%) and education (+152%).

If your organization hasn’t yet dealt with an attack like this, however, it’s easy to see ransomware as an unusual and far-off problem. While this may have been true 10 years ago, today ransomware touches every facet of our lives.

To illustrate both the pervasiveness of ransomware, as well as its ability to disrupt the lives of an average person, we’ve constructed an average day that any business traveler might experience:

At 7 a.m., the alarm on your Apple iPhone jolts you awake to start another day. You suds up with some Avon body wash, pull on your Guess slacks and a Boggi Milano blazer, and grab your Kenneth Cole briefcase before heading out the door.

Once inside your Honda Passport, you tune in to your favorite sports podcast, where they’re recapping last night’s San Francisco 49ers game. You become so immersed in the discussion you almost forget to stop for fuel — you grab a Coke while you’re there, just in case you’re waiting a while for your flight.

Once you get to the airport, you check in, then look for a quiet place to get some work done. Fortunately, at this point the lounge is deserted. You dig out your Bose earbuds and stream some Radiohead from your laptop while you wait for boarding.

Your flight is uneventful, and the crowds at Hartsfield-Jackson International are almost as sparse as the ones at Cleveland Hopkins International. But unfortunately, you’re completely famished by this point. There’s a McDonalds on Concourse A, and you order a cheeseburger.

The evening is young and you consider going out, but it’s been a long day. On your way to check in at the Ritz Carlton, you decide to stop at a Barnes and Noble. You grab a graphic novel and treat yourself to a box of SweeTarts to enjoy during your quiet night in.

According to the cable listings, there’s an NBA game on TV, but it doesn’t start until 9 p.m. — giving you a few minutes to log in to Kronos and get a head start on expense reports. With a full day of meetings ahead of you, you enjoy a hot shower, pull on your pajamas and slippers, and head off to bed.

While the number of organizations affected by ransomware grows every day, yours doesn’t have to be one of them. Part of avoiding ransomware is knowing how ransomware groups operate, what industries they target and where they’re likely to hit next. For a comprehensive look at SonicWall’s exclusive ransomware data for the past year, download the 2022 SonicWall Cyber Threat Report.

Source :
https://blog.sonicwall.com/en-us/2022/03/ransomware-is-everywhere/