Category: Internet

Trend Micro Defends FIFA World Cup from Cyber Threats

By: Jon Clay
January 11, 2024
Read time: 4 min (970 words)

Trend Micro collaborates with INTERPOL to defend FIFA World Cup by preventing attacks & mitigating risks to fight against the rising threat of cybercrime.

The prominent sporting event, FIFA World Cup, concluded in December 2022, and it generated a lot of online engagements from millions of fans around the world. The remarkable penalty-shootout in the finals was hailed the champion of the event and it was a trending topic in social media and headline news. Before and during this event, the online users were rejoicing and betting their favorite teams at the same time cybercriminals were taking advantage of the event to deploy spam and scams. With this, law enforcement, and in particular, INTERPOL, had to step up and tapped its gateway partners to be on the lookout and report to them the cyberthreats surrounding the 2022 FIFA World Cup. Trend Micro helped by proactively monitoring our global threat intelligence that revealed many malicious websites and scams before and during the event. For example, we saw websites disguised as ticketing systems of the 2022 FIFA World Cup and many survey scams. We shared this information to INTERPOL, helping in their goal of preventing attacks and mitigating the risk posed by the fraudsters of this event. Furthermore, through our global threat intelligence, we monitored the detections of malicious websites and files from the country of Qatar as INTERPOL worked closely with them to prevent cybercriminals and malicious actors in disrupting the sporting event.

Let’s look a bit deeper into the different cyber threats we discovered and shared with INTERPOL, besides blocking them for our customers.

Malicious Websites found throughout 2022

figure-1
Figure 1: Trend Micro detections of malicious sites bearing keywords of “FIFA” and “World Cup”
figure-2
Figure 2: Top affected countries of malicious sites related to FIFA World Cup
figure-3
Figure 3: Timeline of FIFA World Cup Cyberthreats

Fake Ticketing System

It is no wonder due to the millions of potential victims that cybercriminals created dubious sites for selling tickets to the 2022 FIFA World Cup and trick users into inputting their personal information and credit card details in phishing attempts. We observed a few sites such as fifa-ticketssales[.]com and prime-ticketssales[.]com, both imitating the FIFA World Cup ticketing page and one showing an unbelievable number of sold tickets and remaining number of seats. We also identified contact details of scammers such as phone numbers and email addresses, some of these phone numbers were linked to other scam sites which is typical for scammers to reuse phone numbers.

figure-4
Figure 4: Fake selling tickets of FIFA World Cup
figure-5
Figure 5: Questionable number of tickets sold and used as lure to users

Fake Live Streaming

Cybercriminals created several fake streaming sites to lure victims to click on it. We identified around 40 unique domains that hosted fake streaming of FIFA World Cup. Example sites are watchvsportstv[.]com/2022-FIFA-WORLD-CUP-FINAL, sportshdlivetv[.]com/FIFA-WORLD-CUP-FINAL and istream2watch[.]stream/video/fifa-world-cup. From our analysis of these fake live streaming pages, the user will be redirected to websites with subscription forms or premium access requests and lure these users to subscribe and pay. Among the top countries detected were Brazil, Philippines, and Malaysia.

Survey Scams

Survey scams are relentless and scammers have been using them for a long time now. One we reported for example was https://www.theregister.com/2012/03/23/pinterest_attracts_scammers/. While the FIFA World Cup 2022 was ongoing, especially as we approached the semi-finals and final game, we observed malicious sites hosting survey scams that offered free 50GB mobile data. We identified more than 40 IP addresses or servers hosting the scam sites. Mostly were registered by Chinese names and hosted under Google LLC. Survey scams aim to trick users into obtaining free mobile data 50GB for a faster streaming of video or a free mobile network. It tricks users into inputting phone number and personal information thus in the end it will incur charges to the victims not knowing that it is a scam and may use their personal information for future spam or scams. Additionally, mostly it will redirect to fake dating sites and would require and harvest email address which can allow spammers to include them in their next wave of spam.

figure-6
Figure 6: FIFA World Cup Survey scam that offers free mobile data
figure-7
Figure 7: It requests for phone number which may lead to unwanted charges.
figure-8
Figure 8: Displays the offer is successful, however, it requires the user to share it in WhatsApp, thus propagating this survey scam
figure-9
Figure 9: Survey scam common web page title

Crypto scamming and malicious app

Based on external reports there were crypto scammers that leveraged the sporting event. We observed some scam sites such as cristiano-binance[.]xyz, binance[.]supply, football-blnance[.]com, football-binance[.]com, birance[.]online and birance[.]site that lure users to click on the button “Connect wallet” and will compromise the account. We also observed malicious app or Android RAT which was reported from https://twitter.com/ESETresearch/status/1596222440996311040 https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/ and it was called “ Kora 442” with malicious site kora442[.]com. It lured users to download the app “kora442.apk” and promised live and exclusive broadcasts of the 2022 FIFA World Cup. Example of hashes are 2299d4e4ba3e9c2643ee876bb45d6a976362ce3c, c66564b7f66f22ac9dd2e7a874c6874a5bb43a26, 9c904c821edaff095e833ee342aedfcaac337e04 and 60b1da6905857073c4c46e7e964699d9c7a74ec7. The package name is com.app.projectappkora and we detect it as AndroidOS_DummyColl.HRX. It steals information from the infected device and sends it to the Command &Control (C&C) server.

figure-10
Figure 10: Fraudulent site potential hijacking of Crypto account
figure-11
Figure 11: Malicious mobile app site with download request

Trend Micro’s mission has always been making the world safe for exchanging digital information and our support of INTERPOL and the 2022 FIFA World Cup gave us an opportunity to do exactly this. We’re proud of our continued support of INTERPOL, whether it is helping them with investigations of cybercriminals, or helping with a major worldwide sporting event. Our 34 years of experience in proactively identifying new threats and attacks and protecting users against them will continue in the future and we look forward to more engagements with law enforcement and organizations managing these events.

Source :
https://www.trendmicro.com/it_it/research/24/a/trend-micro-defends-fifa-world-cup-from-cyber-threats.html

Forward Momentum: Key Learnings From Trend Micro’s Security Predictions for 2024

By: Trend Micro
December 06, 2023
Read time: 4 min (971 words)

In this blog entry, we discuss predictions from Trend Micro’s team of security experts about the drivers of change that will figure prominently in 2024.

Digital transformations in the year ahead will be led by organizations pursuing a pioneering edge from the integration of emergent technologies. Advances in cloud technology, artificial intelligence and machine learning (AI/ML), and Web3 are poised to reshape the threat landscape, giving it new frontiers outside the purview of traditional defenses. However, these technological developments are only as efficient as the IT structures that support them. In 2024, business leaders will have to take measures to ensure that their organization’s systems and processes are equipped to stay in step with these modern solutions — not to mention the newfound security challenges that come with implementing and securing them.

As the new year draws closer, decision-makers will need to stay on top of key trends and priority areas in enterprise cybersecurity if they are to make room for growth and fend off any upcoming threats along their innovation journey. In this blog entry, we discuss predictions from Trend Micro’s team of security experts about the drivers of change that will figure prominently next year.

Misconfigurations will allow cybercriminals to scale up their attacks using cloud-native worms

Enterprises should come into 2024 prepared to ensure that their cloud resources can’t be turned against them in “living-off-the-cloud” attacks. Security teams need to closely monitor cloud environments in anticipation of cyberattacks that, tailored with worming capabilities, can also abuse cloud misconfigurations to gain a foothold in their targets and use rootkits for persistence. Cloud technologies like containerized applications are especially at risk as once infected, these can serve as a launchpad from which attackers can spread malicious payloads to other accounts and services. Given their ability to infect multiple containers at once, leverage vulnerabilities at scale, and automate various tasks like reconnaissance, exploitation, and achieving persistence, worms will endure as a prominent tactic among cybercriminals next year.

AI-generated media will give rise to more sophisticated social engineering scams

The gamut of use cases for generative AI will be a boon not only for enterprises but also for fraudsters seeking new ways of profiteering in 2024. Though they’re often behind the curve when it comes to new technologies, expect cybercriminals — swayed by the potential of lucrative pay — to incorporate AI-generated lures as part of their upgraded social engineering attacks. Notably, despite the shutdown of malicious large language model (LLM) tool WormGPT, similar tools could still emerge from the dark web. In the interim, cybercriminals will also continue to find other ways to circumvent the limitations of legitimate AI tools available online. In addition to their use of digital impostors that combine various AI-powered tools in emerging threats like virtual kidnapping, we predict that malicious actors will resort specifically to voice cloning in more targeted attacks.

The rising tide of data poisoning will be a scourge on ML models under training

Integrating machine-learning (ML) models into their operations promises to be a real game changer for businesses that are banking on the potential of these models to supercharge innovation and productivity. As we step into 2024, attempts to corrupt the training data of these models will start gaining ground. Threat actors will likely carry out these attacks by taking advantage of a model’s data-collection phase or by compromising its data storage or data pipeline infrastructure. Specialized models using focused datasets will also be more vulnerable to data poisoning than LLMs and generative AI models trained on extensive datasets, which will prompt security practitioners to pay closer attention to the risks associated with tapping into external resources for ML training data.

Attackers will take aim at software supply chains through their CI/CD pipelines

Software supply chains will have a target on their back in 2024, as cybercriminals will aim to infiltrate them through their continuous integration and delivery (CI/CD) systems. For example, despite their use in expediting software development, components and code sourced from third-party libraries and containers are not without security risks, such as lacking thorough security audits, containing malicious or outdated components, or harboring overlooked vulnerabilities that could open the door to code-injection attacks. The call for developers to be wary of anything sourced from third parties will therefore remain relevant next year. Similarly, to safeguard the resilience of critical software development pipelines and weed out bugs in the coming year, DevOps practitioners should exercise caution and conduct routine scans of any external code they plan to use.

New extortion schemes and criminal gangs will be built around the blockchain

Whereas public blockchains are hardened by continuous cyberattacks, the same can’t be said of their permissioned counterparts because of the latter’s centralized nature. This lack of hard-won resilience will drive malicious actors to develop new extortion business models specific to private blockchains next year. In such extortion operations, criminals could use stolen keys to insert malicious data or modify existing records on the blockchain and then demand a payoff to stay mum on the attack. Threat actors can also strong-arm their victims into paying the ransom by wresting control of enough nodes to encrypt an entire private blockchain. As for criminal groups, we predict that 2024 will see the debut of the first criminal organizations running entirely on blockchains with smart contract or decentralized autonomous organizations (DAOs).

Countering future cyberthreats

Truly transformative technologies inevitably cross the threshold into standard business operations. But as they make that transition from novel to industry norm, newly adopted tools and solutions require additional layers of protection if they are to contribute to an enterprise’s expansion. So long as their security stance is anchored on preparedness and due diligence, organizations stand to reap the benefits from a growing IT stack without exposing themselves to unnecessary risks. To learn more about the key security considerations and challenges that lie ahead for organizations and end users, read our report, “Critical Scalability: Trend Micro Security Predictions for 2024.”

Source :
https://www.trendmicro.com/it_it/research/23/l/forward-momentum–key-learnings-from-trend-micro-s-security-pred.html

Stopping bot traffic: A guide for WordPress websites

DECEMBER 18, 2023 BY PAUL G.

When you picture your website visitors, you most likely picture a person sitting at a desk, or perhaps scrolling on their phone. However, not all your site’s visitors are flesh and bone; many are in fact bots, running automated tasks. 

Although some of these bots are legitimate, others can put your site at risk, so it’s important to take appropriate security measures. This article will take you through the ways bots interact with your site, give you some insights on the risks of leaving bad bots unchecked, and take you through how Shield Security PRO can help protect your site. 

What are WordPress bots?

Before we dive into how to protect your WordPress site from bad bots, let’s take a step back and talk about bots in general. Put simply, a bot is software that runs an automated task. 

Many of the bots that visit your website are perfectly fine – and, indeed, there are many good bots that you want to visit your site. For example, search engine crawlers automatically evaluate the value of your site’s content to determine its rank in search results.

However, there are also bots out there designed with nefarious purposes in mind. In the next section, we will look at good vs. bad bots in more detail so you know which ones you need to look out for. 

It’s worth remembering: One of the key challenges in cybersecurity is giving both good bots and human users a positive experience on your site, without enabling malicious bots to wreak havoc and compromise your security.

Good bots vs. bad bots

You may be surprised to learn that there are several kinds of good bots out there that should be perfectly welcome on your website. We mentioned search engine crawlers earlier, but they’re just one form of friendly bot that could visit your site. Others include:

  • Uptime monitoring bots: These collect performance data so you can see how well your site is doing 
  • SEO tracking bots: Many sites looking to improve their search engine ranks use analytics software to evaluate results. Tracking bots collect the data reflected in your key performance indicators.
  • Translation bots: These assist with language translation by automatically translating content to another language, helping viewers understand what your web pages are about.
  • AI Bots: AI companies use site crawlers to train their AI systems, particularly in terms of language learning. 

Some types of bad bots include: 

  • Comment spam bots: These are bots that automatically leave irrelevant comments on your site, often advertising another product or service, and generating links to that site. 
  • Brute force bots: Some cybercriminals use bots to perform brute force attacks in order to guess login credentials and gain access to restricted information. 
  • Probing bots: These are bots that simply probe your site for vulnerabilities – you can think of them as casing the joint. If they find any, they make a note so attackers can come back and exploit those vulnerabilities later. 

All of these can sap your resources and make you more vulnerable to major cyber security threats. The right cyber security approach will allow good bots to do their thing without leaving the door open to the baddies. 

Real-world Examples: How bad bots put your website at risk

Left unchecked, bad bots can damage your business in both the short and long term. They can drain your resources and increase your vulnerability to hacking attempts. Bots may flood your contact forms and comment sections with spam, which clutters your site and damages your credibility.

One example of enabling bots to run wild on your site is the Dunkin Donuts attack in 2015. The Dunkin Donuts brute force attack happened when hackers began using a type of attack called “credential stuffing” to gain access to and steal money from customer accounts. This is when bots use compromised passwords obtained from previous breaches to log in to their accounts and steal their data and card details.

A picture of coffee and a donut. Photo credit Pexels.

According to a lawsuit filed against Dunkin, the coffee shop’s parent company failed to address the attacks, despite warnings from developers to do so. While they never denied or accepted responsibility for the hacks, the company agreed to a $650,000 settlement. 

This illustrates that the stakes can get very high, especially when you’re handling sensitive information. Blocking bad bots from your website protects your business, your customers and your reputation, by restricting access to your site and data.

Bots are a drain on your site’s resources

Even if bots don’t put you in direct financial harm, they will still consume your site’s resources. 

An example of this is the case of Geeks2you, where bots were used to attempt to gain access to their servers. Monitoring software discovered over 8,000+ failed login attempts, and at least another 5,000 each hour after the attack was discovered. 

While it was extremely hard for them to actually get into the server (thanks to the company’s excellent password policy), with at least two attempts to hack every second, the attack ate into resources and rapidly degraded the site’s responsiveness to legitimate visitors. 

This demonstrates the harmful impact bots can have, even just for failed attempts to hack a site. Users can be robbed of a pleasant experience, sites can load slowly, images may not look right, and on-page features may fail. This can damage your reputation and cause you to lose valuable traffic. 

Bottom line: At a minimum, bad bots hog your resources and drag down your site’s performance. 

Your Solution: The AntiBot Detection Engine

When it comes to stopping bot traffic, you need to find a technological solution that can filter out the bad and leave you with the good. This is where Shield Security PRO comes in. 

The AntiBot Detection Engine, or ADE, works to distinguish between good bots, bad bots, and human users based on the behaviour of each visitor on the site. It can also distinguish fake web crawlers from true web crawlers. 

The way the technology does this is with “bot signals” it watches for when visitors interact with the site. (We’ll take a closer look at how the ADE does this in the next section.) 

Shield Security PRO displays bot signals logged and bot likelihood for blocked IP addresses.

When a user crosses the threshold of acceptable suspicious activity, Shield Security PRO automatically blocks their IP address and stops them from being able to access your site.

Spotting bot behaviour: login attempts 

One example of bad bot behaviour the ADE is designed to spot is excessive login attempts. Shield Security PRO can detect and capture login bots that can slow down your site and cause harm going forward. It does this by penalising visitors who use a valid username but the wrong password, as well as trying to log in without a username or with a username that doesn’t exist. 

Legitimate users might get their username and password wrong once in a while, but their behaviour is still going to be easy to distinguish from bots, especially when you look at their actions across the site as a whole. 

“Bots are just computer programs,” said Paul Goodchild, creator of Shield Security PRO, “They perform a limited number of tasks, such as login attempts, comment SPAM, and probing to trigger 404 errors.

“When you look at all these actions collectively,” Goodchild continued, “it looks nothing like normal human activity. The ADE acts as a ‘bot watcher’, looking at all requests collectively to sort the bots from the people.”

All-sides defence with Shield Security PRO 

ADE and bad bot blocking are core features of Shield Security PRO, but they’re also just a couple of the plugin’s features designed to keep your site safe and secure. For example, the security plugin has a comprehensive dashboard that allows you to see the current state of your website at a glance.  

Screenshot of Shield Security PRO’s security dashboard.

Other functionalities that help Shield Security PRO protect your site include:

  • DoS protection with traffic rate limitingThis essentially limits the rate at which traffic can access a network or web service, stopping it from being overwhelmed. DoS attacks aim to overwhelm a system’s resources, ultimately slowing or shutting down the site. 
  • Malware detection and vulnerability scanning: These are essential to your website’s safety, and identify and mitigate potential threats to your system. Our technology offers real-time protection and firewalls, scans for patterns or signs of existing malware, and identifies flaws and weak points in your defence.
  • Login protection for WooCommerce and other WordPress plugins: Shield Security PRO allows you to set up strong password requirements and two-factor authentication, keeping site access secure. You can also set customizable login attempt limits to further protect your site from malicious access attempts. 

Cybersecurity is most effective when you tackle it from all sides. The Shield Security PRO plugin kicks bad bots and suspicious visitors off your site and helps you detect any threats that do manage to sneak through. 

Banish bots from your site with Shield Security PRO 

If you let bad bots have unlimited access to your site, you’re taking a serious risk. Bad bots can increase your chances of hacking and data loss, as well as hog server resources and slow your site down. Both of these can damage your reputation as well as your bottom line.

Site owners can take action and protect their websites with a bad-bot blocking plugin like Shield Security PRO. The ADE efficiently identifies bad bots and blocks their IP addresses so they can’t bring their nefarious plans to fruition.

Don’t delay, get started with Shield Security PRO and kick bad bots off your site today for instant peace of mind.

Hey beautiful!

If you’re curious about ShieldPRO and would like to explore the powerful features for protecting your WordPress sites, click here to get started today. (14-day satisfaction guarantee!)

You’ll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and so much more.

Source :
https://getshieldsecurity.com/blog/stopping-bot-traffic-guide-wordpress-websites/

Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting

István Márton
December 12, 2023

On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using plugin shortcodes, which will execute whenever a victim accesses the injected page. We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites. You can find the complete chart of affected plugins below.

All Wordfence PremiumWordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected by the Wordfence firewall’s built-in Cross-Site Scripting protection against any exploits targeting this type of vulnerability.

Why are these vulnerabilities so common?

By a general definition, shortcodes are unique macro codes added by plugin developers to dynamically and automatically generate content. Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.

It is important to note that shortcodes are typically used in the post content on WordPress sites, and the post content input is sanitized before being saved to the database, which is a WordPress core functionality, so it is often sanitized in all cases.

Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure. However, the wp_kses_post() sanitization function only sanitizes complete HTML elements.

These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element. In such cases, the value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post. As mentioned earlier, the sanitize function only sanitizes complete HTML tags.

An example shortcode containing an HTML tag sanitized by the wp_kses_post() function:

[custom_link class=”<p onmouseover=’alert(/XSS/)’>Click Here!</p>”]
In this case, wp_kses_post() checks and sanitizes the entire <p> tag and its attributes.

An example shortcode not sanitized by the wp_kses_post() function:
[cutsom_link class="' onmouseover='alert(/XSS/)'"]
As there is no HTML tag in this case, the wp_kses_post() function does not check or sanitize anything.

Note: The above explanation demonstrates the usage of cross-site scripting within HTML attributes as it is the most common scenario, but the same problem applies to JS variable values, which will be equally vulnerable if not properly escaped.

Even the WordPress security handbook says the following about escaping output:

“Most WordPress functions properly prepare the data for output, and additional escaping is not needed.”

https://developer.wordpress.org/apis/security/escaping/

After reading this, developers might reasonably assume that the shortcode attributes are sanitized and secure. However, as demonstrated in the above example, there are exceptions.

Vulnerability Summary from Wordfence Intelligence

Plugin Name Plugin Slug CVE Affected Versions Patched Version
VK Filter Search vk-filter-search CVE-2023-5705 <= 2.3.1 2.3.2
Telephone Number Linker telephone-number-linker CVE-2023-5743 <= 1.2
Tab Ultimate tabs-pro CVE-2023-5667 <= 1.3 1.4
Ibtana – WordPress Website Builder ibtana-visual-editor CVE-2023-6684 <= 1.2.2 1.2.2.1
Featured Image Caption featured-image-caption CVE-2023-5669 <= 0.8.10 0.8.11
Reusable Text Blocks reusable-text-blocks CVE-2023-5745 <= 1.5.3
Font Awesome More Icons font-awesome-more-icons CVE-2023-5232 <= 3.5
Podcast Subscribe Buttons podcast-subscribe-buttons CVE-2023-5308 <= 1.4.8 1.4.9
Slick Contact Forms slick-contact-forms CVE-2023-5468 <= 1.3.7
LiteSpeed Cache litespeed-cache CVE-2023-4372 <= 5.6 5.7
Theme Switcha – Easily Switch Themes for Development and Testing theme-switcha CVE-2023-5614 <= 3.3 3.3.1
WordPress Charts wp-charts CVE-2023-5062 <= 0.7.0
EasyRotator for WordPress – Slider Plugin easyrotator-for-wordpress CVE-2023-5742 <= 1.0.14
Leaflet Map leaflet-map CVE-2023-5050 <= 3.3.0 3.3.1
Bitly’s WordPress Plugin wp-bitly CVE-2023-5577 <= 2.7.1
flowpaper flowpaper-lite-pdf-flipbook CVE-2023-5200 <= 2.0.3 2.0.4
SEO Slider seo-slider CVE-2023-5707 <= 1.1.0 1.1.1
CallRail Phone Call Tracking callrail-phone-call-tracking CVE-2023-5051 <= 0.5.2 0.5.3
iframe iframe CVE-2023-4919 <= 4.6 4.7
Feeds for YouTube (YouTube video, channel, and gallery plugin) feeds-for-youtube CVE-2023-4841 <= 2.1 2.1.2
Instagram for WordPress instagram-for-wordpress CVE-2023-5357 <= 2.1.6
Awesome Weather Widget awesome-weather CVE-2023-4944 <= 3.0.2
FareHarbor for WordPress fareharbor CVE-2023-5252 <= 3.6.7 3.6.8
Shortcode Menu shortcode-menu CVE-2023-5565 <= 3.2
Modal Window – create popup modal window modal-window CVE-2023-5161 <= 5.3.5 5.3.6
Sponsors wp-sponsors CVE-2023-5662 <= 3.5.0
Gift Up Gift Cards for WordPress and WooCommerce gift-up CVE-2023-5703 <= 2.20.1 2.20.2
Bellows Accordion Menu bellows-accordion-menu CVE-2023-5164 <= 1.4.2 1.4.3
TCD Google Maps tcd-google-maps CVE-2023-5128 <= 1.8
Super Testimonials super-testimonial CVE-2023-5613 <= 2.9 3.0
SlimStat Analytics wp-slimstat CVE-2023-4597 <= 5.0.9 5.0.10
WP Font Awesome wp-font-awesome CVE-2023-5127 <= 1.7.9
Advanced Menu Widget advanced-menu-widget CVE-2023-5085 <= 0.4.1
Comments by Startbit facebook-comment-by-vivacity CVE-2023-5295 <= 1.4
BSK PDF Manager bsk-pdf-manager CVE-2023-5110 <= 3.4.1 3.4.2
Video PopUp video-popup CVE-2023-4962 <= 1.1.3 1.1.4
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages wplegalpages CVE-2023-4968 <= 2.9.2 2.9.3
WP Responsive header image slider responsive-header-image-slider CVE-2023-5334 <= 3.2.1
Interact: Embed A Quiz On Your Site interact-quiz-embed CVE-2023-5659 <= 3.0.7 3.1
WDContactFormBuilder contact-form-builder CVE-2023-5048 <= 1.0.72
Widget Responsive for Youtube youtube-widget-responsive CVE-2023-5063 <= 1.6.1 1.6.2
TM WooCommerce Compare & Wishlist tm-woocommerce-compare-wishlist CVE-2023-5230 <= 1.1.7
Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin poptin CVE-2023-4961 <= 1.3 1.3.1
WhatsApp Share Button whatsapp CVE-2023-5668 <= 1.0.1
Delete Me delete-me CVE-2023-5126 <= 3.0 3.1
WP MapIt wp-mapit CVE-2023-5658 <= 2.7.1
iframe forms iframe-forms CVE-2023-5073 <= 1.0
Newsletter – Send awesome emails from WordPress newsletter CVE-2023-4772 <= 7.8.9 7.9.0
Theme Blvd Shortcodes theme-blvd-shortcodes CVE-2023-5338 <= 1.6.8
Social Feed | All social media in one place add-facebook CVE-2023-5661 <= 1.5.4.6
WS Facebook Like Box Widget ws-facebook-likebox CVE-2023-4963 <= 5.0
Garden Gnome Package garden-gnome-package CVE-2023-5664 <= 2.2.8 2.2.9
Social Sharing Plugin – Social Warfare social-warfare CVE-2023-4842 <= 4.4.3 4.4.4
Skype Legacy Buttons skype-online-status CVE-2023-5615 <= 3.1
Simple Cloudflare Turnstile – CAPTCHA Alternative simple-cloudflare-turnstile CVE-2023-5135 <= 1.23.1 1.23.2
Booster for WooCommerce woocommerce-jetpack CVE-2023-4945 <= 7.1.0 7.1.1
Simple Shortcodes smpl-shortcodes CVE-2023-5566 <= 1.0.20
Font Awesome Integration font-awesome-integration CVE-2023-5233 <= 5.0
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers rafflepress CVE-2023-5049 <= 1.12.0 1.12.2
ImageMapper imagemapper CVE-2023-5507 <= 1.2.6
Accordion accordions-wp CVE-2023-5666 <= 2.6 2.7
GEO my WordPress geo-my-wp CVE-2023-5467 <= 4.0 4.0.1
Related Products for WooCommerce woo-related-products-refresh-on-reload CVE-2023-5234 <= 3.3.15 3.3.16
Live Chat with Facebook Messenger wp-facebook-messenger CVE-2023-5740 <= 1.0
Contact form Form For All – Easy to use, fast, 37 languages. formforall CVE-2023-5337 <= 1.2
JQuery Accordion Menu Widget jquery-vertical-accordion-menu CVE-2023-4890 <= 3.1.2
Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Post Layout blog-filter CVE-2023-5291 <= 1.5.3 1.5.4
WordPress Social Login wordpress-social-login CVE-2023-4773 <= 3.0.4
QR Code Tag qr-code-tag CVE-2023-5567 <= 1.0
Buzzsprout Podcasting buzzsprout-podcasting CVE-2023-5335 <= 1.8.4 1.8.5
Drop Shadow Boxes drop-shadow-boxes CVE-2023-5469 <= 1.7.13 1.7.14
Carousel, Recent Post Slider and Banner Slider spice-post-slider CVE-2023-5362 <= 2.0 2.1
Weather Atlas Widget weather-atlas CVE-2023-5163 <= 1.2.1 2.0.0
Contact Form – Custom Builder, Payment Form, and More powr-pack CVE-2023-5741 <= 2.1.0
MapPress Maps for WordPress mappress-google-maps-for-wordpress CVE-2023-4840 <= 2.88.4 2.88.5
Media Library Assistant media-library-assistant CVE-2023-4716 <= 3.10 3.11
Google Maps Plugin by Intergeo intergeo-maps CVE-2023-4887 <= 2.3.2
SendPress Newsletters sendpress CVE-2023-5660 <= 1.22.3.31 1.23.11.6
Magic Action Box magic-action-box CVE-2023-5231 <= 2.17.2
Embed Calendly embed-calendly-scheduling CVE-2023-4995 <= 3.6 3.7
Team Showcase team-showcase CVE-2023-5639 <= 2.1 2.2
Horizontal scrolling announcement horizontal-scrolling-announcement CVE-2023-5001 <= 9.2
WP Post Columns wp-post-columns CVE-2023-5708 <= 2.2
Font Awesome 4 Menus font-awesome-4-menus CVE-2023-4718 <= 4.7.0
Advanced Custom Fields: Extended acf-extended CVE-2023-5292 <= 0.8.9.3 0.8.9.4
Options for Twenty Seventeen options-for-twenty-seventeen CVE-2023-5162 <= 2.5.0 2.5.1
Etsy Shop etsy-shop CVE-2023-5470 <= 3.0.4 3.0.5
Copy Anything to Clipboard copy-the-code CVE-2023-5086 <= 2.6.4 2.6.5
Email Encoder – Protect Email Addresses and Phone Numbers email-encoder-bundle CVE-2023-4599 <= 2.1.8 2.1.9
Advanced iFrame advanced-iframe CVE-2023-4775 <= 2023.8 2023.9
WP Mailto Links – Protect Email Addresses wp-mailto-links CVE-2023-5109 <= 3.1.3 3.1.4
Booster for WooCommerce woocommerce-jetpack CVE-2023-5638 <= 7.1.2 7.1.3
Ziteboard Online Whiteboard ziteboard-online-whiteboard CVE-2023-5076 <= 2.9.9 3.0.0
Simple Like Page Plugin simple-facebook-plugin CVE-2023-4888 <= 1.5.1 1.5.2
CPO Shortcodes cpo-shortcodes CVE-2023-5704 <= 1.5.0
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce wc-multivendor-marketplace CVE-2023-4960 <= 3.6.2 3.6.3
Connect Matomo (WP-Matomo, WP-Piwik) wp-piwik CVE-2023-4774 <= 1.0.28 1.0.29
Very Simple Google Maps very-simple-google-maps CVE-2023-5744 <= 2.9 2.9.1
Contact Form by FormGet – Best Form Builder Plugin for WordPress formget-contact-form CVE-2023-5125 <= 5.5.5
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic shareaholic CVE-2023-4889 <= 9.7.8 9.7.9

Security recommendations for developers

We recommend using one of the built-in WordPress escaping functions before outputting user data. WordPress has a number of functions that can be used for different situations. You can read more about these functions at: https://developer.wordpress.org/apis/security/escaping/

Technical Analysis #1

A general but fictional shortcode will be used to demonstrate a shortcode XSS vulnerability, focusing only on the most important details.

Let’s take an example where shortcode attributes are used as HTML attributes.

The vulnerable shortcode function:

1
2
3
4
5
6
7
8
9
10
11
12
function custom_link_shortcode( $atts, $content ) {
    $atts = shortcode_atts( array(
        'class' => 'custom-link', // default class value
        'href'  => '#', // default href value
    ), $atts );
 
    $output = '<a class="' . $atts['class'] . '" href="' . $atts['href'] . '">' . $content . '</a>';
 
    return $output;
}
 
add_shortcode( 'custom_link', 'custom_link_shortcode' );

Let’s take a look at an example where the following shortcode is used in the post content:
[custom_link class='my-custom-class']Link Text[/custom_link]

As a result, the following link will be displayed in the post:

1<aclass="my-custom-class"href="#">Link Text</a>

In this case, the class attribute of the shortcode is used and outputted in the class attribute of the <a> HTML tag.

The Exploit

Now, let’s take a look at a threat actor that wants to inject malicious web scripts into a post using the plugin’s shortcode. To accomplish this, the attacker needs to leave the specified HTML attribute, which in the example is the “class” attribute and add an additional malicious HTML attribute after.

Here’s an exploit example:
[custom_link class='" onmouseover="alert(/XSS/)']Link Text[/custom_link]

With the payload above, the following link will be displayed in the post:

1<aclass=""onmouseover="alert(/XSS/)"href="#">Link Text</a>

The first double quotation mark provided in the shortcode’s “class” attribute closes the “class” HTML attribute within the <a> tag. After that the “onmouseover” HTML attribute containing a malicious script is added to the <a> tag. This means that whenever a user mouses over the rendered shortcode, a prompt with “XSS” would appear on the screen.

The Solution

To make the shortcode secure, escape functions must be used. This prevents user-defined input from leaving the original “class” HTML attribute as any quotes used to leave the HTML attribute will be escaped.

Let’s make the example shortcode code secure:

123456789101112functioncustom_link_shortcode( $atts, $content) {    $atts= shortcode_atts( array(        'class'=> 'custom-link', // default class value        'href'=> '#', // default href value    ), $atts);    $output= '<a class="'. esc_attr( $atts['class'] ) . '" href="'. esc_url( $atts['href'] ) . '">'. $content. '</a>';    return$output;}add_shortcode( 'custom_link', 'custom_link_shortcode');

The “class” data is an attribute, so it is recommended to use the esc_attr() function there.
The “href” data is a url, which is an attribute that has more specific requirements, so it is recommended to use the esc_url() function there.

The above two functions make the shortcode completely secure against Cross-Site Scripting.

If the attacker tries to add a malicious shortcode using the patched functionality, it will result in the following link, which no longer contains executable JavaScript:

1<aclass="&quot; onmouseover=&quot;alert(/XSS/)"href="#">Link Text</a>

Technical Analysis #2

Next, let’s look at an example where shortcode attributes are used as JS variable values.

The vulnerable shortcode function assigns shortcode attributes to JS variables:

1234567891011functioncustom_js_color_variable_shortcode( $atts) {    $atts= shortcode_atts( array(        'color'=> 'red', // default color value    ), $atts);    $output= '<script>'. 'let color="'. $atts['color'] . '";'. '</script>';    return$output;}add_shortcode( 'custom_js_color_variable', 'custom_js_color_variable_shortcode');

Here’s an example where the following shortcode is used in the post content:
[custom_js_color_variable color='blue']

As a result, the following script with a variable setting for “color” will be displayed in the post:

1<script>let color="blue";</script>

The Exploit

Now, we’ll try to exploit the shortcode:
[custom_js_color_variable color='"; alert(/XSS/); let more="']

As a result, the following script will be displayed in the post:

1<script>let color=""; alert(/XSS/); let more="";</script>

The Solution

Let’s make the example shortcode code secure:

1234567891011functioncustom_js_color_variable_shortcode( $atts) {    $atts= shortcode_atts( array(        'color'=> 'red', // default color value    ), $atts);    $output= '<script>'. 'let color="'. esc_js( $atts['color'] ) . '";'. '</script>';    return$output;}add_shortcode( 'custom_js_color_variable', 'custom_js_color_variable_shortcode');

The “color” data is a JS variable, so it is recommended to use the esc_js() function.

The following script will be displayed in the post if the attacker tries using the same malicious shortcode:

1<script>let color="&quot;; alert(/XSS/); let more=&quot;";</script>

Conclusion

In this blog post, we have detailed Stored Shortcode-Based XSS vulnerabilities within several WordPress repository plugins. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. As with all XSS vulnerabilities, a malicious payload could be used to perform actions as an administrator, including adding new malicious administrator users to the site and embedding backdoors in plugin and theme files, as well as redirecting users to malicious sites.

We encourage WordPress users to verify that their sites are updated to the latest patched version of each impacted plugin. For unpatched plugins that have been closed by the WordPress.org security team, we recommend that WordPress users delete the affected plugin and look for an alternative solution.

All Wordfence users, including those running Wordfence PremiumWordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this type of vulnerability.

If you know someone who uses any of these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this type of vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2023/12/over-100-wordpress-repository-plugins-affected-by-shortcode-based-stored-cross-site-scripting/

Ubiquiti UniFi Network Application 8.0.7

Overview

UniFi Network Application 8.0.7 adds support for Radio Manager, WireGuard VPN Client, and Site Overview, and improves the Port Manager section by adding an overview of all ports and the VLAN Viewer.

Radio Manager

The new Radios page provides an overview of the Access Point radios and their configuration, statistics, and performance.

  • Filter Devices – Show all APs or only specific devices.
  • Filter Bands – Use the filters to display only certain bands or MIMO, e.g. 5 GHz or 3×3.
  • Bulk Edit – Change the radio configuration on multiple APs at the same time.

Improved Port Manager

The new Ports page provides an overview of all ports across your devices.

  • Filter Ports – Use the filters to display only certain ports, e.g. only PoE or SFP ports.
  • Filter Devices – Show all ports or only ports on a specific device.
  • Insights – View and compare statistics between ports on the same device.

The VLAN port management has been redesigned to improve UX when managing VLANs.

  • Native VLAN / Network – Used for untagged traffic, i.e. not tagged with a VLAN ID. Previously this option was called ‘Primary Network’.
  • Tagged VLAN Management – Used for traffic tagged with a VLAN ID. Previously this option was called ‘Traffic Restriction’.
  • Allow All – Configured VLANs are automatically tagged (allowed) on the port.
  • Block All – All tagged VLANs are blocked (not allowed) on the port.
  • Custom – Specify which VLANs are tagged (allowed) on the port. Any VLAN that is not specified is blocked.

When adding a new VLAN, it is automatically tagged (allowed) on the port when using ‘Allow All’. If ‘Custom’ is used, the new VLAN needs to be manually added to the port.

VLAN Viewer

Provides an easy way to see Native and Tagged VLANs across your devices.

  • Native VLAN Assignment – This shows which VLAN ID is set as native.
  • VLAN Tagging – Shows which VLANs are tagged, blocked, or native.
  • Search for VLANs using the VLAN name, ID, or subnet.

WireGuard VPN Client

Allows you to connect your UniFi Gateway to a VPN service provider and send internet traffic from devices over the VPN. Uploading a file and manual configuration are both supported.

Site Overview

Provides an overview of all sites used on UniFi Network Applications managing multiple sites.

  • UniFi Devices – See how many devices are connected to each site.
  • Client Devices – See how many WiFi/wired clients and guests are connected to each site.
  • Insight – See which sites have offline devices and critical notifications.

Client Connections

The System Log now provides much more details on client connections such as the connection time and data usage.

Improvements

  • Improved Port Manager.
  • Added all ports overview.
  • Added VLAN Viewer.
  • Improved VLAN port management UX.
  • Added Site Overview.
  • Added ability to select which networks Suspicious Activity is enabled on.
  • Added sorting feature for IP Groups.
  • Added ability to allow opening predefined firewall rules.
  • Improved validation for Prefix ID in Virtual Network settings.
  • Improved empty MAC whitelist validation in Port Manager.
  • Improved validation for DHCP options.
  • Improved DHCP Server TFTP Server field validation.
  • Improved Traffic Rule IP Address validation.
  • Improved Firewall Rules UX.
  • Improved Security Settings UX.
  • Improved Global Network Settings UX.
  • Enabled auto upgrade for UXG-Pro after the adoption is completed.
  • Remove LTE Failover WAN from IPTV Options.
  • Show the local language in the Language dropdown.
  • Prevent provisioning more Layer 3 static routes than UniFi switches can support.
  • Routes that are over the limit at the time of upgrade will be marked as Paused.
  • This does not mean that total static route support on Layer 3 UniFi switches is decreased, instead, UX is improved to prevent configuration of routes that are not functional.

VPN

  • Added WireGuard VPN Client.
  • Added messaging to create traffic routes after creating VPN Clients. This applies to the VPN Client feature, not adding clients to VPN Servers.
  • Added validation in VPN Server settings when the port overlaps with a Port Forwarding rule.
  • Added IP/Hostname override option for OpenVPN and WireGuard VPN Servers.
  • This adds a custom hostname or IP address to the configuration file used by clients.
  • This option is useful if the UniFi Gateway is behind NAT or is using a dynamically assigned IP address.
  • Added validation for Local IP in IPsec Site-to-Site VPN settings.
  • Automatically remove Site-to-Site Auto IPsec configuration if the adopted gateway doesn’t support it.
  • Improved Site-to-Site VPN validations.
  • Improved configuration file generation time for OpenVPN Servers.
  • Increased OpenVPN and WireGuard VPN Client limit from 5 to 8. This applies to the VPN Client feature, not VPN users connecting to VPN Servers.
  • Remove the PPTP Server if the adopted gateway doesn’t support it.

Clients and Devices

  • Added PoE power cycle option to the device side panel.
  • Added confirmation message when configuring Network Overrides.
  • Improved UniFi Devices page performance on larger setups.
  • Improved System Logs for client connections.
  • Locked the first column for Devices/Clients pages when scrolling horizontally.
  • Client hostnames (if present) are now shown in the side panel overview.
  • Moved filters to the left side in the Device and Client pages.

WiFi

  • Added Radio Manager.
  • Added ability to enable Professional installer toggle for Consoles.
  • Improved adding clients to MAC Address Filters.
  • Improved actionable feedback when Outdoor Mode is enabled.
  • Removed Global AP Settings, you can now use Radio Manager for bulk editing.
  • Collapse RF Scan tab by default in the AP device panel.
  • Changed WiFi Experience to TX retries for APs in their device panel.
  • Enhanced voucher printing options.

Bugfixes

  • Fixed an issue where some UniFi devices were incorrectly shown on the Client Devices page or not shown at all.
  • As a result of this fix, unmanaged non-network UniFi devices (e.g. UniFi Protect camera) may appear again as offline devices.
  • These offline devices will be removed automatically based on the Data Retention settings.
  • Automatic removal is an automated, periodic process that will run for several minutes after updating. Manual removal is also possible.
  • Fixed an issue where blocked clients couldn’t connect if they were removed until the next AP provision.
  • Fixed incorrect channel width for BeaconHD/U6-Extender.
  • Fixed an issue where Virtual Network usable hosts were incorrectly calculated.
  • Fixed missing ISP names in internet-related notifications.
  • Fixed rare gateway adoption issues via Layer 3.
  • Fixed an issue where WiFiman speed test results were not shown.
  • Fixed issue where WAN configuration is not populated when moving a gateway device to a new site.
  • Fixed an issue where CGNAT IP addresses were incorrectly marked as public IPs for Site Magic.
  • Fixed invalid connected client count for In-Wall APs.
  • Fixed unmanaged Network devices not shown on Client and Device pages in rare cases.
  • Fixed an issue where the Console would appear offline in rare cases.
  • Fixed sorting when there are multiple pages.
  • Fixed an issue where Voice VLAN settings are not effective when all VLANs are auto-allowed on switch ports.
  • Fixed an issue where Lock to AP is not disabled when removing an AP.
  • Fixed an issue where RADIUS profiles couldn’t be disabled when using a WireGuard VPN Server.
  • Fixed rare gateway configuration error.

Additional information

  • Create a backup before upgrading your UniFi Network Application in the event any issues are encountered.
  • See the UniFi Network Server Help Center article for more information on self-hosting a server.
  • UniFi Network Application 7.5 and newer requires MongoDB 3.6 (up to 4.4) and Java 17.

UniFi Network Native Application for UniFi OS

A specific application version that is only compatible with the UDM and UDR (running UniFi OS 3.1.6 or newer).

  • The UniFi OS update uses the application version that is required for your console.
  • The manual update process via SSH requires you to use the compatible package. Incompatible packages will be rejected on installation.
  • Older UniFi OS versions (before UniFi OS 3.1.6) on the UDM and UDR still use regular UniFi Network Application for UniFi OS.

 Checksumsb6a4fc86282e114c3a683ee9b43b4fde *UniFi-installer.exe 93413c6edc8d2bc44034b5086fa06fd7 *UniFi-Network-Server.dmg 6f10183dc78bf6d36290309cee8b6714 *UniFi.unix.zip f8e3a81f533d5bedb110afc61695846f *unifi_sysvinit_all.deb f6303e22d7c66102558db1dfeba678a7 *unifi-uos_sysvinit.deb b86b7b88ab650bf1de1a337f2f65d712 *unifi-native_sysvinit.deb 601df32736f41e40a80a3e472450a3e1 *unifi_sh_api ———————————————————————————————————————— SHA256(UniFi-installer.exe)= 193e309725a24a9dc79ac8115ad6ec561e466d0f871bc10c1d48a1c1631e2cfd SHA256(UniFi-Network-Server.dmg)= eb6160c6763f884fbb73df03ecdbc67381ad3cd06f037b227c399a7b33a29c0f SHA256(UniFi.unix.zip)= b409eb13d666d3afbf6f299650f0ee929a45da0ce4206ffe804a72d097f19f36 SHA256(unifi_sysvinit_all.deb)= 4221d7a0f8ce66c58a4f71b70ba6f32e16310429d3fe8165bf0f47bbdb6401a6 SHA256(unifi-uos_sysvinit.deb)= fafdfa57fc5b324e8fc0959b4127e3aafa10f1e4cfdf34c91af6a366033c1937 SHA256(unifi-native_sysvinit.deb)= 3bfd0e985d099fe9bc99578b82548269cf5d65f77e354c714b6b49194e5cd368 SHA256(unifi_sh_api)= 1791685039ea795970bcc7a61eec854058e3e6fc13c52770e31e20f3beb622eb

Download links

UniFi Network Application for Windows

UniFi Network Application for macOS

UniFi Network Application for Debian/Ubuntu

UniFi Network Application for UniFi OS

UniFi Network Native Application for UniFi OS

UniFi Network Application for unsupported Unix/Linux distros *** DIY / Completely unsupported ***

unifi_sh_api (shell library)

Source :
https://community.ui.com/releases/UniFi-Network-Application-8-0-7/7818b9df-4845-4c82-ba3c-1218e61010d4

Critical Unauthenticated Remote Code Execution Found in Backup Migration Plugin

Alex Thomas
December 11, 2023

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! The researcher who reported this vulnerability was awarded $2,751.00! Register as a researcher and submit your vulnerabilities today! 🎁

On November 8th, 2023, Wordfence launched a Bug Bounty Program to help support our mission in securing the web. In only a month’s time, we have had over 270 vulnerability researchers register and submit almost 130 vulnerabilities!

On December 5th, 2023, shortly after the launch of our Holiday Bug Extravaganza, we received a submission for a PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with over 90,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.

We quickly released a firewall rule to protect Wordfence PremiumWordfence Care, and Wordfence Response customers on December 6, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 5, 2024.

We contacted the BackupBliss team, makers of the Backup Migration plugin, on the same day we released our firewall rule. After providing full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.

We urge users to update their sites with the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing, immediately.

Vulnerability Summary from Wordfence Intelligence

Description: Backup Migration <= 1.3.7 backup-backup Unauthenticated Remote Code Execution
Affected Plugin: Backup Migration
Plugin Slug: backup-backup
Affected Versions: <= 1.3.7
CVE ID: CVE-2023-6553
Pending CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Nex Team
Fully Patched Version: 1.3.8
Bounty Award: $2,751.00

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.

Technical Analysis

Line 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62.

This means that BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.

Disclosure Timeline

December 5, 2023 – We receive the submission of the PHP Code Injection vulnerability in Backup Migration via the Wordfence Bug Bounty Program.
December 6, 2023 – We validate the report and confirm the proof-of-concept exploit.
December 6, 2023 – We initiate contact with the plugin developer and send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. A fully patched version of the plugin, 1.3.8, is released.

Conclusion

In this blog post, we detailed a critical PHP Code Injection vulnerability within the Backup Migration plugin affecting versions 1.3.7 and earlier. This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise. The vulnerability has been fully addressed in version 1.3.8 of the plugin.

We urge WordPress users to verify that their sites are updated to the latest patched version of Backup Migration.

Wordfence users running Wordfence PremiumWordfence Care, and Wordfence Response have been protected against these vulnerabilities as of December 6, 2023. Users still using the free version of Wordfence will receive the same protection on January 5, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/

The Ultimate Guide to Password Best Practices: Guarding Your Digital Identity

Dirk Schrader
Published: November 14, 2023
Updated: November 24, 2023

In the wake of escalating cyber-attacks and data breaches, the ubiquitous advice of “don’t share your password” is no longer enough. Passwords remain the primary keys to our most important digital assets, so following password security best practices is more critical than ever. Whether you’re securing email, networks, or individual user accounts, following password best practices can help protect your sensitive information from cyber threats.

Read this guide to explore password best practices that should be implemented in every organization — and learn how to protect vulnerable information while adhering to better security strategies.

The Secrets of Strong Passwords

A strong password is your first line of defense when it comes to protecting your accounts and networks. Implement these standard password creation best practices when thinking about a new password:

  • Complexity: Ensure your passwords contain a mix of uppercase and lowercase letters, numbers, and special characters. It should be noted that composition rules, such as lowercase, symbols, etc. are no longer recommended by NIST — so use at your own discretion.
  • Length: Longer passwords are generally stronger — and usually, length trumps complexity. Aim for at least 6-8 characters.
  • Unpredictability: Avoid using common phrases or patterns. Avoid using easily guessable information like birthdays or names. Instead, create unique strings that are difficult for hackers to guess.

Handpicked related content:

Combining these factors makes passwords harder to guess. For instance, if a password is 8 characters long and includes uppercase letters, lowercase letters, numbers and special characters, the total possible combinations would be (26 + 26 + 10 + 30)^8. This astronomical number of possibilities makes it exceedingly difficult for an attacker to guess the password.

Of course, given NIST’s updated guidance on passwords, the best approach to effective password security is using a password manager — this solution will not only help create and store your passwords, but it will automatically reject common, easy-to-guess passwords (those included in password dumps). Password managers greatly increase security against the following attack types.

Password-Guessing Attacks

Understanding the techniques that adversaries use to guess user passwords is essential for password security. Here are some of the key attacks to know about:

Brute-Force Attack

In a brute-force attack, an attacker systematically tries every possible combination of characters until the correct password is found. This method is time-consuming but can be effective if the password is weak.

Strong passwords help thwart brute force attacks because they increase the number of possible combinations an attacker must try, making it unlikely they can guess the password within a reasonable timeframe.

Dictionary Attack

A dictionary attack is a type of brute-force attack in which an adversary uses a list of common words, phrases and commonly used passwords to try to gain access.

Unique passwords are essential to thwarting dictionary attacks because attackers rely on common words and phrases. Using a password that isn’t a dictionary word or a known pattern significantly reduces the likelihood of being guessed. For example, the string “Xc78dW34aa12!” is not in the dictionary or on the list of commonly used passwords, making it much more secure than something generic like “password.”

Dictionary Attack with Character Variations

In some dictionary attacks, adversaries also use standard words but also try common character substitutions, such as replacing ‘a’ with ‘@’ or ‘e’ with ‘3’. For example, in addition to trying to log on using the word “password”, they might also try the variant “p@ssw0rd”.

Choosing complex and unpredictable passwords is necessary to thwart these attacks. By using unique combinations and avoiding easily guessable patterns, you make it challenging for attackers to guess your password.

How Password Managers Enhance Security

Password managers are indispensable for securely storing and organizing your passwords. These tools offer several key benefits:

  • Security: Password managers store passwords and enter them for you, eliminating the need for users to remember them all. All users need to remember is the master password for their password manager tool. Therefore, users can use long, complex passwords as recommended by best practices without worrying about forgetting their passwords or resorting to insecure practices like writing passwords down or reusing the same password for multiple sites or applications.
  • Password generation: Password managers can generate a strong and unique password for user accounts, eliminating the need for individuals to come up with them.
  • Encryption: Password managers encrypt password vaults, ensuring the safety of data — even if it is compromised.
  • Convenience: Password managers enable users to easily access passwords across multiple devices.

When selecting a password manager, it’s important to consider your organization’s specific needs, such as support for the platforms you use, price, ease of use and vendor breach history. Conduct research and read reviews to identify the one that best aligns with your organization’s requirements. Some noteworthy options include Netwrix Password Secure, LastPass, Dashlane, 1Password and Bitwarden.

How Multifactor Authentication (MFA) Adds an Extra Layer of Security

Multifactor authentication strengthens security by requiring two or more forms of verification before granting access. Specifically, you need to provide at least two of the following authentication factors:

  • Something you know: The classic example is your password.
  • Something you have: Usually this is a physical device like a smartphone or security token.
  • Something you are: This is biometric data like a fingerprint or facial recognition.

MFA renders a stolen password worthless, so implement it wherever possible.

Password Expiration Management

Password expiration policies play a crucial role in maintaining strong password security. Using a password manager that creates strong passwords also has an influence on password expiration. If you do not use a password manager yet, implement a strategy to check all passwords within your organization; with a rise in data breaches, password lists (like the known rockyou.txt and its variations) used in brute-force attacks are constantly growing. The website haveibeenpawned.com offers a service to check whether a certain password has been exposed. Here’s what users should know about password security best practices related to password expiration:

  • Follow policy guidelines: Adhere to your organization’s password expiration policy. This includes changing your password when prompted and selecting a new, strong password that meets the policy’s requirements.
  • Set reminders: If your organization doesn’t enforce password expiration via notifications, set your own reminders to change your password when it’s due. Regularly check your email or system notifications for prompts.
  • Avoid obvious patterns: When changing your password, refrain from using variations of the previous one or predictable patterns like “Password1,” “Password2” and so on.
  • Report suspicious activity: If you notice any suspicious account activity or unauthorized password change requests, report them immediately to your organization’s IT support service or helpdesk.
  • Be cautious with password reset emails: Best practice for good password security means being aware of scams. If you receive an unexpected email prompting you to reset your password, verify its authenticity. Phishing emails often impersonate legitimate organizations to steal your login credentials.

Password Security and Compliance

Compliance standards require password security and password management best practices as a means to safeguard data, maintain privacy and prevent unauthorized access. Here are a few of the laws that require password security:

  • HIPAA (Health Insurance Portability and Accountability Act): HIPAA mandates that healthcare organizations implement safeguards to protect electronic protected health information (ePHI), which includes secure password practices.
  • PCI DSS (Payment Card Industry Data Security Standard): PCI DSS requires organizations that handle payment card data on their website to implement strong access controls, including password security, to protect cardholder data.
  • GDPR (General Data Protection Regulation): GDPR requires organizations that store or process the data of EU residents to implement appropriate security measures to protect personal data. Password security is a fundamental aspect of data protection under GDPR.
  • FERPA (Family Educational Rights and Privacy Act): FERPA governs the privacy of student education records. It includes requirements for securing access to these records, which involves password security.

Organizations subject to these compliance standards need to implement robust password policies and password security best practices. Failure to do so can result in steep fines and other penalties.

There are also voluntary frameworks that help organizations establish strong password policies. Two of the most well known are the following:

  • NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) provides guidelines and recommendations, including password best practices, to enhance cybersecurity.
  • ISO 27001: ISO 27001 is an international standard for information security management systems (ISMSs). It includes requirements related to password management as part of its broader security framework.

Password Best Practices in Action

Now, let’s put these password security best practices into action with an example:

Suppose your name is John Doe and your birthday is December 10, 1985. Instead of using “JohnDoe121085” as your password (which is easily guessable), follow these good password practices:

  • Create a long, unique (and unguessable) password, such as: “M3an85DJ121!”
  • Store it in a trusted password manager.
  • Enable multi-factor authentication whenever available.

10 Password Best Practices

If you are looking to strengthen your security, follow these password best practices:

  • Remove hints or knowledge-based authentication: NIST recommends not using knowledge-based authentication (KBA), such as questions like “What town were you born in?” but instead, using something more secure, like two-factor authentication.
  • Encrypt passwords: Protect passwords with encryption both when they are stored and when they are transmitted over networks. This makes them useless to any hacker who manages to steal them.
  • Avoid clear text and reversible forms: Users and applications should never store passwords in clear text or any form that could easily be transformed into clear text. Ensure your password management routine does not use clear text (like in an XLS file).
  • Choose unique passwords for different accounts: Don’t use the same, or even variations, of the same passwords for different accounts. Try to come up with unique passwords for different accounts.
  • Use a password management: This can help select new passwords that meet security requirements, send reminders of upcoming password expiration, and help update passwords through a user-friendly interface.
  • Enforce strong password policies: Implement and enforce strong password policies that include minimum length and complexity requirements, along with a password history rule to prevent the reuse of previous passwords.
  • Update passwords when needed: You should be checking and – if the results indicate so – updating your passwords to minimize the risk of unauthorized access, especially after data breaches.
  • Monitor for suspicious activity: Continuously monitor your accounts for suspicious activity, including multiple failed login attempts, and implement account lockouts and alerts to mitigate threats.
  • Educate users: Conduct or partake in regular security awareness training to learn about password best practices, phishing threats, and the importance of maintaining strong, unique passwords for each account.
  • Implement password expiration policies: Enforce password expiration policies that require password changes at defined circumstances to enhance security.

How Netwrix Can Help

Adhering to password best practices is vital to safeguarding sensitive information and preventing unauthorized access.

Netwrix Password Secure provides advanced capabilities for monitoring password policies, detecting and responding to suspicious activity and ensuring compliance with industry regulations. With features such as real-time alerts, comprehensive reporting and a user-friendly interface, it empowers organizations to proactively identify and address password-related risks, enforce strong password policies, and maintain strong security across their IT environment.

Conclusion

In a world where cyber threats are constantly evolving, adhering to password management best practices is essential to safeguard your digital presence. First and foremost, create a strong and unique password for each system or application — remember that using a password manager makes it much easier to adhere to this critical best practice. In addition, implement multifactor authentication whenever possible to thwart any attacker who manages to steal your password. By following the guidelines, you can enjoy a safer online experience and protect your valuable digital assets.

Dirk Schrader

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.

Source :
https://blog.netwrix.com/2023/11/15/password-best-practices/

PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site.

We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.

Technical Analysis

We’ve written about Object Injection vulnerabilities in the past, and the primary reason most Object Injection vulnerabilities are difficult to exploit is the lack of useful POP chains.

The problem here resides in the WP_HTML_Token class, which was introduced in WordPress 6.4 and is used to improve HTML parsing in the block editor. It includes a __destruct magic method that is automatically executed after PHP has processed the request. This __destruct method uses call_user_func to execute the function passed in through the on_destroy property, accepting the bookmark_name property as an argument:

12345publicfunction__destruct() {    if( is_callable( $this->on_destroy ) ) {        call_user_func( $this->on_destroy, $this->bookmark_name );        }}

Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.

The patch is very simple:

123publicfunction__wakeup() {   thrownew\LogicException( __CLASS__. ' should never be unserialized');}

The newly added __wakeup method ensures that any serialized object with the WP_HTML_Token class throws an error as soon as it is unserialized, preventing the __destruct function from executing.

We have released a firewall rule to protect Wordfence PremiumWordfence Care, and Wordfence Response users. Wordfence free users will receive the same protection in 30 days, on January 5, 2024.

Conclusion

In today’s PSA, we analyzed a patch for a potentially critical issue in WordPress 6.4-6.4.1 that could allow attackers to take advantage of any Object Injection vulnerability present in any plugin to execute code. While most sites should automatically update to WordPress 6.4.2, we strongly recommend manually checking your site to ensure that it is updated.

We recommend sharing this advisory with everyone you know who uses WordPress, as this is a potentially critical issue that could lead to complete site takeover.

Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2/

Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!🎁

On November 24, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Unauthenticated Arbitrary File Upload vulnerability in MW WP Form plugin, which is actively installed on more than 200,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server when the “Saving inquiry data in database” option in the form settings is enabled.

All Wordfence PremiumWordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Malicious File Upload protection.

We contacted the Web-Soudan Team on November 24, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on November 29, 2023. We would like to commend The Web-Soudan Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of MW WP Form, which is version 5.0.2 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload
Affected Plugin: MW WP Form
Plugin Slug: mw-wp-form
Affected Versions: <= 5.0.1
CVE ID: CVE-2023-6316
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: István Márton
Fully Patched Version: 5.0.2

The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘_single_file_upload’ function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Technical Analysis

The MW WP Form plugin provides a shortcode-based form builder, with many customizable fields and many useful form options. Files can also be uploaded to the form with the [mwform_file name="file"] shortcode field.

Examining the code reveals that the plugin uses the _single_file_upload() function in the MW_WP_Form_File class to file upload, and the check_file_type() function in the MWF_Functions class is used to check the file type.

11classMWF_Functions {
212213214215216217218219220221222223224225226227228229230231232/** * Return true when correct file type. * * @param string $filepath Uploaded file path. * @param string $filename File name. * @return bool */publicstaticfunctioncheck_file_type( $filepath, $filename= '') {    if( ! file_exists( $filepath) ) {        returnfalse;    }    // File type restricted by WordPress (get_allowed_mime_types)    if( $filename) {        $wp_check_filetype= wp_check_filetype( $filename);    } else{        $wp_check_filetype= wp_check_filetype( $filepath);    }    if( empty( $wp_check_filetype['type'] ) ) {        returnfalse;    }

This is a completely common and safe file type checking function that uses the WordPress core function.

11classMW_WP_Form_File {
60616263646566676869707172737475767778798081828384858687888990919293949596979899100101102protectedfunction_single_file_upload( $form_id, $name, $file) {    if( empty( $file['tmp_name'] ) ) {        returnfalse;    }    $error= $file['error'];    try{        if( UPLOAD_ERR_OK !== $error&& UPLOAD_ERR_NO_FILE !== $error||            ! MWF_Functions::check_file_type( $file['tmp_name'], $file['name'] ) ) {            if( UPLOAD_ERR_INI_SIZE === $error|| UPLOAD_ERR_FORM_SIZE === $error) {                thrownew\RuntimeException( '[MW WP Form] File size of the uploaded file is too large.');            }            thrownew\RuntimeException( '[MW WP Form] An error occurred during file upload.');        }    } catch( \Exception $e) {        error_log( $e->getMessage() );    }    try{        $new_user_file_dir= MW_WP_Form_Directory::generate_user_file_dirpath( $form_id, $name);        if( ! wp_mkdir_p( $new_user_file_dir) ) {            thrownew\RuntimeException( '[MW WP Form] Creation of a temporary directory for file upload failed.');        }    } catch( \Exception $e) {        error_log( $e->getMessage() );    }    MW_WP_Form_Directory::do_empty( $new_user_file_dir, true );    $filename= sanitize_file_name( sprintf( '%1$s-%2$s', $name, $file['name'] ) );    $filepath= MW_WP_Form_Directory::generate_user_filepath( $form_id, $name, $filename);    try{        if( ! move_uploaded_file( $file['tmp_name'], $filepath) ) {            thrownew\RuntimeException( '[MW WP Form] There was an error saving the uploaded file.');        }    } catch( \Exception $e) {        error_log( $e->getMessage() );    }    return$filename;}

The upload function checks the file and then copies it to the server with the move_uploaded_file() function. The file is only stored on the server if the “Saving inquiry data in database” option is selected in the form settings. Otherwise the file is immediately deleted after submitting the form.

Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block. The catch block only uses the error_log() function to log the error without interrupting the upload. This means that even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.

We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the “Saving inquiry data in database” option in the form settings, because the plugin only saves the files in this configuration.

Disclosure Timeline

November 24, 2023 – Discovery of the Arbitrary File Upload vulnerability in MW WP Form.
November 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
November 24, 2023 – The vendor confirms the inbox for handling the discussion.
November 24, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
November 29, 2023 – A fully patched version of the plugin, 5.0.2, is released.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of MW WP Form.

All Wordfence users, including those running Wordfence PremiumWordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated-arbitrary-file-upload-in-mw-wp-form-allows-malicious-code-execution/

Apply BGP Route Map for Numbered VPN Tunnel Interface Between AWS and SonicWall

11/16/2023

Description

This article details how to configure a Site-to-Site VPN between AWS and SonicWall using Tunnel interface and Applying a Route map to influence the incoming and outgoing traffic.

 Below is the Schema used for the VPN  tunnel configuration between SonicWall and AWS.

  • Configuring the VPN Policy 
  • Configuring the Tunnel Interface 
  • Configuring the BGP routing
  • Configuring the Route-map
Image
IP Addresses used in this article  
   
 Site A (NSA 6650)AWS
WAN IPX1:  10.20.1.2X2: 10.30.1.210.6.220.6510.6.210.2
Tunnel IP192.168.5.1192.168.6.1192.168.5.2192.168.6.2
Local Network172.16.32.0/24172.16.31.0/24
Peer Network(VPN)172.16.31.0/24172.16.32.0/24
BGP AS NUMBERAS  65530AS 65532//65531

Cause

A route map can utilize access-lists, prefix-lists, as-path access lists, and community lists to create an effective route policy.

Resolution

STEP 1: Go to Manage | VPN | Base Settings and click on Add. The VPN Policy window is displayed.

General tab:

Policy type: Tunnel Interface

Auth method: IKE using Preshared Secret

Local/Peer IKE ID: IPv4 Address

Note: When configuring a Numbered Tunnel Interface VPN, do not select “Allow Advance Routing” in the VPN Policy Advance tab. This option is use for Unnumbered Tunnel Interface with Advance Routing only.

Image
Image

 NOTE: The Proposals tab must be identical on the Tunnel Interface VPNs for both appliances and should Bind with X1 and X2.

STEP 2: Configuring the Tunnel Interface.

Go to Manage | Network | Interfaces, under Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.

Image

STEP 3: Configure BGP using CLI.

Config terminal

config#  routing  / Enter to Routing Module

(config-routing)#  bgp / Enter to BGP module

ARS BGP> configure terminal / Enter configure mode

ARS BGP(config)> router bgp 65530/ Set up AS number on SonicWALL

ARS BGP(config-router)> neighbor 192.168.5.2 remote-as 65532 / Configure neighbor connection

ARS BGP(config-router)> neighbor 192.168.6.2 remote-as 65531 / Configure neighbor connection

ARS BGP(config-router)> neighbor 192.168.5.2 soft-reconfiguration inbound

ARS BGP(config-router)> neighbor 192.168.6.2 soft-reconfiguration inbound

ARS BGP(config-router)> network 172.16.32.0/24/ Advertise your network

STEP 4: Configure BGP using CLI and Sending the  outgoing traffic via Tunnel  1 and receiving  the incoming traffic via Tunnel 1.

ARS BGP(config-router)> neighbor 192.168.5.2 route-map to31 in

ARS BGP(config-router)> neighbor 192.168.6.2 route-map to32 out

ip prefix-list 1 to31 permit 172.16.31.0/24 

ip prefix-list 1 to32 permit 172.16.32.0/24 

!

route-map to31 permit 10

match ip address prefix-list to31

set Local-preference 200

!

route-map to32 permit 10

match ip address prefix-list to32

set as-path prepend 1000 1000 1000 1000

Related Articles

Categories

Source :
https://www.sonicwall.com/support/knowledge-base/apply-bgp-route-map-for-numbered-vpn-tunnel-interface-between-aws-and-sonicwall/190110123222176/

Exit mobile version