Red Hat Security Advisory 2024-8680-03 - An update for mod_http2 is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and null pointer vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8680.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: mod_http2 security updateAdvisory ID:        RHSA-2024:8680-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8680Issue date:         2024-10-31Revision:           03CVE Names:          CVE-2024-36387====================================================================Summary: An update for mod_http2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.Security Fix(es):* mod_http2: DoS by null pointer in websocket over HTTP/2 (CVE-2024-36387)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-36387References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2295006

Red Hat Security Advisory 2024-8680-03

Red Hat Security Advisory 2024-8679-03 - An update for podman is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8679.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: podman security updateAdvisory ID:        RHSA-2024:8679-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8679Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-9675====================================================================Summary: An update for podman is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.Security Fix(es):* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9675References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317458

Red Hat Security Advisory 2024-8679-03

Red Hat Security Advisory 2024-8678-03 - An update for grafana is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include a cross site scripting vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8678.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana security updateAdvisory ID:        RHSA-2024:8678-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8678Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-9355====================================================================Summary: An update for grafana is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es):* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)* dompurify: nesting-based mutation XSS vulnerability (CVE-2024-47875)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9355References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2315719https://bugzilla.redhat.com/show_bug.cgi?id=2318052

Red Hat Security Advisory 2024-8678-03

Knee-jerk reactions to major vendor outages could do more harm than good.

Source: SOPA Images Limited

COMMENTARY

The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises. 

While the CrowdStrike outage was a freak accident, it's likely not the last time we'll witness this kind of meltdown from a major technology provider. As our digital ecosystems become further interconnected and enterprises increasingly put their trust in singular vendors, business leaders will have to grapple with the inevitability of similar events, whether from a simple outage or a malicious hack. In every case along that spectrum, however, these leaders must avoid knee-jerk reactions that could ultimately do more harm than good. Blindly switching to a new vendor or making drastic changes to IT and security processes could introduce security holes that exacerbate vulnerabilities in an organization's overall security posture, rather than improving it.  

Instead of immediately jumping ship, here are the three things companies should do in the wake of a CrowdStrike-like event to ensure business continuity and high operational standards.  

**1\. Assess Vendors' Overall Reliability and Risk**

Switching vendors after an incident isn't as simple — or as beneficial — as it may seem. Before switching, businesses must evaluate both the existing and potential vendor, and assess each vendor's overall reliability and risk. For instance, Resilience customer data shows that despite the July incident, CrowdStrike Falcon is highly effective. It has the lowest percentage of material claims of endpoint detection and response (EDR) vendors in Resilience's portfolio, with fewer than 3% of clients with Falcon experiencing a cyber-insurance claim with losses. Of course, no company can — or should — claim the ability to avoid 100% of incidents, but in these kinds of deliberations, it's critical to put a vendor's long-term track record into perspective. On the flip side, however, if a vendor shows a consistent history of outages or vulnerabilities (as has VPN provider Ivanti, of late), poor performance or communication, and long delays in remediation, an incident could be the helpful forcing factor in considering the benefits of trying something new.  

It's also important to note the costs of switching vendors that go beyond sticker price, such as implementation time, staff training costs, and adjusting workflows to incorporate the new system and meet business needs. These third-party risk considerations must be considered, with leadership weighing the business interruption costs of an outage with the existing vendor against the total costs that come with making a switch.  

**2\. Avoid Radical Changes to the Update Process**

This particular outage raised the issue of update cadence and testing frequency, with many arguing that the affected organizations should have taken a more cautious, thorough approach to testing the update before rolling it out. But delaying updates is a calculated risk, and not necessarily one that most companies should be taking. Antivirus and EDR signatures are designed to counter quick-breaking, emerging threats toward existing systems, so while you can decide to wait to allow the days or weeks it may take to fully test the update, you may be leaving your systems vulnerable to new exploits in the process. Threat actors only grow faster and more sophisticated in their approaches, so quick security updates are more crucial than ever. The risk of taking additional precautions in testing may not be worth it for every company, especially since most updates happen seamlessly. After all, part of the reason CrowdStrike made headlines was because the outage was so out of the ordinary. 

In a perfect world, where bad actors weren't a consistent threat and update processes took no extra time, following the typical best practice of testing each and every update that comes from each and every vendor might be feasible. But in the real world, changes to the update process are likely to slow down your defenses. Ultimately, there is no one-size-fits-all answer, and the best approach will depend on the specific organization and its risk tolerance.  

**3\. Don't Panic**

It's tempting to liken incidents like CrowdStrike to natural disasters (such as catastrophic hurricanes), but that oversimplification distracts from the heart of the issue. While many insurers use this analogy to describe cyber events, it's neither accurate nor useful, as it becomes an apples-to-oranges comparison that frames cyber incidents or outages as one-sided and world-ending. But the reality is far different. There's no tangible way for individuals to prevent or mitigate the intensity of category hurricanes or tornadoes, but there are certainly simple, actionable steps we can take to mitigate the financial impact of an outage or counteract the negative effects of a potential attack. This includes implementing proper cyber hygiene, transferring financial risk through cyber insurance, and having a detailed cybersecurity action plan in the event of an attack or outage. It's not only feasible but essential that companies take these steps to remain operable and functioning in the midst of an incident.  

In short, decision-makers across the board can't allow themselves to make reactive or fear-based decisions on their security posture directly following a cyber incident. These knee-jerk reactions could lead to greater complications and introduce a host of new vulnerabilities just waiting to be exploited. Instead, leaders must focus on understanding the root cause of the incident, learning from it, and making risk-driven decisions that mitigate the greatest financial loss and improve their organization's overall cyber resilience. This includes taking a proactive approach and incorporating third-party risk management into business continuity planning. That way, you'll be able to avoid catastrophic interruptions to your day-to-day business and maintain continuity and resilience in the face of a cyber incident. 

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

The Case Against Abandoning CrowdStrike Post-Outage

Red Hat Security Advisory 2024-8676-03 - Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.17.0 on Red Hat Enterprise Linux 9.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8676.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift Data Foundation 4.17.0 Security, Enhancement, & Bug Fix Update  
Advisory ID:        RHSA-2024:8676-03  
Product:            Red Hat OpenShift Data Foundation  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8676  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2023-26136  
====================================================================

Summary: 

Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.17.0 on Red Hat Enterprise Linux 9.

Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

These updated packages include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/4.17/html/4.17_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these packages that provide these bug fixes and enhancements.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-26136

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2059669  
https://bugzilla.redhat.com/show_bug.cgi?id=2190161  
https://bugzilla.redhat.com/show_bug.cgi?id=2219310  
https://bugzilla.redhat.com/show_bug.cgi?id=2241329  
https://bugzilla.redhat.com/show_bug.cgi?id=2245068  
https://bugzilla.redhat.com/show_bug.cgi?id=2250364  
https://bugzilla.redhat.com/show_bug.cgi?id=2253013  
https://bugzilla.redhat.com/show_bug.cgi?id=2257271  
https://bugzilla.redhat.com/show_bug.cgi?id=2259668  
https://bugzilla.redhat.com/show_bug.cgi?id=2262777  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268820  
https://bugzilla.redhat.com/show_bug.cgi?id=2271773  
https://bugzilla.redhat.com/show_bug.cgi?id=2272597  
https://bugzilla.redhat.com/show_bug.cgi?id=2275225  
https://bugzilla.redhat.com/show_bug.cgi?id=2275965  
https://bugzilla.redhat.com/show_bug.cgi?id=2276393  
https://bugzilla.redhat.com/show_bug.cgi?id=2276672  
https://bugzilla.redhat.com/show_bug.cgi?id=2279751  
https://bugzilla.redhat.com/show_bug.cgi?id=2279876  
https://bugzilla.redhat.com/show_bug.cgi?id=2280308  
https://bugzilla.redhat.com/show_bug.cgi?id=2280608  
https://bugzilla.redhat.com/show_bug.cgi?id=2280637  
https://bugzilla.redhat.com/show_bug.cgi?id=2283994  
https://bugzilla.redhat.com/show_bug.cgi?id=2292435  
https://bugzilla.redhat.com/show_bug.cgi?id=2292668  
https://bugzilla.redhat.com/show_bug.cgi?id=2294234  
https://bugzilla.redhat.com/show_bug.cgi?id=2294723  
https://bugzilla.redhat.com/show_bug.cgi?id=2297265  
https://bugzilla.redhat.com/show_bug.cgi?id=2297295  
https://bugzilla.redhat.com/show_bug.cgi?id=2297447  
https://bugzilla.redhat.com/show_bug.cgi?id=2297454  
https://bugzilla.redhat.com/show_bug.cgi?id=2299630  
https://bugzilla.redhat.com/show_bug.cgi?id=2299639  
https://bugzilla.redhat.com/show_bug.cgi?id=2300021  
https://bugzilla.redhat.com/show_bug.cgi?id=2300312  
https://bugzilla.redhat.com/show_bug.cgi?id=2300331  
https://bugzilla.redhat.com/show_bug.cgi?id=2300499  
https://bugzilla.redhat.com/show_bug.cgi?id=2301889  
https://bugzilla.redhat.com/show_bug.cgi?id=2302201  
https://bugzilla.redhat.com/show_bug.cgi?id=2302257  
https://bugzilla.redhat.com/show_bug.cgi?id=2302448  
https://bugzilla.redhat.com/show_bug.cgi?id=2302507  
https://bugzilla.redhat.com/show_bug.cgi?id=2302575  
https://bugzilla.redhat.com/show_bug.cgi?id=2302774  
https://bugzilla.redhat.com/show_bug.cgi?id=2302841  
https://bugzilla.redhat.com/show_bug.cgi?id=2302842  
https://bugzilla.redhat.com/show_bug.cgi?id=2303028  
https://bugzilla.redhat.com/show_bug.cgi?id=2303342  
https://bugzilla.redhat.com/show_bug.cgi?id=2303403  
https://bugzilla.redhat.com/show_bug.cgi?id=2303619  
https://bugzilla.redhat.com/show_bug.cgi?id=2303820  
https://bugzilla.redhat.com/show_bug.cgi?id=2303821  
https://bugzilla.redhat.com/show_bug.cgi?id=2303822  
https://bugzilla.redhat.com/show_bug.cgi?id=2303823  
https://bugzilla.redhat.com/show_bug.cgi?id=2303824  
https://bugzilla.redhat.com/show_bug.cgi?id=2303825  
https://bugzilla.redhat.com/show_bug.cgi?id=2303829  
https://bugzilla.redhat.com/show_bug.cgi?id=2304073  
https://bugzilla.redhat.com/show_bug.cgi?id=2304231  
https://bugzilla.redhat.com/show_bug.cgi?id=2304232  
https://bugzilla.redhat.com/show_bug.cgi?id=2304235  
https://bugzilla.redhat.com/show_bug.cgi?id=2304238  
https://bugzilla.redhat.com/show_bug.cgi?id=2304799  
https://bugzilla.redhat.com/show_bug.cgi?id=2304810  
https://bugzilla.redhat.com/show_bug.cgi?id=2304815  
https://bugzilla.redhat.com/show_bug.cgi?id=2304993  
https://bugzilla.redhat.com/show_bug.cgi?id=2305274  
https://bugzilla.redhat.com/show_bug.cgi?id=2305295  
https://bugzilla.redhat.com/show_bug.cgi?id=2305660  
https://bugzilla.redhat.com/show_bug.cgi?id=2305880  
https://bugzilla.redhat.com/show_bug.cgi?id=2306026  
https://bugzilla.redhat.com/show_bug.cgi?id=2306387  
https://bugzilla.redhat.com/show_bug.cgi?id=2306577  
https://bugzilla.redhat.com/show_bug.cgi?id=2307823  
https://bugzilla.redhat.com/show_bug.cgi?id=2307835  
https://bugzilla.redhat.com/show_bug.cgi?id=2307909  
https://bugzilla.redhat.com/show_bug.cgi?id=2308091  
https://bugzilla.redhat.com/show_bug.cgi?id=2308101  
https://bugzilla.redhat.com/show_bug.cgi?id=2308144  
https://bugzilla.redhat.com/show_bug.cgi?id=2308193  
https://bugzilla.redhat.com/show_bug.cgi?id=2308304  
https://bugzilla.redhat.com/show_bug.cgi?id=2308442  
https://bugzilla.redhat.com/show_bug.cgi?id=2308446  
https://bugzilla.redhat.com/show_bug.cgi?id=2309191  
https://bugzilla.redhat.com/show_bug.cgi?id=2309195  
https://bugzilla.redhat.com/show_bug.cgi?id=2309485  
https://bugzilla.redhat.com/show_bug.cgi?id=2309486  
https://bugzilla.redhat.com/show_bug.cgi?id=2309487  
https://bugzilla.redhat.com/show_bug.cgi?id=2309488  
https://bugzilla.redhat.com/show_bug.cgi?id=2309489  
https://bugzilla.redhat.com/show_bug.cgi?id=2309700  
https://bugzilla.redhat.com/show_bug.cgi?id=2310369  
https://bugzilla.redhat.com/show_bug.cgi?id=2310385  
https://bugzilla.redhat.com/show_bug.cgi?id=2310841  
https://bugzilla.redhat.com/show_bug.cgi?id=2310908  
https://bugzilla.redhat.com/show_bug.cgi?id=2311042  
https://bugzilla.redhat.com/show_bug.cgi?id=2311043  
https://bugzilla.redhat.com/show_bug.cgi?id=2311152  
https://bugzilla.redhat.com/show_bug.cgi?id=2311153  
https://bugzilla.redhat.com/show_bug.cgi?id=2311154  
https://bugzilla.redhat.com/show_bug.cgi?id=2311171  
https://bugzilla.redhat.com/show_bug.cgi?id=2311468  
https://bugzilla.redhat.com/show_bug.cgi?id=2311551  
https://bugzilla.redhat.com/show_bug.cgi?id=2311790  
https://bugzilla.redhat.com/show_bug.cgi?id=2311867  
https://bugzilla.redhat.com/show_bug.cgi?id=2311885  
https://bugzilla.redhat.com/show_bug.cgi?id=2311893  
https://bugzilla.redhat.com/show_bug.cgi?id=2312137  
https://bugzilla.redhat.com/show_bug.cgi?id=2312442  
https://bugzilla.redhat.com/show_bug.cgi?id=2313178  
https://bugzilla.redhat.com/show_bug.cgi?id=2313203  
https://bugzilla.redhat.com/show_bug.cgi?id=2313515  
https://bugzilla.redhat.com/show_bug.cgi?id=2313717  
https://bugzilla.redhat.com/show_bug.cgi?id=2313736  
https://bugzilla.redhat.com/show_bug.cgi?id=2314200  
https://bugzilla.redhat.com/show_bug.cgi?id=2314211  
https://bugzilla.redhat.com/show_bug.cgi?id=2314404  
https://bugzilla.redhat.com/show_bug.cgi?id=2314454  
https://bugzilla.redhat.com/show_bug.cgi?id=2314636  
https://bugzilla.redhat.com/show_bug.cgi?id=2315624  
https://bugzilla.redhat.com/show_bug.cgi?id=2315651  
https://bugzilla.redhat.com/show_bug.cgi?id=2315666  
https://bugzilla.redhat.com/show_bug.cgi?id=2315709  
https://bugzilla.redhat.com/show_bug.cgi?id=2315733  
https://bugzilla.redhat.com/show_bug.cgi?id=2315846  
https://bugzilla.redhat.com/show_bug.cgi?id=2318490  
https://bugzilla.redhat.com/show_bug.cgi?id=2319102  
https://bugzilla.redhat.com/show_bug.cgi?id=2319238

Red Hat Security Advisory 2024-8676-03

Red Hat Security Advisory 2024-8675-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8675.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:8675-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8675Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-9675====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es):* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9675References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317458

Red Hat Security Advisory 2024-8675-03

Red Hat Security Advisory 2024-8428-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8428.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.37 packages and security update  
Advisory ID:        RHSA-2024:8428-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8428  
Issue date:         2024-10-31  
Revision:           03  
CVE Names:          CVE-2024-9341  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.15.37. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8425

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in  
containers/common Go Library (CVE-2024-9341)  
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the  
containers/storage library can cause Denial of Service (DoS)  
(CVE-2024-9676)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

CVEs:

CVE-2024-9341

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2315691  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Red Hat Security Advisory 2024-8428-03

Red Hat Security Advisory 2024-8337-03 - Run Once Duration Override Operator for Red Hat OpenShift 1.1.2 for RHEL 9.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8337.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Run Once Duration Override Operator for Red Hat OpenShift 1.1.2 for RHEL 9  
Advisory ID:        RHSA-2024:8337-03  
Product:            Run Once Duration Override Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8337  
Issue date:         2024-10-31  
Revision:           03  
CVE Names:          CVE-2024-34155  
====================================================================

Summary: 

Run Once Duration Override Operator for Red Hat OpenShift 1.1.2 for RHEL 9.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

The Run Once Duration Override Operator for Red Hat OpenShift is an optional  
operator that makes it possible to override activeDeadlineSecondsOverride  
field during pod admission.

Security Fix(es):

* Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

Solution:

CVEs:

CVE-2024-34155

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529

Red Hat Security Advisory 2024-8337-03

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Threat actors use copyright infringement phishing lure to deploy infostealers

On the heels of a Chinese APT eavesdropping on phone calls made by Trump and Harris campaign staffers, Beijing says foreign nations have mounted an extensive seafaring espionage effort.

Source: US Navy Photo via Alamy Stock Photo

Just days after Chinese state-sponsored hackers attacked the presidential campaigns of both Donald Trump and Kamala Harris, Beijing is leveling accusations at unnamed foreign entities, accusing them of using secret maritime buoys and seabed equipment to spy on its naval activities.

In a message on WeChat — China's biggest social media app — the country's Ministry of State Security (MSS) claimed it has discovered devices designed for "reconnaissance and monitoring of our country's waters" and "intelligence collection and technical theft activities."

It went on to allege that foreign "secret guards" are lurking as drifting "spies" and acting as "lighthouses" to guide outsider submarines.

"Faced with the severe and complex situation of covert struggle in the deep-sea security field and the real threat of foreign espionage intelligence agencies, the national security agencies will ... firmly defend our sovereignty," the MSS reportedly said. 

"It’s highly unlikely we will ever find out for definite if these claims are accurate, but when it comes to the culprits, suspicion will definitely land on the West," says Ryan McConechy, chief technology officer at Barrier Networks. "The key lesson here is that the online world has become the preferred playing field for all adversaries today. Nation-states and criminals can operate much stealthier, they can often get deeper into networks and secrets than physical access would allow, and it is much safer for the troops who can physically distance themselves from targets."

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

William Wright, CEO of Closed Door Security, noted that at-sea ships do make for juicy espionage targets.

"Few people fully understand the importance of the maritime industry today, but vessels are like floating computers, and they often contain highly sensitive information," he explains. "Whether the information relates to China's rapidly growing navy, or information on trading, it could prove to be very valuable to another nation-state and China is clearly concerned."

**Tit for Tat? News Follows Reported Chinese Campaign Hacks**

The claims from Beijing come on the heels of reports from the Washington Post and Reuters last weekend that an unnamed advanced persistent threat (APT) infiltrated the Verizon Communications telecom network and intercepted phone calls and texts made by campaign staffers for both Trump and Harris.

In addition, the eavesdroppers also reportedly targeted Trump's own phone calls, along with those of his running mate JD Vance — though how successful these latter attempts were is unknown.

Related:Facebook Businesses Targeted in Infostealer Phishing Campaign

Following the reports, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed they were investigating "unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China," and acknowledged they were seeing "specific malicious activity targeting the sector," though they did not name victims or mention the candidates.

Verizon told Reuters meanwhile that it was "aware of a sophisticated attempt to target US telecoms and gather intelligence."

**China-US Tensions: Time to Up Critical Infrastructure Cyber Defense**

The activity aligns with prior attacks from the now-infamous Chinese state-sponsored APT Volt Typhoon, which first came to light in March 2023 after compromising telecom networks in Guam. It has since consistently targeted critical infrastructure in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and across the Pacific.

Similarly, another Chinese APT known as Salt Typhoon attacked US ISPs last month. The focus on high-value communications service provider networks in the US likely indicates a similar dual set of goals, researchers said at the time — to steal information and set up a launchpad for disruptive attacks.

Related:Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

"While it's alarming, the recent campaign targeting is also pretty unsurprising," says Casey Ellis, founder and adviser at Bugcrowd. "Given the US election season, and the access that Salt Typhoon had, I'd be surprised if they didn't target the elected officials and candidates for the presidential election."

All industries should learn from these types of campaigns, says Barrier Networks' McConechy, who notes that the seafaring espionage might be in retaliation for Volt Typhoon's assaults.

"Whether it's spyware implanted into routers, snooping hot air balloons, or spying submersibles, nation-states are getting increasingly creative when it comes to eavesdropping on other countries, so critical industries must be prepared for these assaults," he stresses. "In the digital world, these types of cyber-physical espionage campaigns have become the norm. Most countries will deny they conduct them, but they will be, they just won't want to publicly announce it, or let their target know."

He adds, "All systems must be scanned regularly for malware, and the locations close to where critical infrastructure resides must be continuously monitored for intruders, whether human or robotic. Improving defenses both physically and digitally must be a priority.”

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Latest News