An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.

**Release Notes**

**OTRS Group, the world’s leading provider of the OTRS service management suite, including the fully managed OTRS solution and the ITIL® V3-compliant IT service management software OTRS::ITSM.**

*   26/04/2019
*   Security Advisories

**April 26, 2019 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.**

**Security Advisory Details**

*   ID: OSA-2019-05
*   Date: 2019-04-26
*   Title: Reflected and Stored XSS
*   Severity: 3.1 low
*   Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
*   Fixed in: OTRS 7.0.7, OTRS 6.0.18, OTRS 5.0.35
*   FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R
*   References: CVE-2019-10067

**Vulnerability Description**

This advisory covers vulnerabilities discovered in the OTRS framework.

**Privilege Escalation**

An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.

Affected by this vulnerability are all releases of OTRS 7.0.x up to and including 7.0.6, OTRS 6.0.x up to and including 6.0.17 and OTRS 5.0.x up to and including 5.0.35.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

**Release Name:**

Security Advisory 2019-05: Security Update for OTRS Framework

**PGP Key**

*   pub 2048R/9C227C6B 2011-03-21 \[expires at: 2020-11-16\]
*   uid OTRS Security Team <security@otrs.org\>
*   GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

**Archives**

*   Security Advisories

**Find us on Social Media**

CVE-2019-10067: Security Advisory 2019-05: Security Update for OTRS Framework - ((OTRS)) Community Edition

A memory corruption vulnerability exists in the DMG File Format Handler functionality of PowerISO 7.9. A specially crafted DMG file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. The vendor fixed it in a bug-release of the current version.

**Summary**

A memory corruption vulnerability exists in the DMG File Format Handler functionality of PowerISO 7.9. A specially crafted DMG file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. The vendor fixed it in a bug-release of the current version.

**Tested Versions**

PowerISO 7.9

**Product URLs**

https://www.poweriso.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787 - Out-of-bounds Write

**Details**

PowerISO is a powerful CD/DVD/BD image file processing tool, which allows to open, extract, burn, create, edit, compress, encrypt, split and convert ISO files, and mount ISO files with an internal virtual drive. Recent versions provide support for Apple Disk Image file format (also known as DMG - file extension).

Apple Disk Image is a disk image format commonly used by the macOS operating system. This format can be structured according to one of several proprietary disk image formats, including the Universal Disk Image Format (UDIF) from Mac OS X and the New Disk Image Format (NDIF) from Mac OS 9. This format is still not officially documented by Apple. However there are various 3rd party resources that provide additional details regarding the Apple Disk Image format.

Typically, when inflating a ZLIB block inside a DMG file, the output buffer size should be limited to SECTOR_SIZE * BuffersNeeded (from the BLKXTable), but whatever the output buffer size limit is, it should be checked during the inflation operation. PowerISO, while inflating ZLIB section, does not correctly check the boundary of the output buffer. This leads to memory corruption when specifically crafted DMG file is parsed:

    .text:0000000000006E73 loc_6E73:                               ; CODE XREF: sub_6B20+376↓j
    .text:0000000000006E73                 mov     al, [rcx+1]
    .text:0000000000006E76                 add     rcx, 3
    .text:0000000000006E7A                 add     r8, 3
    .text:0000000000006E7E                 mov     [r8-2], al      ; memory corruption 1
    .text:0000000000006E82                 mov     al, [rcx-1]
    .text:0000000000006E85                 add     r11d, 0FFFFFFFDh
    .text:0000000000006E89                 cmp     r11d, 2
    .text:0000000000006E8D                 mov     [r8-1], al
    .text:0000000000006E91                 mov     al, [rcx]
    .text:0000000000006E93                 mov     [r8], al        ; memory corruption 2
    .text:0000000000006E96                 ja      short loc_6E73
    .text:0000000000006E98                 test    r11d, r11d
    .text:0000000000006E9B                 jz      short loc_6EC0 
    

Memory for decompression function is provided here:

    0x71E8: entry func init r11=dest=000000002fdd7b20
    0x833E: set dest buff r11=000000002fdd7b2d
    0x7F0A: before CALL buggy_inflate entry r11=dest=000000002fdd7b2d max_write=000000002fddfb2d r9=0000000000007ff3
    
    0:000> db 0x2fdd7b2d+0x8000
    00000000`2fddfb2d  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fddfb3d  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fddfb4d  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fddfb5d  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    

Typical window size is 0x8000 bytes. In a malformed DMG file (malformed ZLIB section) it is possible to add a malformed DIST (waiting for distance code) or DISTEX (waiting for distance extra bits) to the ZLIB bytecode. This leads to further problems with decompression.

In a typical ZLIB implementation, after each cycle of inflate function, there is a safety check present \[1\]:

    in -= strm->avail_in;
    out -= strm->avail_out;
    strm->total_in += in;
    strm->total_out += out;
    state->total += out;
    if (state->wrap && out)
        strm->adler = state->check =
            UPDATE(state->check, strm->next_out - out, out);
    strm->data_type = state->bits + (state->last ? 64 : 0) +
                      (state->mode == TYPE ? 128 : 0);
                      
    if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK) [1]
      ret = Z_BUF_ERROR;
    

Typical ZLIB output when inflating our malformed file:

    INFLATE
    have=0 left=1637
    LEN have=0 left=1637
    in = 0 (strm->avail_in = 0)
    out = 0 (strm->avail_out = 1637)
    return ERROR Z_BUF_ERROR
    

Z_BUF_ERROR is returned when no progress was possible or if there was not enough room in the output buffer.  
In PowerISO’s implementation the output buffer length is not verified or is not verified correctly, which leads to memory corruption.

    PowerISO+0x6e7e:
    00000000`00406e7e 418840fe        mov     byte ptr [r8-2],al ds:00000000`2fdd9000=??
    0:000> db @r8-2
    00000000`2fdd9000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    00000000`2fdd9070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.Sec
        Value: 1
    
        Key  : Analysis.DebugAnalysisProvider.CPP
        Value: Create: 8007007e on I
        Key  : Analysis.DebugData
        Value: CreateObject
    
        Key  : Analysis.DebugModel
        Value: CreateObject
    
        Key  : Analysis.Elapsed.Sec
        Value: 81
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 108
    
        Key  : Analysis.System
        Value: CreateObject
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 19890
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 1513
    
    
    NTGLOBALFLAG:  400
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 0000000000406e93 (PowerISO+0x0000000000006e93)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 0000000005b57000
    Attempt to write to address 0000000005b57000
    
    FAULTING_THREAD:  0000197c
    
    PROCESS_NAME:  PowerISO.exe
    
    WRITE_ADDRESS:  0000000005b57000 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo a a si  do pami ci pod adresem 0x%p. Pami   nie mo e by  %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  0000000000000001
    
    EXCEPTION_PARAMETER2:  0000000005b57000
    
    STACK_TEXT:  
    00000000`0014ddc0 00000000`00407f2a : 00000000`00008000 00000000`01010117 00000000`0000003f 00000000`00008000 : PowerISO+0x6e93
    00000000`0014de40 00000000`004092fa : 00000000`00007ff3 00000000`00000000 00000000`00008000 00000000`05000401 : PowerISO+0x7f2a
    00000000`0014dee0 00000000`0040afa1 : 00000000`00000000 00000000`05a1c730 00000000`00000bc0 00000000`00000000 : PowerISO+0x92fa
    00000000`0014dfb0 00000000`004059a2 : 00000000`00000bc0 00000000`00001000 00000000`00010000 00000000`00010000 : PowerISO+0xafa1
    00000000`0014e020 00000000`0041486a : 00000000`00000002 00000000`058de6f0 00000000`00000008 00000000`00000000 : PowerISO+0x59a2
    00000000`0014e080 00000000`004167d6 : 00000000`059e3ed0 00000000`00416d44 00000000`00000028 00000000`005d115a : PowerISO+0x1486a
    00000000`0014e0f0 00000000`00415b5d : 00000000`00000000 00000000`059cbe30 00000000`00000004 00000000`059e3db0 : PowerISO+0x167d6
    00000000`0014e180 00000000`00417518 : 00000000`00000000 00000000`059e3db0 00000000`058de6f0 00000000`00000000 : PowerISO+0x15b5d
    00000000`0014e1e0 00000000`00405ea2 : 00000000`00000028 00000000`00000000 00000000`058829a0 00000000`00000000 : PowerISO+0x17518
    00000000`0014e260 00000000`004063f8 : 00000000`01188be3 00000000`12b97fcb 00000000`c0340a62 00000000`4609824c : PowerISO+0x5ea2
    00000000`0014e310 00000000`005af9db : 00000000`0014e550 00000000`0014e550 00000000`00000001 00000000`02b77d4c : PowerISO+0x63f8
    00000000`0014e4c0 00000000`004e507d : 00000000`0014e670 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1af9db
    00000000`0014e5e0 00000000`004e5949 : 00000000`01188b17 00000000`0014e948 00000000`12b97fcb 00000000`c0340a62 : PowerISO+0xe507d
    00000000`0014e910 00000000`00531da3 : 00000000`00000004 00000000`05895e8c 00000000`00000000 00000000`030cb650 : PowerISO+0xe5949
    00000000`0014e940 00000000`004e09a1 : 00000000`0014ea80 00000000`00000000 00000000`00000004 00007ff9`00000002 : PowerISO+0x131da3
    00000000`0014e970 00000000`005fbce5 : 00000000`00000001 00007ff9`2272c7b8 00000000`00000000 00000000`00503eec : PowerISO+0xe09a1
    00000000`0014f890 00000000`005f887f : 00000000`02a50150 00000000`00613ddd 00000000`00000005 00000000`00000080 : PowerISO+0x1fbce5
    00000000`0014f9c0 00000000`004e0f37 : 00000000`00000000 00000000`0010046a 00000000`030cb650 00000000`00000001 : PowerISO+0x1f887f
    00000000`0014fa20 00000000`005fa008 : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xe0f37
    00000000`0014fa50 00000000`005fa1b6 : 00000000`008b3bc0 00000000`00c4d430 00000000`00000001 00007ff9`02000002 : PowerISO+0x1fa008
    00000000`0014fb10 00007ff9`2272e858 : 00000000`008b3b60 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x1fa1b6
    00000000`0014fb70 00007ff9`2272e299 : 00000000`0010046a 00000000`005fa168 00000000`0010046a 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
    00000000`0014fd00 00000000`005f6295 : 00000000`005fa168 00000000`008b3b60 00000000`00000002 00000000`008b3b60 : USER32!DispatchMessageWorker+0x249
    00000000`0014fd80 00000000`005f60d1 : 00000000`008b3b60 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x1f6295
    00000000`0014fdc0 00000000`005fe64f : 00000000`005c948c 00000000`00000000 00000000`00621258 00000000`00621268 : PowerISO+0x1f60d1
    00000000`0014fe20 00000000`005ceeab : 00000000`00000041 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x1fe64f
    00000000`0014fe80 00007ff9`22dc7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1ceeab
    00000000`0014ff30 00007ff9`24062651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    00000000`0014ff60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  PowerISO+6e93
    
    MODULE_NAME: PowerISO
    
    IMAGE_NAME:  PowerISO.exe
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
    
    Followup:     MachineOwner
    ---------
    

**Timeline**

2021-06-05 - Vendor Disclosure  
2021-06-28 - Public Release

Discovered by Piotr Bania of Cisco Talos.

CVE-2021-21871: TALOS-2021-1308 || Cisco Talos Intelligence Group

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.

@@ -12,38 +12,69 @@ import (  
func TestClean(t \*testing.T) { tests := \[\]struct { path string expVal string path string wantVal string }{ { path: "../../../readme.txt", expVal: "readme.txt", path: "../../../readme.txt", wantVal: "readme.txt", }, { path: "a/../../../readme.txt", expVal: "readme.txt", path: "a/../../../readme.txt", wantVal: "readme.txt", }, { path: "/../a/b/../c/../readme.txt", expVal: "a/readme.txt", path: "/../a/b/../c/../readme.txt", wantVal: "a/readme.txt", }, { path: "/a/readme.txt", expVal: "a/readme.txt", path: "/a/readme.txt", wantVal: "a/readme.txt", }, { path: "/", expVal: "", path: "/", wantVal: "", },  
{ path: "/a/b/c/readme.txt", expVal: "a/b/c/readme.txt", path: "/a/b/c/readme.txt", wantVal: "a/b/c/readme.txt", },  
// Windows-specific { path: \`..\\..\\..\\readme.txt\`, wantVal: "readme.txt", }, { path: \`a\\..\\..\\..\\readme.txt\`, wantVal: "readme.txt", }, { path: \`\\..\\a\\b\\..\\c\\..\\readme.txt\`, wantVal: "a/readme.txt", }, { path: \`\\a\\readme.txt\`, wantVal: "a/readme.txt", }, { path: \`..\\..\\..\\../README.md\`, wantVal: "README.md", }, { path: \`\\\`, wantVal: "", },  
{ path: \`\\a\\b\\c\\readme.txt\`, wantVal: \`a/b/c/readme.txt\`, }, } for \_, test := range tests { t.Run("", func(t \*testing.T) { assert.Equal(t, test.expVal, Clean(test.path)) t.Run(test.path, func(t \*testing.T) { assert.Equal(t, test.wantVal, Clean(test.path)) }) } }

CVE-2022-1992: pathutil: check both styles of `os.PathSeparator` (#7020) · gogs/gogs@2ca0142

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

@@ -120,6 +120,7 @@ $userName = Filter::filterVar($postData\['userName'\], FILTER\_UNSAFE\_RAW); $userRealName = Filter::filterVar($postData\['realName'\], FILTER\_UNSAFE\_RAW); $userEmail = Filter::filterVar($postData\['email'\], FILTER\_VALIDATE\_EMAIL); $automaticPassword = Filter::filterVar($postData\['automaticPassword'\], FILTER\_VALIDATE\_BOOLEAN); $userPassword = Filter::filterVar($postData\['password'\], FILTER\_UNSAFE\_RAW); $userPasswordConfirm = Filter::filterVar($postData\['passwordConfirm'\], FILTER\_UNSAFE\_RAW); $userIsSuperAdmin = Filter::filterVar($postData\['isSuperAdmin'\], FILTER\_VALIDATE\_BOOLEAN); @@ -138,6 +139,12 @@ if (is\_null($userEmail)) { $errorMessage\[\] = $PMF\_LANG\['ad\_user\_error\_noEmail'\]; } if (!$automaticPassword) { if (strlen($userPassword) <= 7 || strlen($userPasswordConfirm) <= 7) { $errorMessage\[\] = $PMF\_LANG\['ad\_passwd\_fail'\]; } }  
if (count($errorMessage) === 0) { if (!$newUser\->createUser($userName, $userPassword)) { $errorMessage\[\] = $newUser\->error(); @@ -204,6 +211,12 @@ exit(1); }  
if (strlen($newPassword) <= 7 || strlen($retypedPassword) <= 7) { $http\->setStatus(400); $http\->sendJsonWithHeaders(\['error' => $PMF\_LANG\['ad\_passwd\_fail'\]\]); exit(1); }  
$user\->getUserById($userId, true); $auth = new Auth($faqConfig); $authSource = $auth\->selectAuth($user\->getAuthSource('name'));

CVE-2023-0793: fix: added missing check on password length · thorsten/phpMyFAQ@00c0409

By Deeba Ahmed
Conor Brian Fitzpatrick (Pompompurin on the forum) launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums.
This is a post from HackRead.com Read the original post: BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Conor Brian Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum.

Conor Brian Fitzpatrick, a 21-year-old man from Peekskill, New York, has been sentenced to 20 years of supervised release in the Eastern District of Virginia for operating the notorious BreachForums hacking forum.

For your information, Fitzpatrick launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums. It served as an ideal platform for selling/leaking millions of personal data worldwide. The platform contained nearly 900 stolen databases storing more than 14 billion individual records, which BreachForums members were entitled to use. 

BreachForums ceased operations after the FBI apprehended Fitzpatrick and reportedly reemerged under the management of ShinyHunters, causing concern among cybersecurity experts and law enforcement agencies worldwide. Baphomet, one of the original forum administrators, confirmed the resurgence in a PGP-signed message, leaving little doubt about its authenticity.

Fitzpatrick was arrested on 15th March 2023 from his family home. Under custody, he admitted to owning/operating BreachForums under the “pompompurin” moniker. The accused was released on a $300,000 bond and was re-arrested on 2nd January 2024 for violating pretrial release conditions by using a computer without the required monitoring software and using VPN services.

Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum. Court documents reveal that he possessed nearly 26 video files containing sexually explicit videos of minors, including prepubescent ones. Prosecutors claimed Fitzpatrick knowingly possessed these files.

The sentencing recommendation memo reveals several incidents involving Fitzpatrick, including a data leak in December 2022 exposing records of 87,760 members of InfraGuard, 200 million users of a US social media company, 20 million user records for a background check service company, and data theft involving thousands of users’ private health insurance information in March 2023.

Fitzpatrick pleaded guilty to several counts, including Conspiracy to Commit Access Device Fraud, Solicitation for the Purpose of Offering Access, and Possession of CSAM on July 13, 2023 (PDF). He served as a middleman for stolen data transactions and admitted to feeding false information to law enforcement.

Prosecutors sought 188 months (15.7 years) of imprisonment. The defendant’s attorneys filed a memo under seal recommending his sentencing, citing confidential and medical information that should not be disclosed to the public. The court showed leniency and sentenced Fitzpatrick to time served and 20 years of supervised release. The sentencing memorandum was submitted (PDF) on 16th January 2024.

Per the sentencing conditions (PDF), for the first two years of his release, Fitzpatrick will stay at home arrest with a GPS locator and also receive mental health treatment. Fitzpatrick cannot access the internet during his first year of supervised release, and a probation officer will install monitoring software on his computer.

Prosecutors claimed that Fitzpatrick’s platform enabled hackers and fraudsters to commit “more sophisticated crimes than any could have done alone,” impacting nearly every sector of U.S. society.

****_RELATED ARTICLES_****

1.  **Authorities seize the world’s biggest dark web child abuse site**
2.  **Data Breach at New BreachForums: 4,000 members’ data leaked**
3.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**
4.  **Raidforums Database Leak: Data of 460,000 Users Dumped Online**
5.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Enterprise storage devices have 14 security weaknesses on average, putting them at risk of compromise by cyberattackers and especially ransomware attacks.

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network settings and unaddressed CVEs, affecting the average device. That leaves these repositories — often the first line of protection in the event of a ransomware attack — as sitting ducks for cybercriminals.

That's according to a data analysis published on March 22 by storage security firm Continuity Software, which found that the average device had 14 security risks, including three critical issues, which are considered those capable of allowing a significant compromise. The top three risks affecting companies' storage systems are insecure network settings, unaddressed vulnerabilities, and lax access privileges. 

Overall, the data suggests that even companies with significant security maturity may not give their backup systems as much scrutiny as other systems, the Continuity report stated. The statistics are concerning given that network-attached storage, cloud storage, and backup devices are increasingly coming under attack. In 2021, threat groups targeted a flaw in certain network-attached storage systems made by Western Digital, such as the MyBook and other devices common in smaller businesses, taking advantage of the devices lack of support due to the products reaching their end of life. Attackers have also targeted large enterprises with a ransomware attack known as Deadbolt, which targets QNAP network-attacked storage, as well as other ransomware campaigns over the last few years.

Continuity's "2023 State of Storage and Backup Security Report" also found that the lack of security surrounding storage networks and backup servers affects most companies, across all industries. 

"Although it is commonly accepted that certain industries, like financial services, tend to have more mature security strategies, this report shows that the entire field of storage \[and\] backup security across all industries is still overlooked," the report stated. "While this was similar to the last report, it is still very surprising, given the severity of recent-years data-targeted attacks, and the amount of time the industry had to develop more robust security measures."

Gil Hecht, CEO of Continuity, says that certain industry segments have surprisingly lax cyber defenses for these corporate assets.

"In more than half of the banks in the US, you will find devices that still have factory default passwords — which is unbelievable, unacceptable, makes no sense whatsoever," he says. "But the reason it happens is because storage and backup are considered to be ... back-office devices that don't need security."

**With Ransomware Comes More Risk**

The study shows that large organizations and enterprises are still catching up with the change in perspective that came along with the rise in ransomware over the past decade. In the past, storage systems and backup servers were considered protected because they were behind the firewall and often did not play a role in daily operations.

Yet ransomware is increasingly targeting backup systems so that victims have fewer recovery options, and companies that do not check the defensive posture of their storage and backup devices run serious risks, Continuity's Hecht says.

"The most terrifying thing is if you lose all the data and you cannot recover it — that is 'game over' for most companies," he says. "The second worst thing is to have all your data made public."

Recovering data from backup systems is a time intensive process, but not having the data from which to recover is worse, so companies should make sure to take defensive steps, GigaOm stated in a report on primary storage ransomware protection.

"Ransomware does not discriminate among infrastructure layers; once in, it will attempt to encrypt all of an organization’s assets within reach, which is why proper segmentation of access and networks is important," GigaOm analysts Max Mortillaro and Arjan Timmerman stated. "Losing primary data and having to restore it from data protection platforms is a time-intensive process, limited by the throughput of the backup media and network bandwidth, especially if protected data resides on the cloud."

**Patching Storage Gives Pause to IT Teams**

A major problem affecting data storage and backup devices is that they are difficult to patch — a problem that companies need to work around in their business planning, Continuity's Hecht says.

"A typical storage array in an enterprise will support, let's say, 1,000 servers," he says. "Patching a server requires downtime for the server being patched, but patching a storage array requires downtime for all 1,000 servers, and ... if there is a problem during the upgrade, you just cause a failure of all 1,000 servers."

While the need to patch can cause downtime that can broadly affect the business, having up-to-date devices is critical to a strong defensive posture, he says.

A number of technologies have been positioned as strong defenses against ransomware, such as immutable data storage, but Continuity stressed that the technologies still need to be regularly scanned to make sure they are functional and properly configured.

"This \[immutable data copy\] is an important capability," the report stated. "However, it can lead to a false sense of security if not implemented properly, and unfortunately, we did detect a significant number of misconfiguration issues specific to these features."

The Continuity report used scans from actual networks and devices to determine the subjects' defensive posture, whether the devices were properly configured and if their access controls were appropriately limited.

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.

Cybercriminal group Kimsuky has evolved into a full-fledged, persistent threat, carrying out "unusually aggressive" social-engineering attacks aimed at gathering intelligence, and stealing and laundering cryptocurrency to support the North Korean government.

Researchers from Mandiant have tracked a number of changes to the activity of the group, which they call APT43, in a series of rapid-fire attacks against targets in the US, South Korea, and Japan, they revealed in a report published today.

Kimsuky, also tracked as Thallium, has been on various researchers' radar screens since 2018, and its previous activity has been widely reported. In earlier attacks, the group mainly focused on conducting cyber espionage against research institutions, geo-political think tanks, and — particularly during the height of the pandemic — pharmaceutical companies.

The group typically used spear-phishing campaigns to lure in users and then installed various public and non-public malware, including spyware, onto targeted devices, which were often Android-based smartphones. In fact, Kimsuky was identified as recently as earlier this month leveraging malicious Chrome browser extensions and Android app-store services to target individuals conducting research on the inter-Korean conflict.

Now, however, Mandiant researchers have found that APT43 is evolving in several ways.

**New Financial & Social Tactics**

For one, the group is now following in the shoes of other North Korean APTs and branching out beyond mere cyber espionage to steal cryptocurrency, the researchers have found. In addition to using the ill-gotten currency to fund the regime of Kim Jong-un, as other groups do, APT43 also uses it to bolster its own activities, they said.

The group is even going the extra step of laundering the crypto through legitimate cloud-mining services so it comes out as clean currency and is difficult to track — an activity that might be used by other groups, but has flown under the radar until now, the researchers said.

"The washing of funds and the 'how' has been the missing piece of the equation," notes Michael Barnhart, Mandiant principal analyst at Google Cloud. "We have indications that APT43 utilizes specific hash rental services to launder these funds by mining for different cryptocurrencies."

For a small fee, these services provide hash power, which APT43 uses to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer's original payments. This allows the APT to use stolen funds to mine for a different cryptocurrency, the researchers said. By spending very little, threat actors walk away with untracked, clean currency to do as they wish, Barnhart explains.

Moreover, APT43 — while technologically unsophisticated — relies on advanced and persistent social-engineering tactics in which threat actors create convincing fake personas and exhibit patience in building relationships with targets over several weeks without using malware, the researchers said.

"I've never seen an APT quite as successful with such novel techniques," Barnhart notes. "They pretend to be subject-matter experts or reporters and ask targeted questions — often with the promise of quoting the victim in a report or news article — and successfully gain feedback."

Indeed, in some instances, attackers successfully convinced targeted victims to send over proprietary, geopolitical analysis and research without deploying malware at all, the researchers said.

This deviates from standard procedure for most threat groups, allowing APT43 to expend little effort or resources in building malware and gaining the information they are seeking in a low-fi way — by merely asking victims for it, Barnhart notes.

**High Volume Cyberattacks, Shifting Targets**

APT43 has shifted its targets, and the malware it uses, in campaigns over the years in response to the demands of the North Korean government and the cyberespionage activities it requires of the group, according to Mandiant.

"APT43 ultimately modifies its targeting and tactics, techniques, and procedures (TTPs) to suit its sponsors, including carrying out financially-motivated cybercrime as needed to support the regime," the researchers said in the report.

For example, prior to October 2020, the group primarily targeted US and South Korean government offices, diplomatic organizations, and think tank-related entities with a stake in foreign policy and security issues affecting the Korean peninsula. Over the next year, however, the group shifted its focus to COVID-19 response efforts in North Korea by targeting health-related verticals and pharmaceutical companies in South Korea, the US, Europe, and Japan.

One notable difference that has emerged between the group and other North Korean threat actors is a recent shift to expand, targeting "everyday users" based on "the sheer velocity and volume of attacks," says Joe Dobson, Mandiant principal analyst.

"By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target," he says. "Their pace of execution, combined with their success rate, is alarming."

APT43 is aiming its high-volume activity at entities and organizations in government, business services, and manufacturing as well as think tanks and organizations in education and research related to geopolitical and nuclear policy in the US, South Korea, and Japan, the researchers said.

Given its advanced social-engineering tactics and tendency to go after both specific individuals and wider-net targets, researchers advised organizations that may be at risk to share with their employees "a greater understanding of cyber hygiene and heightened awareness," Barnhart says. "It's important to make personnel aware of this threat actor's TTPs," Barnhart says.

He adds that the APT's spoofed emails are highly convincing, which makes them difficult to spot, even for savvy users; thus, organizations at risk should be on high alert.

North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43

Ubuntu Security Notice 6554-1 - Zygmunt Krynicki discovered that GNOME Settings did not accurately reflect the SSH remote login status when the system was configured to use systemd socket activation for OpenSSH. Remote SSH access may be unknowingly enabled, contrary to expectation.

==========================================================================  
Ubuntu Security Notice USN-6554-1  
December 13, 2023

gnome-control-center vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

GNOME Settings could allow unintended access to network services.

Software Description:  
- gnome-control-center: utilities to configure the GNOME desktop

Details:

Zygmunt Krynicki discovered that GNOME Settings did not accurately reflect  
the SSH remote login status when the system was configured to use systemd  
socket activation for OpenSSH. Remote SSH access may be unknowingly  
enabled, contrary to expectation.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  gnome-control-center            1:45.0-1ubuntu3.1

Ubuntu 23.04:  
  gnome-control-center            1:44.0-1ubuntu6.1

Ubuntu 22.04 LTS:  
  gnome-control-center            1:41.7-0ubuntu0.22.04.8

Ubuntu 20.04 LTS:  
  gnome-control-center            1:3.36.5-0ubuntu4.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6554-1  
  CVE-2023-5616

Package Information:  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:45.0-1ubuntu3.1  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:44.0-1ubuntu6.1  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:41.7-0ubuntu0.22.04.8  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:3.36.5-0ubuntu4.1

Ubuntu Security Notice USN-6554-1

mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

I can confirm that @awakenine 's fix works. I also can't think of a reason to accept a ReturnTo argument that contains a scheme but no hostname in the URI, but maybe others could. If there is no use-case for such argument, I would vote for merging the patch.

OTOH, I don't completely agree with removal of the backslash check. Maybe my knowledge of the codebase is still not so deep, but it appears that the backslash check is sort of orthogonal to the parsing and moreover am_check_url is used in fewer locations than am_validate_redirect_url and the functions are not codependent.

At the very least, the commit message of the patch that touches am_validate_redirect_url should be a bit better.

As I understand from this conversation backslash check was introduced as a fix to previous bypass. Now, it should be covered with hostname check because apr_uri_parse() will parse any http and https URL without :// as URI \[scheme\]:\[path\], and it will cause HTTP\_BAD\_REQUEST.

    uri: 'http:/\example.com/page.html' (ret=0)
    	scheme: 'http'
    	hostinfo: '(null)'
    	user: '(null)'
    	password: '(null)'
    	hostname: '(null)'
    	port_str: '(null)'
    	path: '/\example.com/page.html'
    	query: '(null)'
    	fragment: '(null)'
    	port: '0'
    	is_initialized: '1'
    	dns_looked_up: '0'
    	dns_resolved: '0'
    psznewuri: 'http:/\example.com/page.html'
    

Please let me know if you can bypass that.

CVE-2019-13038: Open Redirection issue · Issue #35 · Uninett/mod_auth_mellon

Code Sector TeraCopy 3.9.7 does not perform proper access validation on the source folder during a copy operation. This leads to Arbitrary File Read by allowing any user to copy any directory in the system to a directory they control.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us