Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1570.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: ACS 4.4 enhancement and security update  
Advisory ID:        RHSA-2024:1570-03  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1570  
Issue date:         2024-03-29  
Revision:           03  
CVE Names:          CVE-2019-25210  
====================================================================

Summary: 

Important: Updated images are now available for Red Hat Advanced Cluster Security.

Description:

Updated images are now available for Red Hat Advanced Cluster Security. The  
updated image includes new features and bug fixes.

This release includes the following features and updates:

* New Compliance capabilities (Technology Preview)  
* Network graph enhancements for internal entities  
* Build-time network policy tools is now generally available  
* Init-bundle graphical user interface improvements  
* eBPF CO-RE collection method enabled by default  
* Bring your own database for RHACS Central is now generally available  
* Support RHACS on ROSA hosted control plane  
* Life cycle updates  
* Integration with Red Hat OpenShift Cluster Manager and Paladin Cloud to discover unsecured clusters  
* Migration to stock Red Hat OpenShift SCCs during manual upgrade by using roxctl CLI  
* Cluster discovery by using cloud source integrations  
* Short-lived API tokens for Central  
* Enhanced roxctl deployment check command  
* Authentication of AWS and GCP integrations by using short-lived tokens (Technology Preview)  
* Scanner V4 that uses upstream ClairCore (Technology Preview)  
* Filter workload CVEs by using component and component source

For more information, including bug fix descriptions, see https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html.

Security fixes:  
* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)  
* helm: Missing YAML content leads to panic (CVE-2024-26147)  
* helm: Shows secrets with --dry-run option in clear text (CVE-2019-25210)

Solution:

CVEs:

CVE-2019-25210

References:

https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2222167  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://issues.redhat.com/browse/ROX-23399

Red Hat Security Advisory 2024-1570-03

Some Brother printers (such as the HL-L8360CDW v1.20) were affected by a heap buffer overflow vulnerability as the IPP service did not parse attribute names properly. This would allow an attacker to execute arbitrary code on the device.

   **An unexpected error occurred.  
   We are now investigating the problem.  
   Please wait for a while.**

CVE-2019-13192: Brother support website

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 10 things to do to improve your online privacy 

Chat app Signal will shield users' phone numbers by default from now on. Check whether you need to change your settings to adapt to the new version

Chat app Signal will shield user’s phone numbers by default from now on. And, it will no longer be necessary to exchange phone numbers when people want to connect through the app.

In November, we reported that Signal was testing usernames to eliminate the need to share your phone number. Signal has now announced that these options are live, and will be rolled out to everyone in the coming weeks.

So, what exactly has changed?

*   Your phone number will no longer be visible to everyone you chat with by default. People who already have your number saved in their phone’s contacts will still see it.
*   In case you don’t want to hand out your phone number to connect with someone on Signal, you can now create a unique username that you can use instead.
*   If you don’t want people to be able to find you by searching for your phone number on Signal, you can now enable a new, optional privacy setting.

Note that the unique username is not your profile name which is displayed in chats, it’s not a permanent handle, and not even visible to the people you’re connected with in Signal.

The optional privacy setting will only allow people that have your exact unique username to start a conversation, even if they have your phone number.

During the transition, it is important to realize that both you and the people you are chatting with on Signal will need to be using the updated version of the app to take advantage of them.

The changes are optional. You are not required to create a username and you have full control over whether you want to enable people to find you by your phone number or not.

If you’d still like everyone to see your phone number when messaging them, you can change the default by going to **Settings** > **Privacy** > **Phone Number** > **Who can see my number**. You can either choose to have your phone number visible to **Everyone** you message on Signal or **Nobody**. If you select **Nobody**, the only people who will see your phone number in Signal are people who already have it saved to their phone’s contacts.

**How to create a username on Signal**

To create a username, go to **Settings** > **Profile**. A username on Signal (unlike a profile name) must be unique and must have two or more numbers at the end of it. This choice was made with the intention to help keep usernames egalitarian and minimize spoofing. Usernames can be changed as often as you like, and you can delete your username entirely if you prefer to no longer have one.

You will still have to have a phone number in order to create a Signal account as they act as a unique identification and anti-spam measure.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Signal to shield user phone numbers by default 

A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in try_to_divide_boxes() in pgm2asc.c.

Comment 2 Product Security DevOps Team 2021-05-20 23:32:07 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

CVE-2021-33481: stack-based buffer overflow in try_to_divide_boxes() in pgm2asc.c

swaylock before 1.6 allows attackers to trigger a crash and achieve unlocked access to a Wayland compositor.

Comment 2 Product Security DevOps Team 2022-03-22 11:01:07 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

CVE-2022-26530: 2066596 – (CVE-2022-26530) CVE-2022-26530 swaylock: lock screen bypasses

A DLL hijacking vulnerability in Samsung portable SSD T5 PC software before 1.6.9 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows 7, 10, or 11 to exploit this vulnerability.)

*   A DLL hijacking vulnerability could allow a local attacker to escalate privileges on affected system.  
    An attacker must already have user privilege on Windows 7, 10, 11 to exploit this vulnerability.
    
    CVE ID
    
    CVE-2022-25154
    
    Title
    
    DLL hijacking vulnerability
    
    Affected Product
    
    Samsung portable SSD T5 PC software
    
    Affected Version
    
    Below 1.6.9 version
    
    Severity
    
    7.8
    
    Reported Date
    
    09-Jan-2022
    
    Patched Version
    
    1.6.10
    

1.  Home
2.  _Product Security Updates_

CVE-2022-25154: Product Security Update | Support | Samsung Semiconductor Global

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.

Launched in November 2019, OTP Agency was a service for intercepting one-time passwords needed to log in to various websites. Scammers would enter the target’s phone number and name, and the service would initiate an automated phone call to the target that alerts them about unauthorized activity on their account.

Three men in the United Kingdom have pleaded guilty to operating **otp\[.\]agency**, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.

Launched in November 2019, OTP Agency was a service for intercepting one-time passcodes needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.

The call would prompt the target to enter a one-time passcode that was sent to the user via SMS when the thieves attempted to log in. Any codes shared by the target were then relayed to the scammer’s user panel at the OTP Agency website.

A statement published Aug. 30 by the U.K.’s **National Crime Agency** (NCA) said three men pleaded guilty to running OTP Agency: **Callum Picari**, 22, from Hornchurch, Essex; **Vijayasidhurshan Vijayanathan**, 21, from Aylesbury, Buckinghamshire; and **Aza Siddeeque**, 19, from Milton Keynes, Buckinghamshire.

KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.

Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:

> Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat
> 
> Vijayanathan: Are you sure
> 
> Picari: So much evidence in there
> 
> Vijayanathan: Are you 100% sure
> 
> Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find
> 
> Vijayanathan: Exactly so if we just shut EVERYTHING down
> 
> Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%
> 
> Vijayanathan : Everyone with a brain will tell you stop it here and move on
> 
> Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f\*^k their investigations…There’s nothing fraudulent on the site

Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.

OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.

But that revival would be short-lived. The NCA said the site was taken offline less than a month later when the trio were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 month the service was active.

Picari was the owner, developer and main beneficiary of the service, and his personal information and ownership of OTP Agency was revealed in February 2020 in a “dox” posted to the now-defunct English-language cybercrime forum Raidforums. The NCA said it began investigating the service in June 2020.

The OTP Agency operators who pleaded guilty to running the service; Aza Siddeeque, Callum Picari, and Vijayasidhurshan Vijayanathan.

OTP Agency might be gone, but several other similar OTP interception services are still in operation and accepting new customers, including a long-running service KrebsOnSecurity profiled in September 2021 called **SMSRanger**. More on SMSRanger in an upcoming post.

Text messages, emails and phone calls warning recipients about potential fraud are some of the most common scam lures. If someone (or something) calls saying they’re from your bank, or asks you to provide any personal or financial information, _do not respond_.  Just hang up, full stop.

If the call has you worried about the security and integrity of your account, check the account status online, or call your financial institution — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.

Further reading: When in Doubt, Hang Up, Look Up, and Call Back

Owners of 1-Time Passcode Theft Service Plead Guilty

An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output. The output is different from #763.

\=================================================================  
\==6659==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7f8d891f0592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x418dff in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:108  
#2 0x418dff in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).

**Crash Input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-ml-01

**Verification steps：**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-ml-01 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43037: Memory leaks with ASAN in mp42aac · Issue #788 · axiomatic-systems/Bento4

An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensitive information via the dir parameter to /api/backend/core/web-file-html/download-zip.

\[Vulnerability description\]

Ujcms v6.0.2 has a sensitive file reading problem. When using Tomcat to deploy the project, the background zip package downloads the html directory, and modifying the dir parameter causes the source code and configuration files to be downloaded

\[Vulnerability Type\]  
Sensitive file reading(Information Disclosure)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]

Condition: tomcat deployment project

The dir parameter is allowed to be set to "WEB-INF/", and the names parameter is allowed to be set to "classes", so that the source code and web configuration files can be downloaded directly.(There is no html directory by default, you can create it directly through the function)

\[Code Details\]

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#downloadZip  
The code checks the two parameters "dir" and "names" separately

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkId(java.lang.String)  
Check whether there is directory traversal, no restrictions on accessible directories

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String)Check the file name, when both meet  
(1) The file name is empty  
(2) The file name contains illegal characters  
Accessible directories are not restricted

Search

lenovo warranty check/lookup | check warranty status | lenovo support us