Prometei botnet continued its activity since Cisco Talos first reported about it in 2020.  Since November 2022, we have observed Prometei improving the infrastructure components and capabilities.

Prometei botnet improves modules and exhibits new capabilities in recent updates

Red Hat Security Advisory 2024-1780-03 - An update for unbound is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1780.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security and bug fix updateAdvisory ID:        RHSA-2024:1780-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1780Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSECresolver.Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1780-03

Talos revealed that rebooting an iOS or Android device may not remove the Predator spyware produced by Intellexa. Intellexa knows if their customers intend to perform surveillance operations on foreign soil.

Thursday, December 21, 2023 11:00

_By Mike Gentile,_ _Asheer Malhotra_ _and_ _Vitor Ventura__._

**Editor’s note:** This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023.

*   Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa (previously known as Cytrox). 
*   Talos’ analysis revealed that rebooting an iOS or Android device may **_not_** always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
*   Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
*   Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions. Public reporting on Intellexa’s operations has had little to no impact on their ability to conduct and grow their business across the world.
*   Almost all publications on malicious operations conducted using Intellexa’s spyware consist primarily of malicious domains as indicators of compromise (IOCs). Talos assesses that the disclosure of such domains, managed by the customers, has little to no effect on Intellexa’s operations and enables them to preserve their malware implants due to a lack of technical disclosures. 
*   After many users patched against the exploit chains used by Intellexa as of December 2021, the spyware vendor started shipping a new exploit chain to at least one new customer in early 2022 that covered the same and more recent versions of the Android operating system.

In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa’s spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system. This research also sheds light on several other aspects of the commercial spyware space, like plausible deniability, the impacts of widespread media exposure and recruitment issues.

During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.

This research delves into the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.

**Implants’ persistence is an add-on in Intellexa’s offering**

Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution. Rebooting the device is no longer a means to remove the implants from an infected device. 

In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS). However, by April 2022, that capability was being offered to their customers. Since then, no reports have been published detailing such a mechanism, as there is no reason to believe it has become obsolete. It still doesn’t survive a factory reset, but it is fair to assume that this specific capability will become available, literally breaking all trust in the device beyond recovery.

**Intellexa’s product development journey**

Cytrox was first created in North Macedonia in 2017, and at the time, built Android-based malware. In 2018, Cytrox was acquired by WiSpear and then in 2019 Nexa Technologies, WiSpear (and Cytrox) and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells commercial spyware to multiple customers without regard for their potential targets and the spyware’s misuse. 

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception. Nexa Technologies (now called RB 42) is a French-based company whose main focus is remote surveillance and security services.

Immediately after the consolidation of all these firms under Intellexa in May 2019, the revamping of Predator began, which at the time, was their flagship spyware for Android. This can be confirmed on the artifacts left on the malware binary due to the use of static library compilation at build time.

By April 2020, the revamp was finished and the malware was ready to be deployed on Android. In May 2020, the developers began working on an iOS “solution” which we assess with medium confidence was a port of Alien/Predator from Android to iOS. Our assessment is based on the fact that the engine that drives the high-level components of the Predator system is similar, if not identical, to the point where some Android artifacts, detailed in the following sections, can be found on the iOS sample.

Evolution timeline

**Pricing model**

Building commercial spyware is a sophisticated and research-driven process. It involves meticulously circumventing, bypassing and exploiting security controls put in place by mobile applications/packages and Operating Systems such as Android and iOS. Combining such potent software into a package with zero or one-click zero-day exploits makes it a highly reliable offensive “solution” – and that is exactly what makes it expensive. As early as 2016, The New York Times reported that the NSO Group charged $650,000 for every 10 infections, with an additional $500,000 for initial setup. Multi-year deals between the NSO Group and Mexico were estimated to be around $15 million – and this was back in 2013.

Fast forward five years to 2021, and another disclosure from The New York Times details the proposal brochure for Intellexa’s Predator framework offering their solution for a whopping 13.6 million Euros for:

*   20 concurrent infections.
*   One-click exploit for initial access.
*   Predator C2 and administrative hardware and software.
*   Project plans, documentation, etc.
*   12 months of warranty support.

Proposal (snipped) defining price and items

Leaked documents from 2022 show that the Nova platform, which is Intellexa’s data-gathering module, was priced at 8 million Euros in 2022. Price tags of 13.6 million or even 8 million Euros is a hefty sum. However, this reinforces the fact that commercial spyware such as those from Intellexa is neither for the common man nor for petty crimeware operators. These solutions are meant for customers with deep pockets and such expenses can only be incurred by state-sponsored agencies.

The pricing model also shows the technological evolution of the product. Based on the leaked proposal dates in July 2022, Intellexa had already incorporated boot survivability into the Android solution. It also increased the support for Android to 18 months. At this point, it is unclear if this is the direct result of Intellexa’s development and research capabilities, or if these are based on exploits acquired that ultimately would result in having such capabilities.

The original persistence mechanism on iOS was the exploitation of the original vulnerability during the boot process by loading the malicious HTML page stored locally. As such, the newly introduced Android persistence mechanism can simply be based on a similar method.

**Plausible deniability**

Intellexa’s commercial proposals are designed to create plausible deniability. These clauses extend from the infrastructure responsibilities to the delivery methods. This is a key aspect of Intellexa’s business model, the goal is to avoid a bad reputation and to claim they are not responsible for what their customers do with their “product” — they claim that they don’t even know who the victims are.

Proposal (snipped) defining responsibilities

The leaked proposals show that the infrastructure and anonymization are the responsibility of the customer. From a deniability point of view, this enables the claim that Intellexa doesn’t know _how_ victims are being targeted. From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.

Delivery method method

The delivery of Intellexa’s supporting hardware is done at a terminal or airport. This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (“Incoterms”). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located. This exact scenario was seen being put into practice when, according to a LighthouseReports

investigation

, Intellexa sold their solution to the Sudanese government.

Source: https://www.lighthousereports.com/investigation/flight-of-the-predator/

Even if we take into consideration the proposal’s terms such as, “Installation and configuration at customer designated facility…” and the “Standard training course ……,” it still does not mean that Intellexa might know where the hardware is located since everything can be done remotely or even without their personnel knowing where the customer’s “solution” is physically located.

Intellexa does have first-hand knowledge of if their software is being used to conduct surveillance operations targeting phone number prefixes other than their customers' country of origin and possibly their jurisdiction. This knowledge is a consequence of the licensing model. Any sale is limited to a single phone country code prefix, but for an additional fee, the customer can license the usage of the solution in additional countries without geographic limitations.

**Business risks****Human resources**

Commercial spyware companies don’t seem to have any kind of problem recruiting highly specialized human resources to develop their solutions. This was evidenced by the LinkedIn profiles of several highly specialized engineers. In one example, the NSO Group in June had just recruited new, highly specialized engineers from an intelligence military unit.

During the development of the iOS implant, Intellexa hired an iOS expert vulnerability researcher who had previously worked for the NSO Group. The timing of the hire indicates that the firm needed to integrate the implant with the exploit chain to deploy it reliably on iOS devices.

Snippet of the iOS security expert Curriculum Vitae

Such “experts” can be found working for and actively hunting for jobs regularly at other commercial spyware vendors too.  For example, a quick search by Talos showed that just in September 2023, the NSO group had hired another security researcher with the same research background:  

Example of employment history

And there are several examples like that. The highly skilled researchers will move from one company to another in the same line of business supplying a constant flow of human resources as needed.

**Target operating system support**

New operating system releases don’t seem to make a considerable impact on the Predator solution. Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS from their last supported version, which may not be the latest. Google releases approximately one new version per year just like Apple. But, the Android OS may consist of beta versions months before general availability. This gives plenty of lead time to Intellexa and their exploit suppliers to develop new exploit chains to use as initial attack vectors. 

It is important to understand that the Alien/Predator implants themselves don’t need to change much between operating system releases. They are written to be as generic and modular as possible, and the modules that need to be specific to an OS version and/or capability are written in Python, which can easily be updated and deployed on the fly via a customer’s infrastructure. 

The components that are more sensitive to operating system updates are the initial access vectors and the persistence mechanisms. These capabilities often rely on exploits that can be patched or new mitigation techniques may render them useless. 

**Vulnerability exploits chain patching**

This is the most sensitive and least controlled part of any commercial spyware solution. Still, one may think that there is a high impact on the operational capability of a commercial spyware vendor, but the reality seems to prove the impact is low, or medium at most. 

Exploit brokers and exploit research companies, sell full or partial exploit chains as a subscription model where the customers are entitled to workable replacements if the purchased chain is patched.

The timeline of events shows that it took Intellexa, at most, six months (probably less) to obtain and integrate a new fully operational exploit chain into their solution, after their Android previous one was patched in Nov 2021. This is confirmed by the fact that, in May 2022, their platform was being shipped to a new customer in Sudan, according to the Lighthouse report.

Overall, this demonstrates that exposing the vulnerabilities used by commercial spyware vendors, although extremely important, does not impose much of a risk on them. In fact, that risk is transferred onto the exploit brokers and vendors.

This has caught the attention of the Biden-Harris administration, to the point that the Intellexa Alliance was added to the Entity List for “_...determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems…_”  In practical terms, U.S.-based companies that deal in exploits cannot do business with the Intellexa galaxy of companies. This means that Intellexa will have to procure its exploits from companies in other regions, which for the time being, doesn’t seem to be a problem. However, if the United Kingdom and the European Union take similar actions, the market will become smaller, making it much harder for these companies to acquire their initial attack vector.

**The lack of impact from public exposure**

The public exposure of commercial spyware companies creates awareness and has gained the attention of governments and regulating bodies. Such disclosures have also been successful at attributing malicious operations conducted by regimes against human rights activists, journalists and civilian dissidents, indicating the lack of a moral compass of many of Intellexa’s “customers.” 

However, exposing regimes conducting these operations seems to have little effect on these companies’ abilities to make money. It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access. A majority of public disclosures in the commercial spyware space focus on the political aspects of the operations along with listing malicious domains and infrastructure but fail to tear open the inner workings of the malware themselves. The domains and infrastructure exposed in a disclosure are owned and operated by spyware customers themselves, often in silos, meaning that exposing one operation typically may have no impact on all the other customers. However, the risk of exposure will always be primarily based on the efforts put by the customer into their anonymization chain.

Such disclosures may have a substantial impact on the regimes (“customer”), but they fail to impose costs on the spyware vendor themselves. What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware

aiohttp v3.8.1 was discovered to contain an invalid IPv6 URL which can lead to a Denial of Service (DoS).

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-33124

**Denial of Service in aiohttp**

Moderate severity GitHub Reviewed Published Jun 24, 2022 • Updated Jun 25, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Package**

pip aiohttp (pip)

**Affected versions**

<= 3.8.1

**Description**

GHSA-rwqr-c348-m5wr: Denial of Service in aiohttp

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bumblebee HP ALM Plugin
*   TICS Plugin
*   TraceTronic ECU-TEST Plugin

**Descriptions****XSS vulnerability in notification bar**

**SECURITY-1889 / CVE-2021-21603**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

**Stored XSS vulnerability in button labels**

**SECURITY-2035 / CVE-2021-21608**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

**Reflected XSS vulnerability in markup formatter preview**

**SECURITY-2153 / CVE-2021-21610**  
**Severity (CVSS):** High  
**Description:**

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

**Stored XSS vulnerability on new item page**

**SECURITY-2171 / CVE-2021-21611**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

**Improper handling of REST API XML deserialization errors**

**SECURITY-1923 / CVE-2021-21604**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective \*/Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

**Arbitrary file read vulnerability in workspace browsers**

**SECURITY-1452 / CVE-2021-21602**  
**Severity (CVSS):** Medium  
**Description:**

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

**Path traversal vulnerability in agent names**

**SECURITY-2021 / CVE-2021-21605**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.

**Arbitrary file existence check in file fingerprints**

**SECURITY-2023 / CVE-2021-21606**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

**Excessive memory allocation in graph URLs leads to denial of service**

**SECURITY-2025 / CVE-2021-21607**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.

This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.

This threshold can be configured by setting the Java system property hudson.util.Graph.maxArea to a different number on startup.

**Missing permission check for paths with specific prefix**

**SECURITY-2047 / CVE-2021-21609**  
**Severity (CVSS):** Low  
**Description:**

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

*   accessDenied
    
*   error
    
*   instance-identity
    
*   login
    
*   logout
    
*   oops
    
*   securityRealm
    
*   signup
    
*   tcpSlaveAgentListener
    

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

**Credentials stored in plain text by TraceTronic ECU-TEST Plugin**

**SECURITY-2057 / CVE-2021-21612**  
**Severity (CVSS):** Low  
**Affected plugin: ecutest**  
**Description:**

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.

**XSS vulnerability in TICS Plugin**

**SECURITY-2098 / CVE-2021-21613**  
**Severity (CVSS):** High  
**Affected plugin: tics**  
**Description:**

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.

**Credentials stored in plain text by Bumblebee HP ALM Plugin**

**SECURITY-2156 / CVE-2021-21614**  
**Severity (CVSS):** Low  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.

**Severity**

*   SECURITY-1452: Medium
*   SECURITY-1889: High
*   SECURITY-1923: High
*   SECURITY-2021: High
*   SECURITY-2023: Medium
*   SECURITY-2025: Medium
*   SECURITY-2035: High
*   SECURITY-2047: Low
*   SECURITY-2057: Low
*   SECURITY-2098: High
*   SECURITY-2153: High
*   SECURITY-2156: Low
*   SECURITY-2171: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.274
*   **Jenkins LTS** up to and including 2.263.1
*   **Bumblebee HP ALM Plugin** up to and including 4.1.5
*   **TICS Plugin** up to and including 2020.3.0.6
*   **TraceTronic ECU-TEST Plugin** up to and including 2.23.1

**Fix**

*   **Jenkins weekly** should be updated to version 2.275
*   **Jenkins LTS** should be updated to version 2.263.2
*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.6
*   **TICS Plugin** should be updated to version 2020.3.0.7
*   **TraceTronic ECU-TEST Plugin** should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2047, SECURITY-2098, SECURITY-2153
*   **Ismail Aydemir at d0nkeysec.org** for SECURITY-1923
*   **Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1889
*   **Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2171
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2057
*   **Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-2035
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2156
*   **Travis Emmert from Apple Information Security** for SECURITY-1452
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2021, SECURITY-2023, SECURITY-2025

CVE-2021-21611: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

CVE-2021-21608: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

CVE-2021-21610: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

CVE-2021-21603: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bumblebee HP ALM Plugin
*   TICS Plugin
*   TraceTronic ECU-TEST Plugin

**Descriptions****XSS vulnerability in notification bar**

**SECURITY-1889 / CVE-2021-21603**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

**Stored XSS vulnerability in button labels**

**SECURITY-2035 / CVE-2021-21608**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

**Reflected XSS vulnerability in markup formatter preview**

**SECURITY-2153 / CVE-2021-21610**  
**Severity (CVSS):** High  
**Description:**

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

**Stored XSS vulnerability on new item page**

**SECURITY-2171 / CVE-2021-21611**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

**Improper handling of REST API XML deserialization errors**

**SECURITY-1923 / CVE-2021-21604**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective \*/Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

**Arbitrary file read vulnerability in workspace browsers**

**SECURITY-1452 / CVE-2021-21602**  
**Severity (CVSS):** Medium  
**Description:**

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

**Path traversal vulnerability in agent names**

**SECURITY-2021 / CVE-2021-21605**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.

**Arbitrary file existence check in file fingerprints**

**SECURITY-2023 / CVE-2021-21606**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

**Excessive memory allocation in graph URLs leads to denial of service**

**SECURITY-2025 / CVE-2021-21607**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.

This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.

This threshold can be configured by setting the Java system property hudson.util.Graph.maxArea to a different number on startup.

**Missing permission check for paths with specific prefix**

**SECURITY-2047 / CVE-2021-21609**  
**Severity (CVSS):** Low  
**Description:**

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

*   accessDenied
    
*   error
    
*   instance-identity
    
*   login
    
*   logout
    
*   oops
    
*   securityRealm
    
*   signup
    
*   tcpSlaveAgentListener
    

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

**Credentials stored in plain text by TraceTronic ECU-TEST Plugin**

**SECURITY-2057 / CVE-2021-21612**  
**Severity (CVSS):** Low  
**Affected plugin: ecutest**  
**Description:**

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.

**XSS vulnerability in TICS Plugin**

**SECURITY-2098 / CVE-2021-21613**  
**Severity (CVSS):** High  
**Affected plugin: tics**  
**Description:**

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.

**Credentials stored in plain text by Bumblebee HP ALM Plugin**

**SECURITY-2156 / CVE-2021-21614**  
**Severity (CVSS):** Low  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.

**Severity**

*   SECURITY-1452: Medium
*   SECURITY-1889: High
*   SECURITY-1923: High
*   SECURITY-2021: High
*   SECURITY-2023: Medium
*   SECURITY-2025: Medium
*   SECURITY-2035: High
*   SECURITY-2047: Low
*   SECURITY-2057: Low
*   SECURITY-2098: High
*   SECURITY-2153: High
*   SECURITY-2156: Low
*   SECURITY-2171: High

**Affected Versions**

*   Jenkins weekly up to and including 2.274
*   Jenkins LTS up to and including 2.263.1
*   **Bumblebee HP ALM Plugin** up to and including 4.1.5
*   **TICS Plugin** up to and including 2020.3.0.6
*   **TraceTronic ECU-TEST Plugin** up to and including 2.23.1

**Fix**

*   Jenkins weekly should be updated to version 2.275
*   Jenkins LTS should be updated to version 2.263.2
*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.6
*   **TICS Plugin** should be updated to version 2020.3.0.7
*   **TraceTronic ECU-TEST Plugin** should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2047, SECURITY-2098, SECURITY-2153
*   **Ismail Aydemir at d0nkeysec.org** for SECURITY-1923
*   **Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1889
*   **Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2171
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2057
*   **Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-2035
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2156
*   **Travis Emmert from Apple Information Security** for SECURITY-1452
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2021, SECURITY-2023, SECURITY-2025

CVE-2021-21605: Jenkins Security Advisory 2021-01-13

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us