The Windows kernel suffers from out-of-bounds reads and other issues when operating on long registry key and value names.

Windows Kernel Long Registry Key / Value Out-Of-Bounds Read

HEUR:Trojan.MSIL.Agent.gen malware suffers from an information disclosure vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/bc2ccf92bea475f828dcdcb1c8f6cc92.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: HEUR:Trojan.MSIL.Agent.genVulnerability: Information DisclosureDescription: the malware runs an HTTP service on port 19334. Attackers who can reach an infected host can make HTTP GET requests to download and or stat arbitrary files using forced browsing.Family: AgentType: PE64MD5: bc2ccf92bea475f828dcdcb1c8f6cc92Vuln ID: MVID-2022-0654Disclosure: 11/09/2022Exploit/PoC:C:\>curl "http://192.168.18.125:19334/c:/Windows/system.ini" -v  Trying 192.168.18.125:19334...  Connected to 192.168.18.125 (192.168.18.125) port 19334 (#0)  GET /c:/Windows/system.ini HTTP/1.1  Host: 192.168.18.125:19334  User-Agent: curl/7.83.1  Accept: */** Mark bundle as not supporting multiuse* HTTP 1.0, assume close after body  HTTP/1.0 200 OK  content-encoding: utf8  content-type: application/octet-stream  date: Tue, 08 Nov 2022 23:11:55 GMT  last-modified: Sat, 16 Jul 2016 07:45:35 GMT  content-disposition: attachment; filename*=UTF-8''system.ini; filename="system.ini"; for 16-bit app support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci]* Closing connection 0Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

HEUR:Trojan.MSIL.Agent.gen MVID-2022-0654 Information Disclosure

The Windows kernel suffers from multiple memory corruption vulnerabilities when operating on very long registry paths.

Windows Kernel Long Registry Path Memory Corruption

Red Hat Security Advisory 2022-6882-01 - Openshift Logging 5.3.13 security and bug fix release.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Openshift Logging 5.3.13 security and bug fix release  
Advisory ID:       RHSA-2022:6882-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6882  
Issue date:        2022-11-09  
CVE Names:         CVE-2020-35525 CVE-2020-35527 CVE-2022-0494  
                   CVE-2022-1353 CVE-2022-2509 CVE-2022-2588  
                   CVE-2022-3515 CVE-2022-21618 CVE-2022-21619  
                   CVE-2022-21624 CVE-2022-21626 CVE-2022-21628  
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-29900  
                   CVE-2022-29901 CVE-2022-32149 CVE-2022-37434  
                   CVE-2022-39399 CVE-2022-40674  
====================================================================  
1. Summary:

An update is now available for OpenShift Logging 5.3.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Openshift Logging 5.3.13 security and bug fix release

Security Fix(es):

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time  
to parse complex tags (CVE-2022-32149)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply  
this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. References:

https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2022-0494  
https://access.redhat.com/security/cve/CVE-2022-1353  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2v3pdzjgjWX9erEAQieXA//RS5LPNCMBmQuk2BFdWb8ac7zWMDMh6ia  
qMmQdkJurPEKzihaFAHCTv8cAjQhydghH48dATJobRXe545sGP2BpLOUrlQj52/u  
tY80fOTre7ocZqtQPznax7CFeigk3f959PjWzjPztSznxblj/2i52DrPFNg9uvj+  
5BI/kp+tztKTXLFmjUXC+SilR5Q1KLNsEhscIJ6frqz3wIB4acVj2YMNHbFLC3Zu  
aTH64AFFvfac1IhBFtD51KgS+0p6ReAetCt3KssdEFgv+ajLwvnitzfrBOCnp4y7  
rvc/AdhKeQDWYvvFPsjYdD8qRHplMMBSDolshDLq4/Qhxwha80wTJ4282NTpZilY  
8zdweut+1H+Wg8o6RYKmoWPbuncdhk3JVoqNFmmYsOdFRyH2Dezeqpe1P3eiT4vY  
iM8zOfJM8XyCSis3rm1A9hUed2yBl7A1mNMVRke24xmayBfe5cVUHdguKhUQTDyh  
4lVvkFY91S6izDLyiVTU5QoPmMHSef6w+uRkumOHDuGCxFctlmBMFHzBiUTYdkmk  
moPMpZWf4YKzFSMLZuC562uQ2Y7lP/GBkPuVxa0aa04PMXdMb0fLuYyaUzsks8kW  
r37lN9gtMLVrLaX5tTa4UyHjWy2P2kkH+8ZeHs7RqrDHawISEGoo0NsD8D4LG7FC  
2eYvDFN/BO4=lzPS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6882-01

Red Hat Security Advisory 2022-7896-01 - Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases. Debezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Debezium 1.9.7 security update  
Advisory ID:       RHSA-2022:7896-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7896  
Issue date:        2022-11-09  
CVE Names:         CVE-2021-22569 CVE-2022-3171  
====================================================================  
1. Summary:

A security update for Debezium is now available for Red Hat Integration.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Debezium is a distributed platform that turns your existing databases into  
event streams, so applications can see and respond immediately to each  
row-level change in the databases.

Debezium is built on top of Apache Kafka and provides Kafka Connect  
compatible connectors that monitor specific database management systems.  
Debezium records the history of data changes in Kafka logs, from where your  
application consumes them. This makes it possible for your application to  
easily consume all of the events correctly and completely. Even if your  
application stops unexpectedly, it will not miss anything: when the  
application restarts, it will resume consuming the events where it left  
off.

Security Fix(es):

* protobuf-java: potential DoS in the parsing procedure for binary data  
(CVE-2021-22569)

* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

To apply this update just follow standard installation procedure

https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_openshift/index  
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_rhel/index

4. Bugs fixed (https://bugzilla.redhat.com/):

2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data  
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-22569  
https://access.redhat.com/security/cve/CVE-2022-3171  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version 22-Q4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2v3otzjgjWX9erEAQhmmw/+NujxA03qhV4k8/pvL88Dazs3bt6ZH8ar  
ELY1Ueri1EgfWROfGB2+SKK2hbFNN+ft4iY2YWHhDX6PUAmVMPiaB0M8NCQkj7GW  
17Bo/muRWOti78J03+2314VxLwNHn+s2qCtAR3/Ks4bfcEDUMwsy/u3YTs+wtbK5  
tvO5s6uUPB2evIlliJuYKVfUFB9R900tZv44JZ2d+PC3R4S+dUcVTASRX8lDQMhx  
lOSxVePvV1rNTBJ0e7GaPCWNHR2eNSewpwI/XLhfBOh7ojIgNDUNCi69aEYyVLHW  
R7uh5R3+PFZvQX+mJ74qcQV2aYVQ4MnhKZrWqbkGyhMqHVRuF7d6DzXd2yMWVDWk  
vjgnu2NHR0SG/uRdA2Iykm0MGCq9/69KTo3C+nFEoDNg2vVdH155IInpAdpiw/zn  
iKOXcdQkrLyvClNz/giifooNm9/8HSYhI26ayOj/t+H0AGQfAGLfVHGbNQJ7y00W  
tSU1OfNPU53KCvbIk/l/3H4SOeXPbOb5pgXaEOM+8ssPk48aBSkQ5Ru7HrJOZwYY  
fU3652+qceb/IAWoHsGfW2UKOOLeyipD9i4rxhKaAQYtOsETGAoeqxF43e78VFBy  
y47unTuLhi0DyhZw+ZPKzit3j4VLTUTrB79JxyZQ+WZYXOU/ZUpwSkRwMqwjMm9Q  
+d4cGdgfQ7Y<J6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7896-01

Ubuntu Security Notice 5719-1 - It was discovered that OpenJDK incorrectly handled long client hostnames. An attacker could possibly use this issue to cause the corruption of sensitive information. It was discovered that OpenJDK incorrectly randomized DNS port numbers. A remote attacker could possibly use this issue to perform spoofing attacks. It was discovered that OpenJDK did not limit the number of connections accepted from HTTP clients. An attacker could possibly use this issue to cause a denial of service.

=========================================================================  
Ubuntu Security Notice USN-5719-1  
November 09, 2022

openjdk-8, openjdk-lts, openjdk-17, openjdk-19 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in OpenJDK.

Software Description:  
- openjdk-17: Open Source Java implementation  
- openjdk-19: Open Source Java implementation  
- openjdk-8: Open Source Java implementation  
- openjdk-lts: Open Source Java implementation

Details:

It was discovered that OpenJDK incorrectly handled long client hostnames.  
An attacker could possibly use this issue to cause the corruption of  
sensitive information. (CVE-2022-21619)

It was discovered that OpenJDK incorrectly randomized DNS port numbers. A  
remote attacker could possibly use this issue to perform spoofing attacks.  
(CVE-2022-21624)

It was discovered that OpenJDK did not limit the number of connections  
accepted from HTTP clients. An attacker could possibly use this issue to  
cause a denial of service. (CVE-2022-21628)

It was discovered that OpenJDK incorrectly handled X.509 certificates. An  
attacker could possibly use this issue to cause a denial of service. This  
issue only affected OpenJDK 8 and OpenJDK 11. (CVE-2022-21626)

It was discovered that OpenJDK incorrectly handled cached server  
connections. An attacker could possibly use this issue to perform spoofing  
attacks. This issue only affected OpenJDK 11, OpenJDK 17 and OpenJDK 19.  
(CVE-2022-39399)

It was discovered that OpenJDK incorrectly handled byte conversions. An  
attacker could possibly use this issue to obtain sensitive information.  
This issue only affected OpenJDK 11, OpenJDK 17 and OpenJDK 19.  
(CVE-2022-21618)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  openjdk-11-jdk                  11.0.17+8-1ubuntu2  
  openjdk-11-jre                  11.0.17+8-1ubuntu2  
  openjdk-11-jre-headless         11.0.17+8-1ubuntu2  
  openjdk-11-jre-zero             11.0.17+8-1ubuntu2  
  openjdk-17-jdk                  17.0.5+8-2ubuntu1  
  openjdk-17-jre                  17.0.5+8-2ubuntu1  
  openjdk-17-jre-headless         17.0.5+8-2ubuntu1  
  openjdk-17-jre-zero             17.0.5+8-2ubuntu1  
  openjdk-19-jdk                  19.0.1+10-1  
  openjdk-19-jre                  19.0.1+10-1  
  openjdk-19-jre-headless         19.0.1+10-1  
  openjdk-19-jre-zero             19.0.1+10-1  
  openjdk-8-jdk                   8u352-ga-1~22.10  
  openjdk-8-jre                   8u352-ga-1~22.10  
  openjdk-8-jre-headless          8u352-ga-1~22.10  
  openjdk-8-jre-zero              8u352-ga-1~22.10

Ubuntu 22.04 LTS:  
  openjdk-11-jdk                  11.0.17+8-1ubuntu2~22.04  
  openjdk-11-jre                  11.0.17+8-1ubuntu2~22.04  
  openjdk-11-jre-headless         11.0.17+8-1ubuntu2~22.04  
  openjdk-11-jre-zero             11.0.17+8-1ubuntu2~22.04  
  openjdk-17-jdk                  17.0.5+8-2ubuntu1~22.04  
  openjdk-17-jre                  17.0.5+8-2ubuntu1~22.04  
  openjdk-17-jre-headless         17.0.5+8-2ubuntu1~22.04  
  openjdk-17-jre-zero             17.0.5+8-2ubuntu1~22.04  
  openjdk-19-jdk                  19.0.1+10-1ubuntu1~22.04  
  openjdk-19-jre                  19.0.1+10-1ubuntu1~22.04  
  openjdk-19-jre-headless         19.0.1+10-1ubuntu1~22.04  
  openjdk-19-jre-zero             19.0.1+10-1ubuntu1~22.04  
  openjdk-8-jdk                   8u352-ga-1~22.04  
  openjdk-8-jre                   8u352-ga-1~22.04  
  openjdk-8-jre-headless          8u352-ga-1~22.04  
  openjdk-8-jre-zero              8u352-ga-1~22.04

Ubuntu 20.04 LTS:  
  openjdk-11-jdk                  11.0.17+8-1ubuntu2~20.04  
  openjdk-11-jre                  11.0.17+8-1ubuntu2~20.04  
  openjdk-11-jre-headless         11.0.17+8-1ubuntu2~20.04  
  openjdk-11-jre-zero             11.0.17+8-1ubuntu2~20.04  
  openjdk-17-jdk                  17.0.5+8-2ubuntu1~20.04  
  openjdk-17-jre                  17.0.5+8-2ubuntu1~20.04  
  openjdk-17-jre-headless         17.0.5+8-2ubuntu1~20.04  
  openjdk-17-jre-zero             17.0.5+8-2ubuntu1~20.04  
  openjdk-8-jdk                   8u352-ga-1~20.04  
  openjdk-8-jre                   8u352-ga-1~20.04  
  openjdk-8-jre-headless          8u352-ga-1~20.04  
  openjdk-8-jre-zero              8u352-ga-1~20.04

Ubuntu 18.04 LTS:  
  openjdk-11-jdk                  11.0.17+8-1ubuntu2~18.04  
  openjdk-11-jre                  11.0.17+8-1ubuntu2~18.04  
  openjdk-11-jre-headless         11.0.17+8-1ubuntu2~18.04  
  openjdk-11-jre-zero             11.0.17+8-1ubuntu2~18.04  
  openjdk-17-jdk                  17.0.5+8-2ubuntu1~18.04  
  openjdk-17-jre                  17.0.5+8-2ubuntu1~18.04  
  openjdk-17-jre-headless         17.0.5+8-2ubuntu1~18.04  
  openjdk-17-jre-zero             17.0.5+8-2ubuntu1~18.04  
  openjdk-8-jdk                   8u352-ga-1~18.04  
  openjdk-8-jre                   8u352-ga-1~18.04  
  openjdk-8-jre-headless          8u352-ga-1~18.04  
  openjdk-8-jre-zero              8u352-ga-1~18.04

Ubuntu 16.04 ESM:  
  openjdk-8-jdk                   8u352-ga-1~16.04  
  openjdk-8-jre                   8u352-ga-1~16.04  
  openjdk-8-jre-headless          8u352-ga-1~16.04  
  openjdk-8-jre-zero              8u352-ga-1~16.04

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any Java  
applications or applets to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5719-1  
  CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626,  
  CVE-2022-21628, CVE-2022-39399

Package Information:  
  https://launchpad.net/ubuntu/+source/openjdk-17/17.0.5+8-2ubuntu1  
  https://launchpad.net/ubuntu/+source/openjdk-19/19.0.1+10-1  
  https://launchpad.net/ubuntu/+source/openjdk-8/8u352-ga-1~22.10  
  https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.17+8-1ubuntu2  
  https://launchpad.net/ubuntu/+source/openjdk-17/17.0.5+8-2ubuntu1~22.04  
  https://launchpad.net/ubuntu/+source/openjdk-19/19.0.1+10-1ubuntu1~22.04  
  https://launchpad.net/ubuntu/+source/openjdk-8/8u352-ga-1~22.04  
  https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.17+8-1ubuntu2~22.04  
  https://launchpad.net/ubuntu/+source/openjdk-17/17.0.5+8-2ubuntu1~20.04  
  https://launchpad.net/ubuntu/+source/openjdk-8/8u352-ga-1~20.04  
  https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.17+8-1ubuntu2~20.04  
  https://launchpad.net/ubuntu/+source/openjdk-17/17.0.5+8-2ubuntu1~18.04  
  https://launchpad.net/ubuntu/+source/openjdk-8/8u352-ga-1~18.04  
  https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.17+8-1ubuntu2~18.04

Ubuntu Security Notice USN-5719-1

Ubuntu Security Notice 5720-1 - It was discovered that Zstandard was not properly managing file permissions when generating output files. A local attacker could possibly use this issue to cause a race condition and gain unauthorized access to sensitive data.

    ==========================================================================Ubuntu Security Notice USN-5720-1November 09, 2022libzstd vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Zstandard could be made to expose sensitive informationSoftware Description:- libzstd: fast lossless compression algorithmDetails:It was discovered that Zstandard was not properly managing filepermissions when generating output files. A local attacker couldpossibly use this issue to cause a race condition and gainunauthorized access to sensitive data.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libzstd1 1.3.1+dfsg-1~ubuntu0.16.04.1+esm3   zstd 1.3.1+dfsg-1~ubuntu0.16.04.1+esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5720-1   CVE-2021-24031, CVE-2021-24032

Ubuntu Security Notice USN-5720-1

WordPress Blog2Social versions 6.9.11 and below suffer from a missing authorization vulnerability.

Description: Missing Authorization to Authenticated (Subscriber+) Settings Update

Affected Plugin: Blog2Social

Plugin Slug: blog2social

Affected Versions: <= 6.9.11

CVE ID: CVE-2022-3622

CVSS Score: 4.7 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s: Marco Wotschka

Fully Patched Version: 6.9.12

Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content-creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.

As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely making it possible for authenticated attackers to update these settings even without the authorization to do so.

More specifically, the plugin provides administrators with the ability to enable legacy mode, which is intended to reduce server load. In legacy mode, the plugin will load content one item at a time instead of loading all content in bulk in an attempt to reduce the likelihood of dashboard freeze-ups. In order to reduce the number of concurrent outgoing connections, legacy mode will also load connections to social media accounts in sequential order as opposed to doing so simultaneously. While functionality should not be significantly affected by this for most use cases, this legacy option setting is reserved for administrators only. Unfortunately, due to a lack of capability checking on the function and in the user interface, site subscribers had access to this setting via the dashboard:

/wp-admin/admin.php?page=blog2social-settings

Furthermore, the same URL offers access to a Social Meta Data tab, which contains forms that are disabled for non-administrative users. However, browsers offer inspector tools, which can be used to modify html on the fly in order to change properties of such forms and their elements. For instance, a save button with the following properties can be modified to become functional by removing the disabled attribute from the button:

<button class="btn btn-primary pull-right" disabled="disabled" type="submit">save</button> – as a result, such a form can be submitted by a subscriber. This indicates the developer used client-side validation, which can easily be bypassed by modifying the request sent to the server.

A request could be submitted using a third party tool similar to this one:

POST /wp-admin/admin-ajax.php HTTP/1.1

Host: 127.0.0.1

Cookie:

b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce>

This had consequences such as allowing subscribers to change social meta tags which could potentially be used to impact brand reputation.

A third issue that we discovered surrounded the plugin’s general authorization mechanism.

[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VWydX-1ZpVtDW5m3pbH5yxlc9W2C4PM94S6TLRN1sYgXV5mNXrV3Zsc37CgPpPW1_8BsQ650vs3W86NLQQ1Cb22gW8qlQJx717QmtN2Cx03MLNfRLW2-JNJb7nLtJDW6WM7R34PtmhMW1Q6y_X7lS_zWVjVDs36QWQxhVzcJwS8zW-6JW8R8sdQ5n8VyMW3xQZRx311bNnW52MK5T99M-WqN2bB3jwTbxZzW1VZPJL4W2QZ5W1sVXxZ2kr-JTTbvjx4xd9hxN1FlKQT1fwwDW7k9F6p6vRy5QVbh2jM4ll2JJW999K9x38XkPRW6ZTcyY2C85K-W5CC1TG1747mhW7gFskm1Y2Zy8W1f8khN7hdTbPVNS67c54W0xjW19nHJ55SGL4QW4BD90m6r6kRYW90HD6J3JT--YW9cg9wz21JSczW3tFWZp50-1qtW8wjp8m8gL9xyW7JNDB-5x1VB83f5z1 )

The first if-statement is intended to prevent unauthorized use of this function and similar functions using the same protection. The following parts need to evaluate to true in order for the if-statement to do the same:

- current_user_can('read') – This gives access to the administration screens and user profiles. This permission is generally available to all authenticated users such as subscribers.  
- isset($_POST['b2s_security_nonce']) – this nonce is set by the plugin and can be obtained by searching the code of /wp-admin/profile.php for the string ‘b2s_security_nonce’. This nonce is generated for subscribers and higher.  
- (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0 – this verifies the nonce after some sanitization.

As long as a userId is provided, we are able to lock B2S_LOCK_AUTO_POST_IMPORT_ for any user, resulting in that user being unable to automatically import posts. We found that many other functions lacked proper capability checks as well.

The Importance of Capability Checks

Capability checks are an important part of securing AJAX actions since those are available to any logged in users, including subscribers. The following is an example of an AJAX action from the Blog2Social plugin.

add_action('wp_ajax_b2s_lock_auto_post_import', array($this, 'lockAutoPostImport'));

While nonce checks ensure that the user initiating the request intended to do so, they don’t provide authorization. As mentioned above, the check current_user_can('read') does ensure that the user initiating the request has that specific capability, but it does not suffice to protect actions intended for administrators only. A proper way to secure such actions would be to utilize a check such as

current_user_can('manage_options').

The plugin does make use of B2S_PLUGIN_BLOG_USER_ID, which determines the current user’s ID in order to ensure that options saved are personalized thus preventing overwriting other users’ preferences:

define('B2S_PLUGIN_BLOG_USER_ID', get_current_user_id());

Timeline

October 1, 2022 – Initial outreach to the plugin developer.

October 5, 2022 – We disclosed details of the vulnerabilities with the developer.

October 6, 2022 – Version 6.9.11 is released which provides a patch for the legacy mode update vulnerability.

October 10, 2022 – The remaining authorization vulnerabilities are patched in version 6.9.12.

October 27, 2022 – Wordfence Premium, Care, and Response customers receive a firewall rule to provide additional protection.

November 26, 2022 – Wordfence Free users receive a firewall rule.

Conclusion

In today’s post, we covered several vulnerabilities in the Blog2Social: Social Media Auto Post & Scheduler plugin that could be used by subscribers to update plugin settings due to improper authorization checks. The vulnerabilities were patched by ensuring that capabilities were checked.

Wordfence Premium, Care, and Response users received a firewall rule on October 27th, 2022 for enhanced protection. Wordfence free users will receive this rule after 30 days on November 26th, 2022. We strongly recommend updating to version 6.9.12 or higher of Blog2Social: Social Media Auto Post & Scheduler to ensure that your site is protected against any exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care.  If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Blog2Social as soon as possible.

WordPress Blog2Social 6.9.11 Missing Authorization

Red Hat Security Advisory 2022-7885-01 - The kpatch management tool provides a kernel patching infrastructure which allows you to patch a running kernel without rebooting or restarting any processes. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2022:7885-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7885  
Issue date:        2022-11-09  
CVE Names:         CVE-2022-2588  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2) - ppc64le, x86_64

3. Description:

The kpatch management tool provides a kernel patching infrastructure which  
allows you to patch a running kernel without rebooting or restarting any  
processes.

Security Fix(es):

* kernel: a use-after-free in cls_route filter implementation may lead to  
privilege escalation (CVE-2022-2588)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2114849 - CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2):

Source:  
kpatch-patch-4_18_0-193_80_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_81_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_87_1-1-1.el8_2.src.rpm  
kpatch-patch-4_18_0-193_90_1-1-1.el8_2.src.rpm  
kpatch-patch-4_18_0-193_91_1-1-1.el8_2.src.rpm

ppc64le:  
kpatch-patch-4_18_0-193_80_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_80_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_80_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_81_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_87_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_87_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_87_1-debugsource-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-1.el8_2.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-193_80_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_80_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_80_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_81_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_87_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_87_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_87_1-debugsource-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2ujRtzjgjWX9erEAQgxZhAAj8EcB5GD5UdWVdH9s9UjFoyQdGq1apG4  
Oc9Q3qq93YzUui9PdMeqsY9YIKDh/3N1f5QlLnHJKv2TBd+7IWowNGnxVfyL2Lht  
YuCYE7PoQ0IIJ9d/XfXq56Z42EJTUCOG0In+pM3KAIs+rPwaKR+u0jEbMISQabDj  
QAWuChE0qcsdz59+NYiDaDgYEQQQezj59pAuuuPC/W8PaGR93COJ611LWzmgDL+l  
17lOs0FFvQe05SMNTSy6ofqfNAKbucQJC+80nmTnTlyMZ8unLa2WeZ1QtDLiDcML  
F9lijF4qbMcXWzKbZrd378qmw5rkIt9ygrXrCpsqOr7MhsClgxdwQAvOC06lHlqk  
XP7LWaasq7xqOFk5UihiVloCyxkURWL7uwaGfJzBvfPNnWyaRvVbTrYtimwKlAcc  
XPEQHscMBOOVEoOCRxGy2V+HPEaGfhShDe0czPAdqF3CnX/qS13VLnbatj/qgRgz  
eirLyBCij++lIvSwR17ngEov98kpu/OO+9bPl3pLMqQA6oAfjR1M17z5F/8Niv8k  
nOfpTYbwZv+WR8Y6BJZgw+o6uX1yqZtCTW7qobLmASJB3o8Wq5yL+lytNXYVpKOf  
cak4umPp3dtvNKpuQT9N3naMn3+DRrs9Lkd/RATTao5sGCO+nFpCsi2wm1vRvb+z  
AF5BT2DqJ+o=1SyI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7885-01

Red Hat Security Advisory 2022-7887-01 - The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: linux-firmware security update  
Advisory ID:       RHSA-2022:7887-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7887  
Issue date:        2022-11-09  
CVE Names:         CVE-2020-12321  
====================================================================  
1. Summary:

An update for linux-firmware is now available for Red Hat Enterprise Linux  
7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended  
Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch

3. Description:

The linux-firmware packages contain all of the firmware files that are  
required by various devices to operate.

Security Fix(es):

* hardware: buffer overflow in bluetooth firmware (CVE-2020-12321)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1893914 - CVE-2020-12321 hardware: buffer overflow in bluetooth firmware

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
linux-firmware-20190429-73.gitddde598.el7_7.src.rpm

noarch:  
iwl100-firmware-39.31.5.1-73.el7_7.noarch.rpm  
iwl1000-firmware-39.31.5.1-73.el7_7.noarch.rpm  
iwl105-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl135-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl2000-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl2030-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl3160-firmware-22.0.7.0-73.el7_7.noarch.rpm  
iwl3945-firmware-15.32.2.9-73.el7_7.noarch.rpm  
iwl4965-firmware-228.61.2.24-73.el7_7.noarch.rpm  
iwl5000-firmware-8.83.5.1_1-73.el7_7.noarch.rpm  
iwl5150-firmware-8.24.2.2-73.el7_7.noarch.rpm  
iwl6000-firmware-9.221.4.1-73.el7_7.noarch.rpm  
iwl6000g2a-firmware-17.168.5.3-73.el7_7.noarch.rpm  
iwl6000g2b-firmware-17.168.5.2-73.el7_7.noarch.rpm  
iwl6050-firmware-41.28.5.1-73.el7_7.noarch.rpm  
iwl7260-firmware-22.0.7.0-73.el7_7.noarch.rpm  
iwl7265-firmware-22.0.7.0-73.el7_7.noarch.rpm  
linux-firmware-20190429-73.gitddde598.el7_7.noarch.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
linux-firmware-20190429-73.gitddde598.el7_7.src.rpm

noarch:  
iwl100-firmware-39.31.5.1-73.el7_7.noarch.rpm  
iwl1000-firmware-39.31.5.1-73.el7_7.noarch.rpm  
iwl105-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl135-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl2000-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl2030-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl3160-firmware-22.0.7.0-73.el7_7.noarch.rpm  
iwl3945-firmware-15.32.2.9-73.el7_7.noarch.rpm  
iwl4965-firmware-228.61.2.24-73.el7_7.noarch.rpm  
iwl5000-firmware-8.83.5.1_1-73.el7_7.noarch.rpm  
iwl5150-firmware-8.24.2.2-73.el7_7.noarch.rpm  
iwl6000-firmware-9.221.4.1-73.el7_7.noarch.rpm  
iwl6000g2a-firmware-17.168.5.3-73.el7_7.noarch.rpm  
iwl6000g2b-firmware-17.168.5.2-73.el7_7.noarch.rpm  
iwl6050-firmware-41.28.5.1-73.el7_7.noarch.rpm  
iwl7260-firmware-22.0.7.0-73.el7_7.noarch.rpm  
iwl7265-firmware-22.0.7.0-73.el7_7.noarch.rpm  
linux-firmware-20190429-73.gitddde598.el7_7.noarch.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
linux-firmware-20190429-73.gitddde598.el7_7.src.rpm

noarch:  
iwl100-firmware-39.31.5.1-73.el7_7.noarch.rpm  
iwl1000-firmware-39.31.5.1-73.el7_7.noarch.rpm  
iwl105-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl135-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl2000-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl2030-firmware-18.168.6.1-73.el7_7.noarch.rpm  
iwl3160-firmware-22.0.7.0-73.el7_7.noarch.rpm  
iwl3945-firmware-15.32.2.9-73.el7_7.noarch.rpm  
iwl4965-firmware-228.61.2.24-73.el7_7.noarch.rpm  
iwl5000-firmware-8.83.5.1_1-73.el7_7.noarch.rpm  
iwl5150-firmware-8.24.2.2-73.el7_7.noarch.rpm  
iwl6000-firmware-9.221.4.1-73.el7_7.noarch.rpm  
iwl6000g2a-firmware-17.168.5.3-73.el7_7.noarch.rpm  
iwl6000g2b-firmware-17.168.5.2-73.el7_7.noarch.rpm  
iwl6050-firmware-41.28.5.1-73.el7_7.noarch.rpm  
iwl7260-firmware-22.0.7.0-73.el7_7.noarch.rpm  
iwl7265-firmware-22.0.7.0-73.el7_7.noarch.rpm  
linux-firmware-20190429-73.gitddde598.el7_7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-12321  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2ujQ9zjgjWX9erEAQhqAw/+OphS9QKDHty/D7XjsP5WK5u+a6Ri3DlS  
egdW3yP+wu+9QYeaIvLivGs3JBZdyI538dCEzfWS6ePy6czEqrjKYznkiqqvv1Wl  
dbrgJEo5F8KMVWjOs2HtRHmM6kf8T9OpWx2S82W9K/K/4UYYAKTZNNzsdWcrU2Bk  
j9dCFcfbjkpexoJoobLW1PHaYPLtmvRsQAZPGbkTHnCyvWPRlqtvXkFB9O/fCSDB  
T+w2Dn8DnJCwfbj16wi6BA8je8ZL4mBSR5vh/Uie1B7bRnuHWoG5qBZaBYubawB1  
BK/ztdtqy9gLGVHTFTf0KygMXhSFpv0ef+5MT1ZsQoDOGrBlKC/fXVUUQWmaG0hN  
4lFqTwgSO83cxt13rfglXXMkTipMTIXJ//kOO5Ko2yrRR2UFMgjnAlaMKzyxSmvf  
uNBX4JjhdUhWzDesAr7HD9B0pMnHJA8rZqr24QVOHSvK5SmbELyU1YAr2p892QHM  
f6RzWQeVUZKHrOItjxlRil6RISUVhJD8qq57/J7POpBFLmSipv58J0/jfLevtzcK  
e7OrIhkkKHir1od+uELDsKZwdlm3Dr3XwIh8RKGpsNqk9xk+EC3zNdDEAtTXn0MV  
dTVnV8jIGFyDRmI4NMMj1Op52aj3keA5sfHW5UyMNYEwpCFzsHTxImoBq0ueBjO5  
C+EAysMTcQM=W/2L  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm