A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-j822-x5gg-5r56: Moodle allows users to retrieve information they did not have permission to access

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

GHSA-r4xr-m393-778m: Moodle IDOR when accessing list of course badges

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

GHSA-fhg2-r2h9-h7q8: Moodle IDOR when deleting OAuth2 linked accounts

Unrestricted Upload of File with Dangerous Type, Improper Input Validation, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS.This issue affects django Filer: from 3 before 3.3.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-j4v3-wwwx-5gqv: django Filer Unrestricted Upload of File with Dangerous Type

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django CMS Attributes Fields allows Stored XSS.This issue affects django CMS Attributes Fields: before 4.0.

GHSA-vxcv-4xvf-pc22: django CMS Attributes Field Cross-site Scripting

QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.

Wednesday, November 20, 2024 06:00

*   QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos’ data, roughly 60% of all email containing a QR code is spam.  
*   Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code's orientation and position. 
*   Further complicating detection, both by users and anti-spam filters, Talos found QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes increased, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response“ codes (QR codes). 

QR codes are a two-dimensional matrix bar code that can encode just over 7,000 numeric characters, or up to approximately 4,300 alphanumeric characters. While they can represent almost any data, most frequently we encounter QR codes that are used to encode URLs. 

**Quantifying the QR code problem **

Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up between .01% and .2% of all email worldwide. This equates to roughly one out of every 500 email messages. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, **roughly 60% of all email containing a QR code is spam**.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication (MFA) requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate wi-fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred. 

**Why are malicious QR codes hard to detect? **

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters.

__An email containing a QR code constructed from Unicode characters (defanged).__

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

__HTML used to construct a malicious QR Code from Unicode characters.__

**Defanging QR codes **

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, and/or to add brackets (“\[\]”) around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging.” Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

__A news article from BBC containing a working QR code (this has been defanged by Talos).__

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. **To make malicious QR codes safe for consumption, they should be defanged.** 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code's orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. Additional details on how this is achieved, will be covered later in the blog. 

A normal QR code on the left vs. a defanged QR code on the right.

**Be careful what you scan! **

For years, security professionals have encouraged users **not** to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images that are “QR code art.” These images blend the data points of a QR code seamlessly into an artistic image so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it.

**How to protect yourself from malicious QR codes **

QR codes have become ubiquitous, appearing in email, on restaurant menus, at public events, on retail packaging, in museums, and even public parks and trails. The perfect defense is to avoid scanning any QR codes; however, it can be difficult to avoid scanning these entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will allow you to more closely inspect the link. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to login, rather than clicking on a URL presented to you from an unknown third party.

Malicious QR Codes: How big of a problem is it, really?

Recent backdoor implants and cyber-espionage attacks on their supply chains have African organizations looking to diversify beyond Chinese, American tech vendors.

Source: CG Alex via Shutterstock

Every night for five years, computers and network appliances from the headquarters of the African Union in Ethiopia — a facility built by Chinese firms — reportedly reached out to China-based systems and uploaded sensitive data. The espionage through the technology supply chain, which China's government denies, undermined the security of the pan-African organization.

The incident and more recent supply-chain breaches have underscored that reliance on foreign technological supply chains carries with it significant risks. While using a technology supply chain anchored in China was seen as a less constrained option than US and European options, the truth is that African nations need to evaluate the security of all their supply chains across applications, consumer devices, infrastructure, and service providers, according to a report published by the Africa Center for Strategic Studies, a research and academic center funded by the US Department of Defense.

"I don't think there's an African country that doesn't have some kind of interest in fostering a more robust technology industry and finding various ways to exert more ownership and agency over various aspects of the technology sector," says Nate Allen, associate professor at the Africa Center for Strategic Studies and the author of the report. "You are seeing increasing African interest in having more ownership and say over their technology supply chains."

Supply-chain security has become a major issue worldwide following malicious events, such as the WannaCry and NotPetya worms and the compromise of SolarWinds, as well as IT supply-chain failures, like this summer's CrowdStrike outage. The US government has voiced concerns over the extent to which US maritime ports are reliant on Chinese equipment and investment, and China has begun creating its own operating system and software ecosystem.

Similarly, African nations have become wary of information technology supplied by any number of foreign countries, including China, Russia, the US, and Europe. While African nations need the technology and investment, they are pursuing initiatives to reduce their reliance, says Mark Walker, vice president of data and analytics for the Middle East, Turkey, and Africa for IDC South Africa.

"The reality is that we live in a multidimensional, globally interconnected world, \[where\] development is reliant on significant capital investment and R&D to develop technology — often this is in limited supply across Africa," he says. "That said, many African nations are focusing on developing local software and technology skills in their populations to offset reliance on global players and also ensure that solutions are relevant to local market condition and needs. Education plays a significant role in this."

**China, US Dominate Africa's Tech Market**

Those efforts are still nascent, with the reality that the top technology suppliers in Africa come from China and the US. In mobile applications, for example, 36 of 2023's top-100 applications are from Chinese companies, while 23 are from US companies, according to a report from DataSparkle, a provider of data and analytics for emerging markets. Africa-based developers only account for only seven applications, mostly focused on digital cash and payment applications.

The US dominates the operating-system supply chain with Microsoft's Windows, Google's Android, and Apple's iOS dominating the field.

"If you're not China and you're not the United States, you just have a lot of dependencies in your technology supply chain, and there's no way around it — even to some extent, if you are China and the United States," ACSS's Allen says.

Yet, the 54 nations on the content have options. While foreign firms provide much of the technology, the African market continues to grow and the domestic technology sector continues to have the most insight into nation-by-nation needs.

"\[A\] detailed view of Africa’s technology sector reveals that it is not under the control of any one actor, and there are plenty of opportunities for Africans to assert agency," the ACSS report stated. "By further fostering diversity and competition within the tech sector, African governments can help mitigate the vulnerabilities that come from external actor influence."

**Future of Technology Supply Chains in Africa**

Companies entering the market should find ways to address the cybersecurity concerns of African customers, because if they don't, someone else will, says IDC South Africa's Walker.

"Competition is strong, and vendors are judged on their ability to supply relevant technologies and services at a fair price with solid \[local\] support structures," he says, adding that companies should understand "the local market dynamics, including economic and political realities and the local regulatory environments. Security issues faced in the Horn of Africa around Somalia are different to those faced in northern Nigeria and the Magreb, which again, differ significantly from southeast Africa."

Among incidents in Africa, Chinese hackers targeted Kenyan officials following the nation's trouble paying back loans from China, according to news reports published in 2023, while another incident involved a state-sponsored group targeting foreign-affairs ministries, embassies, and military forces in Africa in an operation dubbed Diplomatic Specter, according to a threat analysis published in May.

In addition, African officials have warned that an important technology supply chain for the continent — open-source software (OSS) — needs to be better secured to prevent malicious attacks.

"I don't think that Africans are naive, or any government around the world is naive — I think they know that, if you are being sold a technology product that is not domestically produced, then there's always going to be some kind of security risk there," says ACSS's Allen. "I think the question is, how can you mitigate that security risk?"

Companies working in the markets need to have an answer to that question, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

African Reliance on Foreign Suppliers Boosts Insecurity Concerns

Oracle is warning that a high-severity security flaw impacting the Agile Product Lifecycle Management (PLM) Framework has been exploited in the wild.
The vulnerability, tracked as CVE-2024-21287 (CVSS score: 7.5), could be exploited sans authentication to leak sensitive information.
"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network

Oracle Warns of Agile PLM Vulnerability Currently Under Active Exploitation

More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.

Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany

RIIG is a risk intelligence and cybersecurity solutions provider offering open source intelligence solutions designed for zero-trust environments.

Source: Olekcii Mach via Alamy Stock Photo

As cyber threats get more sophisticated and the volume of attacks increase, organizations are looking at how artificial intelligence (AI) can help beef up defenses. RIIG, a risk intelligence and cybersecurity solutions provider, combines AI And machine learning technologies with network threat detection to provide risk intelligence. With access to 17 intelligence agencies and collaborations with commercial partners, RIIG provides organizations with high-quality, verifiable data and advanced intelligence, the company said in a statement.

Charlottesville-Va.-based RIIG, which emerged from stealth today, specializes in "white hat data trust services" and offers open source risk intelligence for zero-trust environments, the company said. RIIG offers both risk intelligence offerings, such as open source intelligence, regulation, and forensics, as well as cybersecurity solutions, such as vulnerability assessments, strategic implementation, and tech validation. 

RIIG plans to partner with local academic institutions for access to industry-leading research and talent. 

The company also announced it raised $3 million in seed funding, led by the Felton Group. The funds will be used to accelerate product development and expand client support.

**About the Author**

Tag

#auth