osCommerce version 4 suffers from a cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to CraCkEr in November of 2023.

    # Exploit Title: osCommerce 4 - Reflected XSS# Exploit Author: skalvin# Date: 22/04/2024# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/furniture/# Tested on: Windows 11 Pro# Impact: Manipulate the content of the site# CVE: CVE-2024-4348# VDB: VDB-262488# CWE: CWE-79 / CWE-74 / CWE-707# CAPEC: CAPEC-10 / CAPEC-209 / CAPEC-250# ATT&CK: T1059.007## DescriptionAttacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsGET parameter 'cat' is vulnerable to RXSSPath: /furniture/catalog/all-productshttps://demo.oscommerce.com/furniture/catalog/all-products?cat=[XSS]https://demo.oscommerce.com/watch/catalog/all-products?cat=[XSS]## Live POC:https://demo.oscommerce.com/furniture/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1https://demo.oscommerce.com/watch/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1[-] Done

osCommerce 4 Cross Site Scripting

Ubuntu Security Notice 6761-1 - It was discovered that Anope did not properly process credentials for suspended accounts. An attacker could possibly use this issue to normally login to the platform as a suspended user after changing their password.

==========================================================================  
Ubuntu Security Notice USN-6761-1  
April 30, 2024

anope vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Anope could be made to bypass authentication checks for suspended accounts.

Software Description:  
- anope: an open source set of IRC Services

Details:

It was discovered that Anope did not properly process credentials for  
suspended accounts. An attacker could possibly use this issue to normally  
login to the platform as a suspended user after changing their password.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   anope                           2.0.12-1ubuntu1

Ubuntu 23.10  
   anope                           2.0.12-1ubuntu0.23.10.1

Ubuntu 22.04 LTS  
   anope                           2.0.9-1ubuntu0.1

Ubuntu 20.04 LTS  
   anope                           2.0.6-1ubuntu0.1

Ubuntu 18.04 LTS  
   anope                           2.0.4-2ubuntu0.1~esm1  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   anope                           2.0.3-1ubuntu0.1~esm1  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6761-1  
   CVE-2024-30187

Package Information:  
   https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu1  
   https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/anope/2.0.9-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/anope/2.0.6-1ubuntu0.1

Ubuntu Security Notice USN-6761-1

Red Hat Security Advisory 2024-2517-03 - An update for wpa_supplicant is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2517.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: wpa_supplicant security updateAdvisory ID:        RHSA-2024:2517-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2517Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-52160====================================================================Summary: An update for wpa_supplicant is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver.Security Fix(es):* wpa_supplicant: potential authorization bypass (CVE-2023-52160)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52160References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2264593

Red Hat Security Advisory 2024-2517-03

Red Hat Security Advisory 2024-2438-03 - An update for pam is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2438.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: pam security updateAdvisory ID:        RHSA-2024:2438-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2438Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2024-22365====================================================================Summary: An update for pam is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.Security Fix(es):* pam: allowing unprivileged user to block another user namespace (CVE-2024-22365)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22365References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2257722https://issues.redhat.com/browse/RHEL-16727https://issues.redhat.com/browse/RHEL-20943https://issues.redhat.com/browse/RHEL-22300https://issues.redhat.com/browse/RHEL-5099https://issues.redhat.com/browse/RHEL-5100

Red Hat Security Advisory 2024-2438-03

Themed "The Art of Possible," this year's conference celebrates new challenges and opportunities in the age of AI.

Liat Hayun, Co-Founder & CEO, Eureka Security

April 30, 2024

3 Min Read

Source: Aleksandr Matveev via Alamy Stock Photo

COMMENTARY

This year's RSA Conference theme, "The Art of Possible," celebrates the challenges brought about by new frontiers, broken boundaries, and promising horizons. While the shift to the cloud initially caused concern and hesitation, as data began moving through it, across environments and with very little oversight, data security professionals knew this profound shift in the modern business model would bring about not only challenges but also opportunities. As we enter the age of AI, the security community must embrace the possibilities of improved data security mechanisms, alongside — without obstructing — improved business processes. Looking ahead to this year's RSA Conference, here are six leading data security sessions we're excited to attend — and that will help us uncover AI's risks and opportunities.

**My Top Six Picks****Operational Data Governance-by-Design Techniques for a Data Practitioner**

Monday, May 6

Why you should attend: This session, led by Cisco Systems, seems like a unique opportunity to discover practical tools for implementing data governance across your organization while presenting various use cases, with attention given to all aspects of data use and management. Assess your level of data governance by engaging with other data practitioners in the audience in this live discussion.

**Bridging Theory and Practice of Privacy and Data Protection**

Monday, May 6

Why you should attend: The more data floods the industry, the more practical tools security practitioners need to ensure that privacy and data protection concerns are addressed across their organizational environments. This session will include practical examples of integrating data security and privacy guardrails and measures in real business environments, sourced from the audience.

**ChatGPT Unleashed: Solving Data Breach Puzzles With Precision**

Monday, May 6

Why you should attend: A data security challenge leveraging AI? Sign us up! This unique session challenges participants to use ChatGPT prompts to mitigate a looming data breach, with hidden malware waiting to be found and fixed. Beyond a fun experience, this session will expand the knowledge of what may be possible with the next generation of AI technology and lead us through an innovative learning experience.

**Controlling a Data Footprint — How to Build a Data Disposition Framework**

Monday, May 6

Why you should attend: Data is a goldmine for organizations, and they're constantly innovating in how they gather and leverage it to achieve business goals. This session will equip you with a step-by-step approach to building a data lifecycle management framework. This framework will empower companies to decide how long to hold onto data, and outline methods for safeguarding, transforming, or eliminating data to comply with regulations.

**Establishing a Data Perimeter on AWS**

Wednesday, May 8

Why you should attend: While it may seem like there are no boundaries in the cloud era to where data can reside, be stored, and be used, data security guardrails and mechanisms exist for this purpose exactly — to let data roam free for business use, while ensuring that security controls are set in place and visibility is maintained across all environments, at all times. This session will present some of the controls used by AWS to protect data from unauthorized access.

**Data Heist: How Stolen Information Becomes a Hot Commodity**

Thursday, May 9

Why you should attend: We're so busy preventing breaches that we don't often take the time to consider what malicious actors do with the data they steal after the crime. This session dives deeper, exploring the clandestine marketplaces where stolen information is peddled. You'll be exposed to the inner workings of these criminal data shops, with comprehensive risk assessments comparing the vulnerabilities of various data types and how to best protect them.

**Final Thoughts**

While data security has been a top-of-mind business and security concern for the past decade, the ever-evolving landscape of data innovation constantly introduces new and emerging threats for security practitioners. To stay ahead of the curve, cybersecurity professionals must remain vigilant and adapt their strategies accordingly. The upcoming RSA Conference provides a phenomenal platform to achieve just that, with a wide range of sessions on the latest data security trends and solutions. Hope to see you there!

**About the Author(s)**

Co-Founder & CEO, Eureka Security

Liat Hayun is the Co-founder and CEO of Eureka Security, a Cloud Data Security Posture Management platform that enables security teams to successfully navigate the ongoing and often chaotic expansion and growth of cloud data. Prior to co-founding Eureka Security, Liat spent a decade leading cybersecurity efforts in the Israeli Cyber Command and Palo Alto Networks. Her IDF service merited the prestigious Israel Defense Prize. As VP of Product Management at PANW, Liat led the production of Cortex XDR and PANW’s Managed Threat Hunting service. These roles have enabled Liat to pursue her greatest interests and concerns in the cybersecurity threat landscape, as well work with wonderfully talented people on their solutions. Passionate about working closely with others, she is driven to identify meaningful operational security gaps and develop exciting new technologies and strategies to help fellow security leaders tackle them.

The 6 Data Security Sessions You Shouldn't Miss at RSAC 2024

President Joe Biden has updated the directives to protect US critical infrastructure against major threats, from cyberattacks to terrorism to climate change.

The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

On Tuesday, President Joe Biden signed a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.

But foreign cyber threats loom largest as a danger in the near future. “America faces an era of strategic competition, where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by nonstate actors,” Caitlin Durkovich, the deputy homeland security adviser for resilience and response, told reporters during a briefing on Monday.

The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, having concluded that voluntary partnerships were not sufficiently reducing risks to essential services, has applied new cyber rules to the aviation, pipeline, railroad, maritime, and medical device industries, and the Department of Health and Human Services is working on security requirements for hospitals. Now, the administration plans to use the new memo to turbocharge efforts to apply rules to other sectors.

“It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends,” Durkovich says.

The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.

That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.

Anticipating further industry pushback to new rules in various sectors, the White House is promising to collaborate with companies. “These requirements … need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability,” the senior administration official says.

In addition to new cyber standards, the memo attempts to kickstart more harmonious and productive information-sharing relationships between government agencies and private companies. The private sector often complains that agencies either declassify information too slowly or keep it tightly restricted to only executives with security clearances. Many companies say that without timely access to the government’s detailed intelligence about hackers’ activities, it is difficult to stay ahead of those adversaries.

To address these tensions, Biden is directing US spy agencies to redouble their efforts to “collect, produce, and share intelligence” with infrastructure operators, Durkovich says.

The memo requires the Office of the Director of National Intelligence (ODNI) to produce a report on the state of the government’s information-sharing with the private sector. As part of that process, the senior administration official says, ODNI will work with CISA and other agencies to write procedures for better outreach to companies.

The government can look to two recent case studies for insights about the best ways to share useful information without jeopardizing the sensitive sources and methods used to gather it. As Russia began its expanded invasion of Ukraine in 2022, the intelligence community declassified and published intelligence about the Kremlin’s plans at such a rapid tempo that it stunned many former officials. And when officials wanted to warn companies about the seriousness of China’s recent cyber intrusions into US infrastructure, they convened classified briefings that starkly laid out the potential damage Beijing could do in the event of a war.

“We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration,” says the senior official.

In addition to the report on information sharing, the memo also gives ODNI 180 days to produce a formal intelligence assessment on threats to America’s infrastructure, and the senior official says the government “will work to share that” with companies to the extent possible.

Beyond its major substantive changes, the new memo significantly boosts the stature of CISA, which did not exist when the previous plan was written. The memo codifies CISA’s twin roles as a government-wide coordinator for infrastructure security work and as the designated SRMA for eight of the 16 sectors.

CISA has pursued its role as the lead infrastructure protection agency in multiple ways, its director, Jen Easterly, told reporters during Monday’s briefing.

First, CISA reestablished a council of senior officials that makes major decisions about how agencies coordinate to address risks. Second, Easterly says, CISA has provided agencies with “guidance and templates” to help produce risk assessments and risk management plans for each of their sectors. Third, CISA is finalizing a list of “systemically important entities” whose operations power daily life in fundamental ways.

The government will work with the companies on the important-entities list—there are fewer than 500 of them—“to ensure they have the resources necessary to manage risk,” a second senior administration official told reporters on Monday. Those companies will also be priorities for regulation.

While it updates key parts of the government’s defensive playbook, the memo does not change the basic structure underpinning this work: the 16 sectors—each containing a collection of related industries—that together comprise the nation’s critical infrastructure. A CISA report published in late 2021 recommended that the administration consider adding new sectors for the space and bioeconomy industries, but officials decided not to do so.

“Because space is really a part of so many different sectors, it did not, at this time, make sense to break space out as a separate sector,” the second senior official says. (CISA is, however, focused on space cybersecurity.) Government leaders similarly decided that bioeconomy risks were not unique enough to merit a new sector. But both industries could receive their own sectors in the future “if there are significant changes” to the risks they face, says the second official.

In light of how quickly those risks and other conditions could change, the memo directs DHS to submit a “national risk management plan” to the White House every two years summarizing what the government is doing to prevent harm.

Biden administration officials see the new document as more than just an updated strategy. To them, it is a watershed moment in how the government organizes itself to protect Americans from poisoned water, widespread blackouts, and other infrastructure disasters.

The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”

The White House Has a New Master Plan to Stop Worst-Case Scenarios

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise in the xz compression library, which would enable an attacker to silently gain access to a targeted affected system. How did that coordination work under the hood? In this article we will give a behind the scenes glimpse into what this looked like at Red Hat.DiscoveryOn Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he found in a SSH slowdown when using a n

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise in the xz compression library, which would enable an attacker to silently gain access to a targeted affected system. How did that coordination work under the hood? In this article we will give a behind the scenes glimpse into what this looked like at Red Hat.

****Discovery****

On Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he found in a SSH slowdown when using a new XZ library that was shipped by Debian.

The Debian security team relayed this information to the Red Hat Information Security (InfoSec) team. Our InfoSec team is responsible for protecting our network perimeter and company assets.

****Understanding the threat****

InfoSec involved Red Hat’s Product Security (ProdSec) department, the ones in charge of securing the software that we provide to our customers and community. Then, this global multidisciplinary team containing many of our finest developers, PenTesters, offensive analysts, managers, directors and program managers started the then confidential efforts to properly establish, understand and assess the findings from Andres.

After establishing the gravity of the situation, InfoSec and ProdSec engaged their Incident Response Plans (IRP), sharing a more complete view of this embargoed incident to help further understand how it works and assess any potential compromise to our products, both upstream and especially in Red Hat Enterprise Linux (RHEL), as well Red Hat internal assets.

At this stage, there were two major fronts: The most urgent was to determine to what extent, if any, the malware had infiltrated our products. The second was to analyze the malicious nature of the package and better understand its cleverly concealed malicious payloads.

****Securing the fort****

Our next step was establishing the affectedness of our systems, as this presented a number of concerns: Were build systems compromised? Were any other external or internal systems affected? Was there any data exfiltration? If so, was a footprint left behind?

Over the course of the investigation, we found that this is a kind of dormant malware targeting a very specific set of systems: Specifically the x86\_64 architecture, requiring both systemd and sshd. It was not targeting BSDs, Android cell phones, wi-fi routers, IoT devices, Raspberry Pis, or anything else. Essentially, it had to be a standard Linux server.

Querying VirusTotal for the rogue .o object file hash returned no results, so it was indeed something not widely known prior to Andres’ finding.

At this point, we established that this had not affected RHEL and Fedora stable branches. While no Fedora stable builds were affected, Fedora 40 beta nightly builds, the leading edge of Linux innovation, were affected.

The collaboration kept moving swiftly throughout Thursday afternoon (in US time zones), with our InfoSec team delivering the first YARA rules, ProdSec evaluating the Vulnerability Management aspects (which version affects what), and the ProdSec Supply Chain team verifying if our productization pipeline was sound and not using affected versions.

Early Thursday morning, Red Hat and IBM executives were briefed about this incident and given a complete picture of what was known so far.

****Multi-vendor collaboration****

At this stage, distro-lists at Openwall were beginning to see some traffic, but due to the limited reach of this community, we engaged the US Cybersecurity and Infrastructure Security Agency (CISA) to start a collaborative Vulnerability Information and Coordination Environment (VINCE) ticket. This enabled other vendors not participating in distro-lists, as well as the vulnerability discoverer by Andres Freund, to be engaged continuously.

Collaboration continued to flow with the ticket creation, moving around the clock through 48 participating entities: BSDs, proprietary software vendors, national Security Response teams and the heavyweights of the hardware and software landscape were working together to advance and level the field on the findings, investigation progress, other products’ affectedness and more, all done at speed to make the issue public as soon as possible.

****To CVE or not to CVE****

Historically, malware has been categorically and intentionally omitted from the CVE ecosystem. They are typically beyond the control of the vendors who provide software. However, in this case it was embedded into the vendor code, there was a vulnerable condition and relying on antivirus software to detect the existence of this malicious software can leave room for detection failure.

During the discussion with other CVE Numbering Authorities (CNAs), we erred on the side of caution. This is a condition that:

*   Has to be looked for and detected
*   Compromises confidentiality, integrity, and availability
*   Is described by an existing CWE type
*   Is a type of compromise that has a precedent of assigned CVEs
*   Affects a very specific name-version-release (NVR)
*   Is a high profile issue that needs the CVE ID as an industry-wide common identifier

That said, as a CNA, we decided to assign a CVE for this vulnerability: CVE-2024-3094.

****Good Friday****

On Friday, all the ducks (and there were a lot of them) were lined up and while this probably ruined a fair number of holidays, the participants in the VINCE ticket, including the finder, agreed to bring this to the public as soon as possible. As soon as Andres’ post went live in OSS-Security, CISA alerted the general public and Red Hat published a post as well. We had our Communications team fully engaged, informed and ready for the inquiries. Minutes after disclosure in OSS-Security, we started receiving inquiries from major news outlets asking for more information.

The impacted distros immediately pulled back the affected libraries and prepared statements to their user bases.

It was good (no pun intended) that in the end, this attack only affected a very limited set of worldwide systems in a small number of leading-edge distributions, including Fedora, and there was no evidence of further tampering or manipulation in affected systems.

To err on the side of safety, all Red Hat assets that were running the affected Fedora versions were deemed as tainted and were required to be reinstalled or redone.

Although this event had the potential to really hurt the open source community, at the end of the day, it actually displayed its strength. Multiple people, organizations and contributors worked together to stop a very real threat. The imminent incident has been stopped and remediated, but the work is not done. Many lessons have been learned around the world from this event, and I think it is fair to say that the open source community will implement improvements to minimize future risks with our distributions.

Understanding Red Hat’s response to the XZ security incident

The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers -- including AT&T, Sprint, T-Mobile and Verizon -- for illegally sharing access to customers' location information without consent.

The **U.S. Federal Communications Commission** (FCC) today levied fines totaling nearly $200 million against the four major carriers — including **AT&T**, **Sprint**, **T-Mobile** and **Verizon** — for illegally sharing access to customers’ location information without consent.

The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.

The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.

“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”

The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.

The commission said it took action after **Sen. Ron Wyden** (D-Ore.) sent a letter to the FCC detailing how a company called **Securus Technologies** had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that **LocationSmart** — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.

“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.

The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.

The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.

**Update, 6:25 p.m. ET:** Clarified that the FCC launched its investigation at the request of Sen. Wyden.

FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files.

Source: Billion Photos via Shutterstock

A high-severity vulnerability in an R programming language process could expose organizations using the popular open source language to attacks via the software supply chain.

The vulnerability, assigned CVE-2024-27322, has a CVSS vulnerability-severity score of 8.8 out of 10. It involves R's process for deserializing data, or converting objects encoded in formats such as JSON, XML, and binary, back to their original form for use in an application or program.

R is a relatively widely used language for statistical computing and graphics applications. It is popular among developers in sectors such as financial services, healthcare, research, government and in environments involving large datasets such as AI and machine learning. The Comprehensive R Archive Network (CRAN), which is the most popular R package repository, currently hosts more than 20,000 packages, while R-Forge, a site that provides R package development tools, has more than 15,800 registered members and hosts some 2,146 projects.

**Deserialization Issue**

Researchers at HiddenLayer found a weakness in R's process that gives attackers a way to execute arbitrary code in a victim environment via a specially crafted R Data Serialization (RDS) file. Programmers commonly use RDS files to store or save objects in R for future use or for sharing with others.

"This vulnerability can be exploited through the loading of RDS files or R packages, which are often shared between developers and data scientists," HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this week. "An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction," according to the report.

The maintainers of R have addressed the issue in R version 4.4.0 after HiddenLayer informed them of the issue.

**A Lazy Promise Allows Tinkering**

The vulnerability in R that HiddenLayer discovered relates to two fundamental concepts in R, called "lazy evaluation" and "promise objects." Lazy evaluation is a programming technique where an R program does not evaluate an expression or variable until actually required to, or when directly accessed. The goal is to improve performance by avoiding computations for expressions that might end up not being needed. A promise object is closely related to lazy evaluation and represents the object that has been delayed for evaluation.

What the researchers at HiddenLayer discovered was a way to create a promise object with a payload that would run code of their choice when the object was accessed during RDS file deserialization.

"R packages leverage the RDS format to save and load data," according to HiddenLayer. Two files that facilitate this process are an .rdb file that contains all the serialized objects to be included in a package, and an .rdx file that contains metadata about each of the objects.

"When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file," according to the analysis. The objects within the .rdb files are then deserialized.

"An attacker can exploit this by creating an RDS file that contains a specially crafted promise object embedded with arbitrary code," Schulz tells Dark Reading. "Due to the way R implements lazy evaluation, the embedded arbitrary code will be executed once a user has loaded the malicious file or package." An attacker can relatively easily add a weaponized package to an R repository such as CRAN and simply wait for an unwary user to load that package.

**Potentially Vast Attack Surface: Multiple Infection Sources**

There are literally dozens of major hubs, such as R-Forget and Bioconductor, that R developers use to share and download packages. Not only are these hubs providing developers with access to thousands of packages, some, like Bioconductor, with more than 42 million downloads are being used regularly, Schulz says. "Someone just needs to take advantage of the vulnerability and the massive open source space for R packages to affect thousands of downstream users in a potentially massive supply chain attack," he says.

Schulz recommends that organizations move to the latest version of R to mitigate risk: "In addition, organizations should ensure that users of R are made aware of current and potential future vulnerabilities of this nature and make it policy to only use known trusted files and packages."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth