By Waqas
Immediate Action Required: Update Your Apple Devices, Including iPads, MacBooks, and iPhones, NOW!
This is a post from HackRead.com Read the original post: Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

Apple has recently released security updates to tackle two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that hackers are actively exploiting.

Apple Inc. today released crucial security updates aimed at mitigating two critical zero-day vulnerabilities identified as CVE-2023-42916 and CVE-2023-42917. These vulnerabilities have been actively exploited by hackers, posing a significant risk to a wide range of Apple devices.

The vulnerabilities allow attackers to execute arbitrary code and access sensitive data on compromised devices. These security flaws are particularly concerning because they can be exploited through malicious web pages, exploiting a memory corruption bug to gain unauthorized access.

****Affected Devices****

Apple’s advisory lists a comprehensive range of devices vulnerable to these exploits:

*   iPhone XS and later models
*   iPad Pro 10.5-inch
*   iPad (6th generation and later)
*   iPad Air (3rd generation and later)
*   iPad mini (5th generation and later)
*   iPad Pro 11-inch (1st generation and later)
*   iPad Pro 12.9-inch (2nd generation and later)
*   Mac computers running macOS Monterey, Ventura, and Sonoma

****Immediate Action Recommended****

Apple urges all users of these devices to update their software immediately. The updates are designed to patch the vulnerabilities and protect devices from potential exploits. Users can update their devices by going to the ‘Settings’ menu, selecting ‘General’, and then tapping on ‘Software Update’.

The urgent release of these security patches highlights the growing challenges in cybersecurity. Security experts advise users to always keep their software updated to the latest version and to be cautious of suspicious web pages and downloads.

In a comment to Hackread.com, Michael Covington, VP of Portfolio Strategy at Apple device security and management company Jamf, urged users to immediately update their devices.

“These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content,” Michael said. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users,” he wanted.

****How to Update Your Apple Devices?****

Apple provides detailed instructions to ensure that users update their devices effectively. For iPhone and iPad users, navigate to Settings > General and click on Software Update.

For macOS users, click on the Apple menu (), go to System Settings, select General, and then click on Software Update. Automatic updates should be enabled to receive the Rapid Security Response patches seamlessly. Restarting the device may be necessary to complete the update process.

****_RELATED ARTICLES_****

1.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
2.  **Update NOW! Pegasus Spyware Exploiting iPhones on Latest iOS**
3.  **Apple issues iPhone software update after fake police ransomware scam**

Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions. An admin credential is passed as a value of URL parameters without encryption, so it allows remote attackers to steal the password and gain full control of Loytec device configuration.

**Full Disclosure mailing list archives**

_From_: Chizuru Toyama <chizuru\_toyama () txone com>  
_Date_: Thu, 23 Nov 2023 02:54:46 +0000  

\[+\] CVE                                 : CVE-2023-46383, CVE-2023-46384, CVE-2023-46385 
\[+\] Title                                : Multiple vulnerabilities in Loytec LINX Configurator 
\[+\] Vendor                           : LOYTEC electronics GmbH
\[+\] Affected Product(s)     : LINX Configurator 7.4.10
\[+\] Affected Components : LINX Configurator
\[+\] Discovery Date             : 01-Sep-2021
\[+\] Publication date           : 03-Nov-2023
\[+\] Discovered by               : Chizuru Toyama of TXOne networks


\[Vulnerability Description\]

 CVE-2023-46383 : Insecure Permissions
 Loytec LINX Configurator could be connected to Loytec devices with
 an administrator credential, and it could configure device settings. 
 Since it uses HTTP Basic Authentication, which transmits usernames 
 and passwords in base64-encoded cleartext, so anyone could easily
 steal credentials if they sniff network traffics. Once obtaining the
 admin password, attackers could connect and control Loytec devices 
 via LINX configurator.
 
 CVE-2023-46384 :  Insecure Permissions 
 Following registry key contains hard-coded clear text admin password 
 for recently connected Loytec device. (password cache) If an attacker 
 succeeds in getting this registry key value, attackers could connect 
 and control Loytec devices via LINX configurator.

  Key: Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\LOYTEC\\LOYTEC LINX Configurator\\OhioIni
  Value name: ftp\_pass
  Value dada: <admin password>

 CVE-2023-46385 : Insecure Permissions
 When Loytec LINX Configurator connects to a device, it sends HTTP GET 
 request to login. Since cleartext password is passed as an URL parameter, 
 "password" without sufficient protection, anyone could easily steal 
 credentials if they sniff network traffics. Once obtaining the admin 
 password, attackers could connect and control Loytec devices via LINX 
 configurator.
 http://<IP>:<port>/webui/config/system?username=admin&password=<admin password>&login=Login


\[Timeline\]

 01-Sep-2021 : Vulnerabilities discovered
 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
 07-Oct-2022 : ICS CERT reported to vendor (no response)
 03-Nov-2023 : Public Disclosure

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **\[CVE-2023-46383, CVE-2023-46384, CVE-2023-46385\] Multiple vulnerabilities in Loytec products (2)** _Chizuru Toyama (Nov 27)_

CVE-2023-46385: [CVE-2023-46383, CVE-2023-46384, CVE-2023-46385] Multiple vulnerabilities in Loytec products (2)

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 Firmware 7.2.4 are vulnerable to Incorrect Access Control via registry.xml file. This vulnerability allows remote attackers to disclose sensitive information on LINX configuration.

**Full Disclosure mailing list archives**

_From_: Chizuru Toyama <chizuru\_toyama () txone com>  
_Date_: Thu, 23 Nov 2023 02:57:14 +0000  

\[+\] CVE                                  : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389  
\[+\] Title                                 : Multiple vulnerabilities in Loytec L-INX Automation Servers
\[+\] Vendor                            : LOYTEC electronics GmbH
\[+\] Affected Product(s)      : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4
\[+\] Affected Components : L-INX Automation Servers
\[+\] Discovery Date              : 01-Sep-2021
\[+\] Publication date           : 03-Nov-2023
\[+\] Discovered by               : Chizuru Toyama of TXOne networks


\[Vulnerability Description\]

CVE-2023-46386 : Insecure Permissions
'registry.xml' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting registry.xml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46387 : Improper Access Control
'/var/lib/lgtw/dpal\_config.zml' file is accessible via file download API. 
 'dpal\_config.wbx' which is extracted from 'dpal\_config.zml' includes
sensitive configuration information such as smtp client information.  
 Authentication is required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal\_config.zml

CVE-2023-46388 : Insecure Permissions
'dpal\_config.wbx' file contains hard-coded clear text credentials for 
 smtp client account. If an attacker succeeds in getting dpal\_config.zml file, 
 the email account could be compromised. Password should be encrypted.

CVE-2023-46389 : Improper Access Control
'/tmp/registry.xml' file is accessible via file download API. 
 'registry.xml' includes device configuration information which includes
sensitive information such as smtp client information. Authentication is
required to exploit this vulnerability.
http://<IP>:<port>/DT?filename=/tmp/registry.xml


\[Timeline\]

01-Sep-2021 : Vulnerabilities discovered
13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
07-Oct-2022 : ICS CERT reported to vendor (no response)
03-Nov-2023 : Public Disclosure


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **\[CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389\] Multiple vulnerabilities in Loytec products (3)** _Chizuru Toyama (Nov 27)_

CVE-2023-46389: [CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389] Multiple vulnerabilities in Loytec products (3)

ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation.

**Impact**

The ZStack Cloud releases before 3.10.38(included) are vulnerable to unauthorized access.

**Patches**

The problem already patched in ZStack 3.10.40 and all further versions (ZStack Cloud 4.x are not vulnerable).

**Workarounds**

We strongly suggest users upgrade to patched versions.

If you have a Web Application Firewall(WAF), filter requests GET /calls/uuids could reduce the impact of this vulnerability.

if you do not have a WAF, iptables could be an alternative(make sure running bellow command on all management node)

iptables -I INPUT -i br\_eth0 -p tcp --dport 5000 -m string --string "/calls/uuids" --algo kmp -j DROP  
# replace br\_eth0 and 5000 to corresponding network interface and port number

**For more information**

If you have any questions or comments about this advisory:

*   Contact our support ZStack
*   Open an issue in ZStack Github Repo
*   Email us at contact@zstack.io

CVE-2023-46326: Unauthorized access in ZStack Cloud

Buffer Overflow vulnerability in /apply.cgi in Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 allows attackers to cause a denial of service via the ApCliAuthMode parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47307: overflow/LBT-T310 Buffer overflow.md at main · forever-more-cjy/overflow

Early disclosures related to September compromise insisted less than 1% of Okta customers were impacted; now, the company says it was all of them.

Source: Ilnur Khisamutdinov via Alamy Stock Photo

Identity access management vendor Okta has released an update following an investigation into a hack this fall on its systems, revising the number of impacted customers up from less than 1% to a staggering 100%.

A blog post dated Nov. 29 from Okta chief security officer David Bradbury explained that an analysis of a breach from September revealed that an unauthorized user was able to run a report on Sept. 28 containing data on every user of Okta's customer support system, which leaked the following data: company name, contact information, user name, role description, and a "collection of other data." This type of information could be useful to threat actors in launching social engineering attacks, like the ones that leveraged Okta to breach MGM Resorts and Caesars Entertainment.

Thus, Okta is warning all of its customers to be prepared for similar phishing and social engineering cyber-scams.

"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users," Bradbury wrote. "While 94% of Okta customers already require MFA \[multifactor authentication\] for their administrators, we recommend all Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security."

The company added that it does not have any evidence the compromised Okta customer data is being actively exploited yet, however. Even so, cybersecurity experts advise Okta customers to focus on cybersecurity best practices, including user training.

"What is needed to secure Okta customers is a focus on best practices; for example, 6% of their users do not have multifactor authentication enabled," says Viakoo CEO Bud Broomhead. "Likewise, setting session timeouts or requiring reauthentication for sessions from a new IP address should be done across all Okta users."

**Okta Breach Brand & Financials Ramifications**

That bit of bad news for Okta customers was tempered by another piece of data out of Okta on Nov. 29. According to its latest quarterly financial report, the company announced that it has seen a more than 20% increase in revenues. The bottom-line growth increase is marked for the quarter ending Oct. 31, the same quarter Okta's systems were used in high-profile breaches of MGM and Caesars.

"Our Q3 performance was highlighted by solid top-line growth, record non-GAAP operating profit, and record free cash flow," Todd McKinnon, CEO and co-founder of Okta, said in a statement about the company's earnings. "We are particularly enthusiastic about the adoption of Okta Identity Governance and the general availability of Okta Privileged Access, which uniquely positions us as the only unified modern identity platform. Over 18,800 leading organizations around the world put their trust in Okta and we are thankful for their continued partnership."

The news of the leaked customer data did drive down Okta stock prices when it happened, but the investor fallout appears to be hovering in the single digits.

That said, the time lag for sales revenues to be impacted by major cyber incidents like the ones Okta has experienced should be taken into account when analyzing whether the breach impacted the brand, according to Jasson Casey, CEO of Beyond Identity.

"The sales cycle for midmarket customers is typically three to four months, while the enterprise sales cycle can be six-plus months," Casey tells Dark Reading. "Revenue numbers being reported today don't reflect the market's processing and intake of the latest news."

However, Casey tells Dark Reading that personally, he's seeing a market shift away from Okta.

"Anecdotally, we're seeing a large number of companies actively search for migration pathways from Okta to other SSO \[single sign-on\] platforms due to the continued string of news related to Okta security practices," he adds. "Okta has a hard road in front of them to convince the mid/enterprise market that security is a foundational principle given their continued missteps over the last two years."

Okta declined to comment on customer reactions to the compromise.

Okta Breach Widens to Affect 100% of Customer Base

Cybercriminals use legal search terms to ensnare unwitting victims, then launch ransomware or business email compromise attacks.

Source: The Lightwriter via Adobe Stock

Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and business email compromise (BEC).

On Nov. 24, managed service provider CTS, which provides IT services to law firms, acknowledged that the firm had suffered a breach, but did not give details about the source of the attack. The incident has reportedly affected services to dozens of law firms, particularly in the real estate sector. The attack follows claims by the LockBit group that it compromised London-based law firm Allen & Overy, listing the firm among the victims on its data-leak site and demanding a ransom. The firm confirmed a breach, but did not acknowledge the ransomware attack.

The attacks are only the latest to target law firms and legal departments. At least one attack group has targeted law firms specifically, seeding compromised sites with legal jargon to make the sites rise in search rankings and then deliver a ransomware attack chain to visitors, says Keegan Keplinger, a senior security researcher with managed detection and response firm eSentire.

"When \[the targeting\] hasn't been a legal organization, it's often been the legal department or a legal user — a paralegal or the legal consultant — in an organization," he says. "We saw a hospital get hit once, but it was the legal user in that hospital that downloaded \[the malware\]."

GootLoader, which leads to Blackcat ransomware, has focused heavily on law firms. Source: eSentire

Hackers have long favored law firms as a way to steal secrets, absconding with Uber drivers' personal information from law firm Genova Burns LLC in January; hijacking data on the contracts and personal emails from 200 high-profile celebrities — including Lady Gaga, Madonna, and Rod Stewart — from New York law firm Grubman Shire Meiselas & Sacks in 2020; and allegedly leaking the "Panama Papers" — 11.5 million documents on wealthy tax evaders — from Panama-based law firm Mossack Fonseca.

Traditionally, the attraction for online attackers has not been money, says Ilia Kolochenko, chief architect at application security firm ImmuniWeb.

"Law firms are pretty far from being attractive victims for cybercriminals," he says. "However, their clients — namely, secrets of their clients — make law firms a magnet for all kind of cybercriminals."

**Clickbait Turns to SEO Poisoning**

That has changed, as cybercriminals increasingly focus on law firms as a way to cash in with ransomware and BEC attacks. More than a quarter of law firms (27%) suffered a security breach in 2022, up from 25% in 2021, according to the American Bar Association's annual cybersecurity report, which stresses that a security breach is not as severe a classification as a data breach. The legal sector is the fourth most targeted sector by cybercriminals — behind services, manufacturing, and financial firms, according to eSentire's data.

The most significant threat to law firms may be GootLoader, a browser-based threat that is delivered through search engine optimization (SEO) poisoning. The group behind GootLoader has seeded malicious content and malvertising linked to 3.5 million search terms, a high percentage of which are legal terms. As a result, a lawyer or paralegal who searches for specific content may find the top search result leading to a GootLoader-infected file. Downloading and opening the file will execute the program, which almost always leads to BlackCat ransomware, says Joe Stewart, a principal security researcher at eSentire.

"This \[is\] what I call a landmine approach," he says. "They're just mining the entire Web with these search keywords and just waiting for somebody in the legal profession, or somebody who needs this legal document, to just stumble on it and open it up, say, 'What's this? Oh, I will click on this JavaScript. No problem.'"

Ransomware is not the only worry for law firms. A number of threat groups are also targeting law firms with BEC scams. Law firms are the perfect victims for such schemes, says Dan Caplin, director of cybersecurity and incident response at S-RM, a cybersecurity consultancy.

"Firstly, they do a lot of business over and in emails, and secondly, law firms often occupy a privileged position in situations where payment instructions and details are exchanged — this, again, is mostly done over email," he says. "This makes email account takeover, intercepting a thread about a legitimate payment, and diverting funds to a fraudulent bank account a really effective approach."

**Will Get Worse Before It Gets Better**

Because law firms tend to be smaller, often just one or two people, cybersecurity knowledge is often lacking, says ImmuniWeb's Kolochenko.

"Solo practitioners and small law firms are usually poorly protected, having very modest budgets for cybersecurity," he says. "Large law firms, however, increasingly spend more on cybersecurity and cyber defense, \[but most firms\] have similar problems as all other industries including shadow IT, working from home, \[and\] underprotected third parties."

Unfortunately, law firms are often tasked as the custodian of extremely sensitive information, making any breach a problem and making the firm more likely to pay a ransom. It's little wonder that GootLoader has targeted the industry, says eSentire's Keplinger.

"For a variety of reasons, law firms are behind the curve a little bit on security," he says. "With ransomware — especially the double whammy (both stealing and encrypting the data) — legal firms are an obvious organization that would be vulnerable to that — especially, that would care about publishing their data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Law Firms & Legal Departments Singled Out for Cyberattacks










KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.









CVE-2023-5909

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges.

CVE-2023-47207

A vulnerability was found in SourceCodester Book Borrower System 1.0 and classified as problematic. This issue affects some unknown processing of the file endpoint/add-book.php. The manipulation of the argument Book Title/Book Author leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246443.

Tag

#auth