By Waqas
Trellix Uncovers Deceptive Chrome Browser Update Campaign Leveraging NetSupport Manager RAT.
This is a post from HackRead.com Read the original post: Fake Chrome Browser Update Installs NetSupport Manager RAT

*   **Fake Chrome Browser Update Scam:** Trellix exposes a scheme using fake Chrome browser updates to sneak NetSupport Manager onto victim computers, granting cybercriminals control and data access.

*   **Possible SocGholish Link:** While resembling SocGholish, differences in tools raise doubt about a direct connection, highlighting evolving tactics.

*   **Compromised Sites as Launchpads:** Compromised websites act as launchpads for the attack, affecting diverse sectors, including government and finance.

*   **Deceptive Path to RAT:** Victims fall for the fake update, unknowingly downloading a malicious JavaScript file, “Browser\_portable.js,” which activates NetSupport Manager.

*   **Urgent Need for Vigilance:** Trellix’s discovery underscores the critical importance of global threat intelligence and advanced security solutions in countering evolving cyber threats.

Cybersecurity firm Trellix has identified a new cyber campaign exploiting unsuspecting victims by disguising itself as a legitimate Chrome browser update. The deceptive scheme employs a malicious remote administration tool (RAT) known as NetSupport Manager RAT, allowing threat actors to gain unauthorized access to victims’ computers and seize control.

Moreover, the Trellix Advanced Research Center uncovered striking similarities to a previously reported SocGholish campaign, although a definitive connection remains elusive. Yet, concrete links between the two campaigns remain scarce.

The campaign, which came to light in late June 2023, exploits compromised websites as a platform for delivering the fraudulent Chrome update. Victims are lured into downloading and installing the fake update, unwittingly inviting the NetSupport Manager RAT onto their systems. The malware allows cybercriminals to pilfer sensitive information and manipulate victim computers to their advantage.

The modus operandi of the campaign involves injecting compromised websites with a carefully crafted HTML script tag that retrieves JavaScript content from the attackers’ command and control server.

This technique, seemingly automated, hinges on the unsuspecting victims falling for the fake browser update ruse. The success of the scheme relies heavily on the prevalence of compromised websites.

Trellix researchers found evidence of this campaign infiltrating a Chamber of Commerce website, with traffic from governmental entities, financial institutions, and consulting services. Although the site has since been cleansed of the injected script, it suffered compromise for at least one day.

The deceptive journey commences when victims encounter the injected script on a compromised website, leading them to a fake browser update page. This manipulation, which directs users to unwittingly install the NetSupport RAT, isn’t novel; similar tactics have been documented in past instances like the SocGholish campaign.

Fake Chrome Browser Update page (Screenshot: Trellix)

However, it’s the tools employed in the present campaign that stand apart from SocGholish. SocGholish exploited PowerShell with WMI capabilities to facilitate RAT download and installation. In contrast, the current campaign utilizes batch files (.BAT), VB scripts, and the Curl tool to carry out its malevolent operations. The use of these distinct tools underscores the evolving strategies of cybercriminals.

Should a victim succumb to the allure of the fake browser update and click on the “Update Chrome” link, a ZIP archive named “UpdateInstall.zip” containing a malevolent JavaScript file, “Browser\_portable.js,” is initiated for download. This script serves as a downloader for the ensuing stage of the attack.

Upon extraction of the NetSupport Manager RAT via the downloaded 7-zip utility, execution transpires via a scheduled task, orchestrated by the “2.bat” batch file. Furthermore, this batch file also engenders persistence for the RAT, ensuring automatic execution upon system startup.

The malevolent configuration file (“client32.ini”) for the RAT reveals a gateway address set to 5.252.178.48. At this juncture, with the RAT firmly entrenched within the victim’s system, threat actors possess substantial control, enabling them to execute further malware deployment, data exfiltration, network reconnaissance, and lateral movement.

The infection chain (Screenshot: Trellix)

In conclusion, this campaign serves as a reminder that threat actors consistently exploit successful techniques to advance their malicious agendas. The deployment of familiar lures, such as the phony browser update, underscores the persistent nature of these attacks.

The proliferation of RATs, while not always updated, showcases their enduring utility for cybercriminals. As attackers adopt increasingly sophisticated tactics, the challenge of detection intensifies. The utilization of native Windows scripting languages, like VBScript and Batch script, combined with tools like Curl, exemplifies their adaptability and innovation.

Joseph Tal, Senior Vice President of Trellix’s Advanced Research Center, cautioned that the prevalence of these NetSupport RAT attacks underscores the need for comprehensive global threat intelligence and innovative security solutions.

Commenting on this, Dr Klaus Schenk, senior vice president, Security and Threat Research at Verimatrix told Hackread.com that _“_The reports of threat actors exploiting fake Chrome browser updates to spread the NetSupport Manager Remote Access Trojan are concerning. While the attack vector of abusing browser updates is common, this particular campaign stands out for its sophistication and targeting. The attribution to the SocGholish group, known for cyber espionage aligned with Russian state interests, makes this a high-priority threat._“_

_“_While the details connecting this attack to SocGholish are inconclusive, the examination by Trellix seems reliable. The threat actors clearly spent time crafting a credible lure using Chrome’s market dominance. I recommend to wait a bit to see if this attacks manifests — but it would be a good idea to prioritise incident response and user education to detect and mitigate this threat,” Tal added.

_“_Even though users must still click a malicious link, the sophistication of this attack makes it likely to evade defenses. We should continue monitoring for new developments, but organisations should act swiftly to harden systems, update browsers, and inform personnel about this threat,” Tal recommend.

Nevertheless, the continually evolving threat landscape necessitates a proactive and holistic approach to cybersecurity, particularly as more enterprises rely on Chromium-based browsers for their web applications.

**RELATED ARTICLES**

1.  New malware in pirated games disables Windows Updates
2.  Fake ROBLOX &Nintendo game cracks drop ChromeLoader malware
3.  Fake Chrome & Firefox browser update lead users to malware infection
4.  Over 20 million Chrome users have installed fake malicious Ad Blockers
5.  Big Head Ransomware Found in Malvertising and Fake Windows Updates

Fake Chrome Browser Update Installs NetSupport Manager RAT

QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.

Skip to content

GitLab

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    *   Switch to GitLab Next
    
*   *   
    
    Projects Groups Topics Snippets
    
*   Register
*   Sign in

*   Klaus Jensen
*   QEMU
*   Commits
*   6c8f8456

**Commit 6c8f8456** authored Aug 08, 2023 by  **Klaus Jensen** 🍻

Browse files

**hw/nvme: fix null pointer access in directive receive**

nvme\_directive\_receive() does not check if an endurance group has been
configured (set) prior to testing if flexible data placement is enabled
or not.

Fix this.

Cc: qemu-stable@nongnu.org
Resolves: #1815
Fixes: 73064edf

 ("hw/nvme: flexible data placement emulation")
Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com\>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com\>

parent a8fc5165

*   Changes 1

Hide whitespace changes

Inline Side-by-side

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2023-40360: hw/nvme: fix null pointer access in directive receive (6c8f8456) · Commits · Klaus Jensen / QEMU · GitLab

Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch.

CVE-2023-28768

A post-authentication command injection vulnerability in the NTP feature of Zyxel NBG6604 firmware version V1.01(ABIR.1)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request.

CVE-2023-33013

This is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module rapidly identifies API services, storage accounts, key vaults, databases, and more!

    *Background:*Microsoft makes use of a number of different domains and subdomains foreach of their Azure services. From SQL databases to SharePoint drives, eachservice maps to its respective domain/subdomain, and with the propertoolset, these can be identified through DNS enumeration to yieldinformation about the target domain's infrastructure.enum_azuresubdomains.rb is a Metasploit module for enumerating public Azureservices by validating legitimate subdomains through various DNS recordqueries. This cloud reconnaissance module rapidly identifies API services,storage accounts, key vaults, databases, and more! Expedite your cloudreconnaissance phases with enum_azuresubdomains.rb.*Code:*### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::DNS::Enumeration  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Azure Subdomain Scanner and Enumerator',        'Description' => 'This module can be used for enumerating publicAzure services by locating valid subdomains through various DNS queries.',        'Author' => ['RoseSecurity <RoseSecurityConsulting[at]protonmail.me>'],        'References' => ['www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services'],        'License' => MSF_LICENSE      )      )    register_options(      [        OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex:victim rather than victim.org)']),        OptBool.new('PERMUTATIONS',                    [false,                     'Prepend and append permutated keywords to domain',false]),        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record',true]),        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])      ]    )  end  def dns_enum(target_domains)    target_domains.each do |domain|      next unless dns_get_a(domain)      print_good("Discovered Target Domain: #{domain} \n")      dns_get_a(domain) if datastore['ENUM_A']      dns_get_cname(domain) if datastore['ENUM_CNAME']      dns_get_ns(domain) if datastore['ENUM_NS']      dns_get_mx(domain) if datastore['ENUM_MX']      dns_get_soa(domain) if datastore['ENUM_SOA']      dns_get_txt(domain) if datastore['ENUM_TXT']    end  end  def run    # Array of subdomains to enumerate    domain = datastore['DOMAIN']    subdomains = [      '.onmicrosoft.com',      '.scm.azurewebsites.net',      '.azurewebsites.net',      '.p.azurewebsites.net',      '.cloudapp.net',      '.file.core.windows.net',      '.blob.core.windows.net',      '.queue.core.windows.net',      '.table.core.windows.net',      '.mail.protection.outlook.com',      '.sharepoint.com',      '.redis.cache.windows.net',      '.documents.azure.com',      '.database.windows.net',      '.vault.azure.net',      '.azureedge.net',      '.search.windows.net',      '.azure-api.net',      '.azurecr.io'    ]    # Array of keywords to prepend and append    permutations = %w[      root      web      api      azure      azure-logs      data      database      data-private      data-public      dev      development      demo      files      filestorage      internal      keys      logs      private      prod      production      public      service      services      splunk      sql      staging      storage      storageaccount      test      useast      useast2      centralus      northcentralus      westcentralus      westus      westus2    ]    # Create permutated array of keywords and target domain    if datastore['PERMUTATIONS']      permutated_domains = []      permutations.each do |keywords|        permutated_domains.append("#{domain}-#{keywords}")        permutated_domains.append("#{keywords}-#{domain}")      end      # Permutated and Normal list of subdomains      target_domains = []      subdomains.each do |tld|        target_domains.append(domain + tld)        permutated_domains.each do |_subdomain|          target_domains.append(domain + tld)        end      end      # Query DNS records of permutated and normal target subdomains    else      # Query DNS records of normal target subdomains      target_domains = []      subdomains.each do |tld|        target_domains.append(domain + tld)      end    end    dns_enum(target_domains)  endend

Microsoft Azure Subdomain Scanner / Enumerator

Qualys scanners use the ssh-rsa algorithm for pubkey signing in its attempt of SSH login. Modern SSHD servers reject pubkey login with ssh-rsa, so Qualys is unable to scan up-to-date Linux e.g. Debian12 or RHEL9. Qualys does not check the list of pubkey signing algorithms accepted by SSHD servers, and therefore cannot notify about any insecure ones.

=== Introduction ===================================================

My institution uses Qualys

  www.qualys.com

to scan for vulnerabilities, including on some Debian Linux machines  
that I manage. The scanner does some network scans, and also logs in  
to each machine to do "authenticated scans".

=== Discovery ======================================================

When I recently updated my machines from Debian11 to Debian12, the  
Qualys scanner was no longer able to SSH login, with syslog lines:

  sshd: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

The ssh-rsa algorithm was removed from the default list in Debian12  
(has OpenSSH 9.2, up from 8.4 in Debian11), see e.g.

  www.openssh.com/txt/release-8.8  
    ... disables RSA signatures using the SHA-1 hash algorithm by  
    default. This change has been made as the SHA-1 hash algorithm  
    is cryptographically broken ...

I confirmed that Qualys uses (requires) ssh-rsa as public key signing  
algorithm: its SSH login to Debian12 suceeds with the SSHD setting  
"PubkeyAcceptedAlgorithms +ssh-rsa", and to Debian11 fails with the  
opposite "PubkeyAcceptedKeyTypes -ssh-rsa".

=== Issues =========================================================

 - Qualys scanner uses insecure ssh-rsa algorithm for pubkey signing  
   in its attempt of SSH login.

 - Modern SSHD servers reject pubkey login with ssh-rsa, so Qualys is  
   unable to scan up-to-date Linux e.g. Debian12 or RHEL9.

 - Qualys does not check the list of pubkey signing algorithms  
   accepted by SSHD servers, cannot notify about any insecure ones.

=== Vulnerability ==================================================

Any SSHD server that accepts the insecure ssh-rsa algorithm for pubkey  
signing is vulnerable. The fact that Qualys had been able to log in to  
all Linux machines at my institution, shows that all accept ssh-rsa  
and are vulnerable. It is expected that anywhere that Qualys is used,  
all Linux machines (except recently updated) are similarly vulnerable.

The vulnerability affects all uses of public key authentication.  
Qualys itself facilitates an internal attack, by providing the account  
used to do "authenticated scans", forced onto all machines and with  
root (sudo) access, with the public key commonly available to any  
local admins of any scanned machines. An attack on this account is  
both easier and more fruitful; admittedly an attack may be impractical  
with currently available computing resources.

=== Fixes needed ===================================================

 - Qualys to reconfigure the scanner to use a secure pubkey signing  
   algorithm for its SSH login attempt. This same fix also enables  
   Qualys to scan up-to-date Linux e.g. Debian12 or RHEL9.

 - Qualys to check the pubkey signing algorithms accepted by SSHD  
   servers, and notify when insecure ones are in use.

 - Administrators of Linux machines to check SSHD settings, ensure  
   that ssh-rsa is not accepted. This is needed on all SSHD servers,  
   regardless of whether Qualys is used.

=== Comments =======================================================

It is curious how Qualys:  
 - uses (requires!) an insecure pubkey signing algorithm, though  
   better alternatives have been the norm for decades;  
 - did not notice its inability to do authenticated scans on RHEL9  
   and similar machines, since over a year ago;  
 - checks many similar (similarly impractical) SSHD issues, but does  
   not check pubkey signing; and  
 - seems to know all about SSH, reporting esoteric issues in its  
   internals, but still uses it wrongly.

=== Dedication =====================================================

I dedicate this advisory to Luis Fuentes-Cobas, my one-time professor  
of Electromagnetism, who taught me logic, deduction and persistence.  
Maybe I missed the class about patience.

=== References =====================================================

www.qualys.com/  
www.qualys.com/docs/qualys-authenticated-scanning-unix.pdf  
www.openssh.com/txt/release-8.2  
www.openssh.com/txt/release-8.8  
https://eprint.iacr.org/2020/014.pdf  
www.usenix.org/conference/usenixsecurity20/presentation/leurent  
https://csrc.nist.gov/news/2006/nist-comments-on-cryptanalytic-attacks-on-sha-1  
https://csrc.nist.gov/Projects/hash-functions/nist-policy-on-hash-functions  
https://en.wikipedia.org/wiki/SHA-1  
www.rfc-editor.org/rfc/rfc4252.html  
https://success.qualys.com/support/s/article/000003219  
https://success.qualys.com/support/s/article/000006407  
https://seclists.org/fulldisclosure/2016/Jan/44  
https://seclists.org/oss-sec/2023/q1/75  
https://seclists.org/fulldisclosure/2023/Jul/31

=== Timeline =======================================================

24 June 2023  Discovered, notified internally within my institution  
 9 July 2023  Qualys contacted via "community" post  
16 July 2023  Qualys contacted via security@qualys.com  
26 July 2023  CVE requested from bugreport@qualys.com (a CNA partner)

====================================================================

--   
Paul Szabo       psz@maths.usyd.edu.au       www.maths.usyd.edu.au/u/psz  
School of Mathematics and Statistics   University of Sydney    Australia

Qualys RSA Usage Issue

Red Hat Security Advisory 2023-4625-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh Containers for 2.4.2 security update  
Advisory ID:       RHSA-2023:4625-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4625  
Issue date:        2023-08-11  
CVE Names:         CVE-2023-2828 CVE-2023-35941 CVE-2023-35943   
                   CVE-2023-35944   
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.4.2 Containers

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an on-premise  
OpenShift Container Platform installation.

Security Fix(es):

* envoy: OAuth2 credentials exploit with permanent validity  
(CVE-2023-35941)

* envoy: Incorrect handling of HTTP requests and responses with mixed case  
schemes (CVE-2023-35944)

* envoy: CORS filter segfault when origin header is removed  
(CVE-2023-35943)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity  
2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes  
2217987 - CVE-2023-35943 envoy: CORS filter segfault when origin header is removed

5. References:

https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/cve/CVE-2023-35941  
https://access.redhat.com/security/cve/CVE-2023-35943  
https://access.redhat.com/security/cve/CVE-2023-35944  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pgEAAoJENzjgjWX9erEdf8P/R2dp7OtPRZPuUU1x21pHihH  
Ks8Pu3HrM3aWGm6GBBEeEJ/kw+S/Jjiy+L06w1NuzemAUfP/tTkqlRTjyqmCZpwk  
JjwmO3ee7Z8Lz+LJbLPa2EX+h0hNbyP0xn58Z82fZdfJcCM696fzNIvYMwoJEgp0  
wB/T3ZI625iNN4gWJrV1w4IbyvVXJ1J3RC+gYW8i2IfpR+1jeNQ0RAbgjSSEYGZO  
HvwWuvwx8JYlPDHuXZbG9IkSngOl+W8rULiQVUr1adClGl9lFiYBservNLJ2Kt2E  
obkiqsZRPhPmLiSM9xJPHM3y3eqVJgAjFIUzzbiFEDfE8jnZza1rnEE1sCoZk+p8  
/8HQnPdNK6GKMbxpAFQRTvL3Cjy8NnWFqf44RvjX212SlCnNxw+cQnYF3XhtH+uc  
6Z2ALAgbW5k3smrWAnS2W4uaJdKVX6RBDewDe4BeXxq5kAwsjtDfGOtacl4Gj8Ia  
UEUopVSdpr83/BQwD6T1F33A8IkDWMl5cIOB3ZpnoYkNvkAAM65vrOfIIcxN1AfD  
j4LTNmRoVGl3SgVxbDZTb/d1nhwq5fAYZfYfyHIoGYt7dPUUC/z4LNFwuGWGRqfo  
fqpoA40Ja6hCphgueK4LeH+yGKvQCK1eftSSA3zXqn1EKa7P59LzfPZunyS56Kh/  
pEqFz6KLYjjapPMGqs6Q  
=ffX8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4625-01

Red Hat Security Advisory 2023-4623-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.2.9  security update  
Advisory ID:       RHSA-2023:4623-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4623  
Issue date:        2023-08-11  
CVE Names:         CVE-2023-27487 CVE-2023-27488 CVE-2023-27491   
                   CVE-2023-27492 CVE-2023-27493 CVE-2023-27496   
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.2.9

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an OpenShift Container  
Platform installation.

Security Fix(es):

* envoy: Client may fake the header `x-envoy-original-path`  
(CVE-2023-27487)

* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)

* envoy: gRPC client produces invalid protobuf when an HTTP header with  
non-UTF8 value is received (CVE-2023-27488)

* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream  
(CVE-2023-27491)

* envoy:  Crash when a large request body is processed in Lua filter  
(CVE-2023-27492)

* envoy: Crash when a redirect url without a state param is received in the  
oauth filter (CVE-2023-27496)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`  
2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream  
2179139 - CVE-2023-27492 envoy:  Crash when a large request body is processed in Lua filter  
2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter  
2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received  
2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values

5. References:

https://access.redhat.com/security/cve/CVE-2023-27487  
https://access.redhat.com/security/cve/CVE-2023-27488  
https://access.redhat.com/security/cve/CVE-2023-27491  
https://access.redhat.com/security/cve/CVE-2023-27492  
https://access.redhat.com/security/cve/CVE-2023-27493  
https://access.redhat.com/security/cve/CVE-2023-27496  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pfaAAoJENzjgjWX9erE16UP/Az3YBHc2BsjRSY0/48IyI49  
PZ8yFpBCQMocY7dnts48iFeeVZtQlFruLzOOvGWvaKyPCSiyC0XtTg/6sw71XCaf  
bpOsMXNV75ggf0tTO6JEgGqD326pdOnYqXMUfBnxvgtqQ/Ej1kyGCig+c7bEcvB0  
l0m4NsAo224h8U33fnOPbgP/m/0elWCTcZbOUBLd+qRqwE9edZX4Chd+3l3pq5kg  
zJHLKHui/q+dAIqgsoK6CznTglUXuFQlYpu+vlAomrMGED7kx3t7QgttmhlL7krl  
rKIBgJml3nottyavLGmdCBiuklBlcNNV6LHZNkIEaIaH7Hlgbcb0AWHcOr97KXxQ  
K1ZpIdNOX0IDgltC3cGWbmiNmM45KSWKjCTUKXPiD0jlIxbuDIrqT25tOlNw4nRa  
R4hoiJUvUBl33zcg0q1JZmr9iYA7kKmrQUTgjMaFersmaeVaALBsmwdmTasaAsC0  
jdNzrbRB2JCnozPUphYff6Zc0iIKKPmMKtAWDzdyor0eQ+7sPfXNyND2WC5OQtVS  
oLK/juc7CxQkMhOI09goLFMSUEO7czvKzdr5rzG8s1D7JHNtPLlCy2D0X4jAXIKD  
Ca53KIpxVrEUpmrApFvZscITKSyEGt0pouxEh2mFU6Op1ZcnONOeDXz7+KVfQTZZ  
3+soC5oF43vm3/r9KJAz  
=xctn  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4623-01

Red Hat Security Advisory 2023-4624-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. Issues addressed include a memory leak vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh Containers for 2.3.6 security update  
Advisory ID:       RHSA-2023:4624-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4624  
Issue date:        2023-08-11  
CVE Names:         CVE-2023-2828 CVE-2023-35941 CVE-2023-35942   
                   CVE-2023-35943 CVE-2023-35944 CVE-2023-35945   
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.3.6 Containers

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an on-premise  
OpenShift Container Platform installation.

Security Fix(es):

* envoy: OAuth2 credentials exploit with permanent validity  
(CVE-2023-35941)

* envoy: Incorrect handling of HTTP requests and responses with mixed case  
schemes (CVE-2023-35944)

* envoy: HTTP/2 memory leak in nghttp2 codec (CVE-2023-35945)

* envoy: gRPC access log crash caused by the listener draining  
(CVE-2023-35942)

* envoy: CORS filter segfault when origin header is removed  
(CVE-2023-35943)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity  
2217978 - CVE-2023-35942 envoy: gRPC access log crash caused by the listener draining  
2217983 - CVE-2023-35945 envoy: HTTP/2 memory leak in nghttp2 codec  
2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes  
2217987 - CVE-2023-35943 envoy: CORS filter segfault when origin header is removed

5. References:

https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/cve/CVE-2023-35941  
https://access.redhat.com/security/cve/CVE-2023-35942  
https://access.redhat.com/security/cve/CVE-2023-35943  
https://access.redhat.com/security/cve/CVE-2023-35944  
https://access.redhat.com/security/cve/CVE-2023-35945  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pfYAAoJENzjgjWX9erE200P/2Y3yaoe64sMk4EThWMQnyDf  
IeHQt7welubO7E6MbIF+8yclV1ckQUFL5ajX8IWtqrTvvnZjYNXmRxSubbPgrBNa  
MUQiyLvj6UXIsMqxaJN9n6rtz1ItbiBNK/AH6ITdN4TAHYG+fzTI58PapJ9g8urX  
8Pd00dx953Jj2gU5toyw6VTR/fJp3ZCgbQxmI78FSnsN77i2/q6WOkJ0TRLcGe+z  
GJw62bxyNKGA1I72NoZqyt/SmIqIhfXP+ofaA4kgWP8XI4/pjL2SDvNsVC0wMNZx  
zQO1cZvYBDo//oZ3NBtR5YpFNZSxpDvv6eiuGOP3LNsTaXot5nAZLSkpzyCFCY9v  
xccDTjVSYysz/aGqa6vTjCd264P4JVMewI/rfDPfaqV3PcCrtm64YCedNTBEwXMx  
uMbdbW02xiX9sRa7Ln38FjvDMCfdOAHaoNOmbOnfS4erQuWF9cJxYXMGPBIk+PY4  
XtxrOPONWbyFPCTspH2D+ISaibu+rK363ZacEXgZ5JOCo5H38y4BINTUPoC2cxF3  
ezwQgKMLPHeCOKBlesQnoPz/EeOL0d3eeNzQvvCAnUk2GCBqazfbxOrjFlqdp9zK  
ugK8VgJcAFiEDeLrhYpSK88BgScJSE/p5cCKdJy3BSHugnVSRD9iKyccuowC3vcT  
ZlAhHXpt+D9ytCT8F+R4  
=ZtLZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4624-01

BookingWizz version 6.0.1 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : BookingWizz v6.0.1 sensitive information disclosure Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/booking-system/87919?s_rank=9                                                          |  | # Dork      : "BookingWizz v6.0"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The error is from the developer, as it does not warn you to delete the installation file after completion, or it is deleted automatically.[+] When you add install file they show you the real user and pass for admin panel.[+] Use Payload : /install.php[+] https://127.0.0.1therazorsedgebarberscom/tiff/install.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#auth