Watch out for the Russian hackers from the infamous RomRom group, also known as Storm-0978, Tropical Scorpius, or UNC2596, and their use of a custom backdoor.

****SUMMARY****

*   **RomCom Exploits Double Zero-Day:** RomCom, a Russia-linked group used previously unknown vulnerabilities in Firefox and Windows in a sophisticated attack campaign.

*   **Attack Chain:** Visiting a malicious webpage triggered a Firefox flaw, and then a Windows bug allowed the installation of RomCom’s backdoor.

*   **Targeted Sectors:** RomCom targeted government, pharmaceutical, legal, and other sectors in Europe and North America for espionage and cybercrime.

*   **Quick Patches:** Mozilla and Microsoft rapidly released updates to fix the vulnerabilities, highlighting the importance of software updates.

*   **Sophisticated Threat:** The attack shows the advanced capabilities of state-sponsored cyber groups and the need for strong cybersecurity measures.

Cyber security researchers at ESET have exposed a malicious campaign by the Russia-linked **RomCom group**, which combined two previously unknown (zero-day) vulnerabilities to compromise targeted systems including Windows and Firefox.

The attack chain, first detected on October 8th, started with a vulnerability in Mozilla Firefox, Thunderbird, and Tor Browser (**CVE-2024-9680**, CVSS score 9.8). If a user with a vulnerable browser visited a customized webpage, malicious code could run within the browser’s restricted environment without any user interaction. This vulnerability, a “use-after-free” bug in the animation feature of Firefox, was quickly addressed by Mozilla within 24 hours of being notified by ESET.

However, the attack didn’t stop there. RomCom chained this browser vulnerability with another zero-day flaw in Windows (**CVE-2024-49039**, CVSS score 8.8) to bypass the browser’s security “sandbox.” This second vulnerability allowed the attackers to run code with the privileges of the logged-in user, taking control of the system. Microsoft released a fix for this issue on November 12th.

The exploit chain worked by first redirecting users to fake websites, which used domains designed to appear legitimate and included the names of other organizations, before sending them to a server hosting the exploit code.

These fake sites often used the prefix or suffix “redir” or “red” to a legitimate domain, and the redirection at the end of the attack took the victims to the legitimate website, hiding the attack. Once the exploit successfully ran, it installed **RomCom’s custom backdoor**, giving the attackers remote access and control over the infected machine.

Exploit flow (Via ESET)

ESET’s **investigation** shows that RomCom targeted various sectors, including government entities in Ukraine, the pharmaceutical industry in the US, and the legal sector in Germany, for both espionage and cybercrime purposes. The group, also known as **Storm-0978, Tropical Scorpius, or UNC2596**, is known for both opportunistic attacks and targeted espionage.

From October 10th to November 4th, ESET’s data showed that users visiting these malicious websites were primarily located in Europe and North America, with the number of victims ranging from one to as many as 250 in some countries.

This cyberattack campaign goes on to show the importance of quick vulnerability disclosure and patching. It also emphasises the need for users to remain alert and keep their software up to date to prevent exploitation of **zero-day vulnerabilities**.

1.  **Russian Cyber Offensive Shifts Focus to Ukraine’s Military**
2.  **Russian APT29 Use NSO Group-Style Exploits in Attacks, Google**
3.  **Russian Malware Targets Ukrainian Military Recruits via Telegram**
4.  **Russian Hackers Phish Critical Sectors with Microsoft, AWS Lures**
5.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**

Russian Hackers Exploit Firefox and Windows 0-Days to Deploy Backdoor

Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.

Source: Kundra via Shutterstock

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

**Matrix Unleashed**

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

**Off-the-Shelf Attack Tools**

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

**Brute-Force Attacks**

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Script Kiddie Assembles Massive DDoS Botnet

Amazon Web Services' identity and access management platform has added new features that help developers implement secure, scalable, and customizable authentication solutions for their applications.

Source: GK Images via Alamy Stock Photo

Amazon Web Services (AWS) has announced updates to Amazon Cognito, its identity and access management service for Web and mobile applications. The service allows developers to secure machine-to-machine authentication, enable role-based access to AWS resources, and create sign-in and sign-up experiences in applications. 

Cognito now supports passwordless login with managed login, enabling users to integrate passwordless authentication methods, including passkeys, email one-time-passwords, and SMS one-time-passwords. 

The new features include a developer-focused console experience that streamlines onboarding via a wizard and use-case specific recommendations. This allows developers to configure their sign-in options and follow the system-provided instructions to create the application's sign-in and sign-up pages. A new user pool, a user directory for authentication and authorization, is automatically created, according to the blog post announcing the new updates. Amazon Cognito also supports major application frameworks and offers detailed instructions for integrating them using standard OpenID Connect (OIDC) and OAuth open source libraries.

Amazon has updated the pricing structure for Cognito, adding user pool feature tiers: Lite, Essentials, and Plus. New user pools are created at the Essentials tier by default, and users can switch between tiers depending on their needs. 

The Lite tier includes user registration, password-based authentication, and social identity provider integration. The Essentials tier includes expanded authentication and access control features, including managed login and passwordless capabilities and enhanced security features. The Plus tier offers more security features, including threat protection capabilities against suspicious logins and compromised credential detection. 

Pricing is based on monthly active users. The Essentials and Plus tiers are available in all AWS regions where Cognito is available, except AWS GovCloud (US) regions. 

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

AWS Rolls Out Updates to Amazon Cognito

Protection ranged from 0.38% to 50.57% for security effectiveness.

PRESS RELEASE

AUSTIN, Texas, Nov. 26, 2024 /PRNewswire/ -- CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent "Mini-Test" of Cloud Service Provider (CSP) Native Firewalls from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Security effectiveness protection ranged from 0.38% to 50.57%.

In today's cloud-centric environment, businesses often face a critical choice regarding the security of their cloud infrastructure. They can rely on firewalls offered directly by Cloud Service Providers (CSPs) or use independent security vendor firewall offerings typically available through the respective CSP's marketplace. Security effectiveness is a crucial factor in selecting the right firewall solution, as it directly impacts the organization's ability to protect against cyber threats.

The CSP firewalls were tested against 522 exploits using Keysight's CyPerf v5.0 software testing platform, offering an evidence-based look at how well these native solutions withstand real-world security threats. Only known Common Vulnerabilities and Exposures (CVEs) from the last ten years with a severity of medium or higher were used to assess security effectiveness, usability, and protection. The exploit (CVE) types targeted servers and are typically relevant to cloud workload deployments.

"This was designed to be an entry level test," said Vikram Phatak, CEO of CyberRatings.org. "The exploits were straightforward; we didn't apply any evasions which is normally how attackers bypass security products. The number of missed exploits is concerning. Until cloud native firewalls demonstrate they have a higher level of security effectiveness to protect against cyber threats, we strongly recommend that customers consider third-party providers with a proven track record."

This test is part one of a two-part test. Part two will include a higher number of exploits, along with evasions and malware. The second part of the test will also compare cloud service provider native solutions against market leading third-party cloud network firewall providers.

The native firewalls were tested using Keysight's CyPerf v5.0 software testing platform. Enterprises can easily replicate the results with a 2-week free trial from Keysight. Further details of the strike library can be found here: https://www.keysight.com/us/en/products/network-test/cloud-test/cyperf.html

The test report is available for free at cyberratings.org.

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

SOURCE  CyberRatings.org

CyberRatings.org Announces Test Results for Cloud Service Provider Native Firewalls

### Summary
A server side request forgery vuln was found within geonode when testing on a bug bounty program. Server side request forgery allows a user to request information on the internal service/services.

### Details
The endpoint /proxy/?url= does not properly protect against SSRF. when using the following format you can request internal hosts and display data. /proxy/?url=http://169.254.169.254\@whitelistedIPhere. This will state wether the AWS internal IP is alive. If you get a 404, the host is alive. A non alive host will not display a response. To display metadata, use a hashfrag on the url /proxy/?url=http://169.254.169.254\@#whitelisteddomain.com or try   /proxy/?url=http://169.254.169.254\@%23whitelisteddomain.com

### Impact
Port scan internal hosts, and request information from internal hosts.


Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-rmxg-6qqf-x8mr: GeoNode Server Side Request forgery

PRESS RELEASE

New York City, NY. November 21, 2024 – Apono, the leader in privileged access for the cloud, today announced an update to the Apono Cloud Access Platform that enables users to automatically discover and revoke standing access to resources across their cloud environments. Users can then create guardrails for sensitive resources, allowing Apono to process and assess access requests, and quickly provide Just-in-Time, Just-Enough access to users when needed. Today’s update will be available across all three major cloud service providers, with AWS being the first to launch, followed by Azure and Google Cloud Platform. 

“Today’s update enriches the Apono Cloud Access Platform’s unique combination of automated discovery, assessment, management, and enforcement capabilities,” said Rom Carmel, CEO and Co-founder of Apono. “With deep visibility across the cloud, seamless permission revocation, and automated Just-in-time, Just-Enough Access, we eliminate one of the largest risks organizations face while ensuring development teams can innovate rapidly with seamless access within secure guardrails. This powerful combination is essential for modern businesses, unlocking a new level of security and productivity for our customers.” 

Standing access within the cloud has long been a prime target for cybercriminals, enabling them to swiftly escalate both horizontally and vertically during a breach. However, security teams have lacked complete visibility over existing standing access, leaving critical vulnerabilities across the user base. Additionally, security teams have been reluctant to revoke existing standing access due to the risk of impacting users' day-to-day needs, which can ultimately lead to significantly hampering business operations across the organization.  

Today’s update allows users to overcome this challenge by enabling security teams to: 

Gain complete visibility over user permissions, identifying 100% of standing user entitlements in the cloud and where high-risk, standing privileges exist. 

Confidently and seamlessly remove 95% of standing entitlements without impacting business operations.  

Use critical insights on high-risk permissions to inform remediation plans, guide administrators in establishing access flows, and automatically grant Just-in-Time, Just-Enough access to cloud resources for only the required duration before access is revoked again. 

“Over-privileged access is one of the most significant risks to identity security that organizations face today, and it's made even more challenging to manage by expanding cloud environments. At the same time, to keep pace, organizations need to grant permissions dynamically to support day-to-day work. This creates a complex obstacle: how can an organization grant the necessary access for productivity while also enhancing its identity security?” said Simon Moffatt, Founder and Analyst, The Cyber Hut, “With this in mind, delivering Just-in-Time and Just-Enough Access across cloud services should be the goal of modern identity management. An approach to solve this will help companies significantly reduce their attack surface while ensuring a seamless access experience for their workforce.” 

Apono will provide in-person demonstrations of today's update and the complete Apono Cloud Access Platform at AWS re:Invent from December 2-6. Click here to learn more.  

For more information, visit the Apono website here: www.apono.io. 

You May Also Like

Apono Enhances Platform Enabling Permission Revocation and Automated Access

Forces Penpals, a social network for US and UK military personnel, exposed the sensitive data of 1.1M users,…

Forces Penpals, a social network for US and UK military personnel, exposed the sensitive data of 1.1M users, including SSNs, personal details, and proof of service. Learn about the incident and its possible impact.

Forces Penpals, a dating service and social network for members of the US and UK armed forces and their supporters since 2002, was found leaking personal details of over 1.1 million registered users.

This issue was identified by Jeremiah Fowler, a prominent cybersecurity researcher recognized for uncovering and advising on securing **misconfigured cloud servers** and databases.

According to Fowler’s **report** for VPNmentor, shared with Hackread.com ahead of its publication on November 20, 2024, the data belonged to Conduitor Limited, which publicly trades as Forces Penpals.

****The Exposed Data****

The analysis revealed that the leaked information included both Personally Identifiable Information (PII) and sensitive images. Additionally, the exposed data contained Social Security Numbers (SSNs) of unsuspecting users. This echoes the August 6, 2024, breach at National Public Data, where a hacker leaked 3.6 billion records from users in the USA, Canada, and the UK, which also included billions of SSNs.

In the case of Forces Penpals, the server exposed the following data:

*   **Images**
*   **Locations**
*   **Full names**
*   **Mailing addresses**
*   **Social Security Numbers**
*   **National Insurance Numbers (Similar to SSN in the UK).**

Fowler noted that the server also contained additional data that should not have been exposed. This included documents such as proof of service, military ranks, the branch of service the individual belongs to, and other sensitive details.

> _“The publicly exposed database was not password-protected or encrypted. It contained a total of 1,187,296 documents. In a limited sampling, a majority of the documents I saw were user images, while others were photos of potentially sensitive proof of service documents.”_  
> 
> Jeremiah Fowler

Screenshot from the exposed data (Screenshot via VPNmentor)

****Current Status****

Forces Penpals has acknowledged the breach, attributing it to a coding error that misdirected documents and left a directory listing publicly accessible. The company has since taken steps to secure the database.

However, it is still unclear whether any malicious actors accessed the exposed information. Forces Penpals has yet to disclose the duration of the exposure or report any signs of suspicious activity.

It is also unclear whether the data was leaked through the website or the company’s iOS and Android apps. Nevertheless, this incident is a reminder for similar services to focus on data security and safeguard their users’ privacy from growing cyber threats.

1.  **Data Leak Exposes Indian Police, Military Biometric Data**
2.  **US military personnel defrauded into losing $822m in scams**
3.  **British Military’s Twitter and YouTube Hacked in Crypto Scam**
4.  **US Military Targeted by Smartwatches Linked to Data Breaches**
5.  **Misconfigured AWS Buckets Expose US Military Spying Campaign**

US and UK Military Social Network “Forces Penpals” Exposes SSN, PII Data

Ubuntu Security Notice 7120-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7120-2November 20, 2024linux-aws-6.8, linux-azure, linux-azure-6.8, linux-oracle-6.8,vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-aws-6.8: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-6.8: Linux kernel for Microsoft Azure cloud systems- linux-oracle-6.8: Linux kernel for Oracle Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - File systems infrastructure;  - Network traffic control;(CVE-2024-46800, CVE-2024-43882)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1018-azure    6.8.0-1018.21  linux-image-6.8.0-1018-azure-fde  6.8.0-1018.21  linux-image-azure               6.8.0-1018.21  linux-image-azure-fde           6.8.0-1018.21Ubuntu 22.04 LTS  linux-image-6.8.0-1016-oracle   6.8.0-1016.17~22.04.1  linux-image-6.8.0-1016-oracle-64k  6.8.0-1016.17~22.04.1  linux-image-6.8.0-1018-azure    6.8.0-1018.21~22.04.1  linux-image-6.8.0-1018-azure-fde  6.8.0-1018.21~22.04.1  linux-image-6.8.0-1019-aws      6.8.0-1019.21~22.04.1  linux-image-aws                 6.8.0-1019.21~22.04.1  linux-image-azure               6.8.0-1018.21~22.04.1  linux-image-azure-fde           6.8.0-1018.21~22.04.1  linux-image-oracle              6.8.0-1016.17~22.04.1  linux-image-oracle-64k          6.8.0-1016.17~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7120-2  https://ubuntu.com/security/notices/USN-7120-1  CVE-2024-43882, CVE-2024-46800Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/6.8.0-1018.21  https://launchpad.net/ubuntu/+source/linux-aws-6.8/6.8.0-1019.21~22.04.1  https://launchpad.net/ubuntu/+source/linux-azure-6.8/6.8.0-1018.21~22.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-6.8/6.8.0-1016.17~22.04.1

Ubuntu Security Notice USN-7120-2

Ubuntu Security Notice 7121-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7121-1November 19, 2024linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - S390 architecture;  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - ATM drivers;  - Device frequency scaling framework;  - GPU drivers;  - Hardware monitoring drivers;  - VMware VMCI Driver;  - Network drivers;  - Device tree and open firmware driver;  - SCSI drivers;  - Greybus lights staging drivers;  - BTRFS file system;  - File systems infrastructure;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - Netfilter;  - Memory management;  - Ethernet bridge;  - IPv6 networking;  - IUCV driver;  - Logical Link layer;  - MAC80211 subsystem;  - NFC subsystem;  - Network traffic control;  - Unix domain sockets;(CVE-2023-52614, CVE-2024-26633, CVE-2024-46758, CVE-2024-46723,CVE-2023-52502, CVE-2024-41059, CVE-2024-44987, CVE-2024-36020,CVE-2023-52599, CVE-2023-52639, CVE-2024-26668, CVE-2024-42094,CVE-2022-48938, CVE-2022-48733, CVE-2024-27397, CVE-2023-52578,CVE-2024-38560, CVE-2024-38538, CVE-2024-42310, CVE-2024-46722,CVE-2024-46800, CVE-2024-41095, CVE-2024-42104, CVE-2024-35877,CVE-2022-48943, CVE-2024-46743, CVE-2023-52531, CVE-2024-46757,CVE-2024-36953, CVE-2024-46756, CVE-2024-38596, CVE-2023-52612,CVE-2024-38637, CVE-2024-41071, CVE-2024-46759, CVE-2024-43882,CVE-2024-26675, CVE-2024-43854, CVE-2024-44942, CVE-2024-44998,CVE-2024-42240, CVE-2024-41089, CVE-2024-26636, CVE-2024-46738,CVE-2024-42309)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-4.15.0-1137-oracle  4.15.0-1137.148                                  Available with Ubuntu Pro  linux-image-4.15.0-1158-kvm     4.15.0-1158.163                                  Available with Ubuntu Pro  linux-image-4.15.0-1168-gcp     4.15.0-1168.185                                  Available with Ubuntu Pro  linux-image-4.15.0-1175-aws     4.15.0-1175.188                                  Available with Ubuntu Pro  linux-image-4.15.0-1183-azure   4.15.0-1183.198                                  Available with Ubuntu Pro  linux-image-4.15.0-231-generic  4.15.0-231.243                                  Available with Ubuntu Pro  linux-image-4.15.0-231-lowlatency  4.15.0-231.243                                  Available with Ubuntu Pro  linux-image-aws-lts-18.04       4.15.0.1175.173                                  Available with Ubuntu Pro  linux-image-azure-lts-18.04     4.15.0.1183.151                                  Available with Ubuntu Pro  linux-image-gcp-lts-18.04       4.15.0.1168.181                                  Available with Ubuntu Pro  linux-image-generic             4.15.0.231.215                                  Available with Ubuntu Pro  linux-image-kvm                 4.15.0.1158.149                                  Available with Ubuntu Pro  linux-image-lowlatency          4.15.0.231.215                                  Available with Ubuntu Pro  linux-image-oracle-lts-18.04    4.15.0.1137.142                                  Available with Ubuntu Pro  linux-image-virtual             4.15.0.231.215                                  Available with Ubuntu ProUbuntu 16.04 LTS  linux-image-4.15.0-1168-gcp     4.15.0-1168.185~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-1175-aws     4.15.0-1175.188~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-1183-azure   4.15.0-1183.198~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-231-generic  4.15.0-231.243~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-231-lowlatency  4.15.0-231.243~16.04.1                                  Available with Ubuntu Pro  linux-image-aws-hwe             4.15.0.1175.188~16.04.1                                  Available with Ubuntu Pro  linux-image-azure               4.15.0.1183.198~16.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 4.15.0.1168.185~16.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-16.04   4.15.0.231.243~16.04.1                                  Available with Ubuntu Pro  linux-image-gke                 4.15.0.1168.185~16.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-16.04  4.15.0.231.243~16.04.1                                  Available with Ubuntu Pro  linux-image-oem                 4.15.0.231.243~16.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-16.04   4.15.0.231.243~16.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7121-1  CVE-2022-48733, CVE-2022-48938, CVE-2022-48943, CVE-2023-52502,  CVE-2023-52531, CVE-2023-52578, CVE-2023-52599, CVE-2023-52612,  CVE-2023-52614, CVE-2023-52639, CVE-2024-26633, CVE-2024-26636,  CVE-2024-26668, CVE-2024-26675, CVE-2024-27397, CVE-2024-35877,  CVE-2024-36020, CVE-2024-36953, CVE-2024-38538, CVE-2024-38560,  CVE-2024-38596, CVE-2024-38637, CVE-2024-41059, CVE-2024-41071,  CVE-2024-41089, CVE-2024-41095, CVE-2024-42094, CVE-2024-42104,  CVE-2024-42240, CVE-2024-42309, CVE-2024-42310, CVE-2024-43854,  CVE-2024-43882, CVE-2024-44942, CVE-2024-44987, CVE-2024-44998,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46738, CVE-2024-46743,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46800

Ubuntu Security Notice USN-7121-1

Ubuntu Security Notice 7120-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7120-1November 19, 2024linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-hwe-6.8,linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency,linux-oem-6.8, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-nvidia: Linux kernel for NVIDIA systems- linux-nvidia-lowlatency: Linux low latency kernel for NVIDIA systems- linux-oem-6.8: Linux kernel for OEM systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-gcp-6.8: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-6.8: Linux hardware enablement (HWE) kernel- linux-nvidia-6.8: Linux kernel for NVIDIA systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - File systems infrastructure;  - Network traffic control;(CVE-2024-46800, CVE-2024-43882)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1014-gke      6.8.0-1014.18  linux-image-6.8.0-1015-raspi    6.8.0-1015.17  linux-image-6.8.0-1016-ibm      6.8.0-1016.16  linux-image-6.8.0-1016-oracle   6.8.0-1016.17  linux-image-6.8.0-1016-oracle-64k  6.8.0-1016.17  linux-image-6.8.0-1017-oem      6.8.0-1017.17  linux-image-6.8.0-1018-gcp      6.8.0-1018.20  linux-image-6.8.0-1018-nvidia   6.8.0-1018.20  linux-image-6.8.0-1018-nvidia-64k  6.8.0-1018.20  linux-image-6.8.0-1018-nvidia-lowlatency  6.8.0-1018.20.1  linux-image-6.8.0-1018-nvidia-lowlatency-64k  6.8.0-1018.20.1  linux-image-6.8.0-1019-aws      6.8.0-1019.21  linux-image-6.8.0-49-generic    6.8.0-49.49  linux-image-6.8.0-49-generic-64k  6.8.0-49.49  linux-image-aws                 6.8.0-1019.21  linux-image-gcp                 6.8.0-1018.20  linux-image-generic             6.8.0-49.49  linux-image-generic-64k         6.8.0-49.49  linux-image-generic-64k-hwe-24.04  6.8.0-49.49  linux-image-generic-hwe-24.04   6.8.0-49.49  linux-image-generic-lpae        6.8.0-49.49  linux-image-gke                 6.8.0-1014.18  linux-image-ibm                 6.8.0-1016.16  linux-image-ibm-classic         6.8.0-1016.16  linux-image-ibm-lts-24.04       6.8.0-1016.16  linux-image-kvm                 6.8.0-49.49  linux-image-nvidia              6.8.0-1018.20  linux-image-nvidia-64k          6.8.0-1018.20  linux-image-nvidia-lowlatency   6.8.0-1018.20.1  linux-image-nvidia-lowlatency-64k  6.8.0-1018.20.1  linux-image-oem-24.04           6.8.0-1017.17  linux-image-oem-24.04a          6.8.0-1017.17  linux-image-oracle              6.8.0-1016.17  linux-image-oracle-64k          6.8.0-1016.17  linux-image-raspi               6.8.0-1015.17  linux-image-virtual             6.8.0-49.49  linux-image-virtual-hwe-24.04   6.8.0-49.49Ubuntu 22.04 LTS  linux-image-6.8.0-1018-gcp      6.8.0-1018.20~22.04.1  linux-image-6.8.0-1018-nvidia   6.8.0-1018.20~22.04.1  linux-image-6.8.0-1018-nvidia-64k  6.8.0-1018.20~22.04.1  linux-image-6.8.0-49-generic    6.8.0-49.49~22.04.1  linux-image-6.8.0-49-generic-64k  6.8.0-49.49~22.04.1  linux-image-gcp                 6.8.0-1018.20~22.04.1  linux-image-generic-64k-hwe-22.04  6.8.0-49.49~22.04.1  linux-image-generic-hwe-22.04   6.8.0-49.49~22.04.1  linux-image-nvidia-6.8          6.8.0-1018.20~22.04.1  linux-image-nvidia-64k-6.8      6.8.0-1018.20~22.04.1  linux-image-nvidia-64k-hwe-22.04  6.8.0-1018.20~22.04.1  linux-image-nvidia-hwe-22.04    6.8.0-1018.20~22.04.1  linux-image-oem-22.04           6.8.0-49.49~22.04.1  linux-image-oem-22.04a          6.8.0-49.49~22.04.1  linux-image-oem-22.04b          6.8.0-49.49~22.04.1  linux-image-oem-22.04c          6.8.0-49.49~22.04.1  linux-image-oem-22.04d          6.8.0-49.49~22.04.1  linux-image-virtual-hwe-22.04   6.8.0-49.49~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7120-1  CVE-2024-43882, CVE-2024-46800Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-49.49  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1019.21  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1018.20  https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1014.18  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1016.16  https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1018.20  https://launchpad.net/ubuntu/+source/linux-nvidia-lowlatency/6.8.0-1018.20.1  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1017.17  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1016.17  https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1015.17  https://launchpad.net/ubuntu/+source/linux-gcp-6.8/6.8.0-1018.20~22.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-6.8/6.8.0-49.49~22.04.1  https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1018.20~22.04.1

Tag

#aws