Red Hat Security Advisory 2023-7215-01 - Red Hat OpenShift Service Mesh 2.2.12 Containers. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7215.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Service Mesh Containers for 2.2.12Advisory ID:        RHSA-2023:7215-01Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7215Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: Red Hat OpenShift Service Mesh 2.2.12 ContainersRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7215-01

Red Hat Security Advisory 2023-7205-01 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7205.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: nodejs:20 security update  
Advisory ID:        RHSA-2023:7205-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7205  
Issue date:         2023-11-14  
Revision:           01  
CVE Names:          CVE-2023-38552  
====================================================================

Summary: 

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* nodejs: permission model improperly protects against path traversal (CVE-2023-39331)

* nodejs: path traversal through path stored in Uint8Array (CVE-2023-39332)

* nodejs: integrity checks according to policies can be circumvented (CVE-2023-38552)

* nodejs: code injection via WebAssembly export names (CVE-2023-39333)

* node-undici: cookie leakage (CVE-2023-45143)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-38552

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2244104  
https://bugzilla.redhat.com/show_bug.cgi?id=2244413  
https://bugzilla.redhat.com/show_bug.cgi?id=2244414  
https://bugzilla.redhat.com/show_bug.cgi?id=2244415  
https://bugzilla.redhat.com/show_bug.cgi?id=2244418

Red Hat Security Advisory 2023-7205-01

By Waqas
The FBI arrested the operator of the IPStorm botnet, a Russian-Moldovan national, in Spain.
This is a post from HackRead.com Read the original post: Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

The IPStorm botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America.

A Russian-Moldovan national has pleaded guilty to operating an illegal botnet proxy service called IPStorm, responsible for infecting thousands of internet-connected devices worldwide.

Sergei Makinin, 32, of Moscow, Russia, was arrested by the F.B.I. with the cooperation of law enforcement authorities in Spain and Bitdefender, which provided cybersecurity consulting, resources, and guidance to track the suspect.

Makinin pleaded guilty to “three counts of violating 18 U.S.C. § 1030(a)(5)(A) Fraud and Related Activity in Connection with Computers,” in a district court in Puerto Rico as per the U.S. Department of Justice press release.

Makinin was suspected of running an extensive botnet-for-rent operation called Interplanetary Storm (IPStorm) used for illegal activities from June 2019 through December 2022. Bitdefender first documented the operation in a research paper in October 2020.

The botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America. IPStorm anonymized its users’ internet traffic, allowing them to conduct malicious activities such as hacking, identity theft, and fraud.

Countries targeted by IPStorm botnet based on the number of victims (Credit: Bitdefender)

In his guilty plea, Makinin admitted that he and his accomplices ran IPStorm from 2015 to 2019 and successfully compromised over 40,000 devices using the IPStorm malware and 23,000 “highly anonymous” proxies. The domains used by Makinin is the scam were proxx.io and proxx.net.

The IPStorm malware allowed Makinin hijack the devices and use them as a proxy. Cybercriminals preferred the service because it was inexpensive, easy to use, and effectively anonymized their internet traffic. Makinin also admitted to developing/distributing malware for infecting the devices, earning $550,0000, and laundering the money.

Makinin is the first to be charged in connection with IPStorm. He faces up to 10 years in prison and will have to forfeit the cryptocurrency wallets linked with the scam. The sentencing is yet to be scheduled. Meanwhile, the F.B.I. and DoJ will continue to investigate the service.

Prices offered by Makinin (Screenshot credit: Hackread.com)

Commenting on this development is the operation’s lead researcher and Bitdefender’s Investigation and Forensics Unit’s senior director, Alexandru Catalin Cosoi. Cosoi shared with Hackread.com that IPStorm was a “complex” botnet rented by cybercriminals for various nefarious activities:

“The Interplanetary Storm botnet was complex and used to power various cybercriminal activities by renting it as a proxy as a service system over infected IoT devices. Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests,” Cosio explained.

“This investigation is another primary example of law enforcement and the private cybersecurity sector working together to shut down illegal online activities and bring those responsible to justice.”

Makinin’s conviction is a significant victory for law enforcement in the fight against cybercrime. Botnet proxy services remain a serious threat because they are used to committing cybercrimes. This development sends a strong message to other cybercriminals that they will be held accountable for their actions sooner or later.

****_RELATED ARTICLES_****

1.  **Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet**
2.  **Man whose DDoS attacks took down entire country’s Internet jailed**
3.  **Luminosity RAT author pleads guilty to creating, selling hacking tool**
4.  **2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering**
5.  **No Prison for Student who Developed Spam Botnet to Pay College Fee**

Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

Multiple buffer copy without checking size of input ('classic buffer overflow') vulnerabilities [CWE-120] in FortiADC version 7.2.0 and before 7.1.2 & FortiDDoS-F version 6.5.0 and before 6.4.1 allows a privileged attacker to execute arbitrary code or commands via specifically crafted CLI requests.

** PSIRT Advisories**

**FortiADC & FortiDDoS-F - Buffer overflows in CLI commands**

**Summary**

Multiple buffer copy without checking size of input ('classic buffer overflow') vulnerabilities \[CWE-120\] in FortiADC & FortiDDoS-F may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI requests.

Version

Affected

Solution

FortiDDoS-F 6.5

6.5.0

Upgrade to 6.5.1 or above

FortiDDoS-F 6.4

6.4.0 through 6.4.1

Upgrade to 6.4.2 or above

FortiDDoS-F 6.3

6.3 all versions

Migrate to a fixed release

FortiDDoS-F 6.2

6.2 all versions

Migrate to a fixed release

FortiDDoS-F 6.1

6.1.0 through 6.1.4

FortiADC 7.2

7.2.0

Upgrade to 7.2.1 or above

FortiADC 7.1

7.1.0 through 7.1.2

Upgrade to 7.1.3 or above

FortiADC 7.0

7.0 all versions

Migrate to a fixed release

FortiADC 6.2

6.2 all versions

Migrate to a fixed release

FortiADC 6.1

6.1 all versions

Migrate to a fixed release

FortiADC 6.0

6.0 all versions

Migrate to a fixed release

FortiADC 5.4

5.4 all versions

Migrate to a fixed release

FortiADC 5.3

5.3 all versions

Migrate to a fixed release

FortiADC 5.2

5.2 all versions

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

**Timeline**

2023-11-02: Initial publication

CVE-2023-29177: Fortiguard

Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed OracleIV.
"Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable

Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed **OracleIV**.

"Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv\_latest' and containing Python malware compiled as an ELF executable," Cado researchers Nate Bill and Matt Muir said.

The malicious activity starts with attackers using an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which, in turn, runs a command to retrieve a shell script (oracle.sh) from a command-and-control (C&C) server.

Oracleiv\_latest purports to be a MySQL image for docker and has been pulled 3,500 times to date. In a perhaps not-so-surprising twist, the image also includes additional instructions to fetch an XMRig miner and its configuration from the same server.

That said, the cloud security firm said it did not observe any evidence of cryptocurrency mining performed by the counterfeit container. The shell script, on the other hand, is concise and incorporates functions to conduct DDoS attacks such as slowloris, SYN floods, and UDP floods.

Exposed Docker instances have become a lucrative attack target in recent years, often used as conduits for cryptojacking campaigns.

"Once a valid endpoint is discovered, it's trivial to pull a malicious image and launch a container from it to carry out any conceivable objective," the researchers said. "Hosting the malicious container in Docker Hub, Docker's container image library, streamlines this process even further."

It's not just Docker, as vulnerable MySQL servers have emerged as the target of another DDoS botnet malware known as Ddostf, according to the AhnLab Security Emergency Response Center (ASEC).

"Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period," ASEC said.

"Only DDoS commands can be performed on the new C&C server. This implies that the Ddostf threat actor can infect numerous systems and then sell DDoS attacks as a service."

Compounding matters further is the emergence of several new DDoS botnets, such as hailBot, kiraiBot, and catDDoS that are based on Mirai, whose source code leaked in 2016.

"These newly developed Trojan horses either introduce new encryption algorithms to hide critical information or better hide themselves by modifying the go-live process and designing more covert communication methods," cybersecurity company NSFOCUS revealed last month.

Another DDoS malware that has resurfaced this year is XorDdos, which infects Linux devices and "transforms them into zombies" for follow-on DDoS attacks against targets of interest.

Palo Alto Networks Unit 42 said the campaign began in late July 2023, before peaking around August 12, 2023.

"Before malware successfully infiltrated a device, the attackers initiated a scanning process, employing HTTP requests to identify potential vulnerabilities in their targets," the company noted. "To evade detection, the threat turns its process into a background service that runs independently of the current user session."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

Red Hat Security Advisory 2023-6251-01 - Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6251.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Virtualization 4.11.7 Images security and bug fix update  
Advisory ID:        RHSA-2023:6251-01  
Product:            OpenShift Virtualization  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6251  
Issue date:         2023-11-01  
Revision:           01  
CVE Names:          CVE-2022-41723  
====================================================================

Summary: 

Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.11.7 images.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* 4.11.7 containers (BZ#2246329)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41723

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6251-01

Red Hat Security Advisory 2023-6248-01 - Red Hat OpenShift Virtualization release 4.12.8 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6248.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: OpenShift Virtualization 4.12.8 Images security updateAdvisory ID:        RHSA-2023:6248-01Product:            OpenShift VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6248Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2022-41723====================================================================Summary: Red Hat OpenShift Virtualization release 4.12.8 is now available with updates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.This advisory contains OpenShift Virtualization 4.12.8 images.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-41723References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6248-01

Red Hat Security Advisory 2023-6239-01 - An update is now available for Kiali for RHEL 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6239.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Kiali (Kiali 1.65.10) security updateAdvisory ID:        RHSA-2023:6239-01Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6239Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update is now available for Kiali (Kiali 1.65.10) for RHEL 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6239-01

Red Hat Security Advisory 2023-6235-01 - Red Hat OpenShift Virtualization release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6235.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Virtualization 4.13.5 Images security update  
Advisory ID:        RHSA-2023:6235-01  
Product:            OpenShift Virtualization  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6235  
Issue date:         2023-11-01  
Revision:           01  
CVE Names:          CVE-2022-41723  
====================================================================

Summary: 

Red Hat OpenShift Virtualization release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.5 images.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* [4.13] portworx: update the storageProfile (BZ#2237872)

* kubevirt_vmi_phase_count metrics is not working in 4.13.5 (BZ#2240675)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41723

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Tag

#ddos