Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.

Wednesday, June 11, 2025 09:47

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except in the case of the catdoc zero-day vulnerabilities, which were patched by our researcher (patches found in this repository). This is an unusual case, because the vendor could not be reached to fix these high-risk bugs; our policy does not include fixing third-party vulnerabilities. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**catdoc zero-day vulnerabilities **

_Discovered by Ali Rizvi-Santiago of Cisco Talos._    

The catdoc program pulls plain text content from Microsoft Word, Excel, PowerPoint and Rich Text Format files. The vendor was unreachable, Debian will be merging our patches into their distribution. https://github.com/Cisco-Talos/catdoc-talos-fixes/releases/tag/talos-fixes.2025-05

TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 

TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability which exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95., and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT Parser functionality. A specially crafted malformed file can lead to heap-based memory corruption for either vulnerability, and an attacker can provide a malicious file as a trigger. 

**Parallel integer overflow vulnerability  **

_Discovered by KPC of Cisco Talos._    

Parallels is a desktop emulator for Mac computers that enables virtual Windows applications.

TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write to arbitrary files, potentially leading to privilege escalation.

There are three privilege escalation vulnerabilities in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740).

*   TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl\_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
*   TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
*   TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.

**NVIDIA integer overflow vulnerability  **

_Discovered by Dimitrios Tatsis of Cisco Talos._    

NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard \`objdump\` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc. 

TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. 

**High-Logic out-of-bounds read vulnerability  **

_Discovered by KPC of Cisco Talos._    

High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts. 

An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

We often write about important updates for the most popular browser, Google Chrome. Since it would be out of scope to post elaborate update instructions for every possible platform and operating system (OS)—like iOS, macOS, Windows, Android, etc.—we decided to turn this topic into a separate post that is easy to find (and link to). Also, keep in mind that not every update will be available for every platform or at the same time. You can find when the latest update for your operating system was released on this Google Chrome releases website.

Keeping your Google Chrome browser up to date is essential for security, performance, and access to the latest features. Whether you’re on Windows, Mac, Linux, Android, or iOS, updating Chrome is straightforward, if you know where to look.

But first a few words about the version numbers, because they can be confusing at times.

The Chrome version number consists of four parts separated by dots, like this:

**MAJOR.MINOR.BUILD.PATCH**

Each part has a specific meaning. In order of relevance they are:

*   **MAJOR**: This number increases with significant releases that may include major new features or changes. It usually raises in increments about 7 – 8 times per year, roughly every 6 weeks, reflecting Chrome’s release cycle.
*   **MINOR**: This number is typically zero and rarely changes. It mainly supports the versioning scheme but doesn’t usually affect how users track updates.
*   **BUILD**: This number increases steadily and represents a specific snapshot of Chrome’s source code at a given time. It advances with each new build candidate and is the key indicator of how recent the core code is.
*   **PATCH**: This number changes in increments for smaller fixes and security patches applied to a particular build. It resets with each new build and helps identify minor updates within the same build.

For example, a version like **137.0.7151.56** means:

*   Major version 137 (the milestone release)
*   Minor version 0 (standard)
*   Build number 7151 (the code snapshot)
*   Patch number 56 (the latest fix on that build)

**Why does the version number matter?**

The **BUILD** and **PATCH** numbers together uniquely identify the exact code you are running. Even if two versions share the same major number, a higher build or patch number means you have a newer, more up-to-date Chrome version.

Sometimes you might see slightly different patch numbers on the same major build, for example, **118.0.5993.117** vs. **118.0.5993.118**. This usually happens because Google released a quick fix or minor patch shortly after the initial release. Both are part of the same major update, but the higher patch number is newer.

**How to check if you have the latest version**

To verify your Chrome version:

1.  Open Chrome.
2.  Click the three-dot menu (⋮) in the top-right corner.
3.  Go to **Help** > **About Google Chrome**.

Chrome will display your current version and automatically check for updates. If a newer version is available, it will download and prompt you to relaunch once it’s ready updating.

Chrome is updating

**Update Chrome on Windows**

Method 1: Use Chrome’s built-in update feature

1.  Open Chrome.
2.  Click the three-dot menu icon (⋮) in the top-right corner.
3.  Hover over **Help**, then click **About Google Chrome**.
4.  Chrome will automatically check for updates and download them if available.
5.  Once downloaded, click **Relaunch** to complete the update.

To enable automatic updates for Google Chrome on Windows, ensure that the “**Automatically update Chrome for all users**” option is enabled in Chrome’s settings. You can find this setting by going to “**About Google Chrome**” within the Chrome settings. Closing and restarting Chrome may be required to apply the update. 

Method 2: using Windows Update (for Chrome Enterprise)

If your organization manages Chrome updates via Windows Update or group policies, updates may be automatic. Contact your IT admin if you don’t see updates.

Method 1: For each device

1.  Open Chrome.
2.  Click the three-dot menu icon (⋮) at the top-right.
3.  Select **Help** > **About Google Chrome**.
4.  Chrome will check for updates and install them automatically.
5.  Click **Relaunch** to finish updating.

You can also set up automatic browser updates for all users of your computer if Google Chrome is installed in your Applications folder. Go to “**About Google Chrome**,” and click **Automatically update Chrome for all users**.

Method 2: For Chrome Enterprise

As a Mac administrator, you can use Google Software Update to manage Chrome browser and Chrome apps updates on your users’ Mac computers.

**Update Chrome on Linux**

Chrome updates on Linux depend on your distribution and how you installed it.

For Debian/Ubuntu-based systems:

1.  Open a terminal.
2.  Run:

sudo apt update

sudo apt --only-upgrade install google-chrome-stable

3.  Restart Chrome to apply updates.

For Fedora/openSUSE:

1.  Open a terminal.
2.  Run:

sudo dnf upgrade google-chrome-stable

3.  Restart Chrome.

If you installed Chrome via a package manager, it should handle updates automatically when you update your system.

**Update Chrome on Android**

Chrome updates on Android are handled through the Google Play Store:

1.  Open the **Google Play Store** app.
2.  Tap your profile icon (top right).
3.  Select **Manage apps & device**.
4.  Under **Updates available**, look for **Chrome**.
5.  Tap **Update** next to Chrome if available.

Alternatively, if you have auto-updates enabled, Chrome updates automatically. To enable auto-updates for Android apps, open the Google Play Store, tap your profile picture, go to “Manage apps and device,” and then tap “Manage.” Select the app you want to update automatically, tap the “More” button, and toggle on “Enable auto-update.”

**Update Chrome on iOS (iPhone and iPad)**

Chrome updates on iOS come through the Apple App Store:

1.  Open the **App Store**.
2.  Tap your profile icon at the top right.
3.  Scroll down to **Available Updates**.
4.  Find **Google Chrome** and tap **Update**.

If auto-updates are enabled on your device, Chrome updates automatically.

Chrome in App Store’s recently updated section

**Updating Chrome on Chrome OS**

Chrome OS updates include Chrome browser updates:

1.  Click the time in the bottom-right corner.
2.  Click the **Settings** gear icon.
3.  In the left menu, select **About Chrome OS**.
4.  Click **Check for updates**.
5.  If an update is available, it will download and install automatically.
6.  Restart your Chromebook to complete the update.

Summary table of update methods

**Platform**

**Update Method**

**Notes**

Windows

Chrome Menu > Help > About Chrome

Manual or automatic update

macOS

Chrome Menu > Help > About Chrome

Manual or automatic update

Linux

Package manager commands

Varies by distro

Android

Google Play Store

Manual or automatic update

iOS

Apple App Store

Manual or automatic update

Chrome OS

Settings > About Chrome OS

System update

If you still have questions about updating the Chrome browser, let us know in the comments and allow us to update this article.

 How to update Chrome on every operating system 

Qualys details CVE-2025-5054 and CVE-2025-4598, critical vulnerabilities affecting Linux crash reporting tools like Apport and systemd-coredump. Learn how…

Qualys details CVE-2025-5054 and CVE-2025-4598, critical vulnerabilities affecting Linux crash reporting tools like Apport and systemd-coredump. Learn how to protect your Ubuntu, Red Hat, and Fedora systems.

Cybersecurity experts at Qualys have uncovered two significant weaknesses in common Linux operating systems. These information disclosure vulnerabilities, found in software tools called Apport and systemd-coredump, could allow attackers to steal sensitive information like password hashes from affected systems, reveals Qualys’ report shared with Hackread.com.

****Understanding the Flaws****

The Qualys Threat Research Unit (TRU) identified these issues as race-condition vulnerabilities. This means an attacker can exploit a brief moment in time when a program is handling data to gain unauthorized access.

One vulnerability tracked as CVE-2025-5054 affects Apport, which is Ubuntu’s built-in system for reporting crashes. This flaw occurs because a check for detecting if a crashing process was replaced by another process in a container happened too late. This could lead to sensitive information being sent to the container, potentially leaking it.

The second, CVE-2025-4598, targets systemd-coredump, a similar tool serving as the default crash handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora. This flaw allows an attacker to crash a SUID process (a program that runs with special permissions) and quickly replace it with a regular program.

If the attacker wins this _race_, they can then read the core dump of the original SUID process, gaining access to sensitive data that was in its memory, such as password hashes from the /etc/shadow file.

Both Apport and systemd-coredump are designed to create core dumps (snapshots of a program’s memory when it crashes). These dumps are very useful for developers trying to fix software problems. However, they can also contain private information, such as passwords or encryption keys. Normally, access to these files is restricted to prevent misuse.

According to Qualy’s blog post, its TRU has created proofs of concept (POCs) showing how a local attacker could use these vulnerabilities. Specifically, they’ve shown how an attacker could exploit a crashed program like unix\_chkpwd (which checks user passwords) to steal password hashes from the /etc/shadow file, a critical system file containing user passwords.

> _“The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps.”_
> 
>   
> Saeed Abbasi, Manager Product – Threat Research Unit, Qualys

****Who is Affected and How to Protect Yourself****

Many Linux systems are impacted by these newly discovered flaws. For Apport, all Ubuntu releases since 16.04 are vulnerable, with versions up to 2.33.0 being affected, including the recent Ubuntu 24.04.

Conversely, for systemd-coredump, Fedora 40 and 41, along with Red Hat Enterprise Linux 9 and the newly released RHEL 10, are at risk. Debian systems are generally safe by default unless systemd-coredump has been manually installed.

Exploiting these vulnerabilities could lead to serious security breaches, risking the confidentiality of sensitive data and potentially causing system downtime or reputational damage for organizations.

To help protect systems, Qualys recommends setting the /proc/sys/fs/suid_dumpable parameter to 0. This disables core dumps for programs that run with special permissions, which can act as a temporary fix if immediate software patches aren’t available. Qualys is also releasing new security scan IDs (QIDs), such as QID 383314, to help organizations detect these vulnerabilities.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), advises treating crash management as a secure data pipeline, isolating or disabling dump processing, encrypting dumps, shredding data post-triage, and tightening handler controls, to reduce risk and stay ahead of future threats.

Linux Crash Reporting Flaws (CVE-2025-5054, 4598) Expose Password Hashes

A Chrome zero-day bug, CVE-2025-4664, exposes login tokens on Windows and Linux. Google has issued a fix, users should update immediately.

A newly disclosed vulnerability in Google Chrome and Chromium-based browsers is putting users at risk of data leaks. Tracked as CVE-2025-4664, the flaw allows attackers to extract sensitive information like login tokens and session IDs from previously visited websites.

The security issue was detailed today by Wazuh, a cybersecurity company specializing in open-source threat detection. It affects users on both Windows and Linux, including Debian and Gentoo systems.

****How It Works****

The issue resides in the Chrome’s handling of the Link HTTP header when loading sub-resources like images and scripts. While most browsers ignore referrer policies in these headers, Chrome accepts them, even on cross-origin requests. That means an attacker can intentionally set a relaxed policy, such as unsafe-url, to access full referrer URLs.

These URLs can include sensitive data from other sites a user recently visited. If an attacker controls the destination server, they can quietly collect that data without the user knowing.

****Who’s Affected****

Users on the following systems are vulnerable if their browsers have not been updated:

*   **Windows**: Google Chrome versions before 136.0.7103.113

*   **Debian 11 Linux**: Chromium up to version 120.0.6099.224

*   **Gentoo Linux**: Chrome or Chromium versions before 136.0.7103.113

****What to Do****

Google has issued an emergency update to fix the vulnerability in Chrome on Windows and Chromium on Gentoo Linux. Debian users should uninstall affected versions of Chromium until a patched version becomes available.

****How to Manually Update Chrome (If auto-update is turned off)****

If Chrome isn’t updating automatically, follow these steps to make sure you’re running the latest version and protected against CVE-2025-4664:

1.  **Open Chrome** – Launch Google Chrome on your device.
2.  **Go to the Menu** – Click the three vertical dots in the top-right corner of the browser window.
3.  **Select “Help” → “About Google Chrome”** – This will open a new tab that shows your current version and automatically checks for updates.
4.  **Wait for Chrome to Check for Updates** – If a newer version is available, Chrome will start downloading it right away.
5.  **Click “Relaunch”** – Once the update is downloaded, click “Relaunch” to restart the browser and complete the installation.

****Check Update Status After Relaunch****

To confirm the update, go back to **Help > About Google Chrome**. The browser should now show the latest version number and the message “Google Chrome is up to date.”

If you’re on Windows, make sure the Chrome Update service is enabled in your system settings or through the Group Policy Editor. On Linux systems, especially those using Chromium, updates may require package manager commands or manual downloads depending on the distribution.

Wazuh’s blog post explains the importance of proactive vulnerability detection. Their tools provide real-time tracking and insights that help administrators stay on top of security threats, especially when zero-day flaws like this one come into play.

Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity

Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.

Tuesday, May 20, 2025 06:00

**Summary and background**

Google Cloud Platform (GCP) Cloud Functions are event-triggered, serverless functions that automatically scale and execute code in response to specific events like Hypertext Transfer Protocol (HTTP) requests or data changes. Tenable Research published an article discussing a vulnerability they discovered within GCP’s Cloud Functions serverless compute service and its Cloud Build continuous integration and continuous delivery or deployment (CI/CD) pipeline service.

“When a GCP user creates or updates a Cloud Function, a multi-step backend process is triggered,” Tenable author Liv Matan writes. “This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment.” This default Cloud Build Service Account (SA) previously gave users excessive Cloud Function permissions. An attacker who has gained the ability to create or update a cloud function could utilize the function’s deployment process to escalate privileges to the default Cloud Build service account or assign a higher privileged SA. Google has since partially addressed Tenable’s discovery to ensure the default Cloud Build service account no longer provides users with excessive permissions.

Based on Tenable’s research, Cisco Talos conducted a series of offensive tests within Cisco’s Google Cloud Platform (GCP) to identify additional threats that may affect customer environments.

During its research, Talos discovered that the technique Tenable identified could be adapted to perform other malicious activities. By implementing different malicious console commands into the Node Package Manager (NPM) ‘package.json’ file used in this technique, threat actors could execute behaviors such as environment enumeration.

Talos furthered this research by attempting to replicate similar behaviors in Amazon Web Services (AWS) and Microsoft Azure to determine if these techniques could be employed to perform similar malicious activities in other cloud-based environments.

**Research****Prerequisites**

To utilize this attack vector, certain prerequisites must be met. Talos set up a Debian Linux server within the GCP environment with Node Package Manager (NPM) and Ngrok installed. However, the virtual machine for this research can be created in any cloud environment.

After installing NPM and Ngrok, Talos configured both tools to function as intended.

Once NPM and Ngrok were configured, a Python server was created to output the data received from the cloud function.

With NPM, Ngrok, and the Python server set up and configured, the next step was to create and modify the NPM package.

Talos then replaced the content of the package.json file with the following code:

Finally, once all the necessary files are created and configured, Talos set up the environment to visually display the data output from deploying the functions. To achieve this, Talos activated both the Ngrok server and the Python server created earlier.

To replicate the GCP behavior discussed in Tenable’s article, Talos created/updated an SA with function build and cloud build permissions. This SA was then assigned to the GCP Cloud Run Function to allow the code to be executed with privileged access.

Once the servers and service accounts were online and configured to receive and output data, the emulation of the behavior could begin.

**Emulation**

With the package.json file configured to be utilized by the build function, Talos began emulating the technique described in Tenable’s research article.

The first step in Talos’ replication involved the utilizing a misconfigured GCP function to extract the default Cloud Build service account token. To initiate this process, the "malicious" package.json was updated on the virtual machine, ensuring that it contains code similar to that used by Tenable.

Once the package.json file was modified as desired, it needed to be published to the public NPM registry. To do this, Talos executed the following command:

With the package.json file uploaded to the NPM public registry, it was time to deploy the GCP Cloud Run Function so that the package.json can execute the provided code. To do this, the user must to navigate to their GCP Cloud Run Functions page and select or create a Cloud Run Function, ensuring it is assigned a service account with Cloud Build permissions.

Figure 1. Google Cloud Run Function displaying the assigned service account.

As Talos created or selected our existing GCP Cloud Run Function, we navigated to the source page of the cloud function. Here, Talos modified the package.json file to install the malicious package uploaded to NPM.

Figure 2. Google Cloud Run Function’s Source page.

Once Talos updated the package.json file with the correct name and version of the NPM package, we selected "Deploy" or "Save and Redeploy" to initiate the build process. During this process, the function sends the requested data to the Ngrok server, which was then output on the Python server.

Talos confirmed that the exfiltration of GCP service account access tokens can no longer be achieved using this method, due to Google's response and patching of the issue. We further verified this by executing the same command provided to our NPM-uploaded package.json from a separate virtual machine. The command executed successfully, confirming our suspicion that this specific technique for obtaining privileged service account tokens has been patched out.

**Original Research**

Cisco Talos' research extended Tenable’s original behavior concept by applying it to other cloud environments through modifications to their respective cloud services. AWS Lambda and Azure Functions are serverless compute services that allow users to run code without provisioning or managing servers. By creating a Lambda function or an Azure function with a Node.js 20.x runtime, a package.json file can be created with dependencies set to execute a malicious package uploaded to NPM’s public repository. These malicious packages may contain harmful console commands that provide a threat actor with valuable enumeration information.

Although this specific vector of threat actor behavior is no longer possible, other commands have proven useful in providing adversaries with valuable enumeration capabilities. These commands can be used on cloud platforms beyond GCP Cloud Build Function, such as AWS Lambda and Azure Functions.

Some examples of the types of enumeration a threat actor can perform using this method include the following.

**ICMP Discovery**

Internet Control Message Protocol (ICMP) Discovery is utilized to gather information about network devices and their configurations. By analyzing ICMP responses, adversaries can infer the network's structure, including the presence of routers, gateways, and the pathways between devices. This information can be crucial for planning attacks.

**Existence of .dockerenv**

Identifying the presence of a .dockerenv file indicates that a process is running inside a Docker container. By checking for this file, threat actors can confirm whether they are operating within a Docker environment. This information can influence their selection of tools and techniques, as containers often possess different security boundaries compared to host systems.

**CPU Scheduling**

Enumerating CPU Scheduling provides detailed scheduling and status information about the process with process identifier (PID) 1, which is typically the init system or main process in a containerized environment. Threat actors can determine the init system in use, such as systemd or sysvinit. This information helps them understand the system's configuration and identify potential vulnerabilities associated with the specific init system.

CPU Scheduling Data Output Plain Text

**Control Group Container ID**

Enumerating Control Group Container ID provides detailed information about current mount points. Threat actors can use this information to identify critical or sensitive filesystems that might be targeted for data exfiltration. By examining mount options, they can look for insecure configurations, such as filesystems mounted with exec permissions in directories where malicious binaries could be introduced. In containerized environments, understanding mount namespaces can aid in developing container escape techniques, enabling attackers to break out of the container and access the host system.

Control Group Container ID Plain Text 1 & Control Group Container ID Plain Text 2

**Initial Server Overview**

For Initial Server Overview enumeration, combining the following commands provides comprehensive details about the system's kernel, architecture and distribution, which are critical for understanding the environment and planning potential exploits. Knowing the exact OS and kernel version enables threat actors to choose the most effective exploits, as many vulnerabilities are version-specific.

**User and Permission Enumeration**

The following User and Permission commands provides insights into user accounts, privileges and group memberships, which are crucial for planning privilege escalation and lateral movement within a system.

**Network Discovery**

The following Network and Discovery commands help gather detailed insights into the system's operating environment and network setup, which can be used to identify vulnerabilities and plan attacks.

**Detailed System Commands**

The ‘cat /etc/os-release’ command reveals the operating system distribution and version. Knowing the exact OS helps attackers identify specific vulnerabilities and tailor their exploits to the target's environment.

**User Related Commands**

The ‘/etc/shadow’ file contains hashed passwords for user accounts, which, if accessed, can be used to crack passwords and gain elevated access to the system.

User Related Commands Data Output Plain Text

**AWS Lambda Functions**

The following example demonstrates Talos using the same commands previously mentioned within a Google Cloud Platform (GCP) environment, now applied in an Amazon Web Services (AWS) environment using Lambda functions. This illustrates that the method utilized by the Tenable lab can be adapted for other cloud-based environments, such as AWS.

**Azure Functions**

The following example demonstrates the same process performed with an AWS Lambda function, but instead utilizing Azure Functions within the Azure environment. This further proves that the method can be employed across various cloud-based environments.

**Conclusion and Defense Summary****Google’s Response**

As described in Tenable’s article, Google responded to their research by creating a remediation patch. This update altered the default behavior of Cloud Build and the default Cloud Build SA. Additionally, new organization policies were released to give organizations full control over which SA Cloud Build uses by default. While Google has implemented this remediation, Cloud Build services can still be used to execute non-privileged commands as a means of enumerating an environment.

**Mitigation Summary**

The most effective mitigation strategy to protect your environment from similar threat actor behavior is to ensure that all SAs within your cloud environment adhere to the principle of least privilege and that no legacy cloud SAs are still in use. Ensure that all cloud services and dependencies are up to date with the latest security patches. If legacy SAs are present, replace them with least-privilege SAs. 

Additionally, users with access to Cloud Functions should not have IAM permissions to the services included in the function’s orchestration.

**Threat Hunting Recommendations**

1.  **Audit and monitor SA permissions**: Regularly audit and monitor SA permissions, with a particular focus on the default Cloud Build SA. Adhere to the principle of least privilege by removing any excessive permissions that are not essential for the SA’s operations.
2.  **Alert setup for Cloud Functions**: Establish alerts for any unusual or unauthorized creation or modification of Cloud Functions. Identify potentially malicious activities where an attacker may be attempting to exploit function deployments for privilege escalation.
3.  **Inspect network traffic**: Analyze network traffic for unusual patterns or connections that might indicate data exfiltration attempts. Pay attention to data being sent to unknown or unauthorized external endpoints, such as those using Ngrok or similar tunneling services.
4.  **Verify NPM package integrity**: Ensure the integrity and authenticity of NPM packages used within Cloud Functions. Prevent the execution of malicious scripts embedded in package.json files that could facilitate environment enumeration or other malicious activities.
5.  **Detect environment enumeration**: Detect and respond to signs of environment enumeration, such as ICMP discovery or system information gathering.

Duping Cloud Functions: An emerging serverless attack vector

Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.

Unmasking the new persistent attacks on Japan

January Linux Patch Wednesday. Out of 424 total vulnerabilities, 271 are in the Linux Kernel. None show signs of exploitation in the wild, but 9 have public exploits. 🔸 RCE – Apache Tomcat (CVE-2024-56337). Based on the description, the vulnerability affects “case-insensitive file systems” like Windows or MacOS. However, Debian lists it as affecting tomcat9 […]

**January** **Linux Patch Wednesday****.** Out of 424 total vulnerabilities, 271 are in the Linux Kernel. None show signs of exploitation in the wild, but 9 have public exploits.

🔸 **RCE** – Apache Tomcat (CVE-2024-56337). Based on the description, the vulnerability affects “case-insensitive file systems” like Windows or MacOS. However, Debian lists it as affecting tomcat9 and tomcat10. Either this is about rare case-insensitive Linux installations or there is an error in the description. 🤷‍♂️  
🔸 **RCE** – Chromium (CVE-2025-0291). According to the FSTEC BDU, a public exploit exists.  
🔸 **RCE** – 7-Zip (CVE-2024-11477). What’s in the public is not an exploit, but a write-up.  
🔸 **Memory Corruption** – Theora (CVE-2024-56431). It’s not clear yet how to exploit this. 🤷‍♂️  
🔸 **Memory Corruption** – Telegram (CVE-2021-31320, CVE-2021-31319, CVE-2021-31315, CVE-2021-31318, CVE-2021-31322). Ubuntu fixed these vulnerabilities in the rlottie library package.

🗒 Full Vulristics report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

January Linux Patch Wednesday

Debian Linux Security Advisory 5823-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5823-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
December 02, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-44308 CVE-2024-44309

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-44308

    Clement Lecigne and Benoit Sevens discovered that processing  
    maliciously crafted web content may lead to arbitrary code  
    execution. Apple is aware of a report that this issue may have  
    been actively exploited on Intel-based Mac systems.

CVE-2024-44309

    Clement Lecigne and Benoit Sevens discovered that processing  
    maliciously crafted web content may lead to a cross site scripting  
    attack. Apple is aware of a report that this issue may have been  
    actively exploited on Intel-based Mac systems.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.46.4-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmdOKWgACgkQAAyEYu0C  
2AKrzQ/+MLk4EQ2c7zkYM1BU8PzgI1oNGvvl6VTcM696OWCvnj+hzyFLFsrwtwoc  
GeZ+Enz6VKBvtsXxTDgXLXw9NbFfFiVX2LnlIOzPcqfBXg9RTs70WwSM4CGUHTBs  
nPK1yixyYjCOy4MrlaCKrHttlrxqvK7VJeY0RypTfAkJlhzmHHdSpCfYAlJXtpFb  
dbGtP7pSxBnguTWq+oJFTG2wjyXjLcfd81QgcpOgINtnyn4hQaVVJOHr/H9+xoV5  
Rz6iGRS+MpmXyqc2kw2alEfY8UxfaP8K9X2u0A/YV8t+N6GKBLUNOo+XlFIFFb/J  
vbPbXRqaKCQzW0sIZ5um4Q9aBLX3JUiZIuz6+4lb5NTBbhnpjkG+EBGaoqG3OodY  
bZ9qmFZpXUYE/vSUzAcRWNsD6jWFV89Exu1BivAZdJ7J7tYzvs/2szHsATMkNjZo  
Twb6LH7PBd90hU6PETbuknrBgYd5dbdXXKn+v3SH9HXLMLd5S+xobEOMtGjG2zsd  
Z46JPP1FNqPDY+rHhWCDyVcvRnXx0WhY7PrGV/rjJ89M9xVYVZc136Bx8xrrULmo  
ZiAFBnz5VZRdeF/ma/inzsb8vXDCPX+0ruxtHdISiJf3Shjqft2mdfcR5mwPazab  
9GD3rCMl42A0Tftjg7b4f5J1x3ufy+kvfs+fEQ0jXYIuvoh7kF4=  
=v253  
-----END PGP SIGNATURE-----

Debian Security Advisory 5823-1

Debian Linux Security Advisory 5815-2 - The update for needrestart announced as DSA 5815-1 introduced a regression reporting false positives for processes running in chroot or mountns. Updated packages are now available to correct this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5815-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 02, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : needrestart  
Debian Bug     : 1087917 1087918 1087957 1087958 1088012 1088047

The update for needrestart announced as DSA 5815-1 introduced a  
regression reporting false positives for processes running in chroot or  
mountns. Updated packages are now available to correct this issue.

For the stable distribution (bookworm), this problem has been fixed in  
version 3.6-4+deb12u3.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdOLfZfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sn3g//WQsjNzCoGkx1iIZBPHr+pwZgH8n+eY0dNawuXsY2C1qev5h1d7Z+sHaR  
4HL6cMdWV02gryQ67G9rWgd63qY8btOrGqPfUSr3gWeqdbz9tQMrn+/9k2y9i+v3  
TIMrQ6dJUrK2fGXy0tQSOKUg18x3PMnMfedgzhT1fMagTMVl9b3FZLzZliSwajW9  
za5XnlbyRxulxBPRRoxVmnIeTUVr4oy3hOXI7X7ShrI7o/F5m5MBobBcgzFrl4Jq  
4NoqeXVpZ3LrZApGvKCylLFuuiMdmVcp9p1bA627HuKwyBRSM8hr0BECdSOKWddi  
jpAmX17qgrBcLhtLul4re2OA5x6sazwg15FH2d7wY8ROLWJnWIY9NoMTQPqWpxts  
C5KvRfzexYThKXo93hY9xg1bq6DAGiAAmndCoxsjAAEijYHQgWGdaDOvaO4zJ+qj  
jS13+/ox1oNbKV+5hTq/Tk+hROGttSKqx1McVz9lgTmprUaNlzti5pL2qCGQ91sA  
RhQ5m6OVEv+4DuuUQ7YFWFEZMVZtBCNI9fx8jlhrOCNAI10lAfrKAI7WYjHzrt+C  
/v5ufT8ESVdn2Qb2+z4zThj1S7BWi0KinRJS/dyR0UXIepCXlRWCOTvH+9CU+6d3  
j23hDNbSy0DZvPbClwH7jF4j0SksUXP/DbXLHQmabmDo/1PbbRo=  
=ZY8f  
-----END PGP SIGNATURE-----

Debian Security Advisory 5815-2

Debian Linux Security Advisory 5822-1 - It was discovered that in SimpleSAMLphp, an implementation of the SAML 2.0 protocol, is prone to a XXE vulnerability when loading an (untrusted) XML document.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5822-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 02, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : simplesamlphpCVE ID         : CVE-2024-52596It was discovered that in SimpleSAMLphp, an implementation of the SAML2.0 protocol, is prone to a XXE vulnerability when loading an(untrusted) XML document.For the stable distribution (bookworm), this problem has been fixed inversion 1.19.7-1+deb12u1.We recommend that you upgrade your simplesamlphp packages.For the detailed security status of simplesamlphp please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/simplesamlphpFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdNx7dfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Ramw//R//UPGNKlLuKl+WKnQgmgGaI41VEE+Ny4juiPNpHDfB1xlQLO/QyrALMtolILT6yeCgYP7nYUj5iEWaEP04iAa8xZyt1dQyCBmHPWrRhGPD0fB2Ne1dC6xujjHWFyQ/j26It23Vuogp8I/Kh1EdMYfDP4heSaPQlL6hMrj+tMMCfIZfmrVgFAVSFVNtWFbmkidySw8rGtNKr5rv8DCPyxGZWGIFNsog4IbQ/9F01eovIdAbVMANKmj0Anw9BjH9eXK38CPvhUmewT/l7WPcMyhav9yQtE/OxMilIiCTT3BOlO+kdUmdfk0jr6+Q57mmdQR7CYM4eAjXeDg7akyquhT+L/x0zNZl25bA/E2XMkQwxBnzV5KU3Z8WjBXXirbkIjHkwPAKrZCOv75ryYL2WKj5yT6KaLAx7KMqq5OQPFAOAD/3/0llsT9vQyTBk0f5MaTjZ4mIRIcsSD5Vu4QgaaZXH1FLlKK6ykcZ2QHGNdGYkRmfP2YdTcK5s8rReoIUSaclhlz3rKS+lv5WrbOQbcOvtpq+squIFqD0rRGA9r4dN/g0mGu6Uh/fY7xmkE9Ell5Lkg2LUwsOpsx/AvO1QOPJhxUcqYtko8sC8waC3TAlYOeBycWQk5aFeDPpgzs7JoZLfZB2hIsjD4QLe/Kavp06JCwIcHDzlnwJ7RaZ/cYE==5GGL-----END PGP SIGNATURE-----

Tag

#debian