The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023.
That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's

The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023.

That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's tactics, techniques, and procedures (TTPs).

"AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools," the agencies said. "AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data."

The ransomware strain first emerged on the scene in mid-2021, and has since leveraged sophisticated techniques to disable antivirus protection as a detection evasion measure. It affects Windows, Linux, and VMware ESXi environments.

A key hallmark of AvosLocker attacks is the reliance on open-source tools and living-off-the-land (LotL) tactics, leaving no traces that could lead to attribution. Also used are legitimate utilities like FileZilla and Rclone for data exfiltration as well as tunneling tools such as Chisel and Ligolo.

Command-and-control (C2) is accomplished by means of Cobalt Strike and Sliver, while Lazagne and Mimikatz are used for credential theft. The attacks also employ custom PowerShell and Windows Batch scripts for lateral movement, privilege escalation, and disarming security software.

"AvosLocker affiliates have uploaded and used custom web shells to enable network access," the agencies noted. Another new component is an executable named NetMonitor.exe that masquerades as a network monitoring tool but actually functions as a reverse proxy to allow the threat actors to connect to the host from outside the victim's network.

CISA and FBI are recommending critical infrastructure organizations to implement necessary mitigations to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents.

This includes adopting application controls, limiting the use of RDP and other remote desktop services, restricting PowerShell use, requiring phishing-resistant multi-factor authentication, segmenting networks, keeping all systems up-to-date, and maintaining periodic offline backups.

The development comes as Mozilla warned of ransomware attacks leveraging malvertising campaigns that trick users into installing trojanized versions of Thunderbird, ultimately leading to the deployment of file-encrypting malware and commodity malware families such as IcedID.

Ransomware attacks in 2023 have witnessed a major surge, even as threat actors are moving swiftly to deploy ransomware within one day of initial access in more than 50% of engagements, according to Secureworks, dropping from the previous median dwell time of 4.5 days in 2022.

What's more, in more than 10 percent of incidents, ransomware was deployed within five hours.

"The driver for the reduction in median dwell time is likely due to the cybercriminals' desire for a lower chance of detection," Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit, said.

"As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high."

Exploitation of public facing applications, stolen credentials, off-the-shelf malware, and external remote services have emerged as the three largest initial access vectors for ransomware attacks.

To rub salt into the wound, the RaaS model and the ready availability of leaked ransomware code have lowered the barrier to entry for even novice criminals, making it a lucrative avenue to make illicit profits.

"While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks," Smith added. "Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace."

Microsoft, in its annual Digital Defense Report, said 70% of organizations encountering human-operated ransomware had fewer than 500 employees, and that 80 to 90 percent of all compromises originate from unmanaged devices.

Telemetry data gathered by the company shows that human-operated ransomware attacks have gone up more than 200 percent since September 2022. Magniber, LockBit, Hive, and BlackCat comprised almost 65 percent of all ransomware encounters.

On top of that, approximately 16 percent of recent successful human-operated ransomware attacks involved both encryption and exfiltration, while a 13 percent used exfiltration only.

"Ransomware operators are also increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against their attacks," the tech giant said. "This reinforces the importance of a holistic security approach."

Redmond said it also observed a "sharp increase" in the use of remote encryption during human-operated ransomware attacks, accounting for 60 percent on average over the past year.

"Instead of deploying malicious files on the victim device, encryption is done remotely, with the system process performing the encryption, which renders process-based remediation ineffective," Microsoft explained. "This is a sign of attackers evolving to further minimize their footprint."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI, CISA Warn of Rising AvosLocker Ransomware Attacks Against Critical Infrastructure

Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.

CVE-2023-5573

Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0.

@@ -1,11 +1,10 @@ import { appRouter, errors, publicPlugin, trpcPlugin } from "@vrite/backend"; import { errors, publicPlugin, trpcPlugin, processAuth } from "@vrite/backend"; import staticPlugin from "@fastify/static"; import websocketPlugin from "@fastify/websocket"; import axios from "axios"; import viewPlugin from "@fastify/view"; import handlebars from "handlebars"; import { FastifyReply } from "fastify"; import { processAuth } from "@vrite/backend/src/lib/auth"; import { nanoid } from "nanoid"; import multipartPlugin from "@fastify/multipart"; import mime from "mime-types"; Expand All @@ -15,7 +14,7 @@ import path from "path";  
const appService \= publicPlugin(async (fastify) \=> { const renderPage \= async (reply: FastifyReply): Promise<void\> \=> { return reply.view("index.html", { return reply.header("X-Frame-Options", "SAMEORIGIN").view("index.html", { PUBLIC\_APP\_URL: fastify.config.PUBLIC\_APP\_URL, PUBLIC\_API\_URL: fastify.config.PUBLIC\_API\_URL, PUBLIC\_COLLAB\_URL: fastify.config.PUBLIC\_COLLAB\_URL, Expand Down Expand Up @@ -51,57 +50,6 @@ const appService = publicPlugin(async (fastify) => { fastify.setNotFoundHandler(async (\_request, reply) \=> { return renderPage(reply); }); fastify.get<{ Querystring: { url: string } }\>("/proxy\*", async (request, reply) \=> { const filterOutRegex \= /(localhost|\\b(?:(?:25\[0-5\]|2\[0-4\]\\d|\[01\]?\\d\\d?)\\.){3}(?:25\[0-5\]|2\[0-4\]\\d|\[01\]?\\d\\d?)(?::\\d{0,4})?\\b)/;  
if (request.headers.origin) { reply.header("Access-Control-Allow-Origin", fastify.config.PUBLIC\_APP\_URL); reply.header("Access-Control-Allow-Methods", "GET"); reply.header( "Access-Control-Allow-Headers", request.headers\["access-control-request-headers"\] ); } else if ( fastify.config.NODE\_ENV !== "development" && !fastify.config.PUBLIC\_APP\_URL.includes("localhost") ) { // Prevent proxy abuse in production return reply.status(400).send("Invalid Origin"); }  
if ( filterOutRegex.test(request.query.url) && !request.query.url.includes(fastify.config.PUBLIC\_ASSETS\_URL) ) { return reply.status(400).send("Invalid URL"); }  
if (request.method \=== "OPTIONS") { // CORS Preflight reply.send(); } else { const targetURL \= request.query.url;  
try { const response \= await axios.get(targetURL, { responseType: "arraybuffer" });  
if (!\`${response.headers\["content-type"\]}\`.includes("image")) { return reply.status(400).send("Invalid Content-Type"); }  
reply.header("content-type", response.headers\["content-type"\]); reply.send(Buffer.from(response.data, "binary")); } catch (error) { // eslint-disable-next-line no-console console.error(error);  
return reply.status(500).send("Could not fetch"); } } }); fastify.post<{ Body: Buffer; }\>("/upload", async (req, res) \=> { Expand Down

CVE-2023-5572: Vrite v0.3 (#45) · vriteio/vrite@1877683

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.

**Cross-site Scripting (XSS) in froxlor/froxlor**

Moderate severity GitHub Reviewed Published Oct 13, 2023 to the GitHub Advisory Database • Updated Oct 13, 2023

GHSA-j5hq-6frc-64v3: Cross-site Scripting (XSS) in froxlor/froxlor

Improper Authentication vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules allows a remote unauthenticated attacker to obtain sequence programs from the product or write malicious sequence programs or improper data in the product without authentication by sending illegitimate messages.








%PDF-1.7 %���� 193 0 obj <> endobj 217 0 obj <>/Encrypt 194 0 R/Filter/FlateDecode/ID\[<45ABE724E55DAD4D846015193B9C4179><27416F8FC7DC2B469F6B2BB55C31DF91>\]/Index\[193 40\]/Info 192 0 R/Length 113/Prev 172988/Root 195 0 R/Size 233/Type/XRef/W\[1 3 1\]>>stream h�bbd\`\`\`b\`\`f�L�A$C�d����\`v8X�;Xe:�d߁ Yg�H�,����k��)�D���a<�lf��f���j���Z���� ����j�����n endstream endobj startxref 0 %%EOF 232 0 obj <>stream w���\_�ى�\\�"�n��mH�0�",J�mLN�M�F� =.�$���(��dZ�M�\`�b�TKDJ�d�Xo�|�-Y�?sP<�� ��}�Ck�ٌ��Y�:�� �(��/mR�$h\[EG��x�T�݃\[��=\\;\_���b4��Oia7�K��# endstream endobj 194 0 obj <>>>/Filter/Standard/Length 256/O(��FW�Z\\)5\\n�f�w �c�O��3���������w'\\nG:uO~�Ѱ)/OE(����Em��>��W��w6�����f�H�����)/P -1324/Perms(G�����G6���1t;��)/R 6/StmF/StdCF/StrF/StdCF/U(<���f�v��vv�J��Omj@��v�8�E����!>\$\$W�^O���)/UE(7S6S�4}IEYc���,�e�eF�Z�����)/V 5>> endobj 195 0 obj <>/Metadata 6 0 R/PageLayout/OneColumn/Pages 191 0 R/StructTreeRoot 11 0 R/Type/Catalog>> endobj 196 0 obj <>/ProcSet\[/PDF/Text\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 197 0 obj <>stream ����C嗼�S�zk�V�܋��8G�h#!��\\�B�g�v%M=Ј�O�\`� �\_b�ߍgnB������J���6Y1vj�e\\������\_:��8��Dc:�ϰ�hځ��:�=���p��&f�o��0| #9� �=��ល�W� A� /�����û���tI/b��I�lvv��j��)���c\*8�to}|\`�$��2ip�,����GuE��Tb�� �M�,�@�����|a�aP��~vʲ����L� �rPu�!\*GbO��IɃB��5�����r���\[��{�i^ J��� :��GΆ�\\k\_X�~�� ���8�\`�U��T.�\*o��;xQ#�&�d~��Z7�煱9�#=�����7δC�>S�N��+���\*E�����G���ֱ��p2ŊٖhʬEr��-|���Y�\[�h�Q��hl�Qcܝ�\*�S�ve �>�T�ԛ �IY�󍮰&��y����f�{F��P���@�� �w=� &9D�GPd0�Bv^���¬r�K�ᤦ�VR�7d�W�Y9jo��p�Ad(�\[ D�L�f;ʬ, ^$cs�d�%�xe<�C}U0�"�����^G�ɴ1�N^^����t^��"΂使ק����/��6�9�ՒQ>��C�AT�\\ �\\��f���%D�EVf6K�k����@�\`ڸ��8�t���c��'X�u�T��������}���U�wbd }�Pk^���4��\_���3!3����JET?�kL>&DQe��;����MS�x.�l��&�����i�җ�؆�R���L�#��"���&��Ȉ{�$Z�/\[�<ص��8�$���ՓVs����ew\`(2�d�4l|��|�m�b"˼��Km ��� \`0� 6�d�Y��D,��qW�!kH��wt�˂��Kԝ\[�.װ���&I9�=���d�6\`����>��k���N ��O����zP �Z�86������ϵTڍ�f��~�'��H�w�d�#�y#x�#�e|���F�;,ױ��-E������u� endstream endobj 198 0 obj <>stream ���jTI�;-��F���}o/I�W ��\*�6|,l)�s26r�ځ"l�nK��l5�~��H��f@i%z@a��2y@7����;D��w\_6;�w�6�������m�"�\`�$�V��C!V@����^���d0�6���m���L���&�l��v�'��%kA5�S�p��Lo�e �HO8tT�'\_��IA�2�͢}e�6Id?u@�MX+pS��}�^A\`��O���ߵ=��{ٌ!3ܑ������\[S�&م�ц�����q endstream endobj 199 0 obj <>stream ��?��>X�g� ��\*�lrh�T�\[z\_�xBYLa�sg

CVE-2023-4562

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 448

*   Code
*   Issues 42
*   Pull requests 5
*   Actions
*   Projects 3
*   Wiki
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

enable markdown syntax in custom\_notes field

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

*   Loading branch information

d00p committed

Oct 2, 2023

1 parent a808a3f commit e8ed430

Showing **9 changed files** with **511 additions** and **39 deletions**.

*   composer.json
*   composer.lock
*   *   *   Markdown.php
    *   *   *   Customer.php
            *   Text.php
        *   *   FroxlorTwig.php
*   *   de.lng.php
    *   en.lng.php
*   *   index.html.twig

4 changes: 2 additions & 2 deletions composer.json

Expand Up

@@ -53,10 +53,10 @@

"froxlor/idna-convert-legacy": "^2.1",

"voku/anti-xss": "^4.1",

"twig/twig": "^3.3",

"erusev/parsedown": "^1.7",

"symfony/console": "^5.4",

"pear/net\_dns2": "^1.5",

"amnuts/opcache-gui": "^3.4"

"amnuts/opcache-gui": "^3.4",

"league/commonmark": "^2.4"

},

"require-dev": {

"phpunit/phpunit": "^9",

Expand Down

**0 comments on commit e8ed430**

Please sign in to comment.

CVE-2023-5564: enable markdown syntax in custom_notes field · Froxlor/Froxlor@e8ed430

An issue was discovered in Plixer Scrutinizer before 19.3.1. It exposes debug logs to unauthenticated users at the /debug/ URL path. With knowledge of valid IP addresses and source types, an unauthenticated attacker can download debug logs containing application-related information.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41263: advisories/ATREDIS-2023-0001.md at master · atredispartners/advisories

Finding the right post-quantum cryptographic (PQC) algorithms is necessary, but not sufficient, to future-proof cybersecurity.

The quantum threat to cybersecurity is easy enough to state. A quantum computer of sufficient size can efficiently factor integers and compute discrete logarithms by Shor's algorithm, breaking much of the public-key cryptography in use today, including Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC). Vulnerable public-key cryptography permeates all layers of the stack, creating a pressing need for post-quantum cryptography (PQC) — public-key algorithms that can protect against quantum computing threats.

Security analysis of the National Institute for Standards and Technology (NIST) candidate algorithms for PQC standardization suggests the need for cryptographic agility, meaning the ability to easily change the underlying cryptographic algorithms or implementations. For example, in the third and fourth rounds of the NIST algorithm evaluation process, experts developed novel attacks against the GeMSS and Rainbow digital signature schemes and the KEM candidate SIKE, causing their elimination from consideration. And recent research demonstrated a side-channel attack on Crystals-Kyber — one of the four algorithms NIST selected for standardization.

In a few years' time, it is unlikely that PQC algorithms and implementations will look exactly as they do now. However, organizations cannot afford to wait to begin the migration to PQC. A breakthrough in quantum computing research could mean that a quantum computer with enough power to break current public-key cryptography gets deployed before organizations have fully inventoried and upgraded all instances of vulnerable cryptography in all internal and third-party applications. Cryptographic orchestration — the ability to centrally view and manage the use of cryptography throughout an enterprise — needs to be a near-term strategy to address security and compliance at scale.

**The Importance of Agility**

The typical deployment model for cryptography is highly decentralized and fragmented, with cryptography coupled directly to end applications and provided by a mix of platform- or language-specific libraries. This model, in turn, leads to reduced visibility and agility. As a result, it is no wonder that a recent memo from the NSA sets a target date of 2035 for the migration to PQC — over 10 years from now.

To balance the need to begin migration now with the realities of an immature ecosystem, organizations should pursue PQC solutions that are agile. Fundamentally, cryptographic agility for a library, protocol, or application means the ability to swap out the cryptographic algorithms or implementations in use with minimal disruption. A cryptographically agile system can rapidly respond to novel cryptanalysis or implementation bugs by easily swapping out or upgrading vulnerable cryptography. Cryptographic agility also allows systems to take advantage of new implementations that are faster or use less memory.

Cryptographic agility, however, should not be the end of the story. Just as with previous transitions — from DES to AES, MD5 to SHA-1, and SHA-1 to SHA-2 — cryptographic algorithms have a life cycle that includes improved iterations and occasionally a phase-out stage. To future-proof their security, organizations should look to develop or integrate solutions with cryptographic orchestration — a single system interface to track and manage the cryptography in use by applications and devices throughout the entire algorithm life cycle.

**Why Orchestration Matters**

The idea of cryptographic orchestration mirrors software-defined networking (SDN) in computer networking. Managing a traditional IP network is a time-intensive, error-prone process that involves manually configuring switches, routers, and middleboxes using vendor-specific tools or command-line interfaces.

The innovation of SDN is a layer of middleware that abstracts away the low-level details of the switches and routers responsible for forwarding packets and exposes an abstract interface at the network policy level. The middleware ensures that the low-level elements implement a given policy. With SDN, implementing dynamic routing policies at scale becomes a tractable problem.

Cryptographic orchestration applies a similar level of abstraction and automation on top of the low-level entities executing cryptographic protocols or algorithms to expose an interface for cryptographic policy. By working at the level of policy, orchestration can also ease the burden for organizations to meet current and future regulatory and compliance requirements at scale.

In the migration to PQC, consider that any compliance target, such as FIPS 140-2, that references vulnerable public-key cryptography will have to change with the quantum threat. Cryptographic orchestration makes such tasks much easier by providing visibility into which algorithms, key sizes, key rotation policies, or entropy sources any instance of cryptography is using, in addition to providing the means to easily swap out vulnerable or noncompliant instances. Orchestration will become even more important as the number of devices and applications in an organization increases due to computing trends such as "bring your own device" (BYOD) and the Internet of Things (IoT).

**PQC Lessons for Enterprise**

Overall, the migration to PQC brings a couple of key considerations for enterprise security to the forefront. First, the PQC standardization process is still ongoing. Experts continue to attack and probe the candidates, while submission teams look to patch deficiencies and optimize implementations in software and hardware. In the short term, the shifting PQC landscape requires cryptographic agility in libraries, protocols, and applications to securely navigate the migration away from vulnerable public-key algorithms.

Second, the PQC process more broadly reminds us that cryptographic algorithms have a life cycle. Classical public-key algorithms are nearing the end of their life cycle, whereas most of the PQC algorithms are still at the beginning. No one can foresee if a new classical or quantum attack will make a particular algorithm obsolete and require yet another migration — or if another technology as disruptive as quantum computing is on the horizon. Consequently, it is critical that we engineer systems that can adequately respond to new developments. Orchestrated and agile cryptography is a vision to achieve this lofty goal and empower organizations to meet security, regulatory, and compliance goals at scale.

Though the PQC migration represents a major challenge for organizations across government and industry, it also represents a fantastic opportunity to shift the enterprise cryptography paradigm toward one of agility and orchestration.

Making the Case for Cryptographic Agility and Orchestration

This Tech Tip outlines how enterprise defenders can mitigate the risks of the curl and libcurl  vulnerabilities in their environments.

Security teams don’t have to swing into crisis mode to address the recently fixed vulnerabilities in the command-line tool curl and the libcurl library, but that doesn't mean they don't have to worry about identifying and remediating impacted systems. If the systems are not immediately exploitable, security teams have some time to make those updates.

This Tech Tip aggregates guidance on what security teams need to do to ensure they aren't at risk.

A foundational networking tool for Unix and Linux systems, cURL is used in command lines and scripts to transfer data. Its prevalence is due to the fact that it is used as both a standalone utility (curl) as well as a library that is included in many different types of applications (libcurl). The libcurl library, which allows developers to access curl APIs from their own code, can be introduced directly into the code, used as a dependency, used as part of an operating system bundle, included as part of a Docker container, or installed on a Kubernetes cluster node.

**What Is CVE-2023-38545?**

The high severity vulnerability affects curl and libcurl versions 7.69.0 to 8.3.0, and the low severity vulnerability impacts libcurl versions 7.9.1 to 8.3.0. However, the vulnerabilities cannot be exploited under default conditions. An attacker trying to trigger the vulnerability would need to point curl at a malicious server under the attacker’s control, make sure curl is using a SOCKS5 proxy using proxy-resolver mode, configure curl to automatically follow redirects, and set the buffer size to a smaller size.

According to Yair Mizrahi, a senior security researcher at JFrog, the libcurl library is vulnerable only if the following environment variables are set: _CURLOPT\_PROXYTYPE_  set to type _CURLPROXY\_SOCKS5\_HOSTNAME_; or _CURLOPT\_PROXY_ or _CURLOPT\_PRE\_PROXY_  set to scheme _socks5h://_. The library is also vulnerable if one of the proxy environment variables is set to use the _socks5h://_ scheme. The command-line tool is vulnerable only if it is executed with the _\-socks5-hostname_ flag, or with _\--proxy_ (-x) or _\--preproxy_ set to use the scheme _socks5h://_. It is also vulnerable if curl is executed with the affected environment variables.

“The set of pre-conditions needed in order for a machine to be vulnerable (see previous section) is more restrictive than initially believed. Therefore, we believe the vast majority of curl users won’t be affected by this vulnerability,” Mizrahi wrote in the analysis.

**Scan the Environment for Vulnerable Systems**

The first thing organizations need to do is to scope their environments to identify all systems using curl and libcurl to assess whether those preconditions exist. Organizations should inventory their systems and evaluate their software delivery processes using software composition analysis tools for code, scanning containers, and application security posture management utilities, notes Alex Ilgayev, head of security research at Cycode. Even though the vulnerability does not affect every implementation of curl, it would be easier to identify the impacted systems if the team starts with a list of potential locations to look.

The following commands identify which versions of curl are installed:

_Linux/MacOS:_

_find / -name curl 2>/dev/null -exec echo "Found: {}" \\; -exec {} --version \\;_

_Windows:_

_Get-ChildItem -Path C:\\ -Recurse -ErrorAction SilentlyContinue -Filter curl.exe | ForEach-Object { Write-Host "Found: $($\_.FullName)"; & $\_.FullName --version }_

GitHub has a query to run in Defender for Endpoint to identify all devices in the environment that have curl installed or use curl. Qualys has published its rules for using its platform.

Organizations using Docker containers or other container technologies should also scan the images for vulnerable versions. A sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate liburl copies. Docker has pulled together a list of instructions on assessing all images.

_To find existing repositories:_

_docker scout repo enable --org <org-name> <org-name>/scout-demo_

_To analyze local container images:_

_docker scout policy \[IMAGE\] --org \[ORG\]_

This issue highlights the importance of keeping meticulous track of all open source software being used in an organization, according to Henrik Plate, a security researcher at Endor Labs.

“Knowing about all the uses of curl and libcurl is the prerequisite for assessing the actual risk and taking remediation actions, be it patching curl, restricting access to affected systems from untrusted networks, or implementing other countermeasures,” Plate said.

If the application comes with a software bill of materials, that would be a good place to start looking for instances of curl, adds John Gallagher, vice president of Viakoo Labs.

Just because the flaws are not exploitable doesn’t mean the updates are not necessary. Patches are available directly for curl and libcurl, and many of the operating systems (Debian, Ubuntu, Red Hat, etc.) have also pushed fixed versions. Keep an eye out for security updates from other applications, as libcurl is a library used by many operating systems and applications.

One workaround until the updates can be deployed is to force curl to use local hostname resolving when connecting to a SOCKS5 proxy, according to JFrog’s Mizrahi. This syntax uses the socks5 scheme and not socks5h: _curl -x socks5://someproxy.com_. In the library, replace the environment variable _CURLPROXY\_SOCKS5\_HOSTNAME_ with _CURLPROXY\_SOCKS5_.

According to Benjamin Marr, a security engineer at Intruder,  security teams should be monitoring curl flags for excessive large strings, as that would indicate the system had been compromised. The flags are _\--socks5-hostname_, or _\--proxy_ or _\--preproxy_ set to use the scheme _socks5h://_.

How to Scan Your Environment for Vulnerable Versions of Curl

**PRESS RELEASE**

**(Lehi, UT) Oct. 12, 2023 —** DigiCert, a leading global provider of digital trust, today announced its next generation Discovery, a set of key capabilities in DigiCert® Trust Lifecycle Manager that enable customers to build a centralized book of record of their cryptographic keys and certificates. This centralized view, when coupled with management and automated provisioning and renewal, improves cryptoagility, reducing the time and resources needed to update algorithms, rotate keys and certificates and remediate threats.

"The majority of organizations have not yet implemented a centralized crypto-management solution," said DigiCert Chief Product Officer Deepika Chauhan. "This is becoming critical now, as IT leaders consider how to transition their cryptographic algorithms and certificates to quantum-safe standards in order to protect their organizations against 'harvest now, decrypt later' strategies."

In a recent Gartner® report1, Senior Director Analyst Brian Lowans wrote, "All cryptographic technologies will need to evolve to cope with the future threat of quantum computing, which is increasing the need for innovative technologies such as crypto-agility, postquantum cryptography and quantum key distribution."

Trust Lifecycle Manager Discovery employs a broad set of methods for finding certificates within an organization, including integration with private CAs, such as AWS Private CA and Microsoft CA, integration with vulnerability management solutions such as Qualys and Tenable, integrations with web servers and load balancers, and port-based scanning. 

"The integration of Qualys Vulnerability Management, Discovery and Response (VMDR) and DigiCert products enables our customers to manage and automate the cryptographic assets that they discover in their vulnerability scans," said Pinkesh Shah, Chief Product Officer, Qualys. "This seamless integration enables companies to tightly couple their vulnerability management and cryptoagility strategies, improving their security posture and agility while reducing their cyber risk."

Learn more about Trust Lifecycle Manager Discovery here. 

1.  Gartner, Hype Cycle™ for Data Security, 2023, Brian Lowans, 14 July 2023

GARTNER and HYPE CYCLE are registered trademarks of Gartner, Inc. and/or its affiliates in the US and internationally and is used herein with permission. All rights reserved.

**About DigiCert, Inc.**  
DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

Tag

#git