Red Hat Security Advisory 2024-4943-03 - An update for httpd is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4943.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd security updateAdvisory ID:        RHSA-2024:4943-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4943Issue date:         2024-07-31Revision:           03CVE Names:          CVE-2024-38474====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38474References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295013https://bugzilla.redhat.com/show_bug.cgi?id=2295014https://bugzilla.redhat.com/show_bug.cgi?id=2295016

Red Hat Security Advisory 2024-4943-03

Red Hat Security Advisory 2024-4858-03 - Red Hat OpenShift Container Platform release 4.16.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include deserialization and memory exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4858.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.16.5 packages and security update  
Advisory ID:        RHSA-2024:4858-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4858  
Issue date:         2024-07-31  
Revision:           03  
CVE Names:          CVE-2024-6104  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.5 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.16.5. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2024:4855

Security Fix(es):

* gorilla/schema: Potential memory exhaustion attack due to sparse slice  
deserialization (CVE-2024-37298)  
* go-retryablehttp: url might write sensitive information to log file  
(CVE-2024-6104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

CVEs:

CVE-2024-6104

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000  
https://bugzilla.redhat.com/show_bug.cgi?id=2295010

Red Hat Security Advisory 2024-4858-03

Red Hat Security Advisory 2024-4848-03 - Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include deserialization and memory exhaustion vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4848.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: OpenShift Container Platform 4.13.46 security updateAdvisory ID:        RHSA-2024:4848-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4848Issue date:         2024-07-31Revision:           03CVE Names:          CVE-2024-37298====================================================================Summary: Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift Container Platform 4.13.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.Security Fix(es):* gorilla/schema: Potential memory exhaustion attack due to sparse slicedeserialization (CVE-2024-37298)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s)listed in the References section.Solution:https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.htmlCVEs:CVE-2024-37298References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2294000https://bugzilla.redhat.com/show_bug.cgi?id=2295010

Red Hat Security Advisory 2024-4848-03

Red Hat Security Advisory 2024-4846-03 - Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4846.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.13.46 security update  
Advisory ID:        RHSA-2024:4846-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4846  
Issue date:         2024-07-31  
Revision:           03  
CVE Names:          CVE-2023-29483  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.46. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:4848

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* dnspython: denial of service in stub resolver (CVE-2023-29483)  
* go-retryablehttp: url might write sensitive information to log file  
(CVE-2024-6104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29483

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2274520  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000  
https://issues.redhat.com/browse/OCPBUGS-11449  
https://issues.redhat.com/browse/OCPBUGS-35053  
https://issues.redhat.com/browse/OCPBUGS-36745  
https://issues.redhat.com/browse/OCPBUGS-36782  
https://issues.redhat.com/browse/OCPBUGS-36962  
https://issues.redhat.com/browse/OCPBUGS-37075  
https://issues.redhat.com/browse/OCPBUGS-37160

Red Hat Security Advisory 2024-4846-03

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

**Elliptic's EDDSA missing signature length check**

Low severity GitHub Reviewed Published Aug 2, 2024 to the GitHub Advisory Database • Updated Aug 5, 2024

GHSA-f7q4-pwc6-w24p: Elliptic's EDDSA missing signature length check

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

**Elliptic allows BER-encoded signatures**

Low severity GitHub Reviewed Published Aug 2, 2024 to the GitHub Advisory Database • Updated Aug 5, 2024

GHSA-49q7-c7j4-3p7m: Elliptic allows BER-encoded signatures

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

**Elliptic's ECDSA missing check for whether leading bit of r and s is zero**

Low severity GitHub Reviewed Published Aug 2, 2024 to the GitHub Advisory Database • Updated Aug 5, 2024

GHSA-977x-g7h5-7qgw: Elliptic's ECDSA missing check for whether leading bit of r and s is zero

Even with `authorized_keys` is filled with allowed pubkeys, If `noscraper` is enabled, It will allow anyone to use bqouncer even it's pubkey is not in `authorized_keys`.

### Impact
- Private bouncer

### Patches
Available on version [3.0.10](https://github.com/Yonle/bostr/releases/tag/3.0.10)

### Workarounds
Disable `noscraper` if you have `authorized_keys` being set in config

### References
This [line of code](https://github.com/Yonle/bostr/blob/8665374a66e2afb9f92d0414b0d6f420a95d5d2d/auth.js#L21) is the cause.

**Bostr Improper Authorization vulnerability**

Moderate severity GitHub Reviewed Published Aug 1, 2024 in Yonle/bostr • Updated Aug 2, 2024

GHSA-5cf7-cxrf-mq73: Bostr Improper Authorization vulnerability

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

Source: Hocus Focus Studio via iStock

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

**Phishing Leads to Hijacked Pages**

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

**Avoiding Compromise**

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.
"Upon installation, this code would execute automatically,

In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.

"Upon installation, this code would execute automatically, setting in motion a chain of events designed to compromise and control the victim's systems, while also exfiltrating their data and draining their crypto wallets," Checkmarx researchers Yehuda Gelb and Tzachi Zornstain said in a report shared with The Hacker News.

The campaign, which began on June 25, 2024, specifically singled out cryptocurrency users involved with Raydium and Solana. The list of rogue packages uncovered as part of the activity is listed below -

*   raydium (762 downloads)
*   raydium-sdk (137 downloads)
*   sol-instruct (115 downloads)
*   sol-structs (292 downloads)
*   spl-types (776 downloads)

The packages have been collectively downloaded 2,082 times. They are no longer available for download from the Python Package Index (PyPI) repository.

The malware concealed within the package served a full-fledged information stealer, casting a wide net of data, including web browser passwords, cookies, and credit card details, cryptocurrency wallets, and information associated with messaging apps like Telegram, Signal, and Session.

It also packed in capabilities to capture screenshots of the system, and search for files containing GitHub recovery codes and BitLocker keys. The gathered information was then compressed and exfiltrated to two different Telegram bots maintained by the threat actor.

Separately, a backdoor component present in the malware granted the attacker persistent remote access to victims' machines, enabling potential future exploits and long-term compromise.

The attack chain spans multiple stages, with the "raydium" package listing "spl-types" as a dependency in an attempt to conceal the malicious behavior and give users the impression that it was legitimate.

A notable aspect of the campaign is the use of Stack Exchange as a vector to drive adoption by posting ostensibly helpful answers referencing the package in question to developer questions related to performing swap transactions in Raydium using Python.

"By choosing a thread with high visibility — garnering thousands of views—the attacker maximized their potential reach," the researchers said, adding it was done so to "lend credibility to this package and ensure its widespread adoption."

While the answer no longer exists on Stack Exchange, The Hacker News found references to "raydium" in another unanswered question posted on the Q&A site dated July 9, 2024: "I have been struggling for nights to get a swap on solana network running in python 3.10.2 installed solana, solders and Raydium but I can't get it to work," a user said.

References to "raydium-sdk" have also surfaced in a post titled "How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide" that was shared by a user named SolanaScribe on the social publishing platform Medium on June 29, 2024.

It's currently not clear when the packages were removed from PyPI, as two other users have responded to the Medium post seeking help from the author about installing "raydium-sdk" as recently as six days ago. Checkmarx told The Hacker News that the post is not the work of the threat actor.

This is not the first time bad actors have resorted to such a malware distribution method. Earlier this May, Sonatype revealed how a package named pytoileur was promoted via another Q&A service called Stack Overflow to facilitate cryptocurrency theft.

If anything, the development is evidence that attackers are leveraging trust in these community-driven platforms to push malware, leading to large-scale supply chain attacks.

"A single compromised developer can inadvertently introduce vulnerabilities into an entire company's software ecosystem, potentially affecting the whole corporate network," the researchers said. "This attack serves as a wake-up call for both individuals and organizations to reassess their security strategies."

The development comes as Fortinet FortiGuard Labs detailed a malicious PyPI package called zlibxjson that packed features to steal sensitive information, such as Discord tokens, cookies saved in Google Chrome, Mozilla Firefox, Brave, and Opera, and stored passwords from the browsers. The library attracted a total of 602 downloads before it was pulled from PyPI.

"These actions can lead to unauthorized access to user accounts and the exfiltration of personal data, clearly classifying the software as malicious," security researcher Jenna Wang said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#js