Gentoo Linux Security Advisory 202407-20 - A vulnerability has been discovered in KDE Plasma Workspaces, which can lead to privilege escalation. Versions greater than or equal to 5.27.11.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: KDE Plasma Workspaces: Privilege Escalation  
     Date: July 06, 2024  
     Bugs: #933342  
       ID: 202407-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in KDE Plasma Workspaces, which can  
lead to privilege escalation.

Background  
==========

KDE Plasma workspace is a widget based desktop environment designed to  
be fast and efficient.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
kde-plasma/plasma-workspace  < 5.27.11.1   >= 5.27.11.1

Description  
===========

Multiple vulnerabilities have been discovered in KDE Plasma Workspaces.  
Please review the CVE identifiers referenced below for details.

Impact  
======

KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE  
based purely on the host, allowing all local connections. This allows  
another user on the same machine to gain access to the session  
manager.

A well crafted client could use the session restore feature to execute  
arbitrary code as the user on the next boot.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All KDE Plasma Workspaces users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.27.11.1"

References  
==========

[ 1 ] CVE-2024-36041  
      https://nvd.nist.gov/vuln/detail/CVE-2024-36041

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-20

This whitepaper discusses eBPF technology in the Linux kernel and introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem.

BRF: eBPF Runtime Fuzzer

Gentoo Linux Security Advisory 202407-19 - Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. Versions greater than or equal to 115.11.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: July 06, 2024  
     Bugs: #932375  
       ID: 202407-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird,  
the worst of which could lead to remote code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
mail-client/thunderbird      < 115.11.0    >= 115.11.0  
mail-client/thunderbird-bin  < 115.11.0    >= 115.11.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.11.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.11.0"

References  
==========

[ 1 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 2 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 3 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 4 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 5 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 6 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 7 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-19

Gentoo Linux Security Advisory 202407-18 - A vulnerability has been discovered in Stellarium, which can lead to arbitrary file writes. Versions greater than or equal to 23.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Stellarium: Arbitrary File Write  
     Date: July 05, 2024  
     Bugs: #905300  
       ID: 202407-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Stellarium, which can lead to  
arbitrary file writes.

Background  
==========

Stellarium is a free open source planetarium for your computer. It shows  
a realistic sky in 3D, just like what you see with the naked eye,  
binoculars or a telescope.

Affected packages  
=================

Package                   Vulnerable    Unaffected  
------------------------  ------------  ------------  
sci-astronomy/stellarium  < 23.1        >= 23.1

Description  
===========

A vulnerability has been discovered in Stellarium. Please review the CVE  
identifier referenced below for details.

Impact  
======

Attackers can write to files that are typically unintended, such as ones  
with absolute pathnames or .. directory traversal.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Stellarium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sci-astronomy/stellarium-23.1"

References  
==========

[ 1 ] CVE-2023-28371  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28371

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-18

Red Hat Security Advisory 2024-4353-03 - An update for the nodejs:16 package is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4353.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs:16 security updateAdvisory ID:        RHSA-2024:4353-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4353Issue date:         2024-07-08Revision:           03CVE Names:          CVE-2024-27983====================================================================Summary: An update for the nodejs:16 package is now available for Red Hat EnterpriseLinux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Node.js is a software development platform for building fast and scalablenetwork applications in the JavaScript programming language.Security Fix(es):* nodejs/16: CONTINUATION frames DoS (CVE-2024-27983)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27983References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2272764

Red Hat Security Advisory 2024-4353-03

Red Hat Security Advisory 2024-4352-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4352.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:4352-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4352  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 03 July 2024]

The text of this advisory has been updated with the correct product name (Red  
Hat Enterprise Linux 8) in the Topics section. In the Problem Description  
section, CVEs of the same sub-components have been grouped together. The  
packages included in this revised update have not been changed in any way from  
the packages included in the original advisory.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583

* kernel-rt: kernel: PCI interrupt mapping cause oops [rhel-8] (CVE-2021-46909)

* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)

* kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)

* kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)

* kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)

* kernel: Squashfs: check the inode number is not the invalid value of zero  (CVE-2024-26982)

* kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)

* kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)

* kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)

* kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)

* kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: (CVE-2024-26974, CVE-2023-52813)

* kernel: can: (CVE-2023-52878, CVE-2021-47456)

* kernel: usb: (CVE-2023-52781, CVE-2023-52877)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)

* kernel: gro: fix ownership transfer (CVE-2024-35890)

* kernel: erspan: make sure erspan_base_hdr is present in skb->head (CVE-2024-35888)

* kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)

* kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)

* kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)

* kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)

* kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.10.z kernel (JIRA:RHEL-40882)

* [rhel8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:RHEL-8779)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4352-03

Red Hat Security Advisory 2024-4351-03 - An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4351.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: virt:rhel and virt-devel:rhel security and bug fix update  
Advisory ID:        RHSA-2024:4351-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4351  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2024-4418  
====================================================================

Summary: 

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Description:

Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.

Security Fix:

* virt:rhel/libvirt: stack use-after-free in virNetClientIOEventLoop (CVE-2024-4418) 

Bug fix:

* virsh destroy with --graceful destroyed a paused guest (qemu process paused by SIGSTOP) (JIRA:RHEL-36064)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-4418

References:

https://access.redhat.com/security/updates/classification/#low  
https://bugzilla.redhat.com/show_bug.cgi?id=2278616  
https://issues.redhat.com/browse/RHEL-36064

Red Hat Security Advisory 2024-4351-03

An emerging ransomware-as-a-service (RaaS) operation called Eldorado comes with locker variants to encrypt files on Windows and Linux systems.
Eldorado first appeared on March 16, 2024, when an advertisement for the affiliate program was posted on the ransomware forum RAMP, Singapore-headquartered Group-IB said.
The cybersecurity firm, which infiltrated the ransomware group, noted that its

An emerging ransomware-as-a-service (RaaS) operation called Eldorado comes with locker variants to encrypt files on Windows and Linux systems.

Eldorado first appeared on March 16, 2024, when an advertisement for the affiliate program was posted on the ransomware forum RAMP, Singapore-headquartered Group-IB said.

The cybersecurity firm, which infiltrated the ransomware group, noted that its representative is a Russian speaker and that the malware does not overlap with previously leaked strains such as LockBit or Babuk.

"The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption," researchers Nikolay Kichatov and Sharmine Low said. "It can encrypt files on shared networks using Server Message Block (SMB) protocol."

The encryptor for Eldorado comes in four formats, namely esxi, esxi\_64, win, and win\_64, with its data leak site already listing 16 victims of June 2024. Thirteen of the targets are located in the U.S., two in Italy, and one in Croatia.

These companies span various industry verticals such as real estate, education, professional services, healthcare, and manufacturing, among others.

Further analysis of the Windows version of artifacts has revealed the use of a PowerShell command to overwrite the locker with random bytes before deleting the file in an attempt to clean up the traces.

Eldorado is the latest in the list of new double-extortion ransomware players that have sprung up in recent times, including Arcus Media, AzzaSec, dan0n, Limpopo (aka SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears once again highlighting the enduring and persistent nature of the threat.

LukaLocker, linked to an operator dubbed Volcano Demon by Halcyon, is notable for the fact that it does not make use of a data leak site and instead calls the victim over the phone to extort and negotiate payment after encrypting Windows workstations and servers.

The development coincides with the discovery of new Linux variants of Mallox (aka Fargo, TargetCompany, Mawahelper) ransomware as well as decryptors associated with seven different builds.

Mallox is known to be propagated by brute-forcing Microsoft SQL servers and phishing emails to target Windows systems, with recent intrusions also making use of a .NET-based loader named PureCrypter.

"The attackers are using custom python scripts for the purpose of payload delivery and victim's information exfiltration," Uptycs researchers Tejaswini Sandapolla and Shilpesh Trivedi said. "The malware encrypts user data and appends .locked extension to the encrypted files."

A decryptor has also been made available for DoNex and its predecessors (Muse, fake LockBit 3.0, and DarkRace) by Avast by taking advantage of a flaw in the cryptographic scheme. The Czech cybersecurity company said it has been "silently providing the decryptor" to victims since March 2024 in partnership with law enforcement organizations.

"Despite law enforcement efforts and increased security measures, ransomware groups continue to adapt and thrive," Group-IB said.

Data shared by Malwarebytes and NCC Group based on victims listed on the leak sites show that 470 ransomware attacks were recorded in May 2024, up from 356 in April. A majority of the attacks were claimed by LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub.

"The ongoing development of new ransomware strains and the emergence of sophisticated affiliate programs demonstrate that the threat is far from being contained," Group-IB noted. "Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by these ever-evolving threats."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Ransomware-as-a-Service 'Eldorado' Targets Windows and Linux Systems

Gentoo Linux Security Advisory 202407-17 - Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.34.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: BusyBox: Multiple Vulnerabilities  
     Date: July 05, 2024  
     Bugs: #824222  
       ID: 202407-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in BusyBox, the worst of  
which could lead to arbitrary code execution.

Background  
==========

BusyBox is set of tools for embedded systems and is a replacement for  
GNU Coreutils.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/busybox  < 1.34.0      >= 1.34.0

Description  
===========

Multiple vulnerabilities have been discovered in BusyBox. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All BusyBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.34.0"

References  
==========

[ 1 ] CVE-2021-42373  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42373  
[ 2 ] CVE-2021-42374  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42374  
[ 3 ] CVE-2021-42375  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42375  
[ 4 ] CVE-2021-42376  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42376  
[ 5 ] CVE-2021-42377  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42377  
[ 6 ] CVE-2021-42378  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42378  
[ 7 ] CVE-2021-42379  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42379  
[ 8 ] CVE-2021-42380  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42380  
[ 9 ] CVE-2021-42381  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42381  
[ 10 ] CVE-2021-42382  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42382  
[ 11 ] CVE-2021-42383  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42383  
[ 12 ] CVE-2021-42384  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42384  
[ 13 ] CVE-2021-42385  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42385  
[ 14 ] CVE-2021-42386  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42386

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-17

Gentoo Linux Security Advisory 202407-16 - A vulnerability has been discovered in Coreutils, which can lead to a heap buffer overflow and possibly arbitrary code execution. Versions greater than or equal to 9.4-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Coreutils: Buffer Overflow Vulnerability  
     Date: July 05, 2024  
     Bugs: #922474  
       ID: 202407-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Coreutils, which can lead to a  
heap buffer overflow and possibly aribitrary code execution.

Background  
==========

The GNU Core Utilities are the basic file, shell and text manipulation  
utilities of the GNU operating system.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
sys-apps/coreutils  < 9.4-r1      >= 9.4-r1

Description  
===========

A vulnerability has been discovered in the Coreutils "split" program  
that can lead to a heap buffer overflow and possibly arbitrary code  
execution.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Coreutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/coreutils-9.4-r1"

References  
==========

[ 1 ] CVE-2024-0684  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0684

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux