Red Hat Security Advisory 2024-2097-03 - An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2097.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:4.0 security updateAdvisory ID:        RHSA-2024:2097-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2097Issue date:         2024-04-29Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-2097-03

Red Hat Security Advisory 2024-2086-03 - An update for shim is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, bypass, integer overflow, and out of bounds read vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2086.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: shim security update  
Advisory ID:        RHSA-2024:2086-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2086  
Issue date:         2024-04-29  
Revision:           03  
CVE Names:          CVE-2023-40546  
====================================================================

Summary: 

An update for shim is now available for Red Hat Enterprise Linux 8.6 Extended  
Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The shim package contains a first-stage UEFI boot loader that handles chaining  
to a trusted full boot loader under secure boot environments.

Security Fix(es):

* shim: RCE in http boot support may lead to Secure Boot bypass (CVE-2023-40547)

* shim: Interger overflow leads to heap buffer overflow in verify_sbat_section  
on 32-bits systems (CVE-2023-40548)

* shim: Out-of-bounds read printing error messages (CVE-2023-40546)

* shim: Out-of-bounds read in verify_buffer_authenticode() malformed PE file  
(CVE-2023-40549)

* shim: Out-of-bound read in verify_buffer_sbat() (CVE-2023-40550)

* shim: out of bounds read when parsing MZ binaries (CVE-2023-40551)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-40546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2234589  
https://bugzilla.redhat.com/show_bug.cgi?id=2241782  
https://bugzilla.redhat.com/show_bug.cgi?id=2241796  
https://bugzilla.redhat.com/show_bug.cgi?id=2241797  
https://bugzilla.redhat.com/show_bug.cgi?id=2259915  
https://bugzilla.redhat.com/show_bug.cgi?id=2259918

Red Hat Security Advisory 2024-2086-03

Red Hat Security Advisory 2024-2079-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2079.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git-lfs security updateAdvisory ID:        RHSA-2024:2079-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2079Issue date:         2024-04-29Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: An update for git-lfs is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288,VU#421644.3)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2079-03

Red Hat Security Advisory 2024-2077-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2077.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:rhel8 security and bug fix updateAdvisory ID:        RHSA-2024:2077-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2077Issue date:         2024-04-29Revision:           03CVE Names:          CVE-2022-4122====================================================================Summary: An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Security team has rated the vulnerability impact of the fixed issues as Important.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)* podman: Symlink error leads to information disclosure (CVE-2022-4122)* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-4122References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2134010https://bugzilla.redhat.com/show_bug.cgi?id=2144983https://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2077-03

By Deeba Ahmed
Hackers are dusting off old tricks! A recent attack exploited vulnerabilities in systems running outdates Microsoft Office to deliver Cobalt Strike malware. Learn how to protect yourself!
This is a post from HackRead.com Read the original post: 7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Cybersecurity firm Deep Instinct has discovered that attackers are using the Cobalt Strike loader to deploy old zero-day exploits, a relatively new trend. Let’s delve deeper into this.

Deep Instinct Threat Lab has discovered a targeted operation against Ukraine in which hackers are using an old zero-day vulnerability, CVE-2017-8570, as the initial vector and a custom loader for Cobalt Strike Beacon, a professional pen-testing tool designed for evaluating computer security by red teams. However, in this attack, hackers have used a cracked version with no legitimate user. 

They’ve exploited CVE-2017-8570, an old Microsoft Office vulnerability identified in 2017, to launch the Cobalt Strike Beacon, targeting Ukraine’s systems. They used a malicious PPSX (PowerPoint Slideshow) file disguised as an old US Army instruction manual for mine-clearing tank blades, bypassing traditional security measures and allowing them to hide the payload and complicate analysis. The file used a “script:” prefix before the HTTPS URL to hide the payload and complicate analysis. 

> _“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk(.)space and petapixel(.)fun are disguised as an obscure generative art site (weavesilk(.)com) and a popular photography site (petapixel(.)com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”_
> 
> Deep Instinct

The use of the Cobalt Strike loader, a malicious, versatile toolset commonly employed in targeted attacks, suggests a sophisticated approach by the attackers. Cobalt Strike allows adversaries to deploy malware, steal data, and maintain persistence on compromised systems. In the context of Ukraine, it is used as a delivery mechanism for these zero-day exploits, maximizing their impact.

Deep Instinct’s research indicates that attackers are actively leveraging zero-day exploits, which are vulnerabilities unknown to security software vendors. This makes them particularly dangerous as traditional defences may not be able to detect and block them.

Researchers couldn’t attribute the attacks to any known threat actor or rule out the possibility of a red team exercise. Evidence indicates the sample was uploaded from Ukraine, the second stage was hosted under a Russian VPS provider, and the Cobalt beacon C&C was registered in Warsaw, Poland.

_“_Given the n-day exploitation trends against > 12-month-old edge device and email server CVEs we’ve seen over the past 4 years, seeing a threat actor exploit a Wine vulnerability from 2017 is weirdly refreshing,_“_ stated Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd

_“_The use of undocumented low-level WinAPI calls is unusual as well. I can understand why threat analysts are having difficulty with attribution, it’s an esoteric and somewhat nerdy kill chain._“_ Casey explained.

“Aside from the technical pieces, the fact that it’s not Russia is noteworthy, and the TTPs suggest a previously unknown player. Cobalt Strike usage as a C2 is fairly commonplace and the key takeaway here is that old vulnerabilities in easily forgotten software still matter._“_

**How to Stay Safe?**

Deep Instinct’s research suggests that traditional security solutions may not be enough for zero-day exploits. Organizations should adopt advanced threat detection through behavioural analysis and machine learning. Vigilance is also crucial, especially for cyber threats targeting Ukraine, and a proactive defence strategy combining firewalls and antivirus software.

1.  APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
2.  5 year old vulnerability used for Monero mining on Linux servers
3.  Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
4.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
5.  17-year-old “wormable” SigRed vulnerability found in Windows servers

7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Debian Linux Security Advisory 5674-1 - It was discovered that PDNS Recursor, a resolving name server, was susceptible to denial of service if recursive forwarding is configured.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5674-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 25, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pdns-recursorCVE ID         : CVE-2024-25583It was discovered that PDNS Recursor, a resolving name server, wassusceptible to denial of service if recursive forwarding is configured.For the stable distribution (bookworm), this problem has been fixed inversion 4.8.8-1.We recommend that you upgrade your pdns-recursor packages.For the detailed security status of pdns-recursor please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pdns-recursorFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYqrogACgkQEMKTtsN8TjbKDg//bFtgtpr7H0WEGL6u5aHSqnIU5HNnKDW3rCy7OdHE6GHrnhADszvImyiH+IkLXb7uEdoL+Hy4A8ymr9KS+w2Ai90NYAjhYexWuTi4Kse0oKGkPYIEfAmeybf6zduxdsKJUU7x92VwnMybQN9E6g+a0b6c+UyFYPZpUAywTqU5aT4ZH1KwjwFeu1Ab1Uj0ySEWdd/qe/ZHS6rWB0SKWTjv15L+lx2IcO6dPDQtZA8B9SpOoTQWtIwroQtxeZrdH/V9O1D796TFFyrrr1afJCBb++nH7f191qDPrkLCaC7/EhVxEqKrbTHaVwqhOmsSR9kxvvC9wSA+FshgBfJEFSyPbX7TGOvBNjMBVGr1R/NpQeDY4L9Ta1fz6z0EUpTCuer+QU9bo5A1LMbC4sEwoGRD2/oSdmgiXSnBfJ7HXsrUUVqTeTmkMDSXwAd7WFI68awRnNuqC4CqOvynbLc19QeH8TDWNpB4dwVevrXjEdVgQANSAJmcOhN/dyynC5WoIDOXPHc9TNtGROxhP84Nj5gKgrkCh3bG5uEHycIT0S+PIWZDJvYAm6YoZKX46jZqgGSrz5/Foa0dvOlriQRFtVPpODsNSkVce8Uwvyonc1SxvytcNMugEjBP4ePGXruQ2wy+RZ4VXJvYNnQImrJ1Vvi0CCygRcK4e/4qaq8o3/fofvk==PwIZ-----END PGP SIGNATURE-----

Debian Security Advisory 5674-1

Red Hat Security Advisory 2024-2066-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2066.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:2066-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2066Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2066-03

Red Hat Security Advisory 2024-2064-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2064.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:2064-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2064Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The buildah package provides command line tool for creating Open Container Initiative (OCI) Images.Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2064-03

Red Hat Security Advisory 2024-2063-03 - An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2063.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: yajl security updateAdvisory ID:        RHSA-2024:2063-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2063Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2022-24795====================================================================Summary: An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Yet Another JSON Library (YAJL) is a small event-driven (SAX-style) JSON parser written in ANSI C, and a small validating JSON generator.Security Fix(es):* yajl: heap-based buffer overflow when handling large inputs due to an integer overflow (CVE-2022-24795)* yajl: Memory leak in yajl_tree_parse function (CVE-2023-33460)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-24795References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2072912https://bugzilla.redhat.com/show_bug.cgi?id=2221249

Red Hat Security Advisory 2024-2063-03

Caliptra 1.0 offers a blueprint for integrating security features directly into microprocessors.

Source: Alexmillos via Alamy Stock Vector

A consortium of top chip makers have finalized the first version of Caliptra, a specification to add zero-trust security features directly inside silicon.

The Caliptra 1.0 specification has hardware and software blocks providing multiple protection layers for encrypted data on chips.

"We believe Caliptra is a foundational aspect to the future of confidential computing and couldn't be more excited to reach our 1.0 milestone," says Andrés Lagar-Cavilla, a distinguished engineer at Google. Caliptra is currently being integrated by companies across the ecosystem into chips that will start to appear in the market in 2026.

Security-focused hardware exists, but usually as separate components on the hardware. At the moment, chips typically access security features that are available as separate hardware components on the motherboard. The Caliptra specification provides a blueprint to embed the security features into the chip instead of accessing those hardware cores.

For example, the Trusted Platform Module (TPM), which is required on all machines running Windows 11, is a secure processor carrying out cryptographic functions, such as Windows Hello authentication and BitLocker drive encryption. Caliptra could make possible an on-silicon version of TPM.

The specification was built around the concept of confidential computing, an emerging technology focused on building walls to protect data and programs during storage, transport, and execution. Users and code are verified before being allowed to enter the secure area, after which they can run programs.

**Caliptra-Spec Chips on the Way?**

The Caliptra specification aims to fend off cyberattacks and protect from vulnerabilities, such as Meltdown and Spectre, which exposed confidential user data to hackers.

Caliptra's protection layers on silicon include a root-of-trust block, in which code, users, and firmware are isolated, verified, and authenticated. The spec extends to protecting firmware and ROMs. The root-of-trust layer also detects and recovers data that may be corrupted.

The specification is now available for tape-in, which means it is also ready for testing for chips that may be going into production. Google's Lagar-Cavilla says the company is actively integrating Caliptra in first-party silicon designs and collaborating with suppliers to ensure their system-on-chips — across CPUs, GPUs, DPUs, BMCs, SSDs, and more — include Caliptra.

Caliptra is an open source technology, so chip makers can adopt and modify it for free.

A company called Antmicro is developing a Caliptra-based security core for an emerging chip architecture called RISC-V. The technology is an alternative to the dominant x86 and ARM instruction set architectures. RISC-V has a modular design that makes it easier to include technologies like Caliptra in production-level silicon.

Google is a lead developer of Caliptra, working alongside Advanced Micro Devices, Microsoft, Marvell, and NVIDIA. The Linux Foundation's CHIPS Alliance is managing the development of the specification.

Intel is one of the big names in chips missing from the group of companies developing Caliptra. Intel is pushing its own on-chip security technology to protect user data and chips from hackers.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tag

#linux