MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

    Title: MongoDB MONGOSH Password Exposure VulnerabilityProduct:                   MongoDB databaseTool:                      mongoshAffected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5Risk Level:                LowAuthor of Advisory:        Emad Al-Mousa*****************************************Vulnerability Details:Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.*****************************************Proof of Concept (PoC):Vulnerability No1. : passwordPrompt() showing password displayed in clear textper documentation:https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPromptThe password should not be displayed, however I found out that it appears clearly in the prompt !The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.admin> use adminalready on db adminadmin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})Enter passwordmongo*****{ ok: 1 }admin>Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth commandMongosh was tested with both “remove”& “remove-redact” modesconfig.set (redactHistory, “remove-redact”)config.set (‘redactHistory’, “remove”)In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_historyContains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongoshCommands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:cat mongosh_repl_historyuse admindb.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})*****************************************References:https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompthttps://www.mongodb.com/docs/mongodb-shell/logs/

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

Red Hat Security Advisory 2024-1239-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1239.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1239-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1239Issue date:         2024-03-08Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1239-03

Red Hat Security Advisory 2024-1235-03 - An update for openvswitch3.1 is now available for Fast Datapath for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1235.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openvswitch3.1 security updateAdvisory ID:        RHSA-2024:1235-03Product:            Fast DatapathAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1235Issue date:         2024-03-07Revision:           03CVE Names:          CVE-2023-3966====================================================================Summary: An update for openvswitch3.1 is now available for Fast Datapath for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.Security Fix(es):* openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet (CVE-2023-3966)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3966References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2178363https://issues.redhat.com/browse/FD-3266https://issues.redhat.com/browse/FDP-310

Red Hat Security Advisory 2024-1235-03

Red Hat Security Advisory 2024-1234-03 - An update for openvswitch2.17 is now available for Fast Datapath for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1234.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openvswitch2.17 security updateAdvisory ID:        RHSA-2024:1234-03Product:            Fast DatapathAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1234Issue date:         2024-03-07Revision:           03CVE Names:          CVE-2023-3966====================================================================Summary: An update for openvswitch2.17 is now available for Fast Datapath for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.Security Fix(es):* openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet (CVE-2023-3966)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3966References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2178363https://issues.redhat.com/browse/FD-3267https://issues.redhat.com/browse/FDP-308

Red Hat Security Advisory 2024-1234-03

Red Hat Security Advisory 2024-1227-03 - An update for openvswitch3.1 is now available for Fast Datapath for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1227.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openvswitch3.1 security updateAdvisory ID:        RHSA-2024:1227-03Product:            Fast DatapathAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1227Issue date:         2024-03-07Revision:           03CVE Names:          CVE-2023-3966====================================================================Summary: An update for openvswitch3.1 is now available for Fast Datapath for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.Security Fix(es):* openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet (CVE-2023-3966)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3966References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2178363https://issues.redhat.com/browse/FD-3269https://issues.redhat.com/browse/FDP-311

Red Hat Security Advisory 2024-1227-03

By Deeba Ahmed
Cisco announced patches for high-severity vulnerabilities on Wednesday, March 6, 2024.
This is a post from HackRead.com Read the original post: Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

Critical security vulnerabilities patched in the Cisco Secure Client VPN application. Update now to protect your VPN connections from credential theft, unauthorized access, and potential code execution. This advisory also details unpatched flaws in Cisco Small Business wireless access points.

Network equipment giant Cisco has addressed critical security flaws impacting its Secure Client enterprise VPN application and endpoint security solutions. For your information, Secure Client is widely used to establish secure Virtual Private Network (VPN) connections. On Wednesday, Cisco announced patches for high-severity vulnerabilities CVE-2024-20337 (CVSS score: 8.2) and CVE-2024-20338 (CVSS score: 7.3).

CVE-2024-20337 is a Carriage Return Line Feed (CRLF) injection vulnerability allowing attackers to execute script code or access sensitive information in a browser if configured with the SAML External Browser feature.

The flaw affects Linux, macOS, and Windows versions of Secure Client, and can be exploited in CRLF injection attacks. CRLF injections are vulnerabilities where attackers inject CR and LF characters into web applications, adding extra headers or causing browsers to ignore original content.

Unauthenticated remote attackers can execute arbitrary scripts or steal sensitive information like users’ valid SAML authentication tokens to establish a remote access VPN session with the affected user’s privileges. However, individual hosts and services would require additional credentials for successful access, Cisco noted in its advisory.

Amazon security researcher Paulos Yibelo Mesfin discovered this flaw and it has been fixed in versions 4.10.04065, 4.10.08025, 5.0, and 5.1.2.42.

> A vulnerability I found in Cisco AnyConnect just got patched. CVE-2024-20337 is a powerful vulnerability. It grants external attackers access to internal networks when network users visit a website under attacker control. Stay vigilant! 🌊🔥⛓️https://t.co/Jy3qz4HJnU
> 
> — Paulos Yibelo (@PaulosYibelo) March 6, 2024

CVE-2024-20338 only affects Cisco Secure Client for Linux and its successful exploitation requires authentication. It can only be exploited by an authenticated, local attacker. The vulnerability allows the attacker to execute arbitrary code on an affected device with root privileges. They can copy a malicious library file to a specific directory and persuade an administrator to restart a specific process. 

Cisco advises enterprise admins to upgrade to one of the fixed versions, as version 5.1.2.42 of the VPN application resolves the bug.

Cisco has announced patches for several medium-severity flaws in AppDynamics Controller and Duo Authentication for Windows Logon and RDP, potentially leading to data leaks and secondary authentication bypass. The tech giant also warned about two flaws in Cisco Small Business 100, 300, and 500 Series wireless access points (APs), tracked as CVE-2024-20335, and CVE-2024-20336.

These flaws allow remote attackers to execute arbitrary code as the root user. However, Cisco won’t patch them because their Wireless APs have reached the end-of-life process. Similarly, the medium-severity flaws will remain unpatched for the same reason. Moreover, Cisco notes that it is not aware of any of these vulnerabilities being exploited in the wild.

Cisco has emphasized the need for cybersecurity vigilance and adopting security best practices. These include regularly updating software, using strong passwords and multi-factor authentication, being cautious with suspicious links, and preferring trustworthy Wi-Fi networks for sensitive VPN connections.

1.  New Cisco Web UI Vulnerability Exploited by Attackers
2.  Cisco Confirms Network Breach After Employee’s Gmail was Hacked
3.  Unpatched Cisco SD-WAN Manager Systems Exposed to DoS Attacks
4.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
5.  Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

We discuss three of the most common post-compromise tactics that Talos has observed in our threat telemetry and Cisco Talos Incident Response (Talos IR) engagements. These include modifying the device’s firmware, uploading customized/weaponized firmware, and bypassing security measures.

Thursday, March 7, 2024 10:00

We’ve been discussing networking devices quite a lot recently and how Advanced Persistent Threat actors (APTs) are using highly sophisticated tactics to target aging infrastructure for espionage purposes. Some of these attacks are also likely prepositioning the APTs for future disruptive or destructive attacks. 

Talos has also observed several ransomware groups gaining initial access to networking devices to extort their victims. We wrote about these attacks in our 2023 Year in Review report. 

The mechanisms and methodology behind these two groups are drastically different, but no less concerning. This is partly because networking devices offer a great deal of access to an attacker. If you can compromise a router, you are highly likely to have a point of ingress into that network.  

These attacks are largely being carried out on aging network infrastructure; devices that have long since gone end-of-life, and/or have critical unpatched vulnerabilities sitting on them. Many of these older devices weren’t designed with security in mind. Traditionally, network infrastructure has sat outside of security’s ecosystem, and this makes monitoring network access attempts increasingly difficult. 

Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals. 

Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts (credit to my colleague Martin Lee for that analogy). 

In this blog, we explore how we got here, and the different approaches of APTs vs ransomware actors. We also discuss three of the most common post-compromise tactics that Talos has observed in our threat telemetry and Cisco Talos Incident Response (Talos IR) engagements. These include modifying the device’s firmware, uploading customized/weaponized firmware, and bypassing security measures. 

**How we got here**

There is a rich history of threat actors targeting network infrastructure — the most notorious example being VPNFilter in 2018. The attack was staged, but potential disaster was averted when the attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from issuing the final command to take over the devices. 

At the time, we spoke about how VPNFilter was the “wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.” 

The techniques used in VPNFilter gives us plenty of clues as to possible current threat actor motivations. In the attack, the modular design of the malware allowed for many things to take place post compromise – one module even allowed the malware to create a giant Tor network of the 500,000 compromised devices.  

A recent attack which may have been inspired by this was the KV Botnet (Lumen released a blog about this in December 2023). The botnet was used to compromise devices including small and home office (SOHO) routers and firewalls and then chain them together, “to form a covert data transfer network supporting various Chinese state-sponsored actors including Volt Typhoon.”  

The Beers with Talos team recently spoke about the KV Botnet and Volt Typhoon, a group widely reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft and other organizations to be a PRC-based state actor. They have been known to conduct long-term espionage activities and strategic operations that are potentially positioning them for future destructive/disruptive attacks. Listen to the episode below:

In 2019, we saw another type of modular malware that was designed to target network infrastructure: “Cyclops Blink.” This was dubbed the “Son of VPNFilter” because of the similarities to that campaign.

The Cyclops Blink malware was designed to run on Linux systems, specifically for 32-bit PowerPC architecture. It could be used in a variety of ways, including reconnaissance and espionage activity. It leveraged modules to facilitate various activities such as establishment of C2, file upload/download and data extraction capabilities.  

In 2022, Talos wrote about how we had detected compromised MikroTik routers inside of Ukraine being leveraged to conduct brute force attacks on devices protected by multi-factor authentication. This continued the pattern we have seen since our investigation into VPNFilter involving actors using MikroTik routers. 

APTs and cyber criminals have different goals for attacking network infrastructure. APTs want to go in with stealth and hide for espionage purposes. Criminal groups use edge devices to an end for ransomware purposes. 

For more insights into the status of attacks on network infrastructure, here is Talos’ Matt Olney and Nick Biasini talking about what Talos has observed over the past 18 months: 

**Post compromise tactics and techniques**

Compromising the network for persistent access and intelligence capture is a multi-step process and requires a lot of work and expertise in targeted technologies which is why we typically only see the most sophisticated threat actors carry out these attacks.  

Below are some techniques that Talos has observed post compromise on out-of-date networking equipment, in order to maintain persistent access. We initially discussed these in our threat advisory in April, as well as our 2023 Year in Review, but due to the sophisticated nature of these attacks and the continued exploitation, we wanted to dive deeper into some of these tactics: 

**1) Modifying the firmware**

Talos has observed APTs modifying network device firmware on older devices to add certain pieces of functionality, which will allow them to gain a greater foothold on the network. This could be adding implants or modifying the way the device captures information.  

An example of this is the recent exploitation of Cisco IOS XE Software Web Management User Interface. One attack included the deployment of an implant we called “BadCandy” which consisted of a configuration file (“cisco\_service.conf”). The configuration file defined the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters that allowed the actor to execute arbitrary commands at the system or IOS level.  

Another example is from September 2023, when CISA wrote about how BlackTech was observed modifying firmware to allow the installation of a modified bootloader which helps it to bypass certain security features (while creating a backdoor to the device). 

Detecting the modification of firmware is extremely difficult for defenders. Occasionally, there may be something in the logs to imply an upgrade and reboot, but turning off logging is usually one of the first steps attackers take once they are inside a network. 

This again highlights the need for organizations to sunset aging network infrastructure that isn’t secure by design, or, at the very least, increasing cybersecurity due diligence on older equipment such as configuration management. Performing configuration comparisons on firmware may help to highlight when it has been altered by an adversary.  

**2) Uploading customized/weaponized firmware**

If threat actors cannot modify the existing firmware, or they need additional levels of access that they don’t currently have, adversaries can upload customized or old firmware they know have working exploits against it (in effect, reverting to an older version of the firmware).  

Once the weaponized firmware has been uploaded, they reboot the device, and then exploit the vulnerability that is now unpatched. This now provides the threat actor with a box that can be modified with additional functionality, to exfiltrate data, for example. 

Again, as with the modification of firmware tactic, it’s important to check your network environment for unauthorized changes. These types of devices need to be watched very closely, as threat actors will want to try and prevent system administrators from seeing the activity by turning off logging. If you’re looking at your logs and it looks like someone has actually turned off logging, that is a huge red flag that your network has been infiltrated and potentially compromised. 

**3) Bypassing or removing security measures**

Talos has also seen threat actors take measures to remove anything blocking their access to fulfil their goals. If for example they want to exfiltrate data, but there’s an access control list (ACL) that blocks the actor from being able to access the host, they may modify the ACL or remove it from the interface. Or they may install operating software that knows to not apply ACLs against certain actor IP addresses, regardless of the configuration. 

Other security measures that APTs will attempt to subvert include disabling remote logging, adding user accounts with escalated privileges, and reconfiguring SNMP community strings. SNMP is often overlooked, so we recommend having good, complex community strings and upgrading to SNMPv3 where possible. Ensure that your management of SNMP is only permitted to be done from the inside and not from the outside.  

The BadCandy campaign is a good example of how an actor can remove certain security measures. The adversary was able to create miniature servers (virtualized computers) inside of compromised systems which created a base of operations for them. This allowed the threat actors to intercept and redirect traffic, as well as add and disable user accounts. This meant that even if the organization were to reboot the device and erase the active memory, the adversary would still have persistent accounts – effectively a consistent back door.  

**Additional campaign objectives**

In our original threat advisory, we also posted a non-exhaustive list of the type of activities Talos has observed threat actors take on network infrastructure devices. The point behind this is that threat actors are taking the type of steps that someone who wants to understand (and control) your environment.  

Examples we have observed include threat actors performing a “show config,” “show interface,” “show route,” “show arp table” and a “show CDP neighbor.” All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have. Other campaign objectives include: 

*   Creation of hub-and-spoke VPNs designed to allow the siphoning of targeted traffic from network segments of interest through the VPN. 
*   The capture of network traffic for future retrieval, frequently limited to specific IPs or protocols. 
*   The use of infrastructure devices to deliver attacks or maintain C2 in various campaigns. 

> Read more about campaign objectives 

**Recommendations**

The first thing to say when it comes to recommendations is that if you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices.  

To combat the threat of aging network infrastructure as a target, Cisco became a founding member of the Network Resilience Coalition. Along with other vendors in this space and key governmental partners, the group is focussed on threat research and recommendations for defenders. The initial report from the Network Resilience Coalition was published at the end of January 2024 and contains a broad set of recommendations for both consumers of networking devices and product vendors. 

Earlier this month, Cisco’s Head of Trust Office Matt Fussa wrote about how organizations should view these recommendations, and the overall threat that end-of-life network infrastructure poses on a national security level.  

The report from the Network Resilience Coalition contains an in depth set of recommendations for network infrastructure defense. Here is a brief summary: 

Key recommendations from the report for network product vendors include: 

*   Align software development practices with the NIST Secure Software Development Framework (SSDF). 
*   Provide clear and concise details on product “end-of-life,” including specific date ranges and details on what support levels to expect for each. 
*   Separate critical security fixes for customers and not bundle those patches with new product features or functionality changes. 
*   Get involved in the OpenEoX effort in OASIS, a cross-industry effort to standardize how end-of-life information is communicated and provide it in a machine-readable format. 

Purchasers of network products should: 

*   Favor vendors that are aligned with the SSDF, provide you with clear end-of-life information, and provide you with separate critical security fixes. 
*   Increase cybersecurity diligence (vulnerability scanning, configuration management) on older products that are outside of their support period. 
*   Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age, and ensure implementation of timely updates and patches. 

As the report says, “These recommendations, if broadly implemented, would lead to a more secure and resilient global network infrastructure and help better protect the critical infrastructure that people rely on for their livelihood and well-being.”  

From a Talos perspective, we are keen to re-emphasize this point and help our customers transition from equipment that has become end-of-life. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered. 

Proactive threat hunting is also one of the ways that organizations can root out visibility gaps and hints of incursion. Look for things like VPN tunnels, or persistent connections that you don't recognise. This is the type of thing that will be left in an attack of this nature.  

And finally, the definition of post compromise means that the attacker had gained some form of credentials to get them to the place where they could then launch the exploit and get deeper access to the device.  

Our recommendations are to select complex passwords and community strings, use SNMPv3 or subsequent versions, utilize MFA where possible, and require encryption when configuring and monitoring devices. Finally, we recommend locking down and aggressively monitoring credential systems like TACACS+ and any jump hosts. 

**Additional resources**

State-sponsored campaigns target global network infrastructure (Talos blog)  

Network Resilience: Accelerating Efforts to Protect Critical Infrastructure (Cisco blog) 

Network Resilience Coalition: Full report 

Securing Network Infrastructure Devices (CISA) 

The VPN Filter catastrophe that wasn’t 

Cisco Trust Center: Network Resilience

The 3 most common post-compromise tactics on network infrastructure

Ubuntu Security Notice 6681-1 - Wenqing Liu discovered that the f2fs file system implementation in the Linux kernel did not properly validate inode types while performing garbage collection. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service. It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6681-1March 06, 2024linux, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-iot,linux-kvm, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-iot: Linux kernel for IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-raspi: Linux kernel for Raspberry Pi systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernelDetails:Wenqing Liu discovered that the f2fs file system implementation in theLinux kernel did not properly validate inode types while performing garbagecollection. An attacker could use this to construct a malicious f2fs imagethat, when mounted and operated on, could cause a denial of service (systemcrash). (CVE-2021-44879)It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in theLinux kernel did not properly handle certain error conditions during deviceregistration. A local attacker could possibly use this to cause a denial ofservice (system crash). (CVE-2023-22995)Bien Pham discovered that the netfiler subsystem in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal user could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-4244)It was discovered that a race condition existed in the Bluetooth subsystemof the Linux kernel, leading to a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-51779)It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kerneldid not properly handle connect command payloads in certain situations,leading to an out-of-bounds read vulnerability. A remote attacker could usethis to expose sensitive information (kernel memory). (CVE-2023-6121)It was discovered that the VirtIO subsystem in the Linux kernel did notproperly initialize memory in some situations. A local attacker could usethis to possibly expose sensitive information (kernel memory).(CVE-2024-0340)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1032-iot      5.4.0-1032.33   linux-image-5.4.0-1087-gkeop    5.4.0-1087.91   linux-image-5.4.0-1104-raspi    5.4.0-1104.116   linux-image-5.4.0-1108-kvm      5.4.0-1108.115   linux-image-5.4.0-1124-gcp      5.4.0-1124.133   linux-image-5.4.0-173-generic   5.4.0-173.191   linux-image-5.4.0-173-generic-lpae  5.4.0-173.191   linux-image-5.4.0-173-lowlatency  5.4.0-173.191   linux-image-gcp-lts-20.04       5.4.0.1124.126   linux-image-generic             5.4.0.173.171   linux-image-generic-lpae        5.4.0.173.171   linux-image-gkeop               5.4.0.1087.85   linux-image-gkeop-5.4           5.4.0.1087.85   linux-image-kvm                 5.4.0.1108.104   linux-image-lowlatency          5.4.0.173.171   linux-image-oem                 5.4.0.173.171   linux-image-oem-osp1            5.4.0.173.171   linux-image-raspi               5.4.0.1104.134   linux-image-raspi2              5.4.0.1104.134   linux-image-virtual             5.4.0.173.171Ubuntu 18.04 LTS (Available with Ubuntu Pro):   linux-image-5.4.0-1124-gcp      5.4.0-1124.133~18.04.1   linux-image-5.4.0-173-generic   5.4.0-173.191~18.04.1   linux-image-5.4.0-173-lowlatency  5.4.0-173.191~18.04.1   linux-image-gcp                 5.4.0.1124.100   linux-image-generic-hwe-18.04   5.4.0.173.191~18.04.141   linux-image-lowlatency-hwe-18.04  5.4.0.173.191~18.04.141   linux-image-oem                 5.4.0.173.191~18.04.141   linux-image-oem-osp1            5.4.0.173.191~18.04.141   linux-image-snapdragon-hwe-18.04  5.4.0.173.191~18.04.141   linux-image-virtual-hwe-18.04   5.4.0.173.191~18.04.141After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6681-1   CVE-2021-44879, CVE-2023-22995, CVE-2023-4244, CVE-2023-51779,   CVE-2023-51780, CVE-2023-51782, CVE-2023-6121, CVE-2024-0340Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-173.191   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1124.133   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1087.91   https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1032.33   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1108.115   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1104.116

Ubuntu Security Notice USN-6681-1

Debian Linux Security Advisory 5636-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5636-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMarch 06, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-2173 CVE-2024-2174 CVE-2024-2176Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 122.0.6261.111-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXosMMACgkQZF0CR8NudjfyYw//StyDoWGq13uuZo2KfRhbd4IcesNC1Tz/hqlLbf6+BaKQ0it/oBteCcEUmwueWjpqqsxz/hfmhvTxsK+YQEAeSaV7jgVXbEz/eXqdH6VcsY2W2Ec8FiWqDgOX9wDMBUgXnHIQMvxsyEpWZ+gs7wTnfEzXGAVFVUZO+mE6dj/GRJegqTZMJ87+xivC7z+MHcmi8uoCA3jQ2LjHIot5hcVrC5RcaVnvO5W6AY/gMpcRhwPIjHk0DscVuWwv3K/+Av1eYqRpu9udr/UMxr6pLcMNEzV3a+X5WQNZQVr8wOeK/Db4J/F8xR3L+bGADb+rCI1ldwrKM3R8BQ5XU+m7vQuoEGWfS0TRirD/m/akHL9lc6a2cq4cPVCrHWTFVM0XlbKGOAIZq0l47XB2Ytg8zD3tpIAdxJfNCketuZeQ0VBYOLvBPAq975ZGYjTI4ZHgyvreBlKvFr25WSaW5+V6afyD/NjcF9CjpxqtBrlLaMLl7WdOIG4hbI7YpgnPEqzS16TphBfRb5VVmxJmrIqLgzmoBti798v0TjHa4fsRKOTgDlSPACoPu9As6fHepXNoAvs463rIj6xJ5K75Mh3mpt/tLiD9R8YPNNaplKTJGBYIsb2Zr1fAP+RJ9UzWB0jsGyh7i7uBB/gec0oropQb/5NE+cGdydNdLO+61FGXtrdm3FY==OuuM-----END PGP SIGNATURE-----

Debian Security Advisory 5636-1

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel  
did not properly handle inactive elements in its PIPAPO data structure,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-6817)

It was discovered that the IGMP protocol implementation in the Linux  
kernel contained a race condition, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-6932)

It was discovered that the netfilter connection tracker for netlink in  
the Linux kernel did not properly perform reference counting in some  
error conditions. A local attacker could possibly use this to cause a  
denial of service (memory exhaustion). (CVE-2023-7192)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly check deactivated elements in certain situations,  
leading to a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2024-0193)

Jann Horn discovered that the TLS subsystem in the Linux kernel did not  
properly handle spliced messages, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2024-0646)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 101.1  
    azure - 101.1  
    gcp - 101.1  
    generic - 101.1  
    generic - 101.2  
    gke - 101.1  
    gkeop - 101.1  
    ibm - 101.1  
    lowlatency - 101.1  
    lowlatency - 101.2

Ubuntu 18.04 LTS  
    aws - 101.1  
    azure - 101.1  
    gcp - 101.1  
    generic - 101.1  
    lowlatency - 101.1

Ubuntu 16.04 ESM  
    aws - 101.1  
    azure - 101.1  
    gcp - 101.1  
    generic - 101.1  
    lowlatency - 101.1

Ubuntu 22.04 LTS  
    aws - 101.1  
    azure - 101.1  
    gcp - 101.1  
    generic - 101.1  
    gke - 101.1  
    ibm - 101.1

Ubuntu 14.04 ESM  
    generic - 101.1  
    lowlatency - 101.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-6817  
-   CVE-2023-6932  
-   CVE-2023-7192  
-   CVE-2024-0193  
-   CVE-2024-0646

Tag

#linux