Red Hat Security Advisory 2024-0279-03 - An update for gstreamer-plugins-bad-free is now available for Red Hat Enterprise Linux 7. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0279.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gstreamer-plugins-bad-free security updateAdvisory ID:        RHSA-2024:0279-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0279Issue date:         2024-01-17Revision:           03CVE Names:          CVE-2023-44446====================================================================Summary: An update for gstreamer-plugins-bad-free is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-bad-free package contains a collection of plug-ins for GStreamer.Security Fix(es):* gstreamer: MXF demuxer use-after-free vulnerability (CVE-2023-44446)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44446References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250249

Red Hat Security Advisory 2024-0279-03

Red Hat Security Advisory 2024-0267-03 - An update for java-17-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0267.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-17-openjdk security and bug fix update  
Advisory ID:        RHSA-2024:0267-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0267  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-17-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* When Transparent Huge Pages (THP) are unconditionally enabled on a system, Java applications using many threads were found to have a large Resident Set Size (RSS). This was due to a race between the kernel transforming thread stack memory into huge pages and the Java Virtual Machine (JVM) shattering these pages into smaller ones when adding a guard page. This release resolves this issue by getting glibc to insert a guard page and prevent the creation of huge pages. (RHEL-13930, RHEL-13931, RHEL-13934, RHEL-13935)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257720  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0267-03

Red Hat Security Advisory 2024-0265-03 - An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include code execution and out of bounds access vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0265.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: java-1.8.0-openjdk security and bug fix updateAdvisory ID:        RHSA-2024:0265-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0265Issue date:         2024-01-17Revision:           03CVE Names:          CVE-2024-20918====================================================================Summary: An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.Security Fix(es):* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)* OpenJDK: arbitrary Java code execution in Nashorn (8314284) (CVE-2024-20926)* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* In the previous release in October 2023 (8u392), the RPMs on RHEL 8 were changed to use Provides for java, jre, java-headless, jre-headless, java-devel and java-sdk which included the full RPM version. This prevented the Provides being used to resolve a dependency on Java 1.8.0 (for example, \"Requires: java-headless 1:1.8.0\"). This change has now been reverted to the old \"1:1.8.0\" value. (RHEL-19636, RHEL-19637)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-20918References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2257728https://bugzilla.redhat.com/show_bug.cgi?id=2257837https://bugzilla.redhat.com/show_bug.cgi?id=2257850https://bugzilla.redhat.com/show_bug.cgi?id=2257853https://bugzilla.redhat.com/show_bug.cgi?id=2257859https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0265-03

Red Hat Security Advisory 2024-0249-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 9. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0249.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-21-openjdk security update  
Advisory ID:        RHSA-2024:0249-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0249  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-21-openjdk is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0249-03

Red Hat Security Advisory 2024-0248-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0248.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-21-openjdk security update  
Advisory ID:        RHSA-2024:0248-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0248  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0248-03

Red Hat Security Advisory 2024-0247-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0247.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 21.0.2 security update  
Advisory ID:        RHSA-2024:0247-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0247  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.2) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.1) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0247-03

By Deeba Ahmed
9Hits, Double Hit: Malware Mimics Web Tool to Mine Crypto, Generate Fake Website Traffic.
This is a post from HackRead.com Read the original post: Malware Exploits 9Hits, Turns Docker Servers into Traffic Boosted Crypto Miners

Cybercriminals are targeting vulnerable Docker servers by deploying two containers: a standard XMRig miner and the 9Hits viewer application—an automated traffic exchange system.

Cado Security researchers have discovered a new campaign targeting vulnerable Docker servers, deploying two containers – a regular XMRig miner and the 9hits viewer application. This is the first documented case of malware deploying the 9Hits Traffic Exchange viewer application as a payload.

For your information, 9hits is a platform where members buy credits for traffic generated on their website and can run the viewer app to visit requested websites in exchange for credits.

Researchers suspect that the attackers discovered the honeypot via Shodan or a similar service, as their IP isn’t included in common abuse databases, or they may be using a different server for scanning.

Further probing revealed that the attacker is likely using a script to set the DOCKER\_HOST variable and run the regular CLI to compromise the server. They fetch off-the-shelf images from Dockerhub for their 9hits and XMRig software, a common attack vector for campaigns targeting Docker.

Generally, attackers use a generic Alpine image to break out of a container and run malware on the host. In this campaign, however, they do not try to exit the container and run it with a predetermined argument.

The spreader initiates the infection using a custom command to invoke a Docker container, including configuration/session identifiers. The nh.sh process is the entry point, and after the attacker adds their session token, it allows the 9hits app to authenticate with their servers and fetches a list of sites to visit. Once the app has visited the site, the session token owner is awarded a credit on the 9hits platform.

It is worth noting that the session token system is designed to work in untrusted contexts, allowing the app to be run in illegitimate campaigns without the risk of the attacker’s account being compromised.

9hits, a headless Chrome app, is used to visit various websites, including adult and pop-up sites. In 2017, Chrome 59 introduced Headless mode, allowing users to run the browser in an unattended environment without visible UI, making it popular for browser automation with projects like Puppeteer or ChromeDriver.

According to Cado Security’s blog post, interestingly, the attacker disabled the app’s ability to visit crypto-related sites. The -o option in XMRig deployments specifies a mining pool, typically a public pool with the owner’s wallet address, but in this case, it appears private, preventing campaign statistics analysis.

Further, as seen in the image below, the dscloud domain is used for dynamic DNS, updated by the Synology server with the attacker’s IP. The address resolves to 2736.82.56, the same IP that infected the honeypot.

Exposure to Docker hosts remains a common entry vector for attackers, emphasizing the importance of maintaining system security to prevent malicious use of systems. The campaign significantly impacts compromised hosts by exhausting CPU resources, causing legitimate workloads to fail.

Additionally, it could potentially leave a remote shell on the system, causing a more serious breach. This highlights the ongoing trend of attackers seeking new strategies to exploit compromised hosts.

****_RELATED ARTICLES_****

1.  **Change your password: Docker suffers breach; 190k users affected**
2.  **Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware**
3.  **Threat actors hijacking Bitbucket and Docker Hub for Monero mining**
4.  **OracleIV DDoS Botnet Malware Targets Docker Engine API Instances**
5.  **Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw**

Malware Exploits 9Hits, Turns Docker Servers into Traffic Boosted Crypto Miners

By Waqas
Kaspersky has recently launched a tool called iShutdown, designed not only to detect the notorious Pegasus spyware but also to identify other malware threats on iOS devices.
This is a post from HackRead.com Read the original post: Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

The iShutdown tool has been launched a few weeks after Kaspersky cybersecurity researchers revealed significant insights into Operation Triangulation. This investigation delves into how spyware threats compromise iPhones.

Kaspersky’s Global Research and Analysis Team (GReAT) has introduced a new tool that lets users detect Pegasus, a popular iOS spyware known for targeting journalists and activists. This lightweight method called iShutdown will identify signs of spyware on Apple iOS devices, including three prominent spyware families Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

The iShutdown tool is now available to the public, seven months after Kaspersky Labs initially reported the hacking of its employees’ iPhones, referred to as Operation Triangulation. In December 2023, the company released an update disclosing that hackers likely exploited an obscure hardware feature during spyware attacks against iPhone users.

The method was tested on a set of Pegasus-compromised iPhones. However, it must be noted that this method/tool is different from the iShutdown iOS application that allows Mac devices to shut down/sleep/restart/log out.

According to the cybersecurity firm, traces of Pegasus-related processes were discovered in a text-based system log file called “Shutdown.log” on iPhones compromised with the spyware. 

The log file is stored within the sysdiagnose archive of iOS devices. It records every reboot event with its environmental characteristics and is a generally overlooked forensic artefact. It can have entries dating back several years, providing valuable information. When a user initiates a reboot, the operating system terminates running processes, flushing memory buffers, and waiting for a normal reboot.

Its analysis revealed “sticky” processes that hinder reboots. Pegasus-related processes were found in over four reboot delay notices. These anomalies during reboot procedures allowed the tool to flag potential infections with high accuracy. Further analysis revealed a similar filesystem path used by all three spyware families, “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator, as an indicator of compromise.

Kaspersky GReAT’s lead security researcher, Maher Yamout, has confirmed the log’s consistency with other Pegasus infections, making it a reliable forensic artefact for infection analysis. The tool offers enhanced protection to a broader user base.

“Compared to more time-consuming acquisition methods such as forensic device imaging or a full iOS backup, Shutdown.log file recovery is pretty simple,” explained Yamout.

Kaspersky has developed a Python3 utility on GitHub for macOS, Windows, and Linux users to detect spyware. The tool extracts, analyzes, and parses Shutdown.log artifacts. It simplifies detection and raises awareness, empowering users to take control of their digital security.

However, Kaspersky suggests users adopt a holistic approach towards data and device security. The company recommends users perform daily reboots, use lockdown mode, disable iMessage and FaceTime, timely iOS updates, and regular check backups.

The announcement comes after SentinelOne’s report revealing that information stealers targeting macOS like KeySteal, Atomic, and JaskaGo are quickly adapting to circumvent Apple’s built-in antivirus technology called XProtect.

****_RELATED ARTICLES_****

1.  **QuaDream, Israeli iPhone hacking spyware firm, to shut down**
2.  **European Spyware Vendor Offering Android, iOS Device Exploits**
3.  **iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers**
4.  **Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India**
5.  **NSO zero-click iMessage exploit hacks iPhone without need to click links**

Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution.

Wednesday, January 17, 2024 12:00

Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. 

Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.  

There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**ManageEngine OpManager directory traversal vulnerability **

_Discovered by Marcin “Icewall” Noga._ 

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager, a network management solution. 

TALOS-2023-1851 (CVE-2023-47211) can be exploited if an adversary sends a target a specially crafted HTTP request, which could allow them to create a file in any location outside of the default MiBs file’s location directory. This vulnerability has a critical severity score of 9.1 out of 10. 

This vulnerability arises if the adversary uses OpManager and navigates to Settings -> Tools -> MiB Browser and selects “Upload MiB.” The arbitrary file they could eventually create can only be one of a few file extensions, however, including .txt, .mib and .mi2. 

**Multiple vulnerabilities in GTKWave **

_Discovered by Claudio Bozzato._ 

Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. 

GTKwave is a wave viewer used to run different FPGA simulations. It includes multiple versions to run on macOS, Linux, Unix and Microsoft machines. The open-source software analyzes trace files to look at the results of simulations run across different design implementations, or to analyze protocols captured with logic analyzers.  

Talos researchers found a wide array of security issues across this software that affect different functions in GTKwave, many of which are triggered if an attacker can trick the targeted user into opening a specially crafted malicious file. In all, Talos recently released 33 advisories that cover more than 80 CVEs. Many of these issues are caused by the reuse of vulnerable code across the software. Other vulnerabilities are often duplicated by the adversary sending different file types as the initial infection document. 

There are eight integer overflow vulnerabilities that could result in memory corruption, and eventually, arbitrary code execution: TALOS-2023-1812 (CVE-2023-38618, CVE-2023-38621, CVE-2023-38620, CVE-2023-38619, CVE-2023-38623, CVE-2023-38622), TALOS-2023-1816 (CVE-2023-35004), TALOS-2023-1822 (CVE-2023-35989), TALOS-2023-1798 (CVE-2023-36915, CVE-2023-36916), TALOS-2023-1777 (CVE-2023-32650), TALOS-2023-1824 (CVE-2023-39413, CVE-2023-39414), TALOS-2023-1790 (CVE-2023-35992) and TALOS-2023-1792 (CVE-2023-35128). 

The most common vulnerability type Talos researchers found in GTKWave were out-of-bounds write issues that could lead to arbitrary code execution. All the following vulnerabilities could be exploited if a target opened an attacker-created file: 

*   TALOS-2023-1804 (CVE-2023-37416, CVE-2023-37419, CVE-2023-37420, CVE-2023-37418, CVE-2023-37417) 
*   TALOS-2023-1805 (CVE-2023-37447, CVE-2023-37446, CVE-2023-37445, CVE-2023-37444, CVE-2023-37442, CVE-2023-37443) 
*   TALOS-2023-1810 (CVE-2023-37282) 
*   TALOS-2023-1811 (CVE-2023-36861) 
*   TALOS-2023-1813 (CVE-2023-38649, CVE-2023-38648) 
*   TALOS-2023-1817 (CVE-2023-39235, CVE-2023-39234) 
*   TALOS-2023-1819 (CVE-2023-34436) 
*   TALOS-2023-1823 (CVE-2023-38657) 
*   TALOS-2023-1826 (CVE-2023-39443, CVE-2023-39444) 

TALOS-2023-1807 (CVE-2023-37921, CVE-2023-37923, CVE-2023-37922) can also lead to remote code execution, but in this case, is caused by an arbitrary write issue. 

For a complete list of all the vulnerabilities Talos discovered in GTKWave, refer to our Vulnerability Reports page here. 

**DuoUniversalKeycloakAuthenticator for Keycloak **

_Discovered by Benjamin Taylor of Cisco ASIG._ 

An information disclosure vulnerability exists in the instipod DuoUniversalKeycloakAuthenticator for Keycloak. Keycloak is an open-source identity and access management solution, and DuoUniversalKeyAuthenticator allows Keycloak to push a Cisco Duo notification to the Duo app, asking the user to authenticate in.  

The Keycloak extension for Duo, after it detects that initial authentication has succeeded with Keycloak, redirects the user’s browser to the configured duosecurity.com endpoint, sending the username and password in question each time. 

TALOS-2023-1907 (CVE-2023-49594) indicates that this is unnecessary exposure of this data, potentially allowing an attacker to steal or view this information. 

**Multiple vulnerabilities in WWBN AVideo **

_Discovered by Claudio Bozzato._ 

WWBN AVideo contains multiple vulnerabilities that an attacker could exploit to carry out a range of malicious actions, including brute-forcing user credentials and forcing a targeted user to reset their password to something the attacker knows. 

AVideo is a web application, mostly written in PHP, that allows users to create audio and video sharing websites. Users can import videos from other sources, like YouTube, encode the videos and then make them shareable in various ways. 

There are multiple cross-site scripting vulnerabilities in AVideo that could allow an attacker to execute arbitrary JavaScript code on the targeted machine: 

*   TALOS-2023-1882 (CVE-2023-48730) 
*   TALOS-2023-1883 (CVE-2023-48728) 
*   TALOS-2023-1884 (CVE-2023-47861) 

An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted web page. 

There are three other vulnerabilities — TALOS-2023-1869 (CVE-2023-47171), TALOS-2023-1881 (CVE-2023-49738) and TALOS-2023-1880 (CVE-2023-49864, CVE-2023-49863, CVE-2023-49862) — that could allow adversaries to read arbitrary files with an HTTP request targeting different parameters in AVideo’s “objects/aVideoEncoderReceiveImage.json.php” file. 

Talos researchers also discovered TALOS-2023-1896 (CVE-2023-49589), an insufficient entropy vulnerability that can allow an attacker to forge a password reset for an administrator account. This could allow an adversary to reset a user’s account, set a new password that only the adversary knows, and then log in with that account information. An adversary could also exploit TALOS-2023-1897 (CVE-2023-50172) to prevent AVideo from sending an email to the associated account’s email address alerting them of the password reset process, so exploitation becomes less evident. 

Similarly, TALOS-2023-1900 (CVE-2023-49599) can also be exploited using this method, but this vulnerability targets administrator accounts. 

The most serious vulnerability Talos discovered in AVideo is TALOS-2023-1886 (CVE-2023-47862), a local file inclusion vulnerability that could eventually lead to arbitrary code execution. This vulnerability has a severity score of 9.8 out of 10. TALOS-2023-1885 (CVE-2023-49715) is an unrestricted php file upload vulnerability that can also lead to code execution, but only when used in conjunction with a local file inclusion vulnerability like TALOS-2023-1886. 

TALOS-2023-1898 (CVE-2023-49810) could be exploited in AVideo by sending a specially crafted HTTP request. An adversary could exploit this vulnerability to bypass the CAPTCHA process when trying to log into the service, therefore making it easier for an attacker to attempt to brute force login credentials or password-guessing attacks.

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024

Gentoo Linux Security Advisory 202401-25 - Multiple vulnerabilities have been discovered in OpenJDK, the worst of which can lead to remote code execution. Versions greater than or equal to 11.0.19_p7:11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-25  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenJDK: Multiple Vulnerabilities  
     Date: January 17, 2024  
     Bugs: #859376, #859400, #877597, #891323, #908243  
       ID: 202401-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in OpenJDK, the worst of  
which can lead to remote code execution.

Background  
==========

OpenJDK is an open source implementation of the Java programming  
language.

Affected packages  
=================

Package                   Vulnerable       Unaffected  
------------------------  ---------------  ----------------  
dev-java/openjdk          < 11.0.19_p7:11  >= 11.0.19_p7:11  
                          < 17.0.7_p7:17   >= 17.0.7_p7:17  
                          < 8.372_p07:8    >= 8.372_p07:8  
dev-java/openjdk-bin      < 11.0.19_p7:11  >= 11.0.19_p7:11  
                          < 17.0.7_p7:17   >= 17.0.7_p7:17  
                          < 8.372_p07:8    >= 8.372_p07:8  
dev-java/openjdk-jre-bin  < 11.0.19_p7:11  >= 11.0.19_p7:11  
                          < 17.0.7_p7:17   >= 17.0.7_p7:17  
                          < 8.372_p07:8    >= 8.372_p07:8

Description  
===========

Multiple vulnerabilities have been discovered in OpenJDK. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenJDK users should upgrade to the latest versions:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-8.372_p07"  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-11.0.19_p7"  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-17.0.7_p7"

All OpenJDK JRE binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-8.372_p07"  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-11.0.19_p7"  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-17.0.7_p7"

All OpenJDK binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.372_p07"  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-11.0.19_p7"  
  # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-17.0.7_p7"

References  
==========

[ 1 ] CVE-2022-21540  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21540  
[ 2 ] CVE-2022-21541  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21541  
[ 3 ] CVE-2022-21549  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21549  
[ 4 ] CVE-2022-21618  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21618  
[ 5 ] CVE-2022-21619  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21619  
[ 6 ] CVE-2022-21624  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21624  
[ 7 ] CVE-2022-21626  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21626  
[ 8 ] CVE-2022-21628  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21628  
[ 9 ] CVE-2022-34169  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34169  
[ 10 ] CVE-2022-39399  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39399  
[ 11 ] CVE-2022-42920  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42920  
[ 12 ] CVE-2023-21830  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21830  
[ 13 ] CVE-2023-21835  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21835  
[ 14 ] CVE-2023-21843  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21843

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-25

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux